On 03/18/2011 10:51 AM, Philippe Laflamme wrote:
> Thanks for your input!
>
> I used LDAP as an example, but this also applies to any other realm, such as
> IniRealm:
>
> [users]
> user=password,mygroup
> [roles]
> # no permissions defined here for mygroup (but there could)
>
> And I have another realm that hits a database for fetching permissions for
> 'mygroup'. Why am I not setting a RolePermissionResolver on my IniRealm?
> Because I'm not the one writing this file. The file is left open to
> configuration by users. They are able to add other realms (LDAP, AD,
> whatever), but my application offers a custom realm for storing
> application-specific permissions for existing users and groups. I guess I'd
> need to tell them to add my RolePermissionResolver to their configured
> realm. To me, this sounds more like a workaround, but would definitely work.

This is what I've done. From looking at the code, it appears that this is also possible:

    ((ModularRealmAuthorizer) ((AuthorizingSecurityManager) securityManager).getAuthorizer()).setRolePermissionResolver(rolePermissionResolver)

This sets the role permission resolver on all realms that implement RolePermissionResolverAware. I can't see an easier way to set this - but those are the default security manager and authorizer - and it seems to me that if you're changing them then you definitely have access to do this. It does reek a bit of relying too much on the implementation though.

Perhaps AuthorizingSecurityManager could implement RolePermissionResolverAware and do this? (set the role permission resolver on the authorizer if it implements RolePermissionResolverAware).

Les, if you're game for this, I'll create a ticket and submit a patch.

>
> As for roles being principals, here's my take on it:
>
> PrincipalCollection->Roles (AuthorizingRealm)
> Role->Permissions (RolePermissionResolver)
> and
> PrincipalCollection->Permissions (AuthorizingRealm)
>
> The first 2 methods could be re-written as:
> PrincipalCollection->Roles->Permissions (AuthorizingRealm +
> RolePermissionResolver)
>
> Which, in a functional sense should be equivalent to:
> PrincipalCollection->Permissions (AuthorizingRealm + RolePermissionResolver)
>
> So, functionally, a set of roles really is equivalent to a set of
> principals as we can derive permissions from both.
>
> If roles were part of the PrincipalCollection, then, as you mentioned, a
> single method would ever be needed to resolve all permissions for a given
> set of principals:
> PrincipalCollection->Permissions (AuthorizingRealm)
>
> Anyway, this won't change soon, so I'll make some modifications to "inject"
> my RolePermissionResolver into the user-configured realms.
>
> Thanks again!
> Philippe
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Multiple-realms-and-roles-tp6178792p6185062.html
> Sent from the Shiro User mailing list archive at Nabble.com.
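Added example, not part of the original message or of Shiro's own code: a runnable sketch of the injection discussed in this thread, showing an authorization check for a role-derived permission before and after the resolver is set on the default authorizer. The class name, the APP_ROLE_PERMISSIONS map, the "report:read" permission and the use of SimpleAccountRealm in place of the user-edited IniRealm are assumptions made for illustration.

```java
import java.util.*;
import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class ResolverInjectionExample {
    // Hypothetical application-side store: role name -> permission strings.
    static final Map<String, List<String>> APP_ROLE_PERMISSIONS =
            Collections.singletonMap("mygroup", Arrays.asList("report:read"));

    // Unknown roles resolve to no permissions, so the default is deny.
    static final RolePermissionResolver RESOLVER = role -> {
        Collection<Permission> perms = new ArrayList<>();
        for (String p : APP_ROLE_PERMISSIONS.getOrDefault(role, Collections.emptyList())) {
            perms.add(new WildcardPermission(p));
        }
        return perms;
    };

    public static void main(String[] args) {
        // Stands in for the user-configured realm: it knows roles, not permissions.
        SimpleAccountRealm userRealm = new SimpleAccountRealm("userRealm");
        userRealm.addAccount("user", "password", "mygroup");

        DefaultSecurityManager securityManager = new DefaultSecurityManager(userRealm);
        PrincipalCollection who = new SimplePrincipalCollection("user", "userRealm");

        System.out.println("before: " + securityManager.isPermitted(who, "report:read"));

        // Guard the cast rather than assuming the default authorizer is in place.
        Authorizer authorizer = securityManager.getAuthorizer();
        if (!(authorizer instanceof ModularRealmAuthorizer)) {
            throw new IllegalStateException("custom Authorizer: inject the resolver per realm");
        }
        ((ModularRealmAuthorizer) authorizer).setRolePermissionResolver(RESOLVER);

        System.out.println("after:  " + securityManager.isPermitted(who, "report:read"));
        System.out.println("other:  " + securityManager.isPermitted(who, "report:delete"));
    }
}
```

A realm that does not implement RolePermissionResolverAware is skipped by this call without any error, so an authorization test per configured realm is the way to confirm the resolver actually took effect.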
