Actually, I was thinking along the lines of this (I hope you can see images):

Only instead of GROUP_REF IN AUTH_GROUP_ROLES I'll use the actual String group name. This is because our IT department suddenly thinks placing the user-group mapping in Active Directory is a good idea (as I did). So in order to avoid locking myself to Active Directory, I thought I would use a two-phase process where I would obtain the user data from Active Directory and obtain its groups (by a provider which either gets them from AD or from the DB); then I would proceed to query my own application schema for the rest of the permission resources.

Now one thing that worries me is the permission "overriding" stuff: a manager may decide to grant a specific user elevated roles even though he's not in a group that has such permissions; then I would need to start adding priorities for role assignments.

On Mon, Jul 11, 2011 at 5:25 PM, Brian Demers [via Shiro User] <[email protected]> wrote:

> On Sun, Jul 10, 2011 at 12:51 AM, emaayan <[hidden email]> wrote:
>
>> I'm trying to figure out if by only checking permissions
>> (checkPermission/hasPermission, and not using hasRole) Shiro will inspect
>> roles which contain said permissions, so I won't have to do it myself.
>
> You could use a RolePermissionResolver to resolve permissions that are
> contained in a Role. For example, if your realm connects to some directory
> that only maps users and groups/roles, you can use a RolePermissionResolver
> at an application level to tie specific permissions to roles.
>
>> Also, is there a way/pattern to have a servlet filter inspect the incoming
>> request and have the request name be the resource to be checked for
>> permission, and if not, throw a 401 error?
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/is-checking-premission-implicitly-check-roles-as-well-tp6567107p6567107.html
>> Sent from the Shiro User mailing list archive at Nabble.com.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/is-checking-premission-implicitly-check-roles-as-well-tp6567107p6574103.html
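
The RolePermissionResolver approach suggested in the quoted reply, as an added example that is not part of the original thread or of the Shiro project's own code: the realm only knows users and group names, and an application-level resolver ties permissions to those names, so a plain isPermitted check picks up role-derived permissions without any hasRole call. Assumptions: Shiro 1.x core on the classpath and Java 9+; the class names, group names, users and permission strings are constructed for illustration, and SimpleAccountRealm stands in for the directory.

```java
import java.util.*;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class GroupPermissionDemo {

    // Application-owned mapping from group name to permission strings (constructed sample data).
    static final Map<String, List<String>> GROUP_PERMISSIONS = new HashMap<>();
    static {
        GROUP_PERMISSIONS.put("managers", List.of("report:read,approve"));
        GROUP_PERMISSIONS.put("clerks", List.of("report:read"));
    }

    // The realm calls this for every role (group) name the user holds.
    static class GroupPermissionResolver implements RolePermissionResolver {
        @Override
        public Collection<Permission> resolvePermissionsInRole(String roleString) {
            List<Permission> resolved = new ArrayList<>();
            // A group with no mapping grants nothing (deny by default).
            for (String p : GROUP_PERMISSIONS.getOrDefault(roleString, Collections.emptyList())) {
                resolved.add(new WildcardPermission(p));
            }
            return resolved;
        }
    }

    public static void main(String[] args) {
        // The realm holds users and their group names only, no permissions.
        SimpleAccountRealm realm = new SimpleAccountRealm("directory");
        realm.addAccount("alice", "constructed-password", "managers");
        realm.addAccount("bob", "constructed-password", "clerks");
        realm.setRolePermissionResolver(new GroupPermissionResolver());

        SimplePrincipalCollection alice = new SimplePrincipalCollection("alice", "directory");
        SimplePrincipalCollection bob = new SimplePrincipalCollection("bob", "directory");

        // Permission checks only; the realm expands group names through the resolver.
        System.out.println("alice report:approve -> " + realm.isPermitted(alice, "report:approve"));
        System.out.println("bob   report:approve -> " + realm.isPermitted(bob, "report:approve"));
        System.out.println("bob   report:read    -> " + realm.isPermitted(bob, "report:read"));
    }
}
```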
