I'm using shiro in conjunction with Jersey jax-rs and am hoping for some
guidance around the following scenario.
Imagine I have the following uri provided by my Jersey resource:
/accounts/{accountId}
The rules around access are such that:
sysadmin role can access it always
accountadmin role can access it if accountId is the same as their
account id principal
So I have two accounts, id 1 and 2.
Sysadmin can access both /accounts/1 and /accounts/2.
accountadmin for account 1 can access /accounts/1.
accountadmin for account 1 gets a 403 forbidden when trying to access
/accounts/2.
accountadmin for account 2 can access /accounts/2.
accountadmin for account 2 gets a 403 forbidden when trying to access
/accounts/1.
The current rest filter sees the two accountadmins as the same.
I know I can handle this in code by cross referencing the uri parameter with
the user's account id principal.
Is there a slick way using Shiro's ini filter chains etc?
Any nicer suggestions?
End game is to secure my app against the OWASP Top 10 and this is #4.
https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
Thanks
Luke
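One way to get the per-account check described in the post, as an added example that is not from the original message or from Shiro/Jersey itself: a Jersey request filter that turns the accountId path parameter into a Shiro instance-level permission check. It assumes the realm grants the sysadmin role the permission string account:* and the accountadmin of account N the string account:read:N; the filter class name, the permission naming and the numeric-id check are assumptions of this example.

```java
import java.io.IOException;
import java.util.List;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// Assumed permission model (granted by the realm, not by this filter):
//   sysadmin                   -> "account:*"
//   accountadmin of account N  -> "account:read:N"
// Shiro's WildcardPermission makes "account:*" imply "account:read:2",
// and "account:read:1" does NOT imply "account:read:2", which is exactly
// the 403 behaviour the post wants for the wrong accountadmin.
@Provider
public class AccountAccessFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // Path parameters are only populated after resource matching,
        // so this filter must not be annotated @PreMatching.
        List<String> ids = ctx.getUriInfo().getPathParameters().get("accountId");
        if (ids == null || ids.isEmpty()) {
            return; // not an /accounts/{accountId} request; nothing to enforce here
        }
        String accountId = ids.get(0);

        // Assumption: account ids are numeric (the post uses 1 and 2). Rejecting
        // anything else keeps the permission string we build well-formed.
        if (!accountId.matches("[0-9]+")) {
            ctx.abortWith(Response.status(Response.Status.NOT_FOUND).build());
            return;
        }

        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }

        // Instance-level check against the id taken from the URI, so the
        // decision is bound to the requested object, not just to the role.
        if (!subject.isPermitted("account:read:" + accountId)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

Because the accountadmin permission depends on each user's own account id, it has to be added in the realm (for example in an AuthorizingRealm's doGetAuthorizationInfo) rather than in a static shiro.ini [roles] entry; only the sysadmin's account:* grant can live in [roles].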