Hi Luke,

We have a similar setup (JAX-RS and Shiro) and we needed to implement security based on the path being accessed.

Our use case was more with regard to sub-resources. So, for example, if a user has access to GET:/accounts/1/projects, then that needs to imply that he also has access to GET:/accounts/1 and GET:/accounts. We needed to have "hierarchical" permissions. This allows a user to have access to the list of accounts (/accounts) after we've given them the right to see a specific one (/accounts/1), or something more specific within that resource (/accounts/1/projects).

Related thread: http://shiro-user.582556.n2.nabble.com/Question-regarding-WildcardPermission-tt5728829.html#a5728911

Tamas was nice enough to make an implementation of this (and much more) here: https://github.com/cstamas/shiro-extras. I have a fork of this project with a few fixes. That fork is in production in our RESTful application.

Hope it helps,
Philippe

--
View this message in context: http://shiro-user.582556.n2.nabble.com/RESTful-uris-and-direct-object-reference-manipulation-OWASP-4-tp6754377p6787643.html
Sent from the Shiro User mailing list archive at Nabble.com.
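As an added example of the "hierarchical" rule Philippe describes (this is not code from Shiro, from shiro-extras or from the fork he mentions), the class below is a minimal Shiro Permission for "METHOD:/path" strings in which a held permission implies the same HTTP method on its own path and on every ancestor path, so GET:/accounts/1/projects implies GET:/accounts/1 and GET:/accounts. The class name, the METHOD:/path string format, the refusal of "." and ".." segments, and the decision not to imply descendants, siblings or other methods are assumptions of this example, not anything stated in the thread. Shiro's AuthorizingRealm checks authorization by calling held.implies(requested) for each permission the subject holds, so the resolver at the bottom is what turns the realm's permission strings into instances of this class.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.PermissionResolver;

/**
 * Added example (not code from Shiro or from shiro-extras): a Shiro Permission
 * for "METHOD:/path" strings in which a held permission implies the same HTTP
 * method on its own path and on every ancestor path, as described in the post
 * (GET:/accounts/1/projects implies GET:/accounts/1 and GET:/accounts).
 * It does NOT imply descendants (GET:/accounts/1/projects/7), sibling
 * resources (GET:/accounts/2) or other methods (POST:/accounts).
 */
public final class HierarchicalRestPermission implements Permission {

    private final String method;          // upper-cased HTTP method, e.g. "GET"
    private final List<String> segments;  // path split on '/', e.g. [accounts, 1, projects]

    public HierarchicalRestPermission(String permissionString) {
        int colon = permissionString.indexOf(':');
        if (colon <= 0 || colon == permissionString.length() - 1) {
            throw new IllegalArgumentException("expected METHOD:/path, got: " + permissionString);
        }
        this.method = permissionString.substring(0, colon).trim().toUpperCase();
        this.segments = splitPath(permissionString.substring(colon + 1).trim());
    }

    /** Splits "/a/b/" into [a, b]; refuses "." and ".." so an un-normalized
     *  request path is never compared against a granted one. */
    private static List<String> splitPath(String path) {
        List<String> out = new ArrayList<String>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty()) {
                continue;               // leading slash, trailing slash, "//"
            }
            if (seg.equals(".") || seg.equals("..")) {
                throw new IllegalArgumentException("path must be normalized: " + path);
            }
            out.add(seg);
        }
        return Collections.unmodifiableList(out);
    }

    /** this (held) implies p (requested) when the methods match and p's path is
     *  this path or one of its ancestors, i.e. p's segments are a prefix of ours. */
    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof HierarchicalRestPermission)) {
            return false;
        }
        HierarchicalRestPermission requested = (HierarchicalRestPermission) p;
        if (!method.equals(requested.method)) {
            return false;
        }
        int n = requested.segments.size();
        return n <= segments.size() && segments.subList(0, n).equals(requested.segments);
    }

    @Override
    public String toString() {
        return method + ":/" + String.join("/", segments);
    }

    /** Resolver to pass to AuthorizingRealm.setPermissionResolver(...) so the
     *  realm's permission strings become HierarchicalRestPermission instances. */
    public static final class Resolver implements PermissionResolver {
        @Override
        public Permission resolvePermission(String permissionString) {
            return new HierarchicalRestPermission(permissionString);
        }
    }

    public static void main(String[] args) {
        Permission held = new HierarchicalRestPermission("GET:/accounts/1/projects");
        String[] requests = {
            "GET:/accounts/1/projects",    // same resource      -> true
            "GET:/accounts/1",             // ancestor           -> true
            "GET:/accounts",               // ancestor (the list) -> true
            "GET:/accounts/1/projects/7",  // descendant         -> false
            "GET:/accounts/2",             // sibling account    -> false
            "POST:/accounts",              // different method   -> false
        };
        for (String r : requests) {
            System.out.println(held + " implies " + r + " -> "
                + held.implies(new HierarchicalRestPermission(r)));
        }
    }
}
```

Two caveats from the example's own design, not from the thread: first, implying GET:/accounts from GET:/accounts/1 only says the list endpoint may be called, so the handler behind /accounts still has to filter the collection down to the accounts the caller is actually permitted to see, otherwise the narrow grant leaks the whole list. Second, the usual prefix behaviour of Shiro's WildcardPermission (a grant on /accounts covering /accounts/1) runs in the opposite direction from the ancestor rule shown here; if you want both, add the descendant check to implies() deliberately rather than relying on a wildcard parser to do it for you.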
