I achieved something similar in our project like this:

public class ... {
    ...
    @RequiresValidation(validationMethod="checkDeleteRecord")
    public void deleteRecord(....) {
        ...
    }

    protected void checkDeleteRecord(...) {
        /* If this method throws a SecurityException, then the subject is not
           authorized to invoke 'deleteRecord' */
    }
}
At runtime, the validation method is invoked via reflection.
A similar improvement would be great for Shiro. For example, suppose you have
a class named UserDashboard where each instance represents a user's unique
content etc.; only the corresponding user should be able to call the setter
methods.
This kind of on-the-fly authorization check is required in a lot of
scenarios.
Either some sort of regex permissions (like
"record:delete:subject.principals['recordID']") or an authorizing method to
authorize at runtime (e.g., via reflection).
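The annotation-plus-reflection check described above, written out as an added example (not code from the reply or from Shiro): RequiresValidation, UserDashboard, GuardedInvoker and Demo are assumed names, and the principal supplier stands in for SecurityUtils.getSubject().getPrincipal() so the file compiles and runs without Shiro on the classpath.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.function.Supplier;
// Hypothetical annotation naming the check that must pass before the method runs.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface RequiresValidation { String validationMethod(); }
// Per-user object; the principal supplier stands in for SecurityUtils.getSubject().getPrincipal().
class UserDashboard {
    private final String ownerId; private final Supplier<String> currentPrincipal;
    private String title = "";
    UserDashboard(String o, Supplier<String> p) { ownerId = o; currentPrincipal = p; }
    @RequiresValidation(validationMethod = "checkOwner")
    public void setTitle(String title) { this.title = title; }
    public String getTitle() { return title; }
    // Same parameter list as setTitle; throws when the caller is not this dashboard's owner.
    protected void checkOwner(String ignoredNewTitle) {
        if (!ownerId.equals(currentPrincipal.get()))
            throw new SecurityException("subject is not the owner of this dashboard");
    }
}
class GuardedInvoker {
    // Runs the validation method with the same arguments, then the guarded method.
    // Callers must go through here: invoking the annotated method directly bypasses the check.
    static Object invoke(Object target, String name, Class<?>[] types, Object... args) throws Exception {
        Method m = target.getClass().getMethod(name, types);
        RequiresValidation rv = m.getAnnotation(RequiresValidation.class);
        if (rv == null) throw new IllegalStateException(name + " carries no @RequiresValidation");
        Method check = target.getClass().getDeclaredMethod(rv.validationMethod(), types);
        check.setAccessible(true);               // the check is protected, as in the thread
        try {
            check.invoke(target, args);
            return m.invoke(target, args);
        } catch (InvocationTargetException e) {  // unwrap so SecurityException reaches the caller
            if (e.getCause() instanceof RuntimeException) throw (RuntimeException) e.getCause();
            throw e;
        }
    }
}
public class Demo {
    public static void main(String[] a) throws Exception {
        String[] principal = {"alice"};          // mutable "current subject" for the demo
        UserDashboard d = new UserDashboard("alice", () -> principal[0]);
        Class<?>[] sig = {String.class};
        GuardedInvoker.invoke(d, "setTitle", sig, "Alice's board");   // owner: allowed
        principal[0] = "bob";
        try { GuardedInvoker.invoke(d, "setTitle", sig, "Bob's edit"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        System.out.println(d.getTitle());        // prints "Alice's board"
    }
}
```

The validation method is resolved with the same parameter types as the guarded method, so it can inspect the actual arguments (the record id, the new value) rather than only the caller's identity.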
-----Original Message-----
From: richs [mailto:[email protected]]
Sent: Thursday, 20 October 2011 18:40
To: [email protected]
Subject: Authorization instance level checks
Say you have a database containing millions of records.
You have a permission which states that you can delete record 1234:
"record:delete:1234"
What is the best practice to check the authorization for instance 1234? The
method AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection
principals) accepts a collection of principals, so it does not contain the
identifier 1234. I don't want to add every record my user can delete to an
AuthorizationInfo object
(record:delete:0001, record:delete:0002, record:delete:0004, etc.) as this
could be 1000s.
I can't see any easy way to hook in the callback to check instance 1234.
Any ideas?
Thanks
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Authroization-instance-level-checks-tp6913395p6913395.html
Sent from the Shiro User mailing list archive at Nabble.com.