Hi: This is a cross-post at stackoverflow: http://stackoverflow.com/questions/17187181/permission-control-using-apache-shiro
Since people said my requirement is not possible, I am posting it here to make sure:

--------------------------------------------------------------

I am new to Apache Shiro, and I have read almost 60% of the tutorials on the Apache Shiro page. It is a wonderful framework; however, I wonder if it can meet my requirements.

I am interested in the permission-based authentication. For example, to check whether the user has the permission to delete resources, we can use this:

    currentUser.isPermitted( "resource:delete" );

However, in our application, even if a user has the permission to delete resources, he can only delete some specified resources, not all of them.

For example (just an example), the resource has a field named createdby to record the one who created this resource. Now a user can only delete the resources created by himself if he has the resource:delete permission.

In fact, the resources which can be deleted by the user (who has authenticated and has the delete permission) will be calculated by more constraints.

Now, how can I make Shiro work in this situation?
