It should be noted that role-based access control checks are a different thing than permission-based access control checks. You can use either approach (or both) depending on how 'fine grained' you need your security policy to be.
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Wed, Aug 28, 2013 at 9:08 AM, Les Hazlewood <[email protected]> wrote:

> That's correct.
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>
>
> On Thu, Aug 22, 2013 at 8:17 PM, maven apache <[email protected]> wrote:
>
>> Hi:
>>
>> I have read the Shiro documents and followed some tutorials.
>>
>> Now I am interested in the resources-based authentication.
>>
>> For a standalone application I will use
>>
>> subject.isPermitted("resources:action:id")
>>
>> to make sure the current user has the authentication.
>>
>> But in a web application Shiro provides the filter chains to filter
>> according to the requested URLs.
>>
>> For example I have a config like this:
>>
>> [main]
>> /user/** = role[admin]
>>
>> [roles]
>> admin = user:*
>>
>> And this is the controller:
>>
>> @Controller
>> @RequestMapping("/users")
>> class UserController{
>>
>>     //user should have 'user:add' permission
>>     public String addForm(){/....}
>>
>>     //user should have 'user:add' permission
>>     public String addUser(){.........}
>>
>>     //user should have 'user:delete' permission
>>     public String deleteUser(){.........}
>> }
>>
>> Normally, I will check if the user has the permission inside the methods
>> of the UserController. Now if I add the filter chains, does it mean that
>> when these methods are invoked, the user in the current session must have
>> the role of `admin`? I do not have to check the permission here?
>>
>
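The distinction Les draws above, as an added example that is not part of the thread: a URL filter such as `roles[admin]` answers only "does this subject hold the admin role?", while `subject.isPermitted("user:delete")` answers "may this subject perform this specific action?". The program below builds a Shiro `SecurityManager` from a constructed INI (the users `alice`/`bob`, the role `support`, and the password `secret` are assumptions for the demo, not from the thread) and evaluates both kinds of check for each user. The comment shows the equivalent `[urls]` entries a web application would use; `roles`, `perms` and `authc` are Shiro's standard filter names.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class RoleVsPermissionDemo {

    // Constructed demo configuration (assumption, not the poster's config):
    // alice holds the coarse 'admin' role, bob holds a narrower 'support' role
    // that is granted only the fine-grained 'user:add' permission.
    //
    // In a web application the filter-chain counterpart would be:
    //   [urls]
    //   /users/delete = authc, perms["user:delete"]   # permission-based
    //   /users/**     = authc, roles[admin]           # role-based
    private static final String INI =
            "[users]\n"
          + "alice = secret, admin\n"
          + "bob = secret, support\n"
          + "[roles]\n"
          + "admin = user:*\n"
          + "support = user:add\n";

    static void setup() {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
    }

    static Subject loginAs(String user) {
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken(user, "secret"));
        return subject;
    }

    // What a roles[admin] filter in front of /users/** decides.
    static boolean passesRoleFilter(Subject s) {
        return s.hasRole("admin");
    }

    // What an in-method permission check decides for one action.
    static boolean mayAdd(Subject s) {
        return s.isPermitted("user:add");
    }

    // A controller-style method that enforces its own permission regardless
    // of which URL filter let the request through; checkPermission throws
    // AuthorizationException instead of returning false.
    static String deleteUser(Subject s) {
        try {
            s.checkPermission("user:delete");
            return "deleted";
        } catch (AuthorizationException e) {
            return "denied";
        }
    }

    public static void main(String[] args) {
        setup();
        for (String user : new String[] {"alice", "bob"}) {
            Subject s = loginAs(user);
            System.out.printf("%s: roles[admin]=%b user:add=%b deleteUser=%s%n",
                    user, passesRoleFilter(s), mayAdd(s), deleteUser(s));
            s.logout();
        }
    }
}
```

Running it shows why the two checks are not interchangeable: alice passes the role filter and every permission check, whereas bob fails `roles[admin]` even though `user:add` would be granted to him, and an admin who passes the role filter is still subject to whatever per-method permission the controller enforces. A role filter on `/users/**` therefore does not make the in-method `user:delete` check redundant; it only adds a coarser gate in front of it.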
