That's correct.

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
On Thu, Aug 22, 2013 at 8:17 PM, maven apache <[email protected]> wrote:

> Hi:
>
> I have read the shiro documents and followed some tutorials.
>
> Now I am interested in the resources based authentication.
>
> For a standalone application I will use the
>
>     subject.isPermitted("resources:action:id")
>
> to make sure if the current user has the authentication.
>
> But in a web application shiro provides the filter chains to filter according
> to the requested urls.
>
> For example I have a config like this:
>
>     [main]
>     /user/** = role[admin]
>
>     [roles]
>     admin= user:*
>
> And this is the controller:
>
>     @Controller
>     @RequestMapping("/users")
>     class UserController{
>
>         //user should have 'user:add' permission
>         public String addForm(){/....}
>
>         //user should have 'user:add' permission
>         public String addUser(){.........}
>
>         //user should have 'user:delete' permission
>         public String deleteUser(){.........}
>     }
>
> Normally, I will check if the user has the permission inside the methods
> of the UserController. Now if I add the filter chains, does it mean that
> when these methods are invoked, the user in the current session must have
> the role of `admin`? I do not have to check the permission here?
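The role definition `admin = user:*` quoted above is a wildcard permission, so a subject holding the `admin` role is also permitted `user:add` and `user:delete`. The following is an added example, not code from this thread: it loads that role into an in-memory realm and compares an admin with a non-admin. The accounts `alice` and `bob`, their passwords and the `viewer` role are constructed for illustration, and it assumes Shiro 1.x (`shiro-core`) on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class RoleImpliesPermissionDemo {

    // Constructed accounts and passwords. The admin line mirrors the
    // "admin = user:*" definition from the question; "viewer" is hypothetical.
    static final String INI =
          "[users]\n"
        + "alice = constructed-pass-1, admin\n"
        + "bob = constructed-pass-2, viewer\n"
        + "[roles]\n"
        + "admin = user:*\n"
        + "viewer = user:view\n";

    // Authenticate against the in-memory realm and return the logged-in subject.
    static Subject login(String user, String password) {
        Subject subject = new Subject.Builder().buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    // Print the role check a URL filter would make next to the
    // per-method permission checks named in the controller comments.
    static void report(String user, String password) {
        Subject s = login(user, password);
        System.out.printf("%s: role admin=%b user:add=%b user:delete=%b user:view=%b%n",
                user, s.hasRole("admin"), s.isPermitted("user:add"),
                s.isPermitted("user:delete"), s.isPermitted("user:view"));
        s.logout();
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
        report("alice", "constructed-pass-1");
        report("bob", "constructed-pass-2");
    }
}
```

The admin account passes the role check and every `user:` permission check, while the viewer account passes only `user:view`.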
