Digging into the Shiro source code, I found that this feature is in fact not 
available in Shiro. I've now implemented my own custom filter (extending 
RolesAuthorizationFilter) that allows you to do exactly what I wanted. 
Configuration for the filter follows the following example:

[main]
  myFilter=my.package.HttpMethodRolesAuthorizationFilter
[urls]
  /rest = authcBasic, myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]

So, in this example

 - a user must be authenticated to execute any operation
 - a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT
   request,
 - a user with role EXPERIMENTER can send POST requests, and
 - a user with role ADMINISTRATOR can DELETE things

I would be more than happy to contribute this little bit of code to the project 
in case you're interested!

Best regards
Daniel Bimschas

On 16.09.2013, at 11:37, Daniel Bimschas wrote:

> Dear Shiro gods!
> 
> I'm struggling to figure out how I can do role-based authorization depending 
> on what HTTP method a request is using. I've posted this question on 
> StackOverflow as it seems nobody has been asking it before (at least I 
> couldn't find it with my search terms). I would be incredibly happy if you 
> could take a look!
> 
> http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m
> 
> Cheers
> Daniel Bimschas
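
An added example, not the author's code (his filter is not shown in this thread): one way to write a filter that accepts the configuration above, assuming Shiro 1.x on the javax.servlet API. The parseRules helper and the handling of unlisted methods are assumptions that follow the behaviour described in the message.

```java
// Package declaration omitted; use the package referenced in the [main] section.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

public class HttpMethodRolesAuthorizationFilter extends RolesAuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        // Shiro splits the bracketed config on commas, so each entry is "METHOD=ROLE&ROLE".
        Map<String, List<String>> rules = parseRules((String[]) mappedValue);
        String method = WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ROOT);
        List<String> required = rules.get(method);
        if (required == null) {
            // Assumption: unlisted methods need no role; authcBasic earlier in the chain
            // still enforces authentication.
            return true;
        }
        Subject subject = getSubject(request, response);
        return subject.hasAllRoles(required); // '&' means every listed role is required
    }

    // Hypothetical helper: turns {"PUT=A&B", "POST=B"} into {PUT=[A, B], POST=[B]}.
    static Map<String, List<String>> parseRules(String[] entries) {
        Map<String, List<String>> rules = new HashMap<>();
        if (entries == null) {
            return rules;
        }
        for (String entry : entries) {
            int eq = entry.indexOf('=');
            if (eq <= 0 || eq == entry.length() - 1) {
                // Reject malformed entries instead of silently dropping a restriction.
                throw new IllegalArgumentException("Expected METHOD=ROLE[&ROLE], got: " + entry);
            }
            String method = entry.substring(0, eq).trim().toUpperCase(Locale.ROOT);
            String[] roles = entry.substring(eq + 1).trim().split("\\s*&\\s*");
            rules.put(method, Arrays.asList(roles));
        }
        return rules;
    }
}
```

Methods absent from the mapping (GET, PATCH, OPTIONS and so on) need only authentication here, as in the message's example; returning false in that branch makes the filter deny by default.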
