Hi Daniel, Please attach it to a Jira issue so we can take a look at it - if it makes sense to add for general purpose use, we will!
Thanks! -- Les Hazlewood | @lhazlewood CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282 On Wed, Sep 18, 2013 at 12:24 AM, Daniel Bimschas < [email protected]> wrote: > Digging into the Shiro source codes I found that this feature is in fact > not available in Shiro. I've now implemented my own custom filter > (extending RolesAuthorizationFilter) that allows you to do exactly what I > wanted. Configuration for the filter follows the following example: > > [main] > myFilter=my.package.HttpMethodRolesAuthorizationFilter > [urls] > /rest = authcBasic, > myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR] > > So, in this example > > - a user must be authenticated to execute any operation > - a user with both roles SERVICE_PROVIDER and EXPERIMENTER can send a PUT > request, > - a user with role EXPERIMENTER can send POST requests, and > - a user with role ADMINISTRATOR can DELETE things > > I would be more than happy to contribute this little bit of code to the > project in case you're interested! > > Best regards > Daniel Bimschas > > On 16.09.2013, at 11:37, Daniel Bimschas wrote: > > > Dear Shiro gods! > > > > I'm struggling to figure out how I can do role-based authorization > depending on what HTTP method a request is using. I've posted this question > on StackOverflow as it seems nobody has been asking it before (at least I > couldn't find it with my search terms). I would be incredibly happy if you > could take a look! > > > > > http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m > > > > Cheers > > Daniel Bimschas >
