Hi Daniel,
I'd like to be copied on that Jira ticket as well.
Thanks!
--Stephen
On 9/18/2013 1:33 PM, Les Hazlewood wrote:
Hi Daniel,
Please attach it to a Jira issue so we can take a look at it - if it
makes sense to add for general purpose use, we will!
Thanks!
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
On Wed, Sep 18, 2013 at 12:24 AM, Daniel Bimschas <[email protected]> wrote:
Digging into the Shiro source code I found that this feature is
in fact not available in Shiro. I've now implemented my own custom
filter (extending RolesAuthorizationFilter) that allows you to do
exactly what I wanted. Configuration for the filter follows the
following example:
[main]
myFilter=my.package.HttpMethodRolesAuthorizationFilter
[urls]
/rest = authcBasic, myFilter[PUT=SERVICE_PROVIDER&EXPERIMENTER,POST=EXPERIMENTER,DELETE=ADMINISTRATOR]
So, in this example
- a user must be authenticated to execute any operation
- a user with both roles SERVICE_PROVIDER and EXPERIMENTER can
send a PUT request,
- a user with role EXPERIMENTER can send POST requests, and
- a user with role ADMINISTRATOR can DELETE things
I would be more than happy to contribute this little bit of code
to the project in case you're interested!
Best regards
Daniel Bimschas
On 16.09.2013, at 11:37, Daniel Bimschas wrote:
> Dear Shiro gods!
>
> I'm struggling to figure out how I can do role-based
> authorization depending on what HTTP method a request is using.
> I've posted this question on StackOverflow as it seems nobody has
> been asking it before (at least I couldn't find it with my search
> terms). I would be incredibly happy if you could take a look!
>
> http://stackoverflow.com/questions/18824670/how-to-do-role-based-authorization-with-apache-shiro-depending-on-http-request-m
>
> Cheers
> Daniel Bimschas
--
Stephen McCants
Senior Software Engineer
Healthcare Control Systems
1-877-877-8795 x116
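
A sketch of a filter that would accept the `[urls]` configuration quoted in this thread, added here as an example; it is not Daniel's implementation and not code from the Shiro project. It assumes Shiro 1.x (`javax.servlet`), takes the class name from the thread's config, omits the package declaration, and assumes that HTTP methods with no entry fall through to whatever the rest of the chain (here `authcBasic`) enforces.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

// Added example, not the code discussed in the thread.
public class HttpMethodRolesAuthorizationFilter extends RolesAuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        // Shiro splits the bracketed config on commas before invoking the filter,
        // so mappedValue arrives as {"PUT=A&B", "POST=C", "DELETE=D"}.
        String[] rules = (String[]) mappedValue;
        if (rules == null || rules.length == 0) {
            return true; // no per-method rules configured for this path
        }

        Map<String, List<String>> rolesByMethod = new HashMap<>();
        for (String rule : rules) {
            String[] kv = rule.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty() || kv[1].trim().isEmpty()) {
                return false; // malformed entry: fail closed for every method
            }
            // '&' separates roles that must ALL be held.
            rolesByMethod.put(kv[0].trim().toUpperCase(Locale.ROOT),
                    Arrays.asList(kv[1].trim().split("\\s*&\\s*")));
        }

        String method = WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ROOT);
        List<String> required = rolesByMethod.get(method);
        if (required == null) {
            // Assumption: unlisted methods (GET, HEAD, ...) need no extra role.
            // Return false here instead for deny-by-default.
            return true;
        }
        return getSubject(request, response).hasAllRoles(required);
    }
}
```

With the pass-through assumption, any method missing from the bracket list (including PATCH or a method added to the API later) is reachable by every authenticated user, so a deployment that prefers deny-by-default would list each permitted method explicitly and return `false` for the rest.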