I have a similar use case to yours but I need anonymous access to certain methods too which I think is not possible (I'll post separately to outline my case). But for your needs, where you must be authenticated for *any* request, I think this can be handled with config only - at least using Shiro 1.2.2
Define a filter chain using the "rest" filter (an inbuilt instance of HttpMethodPermissionFilter):

    /data/stocks/** = authc, rest[stocks]

... and in your realm define permissions like:

    role.admin=stocks:*
    role.user=stocks:read

hth,
Darren.

Daniel Bimschas wrote
> Dear Shiroers,
>
> I've commented my ticket as I noticed that also my implementation doesn't
> really support all use cases. In fact it would be ideal to configure the
> filter like in the example of SHIRO-107
> (https://issues.apache.org/jira/browse/SHIRO-107):
>
> /data/stocks/**:post = authc, roles[admin]
> /data/stocks/** = authc
>
> However, although the issue is marked as resolved it doesn't seem to be
> possible to specify the filter as in the given example. Doing so will fail
> with the following message:
>
> There is no filter with name 'post = authc' to apply to chain
> [/data/stocks/**] in the pool of available Filters. Ensure a filter with
> that name/path has first been registered with the addFilter method(s).
>
> Is there another way to specify the filter chain that resembles the same
> behavior?

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Role-based-authorization-depending-on-HTTP-request-method-tp7579143p7579175.html
Sent from the Shiro User mailing list archive at Nabble.com.
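As an added example (not from Darren's reply or the Shiro project), the following stand-alone Java program loads the role-to-permission mapping above into an in-memory IniRealm and checks, for each HTTP method, the `stocks:<action>` permission that `rest[stocks]` would check for a request to /data/stocks/, so you can see that the `user` role passes GET/HEAD but is denied POST, PUT and DELETE while `admin` passes everything. The accounts `admin`/`bob` and their passwords are constructed for the demo, and the method-to-action table is my assumption of HttpMethodPermissionFilter's default mapping.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import java.util.LinkedHashMap;
import java.util.Map;
public class RestFilterPermissionDemo {
    // Assumed to mirror HttpMethodPermissionFilter's default HTTP method -> action table.
    static final Map<String, String> METHOD_ACTIONS = new LinkedHashMap<String, String>();
    static {
        METHOD_ACTIONS.put("GET", "read");    METHOD_ACTIONS.put("HEAD", "read");
        METHOD_ACTIONS.put("POST", "create"); METHOD_ACTIONS.put("PUT", "update");
        METHOD_ACTIONS.put("DELETE", "delete");
    }
    // Realm config from the reply above; the two accounts and their passwords are constructed for this demo.
    static final String SHIRO_INI =
            "[users]\n" + "admin = adminpass, admin\n" + "bob = bobpass, user\n" +
            "[roles]\n" + "admin = stocks:*\n" + "user = stocks:read\n";

    // rest[stocks] checks "stocks:<action>", with <action> derived from the HTTP method.
    static String permissionFor(String resource, String httpMethod) {
        String action = METHOD_ACTIONS.get(httpMethod.toUpperCase());
        if (action == null) throw new IllegalArgumentException("unmapped HTTP method " + httpMethod);
        return resource + ":" + action;
    }
    // Logs in as the given account and asks the realm the same question the filter would.
    static boolean mayCall(String user, String password, String httpMethod) {
        Subject subject = new Subject.Builder(SecurityUtils.getSecurityManager()).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        try {
            return subject.isPermitted(permissionFor("stocks", httpMethod));
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(SHIRO_INI);
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);
        String[][] accounts = {{"admin", "adminpass"}, {"bob", "bobpass"}};
        for (String[] acct : accounts) {
            for (String method : METHOD_ACTIONS.keySet()) {
                boolean ok = mayCall(acct[0], acct[1], method);
                System.out.println(acct[0] + " " + method + " /data/stocks/ -> " + (ok ? "allowed" : "denied"));
            }
        }
    }
}
```

Compile and run with shiro-core (1.2.x) and its commons-beanutils/slf4j dependencies on the classpath; the real filter derives the same permission string from the live request, so what the realm answers here is what the chain `/data/stocks/** = authc, rest[stocks]` will enforce.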
