I have a requirement to allow Subject.runAs(UserB) but with a limited set of
permissions.
eg I want to assume the identity of a person, but without allowing permission
to
leave the house for the assumed identity. but if the person logs in directly
they can do anything.
I have a user->roles->permissions model, and the most reasonable place to
assess
such a use seems for me to do something like:
protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection
principals) {
//somehow get the Subject for the given PrincipalCollection, then
if(subject.isRunAs())
check the parent subjects permissions (which maybe has something like
canRunAs:rolea,roleb:userid)
and use the roles defined there to determine the permissions with which
to build AuthorizationInfo
...
}
I could use SecurityUtils.getSubject() but it feels like an awful hack.
what's the best way to approach this?
PS - as an aside, the shiro documentation says that shiro has no notion of
roles->permissions association because its so application specific. But shiro's
stock iniRealm and all its subclasses understand the association very well and
I
think it a bit obtuse that a bunch of work is required if you want this
association with a realm thats not extending any of the iniRealm heirarchy. -
should be standard since its already available in the case where most people
will start with Shiro.
Thanks in advance
Jason.
