I am not interested in using annotations, so we don't need to worry about that.
The part I don't understand here is, how can you assign permissions to a Subject dynamically?

On Wed, Sep 9, 2015 at 11:12 AM, Tomas Lund Petersen <[email protected]> wrote:

> Hi,
> This is possible and I have done it.
> But you can't use annotations. You have to manually check for the user's
> permissions using User.isPermitted(requiredPermission);
> For example:
> if (SecurityUtils.getSubject().isPermitted(requiredPermission)) {
>     // do stuff here
> } else {
>     throw new UnauthorizedException();
> }
> Where requiredPermission must be the permission associated to access record
> XYZ or QRS in your example. You will have to look it up dynamically.
> Hope it helps,
> Tomas Lund Petersen
>
> On Wed, Sep 9, 2015 at 11:49 AM, Mark <[email protected]> wrote:
>
>> Thanks for the information. Would it be possible to set a Subject's
>> record access at runtime? I'm envisioning the following scenario:
>>
>> User A, who is in Group 1, creates a record (XYZ) and only wants to have
>> full access for themself.
>> User B, who is also in Group 1, tries to access record XYZ. User B should
>> be denied.
>>
>> User C, who is in Group 1, creates a record (QRS) and wants everyone in their
>> group to read the record.
>> User D, who is in Group 1, wants to read record QRS. User D should be
>> able to read record QRS but not make changes.
>>
>> This feels like it should be similar to UNIX file permissions, but I
>> don't know how to enforce all this at runtime in Shiro. The first scenario
>> would make the record XYZ have permission of 600, while the permissions on
>> record QRS would be 660. Maybe I just need a custom class that can
>> translate this in Shiro. If so, would this require a custom
>> PermissionResolver?
>>
>> On Wed, Sep 9, 2015 at 2:48 AM, scSynergy <[email protected]>
>> wrote:
>>
>>> You can verify whether a user / role has access to the record by
>>> including
>>> these lines at the very beginning of the method which retrieves it from
>>> your
>>> database:
>>> Set<Permission> permissions = new HashSet<>();
>>> permissions.add(new WildcardPermission("record:read:user"));
>>> permissions.add(new WildcardPermission("record:write:user"));
>>> // checkPermissions (plural) is the overload that accepts a collection
>>> SecurityUtils.getSubject().checkPermissions(permissions);
>>> // retrieve stuff from database
>>>
>>> The checkPermission method will continue on normally when the subject has
>>> the needed permissions and throw an UnauthorizedException if not.
>>>
>>> You can also use annotations like
>>> @RequiresPermissions({"record:read:user",
>>> "record:write:user"}) but then you cannot define the needed permissions
>>> dynamically because annotations require constant values - this is *not* a
>>> limitation of Shiro but of annotations.
>>>
>>> Have a look at the API to get an idea of what Shiro supports
>>> https://shiro.apache.org/static/1.2.3/apidocs/ .
>>>
>>> --
>>> View this message in context:
>>> http://shiro-user.582556.n2.nabble.com/Dynamic-Authorization-tp7580696p7580697.html
>>> Sent from the Shiro User mailing list archive at Nabble.com.
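
One way to make the UNIX-style idea from this thread concrete, as an added example that is not code from any of the posters or from the Shiro project: translate each record's mode into instance-level permissions (`record:<action>:<recordId>`) that a custom `AuthorizingRealm` could return from `doGetAuthorizationInfo`. `RecordMeta`, `permissionsFor`, the user and group names and the sample records are hypothetical; QRS uses mode 640 in the sample so that group members get read but not write.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class RecordModePermissions {
    // Hypothetical record metadata: owner, owning group, UNIX-style mode.
    record RecordMeta(String id, String owner, String group, int mode) {}

    // Translate the mode triplet that applies to this user into Shiro
    // permissions of the form record:<action>:<recordId>.
    static Set<Permission> permissionsFor(String user, Set<String> groups, List<RecordMeta> records) {
        Set<Permission> granted = new LinkedHashSet<>();
        for (RecordMeta r : records) {
            // ':' ',' and '*' are WildcardPermission syntax; an id containing
            // them would widen the grant, so reject anything unexpected.
            if (!r.id().matches("[A-Za-z0-9_-]+")) {
                throw new IllegalArgumentException("unsafe record id: " + r.id());
            }
            // Pick the owner, group or other triplet, as a file system would.
            int shift = r.owner().equals(user) ? 6 : groups.contains(r.group()) ? 3 : 0;
            int bits = (r.mode() >> shift) & 7;
            if ((bits & 4) != 0) granted.add(new WildcardPermission("record:read:" + r.id()));
            if ((bits & 2) != 0) granted.add(new WildcardPermission("record:write:" + r.id()));
        }
        return granted;
    }

    // Mirrors the realm's decision: one granted permission must imply the required one.
    static boolean isPermitted(Set<Permission> granted, String required) {
        Permission needed = new WildcardPermission(required);
        return granted.stream().anyMatch(p -> p.implies(needed));
    }

    public static void main(String[] args) {
        // Constructed sample data for the scenario in the thread.
        List<RecordMeta> records = List.of(
            new RecordMeta("XYZ", "userA", "group1", 0600),
            new RecordMeta("QRS", "userC", "group1", 0640));
        Set<Permission> b = permissionsFor("userB", Set.of("group1"), records);
        Set<Permission> d = permissionsFor("userD", Set.of("group1"), records);
        System.out.println("B read XYZ:  " + isPermitted(b, "record:read:XYZ"));
        System.out.println("D read QRS:  " + isPermitted(d, "record:read:QRS"));
        System.out.println("D write QRS: " + isPermitted(d, "record:write:QRS"));
    }
}
```

If the realm caches authorization info, a mode change on a record only takes effect once the affected users' cached entries are cleared. `WildcardPermission` lowercases its parts by default, so record ids that differ only by case map to the same permission.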
