On Wed, Sep 9, 2015 at 5:39 PM, Mark <[email protected]> wrote: > I am not interested in using annotations, so we don't need to worry about > that. > > The part I don't understand here is, how can you assign permissions to a > Subject dynamically? >
As far as I know, you can't. What you can do is to have your own, dynamic subclass of Permission. Your users will have a fixed set of permissions - they could be a single permissions object, or Read/Write or whatever, depending on the granularity you want to achieve. Those will, however, dynamically imply a variable set of permissions that reflect your data. An example will perhaps make it clearer. In Portofino[*], we have users with groups (roles) and an application made of pages which can be dynamically added, removed, moved around etc. Each page has its own permission setup - for example, /home will be readable by anyone, while /admin only by administrators, and /home/profile only by authenticated users. Page permissions can be changed dynamically as well and can be inherited from parent pages. So, computing permissions statically when the user logs in is not possible. Thus, each user is assigned a single Permission object which contains all their groups. http://sourceforge.net/p/portofino/mercurial/ci/default/tree/portofino-pageactions/src/main/java/com/manydesigns/portofino/shiro/GroupPermission.java Each page, on the other hand, is associated to a PagePermission object. http://sourceforge.net/p/portofino/mercurial/ci/default/tree/portofino-pageactions/src/main/java/com/manydesigns/portofino/shiro/PagePermission.java That object holds the actual permissions for that page, computed for each web request according to inheritance. The magic happens in GroupPermission.implies, which is called against the user's permissions and the page's declared permissions. So, in the end, user code only has to do PagePermission pagePermission = new PagePermission(...); if(subject.isPermitted(pagePermission)) { ... } Hope this helps. PS we do use annotations as well, because our data happens to be code (for the pages' methods). However, that won't be your case. [*] our web application framework, http://portofino.manydesigns.com > On Wed, Sep 9, 2015 at 11:12 AM, Tomas Lund Petersen < > [email protected]> wrote: > >> Hi, >> This is posible and I have done it. >> But you can't use annotations. You have to manually check for the users >> permisions using User.isPermited(requidedPermission); >> For example: >> f(SecurityUtils.getSubject().isPermitted(requiiredPermission)){ >> //do stuff here >> }else{ >> throw new UnauthorizedException (); >> } >> Where requiredPermission must be the permission asociated to access >> record XYZ or QRS in your example. You will have to look it up Dinamically. >> Hope it helps, >> Tomas Lund Petersen >> >> On Wed, Sep 9, 2015 at 11:49 AM, Mark <[email protected]> wrote: >> >>> Thanks for the information. Would it be possible to set a Subject's >>> record access at runtime? I'm envisioning the following scenario: >>> >>> User A, who is in Group 1 creates a record (XYZ) and only wants to have >>> full access for themself. >>> User B, who is also in Group 1 tries to access record XYZ. User B >>> should be denied. >>> >>> User C, who is in Group 1 creates a Record (QRS) wants everyone in their >>> group to read the record. >>> User D, who is in Group 1 wants to read record QRS. User D should be >>> able to read record QRS but not make changes. >>> >>> This feels like it should be similar to UNIX file permissions, but I >>> don't know how to enforce all this at runtime in Shiro. The first scenario >>> would make the record XYZ have permission of 600, while the permissions on >>> record QRS would be 660. Maybe I just need a custom class that can >>> translate this in Shiro. If so, would this require a custom >>> PermissionResolver? >>> >>> >>> >>> >>> On Wed, Sep 9, 2015 at 2:48 AM, scSynergy <[email protected]> >>> wrote: >>> >>>> You can verify whether a user / role has access to the record by >>>> including >>>> these lines at the very beginning of the method which retrieves it from >>>> your >>>> database: >>>> Set<WildcardPermission> permissions = new HashSet<>(); >>>> permissions.add(new WildcardPermission("record:read:user")); >>>> permissions.add(new WildcardPermission("record:write:user")); >>>> SecurityUtils.getSubject().checkPermission(permissions); >>>> // retrieve stuff from database >>>> >>>> The checkPermission method will continue on normally when the subject >>>> has >>>> the needed permissions and throw an UnauthorizedException if not. >>>> >>>> You can also use annotations like >>>> @RequiresPermissions({"record:read:user", >>>> "record:write:user"}) but then you cannot define the needed permissions >>>> dynamically because annotations require constant values - this is *not* >>>> a >>>> limitation of Shiro but of annotations. >>>> >>>> Have a look at the API to get an idea of what Shiro supports >>>> https://shiro.apache.org/static/1.2.3/apidocs/ . >>>> >>>> >>>> >>>> -- >>>> View this message in context: >>>> http://shiro-user.582556.n2.nabble.com/Dynamic-Authorization-tp7580696p7580697.html >>>> Sent from the Shiro User mailing list archive at Nabble.com. >>>> >>> >>> >> > -- *Alessio Stalla* | Software Architect M: +39 340 7824743 | T: +39 010 566441 | F: +39 010 8900455 [email protected] | www.manydesigns.com MANYDESIGNS s.r.l. Via G. D'Annunzio, 2/51 | 16121 Genova (GE) | Italy
