Using Shiro for permission-based resource lookup

pashazz
My Spring application has various types of resources that some users have permission to read, update, delete, etc. I will use the Stormtrooper example from the Shiro documentation to illustrate my goals.

As far as I'm concerned, Shiro has item-level permissions in the form "domain:action:item_id". So, the GET controller method would be rewritten as:

import org.apache.shiro.SecurityUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

@GetMapping(path = "/{id}")
public Stormtrooper getTrooper(@PathVariable("id") String id) throws NotFoundException {
    // Instance-based annotations are not supported, so we use a direct check instead.
    // checkPermission() throws AuthorizationException if the subject lacks the permission.
    SecurityUtils.getSubject().checkPermission(String.format("troopers:read:%s", id));
    Stormtrooper stormtrooper = trooperDao.getStormtrooper(id);
    if (stormtrooper == null) {
        throw new NotFoundException(id);
    }
    return stormtrooper;
}

Now I would like to implement a method that lists all Stormtroopers for a given User. I can't use @RequiresPermissions("troopers:read") as there may be users who can only read some stormtroopers, not all of them.


I need some mechanism to obtain all objects of a given type that the user is permitted to read. Given a permission wildcard, say "troopers:read:*", I want to get all permissions that satisfy it and then ask the DAO for these objects and return them as a collection.

How can I achieve that?

Thanks in advance.
Re: Using Shiro for permission-based resource lookup

Brian Demers
This _could_ be application-specific, depending on how your data is stored (i.e. somehow push that logic into your database). 
That said, you _could_ just iterate over a collection and filter out items the user does not have access to (`subject.isPermitted(...)` in place of `checkPermission`).

I mention pushing this into your datastore because filtering all the items in memory may not scale for you, and gets more complicated if you need to paginate your results.

On Wed, Dec 25, 2019 at 11:03 AM pashazz <[hidden email]> wrote:
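As an added example (not code from this thread, and not Shiro's own), the following carries Brian's "iterate and filter" suggestion through in Java 17 against Shiro core, including the pagination wrinkle he mentions and the listing requirement from the question. Everything outside the Shiro API is assumed: the `Stormtrooper` record stands in for the tutorial entity, `TrooperSource.fetchAfter` is a hypothetical DAO contract (rows ordered by id, only ids after a cursor), and the accounts, roles and trooper rows are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ReadableTroopers {

    /** Stand-in for the tutorial's Stormtrooper entity (assumed shape). */
    record Stormtrooper(String id, String name) {}

    /** Hypothetical DAO contract: rows in id order, only id > cursorId (null = start), at most limit rows. */
    interface TrooperSource {
        List<Stormtrooper> fetchAfter(String cursorId, int limit);
    }

    /**
     * "Iterate and filter" from the reply: one batched isPermitted() call returns a
     * boolean per candidate, so the realm (and its cache) is consulted once per item.
     * Still O(n) in the candidate set, which is why the reply warns about scale.
     */
    static List<Stormtrooper> readable(Subject subject, List<Stormtrooper> candidates) {
        if (candidates.isEmpty()) return List.of();
        String[] perms = candidates.stream()
                .map(t -> "troopers:read:" + t.id())
                .toArray(String[]::new);
        boolean[] allowed = subject.isPermitted(perms);
        List<Stormtrooper> out = new ArrayList<>();
        for (int i = 0; i < candidates.size(); i++) {
            if (allowed[i]) out.add(candidates.get(i));
        }
        return out;
    }

    /**
     * Pagination over the filtered view. An offset into the unfiltered table does not
     * correspond to a position in the filtered result, so page with a keyset cursor:
     * pull batches after the last id seen and keep filtering until the page is full.
     * The caller passes the last id of the previous page as the next cursor.
     */
    static List<Stormtrooper> readablePage(Subject subject, TrooperSource source,
                                          String cursorId, int pageSize) {
        List<Stormtrooper> page = new ArrayList<>();
        String cursor = cursorId;
        while (page.size() < pageSize) {
            List<Stormtrooper> batch = source.fetchAfter(cursor, pageSize);
            if (batch.isEmpty()) break;               // store exhausted
            for (Stormtrooper t : readable(subject, batch)) {
                if (page.size() == pageSize) break;
                page.add(t);
            }
            cursor = batch.get(batch.size() - 1).id();
        }
        return page;
    }

    public static void main(String[] args) {
        // Constructed accounts and grants for the demo; not taken from the thread.
        Ini ini = new Ini();
        ini.addSection("users");
        ini.getSection("users").put("luke", "pw, pilot");
        ini.getSection("users").put("vader", "pw, lord");
        ini.getSection("users").put("han", "pw, smuggler");
        ini.addSection("roles");
        ini.getSection("roles").put("pilot", "troopers:read:TK-421, troopers:read:TK-422");
        ini.getSection("roles").put("lord", "troopers:*");
        // No instance part: WildcardPermission treats a missing trailing part as "*",
        // so "troopers:read" satisfies "troopers:read:<any id>". A grant like this is
        // exactly what makes a @RequiresPermissions("troopers:read") gate all-or-nothing.
        ini.getSection("roles").put("smuggler", "troopers:read");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));

        // Constructed rows, kept in id order so the fake source can page by cursor.
        List<Stormtrooper> all = List.of(
                new Stormtrooper("FN-2187", "Deserter"),
                new Stormtrooper("TK-421", "Cell block guard"),
                new Stormtrooper("TK-422", "Cell block guard"),
                new Stormtrooper("TK-710", "Patrol"));
        TrooperSource source = (cursor, limit) -> all.stream()
                .filter(t -> cursor == null || t.id().compareTo(cursor) > 0)
                .limit(limit)
                .toList();

        for (String user : List.of("luke", "vader", "han")) {
            Subject subject = new Subject.Builder().buildSubject();
            subject.login(new UsernamePasswordToken(user, "pw"));
            System.out.println(user + " readable: "
                    + readable(subject, all).stream().map(Stormtrooper::id).toList());
            System.out.println(user + " first page of 1: "
                    + readablePage(subject, source, null, 1).stream().map(Stormtrooper::id).toList());
            subject.logout();
        }
    }
}
```

Compile and run with shiro-core (and its slf4j dependency) on the classpath. luke sees only TK-421 and TK-422, and his first page of size 1 is TK-421 because the cursor loop skips past FN-2187; vader (troopers:*) and han (troopers:read, no instance part) see all four. If you take the other route Brian mentions and express the filter as a query over your own permission table, that query has to reproduce WildcardPermission's matching rules (`*`, comma-separated subparts, and missing trailing parts implying `*`), otherwise the list endpoint and the single-item GET will disagree about what a user may see. Keeping the per-item `checkPermission` on the GET means an over-generous list still cannot be dereferenced.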