Why do permissions depend on roles?


raupach
Hi group, hi Brian,

maybe you can help me understand some things about permissions in web applications.

I started with this configuration in shiro.ini (OK, this is an example, not the real one):

[main]
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.credentialsMatcher = $passwordMatcher
jdbcRealm.authenticationQuery = select Passwort from Benutzer where EMail = ?
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.permissionsQuery = call Permissions(?)

[urls]
/secure/foo/** = ssl, authc, perms["foo"]
/secure/bar/** = ssl, authc, perms["bar"]
/secure/** = ssl, authc
/logout = ssl, logout
/** = ssl

According to the reference manual that should be fine. See https://shiro.apache.org/web.html and the URL section.

(Note: The permissionsQuery calls a StoredProcedure. That works for MySQL.)

So the idea is that everything under /secure/ needs SSL and you have to be authorized. Additionally, some URL paths need a further permission to allow access: foo and bar.

Compile, package and run.

The login in my web application works. Now I tried to access /secure/bar/index.html.

Failure 500

10-Aug-2017 10:18:29.648 SEVERE [https-jsse-nio-8443-exec-8] org.apache.shiro.realm.jdbc.JdbcRealm.doGetAuthorizationInfo There was a SQL error while authorizing user [[hidden email]]
 com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 'mydb.user_roles' doesn't exist

Ok, this is odd. Looks like the JDBC Realm executes the default userRolesQuery even if there is not a single role needed anywhere.

To overcome this I just added a dummy query to shiro.ini. This should give every authenticated subject a role of 'user':

jdbcRealm.userRolesQuery = select 'user' from Benutzer where Email = ?

Compile, package and run.

The login in my web application works. Now I tried to access /secure/bar/index.html.

Failure 401

Odd again. I checked several times that the subject '[hidden email]' has the permissions foo and bar. I looked through the source of JdbcRealm and found this:

[...]
        PreparedStatement ps = null;
        Set<String> permissions = new LinkedHashSet<String>();
        try {
            ps = conn.prepareStatement(permissionsQuery);
            // one execution of permissionsQuery per role name, never per principal
            for (String roleName : roleNames) {

                ps.setString(1, roleName);

                ResultSet rs = null;
[...]

The permissionsQuery sets the role as the parameter not the principal. Why do the permissions depend on roles?

By changing the permission query I could cheat my way out of this:

jdbcRealm.userRolesQuery = select Email from Benutzer where Email = ?

Compile, package and run.

Everything works as expected. Perfect!

But again: why do permissions depend on roles? Did I miss this in the reference documentation? I expected permissions to be independent of roles.

Example:
/secure/foo/** = ssl, authc, roles[admin], perms["foo"]

To access everything under /foo/ I would expect that you need ssl, be authenticated, have the role admin and the permission foo.

/secure/foo/** = ssl, authc, perms["foo"]

To access everything under /foo/ I would expect that you need ssl, be authenticated, and the permission foo. No role needed.


Hope you have time to answer. As always, thanks for the great work. I hope in time I can contribute to this great project.

/Björn
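An added example, not from the post above and not Apache Shiro's own code, showing the answer a practitioner would want to the question in the post: the stock JdbcRealm assumes a users / user_roles / roles_permissions schema, so its `permissionsQuery` is keyed by role name and is run once per role returned by `userRolesQuery`, exactly as the loop quoted from the source shows. If the database keys permissions by principal instead, the clean way is to override `doGetAuthorizationInfo` rather than return the e-mail address as a role name. The package name, the `userPermissionsQuery` / `rolesLookupEnabled` properties and the `Permissions(?)` stored procedure that takes the principal are assumptions of this example.

```java
package com.example.shiro; // hypothetical package, not part of Shiro

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.JdbcUtils;

/**
 * JdbcRealm subclass that loads permissions by principal instead of by role.
 * Added example; neither the original poster's code nor Shiro's own.
 */
public class PrincipalPermissionsJdbcRealm extends JdbcRealm {

    // Assumed: a query or stored procedure that takes the principal (e-mail),
    // not a role name, and returns one permission string per row ("foo", "bar", ...).
    private String userPermissionsQuery = "call Permissions(?)";

    // Assumed switch: when false, userRolesQuery is never executed, so a schema
    // without role tables does not trigger the "Table 'user_roles' doesn't exist" error.
    private boolean rolesLookupEnabled = false;

    public void setUserPermissionsQuery(String userPermissionsQuery) {
        this.userPermissionsQuery = userPermissionsQuery;
    }

    public void setRolesLookupEnabled(boolean rolesLookupEnabled) {
        this.rolesLookupEnabled = rolesLookupEnabled;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        if (principals == null) {
            throw new AuthorizationException("PrincipalCollection method argument cannot be null.");
        }
        String username = (String) getAvailablePrincipal(principals);

        Set<String> roleNames = new LinkedHashSet<String>();
        Set<String> permissions = new LinkedHashSet<String>();
        Connection conn = null;
        try {
            conn = dataSource.getConnection();
            if (rolesLookupEnabled) {
                // Stock behaviour, reused from JdbcRealm: roles keyed by principal.
                roleNames.addAll(getRoleNamesForUser(conn, username));
            }
            // The part stock JdbcRealm keys by role: here keyed by principal.
            permissions.addAll(getPermissionsForUser(conn, username));
        } catch (SQLException e) {
            throw new AuthorizationException(
                    "There was a SQL error while authorizing user [" + username + "]", e);
        } finally {
            JdbcUtils.closeConnection(conn);
        }

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);
        info.setStringPermissions(permissions);
        return info;
    }

    private Set<String> getPermissionsForUser(Connection conn, String username)
            throws SQLException {
        Set<String> permissions = new LinkedHashSet<String>();
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            ps = conn.prepareStatement(userPermissionsQuery);
            ps.setString(1, username); // bind the principal, never a role name
            rs = ps.executeQuery();
            while (rs.next()) {
                permissions.add(rs.getString(1));
            }
        } finally {
            JdbcUtils.closeResultSet(rs);
            JdbcUtils.closeStatement(ps);
        }
        return permissions;
    }
}
```

In shiro.ini this replaces the realm class (`jdbcRealm = com.example.shiro.PrincipalPermissionsJdbcRealm`), keeps `dataSource`, `credentialsMatcher` and `authenticationQuery` as they were, sets `jdbcRealm.userPermissionsQuery = call Permissions(?)` and leaves `userRolesQuery` and `permissionsQuery` unset; `perms["foo"]` and `perms["bar"]` then work without any role rows. The reason to prefer this over the `select Email from Benutzer ...` workaround is that the workaround turns every e-mail address into a role: `subject.hasRole("someone@example.org")` becomes true for that user, and a `roles[...]` filter or `checkRole` call whose role name happens to equal an address would pass, which is a distinct authorization decision the application never intended to make.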
