shiro.ini role "or" matching

shiro.ini role "or" matching

Rob Young
Hi there,

In the web section of shiro.ini, I'd love to be able to do something like:

/staff/** = roles[staff] OR roles[qa]

I realize this isn't really the shiro way of doing things but it would sure be handy for some features I'm working on.  Is there a way to do this in the shiro.ini DSL?

Thanks,
Rob
Re: shiro.ini role "or" matching

Brian Demers
There is a related issue open: https://issues.apache.org/jira/browse/SHIRO-314
Take a look at that one if you want to comment/add anything.

Though the way I typically recommend solving this type of problem is with permissions.

In this case say we define a 'staff:read' and assign it to your path: /staff/** = perms["staff:read"]

Then you could add this permission to your roles
staff = staff:read
qa = staff:*
admin = *

Any of these roles would be allowed access to your /staff/** resources



Does that help?
-Brian


On Sun, Jun 4, 2017 at 8:49 AM, Rob Young <[hidden email]> wrote:
Hi there,

In the web section of shiro.ini, I'd love to be able to do something like:

/staff/** = roles[staff] OR roles[qa]

I realize this isn't really the shiro way of doing things but it would sure be handy for some features I'm working on.  Is there a way to do this in the shiro.ini DSL?

Thanks,
Rob

Re: shiro.ini role "or" matching

Rob Young
Hey Brian!

The example was a bit of a simple example.  I've decided to bite the bullet and create a roles to permissions mapping in my application, to be honest it is probably for the best in the long term.

I had been delaying this issue, but honestly some application code is looking a lot saner now that I've bit the bullet.

Thanks!
Rob

On Mon, Jun 5, 2017 at 11:01 AM, Brian Demers <[hidden email]> wrote:
There is a related issue open: https://issues.apache.org/jira/browse/SHIRO-314
Take a look at that one if you want to comment/add anything.

Though the way I typically recommend solving this type of problem is with permissions.

In this case say we define a 'staff:read' and assign it to your path: /staff/** = perms["staff:read"]

Then you could add this permission to your roles
staff = staff:read
qa = staff:*
admin = *

Any of these roles would be allowed access to your /staff/** resources



Does that help?
-Brian


On Sun, Jun 4, 2017 at 8:49 AM, Rob Young <[hidden email]> wrote:
Hi there,

In the web section of shiro.ini, I'd love to be able to do something like:

/staff/** = roles[staff] OR roles[qa]

I realize this isn't really the shiro way of doing things but it would sure be handy for some features I'm working on.  Is there a way to do this in the shiro.ini DSL?

Thanks,
Rob
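
The permission-based approach from Brian's reply, and the roles-to-permissions mapping Rob settled on, as an added example that is not part of the original thread and not Shiro's own code: a simplified Python model of wildcard permission implication, showing why a single perms["staff:read"] rule behaves like an OR across roles. The `intern` role, the `docs:read` permission and the role lists passed in are constructed for illustration.

```python
# Added example: simplified model of Shiro-style wildcard permission checks.
# Not Shiro's code. staff/qa/admin mappings come from the thread; "intern"
# and "docs:read" are constructed to show a role that is denied.

ROLE_PERMISSIONS = {
    "staff": ["staff:read"],
    "qa": ["staff:*"],
    "admin": ["*"],
    "intern": ["docs:read"],  # constructed: no staff permission at all
}


def parse(permission):
    """Split 'a:b,c' into [{'a'}, {'b', 'c'}], lower-cased."""
    return [set(part.lower().split(",")) for part in permission.strip().split(":")]


def implies(granted, required):
    """True if the granted wildcard permission covers the required one."""
    g, r = parse(granted), parse(required)
    for i, needed in enumerate(r):
        if i >= len(g):
            return True  # granted is shorter: remaining parts are implied
        if "*" not in g[i] and not needed <= g[i]:
            return False
    # granted is longer than required: the extra parts must all be wildcards
    return all("*" in part for part in g[len(r):])


def is_permitted(roles, required):
    """OR semantics: any permission of any held role may grant access."""
    return any(
        implies(granted, required)
        for role in roles
        for granted in ROLE_PERMISSIONS.get(role, [])
    )


def check_staff_path(roles):
    """Models /staff/** = perms["staff:read"] for a user holding `roles`."""
    return is_permitted(roles, "staff:read")


if __name__ == "__main__":
    for roles in (["staff"], ["qa"], ["admin"], ["intern"], ["intern", "qa"], []):
        print(roles, "->", "allow" if check_staff_path(roles) else "deny")
```

Implication runs one way only: `staff:*` covers `staff:read`, but a role holding just `staff:read` is not granted `staff:write`, so the narrowest permission that fits belongs on the path and broader grants belong on the roles.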