Reputation: 3644
Dynamic instance-level permissions with Apache Shiro
I am creating a REST service in Java using Dropwizard in combination with Apache Shiro for authentication and authorization. I extended JdbcRealm in order to make Shiro use my PostgreSQL database (which I access through Hibernate). Authentication works well. Creating group-level permissions is also very easy. Unfortunately, I was not able to find an idiomatic way to bind certain resource instances to specific users (subjects). I know that Shiro provides support for instance-level access control, but the documentation does not show a workflow which allows me to do the following:
- User Alice creates resource X
- User Bob should be allowed to read X, but not to write/delete it
- User Alice should have full read/write/delete access to X
Any hints or recommendations are appreciated!
Upvotes: 3
Views: 1667
Answers (1)
Reputation: 1673
I'm investigating a similar problem where I have a multi tenancy requirement so I don't know who the tenant is at compile time, something like this type of permission string:
global:{tenant}:users:limited,c,r,u,d
You might want to take a look at PermissionResolver I found this page quite helpful AuthorizationConfiguration from the shiro docs, the shiro docs are a bit of a scattergun
Upvotes: 2
Related Questions
- Can I use Apache Shiro for a hierarchical user model?
- How to deal with hierarchical roles/permissions using Apache Shiro?
- Defining a security model with implicit permissions / role
- Use Apache Shiro to restrict operation based on owner or admin role
- Integrate Apache Shiro Security Library with Dropwizard based JAX-RS application
- Store Permissions for Apache Shiro
- Shiro 'Any' Permission Instance
- Apache shiro implied permissions
- Getting confused with Apache Shiro and Custom Authorizing Realms
- Instance level access control in Apache Shiro