Reputation: 58662
Grails Shiro plugin : confirming my understanding
I'm bit vague about how to start using the shiro plugin, after reading few documents. I decided against Nimble, as it comes with few tables and UI plugins.
I setup shiro plugin with wildcard realm, with my own tables. I may use permission based (rather tan role based) access control as it scales well. Now, the steps for it.
- assign the permission string to the subject, and save it in the db
- check the permission through isPermitted, hasPermission (or relevant tags in GSP).
Now,
1. when to use the accesscontrol through filter?
2. is there a closure injected into the controller where I can define the permission for the actions in it? I read somewhere about accessControl static closure on each controller, but not seems to be documented.
3. How do I create a typical access control scenario like only the creator of (something, a post etc) can delete it? One possibility is creating and persisting a permission string based on userid. to check the permission retrieve the object (post), get the userid and compare with subject.. seems bit complicated.. any easy implementation?
thanks a lot.. Babu.
Upvotes: 2
Views: 1159
Answers (1)
Reputation: 9120
1 when to use the access control security filter?
A. Use accessControl{true} when you want to limit access to controller actions to authenticated users.
B. Use accessControl() when you want to limit access to controller actions, regardless of parameter content, based on permissions "${controllerName}:${actionName}".
C. When you want to limit actions based on parameter content, e.g. only delete a domain object for which you have the delete permission "${name}:${id}:delete", you need to check isPermitted explicitly in the controller.
3 How do I create a typical access control scenario like only the creator?
I would add a the necessary permission(s) to the user when the post is created, e.g. "post:${postId}:*" This way the permissions belong to users and/or roles, and not to arbitrary domain objects, as intended in the Shiro way of working. As opposed to file system permissions, which belong to files and directories instead of users.
Upvotes: 1
Related Questions
- Error in shiro configuration in a Grails-app
- Status of Shiro plugin with Grails 3?
- Issues with Apache Shiro plugin, Grails 2.4.4 upgrade to 3.2.8
- Accessing specific controller in grails shiro plugin
- Need some explanation to understand how Grails works
- how to implement Shiro Security of Grails in my Project
- How do I get Shiro's annotations to work in Grails?
- Specifing package for ShiroUser in Grails
- How do we configure the grails shiro plugin v1.1.3?
- Using Shiro to secure services in grails