Ihor M.

Reputation: 3148

Apache Shiro Permissions: How to implement any of permission check

I have a list of the following permissions:

book:download:red,
book:download:blue,
book:download:green

Now, I want to check whether the subject has any of those permissions set. If at least one of them is present, permit.

So, on my REST controller, I am slapping this annotation with value:

@RequiresPermissions(value = "book:download:*")

It means, in my case, the subject has at minimum one valid book it can download, so let him in!

But, to my surprise, I get 403 with:

Subject does not have permission [book:download:*]

I would expect Shiro to use this wildcard and compare it against submitted permission like a REGEX check. And a result would have been - access allowed.

Please correct me if my understanding is wrong. And is there a way to achieve what I am asking here?

Upvotes: 0

Views: 651

Answers (2)

prashant.kr.mod

Reputation: 1692

You can use something like the following:

@RequiresPermissions(
    value = {
        PermissionsConstants.BOOK_DOWNLOAD_RED,
        PermissionsConstants.BOOK_DOWNLOAD_BLUE,
        PermissionsConstants.BOOK_DOWNLOAD_GREEN
    },
    logical = Logical.OR)

Upvotes: 0

Brian Demers

Reputation: 2080

Think of the match the other way: your resource has a specific permission "book:download:red", and your user can download any book because they have a more general permission book:download or book:download:* (or the same specific red permission).

You can also configure the annotation to use a logical "OR", where you could use your list of red, blue, or green: https://shiro.apache.org/static/1.7.1/apidocs/org/apache/shiro/authz/annotation/RequiresPermissions.html

See more: https://shiro.apache.org/permissions.html

Upvotes: 1
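
The direction of the match described in the answers above, as an added example that is not part of the original posts or of Shiro's own code. It uses Shiro's `WildcardPermission.implies` directly; the class name, the helper methods and the sample grants are hypothetical, and it assumes shiro-core is on the classpath.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

import java.util.List;

// Hypothetical demo class; needs shiro-core on the classpath.
public class AnyOfPermissionDemo {

    // Constructed sample grants, standing in for what a realm would return.
    static final List<Permission> RED_ONLY =
            List.of(new WildcardPermission("book:download:red"));
    static final List<Permission> ALL_COLOURS =
            List.of(new WildcardPermission("book:download:*"));

    // Same direction as Shiro's check: a GRANTED permission must imply the
    // REQUIRED one. The required string is never used as a pattern over grants.
    static boolean isPermitted(List<Permission> granted, String required) {
        Permission req = new WildcardPermission(required);
        return granted.stream().anyMatch(g -> g.implies(req));
    }

    // "Any of" check: the programmatic form of listing the permissions with Logical.OR.
    static boolean isPermittedAny(List<Permission> granted, String... required) {
        for (String r : required) {
            if (isPermitted(granted, r)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] colours = {"book:download:red", "book:download:blue", "book:download:green"};

        // The check from the question: a red-only subject against the wildcard requirement.
        System.out.println("red-only vs book:download:*  : " + isPermitted(RED_ONLY, "book:download:*"));
        // The any-of check over the explicit list.
        System.out.println("red-only vs any colour       : " + isPermittedAny(RED_ONLY, colours));
        // A wildcard GRANT covers every colour, so hand it out only where that is intended.
        System.out.println("wildcard grant vs blue       : " + isPermitted(ALL_COLOURS, "book:download:blue"));
        System.out.println("red-only vs blue             : " + isPermitted(RED_ONLY, "book:download:blue"));
    }
}
```

The first check is denied, which matches the 403 in the question, while the any-of check over the explicit list passes for the same subject. Granting `book:download:*` just to satisfy a wildcard requirement would also authorize every other colour, so the explicit OR list is the least-privilege option.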
