Apache Shiro, INI-Configuration, Perms per URL: How to get URL params?

Posted by Marcus Schultö on Stack Overflow See other posts from Stack Overflow or by Marcus Schultö
Published on 2012-10-30T21:30:15Z Indexed on 2012/10/31 11:00 UTC
Read the original article Hit count: 249

Filed under:
|
|

I want to use Apache Shiro[1] in my JSF-Application to perform URL-based authorization checks, configuration done in shiro.ini As I see in the Shiro-documentation[2] there is a way to use a "perms"-filter

/remoting/rpc/** = authc, perms["remote:invoke"]

In my scenario I want this functionality, but on entity-level[3], where the entity-Id is in the http-request

# "Open settings for user with id=123":
# /user/settings.xhtml?user_id=123
/user/settings.xhtml = perms["user:update:XXX"]

So, how do I do this with Shiro? How to I tell the perms-filter to check for http-params? Or is this supposed to be done in my Realm-Implemenation, concrete by calling FacesContext?

[1] https://shiro.apache.org

[2] https://shiro.apache.org/web.html#Web-webini

[3] This can be done at least programmatically:

SecurityUtils.getSubject().isPermitted("printer:query:lp7200")

https://shiro.apache.org/permissions.html

© Stack Overflow or respective owner

Related posts about jsf

Related posts about authorization