3

I am creating a REST service in Java using Dropwizard in combination with Apache Shiro for authentication and authorization. I extended JdbcRealm in order to make Shiro use my PostgreSQL database (which I access through Hibernate). Authentication works well. Creating group-level permissions is also very easy. Unfortunately, I was not able to find an idiomatic way to bind certain resource instances to specific users (subjects). I know that Shiro provides support for instance-level access control, but the documentation does not show a workflow which allows me to do the following:

  • User Alice creates resource X
  • User Bob should be allowed to read X, but not to write/delete it
  • User Alice should have full read/write/delete access to X

Any hints or recommendations are appreciated!

Marco Lamina

1 Answer

2

I'm investigating a similar problem where I have a multi-tenancy requirement, so I don't know who the tenant is at compile time, something like this type of permission string:

global:{tenant}:users:limited,c,r,u,d

You might want to take a look at PermissionResolver. I found this page quite helpful: AuthorizationConfiguration from the Shiro docs. The Shiro docs are a bit of a scattergun.

Alex Edwards
  • I ended up doing it all programmatically using `Subject.checkPermission()` and a DAO for permissions in my database! – Marco Lamina Jan 16 '15 at 08:10
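
The Alice/Bob workflow from the question, expressed with Shiro's `domain:action:instance` wildcard permissions, as an added example that is not code from either poster. `InstancePermissionStore` is a hypothetical in-memory stand-in for the permissions DAO mentioned in the comment, the `resource` domain and the user names are constructed, and only shiro-core is assumed on the classpath.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

/** Hypothetical in-memory stand-in for a permissions DAO; a real one would query the database. */
class InstancePermissionStore {
    // Ids are embedded in permission strings, so reject Shiro's syntax characters (: , *).
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]+");
    private final Map<String, Set<Permission>> grants = new ConcurrentHashMap<>();

    static String permission(String action, String resourceId) {
        if (!SAFE_ID.matcher(resourceId).matches())
            throw new IllegalArgumentException("unsafe resource id");
        return "resource:" + action + ":" + resourceId;
    }

    void grant(String user, String action, String resourceId) {
        // caseSensitive=true: the default lower-cases parts, so ids "X" and "x" would collide.
        grants.computeIfAbsent(user, u -> ConcurrentHashMap.newKeySet())
              .add(new WildcardPermission(permission(action, resourceId), true));
    }

    /** Default deny: true only if a stored grant implies the requested permission. */
    boolean isPermitted(String user, String action, String resourceId) {
        Permission wanted = new WildcardPermission(permission(action, resourceId), true);
        return grants.getOrDefault(user, Set.of()).stream().anyMatch(p -> p.implies(wanted));
    }
}

public class InstanceLevelDemo {
    public static void main(String[] args) {
        InstancePermissionStore store = new InstancePermissionStore();
        store.grant("alice", "*", "X");    // creator: every action on X
        store.grant("bob", "read", "X");   // shared: read-only on X

        for (String user : List.of("alice", "bob", "mallory"))      // mallory has no grant
            for (String action : List.of("read", "write", "delete"))
                System.out.printf("%-8s %-6s X -> %s%n", user, action,
                        store.isPermitted(user, action, "X") ? "allow" : "deny");
    }
}
```

In the service itself, the same permission strings would be returned by the realm's `doGetAuthorizationInfo()` and enforced with `Subject.checkPermission("resource:write:" + id)`, which throws an `AuthorizationException` when no stored grant implies the request.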