Wednesday 15 April 2015

authorization - does Apache Shiro support the user groups concept?


I am reading the Shiro documentation and never found any sign that Shiro supports the user group concept at the API level.

I expected that there would be methods like getUserGroups in Subject.java, but there are not. For example, if I write an application whose purpose is to work with multiple authentication systems, then when a user creates some object, I want to make it visible to all users in the groups of the object's creator, and to do this in an authentication-provider-agnostic way, using some facade API like Shiro's Subject.

But it seems that I am not using this Shiro API, is this correct?

How do you support the concept of user group in multi-authentication applications?

Do I have some UserGroupAwareSubject extensions?

As of 1.2, Shiro does not have a group concept in its API - it has the notion of roles and permissions as of 1.2.

This is not a problem if you have only roles, or if you can use the name of your group as the role identifier in the hasRole call (i.e. the 'role identifier' in realm.hasRole(roleIdentifier, authzInfo)).

If you have both roles and group concepts in your application, you probably will not be able to use subject.hasRole easily to check both. If you want it as a feature, please do one.

There are two options for this, though, if you want it to work:

  1. Have one realm where hasRole calls check against your roles, and another realm where realm.hasRole calls check against your groups.
  2. Use one realm to represent both, and prefix the string used for identifying the group with a recognizable token, for example:

      subject.hasRole("group:myGroupName");

    Then your realm can check whether the prefix is present, and if so, check a group, and if not, check a role.

    These options aside, what many people do in this case is ignore role and group checks completely and instead use permission checks in the code (more powerful):

      subject.isPermitted("document:1234:read");

    Then your realm can look at any of the subject's groups or roles to see whether it is allowed. If so, you do not need any group or role checks, because your code is based on permissions rather than on the (potentially unstable and numerous) concepts of groups and roles.

    There are some good reasons for this, but if you feel otherwise and still want groups represented in the Subject API, please open a feature request.

    Regards,

    LE
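
The prefix approach from option 2 together with the permission-based check from the answer, as an added example that is not part of the original answer or of Shiro's own code. `GroupAwareRealm`, `GroupAuthorizationInfo`, the in-memory maps and the String username principal are hypothetical; it assumes shiro-core on the classpath and Java 9+.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical authorization-only realm: roles, "group:"-prefixed checks, group permissions.
public class GroupAwareRealm extends AuthorizingRealm {
    static final String GROUP_PREFIX = "group:";

    // Constructed sample data standing in for a real user/group store.
    private final Map<String, Set<String>> rolesByUser = Map.of("alice", Set.of("editor"));
    private final Map<String, Set<String>> groupsByUser = Map.of("alice", Set.of("myGroupName"));
    private final Map<String, Set<String>> permsByGroup =
            Map.of("myGroupName", Set.of("document:1234:read"));

    // Keeps groups apart from roles so a role named "group:x" can never pass a group check.
    static class GroupAuthorizationInfo extends SimpleAuthorizationInfo {
        final Set<String> groups = new HashSet<>();
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Assumption: whichever realm authenticated the user set a String username principal.
        String user = String.valueOf(principals.getPrimaryPrincipal());
        GroupAuthorizationInfo info = new GroupAuthorizationInfo();
        info.addRoles(rolesByUser.getOrDefault(user, Set.of()));
        for (String group : groupsByUser.getOrDefault(user, Set.of())) {
            info.groups.add(group);
            // Group permissions flow to members, so subject.isPermitted(...) needs no group check.
            info.addStringPermissions(permsByGroup.getOrDefault(group, Set.of()));
        }
        return info;
    }

    @Override
    protected boolean hasRole(String roleIdentifier, AuthorizationInfo info) {
        if (roleIdentifier != null && roleIdentifier.startsWith(GROUP_PREFIX)) {
            return info instanceof GroupAuthorizationInfo && ((GroupAuthorizationInfo) info)
                    .groups.contains(roleIdentifier.substring(GROUP_PREFIX.length()));
        }
        return super.hasRole(roleIdentifier, info); // no prefix: ordinary role check
    }

    // Authentication stays with the application's other realms; this one only authorizes.
    @Override
    public boolean supports(AuthenticationToken token) { return false; }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) { return null; }
}
```

With this realm registered alongside the authenticating realms, `subject.hasRole("group:myGroupName")`, `subject.hasRole("editor")` and `subject.isPermitted("document:1234:read")` are all answered for the sample user, and a prefixed identifier is only ever compared against group membership.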
