Apache Shiro implied permissions
If a user has the permission user:edit:1 and I'm using the annotation-driven @RequiresPermissions("user:edit"), why is Shiro throwing an exception? Shouldn't that permission be implied by the fact that they have user:edit:1? If I put @RequiresPermissions("user:edit:1") then it works fine, but during the context of operation I won't know what 1 is yet, so that will be checked later in the method, but I'd like to avoid going into the method at all if they don't have the user:edit permission at all.
I don't think ascandroli's answer is correct, since the Shiro documentation states:
The following however is much less ideal for a runtime check:
if (SecurityUtils.getSubject().isPermitted("printer:print")) {
//print the document
}
Why? Because the second example says "You must be able to print to any printer for the following code block to execute". But remember that "printer:print" is equivalent to "printer:print:*"!
(Shiro Documentation)
So @RequiresPermissions("user:edit:*") means the same as @RequiresPermissions("user:edit"), i.e. that the principal needs to be able to edit any user.
"user:edit" implies "user:edit:1" but not the other way around.
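The direction of implication described in the answer above, as an added example that is not part of the original posts or of Shiro's own code. It uses Shiro's WildcardPermission directly (shiro-core on the classpath, Java 9+); the class name, the helper holdsSomeInstance and the sample grant are hypothetical, and the helper assumes each permission part holds a single value (no comma lists such as "edit,view").

```java
import java.util.List;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class ImpliedPermissionDemo {

    // The question a permission check asks of the user's grants:
    // does at least one granted permission imply the required one?
    static boolean isPermitted(List<Permission> granted, String required) {
        Permission req = new WildcardPermission(required);
        return granted.stream().anyMatch(g -> g.implies(req));
    }

    // Hypothetical coarse gate for the asker's case: does the user hold the
    // action for at least one instance? A narrower grant is found by asking
    // the broad permission whether it implies the grant (reverse direction);
    // an equal or broader grant is found the usual way.
    // Assumption: single-valued parts only.
    static boolean holdsSomeInstance(List<Permission> granted, String action) {
        Permission scope = new WildcardPermission(action);
        return granted.stream()
                .anyMatch(g -> scope.implies(g) || g.implies(scope));
    }

    public static void main(String[] args) {
        // Constructed sample grant: this user may edit user 1 only.
        List<Permission> granted =
                List.of(new WildcardPermission("user:edit:1"));

        // Exact instance, then the two spellings of "any user".
        for (String required :
                List.of("user:edit:1", "user:edit", "user:edit:*")) {
            System.out.println("isPermitted(" + required + ") = "
                    + isPermitted(granted, required));
        }

        // Coarse gate: an action the user holds for one instance,
        // then an action the user does not hold at all.
        for (String action : List.of("user:edit", "user:delete")) {
            System.out.println("holdsSomeInstance(" + action + ") = "
                    + holdsSomeInstance(granted, action));
        }
    }
}
```

The coarse gate only decides whether to enter the method; the instance-level check such as "user:edit:1" still has to run inside the method once the id is known.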
You can keep using @RequiresPermissions("user:edit") and then check for the "1" in your method. You can also use a wildcard @RequiresPermissions("user:edit:*"), which is exactly the same but I think it's clearer.