I can't seem to find an example to load the [users] AND [urls] from my JPA objects. I want to use shiro.ini for [main] section only.

The source code of what I achieved so far is this: Unable to @Inject my DAO in a Custom Apache Shiro AuthorizingRealm

Is there any example where [users] (user/pass) AND [urls] (roles, permissions) are FULLY loaded from the database? I can't seem to find that anywhere. I've been looking for it for 1 week now.


Solution

After some long research, the "best" solution I came up with was this:

shiro.ini

[main]
jsfFilter = com.test.security.CustomAuthorizationFilter
jsfFilter.loginUrl = /login.jsf

[urls]
/** = jsfFilter

You can add the methods to filter Ajax requests described by BalusC inside this filter.

CustomAuthorizationFilter.java

import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.mgt.AuthenticatingSecurityManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

public class CustomAuthorizationFilter extends AuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // JSF resource requests (/javax.faces.resource/...) are always allowed;
        // every other path must match one of the current user's path-shaped permissions.
        if (!httpRequest.getRequestURI().startsWith(httpRequest.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) {

            Subject subject = SecurityUtils.getSubject();

            AuthenticatingSecurityManager authenticatingSecurityManager = ((AuthenticatingSecurityManager) SecurityUtils.getSecurityManager());

            // JPARealm is the custom realm from the linked question; it has to expose
            // getAuthorizationInfo() publicly (it is protected in AuthorizingRealm).
            PrincipalCollection principals = subject.getPrincipals();
            JPARealm jpaRealm = (JPARealm) authenticatingSecurityManager.getRealms().iterator().next();
            AuthorizationInfo authorizationInfo = jpaRealm.getAuthorizationInfo(principals);

            // pathsMatch() is inherited from PathMatchingFilter and uses Ant-style patterns.
            for (String permission : authorizationInfo.getStringPermissions()) {
                if (pathsMatch(permission, request)) {
                    return true;
                }
            }

        } else {
            return true;
        }
        return false;
    }
}

The pathsMatch(permission, request) method will try to validate/compare the received string permission with the path the user is trying to access. This filter relies on ALWAYS having an authenticated user. If the subject.getPrincipal() is null, more coding is necessary. If anyone needs the whole code, let me know.
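The part the question asks for and the answer above leaves out, as an added example that is not from the original post: a JPARealm that loads the [users] data (username, password hash, salt) and the [urls] data (roles and path-shaped permissions) from JPA entities, and widens getAuthorizationInfo() so the filter above can call it. The User and Role entities, their field names and the injected EntityManager are assumptions, not on the page.

```java
import javax.inject.Inject;
import javax.persistence.EntityManager;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Hypothetical JPARealm: [users] and [urls] come from JPA entities instead of shiro.ini.
// Assumed entities: User(username, passwordHash, salt, roles) and Role(name, permissions),
// each permission being an Ant path such as "/admin/**" that the filter tests with pathsMatch().
public class JPARealm extends AuthorizingRealm {
    @Inject private EntityManager em; // assumed injected, as in the linked question

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        User user = findUser(username);
        if (user == null) {
            throw new UnknownAccountException("No account for " + username);
        }
        // Hand Shiro only the stored hash and salt; the realm's configured
        // HashedCredentialsMatcher performs the comparison, never this code.
        return new SimpleAuthenticationInfo(username, user.getPasswordHash(),
                ByteSource.Util.bytes(user.getSalt()), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        User user = findUser((String) principals.getPrimaryPrincipal());
        if (user != null) {
            for (Role role : user.getRoles()) {
                info.addRole(role.getName());
                info.addStringPermissions(role.getPermissions()); // e.g. "/admin/**"
            }
        }
        return info; // empty info: the filter denies every non-resource path
    }

    // Widened from protected to public so CustomAuthorizationFilter can call it.
    @Override
    public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
        return super.getAuthorizationInfo(principals);
    }

    private User findUser(String username) {
        return em.createQuery("SELECT u FROM User u WHERE u.username = :name", User.class)
                 .setParameter("name", username).getResultList().stream().findFirst().orElse(null);
    }
}
```

The password check itself is done by whatever CredentialsMatcher is set on the realm (for example HashedCredentialsMatcher with hashAlgorithmName set to the algorithm used when the stored hashes were produced), so the realm never compares plaintext.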

Licensed under: CC-BY-SA with attribution