Question

I'm refactoring a webapp's security module with Shiro and having trouble with logical operations on multiple auth filters.

For example, an Article entity. Everyone can post a new Article, but only the Article owner/creator OR a system admin role can modify an existing Article.

To achieve this, I created an OwnerAuthzFilter (extends org.apache.shiro.web.filter.authz.AuthorizationFilter) to check if the current user is the creator of an entity.

I'd like to configure the restrictions in the [urls] section of shiro.ini like:

[main]
ownerOf = my.OwnerAuthzFilter
[urls]
#ownerOf checks if a user is owner of entity "article" with request parameter "id"
/article/update*=authc, ownerOf["article","id"] OR roles["admin"] 

It seems Shiro does not provide logical expressions for URL filters. Its Logical only works with annotations, and only for filters of the same type (like RequiresRoles, RequiresPermissions).

In my case, I need to authorize the operation by checking the logical OR of the custom OwnerAuthzFilter and the built-in RolesAuthorizationFilter.

Does anybody have hints on how to implement this?


Solution

Why not write a special filter for that as well? You can put any string in your filter array, so you can write your own logical operators.

You can think of anything, for example:

/article/update*=authc, ownerOf["article","id", or(roles(admin))"] 

And then parse the string and apply the correct authorization logic you want.
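One way to realize the suggested custom filter, as an added example that is not part of the original answer: a single AuthorizationFilter that grants access when the subject owns the entity OR holds any configured role, and denies on any misconfiguration or missing id. The filter name `ownerOrRole`, the `OwnershipService` hook and its `$ownershipService` bean reference are assumptions; `isAccessAllowed`, `SecurityUtils.getSubject()` and `Subject.hasRole` are Shiro's real API.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * Hypothetical shiro.ini wiring (filter name and bean are assumptions):
 *   [main]
 *   ownerOrRole = my.OwnerOrRoleAuthzFilter
 *   ownerOrRole.ownershipService = $ownershipService
 *   [urls]
 *   /article/update* = authc, ownerOrRole["article","id","admin"]
 */
public class OwnerOrRoleAuthzFilter extends AuthorizationFilter {

    /** Hypothetical application hook that answers "does this principal own entityType/entityId?" */
    public interface OwnershipService {
        boolean isOwner(Object principal, String entityType, String entityId);
    }

    private OwnershipService ownershipService;

    public void setOwnershipService(OwnershipService ownershipService) {
        this.ownershipService = ownershipService;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // Shiro hands the bracketed values over as String[]: [entityType, paramName, role...]
        String[] cfg = (String[]) mappedValue;
        if (cfg == null || cfg.length < 2 || ownershipService == null) {
            return false; // misconfiguration: fail closed, never open
        }
        Subject subject = SecurityUtils.getSubject();
        Object principal = subject.getPrincipal();
        if (principal == null) {
            return false; // authc should have run first; an anonymous caller owns nothing
        }
        // Role branch of the OR: any one of the configured roles is sufficient
        for (int i = 2; i < cfg.length; i++) {
            if (subject.hasRole(cfg[i].trim())) {
                return true;
            }
        }
        // Ownership branch: without an id we cannot prove ownership, so deny
        String entityId = request.getParameter(cfg[1].trim());
        if (entityId == null || entityId.isEmpty()) {
            return false;
        }
        return ownershipService.isOwner(principal, cfg[0].trim(), entityId);
    }
}
```

Because the role check runs before the ownership lookup, an admin never triggers a database query, and a request that fails both branches gets Shiro's standard unauthorized handling from the parent class.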

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow