Using Shiro with JDBCRealm
My use case requires a user to submit a form to next user. The next user can only be someone with specific permission. This is to be known in order to show only valid Next user list for selection.
How can I get list of all the users that have a specific permission?
If not, Is there a workaround of getting the User permission strings from database and then at least reuse Shiro's logic to check if the user has specific permission?
Shiro is related to only security, authority, etc of current user not to the whole user base. You can use your standard sql queries to retrieve users with same permissions of the current logged in subject.
Why not use simple SQL query that matches current user permissions to other users permission and give a list. This way you will save memory and resource by not computing permissions logic in java again.
Related
I would like to get login user (username, roles ...) when start new process via KieSession.
Any one can help?
UserGroupCallback is the kie API entrypoint that it is responsible for verifying whether a user or group exists and for collecting groups for a specific user.
Notice that default UserGroupCallback is based on the security context, therefore it can only retrieve information about authenticated user.
You can see different custom implementations here:
https://github.com/kiegroup/jbpm/tree/master/jbpm-human-task/jbpm-human-task-core/src/main/java/org/jbpm/services/task/identity
And this is the property for configuring a custom one: org.jbpm.ht.custom.callback
I've made an app that utilizes Firestore. I am trying to find documentation on how to assign roles to my users. Ironically enough Google didn't help.
Time has come to set some security rules based on a users role. There will only be two roles; users and admin(s). Admins should be able read and write to everything but a user should only be able to read, write and delte its own content. Writing the rules for that is fine I suppose and well documented, but I can not seem to find any documentation on how to assign a role to a specific user. All my users are just regular users (I guess) including my own user. So adding the .isAdmin to a security check is kind of pointless.
Is there anyone out there that can point me in the right direction?
I am new in apache shiro, and I read almost 60% of tutorials in apache shiro page.
It is a wonderful framework, however I wonder if it can meet my requirements.
I am interested in the permission-based authentication.
For example, to make sure if the user have the permission of delete resources, we can use this:
currentUser.isPermitted( "resource:delete" );
However in our application, even a user have the permission of delete resources, he can only delete some specified resources, not all of them.
For example(just an exmaple), the resource have an filed named createdby to record the one who create this resource.
Now user can only delete the resources created by himself if he have the resouce:delete permission.
In fact, the resources which can be deleted by the user(who have authenticated and have delete permission) will be calculated by more constraints.
Now how to make shiro work in this suitation?
You can do this in Shiro but you will have to write some code. Either create a subclass of Authorizer and inject it into the security manager or create a subclass of one of the realm classes such as JdbcRealm. Then override the isPermitted method. This will need to have access to your permissions model, for example the database table or a document in a NoSQL database.
Your call to isPermitted will need to specify the resource you are deleting so you can look it up in your overridden method.
If you override the isPermitted method in the AuthorizingRealm subclass you will have access to the logged in user's principals and the user's Roles: this gives you quite a bit of flexibility because you can have says: user (principal) Fred with roles: Manager, Administrator. Your permissions model can then decide if Fred, a Manager or and Administrator can perform the task on the specified resource.
Hope that gives you some ideas.
From the extent, I have explored Shiro, I don't think it gives that level of flexibility to have a customized check. It basically functions based on roles and permission defined in the config file.
For this functionality I would suggest that you display only those records the user is allowed to delete, by have this check at query fetch level. (or) add a condition at the UI level not display the delete button if logged in user is same as created by. This is just a suggestion.
I am currently working on a project in which there are many threads that users can create. User's have different permissions for the threads that can be specified by users with admin permission. User's need to be added to the thread before they have access to it.
When a user is added to the thread, they are given either read, write or admin permission. Users can also be part of groups. These groups can then be added to a thread in which case, all users in the group will be added along with the permission that is specified for the group.
thread: {id: xxxxx, users:[{id:user01, permission: write, discovery: non}, {id:user02, permission: read, discovery: GroupA}]}
So a user can be added with an individual permission or they can be added with permission given to the group they are a part of. Discovery would specify whether the user was added individually or as a group.
I am wondering if this would be the best method of setting up Mongo for this sort of permission system and also how I would actually define this schema using Mongoose? I think that it would be fastest to have all these aspects embedded into each thread.
I'm making a application for facebook that will be used for academic research. Right now when the user goes to install the application I'll request additional information which is stated in the extended permissions.
I would perfectly understand someone not wanting to give out certain aspects of this information (It's just used to gather statistics about people taking part , education, religion etc.)
Does anyone know the best way to filter the permissions? For instance maybe someone is willing to give their age but not education. Therefore can I remove the education request from my application install request dynamically?
If you want to ask the user for only those permissions that he wants to give, you can take input from him before redirecting to Facebook login. You can generate the url for requesting permissions based on this custom set of permissions using the 'perms' attribute of the <fb:loginbutton /> tag or pass the list of permissions you want to the $facebook->getLoginUrl(array('req_perms' => $perms)) call.
To keep track of permission changes, you can use the realtime updates offered. You can know more about it here.
You certainly could build an up-front permissions matrix that the user could cherry-pick from. And that would probably be the way to do it, since you can't do anything to customize the permission challenge that the Facebook Platform generates.
The trick would be keeping track of which permissions the user granted in the given access token you'll receive from back from the Platform. Especially since users can change the permissions granted to your application w/o visiting the application itself - so you'll want to be hooked in to that info via the Real Time Updates.