Summary
Support a Shiro Wildcard Permissions-like feature
Expected Behavior
Shiro's Wildcard Permissions feature is one big highlight over Spring Security. This is one important reason a lot of companies are still using Shiro over Spring Security. Any plan to implement a similar feature? Then I can persuade other programmers to switch to Spring Security. Thanks!
Comment From: HerrDerb
I'm actually just implementing this for the method security context in my project. It's not really hard. Maybe this can be helpful.
The first thing is a PermissionVoter, including a static vote method for programmatic use.
PermissioVoter.txt
The second thing is a special GrantedAuthority called Permission (how unexpected).
Permission.txt
Finally, configure the AccessDecisionManager.
MethodSecurityConfig.txt
Why do we want a special Permission object?
We could also use a regular GrantedAuthority containing a permission String like "feature1:read:files". Doing this means we need to split the string on every permission check. This is an unnecessary waste of performance and memory. The Permission object already splits the string into its parts on initialization, therefore only once.
Comment From: jiming
Dear @HerrDerb,
Thanks for your reply.
Spring Security is an official subproject of Spring. Logically speaking, when a project needs an auth solution, Spring Security should be the first option. However, in China, most projects I know are using Shiro. It is a pity for Spring Security.
The two reasons I know developers like Shiro are ease of use and wildcard permissions (which are super powerful for complex permissions).
With the Spring Security 4.0 release, I think the ease of use is a big improvement and acceptable. Thank you for it very much.
Now I can describe why I want wildcard permissions. Let's say I have permissions as follows:
orderSystem.[order|payment|refund]:[view|modify|delete]
[xxx|yy] means optional.
Person admin with permission setting *:* can do anything.
Person orderManager with permission setting orderSystem.*:* can do anything under orderSystem.
Person orderDealer with permission setting orderSystem.order:view,modify can view and modify orderSystem.order objects.
Person payDealer with permission setting orderSystem.payment,refund:view,modify can view and modify the orderSystem.payment and orderSystem.refund domains.
About performance: usually complex permissions using wildcard permissions are in backend systems. There are far fewer requests than for the web app of a huge web site. So functionality is more important than performance.
Shiro uses AntPathMatcher to split the permission and caches the permission objects.
Since you already finished it, why not add it into Spring Security as an official feature? After that I can more easily recommend Spring Security over Shiro in the future :)
Thanks and have a nice day!
Jiming
Comment From: jiming
A code example
@RequiresPermissions(value={"channel:edit","channel:create"},logical=Logical.OR)
Comment From: HerrDerb
My implementation still needs improvement; currently it's only a prototype. Once this is done, I'll create a pull request.
Comment From: jiming
Great to hear that!
Comment From: jccode
+1
Comment From: HerrDerb
I've prepared a basic commit for this issue. Discussing it now in https://gitter.im/spring-projects/spring-security?source=explore before I create a pull request.
Comment From: HerrDerb
I've integrated the AntPathMatcher and changed to the following permission scheme:
path.subpath.subsubpath.resource:permission1,permission2:objectIdentifier ->
test.module1.users:read,write:admin,operator implies read and write operations on user admin and operator
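To make the implication rules in this thread concrete, here is an added example (not HerrDerb's prototype and not Spring Security or Shiro code) of a hypothetical `WildcardPermission` class that handles both the `domain:actions` permissions listed by jiming above and the three-part `resource:permissions:objectIdentifier` scheme just described. It assumes Java 11 or newer, Shiro-style semantics for grants of different length (a shorter grant implies any longer requirement; a longer grant implies a shorter requirement only if its extra parts are all `*`), and that a `*` inside a dotted path such as `orderSystem.*` matches one path segment. The string is split once in the constructor, which is the performance argument made for a dedicated Permission object earlier in the thread.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical wildcard permission: parts split on ':', alternatives inside a
// part split on ',', '*' as wildcard. Parsed ONCE in the constructor, so
// implies() never re-splits the string (the performance point made above).
public final class WildcardPermission {
    private static final String WILDCARD = "*";
    // Assumption: a '*' inside a dotted path ("orderSystem.*") matches one path segment.
    private static final String SEGMENT_WILDCARD = "[^.]*";

    private final List<Set<String>> parts = new ArrayList<>();

    public WildcardPermission(String spec) {
        if (spec == null || spec.trim().isEmpty()) {
            throw new IllegalArgumentException("permission must not be empty");
        }
        for (String part : spec.trim().split(":", -1)) {
            Set<String> alternatives = new LinkedHashSet<>();
            for (String alt : part.split(",", -1)) {
                String a = alt.trim();
                if (a.isEmpty()) {
                    throw new IllegalArgumentException("empty part in '" + spec + "'");
                }
                alternatives.add(a);
            }
            parts.add(alternatives);
        }
    }

    // True if this (granted) permission covers the required one.
    public boolean implies(WildcardPermission required) {
        int i = 0;
        for (Set<String> requiredPart : required.parts) {
            if (i >= parts.size()) {
                return true; // shorter grant: missing trailing parts count as '*'
            }
            Set<String> grantedPart = parts.get(i++);
            for (String req : requiredPart) {
                if (!covers(grantedPart, req)) {
                    return false;
                }
            }
        }
        for (; i < parts.size(); i++) {
            if (!parts.get(i).contains(WILDCARD)) {
                return false; // longer grant: its extra parts must all be '*'
            }
        }
        return true;
    }

    private static boolean covers(Set<String> granted, String required) {
        for (String g : granted) {
            if (g.equals(WILDCARD) || g.equals(required)) {
                return true;
            }
            if (g.contains(WILDCARD)) {
                // Turn "orderSystem.*" into a regex; literal pieces are quoted.
                StringBuilder regex = new StringBuilder();
                String[] literal = g.split("\\*", -1);
                for (int k = 0; k < literal.length; k++) {
                    if (k > 0) {
                        regex.append(SEGMENT_WILDCARD);
                    }
                    regex.append(Pattern.quote(literal[k]));
                }
                if (Pattern.matches(regex.toString(), required)) {
                    return true;
                }
            }
        }
        return false;
    }

    // The check a voter would run: does any granted permission imply the required one?
    public static boolean isPermitted(Collection<WildcardPermission> granted, String required) {
        WildcardPermission need = new WildcardPermission(required);
        return granted.stream().anyMatch(g -> g.implies(need));
    }

    public static void main(String[] args) {
        // Constructed grants from the roles above; the comma shorthand on the
        // domain part is written out in full because ',' separates whole alternatives.
        List<WildcardPermission> admin = List.of(new WildcardPermission("*:*"));
        List<WildcardPermission> orderManager = List.of(new WildcardPermission("orderSystem.*:*"));
        List<WildcardPermission> payDealer = List.of(
                new WildcardPermission("orderSystem.payment,orderSystem.refund:view,modify"));
        // Three-part scheme from the later comment: resource:permissions:objectIdentifier
        List<WildcardPermission> operator = List.of(
                new WildcardPermission("test.module1.users:read,write:admin,operator"));

        System.out.println(isPermitted(admin, "orderSystem.refund:delete"));
        System.out.println(isPermitted(orderManager, "orderSystem.payment:modify"));
        System.out.println(isPermitted(orderManager, "inventory.item:view"));
        System.out.println(isPermitted(payDealer, "orderSystem.refund:modify"));
        System.out.println(isPermitted(payDealer, "orderSystem.order:view"));
        System.out.println(isPermitted(operator, "test.module1.users:read:admin"));
        System.out.println(isPermitted(operator, "test.module1.users:delete:admin"));
        System.out.println(isPermitted(operator, "test.module1.users:read")); // extra part not wildcarded
    }
}
```

Running `main` prints true, true, false, true, false, true, false, false in that order: the admin and orderManager grants cover anything in their scope, orderManager does not reach `inventory`, payDealer covers refund but not order, and the three-part grant covers `read` on `admin` but neither `delete` nor a two-part requirement, because its object-identifier part is not `*`. Note that jiming's shorthand `orderSystem.payment,refund` has to be written as two full alternatives, since the comma separates complete values. In a Spring Security setup this class would be wrapped in a `GrantedAuthority` implementation and `isPermitted` called from the voter, as the earlier comment describes.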
Comment From: jiming
Thanks HerrDerb, that's terrific!