Tags: apache, security, permissions, shiro

Apache Shiro Implicit [url] restriction


I'm using Apache Shiro to manage my application's security with great success. However, I'm trying to specify a url path in my shiro.ini file that will prevent access to a specified page based on the subject's allocated 'permissions'.

I know the permissions are generally working as I can use the SecurityUtil to restrict access to methods and functions and this works fine.

SecurityUtils.getSubject().isPermitted("account:create");

I am obviously missing something because when I try to apply this through my ini configuration file using the default perms filter, the permissions seem to be ignored.

Relevant parts of my shiro.ini file:

[urls]
...
/accounts/create.jsf = perms["account:create"]
...

(obtained from Shiro Docs)

I would have thought that when the specified url is accessed the perms filter is instantiated, the subject is found to be lacking the implied permission and the page is not rendered! However, the page seems to be rendered just fine. :(

Do I need to create my own implementation of the perms filter and specify its action? I would have thought that was the point of supplying a default!

Any help would be appreciated.


Solution

  • I completely forgot that the order of the filters in the ini file causes a 'short circuit' when a match is found.

    Above this filter I had a role-based filter that was matched, ergo the perms filter was never reached.

    [urls]
    ...
    ; this catch-all matches every request first, so the perms line below is never reached
    /** = auth, roles[XXX]
    ...
    /accounts/create.jsf = perms["account:create"]
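The same configuration with the chain order corrected, as an added example that is not part of the original question or answer. Shiro's [urls] section is evaluated top to bottom and the first matching pattern wins, so specific paths go before the `/**` catch-all; the login and unauthorized page paths and the use of the built-in `authc` filter are assumptions.

```ini
[main]
# where authc sends an unauthenticated subject (assumed path)
authc.loginUrl = /login.jsf
# where perms/roles send an authenticated subject that lacks the required permission or role (assumed path)
perms.unauthorizedUrl = /unauthorized.jsf
roles.unauthorizedUrl = /unauthorized.jsf

[urls]
# most specific patterns first: the first matching line is the only one applied to a request
/login.jsf = authc
/unauthorized.jsf = authc
/accounts/create.jsf = authc, perms["account:create"]
# catch-all last; placed above the line for /accounts/create.jsf it would short-circuit it
/** = authc, roles[XXX]
```

With this order a subject without `account:create` is redirected to the unauthorized page instead of seeing the create page rendered, and the catch-all still protects everything else.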