From the docs I read that it's possible to define attribute-level permissions (as well as resource and instance levels)
Attribute Level - The permission now specifies an attribute of an instance or resource. A user can edit the address on the IBM customer record.
How can these permissions be defined declaratively using the <resource>:<action>:<instance> format in which permissions in Shiro are usually defined? It would seem logical to be if it's possible to do something like <resource>:<action>:<instance>:<attributename> but I can't find docs anywhere discussing this.
Did you check http://shiro.apache.org/permissions.html?
You can create the strings yourself from your own information. In our code we use custom realms to add the permissions programmatically like so:
public class OurAuthorizingReam extends AuthorizingRealm {
...
@Override
public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
... code to find permission infp
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
while (.. looping through permission info){
info.addStringPermission(... the permission string constructed);
}
return info;
}