I have a situation that I need some assistance with. I have four REST URLs with the same path and different HTTP methods:
/api/users/** GET,POST,PUT,DELETE
I want to use Shiro to protect PUT, POST and DELETE and keep GET anonymous. I configured the following URLs, but without luck:
/api/users/** =rest[user:update,user:delete,user:create]
/api/users/** =anon
Maybe you could do something like this:
/api/users/**=rest[user]
Then, it kind of depends on how you are creating the REST APIs. With a JAX-RS implementation, like Jersey for example, you could do the following:
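// Imports assume the javax.ws.rs namespace; method bodies are placeholders.
import javax.ws.rs.*;
import javax.ws.rs.core.Response;
import org.apache.shiro.authz.annotation.RequiresPermissions;

@Path("/api/users")
public class SomeResource {
    @RequiresPermissions("user:read")
    @GET
    public Response getResource() { return Response.ok().build(); }

    @RequiresPermissions("user:create")
    @PUT
    public Response putResource() { return Response.ok().build(); }

    @RequiresPermissions("user:update")
    @POST
    public Response postResource() { return Response.ok().build(); }

    @RequiresPermissions("user:delete")
    @DELETE
    public Response deleteResource() { return Response.ok().build(); }
}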
This is assuming that you are going with annotation-based authorization. You could also use the SecurityUtils.getSubject() mechanism.
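
The SecurityUtils.getSubject() mechanism mentioned above, as an added example that is not part of the original answer: GET carries no check and stays anonymous, while the write methods call checkPermission() and a JAX-RS exception mapper turns Shiro's failures into 401 or 403. The class names, the javax.ws.rs namespace and the assumption that /api/users/** passes through the Shiro filter (for instance mapped to anon) are this example's own.

```java
import javax.ws.rs.*;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;

// Hypothetical resource. Assumes the request went through the Shiro filter,
// so a Subject (possibly anonymous) is bound to the current thread.
// POST -> create and PUT -> update follow the verbs used by Shiro's rest filter.
@Path("/api/users")
public class UserResource {

    @GET // no permission check: reads stay open to anonymous callers
    public Response list() {
        return Response.ok().build();
    }

    @POST
    public Response create() {
        SecurityUtils.getSubject().checkPermission("user:create");
        return Response.status(Response.Status.CREATED).build();
    }

    @PUT
    public Response update() {
        SecurityUtils.getSubject().checkPermission("user:update");
        return Response.noContent().build();
    }

    @DELETE
    public Response delete() {
        SecurityUtils.getSubject().checkPermission("user:delete");
        return Response.noContent().build();
    }

    // Must be registered with the JAX-RS application like any other provider.
    @Provider
    public static class ShiroDeniedMapper implements ExceptionMapper<AuthorizationException> {
        @Override
        public Response toResponse(AuthorizationException e) {
            // No identity at all -> 401; known identity lacking the permission -> 403.
            boolean anonymous = e instanceof UnauthenticatedException;
            return Response.status(anonymous ? Response.Status.UNAUTHORIZED
                                             : Response.Status.FORBIDDEN).build();
        }
    }
}
```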