I downloaded a Spring MVC project which uses Apache Shiro for its security layer. In the controller, it uses @RequiresPermissions to define the permission, for example:
@RequiresPermissions("sys:user:view")
@RequestMapping(value = {"index"})
public String index(User user, Model model) {
    return "modules/sys/userIndex";
}

@RequiresPermissions("sys:user:view")
@RequestMapping(value = {"list", ""})
public String list(User user, HttpServletRequest request, HttpServletResponse response, Model model) {
    return "modules/sys/userList";
}
I have a couple of questions about this:
The actual permission String is freeform. "domain:action:instance" is an example. You could use something like users:write:1234 or just more general users:write. But there is nothing stopping you from using something like <domain>:<instance>:<action>. Using the same two examples you would have users:1234:write and users:*:write (respectively).
As for #2, your realm (or a RolePermissionResolver) is responsible for defining the mapping between users and permissions (or roles and permissions).
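The two points in the answer above, as an added example that is not part of the original post or of the downloaded project: a realm that supplies role-to-permission mappings, and Shiro's WildcardPermission comparing grants against required permissions in both part orderings. The class name DemoRealm, the user and role names, the in-memory maps, and the sys:user:edit string are constructed for illustration; Java 9+ and Shiro on the classpath are assumed.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical realm: users, roles and permission grants are constructed sample data.
public class DemoRealm extends AuthorizingRealm {
    private static final Map<String, List<String>> USER_ROLES = Map.of(
        "alice", List.of("admin"),
        "bob", List.of("viewer"));
    private static final Map<String, List<String>> ROLE_PERMS = Map.of(
        "admin", List.of("sys:user:*"),
        "viewer", List.of("sys:user:view"));

    // Shiro calls this to learn which roles and permissions a principal holds;
    // @RequiresPermissions checks are evaluated against what is returned here.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Unknown users and unknown roles get nothing (deny by default).
        for (String role : USER_ROLES.getOrDefault(username, List.of())) {
            info.addRole(role);
            info.addStringPermissions(ROLE_PERMS.getOrDefault(role, List.of()));
        }
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        throw new AuthenticationException("authentication is out of scope for this example");
    }

    // Does a granted permission string satisfy a required one?
    static boolean implies(String granted, String required) {
        return new WildcardPermission(granted).implies(new WildcardPermission(required));
    }

    public static void main(String[] args) {
        String[][] checks = {
            {"sys:user:*", "sys:user:view"},       // wildcard grant vs. the controller's check
            {"sys:user:view", "sys:user:edit"},    // grant for a different action
            {"users:write", "users:write:1234"},   // grant that omits the instance part
            {"users:*:write", "users:1234:write"}, // <domain>:<instance>:<action> ordering
            {"users:write", "users:1234:write"},   // grant and check use different orderings
        };
        for (String[] c : checks)
            System.out.printf("%-14s implies %-17s -> %b%n", c[0], c[1], implies(c[0], c[1]));
    }
}
```

WildcardPermission compares the colon-separated parts position by position, so whichever ordering is chosen has to be used consistently in both the grants and the @RequiresPermissions annotations.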