
Some questions about Apache Shiro in Spring MVC


I downloaded a Spring MVC project which uses Apache Shiro for the security layer. In the controller, it uses @RequiresPermissions to define the permission, for example:

@RequiresPermissions("sys:user:view")
@RequestMapping(value = {"index"})
public String index(User user, Model model) {
    return "modules/sys/userIndex";
}

@RequiresPermissions("sys:user:view")
@RequestMapping(value = {"list", ""})
public String list(User user, HttpServletRequest request, HttpServletResponse response, Model model) {
    return "modules/sys/userList";
}

I have a couple of questions about this:

  1. What kind of permission is this? I checked the Shiro documentation, and based on the docs, the three parts should be "domain:action:instance", but in the code above, the first two parts are a path, and the last part is the action. So I'm just confused.
  2. I'm not sure whether the annotation @RequiresPermissions is used to define the permission. I tried to use it to define a new permission, but failed. If it's not, how do I define a new permission?

Solution

  • The actual permission String is freeform. "domain:action:instance" is an example. You could use something like users:write:1234 or just more general users:write. But there is nothing stopping you from using something like <domain>:<instance>:<action>. Using the same two examples you would have users:1234:write and users:*:write (respectively).

    As for #2, your realm (or a RolePermissionResolver) is responsible for defining the mapping between users and permissions (or roles and permissions).
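
An added example, not part of the original answer or of the downloaded project: a minimal realm that grants permission strings to users, which is where a permission is actually defined, while @RequiresPermissions only states what a handler requires. The class name DemoRealm, the user names and the GRANTS table are hypothetical sample data; shiro-core on the classpath and Java 9+ are assumed.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.PrincipalCollection;
import java.util.List;
import java.util.Map;

// Hypothetical realm; a real one would load grants from a database or directory.
public class DemoRealm extends AuthorizingRealm {
    // Constructed sample data: user name -> granted permission strings.
    private static final Map<String, List<String>> GRANTS = Map.of(
            "admin", List.of("sys:user:*"),       // every action on sys:user
            "auditor", List.of("sys:user:view"),  // read-only
            "guest", List.of());

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Users missing from the table receive nothing: deny by default.
        GRANTS.getOrDefault(user, List.of()).forEach(info::addStringPermission);
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        // Login is outside the scope of this example; only authorization is shown.
        throw new AuthenticationException("authentication not covered by this example");
    }

    static boolean implies(String granted, String required) {
        return new WildcardPermission(granted).implies(new WildcardPermission(required));
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        for (String user : List.of("admin", "auditor", "guest")) {
            PrincipalCollection who = new SimplePrincipalCollection(user, realm.getName());
            // The same comparison @RequiresPermissions triggers for a handler.
            for (String required : List.of("sys:user:view", "sys:user:edit")) {
                System.out.printf("%s -> %s: %b%n", user, required, realm.isPermitted(who, required));
            }
        }
        // Part order is a convention; matching is positional, part by part.
        System.out.println(implies("users:*:write", "users:1234:write"));
        System.out.println(implies("users:write", "users:write:1234"));
    }
}
```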