I want to use Apache Shiro in my JSF application to perform URL-based authorization checks, with the configuration done in shiro.ini. As I see in the Shiro documentation, there is a way to use a "perms" filter:
/remoting/rpc/** = authc, perms["remote:invoke"]
In my scenario I want this functionality, but on entity level [1], where the entity id is in the HTTP request:
# "Open settings for user with id=123":
# /user/settings.xhtml?user_id=123
/user/settings.xhtml = perms["user:update:XXX"]
So, how do I do this with Shiro? How do I tell the perms filter to check for HTTP parameters? Or is this supposed to be done in my Realm implementation, concretely by calling FacesContext?
[1] This can be done at least programmatically:
SecurityUtils.getSubject().isPermitted("printer:query:lp7200")
It is possible to do this by implementing and using your own "org.apache.shiro.web.filter.AccessControlFilter" subclasses in the software. These classes can be declared in shiro.ini:
The AccessControlFilter class provides an "isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)" method, which can be overridden to use "request.getParameterMap()" for reading the HTTP GET parameters.
As an example, you could have a look at my project tiramisu (quite outdated).
See CompanyManagerPermissionsFilter (which extends CompanyScopedPermissionsFilter, which extends DomainPermissionsFilter), included in WEB-INF/shiro.ini.
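The following is an added example of the approach the answer describes; it is not code from the question, the answer, or the tiramisu project. It extends AuthorizationFilter (itself an AccessControlFilter subclass, so only isAccessAllowed needs overriding; the inherited onAccessDenied redirects to the login or unauthorized URL). The class name, the package com.example.shiro, the filter name userPerms and the parameterName property are assumptions; the permission prefix comes from the brackets in shiro.ini (mappedValue) and the entity id from the request parameter. The id is validated as plain digits before it is concatenated, so a missing, repeated or malformed parameter is denied rather than turned into a permission string containing characters that WildcardPermission treats as separators or wildcards.

```java
package com.example.shiro; // hypothetical package

import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * Hypothetical filter (added example, not from the question, the answer or tiramisu).
 * Builds "<prefix>:<id>" from the bracket argument in shiro.ini and an HTTP parameter,
 * then asks the current Subject whether that permission is granted.
 *
 * Assumed shiro.ini:
 *   [main]
 *   userPerms = com.example.shiro.RequestParamPermissionsFilter
 *   userPerms.parameterName = user_id
 *   [urls]
 *   /user/settings.xhtml = authc, userPerms["user:update"]
 *
 * A request for /user/settings.xhtml?user_id=123 is then checked against "user:update:123".
 */
public class RequestParamPermissionsFilter extends AuthorizationFilter {

    // Accept only plain numeric ids. ':' ',' and '*' are meaningful to Shiro's
    // WildcardPermission, so anything else is rejected before it reaches the permission string.
    private static final Pattern ID_PATTERN = Pattern.compile("[0-9]{1,18}");

    // Name of the request parameter carrying the entity id; set from shiro.ini.
    private String parameterName = "id";

    public void setParameterName(String parameterName) {
        this.parameterName = parameterName;
    }

    public String getParameterName() {
        return parameterName;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        // mappedValue holds the values from the brackets in shiro.ini, e.g. {"user:update"}.
        String[] prefixes = (String[]) mappedValue;
        if (prefixes == null || prefixes.length == 0) {
            return false; // no permission prefix configured for this URL: fail closed
        }

        // The answer suggests request.getParameterMap(); Servlet 3.0+ types it as Map<String, String[]>.
        Map<String, String[]> params = request.getParameterMap();
        String[] values = params.get(parameterName);
        if (values == null || values.length != 1) {
            return false; // parameter missing or supplied more than once: deny
        }
        String id = values[0];
        if (!ID_PATTERN.matcher(id).matches()) {
            return false; // not a well-formed id: deny
        }

        Subject subject = getSubject(request, response);
        for (String prefix : prefixes) {
            // Every configured prefix must be permitted for this id.
            if (!subject.isPermitted(prefix + ":" + id)) {
                return false;
            }
        }
        return true;
    }
}
```

Because the check is built in the filter, the Realm only needs to grant entity-scoped permissions such as user:update:123 (or a broader user:update:* for administrators); it does not need to look at FacesContext or the request at all.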