Shiro - best way to protect subset of controller actions?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Shiro - best way to protect subset of controller actions?

John Moore
I'm using the Shiro plugin in a Grails app I'm developing, and I've been largely using the accessControl technique, of protection by convention. I have one controller, though, with lots of actions, and I want different roles to be able to access different subsets of these actions. Following the way I've done things so far, I would add the names of all the actions the role could access to my permissions string (e.g., 'product:add,edit,delete,view'). But this is pretty cumbersome with a controller with so many actions, when what I really want to do, in fact, is to exclude certain actions from the permissions - that is, say in effect "You can access all the actions of the Product controller except 'delete' and 'edit'".

Is there a way of doing permissions in this way? Or should I be thinking about the problem in some other way, e.g., at the filter level?
Reply | Threaded
Open this post in threaded view
|

Re: Shiro - best way to protect subset of controller actions?

John Moore
It strikes me that I could do this quite easily if I could get a list of all the actions of a given controller, then I could specifically add the permissions for all which are not in the list of excluded actions. I was sure it was pretty straightforward to get a list of all a controller's actions, but Google isn't turning up anything useful. How can I do this?
Reply | Threaded
Open this post in threaded view
|

Re: Shiro - best way to protect subset of controller actions?

pledbrook
> It strikes me that I could do this quite easily if I could get a list of all
> the actions of a given controller, then I could specifically add the
> permissions for all which are not in the list of excluded actions. I was
> sure it was pretty straightforward to get a list of all a controller's
> actions, but Google isn't turning up anything useful. How can I do this?

Such a method isn't where I would expect it to be
(DefaultGrailsControllerClass), but you can code this manually. In
Grails 2, actions are public methods or public Closure properties. I'm
pretty sure that in both cases you should use reflection to find the
actions as I don't think Grails allows you to inject dynamic actions.

Peter

--
Peter Ledbrook
Grails Advocate
SpringSource - A Division of VMware

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email


Reply | Threaded
Open this post in threaded view
|

Re: Shiro - best way to protect subset of controller actions?

John Moore
Thanks, Peter, I'll give that a go.
Reply | Threaded
Open this post in threaded view
|

Re: Shiro - best way to protect subset of controller actions?

smaldini
You can also scan for @Action methods starting from grails 2. 

On Mon, Aug 13, 2012 at 2:36 PM, John Moore <[hidden email]> wrote:
Thanks, Peter, I'll give that a go.



--
View this message in context: http://grails.1312388.n4.nabble.com/Shiro-best-way-to-protect-subset-of-controller-actions-tp4632737p4633112.html
Sent from the Grails - user mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email





--
Stéphane MALDINI
--


Reply | Threaded
Open this post in threaded view
|

Re: Shiro - best way to protect subset of controller actions?

John Moore
smaldini wrote
You can also scan for @Action methods starting from grails 2.
Not quite sure what you mean by this (I've never really got into using annotations). Perhaps you could give me an example? Thanks.