Shiro - problem/doubt with permissions and roles


Shiro - problem/doubt with permissions and roles

Dalton Cézane
Hi, all.

I have an application and already configure the basic authentication with shiro plugin. However, I would like to enable different permissions to different users. As an example:

// Bootstrap data for the Grails app (Shiro plugin): roles, their permission strings, and users
import org.apache.shiro.crypto.hash.Sha512Hash

def roleAdmin = new Role(name: 'admin')
roleAdmin.addToPermissions('*:*')    // every controller, every action
roleAdmin.save(flush: true, failOnError: true)

def roleBasic = new Role(name: 'basic')
// permission strings use Shiro's 'controller:action' wildcard format
roleBasic.addToPermissions('auth:*')
roleBasic.addToPermissions('userAdmin:create,list,edit')    // only these three actions on userAdmin
roleBasic.save(flush: true, failOnError: true)

// the password hashes below are unsalted, single-round SHA-512, as in the original post
def testUser = new UserAdmin(username: 'kermit', passwordHash: new Sha512Hash("password").toHex())
testUser.addToRoles(roleAdmin)
testUser.save(flush: true, failOnError: true)

def user = new UserAdmin(username: "admin", passwordHash: new Sha512Hash("admin").toHex())
user.addToRoles(roleAdmin)    // alternatively: user.addToPermissions("*:*")
user.save(flush: true, failOnError: true)    // failOnError so a silent validation failure cannot hide a missing user

def user1 = new UserAdmin(username: "fulano", passwordHash: new Sha512Hash("fulano").toHex())
user1.addToRoles(roleBasic)
user1.save(flush: true, failOnError: true)

def user2 = new UserAdmin(username: "beltrano", passwordHash: new Sha512Hash("beltrano").toHex())
user2.addToRoles(roleBasic)
user2.save(flush: true, failOnError: true)

In this case, I would like admin and kermit to be able to do everything in all controllers, but fulano and sicrano to be able to access all the controllers, except that in the userAdmin controller they could do only the three operations described (create, list and edit). The problem is that it works for admin and kermit, but not for fulano and sicrano. I log in with the fulano and sicrano credentials, but after that the system redirects to the "You do not have permission to access this page." message.

I saw the values that the system gets at run time:
User --> fulano
Permissions --> []
Roles --> [auth:*, userAdmin:create,list,edit]   (I think the problem is here, with the comma-separated values, but I do not know how to solve it by putting the right values in my role declaration)

Can anyone help me?
Thanks in advance.

--
=======================================================
Dalton Cézane
Mestrando/Especialista/Bacharel  em Ciência da Computação (UFCG)
Técnico em Informática (ETER)

Re: Shiro - problem/doubt with permissions and roles

Dalton Cézane
Thanks for your answer.

You are right about my mistake with "beltrano" and "sicrano". But here my code is correct and, as you said, it would not be the problem. With 'fulano' and 'beltrano' I do log in, but the application does not allow the 'basic' users to access the other pages (it shows the unauthorized-access message I mentioned).

I also tried roleBasic.addToPermissions('userAdmin:create|list|edit') instead of roleBasic.addToPermissions('userAdmin:create,list,edit'), but it did not work either. That way, I got the following:
User: fulano
Permissions: []
Roles: [auth:*, userAdmin:create|list|edit]
 ------ [auth]:[*]------[useradmin]:[list]  (Required role)
 ------ [useradmin]:[create|list|edit]------[useradmin]:[list] (Required role)

Thanks again.

On Thu, May 23, 2013 at 5:59 PM, John Moore <[hidden email]> wrote:
It looks to me as if it should work - you seem to have it configured correctly. I am assuming that when you mention 'sicrano' in your text, you actually mean 'beltrano', because there is nothing configured for 'sicrano'. It shouldn't be the cause of a problem, but you don't need to explicitly add 'auth:*' to the permissions, because the plugin defaults to bypassing credential checks for the 'auth' controller (you need to use the 'auth' controller to log in and acquire the credentials which are checked elsewhere).

Maybe you could put together a small Grails app demonstrating the problem and I could take a look.

John




Re: Shiro - problem/doubt with permissions and roles

Dalton Cézane
Hi.

I resolved my problem. The fact is that we generally have a controller named UserAdmin, for example, and the names used to reference our controllers follow the 'nameName' convention... As my controller class is named UserAdmin, I thought it would follow the convention and I put roleBasic.addToPermissions('userAdmin:create,list,edit') in my code.

So, when I looked at the database, the value was stored as 'useradmin'. When I changed my code to roleBasic.addToPermissions('useradmin:create,list,edit'), it worked.

I just miss the fact that we do not have something like a wildcard restriction meaning 'all the controllers except this one or these two'... So, I have to specify all the controllers in one role and just the 'restrictions' in another role.

Meanwhile, could anyone suggest the best/most direct way to test whether the session user (currently logged in) is different from the user I want to remove? For example, "admin" is logged in and wants to delete some user. How do I test that 'this user to be deleted' is not admin himself?

Thanks!

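Added example, not code from the thread: a stand-alone Groovy script that runs the permission strings discussed above (comma vs. pipe, 'userAdmin' vs. 'useradmin') through Shiro's own WildcardPermission, so the matching can be checked rather than guessed. It assumes shiro-core 1.2.1 fetched via @Grab, and the string 'useradmin:list' is taken to be what the plugin's access-control filter asks for on UserAdminController.list; grants() is a helper written for this demo.

```groovy
// Added example: how Shiro's WildcardPermission reads the strings from the thread.
// Assumes shiro-core 1.2.1 is fetched via @Grab (not part of the original post).
@Grab('org.apache.shiro:shiro-core:1.2.1')
import org.apache.shiro.authz.permission.WildcardPermission

// Does a permission string stored on a role grant what the filter asks for?
// caseSensitive=false is Shiro's default: both sides are lower-cased before comparing.
boolean grants(String stored, String required, boolean caseSensitive = false) {
    new WildcardPermission(stored, caseSensitive)
        .implies(new WildcardPermission(required, caseSensitive))
}

// Assumed to be the check built for UserAdminController.list ('controller:action').
String required = 'useradmin:list'

assert grants('*:*', required)                                  // admin role: everything
assert grants('useradmin:create,list,edit', required)            // ',' separates actions
assert !grants('useradmin:create|list|edit', required)           // '|' is one literal token, so 'list' is not in it
assert !grants('useradmin:create,list,edit', 'useradmin:delete') // delete was never granted

// Case: with the default (case-insensitive) resolver 'userAdmin' still matches;
// it only fails when a resolver compares case-sensitively, so storing exactly the
// lower-case name the filter asks for (as the thread concluded) works either way.
assert grants('userAdmin:create,list,edit', required)
assert !grants('userAdmin:create,list,edit', required, true)

println 'all permission checks behaved as expected'
```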

Re: Shiro - problem/doubt with permissions and roles

John Moore
Glad you were able to resolve the problem. I agree that it would be handy if there were some way of saying which permissions you want to deny, rather than having to explicitly grant all the permissions; it's something I've wanted to do myself.

As regards your other question, you can at any time find out the details of the logged-in user with this: SecurityUtils.subject.principal. So in my system I have a User class, and I can get the details of the logged-in user with:

    def user = User.findByUsername(SecurityUtils.subject.principal)

I could then compare that with the user I am trying to remove.

John

Re: Shiro - problem/doubt with permissions and roles

Dalton Cézane
Thank you again, John. Yesterday I was trying to use subject.principal, but the way I found in tutorials was not working here, because when I import org.apache.shiro.subject my application does not compile (some error). I mean, the library did not recognize this package (subject).

Anyway, with your tip, I got what I wanted. It worked with the following:
   import org.apache.shiro.SecurityUtils

   def userAdminToRemove = UserAdmin.get(id)
   def loggedUser = SecurityUtils.subject.principal    // username of the logged-in subject

   // only proceed when the account being removed is not the caller's own
   if (!loggedUser.equals(userAdminToRemove.username)) { ... }

Regards!

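Added example, not code from the thread: the self-removal guard from the last two posts written as a runnable Groovy script against an in-memory Shiro realm instead of the Grails domain classes. The account names are constructed, mayRemove() and the realm setup are assumptions for the demo (shiro-core 1.2.1 via @Grab), and the null check covers the case where nobody is logged in, which the posted one-liner would not.

```groovy
// Added example: guarding a delete action with SecurityUtils.subject.principal.
// Assumes shiro-core 1.2.1 via @Grab; accounts below are constructed for the demo.
@Grab('org.apache.shiro:shiro-core:1.2.1')
import org.apache.shiro.SecurityUtils
import org.apache.shiro.authc.UsernamePasswordToken
import org.apache.shiro.mgt.DefaultSecurityManager
import org.apache.shiro.realm.SimpleAccountRealm

// In-memory stand-in for the UserAdmin rows from the thread (username, password, role).
def realm = new SimpleAccountRealm()
realm.addAccount('admin', 'admin', 'admin')
realm.addAccount('fulano', 'fulano', 'basic')
SecurityUtils.securityManager = new DefaultSecurityManager(realm)

// The check a delete action should run before removing a row. In Grails the
// target would come from UserAdmin.get(id)?.username; here it is passed in.
// Refuse when nobody is authenticated, when the target is missing, or when the
// target is the caller's own account (the case the thread asked about).
boolean mayRemove(String targetUsername) {
    def me = SecurityUtils.subject.principal    // null when not logged in
    if (me == null || targetUsername == null) return false
    me.toString() != targetUsername
}

assert !mayRemove('fulano')    // anonymous caller: nothing may be removed

SecurityUtils.subject.login(new UsernamePasswordToken('admin', 'admin'))
assert SecurityUtils.subject.principal == 'admin'
assert mayRemove('fulano')     // admin removing someone else: allowed
assert !mayRemove('admin')     // admin removing admin: blocked
assert !mayRemove(null)        // target not found (UserAdmin.get(id) == null): blocked

SecurityUtils.subject.logout()
assert !mayRemove('fulano')    // after logout the principal is gone: blocked again

println 'self-removal guard behaved as expected'
```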