83b2e20dab47c297dcc30f772b8f6d282ecd2def
wiki/security.md
| ... | ... | @@ -47,5 +47,12 @@ The Web Bundle then provides a `shiro.ini` file in its classpath root, e.g., dir |
| 47 | 47 | |
| 48 | 48 | ## How to Implement Permission Checks |
| 49 | 49 | |
| 50 | +There are generally two ways in which some feature can require the user to be equipped with permissions: declaratively in the `shiro.ini` file's `[urls]` section; or programmatically by using something like ``org.apache.shiro.SecurityUtils.getSubject().checkPermission(...)`` which will throw an `AuthorizationException` in case the user lacks the necessary permissions. |
|
| 51 | + |
|
| 52 | +Example for a declarative permission check: |
|
| 53 | + [urls] |
|
| 54 | + /api/v1/events = bearerToken, perms["event:view"] |
|
| 55 | +This requires users trying to access the URL `/api/v1/events` to be authenticated using a valid `JSESSIONID` cookie or any authentication supported by the `bearerToken` filter such that the authenticated user has permissions that imply the `event:view:*` permission. |
|
| 56 | + |
|
| 50 | 57 | ## Notes on Replication |
| 51 | 58 |
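Review bot: the declarative example and its explanation in this hunk disagree on the permission string: the `[urls]` entry checks `perms["event:view"]`, while the sentence below says the user needs a permission that implies `event:view:*`. With Shiro's default `WildcardPermission` a missing trailing part is treated as a wildcard, so the two strings behave the same in an `implies` check, but a reader of the wiki cannot be expected to know that; either use `event:view` in both places or state the equivalence explicitly. Two smaller points: the lines `[urls]` and `/api/v1/events = bearerToken, perms["event:view"]` are not in a fenced block and will not render as a config snippet, and the text should say where the `bearerToken` filter is defined (for example in the `[main]` section of the same `shiro.ini`), since nothing in this hunk shows it and the `[urls]` line cannot be copied without that definition.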