[Feature request] Feature similar to Shiro Wildcard Permissions #4611

jiming opened this issue Oct 11, 2017 · 9 comments
Labels
status: waiting-for-triage An issue we've not yet triaged

Comments

jiming commented Oct 11, 2017

Summary

Support a feature like Shiro Wildcard Permissions

Actual Behavior

Expected Behavior

The Shiro Wildcard Permissions feature is one big highlight over Spring Security, which is one important reason a lot of companies are still using Shiro over Spring Security. Is there any plan to implement a similar feature? Then I can persuade other programmers to switch to Spring Security. Thanks!

Configuration

Version

Sample

HerrDerb commented Nov 8, 2017

I'm actually just implementing this for the method security context in my project. It's not really hard. Maybe this can be helpful.

First thing is a PermissionVoter, including a static vote method for programmatic use.
PermissioVoter.txt

Second thing is a special GrantedAuthority called Permission (how unexpected)
Permission.txt

Finally configure the AccessDecisionManager
MethodSecurityConfig.txt

Why do we want a special Permission object?
We could also use a regular GrantedAuthority containing a permission String like "feature1:read:files". Doing this means we need to split the string on every permission check. This is an unnecessary waste of performance and memory. The Permission object already splits the string into its parts on initialization. Therefore only once.

jiming commented Nov 9, 2017

Dear @HerrDerb,

Thanks for your reply.

Spring Security is an official subproject of Spring. Logically speaking, when a project needs an auth solution, Spring Security should be the first option. However, in China, most projects I know are using Shiro. It is a pity for Spring Security.

The two reasons I know that developers like Shiro are ease of use and wildcard permissions (which are super powerful for complex permissions).

With the Spring Security 4.0 release, I think the ease of use has made big progress and is acceptable. Thank you very much for it.

Now I can describe why I wanted wildcard permissions. Let's say I have permissions as follows:

orderSystem.[order|payment|refund]:[view|modify|delete]

[xxx|yy] means optional.

Person admin with permission setting *:* can do anything.
Person orderManager with permission setting orderSystem.*:* can do anything under orderSystem.
Person orderDealer with permission setting orderSystem.order:view,modify can view and modify orderSystem.order objects.
Person payDealer with permission setting orderSystem.payment,refund:view,modify can view and modify the orderSystem.payment and orderSystem.refund domains.

About performance: complex permissions using wildcard permissions are usually in backend systems. The requests are far fewer than for the web app of a huge website, so functionality is more important than performance.

Shiro uses AntPathMatcher to split the permission and caches the permission objects.

Since you have already finished it, why not add it to Spring Security as an official feature? After that I can more easily recommend Spring Security over Shiro in the future :)

Thanks and have a nice day!

Jiming
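
A minimal matcher for the permission strings discussed in the two comments above (the parse-once Permission object and the orderSystem examples), added here as an illustration; it is not the attached prototype, Shiro's WildcardPermission, or Spring Security code. The class name, the rule that a trailing `*` covers one or more remaining `.` segments, and the requirement that both sides have the same number of `:` parts are assumptions of this example (Shiro itself treats missing trailing parts as wildcards).

```java
import java.util.*;

public final class WildcardPermission {
    private static final String ANY = "*";
    private final List<List<Set<String>>> parts = new ArrayList<>(); // ':' parts -> '.' segments -> ',' alternatives

    public WildcardPermission(String spec) {
        if (spec == null || spec.trim().isEmpty()) throw new IllegalArgumentException("empty permission");
        for (String part : spec.trim().split(":", -1)) {
            List<Set<String>> segments = new ArrayList<>();
            for (String segment : part.split("\\.", -1)) {
                Set<String> alternatives = new HashSet<>();
                for (String alt : segment.split(",", -1)) {
                    if (alt.trim().isEmpty()) throw new IllegalArgumentException("empty token in " + spec);
                    alternatives.add(alt.trim());
                }
                segments.add(alternatives);
            }
            parts.add(segments);
        }
    }

    /** True if this granted permission covers the required one; anything unmatched is denied. */
    public boolean implies(WildcardPermission required) {
        if (parts.size() != required.parts.size()) return false; // assumption: no implicit trailing parts
        for (int p = 0; p < parts.size(); p++)
            if (!partImplies(parts.get(p), required.parts.get(p))) return false;
        return true;
    }

    private static boolean partImplies(List<Set<String>> granted, List<Set<String>> required) {
        for (int i = 0; i < granted.size(); i++) {
            Set<String> g = granted.get(i);
            // assumption: a trailing '*' covers one or more remaining segments
            if (g.contains(ANY) && i == granted.size() - 1) return required.size() > i;
            if (i >= required.size()) return false;
            if (!g.contains(ANY) && !g.containsAll(required.get(i))) return false; // a required '*' needs a granted '*'
        }
        return granted.size() == required.size();
    }

    public static void main(String[] args) {
        WildcardPermission payDealer = new WildcardPermission("orderSystem.payment,refund:view,modify");
        boolean ok = payDealer.implies(new WildcardPermission("orderSystem.refund:modify"))
                && !payDealer.implies(new WildcardPermission("orderSystem.order:view"))
                && new WildcardPermission("orderSystem.*:*").implies(new WildcardPermission("orderSystem.order:delete"))
                && new WildcardPermission("*:*").implies(new WildcardPermission("orderSystem.payment:view"));
        if (!ok) throw new AssertionError("matcher does not follow the rules above");
    }
}
```

The string is split only in the constructor, so a granted permission can be built once at login and reused for every check; malformed strings such as `orderSystem.:view` are rejected rather than silently matching.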

jiming commented Nov 9, 2017

A code example

@RequiresPermissions(value={"channel:edit","channel:create"},logical=Logical.OR)

@HerrDerb

My implementation still needs improvement, currently it's only a prototype. Once this is done, I'll create a pull request.

jiming commented Dec 13, 2017

Great to hear that!

jccode commented Jun 6, 2018

+1

@HerrDerb

I've prepared a basic commit for this issue. Discussing it now in https://gitter.im/spring-projects/spring-security?source=explore before I create a pull request.

HerrDerb commented Jun 27, 2018

I've integrated the AntPathMatcher and changed to the following permission scheme:
path.subpath.subsubpath.resource:permission1,permission2:objectIdentifier ->
test.module1.users:read,write:admin,operator implies read and write operations on user admin and operator

jiming commented Jun 28, 2018

Thanks HerrDerb, that's terrific!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@marcusdacoregio marcusdacoregio self-assigned this Nov 16, 2021
@marcusdacoregio marcusdacoregio removed the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2021
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2021
@marcusdacoregio marcusdacoregio removed their assignment Dec 2, 2021