How to determine what permissions a user has in Shiro

I need to deal with an application that is protected by Apache Shiro. I am completely new to this framework. As far as I can tell, I can check individual permissions with subject.isPermitted().

e.g.

Subject subject = SecurityUtils.getSubject();
[...]
subject.isPermitted("$RightString");

      

For logging, I need a complete list of user rights as String. And I don't want to iterate over the list of rights and check every time whether subject.isPermitted() is true.

Is there a shortcut for this problem?

Edit:

Additional Information:

  • The application is a Spring 4 application
  • realm is defined as a bean in the application context

     <bean id="PRODUCTNAMERealm" class="de.PATHFROMPRODUCT_PRODUCTNAMEJdbcRealm">
         <property name="dataSource" ref="dataSource"/>
         <property name="schema" value="${PRODUCTNAME.schema}"/>
     </bean>
    
          

    so that I can inject it if necessary.

+3
java shiro




2 answers


I believe this is not possible; we work around it by registering the user's rights in the session. We are using a custom realm implementation and our permissions are stored in the database.

In our realm class:

@Override
public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    // loadPermissions is a hypothetical helper standing in for the logic to get the permissions
    Set<String> permissionsSet = loadPermissions(principals);

    info.addStringPermissions(permissionsSet);

    SecurityUtils.getSubject().getSession().setAttribute("permissions", permissionsSet);
    return info;
}

      

Now getting permissions is just a call:



SecurityUtils.getSubject().getSession().getAttribute("permissions");

      

Another way would be to inject your custom realm where you need the information and make getAuthorizationInfo public on the realm bean.

@Override
public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
    return super.getAuthorizationInfo(principals);
}

....

yourRealm.getAuthorizationInfo(SecurityUtils.getSubject().getPrincipals()).getStringPermissions();

      

+3
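
Added example, not part of the question or of either answer and not Shiro's own code: a helper that flattens the AuthorizationInfo obtained through the second approach into a sorted set for a log line, also covering object permissions, role-resolved permissions and null collections, which getStringPermissions() alone leaves out. The class PermissionAudit, the method describe, the "role:" prefix and the sample permission strings are assumptions made for illustration.

```java
import java.util.Collection;
import java.util.Set;
import java.util.TreeSet;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
// Hypothetical helper for illustration; not part of Shiro or of the answers above.
public final class PermissionAudit {
    /** Flattens an AuthorizationInfo into a sorted set of strings suitable for a log line. */
    public static Set<String> describe(AuthorizationInfo info, RolePermissionResolver resolver) {
        Set<String> out = new TreeSet<>();
        if (info == null) {
            return out; // the realm returned nothing for these principals
        }
        // Shiro allows each of these collections to be null.
        if (info.getStringPermissions() != null) {
            out.addAll(info.getStringPermissions());
        }
        addAll(out, info.getObjectPermissions());
        if (info.getRoles() != null) {
            for (String role : info.getRoles()) {
                out.add("role:" + role); // prefix chosen for this example
                if (resolver != null) {  // expand the role when the realm has a resolver
                    addAll(out, resolver.resolvePermissionsInRole(role));
                }
            }
        }
        return out;
    }

    private static void addAll(Set<String> out, Collection<Permission> permissions) {
        if (permissions != null) {
            for (Permission p : permissions) {
                out.add(String.valueOf(p));
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample data; in the application pass the realm's AuthorizationInfo instead.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("auditor");
        info.addStringPermission("report:read");
        info.addObjectPermission(new WildcardPermission("invoice:view:*"));
        System.out.println(describe(info, null));
    }
}
```

For a realm that extends AuthorizingRealm, getRolePermissionResolver() supplies the second argument; it may return null, which the helper accepts.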




In my opinion, Shiro is only concerned with the security, authorization, etc. of the current user, not the entire user base. You can use standard SQL queries to get user rights.



+1

