Fine-grained permissions are a powerful tool for managing authorization for users and groups/roles. They’re also painful to model yourself and a potential security hazard. With Stormpath’s customData resource, Apache Shiro developers can now securely manage user permissions.

Shiro is our tool of choice for enforcing permissions in Java apps – including the Stormpath API. We use it extensively in-house and our CTO, Les Hazlewood, is the PMC Chair.

This post will demonstrate how to add permission data to your user accounts in Stormpath and perform checks on that data with Shiro. We’ll use the Apache Shiro plugin for Stormpath, and you can check out this Beginner’s Webapp Tutorial for a quick intro to the framework.

Plugin Configuration

Add the stormpath-shiro .jars to your application using Maven, Ant+Ivy, Grails, SBT or whatever Maven-compatible build tool you prefer:

Account Permissions

The easiest way to assign permissions to a user account in Stormpath is to get the account’s CustomData resource and use CustomDataPermissionsEditor to assign permissions.

First, we’ll instantiate an account using the Stormpath Java SDK (head to the quickstart for a primer on using the SDK):

Now let’s use the plugin to add a “Create Report” permission to the account’s customData resource:

Finally, add the new account – with its assigned permissions – to your application:

Group Permissions

You can now add the “Create Report” permission directly to an account. But Stormpath supports custom data on the Group object too, meaning you can easily assign permissions to a collection of accounts rather than just one.

Add the “Login” permission to the “Users” group using the same CustomDataPermissionsEditor:

An account’s total set of permissions is any permissions assigned directly to the account, plus all of the permissions assigned to Groups that contain the account.
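The account and group steps above, as one added example that is not the post’s own snippet: it assumes the Stormpath Java SDK and the stormpath-shiro plugin are on the classpath, and the class and method names (`Clients.builder()`, `CustomDataPermissionsEditor.append`, `Group.addAccount`) are given as I recall the plugin’s and SDK’s API, so check them against the Javadoc for your version. The application URL, names and password are constructed placeholders.

```java
// Added example, not the post's own code. SDK/plugin class names are assumptions
// from memory; the application href and account data are constructed placeholders.
import com.stormpath.sdk.account.Account;
import com.stormpath.sdk.application.Application;
import com.stormpath.sdk.client.Client;
import com.stormpath.sdk.client.Clients;
import com.stormpath.sdk.directory.CustomData;
import com.stormpath.sdk.group.Group;
import com.stormpath.shiro.authz.CustomDataPermissionsEditor;

public class PermissionSetup {

    // Placeholder: copy the application's REST URL from the Stormpath admin console.
    private static final String APP_HREF =
            "https://api.stormpath.com/v1/applications/APP_ID_PLACEHOLDER";

    public static void main(String[] args) {
        // The client reads the API key from ~/.stormpath/apiKey.properties by default.
        Client client = Clients.builder().build();
        Application application = client.getResource(APP_HREF, Application.class);

        // 1. Instantiate the account; nothing is persisted until createAccount() runs.
        Account account = client.instantiate(Account.class);
        account.setGivenName("Jane");                       // constructed sample data
        account.setSurname("Doe");
        account.setEmail("jane.doe@example.com");
        account.setPassword("ChangeMe!1234");

        // 2. Write the "Create Report" permission into the account's customData.
        //    Shiro's wildcard form "domain:action" is used so the same string can be
        //    checked later with subject.isPermitted("report:create").
        CustomDataPermissionsEditor accountPerms =
                new CustomDataPermissionsEditor(account.getCustomData());
        accountPerms.append("report:create");

        // 3. Persist the account together with its customData in a single call.
        application.createAccount(account);

        // Group-level permission: every member of "Users" inherits "login".
        Group users = findGroup(application, "Users");
        CustomData groupData = users.getCustomData();
        new CustomDataPermissionsEditor(groupData).append("login");
        groupData.save();                                   // customData is its own resource

        // Membership is what links the two: the aggregate for this account becomes
        // {report:create} from the account plus {login} from the group.
        users.addAccount(account);
    }

    // Look the group up by name; fail loudly rather than silently skipping the grant.
    private static Group findGroup(Application application, String name) {
        for (Group group : application.getGroups()) {
            if (name.equals(group.getName())) {
                return group;
            }
        }
        throw new IllegalStateException("Group not found: " + name);
    }
}
```

The editor only mutates the in-memory customData; for an account that already exists you would call `account.getCustomData().save()` after `append`, exactly as the group branch does.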

Storing Permissions in Stormpath

The Apache Shiro Plugin for Stormpath assumes you’ll store permission data on the default “apacheShiroPermissions” field on an account or group’s customData resource.

In JSON terms, it looks like this:

However, this field name can be changed by specifying the fieldName property on the CustomDataPermissionsEditor:

Note that if you do choose to alter the field name, you’ll also need to update the Shiro realm’s configuration:
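An added example, not from the post, that ties the three pieces together: the JSON shape of the default field, an editor writing to a renamed field, and a realm whose resolvers read that same renamed field. It assumes the plugin’s `ApplicationRealm`, `AccountCustomDataPermissionResolver` and `GroupCustomDataPermissionResolver` classes and their `setCustomDataFieldName` property as I recall them; the field name `myAppPermissions` is a constructed value.

```java
// Added example, not the post's own code. The plugin class and property names are
// assumptions from memory; "myAppPermissions" is a constructed field name.
//
// With the default field the account's customData looks like:
//   { "apacheShiroPermissions": ["report:create"] }
// After renaming, the same data must live under the new key:
//   { "myAppPermissions": ["report:create"] }
import com.stormpath.sdk.client.Client;
import com.stormpath.sdk.directory.CustomData;
import com.stormpath.shiro.authz.CustomDataPermissionsEditor;
import com.stormpath.shiro.realm.AccountCustomDataPermissionResolver;
import com.stormpath.shiro.realm.ApplicationRealm;
import com.stormpath.shiro.realm.GroupCustomDataPermissionResolver;

public class RenamedPermissionsField {

    // One constant shared by the write side and the read side. If the editor and the
    // realm disagree on this name, the realm finds no permissions at all and every
    // isPermitted() check quietly returns false.
    static final String PERMISSIONS_FIELD = "myAppPermissions";

    // Write side: same editor as before, with the field name overridden.
    public static void grant(CustomData customData, String permission) {
        CustomDataPermissionsEditor editor = new CustomDataPermissionsEditor(customData);
        editor.setFieldName(PERMISSIONS_FIELD);
        editor.append(permission);
        customData.save();
    }

    // Read side: the realm's account and group resolvers must point at the same field.
    // The equivalent shiro.ini lines would be:
    //   stormpathRealm.accountPermissionResolver.customDataFieldName = myAppPermissions
    //   stormpathRealm.groupPermissionResolver.customDataFieldName   = myAppPermissions
    public static ApplicationRealm buildRealm(Client client, String applicationHref) {
        ApplicationRealm realm = new ApplicationRealm();
        realm.setClient(client);
        realm.setApplicationRestUrl(applicationHref);

        AccountCustomDataPermissionResolver accountResolver =
                new AccountCustomDataPermissionResolver();
        accountResolver.setCustomDataFieldName(PERMISSIONS_FIELD);
        realm.setAccountPermissionResolver(accountResolver);

        GroupCustomDataPermissionResolver groupResolver =
                new GroupCustomDataPermissionResolver();
        groupResolver.setCustomDataFieldName(PERMISSIONS_FIELD);
        realm.setGroupPermissionResolver(groupResolver);

        return realm;
    }
}
```

Keeping the name in a single constant (or a single property file read by both sides) is the simplest guard against the silent-deny failure described in the comment.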

Permission Checks

It’s great being able to decorate groups and accounts with ad-hoc custom data, but we want to put that info to work! Lucky for us, permission checks are super easy.

Apache Shiro will automatically determine the permissions assigned to an account (directly or via groups) and give a true or false response.

Because the above check can occur at runtime, it’s incredibly versatile. You’ll be able to model permissions based not only on who the user is, but also on the object currently being interacted with. And you can change permissions stored in Stormpath at runtime, and Shiro will reflect the changes immediately!

Just remember, Shiro looks at the aggregate of all permissions on the account: subject.isPermitted returns true if either the AccountPermissionResolver or the GroupPermissionResolver implies the requested permission for the account in question.
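The checks from the last three paragraphs as one added example (not code from the post): a coarse check that throws on denial, an instance-level check whose permission string is built from the object being acted on, and a deny-by-default caller. Only standard Shiro API is used (`SecurityUtils.getSubject`, `isPermitted`, `checkPermission`); the `Report` type and the `report:view:<id>` naming scheme are constructed for the example and must match whatever strings you store in customData.

```java
// Added example, not the post's own code. Report and the "report:view:<id>" scheme are
// constructed; the strings checked here must match what is stored in customData.
import java.util.UUID;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;

public class ReportService {

    // Minimal domain object for the example.
    static final class Report {
        final String id;
        final String ownerId;

        Report(String id, String ownerId) {
            this.id = id;
            this.ownerId = ownerId;
        }
    }

    // Coarse-grained check: satisfied by "report:create" on the account itself or on
    // any group containing it (the realm aggregates both resolvers).
    public Report create(String ownerId) {
        Subject subject = SecurityUtils.getSubject();
        // checkPermission throws AuthorizationException instead of returning false,
        // which is the safer shape for a code path that must never run unauthorized.
        subject.checkPermission("report:create");
        return new Report(UUID.randomUUID().toString(), ownerId);
    }

    // Instance-level check: the permission string depends on the object being viewed.
    // A stored "report:view:*" (or just "report:*") covers every report, while a stored
    // "report:view:42" covers only that one; Shiro's WildcardPermission does the implication.
    public boolean canView(Report report) {
        Subject subject = SecurityUtils.getSubject();
        return subject.isPermitted("report:view:" + report.id);
    }

    // Deny by default: a false result is a hard stop, not a hint for the UI.
    public String render(Report report) {
        if (!canView(report)) {
            throw new AuthorizationException("Not permitted to view report " + report.id);
        }
        return "Report " + report.id + " owned by " + report.ownerId;
    }
}
```

Because the realm consults Stormpath on each authorization lookup (subject to whatever caching you configure on it), a permission added or removed in customData is reflected on the next check without redeploying the application.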

We’d love to see what you come up with! As always, team Stormpath is here to help with roadblocks and user modeling questions: [email protected]

Next up: Stormpath + Spring Security. Stay tuned!