I'm designing an application where users are organized in multi-level hierarchies. Users can be assigned to any level of this hierarchy with a role.
So, I want to know if there is a way to adapt Apache Shiro to these hierarchies, where I can define permissions for roles IN organizations; that is, not just an "admin" role that can do any action on any user, but an "admin" of "organization A" who can do any action on any user belonging to "organization A" or any of its suborganizations.
I think what I'm looking for is a path mechanism, similar to the Apache Shiro wildcard system, but with paths to organizations, something like:
users:*:organizationA/*
This would mean a permission over users for any action over all the users within the organization A and all its suborganizations.
In the end, what I need is a permission system over resources in a hierarchical user model. Is there a way to model something like that with Apache Shiro? Should I use any other framework, or do I need to add some code to achieve this with Shiro?
You can subclass the WildcardPermission class and implement your own implies method to write your own implementation of a permission string.
Then override WildcardPermissionResolver to return your permission implementation instead of the standard one.
Then you can configure it to be used globally in shiro.ini:
See documentation here: https://shiro.apache.org/authorization.html#Authorization-Configuringaglobal%7B%7BPermissionResolver%7D%7D
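One way to write the subclass and resolver described in this answer, as an added example that is not part of the original answer or of Shiro itself. The class names, the three-part resource:action:orgPath layout and the trailing "/*" convention are assumptions based on the question's users:*:organizationA/* string.

```java
import java.util.Locale;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;

// Hypothetical class. Assumed format: resource:action:orgPath, where orgPath is
// '/'-separated and a trailing "/*" covers the organization and everything below it.
public class OrgPathPermission extends WildcardPermission {
    private final WildcardPermission head; // resource:action, standard Shiro matching
    private final String orgPath;          // null when no third part was given

    public OrgPathPermission(String permission) {
        super(permission); // lets Shiro reject null or empty strings
        String[] parts = permission.trim().split(":", 3);
        head = new WildcardPermission(parts.length > 1 ? parts[0] + ":" + parts[1] : parts[0]);
        // Lower-cased because WildcardPermission is case-insensitive by default.
        orgPath = parts.length > 2 ? parts[2].toLowerCase(Locale.ROOT) : null;
    }

    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof OrgPathPermission)) return false; // never imply unknown types
        OrgPathPermission requested = (OrgPathPermission) p;
        return head.implies(requested.head) && orgImplies(orgPath, requested.orgPath);
    }

    private static boolean orgImplies(String granted, String requested) {
        if (granted == null || granted.equals("*")) {
            return true;  // grant is not scoped to an organization (Shiro's usual rule)
        }
        if (requested == null) {
            return false; // scoped grant, unscoped check: deny
        }
        if (granted.endsWith("/*")) {
            String root = granted.substring(0, granted.length() - 2);
            // Compare on a segment boundary so "organizationA/*" does not
            // cover a sibling such as "organizationAB".
            return requested.equals(root) || requested.startsWith(root + "/");
        }
        return granted.equals(requested);
    }

    // Resolver that makes Shiro build OrgPathPermission from permission strings.
    public static class Resolver extends WildcardPermissionResolver {
        @Override
        public Permission resolvePermission(String permissionString) {
            return new OrgPathPermission(permissionString);
        }
    }
}
```

The organization path in the permission being checked should come from the stored organization tree in canonical form, not from request input, because the prefix comparison does not resolve segments such as "..".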