Sunday, 25 March 2018

Apache Shiro dynamic URL attribute

I cannot understand whether Apache Shiro allows authorizing a Subject with dynamically changing parameters and specific business rules.

Let's say I have a business rule: "A user can see only its own documents". To request a document, the user must specify the id of this document in the URL:

my.domain.com/doc?docId=1234

If the document with id 1234 belongs to the current user, it can be displayed; otherwise it cannot.

Does Apache Shiro allow, as a general approach, implementing logic like that? If yes, which classes must I use, and in which way?
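The ownership rule from the question, expressed with Shiro's instance-level wildcard permissions, as an added example that is not part of the original post. The `OwnerRealm` class, the `doc:read:<id>` permission format, the `canRead` helper and the in-memory owner map are assumptions made for illustration.

```java
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class DocOwnershipDemo {
    // Constructed sample data: docId -> owner username.
    static final Map<String, String> OWNERS = Map.of("1234", "alice", "5678", "bob");

    // Hypothetical realm: grants "doc:read:<id>" only for documents the user owns.
    static class OwnerRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            // Demo only: every user has the constructed password "secret".
            return new SimpleAuthenticationInfo(token.getPrincipal(), "secret", getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            OWNERS.forEach((docId, owner) -> {
                if (owner.equals(user)) info.addStringPermission("doc:read:" + docId);
            });
            return info;
        }
    }

    // The check a handler for /doc?docId=... would run before loading the document.
    static boolean canRead(Subject subject, String docId) {
        // Accept plain numeric ids only, so ':', ',' or '*' never reach the
        // permission string (extra ':' parts would be implied by a shorter grant).
        if (docId == null || !docId.matches("\\d{1,18}")) return false;
        return subject.isPermitted("doc:read:" + docId);
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new OwnerRealm()));
        Subject alice = SecurityUtils.getSubject();
        alice.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("1234: " + canRead(alice, "1234"));           // owned by alice
        System.out.println("5678: " + canRead(alice, "5678"));           // owned by bob
        System.out.println("1234:x: " + canRead(alice, "1234:x"));       // malformed id
    }
}
```

The check runs on the server for every request, so changing `docId` in the URL to another user's document id is refused rather than served.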



