Permission deprecation

rumyrrh

Feb 28, 2023, 9:46:07 AM
to Pac4j users mailing list
Hello,

I recently updated from Java 8 to Java 11, and so moved from pac4j 4+ to pac4j 5+. During the upgrade, I noticed that permissions on the user profile have been marked for deprecation. Is there a plan to keep this feature in another manner than on the user profile? Or is this feature being removed altogether?

We actively use this feature and are currently relying on it for several applications.

Jérôme LELEU

Feb 28, 2023, 10:05:00 AM
to Pac4j users mailing list
Hi,

Yes, the permissions have been deprecated in pac4j v5 and removed in pac4j v6.

They were not different from the roles so the roles only are kept and must be used in replacement.

Thanks.
Best regards,
Jérôme

rumyrrh

Feb 28, 2023, 10:19:44 AM
to Pac4j users mailing list
Hello,

So do roles act the same with * format (such as "READ:*")? We utilize the permissions feature in connection with the Shiro project (utilizing the buji-pac4j connector), and so utilize string-based permissions throughout the application. We have roles, but roles for us are a way of grouping permissions - Role A might have Permission 1 and Permission 2, while Role B has only Permission 1, etc.

Are you saying that in our case, we should just consider "roles" in pac4j as permissions and go from there?

Jérôme LELEU

Mar 1, 2023, 2:01:00 AM
to rumyrrh, Pac4j users mailing list
Hi,

From the pac4j core engine, roles were not different from permissions; that's why only roles remain.
Over the years, the pac4j core project has tried to remain easy and focused on core and limited concepts.

That said, in Shiro, permissions exist (and I think it's the only use case among the 20 something implementations using pac4j).

So either you forget about permissions and only use roles
or
we can think of a smooth transition and specific behavior for Shiro.

For example, instead of adding permissions in your user profile, you can add a "permissions" attribute and we could rely on that when building the Shiro security context:

    profile.addAttribute(Pac4jRealm.PERMISSIONS_ATTRIBUTE, Arrays.asList("PERM1", "PERM2"));

and:

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection principals) {
        final Set<String> roles = new HashSet<>();
        final Set<String> permissions = new HashSet<>();
        final Pac4jPrincipal principal = principals.oneByType(Pac4jPrincipal.class);
        if (principal != null) {
            final List<UserProfile> profiles = principal.getProfiles();
            for (final UserProfile profile : profiles) {
                if (profile != null) {
                    // Roles still come from the pac4j profile itself
                    roles.addAll(profile.getRoles());
                    // Permissions are read from the dedicated profile attribute
                    final Object perm = profile.getAttribute(PERMISSIONS_ATTRIBUTE);
                    if (perm instanceof List) {
                        permissions.addAll((List<String>) perm);
                    } else if (perm instanceof Set) {
                        permissions.addAll((Set<String>) perm);
                    }
                }
            }
        }

        // Hand both sets to Shiro
        final SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        simpleAuthorizationInfo.addRoles(roles);
        simpleAuthorizationInfo.addStringPermissions(permissions);
        return simpleAuthorizationInfo;
    }

You would only need to change the way of setting permissions.
 
What do you think?

Thanks.
Best regards,
Jérôme
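
Added example, not part of the original thread and not buji-pac4j's own code: it shows why a string such as "READ:*" behaves differently as a Shiro permission than as a role, and how an attribute value of unknown type can be filtered before it reaches Shiro. The class `PermissionAttributeDemo` and the helpers `toPermissionStrings` and `isPermitted` are hypothetical names; Shiro is assumed to be on the classpath and the attribute value is constructed sample data.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;

public class PermissionAttributeDemo {

    // Keep only non-blank String elements; an attribute value is an Object and
    // a raw cast would let non-String items into a Set<String>.
    static List<String> toPermissionStrings(final Object attribute) {
        final List<String> result = new ArrayList<>();
        if (attribute instanceof Collection) {
            for (final Object item : (Collection<?>) attribute) {
                if (item instanceof String && !((String) item).trim().isEmpty()) {
                    result.add((String) item);
                }
            }
        }
        return result;
    }

    // Permission check with wildcard semantics: a granted permission matches
    // when it implies the requested one, not only when the strings are equal.
    static boolean isPermitted(final SimpleAuthorizationInfo info, final String requested) {
        if (info.getStringPermissions() == null) {
            return false;
        }
        final Permission wanted = new WildcardPermission(requested);
        return info.getStringPermissions().stream()
                .anyMatch(granted -> new WildcardPermission(granted).implies(wanted));
    }

    public static void main(final String[] args) {
        // Constructed attribute value: two permission strings and one stray non-String item
        final Object attribute = Arrays.asList("READ:*", "WRITE:report", 42);

        final SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(toPermissionStrings(attribute));
        info.addRole("READ:*"); // the same string stored as a role

        System.out.println("permission READ:invoice:  " + isPermitted(info, "READ:invoice"));
        System.out.println("permission WRITE:invoice: " + isPermitted(info, "WRITE:invoice"));
        // Roles are plain names compared by equality, so the wildcard has no effect here
        System.out.println("role READ:invoice:        " + info.getRoles().contains("READ:invoice"));
    }
}
```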


rumyrrh

Mar 1, 2023, 4:21:13 PM
to Pac4j users mailing list
Hello,

I think that would work well!

As long as we have a way of setting permissions, it doesn't matter if it is through the pac4j user profile or an attribute like you proposed.

We utilize Shiro for reading permissions after we set them, so removing them from pac4j itself won't be a problem if it is done this way.

Jérôme LELEU

Mar 2, 2023, 1:56:32 AM
to rumyrrh, Pac4j users mailing list
Hi,

Good. This will be available in the future version based on pac4j v6: https://github.com/bujiio/buji-pac4j/commit/fdd10630c7d045925957c6317a6e2ac6a3bd4249
Thanks.
Best regards,
Jérôme

