I have to deal with an application which is secured by Apache Shiro.
I'm quite new to this framework. As far as I can see, I can check single rights via subject.isPermitted(), e.g.
    Subject subject = SecurityUtils.getSubject();
    [...]
    subject.isPermitted("$RightString");
For logging purposes I need the complete list of user rights as a String. And I do not want to iterate over the list of rights and check every time whether subject.isPermitted() is true.
Is there any shortcut to this problem?
Edit:
Further Information:
The realm is defined in the application context as a bean:
    <bean id="PRODUCTNAMERealm" class="de.PATHFROMPRODUCT_PRODUCTNAMEJdbcRealm">
        <property name="dataSource" ref="dataSource"/>
        <property name="schema" value="${PRODUCTNAME.schema}"/>
    </bean>
So I could inject it if needed.
I believe there is no out-of-the-box way to do this, but we worked around this by registering the user permissions on the session. We are using a custom realm implementation and our permissions are stored in the database.
In our custom realm class:
    @Override
    public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // loadPermissions() is a hypothetical helper standing in for: logic to get the permissions here
        Set<String> permissionsSet = loadPermissions(principals);
        info.addStringPermissions(permissionsSet);
        // Keep a copy on the session so it can be read back later for logging
        SecurityUtils.getSubject().getSession().setAttribute("permissions", permissionsSet);
        return info;
    }
Now retrieving the permissions is just a matter of calling:
    SecurityUtils.getSubject().getSession().getAttribute("permissions");
Another way would be to inject your custom realm where you need the info and have the bean make getAuthorizationInfo public.
    @Override
    public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
        return super.getAuthorizationInfo(principals);
    }
    ....
    yourRealm.getAuthorizationInfo(SecurityUtils.getSubject().getPrincipals()).getStringPermissions();
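An added example, not part of the original answers or of Shiro itself: the injected-realm approach above turned into a logging helper that also covers an anonymous subject, null collections, object permissions, and control characters in stored permission strings. The class name AuditableRealm and the method describeCurrentSubject are hypothetical; in practice the two methods would go into your own realm class rather than a new base class.

```java
import java.util.Collection;
import java.util.TreeSet;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical base class (assumption): add these methods to your own realm bean instead.
public abstract class AuditableRealm extends AuthorizingRealm {
    // Widen Shiro's protected getAuthorizationInfo() so injected callers can use it.
    @Override
    public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
        return super.getAuthorizationInfo(principals);
    }

    // Renders the current subject's roles and permissions as one sorted, log-safe line.
    public String describeCurrentSubject() {
        PrincipalCollection principals = SecurityUtils.getSubject().getPrincipals();
        AuthorizationInfo info = (principals == null || principals.isEmpty())
                ? null : getAuthorizationInfo(principals);
        if (info == null) {
            return "roles=[] permissions=[] (anonymous or no authorization info)";
        }
        TreeSet<String> roles = new TreeSet<>();
        TreeSet<String> permissions = new TreeSet<>();
        addAll(roles, info.getRoles());
        addAll(permissions, info.getStringPermissions());
        // Permissions registered as Permission objects are not in getStringPermissions().
        Collection<Permission> objects = info.getObjectPermissions();
        if (objects != null) {
            for (Permission p : objects) {
                permissions.add(sanitize(String.valueOf(p)));
            }
        }
        return "roles=" + roles + " permissions=" + permissions;
    }

    private static void addAll(TreeSet<String> target, Collection<String> values) {
        if (values == null) return; // SimpleAuthorizationInfo returns null when nothing was added
        for (String v : values) target.add(sanitize(v));
    }

    // Replace control characters so a stored permission string cannot forge extra log lines.
    private static String sanitize(String value) {
        return value == null ? "null" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```

The line reflects what the realm returns for the subject, which may come from Shiro's authorization cache if one is configured, so it can lag behind the database until the cache entry is cleared.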
In my opinion Shiro is related only to the security, authority, etc. of the current user, not to the whole user base. You can use your standard SQL queries to retrieve users' permissions.