shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jan Stamer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-392) Shiro Extension for JAX-RS Implementation Sun Jersey
Date Fri, 26 Oct 2012 13:45:15 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13484921#comment-13484921
] 

Jan Stamer commented on SHIRO-392:
----------------------------------

Here's a quick preview of the classes needed:
public class PermissionsResourceFilterFactory implements ResourceFilterFactory {

   @Override
   public List<ResourceFilter> create(final AbstractMethod method) {
      final RequiresPermissions methodPermissions = method.getAnnotation(RequiresPermissions.class);
      final RequiresPermissions resourcePermissions = method.getResource().getAnnotation(RequiresPermissions.class);

      // Combine permissions on both resource and method.
      String[] combinedPermissions = new String [] {};
      if (resourcePermissions != null) {
         combinedPermissions = concat(combinedPermissions, resourcePermissions.value());
      }
      if (methodPermissions != null) {
         combinedPermissions = concat(combinedPermissions, methodPermissions.value());
      }

      if (combinedPermissions.length > 0) {
         return Collections.<ResourceFilter>singletonList(createFilter(combinedPermissions));
      }

      return null;
   }

   protected ResourceFilter createFilter(final String[] allowedPermissions) {
      return new PermissionsFilter(allowedPermissions);
   }

   public static <T> T[] concat(T[] first, T[] second) {
      T[] result = Arrays.copyOf(first, first.length + second.length);
      System.arraycopy(second, 0, result, first.length, second.length);
      return result;
   }

}

And:
public class PermissionsFilter implements ResourceFilter, ContainerRequestFilter {
   
   /**
    * The permissions required to access a REST resource.
    */
   private final String[] requiredPermissions;

   public PermissionsFilter(final String... requiredPermissions) {
      this.requiredPermissions = requiredPermissions;
   }

   /**
    * If the user has sufficient permissions the request is executed. Otherwise
    * an exception is thrown which results in the HTTP status 403 (Forbidden).
    */
   public ContainerRequest filter(final ContainerRequest request) {
      if (isPermitted()) {
         return request;
      }
      throw new WebApplicationException(Response.Status.FORBIDDEN);
   }
   
   /**
    * Checks if the current subject has all required permissions.
    */
   protected boolean isPermitted() {
      return SecurityUtils.getSubject().isPermittedAll(requiredPermissions); 
   }

   protected static boolean isPermitted(final String... requiredPermissions) {
      return SecurityUtils.getSubject().isPermittedAll(requiredPermissions);
   }
   
   public String[] getRequiredPermissions() {
      return requiredPermissions.clone();
   }
   
   public ContainerRequestFilter getRequestFilter() {
      return this;
   }
   
   public ContainerResponseFilter getResponseFilter() {
      return null;
   }
   
}
                
> Shiro Extension for JAX-RS Implementation Sun Jersey
> ----------------------------------------------------
>
>                 Key: SHIRO-392
>                 URL: https://issues.apache.org/jira/browse/SHIRO-392
>             Project: Shiro
>          Issue Type: Improvement
>            Reporter: Jan Stamer
>
> We've added an extension to Shiro which enables Shiro annotations in the JAX-RS implementation
Sun Jersey.
> You can do the following with it:
> @Path("/changelog")
> @RequiresPermissions("repository:read")
> public class ChangelogResourceImpl {
>    @POST
>    @Consumes(MediaType.APPLICATION_JSON)
>    @Path("/addObject")
>    @Override
>    @RequiresPermissions("repository:write")
>    public Response addObject(ObjectJson objectJson) {
>       someService.addObject(object);
>       return Response.ok().build();
>    }
> }
> If the user is not authenticated Http Status Code 401 is returned. If the user has insufficient
privileges Status Code 403 is returned.
> Right now we've only added support for the annoation @RequiresPermissions. The other
Shiro annoations could easily be added in the same fashion. Yet currently that's the only
one we need.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message