Posted to dev@shiro.apache.org by "Jim Newsham (JIRA)" <ji...@apache.org> on 2011/02/09 02:21:57 UTC

[jira] Created: (SHIRO-243) when method is unauthorized, please include method info in stack trace

when method is unauthorized, please include method info in stack trace
----------------------------------------------------------------------

                 Key: SHIRO-243
                 URL: https://issues.apache.org/jira/browse/SHIRO-243
             Project: Shiro
          Issue Type: Improvement
            Reporter: Jim Newsham
            Priority: Minor


We are using Shiro's annotation-based method authorization support, to enforce security checks on remotely invoked services.  The problem is that when we get an AuthorizationException, it doesn't include any information about which particular method failed.  Looks like it would be really easy to include this in AuthorizingAnnotationMethodInterceptor.assertAuthorized() as follows:

  public void assertAuthorized(MethodInvocation method) throws AuthorizationException {
    try {
      // delegate to the annotation handler, which throws if the check fails
      ((AuthorizingAnnotationHandler)getHandler()).assertAuthorized(getAnnotation(method));
    }
    catch(AuthorizationException ae) {
      // wrap the failure so the message names the method that was refused
      throw new AuthorizationException("method not authorized: " + method.getMethod(), ae);
    }
  }


-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Kalle Korhonen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12993224#comment-12993224 ] 

Kalle Korhonen commented on SHIRO-243:
--------------------------------------

Right, that's one of the main reasons wrapping probably isn't worth the price.


[jira] Resolved: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Kalle Korhonen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kalle Korhonen resolved SHIRO-243.
----------------------------------

       Resolution: Fixed
    Fix Version/s: 1.2.0


[jira] Reopened: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Kalle Korhonen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kalle Korhonen reopened SHIRO-243:
----------------------------------


Re-evaluating the suggested solution, wrapping breaks unit tests in aspectj. I was thinking exactly that it's not necessarily a good practice to hide the actual root cause but didn't run tests elsewhere than core itself. Reverting for now, it's possible I'll just fix the unit tests.


[jira] Commented: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Jared Bunting (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12993219#comment-12993219 ] 

Jared Bunting commented on SHIRO-243:
-------------------------------------

There are subclasses of AuthorizationException.  Wrapping it will also break any attempts to catch certain subclasses  (UnauthenticatedException for example).


[jira] Resolved: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Kalle Korhonen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kalle Korhonen resolved SHIRO-243.
----------------------------------

    Resolution: Fixed

Initialize the cause of the thrown Exception if not previously set. May not read that well if stacktrace is printed out (UnauthenticatedException caused by AuthorizationException) but semantically can be seen as correct (method authorization caused permission check).


[jira] Commented: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12992287#comment-12992287 ] 

Les Hazlewood commented on SHIRO-243:
-------------------------------------

Good idea Jim - thanks for the issue.


[jira] Assigned: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Kalle Korhonen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kalle Korhonen reassigned SHIRO-243:
------------------------------------

    Assignee: Kalle Korhonen


[jira] [Closed] (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Les Hazlewood (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood closed SHIRO-243.
-------------------------------


Closing with the 1.2.0 release.
                

[jira] Commented: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Jim Newsham (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12992272#comment-12992272 ] 

Jim Newsham commented on SHIRO-243:
-----------------------------------

P.S.  I've already implemented a similar approach in the method interceptors for our own custom annotations, but I would have to override Shiro's method interceptors to get the same benefit there; seems more sensible for this to be in the parent class -- AuthorizingAnnotationMethodInterceptor.


[jira] Commented: (SHIRO-243) when method is unauthorized, please include method info in stack trace

Posted by "Kalle Korhonen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12993225#comment-12993225 ] 

Kalle Korhonen commented on SHIRO-243:
--------------------------------------

Might still be useful to make it visible in the exception hierarchy rather than just write to a log. Perhaps make an attempt to initCause() with AuthorizationException and a message set.


-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
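
Added example, not part of the thread and not Shiro's own code: a self-contained comparison of the wrapping proposal with the initCause() approach discussed above, showing why a caller that separates "login required" from "forbidden" misclassifies the failure once the exception is wrapped. The nested exception classes are stand-ins that mirror the Shiro class names from the thread; deleteAccount(), handlerCheck(), callerSees() and the message texts are hypothetical.

```java
import java.lang.reflect.Method;

public class AuthzCauseDemo {
    // Stand-ins mirroring the exception hierarchy named in the thread (assumption: no Shiro on the classpath).
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
        AuthorizationException(String msg, Throwable cause) { super(msg, cause); }
    }
    static class UnauthenticatedException extends AuthorizationException {
        UnauthenticatedException(String msg) { super(msg); }
    }

    // Hypothetical protected service method and the handler check guarding it.
    public void deleteAccount() { }
    static void handlerCheck() { throw new UnauthenticatedException("subject is anonymous"); }

    // Proposal from the issue: wrap. The thrown type becomes the base class.
    static void assertAuthorizedWrapping(Method m) {
        try { handlerCheck(); }
        catch (AuthorizationException ae) {
            throw new AuthorizationException("method not authorized: " + m, ae);
        }
    }

    // Approach from the resolution: rethrow the original, attach method info as its cause.
    static void assertAuthorizedInitCause(Method m) {
        try { handlerCheck(); }
        catch (AuthorizationException ae) {
            if (ae.getCause() == null) {
                try {
                    ae.initCause(new AuthorizationException("Not authorized to invoke method: " + m));
                } catch (IllegalStateException alreadySet) {
                    // A cause fixed at construction time (even a null one) cannot be overwritten; keep it.
                }
            }
            throw ae;
        }
    }

    // A caller that maps the subclass to "login required" and the base class to "forbidden".
    static String callerSees(Runnable check) {
        try { check.run(); return "allowed"; }
        catch (UnauthenticatedException e) { return "login required; cause=" + e.getCause(); }
        catch (AuthorizationException e) { return "forbidden; cause=" + e.getCause(); }
    }

    public static void main(String[] args) throws Exception {
        Method m = AuthzCauseDemo.class.getMethod("deleteAccount");
        System.out.println(callerSees(() -> assertAuthorizedWrapping(m)));   // base-class branch
        System.out.println(callerSees(() -> assertAuthorizedInitCause(m)));  // subclass branch
    }
}
```

With wrapping, the anonymous subject falls into the "forbidden" branch; with initCause() the UnauthenticatedException branch still fires and the method name travels in the cause chain.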