You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@shiro.apache.org by Peter McNeil <pe...@mcneils.net> on 2013/09/18 06:32:17 UTC

spring AuthorizationAttributeSourceAdvisor

G'day all,

I'm maintaining the Grails Shiro plugin, and in re-writing tests around 
Annotations I discovered a problem mentioned several times about spring 
integration with the Shiro Annotations, namely that they don't work on a 
class as documented.

I tracked the problem to the 
org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor, 
which only checks the method for the annotation, but not the class. I 
implemented a replacement AuthorizationAttributeSourceAdvisor which 
overrides the matches method as below. This works as expected in my tests.

public class AuthorizationAttributeSourceAdvisor extends 
org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor 
{

     @Override
     public boolean matches(Method method, Class targetClass) {
         return ((method.getAnnotation(RequiresPermissions.class) != 
null) ||
                 (method.getAnnotation(RequiresRoles.class) != null) ||
                 (method.getAnnotation(RequiresUser.class) != null) ||
                 (method.getAnnotation(RequiresGuest.class) != null) ||
                 (method.getAnnotation(RequiresAuthentication.class) != 
null) ||
(targetClass.getAnnotation(RequiresPermissions.class) != null) ||
                 (targetClass.getAnnotation(RequiresRoles.class) != null) ||
                 (targetClass.getAnnotation(RequiresUser.class) != null) ||
                 (targetClass.getAnnotation(RequiresGuest.class) != null) ||
(targetClass.getAnnotation(RequiresAuthentication.class) != null));
     }
}

Is this right? Have I missed anything? Does it need to be patched in Shiro?

Cheers,
Peter.

-- 
web: http://nerderg.com
Twitter: http://twitter.com/pmcneil
Google+: https://plus.google.com/u/0/communities/110661434396927001866