Posted to user@shiro.apache.org by lt_schmidt_jr <mk...@gmail.com> on 2010/08/23 19:03:26 UTC

Jersey support

Anyone here try to use Shiro with Jersey? 
I am just now looking at Shiro AspectJ integration and wondering if there is
a clean way to have AspectJ call out to Shiro methods with pointcuts based
on Jersey annotations. Any thoughts or suggestions would be appreciated.
-- 
View this message in context: http://shiro-user.582556.n2.nabble.com/Jersey-support-tp5453408p5453408.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Jersey support

Posted by Kalle Korhonen <ka...@gmail.com>.
/samples/aspectj? No, that does compile-time weaving. Run/load-time
weaving requires configuring JRE with -javaagent:aspectjweaver.jar.

Kalle


On Fri, Aug 27, 2010 at 10:11 AM, Mike K <mk...@semanticresearch.com> wrote:
>
> After thinking about this more, I would like to try to add parameter
> annotation to the decision process for auth (currently Shiro seems to only
> support method annotations).
> However, I am experiencing a newbie AspectJ issue. The AspectJ Shiro
> example provided run-time weaving, and I was hoping someone can point out
> how to make it weave at compile time.
>
> Thanks,
>
> Mike.
>

Re: Jersey support

Posted by Mike K <mk...@semanticresearch.com>.
After thinking about this more, I would like to try to add parameter
annotation to the decision process for auth (currently Shiro seems to only
support method annotations).
However, I am experiencing a newbie AspectJ issue. The AspectJ Shiro
example provided run-time weaving, and I was hoping someone can point out
how to make it weave at compile time.

Thanks,

Mike.

Re: Jersey support

Posted by Les Hazlewood <lh...@apache.org>.
Hi Mike,

Glad to help!  And welcome!

> Thanks for the quick reply Les. This sort of thing makes me feel good about
> picking Shiro as the security framework for our project.

I hope you enjoy it -  the community is pretty strong and is
continuing to grow, and we'll probably (hopefully!) graduate to an
Apache Top Level Project (TLP) at the next September Apache board
meeting.

> We are using Jersey, but the annotations are in fact JSR-spec. I need to
> build something rather quickly; I will likely use the
> HttpMethodPermissionFilter (or maybe the AspectJ implementation that is
> currently there) in the short term (very short). However, longer-term it
> would be great to have the JSR-311 annotation support.

Could you please create a Jira issue for this?  New features will
almost definitely get lost unless they're tracked.

One difficulty that I see with this is that there are many ways of
implementing this - AspectJ, Spring AOP, JBoss AOP, etc.  We'd have to
talk through on the dev list how to accomplish it.  Please feel free
to sign up for the dev list if you'd like to help us.

> As for HttpMethodPermissionFilter:
> The Shiro documentation does mention that it has item level permissions, but
> I don't see how that can be used by HttpMethodPermissionFilter (or with AOP
> for that matter). Am I missing something?

The HttpMethodPermissionFilter doesn't support instance-level
permissions at the moment, because it doesn't know where in the
request URL to parse the id.  Some work would be needed to support
this, but it shouldn't be hard.  You could probably subclass
HttpMethodPermissionFilter to do it easily.

If you can make this work for any app, please consider contributing
back any fixes as a patch and we'll be able to include it in an
upcoming release.

Best regards,

Les
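
Added example, not part of the thread and not Shiro's own code: one way the subclass suggested above could look, checking `<perm>:<action>:<id>` when the request path ends in an id. The class name, the assumption that the id is the last path segment, and the numeric id format are all hypothetical.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical subclass: adds the trailing URL id as a third permission part. */
public class InstanceHttpMethodPermissionFilter extends HttpMethodPermissionFilter {

    // Assumption: instance ids are numeric. Anything else, including the
    // WildcardPermission metacharacters '*', ',' and ':', is never spliced
    // into a permission string.
    private static final Pattern ID = Pattern.compile("[0-9]{1,18}");

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        String[] perms = (String[]) mappedValue;
        String id = extractId(WebUtils.getPathWithinApplication(WebUtils.toHttp(request)));
        if (id == null || perms == null || perms.length == 0) {
            // No id in the URL or nothing configured: keep the parent's check.
            return super.isAccessAllowed(request, response, mappedValue);
        }
        String action = getHttpMethodAction(request); // e.g. "read" for GET
        Subject subject = getSubject(request, response);
        for (String perm : perms) {
            // All configured permissions must hold for this instance.
            if (!subject.isPermitted(perm + ":" + action + ":" + id)) {
                return false;
            }
        }
        return true;
    }

    /** Returns the last path segment if it is a valid id, otherwise null. */
    static String extractId(String path) {
        if (path == null) {
            return null;
        }
        String trimmed = path.endsWith("/") ? path.substring(0, path.length() - 1) : path;
        String last = trimmed.substring(trimmed.lastIndexOf('/') + 1);
        return ID.matcher(last).matches() ? last : null;
    }
}
```

A subject granted only the two-part permission (for example `user:read`) still passes the three-part check, because WildcardPermission treats omitted trailing parts as matching everything. If the application also serves instances under non-numeric ids, those requests fall back to the collection-level check here and the pattern must be widened to cover them.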

Re: Jersey support

Posted by Mike K <mk...@semanticresearch.com>.
Thanks for the quick reply Les. This sort of thing makes me feel good about
picking Shiro as the security framework for our project.
We are using Jersey, but the annotations are in fact JSR-spec. I need to
build something rather quickly; I will likely use the
HttpMethodPermissionFilter (or maybe the AspectJ implementation that is
currently there) in the short term (very short). However, longer-term it
would be great to have the JSR-311 annotation support.
As for HttpMethodPermissionFilter:
The Shiro documentation does mention that it has item level permissions, but
I don't see how that can be used by HttpMethodPermissionFilter (or with AOP
for that matter). Am I missing something?

Mike

Re: Jersey support

Posted by Les Hazlewood <lh...@apache.org>.
Hiya,

I've used Jersey for REST support in the past with Shiro, but I used
the web-tier support to enforce rules, such as the
HttpMethodPermissionFilter:

http://incubator.apache.org/shiro/static/current/apidocs/org/apache/shiro/web/filter/authz/HttpMethodPermissionFilter.html

I've never used the annotation-based approach, but I don't see why it
couldn't work equally as well.  Also, 'Jersey annotations' are a
JSR-spec right?  I.e. nothing Jersey-specific about them?  If so, an
implementation based on that standard could be quite convenient.

HTH,

Les

On Mon, Aug 23, 2010 at 10:03 AM, lt_schmidt_jr <mk...@gmail.com> wrote:
>
> Anyone here try to use Shiro with Jersey?
> I am just now looking at Shiro AspectJ integration and wondering if there is
> a clean way to have AspectJ call out to Shiro methods with pointcuts based
> on Jersey annotations. Any thoughts or suggestions would be appreciated.
>