Posted to dev@shiro.apache.org by "Jan Stamer (JIRA)" <ji...@apache.org> on 2012/10/26 15:45:15 UTC
[jira] [Commented] (SHIRO-392) Shiro Extension for JAX-RS Implementation Sun Jersey
[ https://issues.apache.org/jira/browse/SHIRO-392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13484921#comment-13484921 ]
Jan Stamer commented on SHIRO-392:
----------------------------------
Here's a quick preview of the classes needed:
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import com.sun.jersey.api.model.AbstractMethod;
import com.sun.jersey.spi.container.ResourceFilter;
import com.sun.jersey.spi.container.ResourceFilterFactory;
import org.apache.shiro.authz.annotation.RequiresPermissions;

public class PermissionsResourceFilterFactory implements ResourceFilterFactory {

    @Override
    public List<ResourceFilter> create(final AbstractMethod method) {
        final RequiresPermissions methodPermissions = method.getAnnotation(RequiresPermissions.class);
        final RequiresPermissions resourcePermissions = method.getResource().getAnnotation(RequiresPermissions.class);

        // Combine permissions on both resource and method.
        String[] combinedPermissions = new String[] {};
        if (resourcePermissions != null) {
            combinedPermissions = concat(combinedPermissions, resourcePermissions.value());
        }
        if (methodPermissions != null) {
            combinedPermissions = concat(combinedPermissions, methodPermissions.value());
        }

        if (combinedPermissions.length > 0) {
            return Collections.<ResourceFilter>singletonList(createFilter(combinedPermissions));
        }
        // No @RequiresPermissions on the resource or the method: no filter is attached.
        return null;
    }

    protected ResourceFilter createFilter(final String[] allowedPermissions) {
        return new PermissionsFilter(allowedPermissions);
    }

    // Returns a new array holding the elements of first followed by those of second.
    public static <T> T[] concat(T[] first, T[] second) {
        T[] result = Arrays.copyOf(first, first.length + second.length);
        System.arraycopy(second, 0, result, first.length, second.length);
        return result;
    }
}
And:
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import com.sun.jersey.spi.container.ContainerResponseFilter;
import com.sun.jersey.spi.container.ResourceFilter;
import org.apache.shiro.SecurityUtils;

public class PermissionsFilter implements ResourceFilter, ContainerRequestFilter {

    /**
     * The permissions required to access a REST resource.
     */
    private final String[] requiredPermissions;

    public PermissionsFilter(final String... requiredPermissions) {
        this.requiredPermissions = requiredPermissions;
    }

    /**
     * If the user has sufficient permissions the request is executed. Otherwise
     * an exception is thrown which results in the HTTP status 403 (Forbidden).
     */
    public ContainerRequest filter(final ContainerRequest request) {
        if (isPermitted()) {
            return request;
        }
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }

    /**
     * Checks if the current subject has all required permissions.
     */
    protected boolean isPermitted() {
        return SecurityUtils.getSubject().isPermittedAll(requiredPermissions);
    }

    protected static boolean isPermitted(final String... requiredPermissions) {
        return SecurityUtils.getSubject().isPermittedAll(requiredPermissions);
    }

    public String[] getRequiredPermissions() {
        return requiredPermissions.clone();
    }

    // This object acts as its own request filter.
    public ContainerRequestFilter getRequestFilter() {
        return this;
    }

    // Responses are not filtered.
    public ContainerResponseFilter getResponseFilter() {
        return null;
    }
}
> Shiro Extension for JAX-RS Implementation Sun Jersey
> ----------------------------------------------------
>
> Key: SHIRO-392
> URL: https://issues.apache.org/jira/browse/SHIRO-392
> Project: Shiro
> Issue Type: Improvement
> Reporter: Jan Stamer
>
> We've added an extension to Shiro which enables Shiro annotations in the JAX-RS implementation Sun Jersey.
> You can do the following with it:
> @Path("/changelog")
> @RequiresPermissions("repository:read")
> public class ChangelogResourceImpl {
>     @POST
>     @Consumes(MediaType.APPLICATION_JSON)
>     @Path("/addObject")
>     @Override
>     @RequiresPermissions("repository:write")
>     public Response addObject(ObjectJson objectJson) {
>         someService.addObject(objectJson);
>         return Response.ok().build();
>     }
> }
> If the user is not authenticated, HTTP status code 401 is returned. If the user has insufficient privileges, status code 403 is returned.
> Right now we've only added support for the annotation @RequiresPermissions. The other Shiro annotations could easily be added in the same fashion. Yet currently that's the only one we need.
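The previewed PermissionsFilter answers every denied request with 403, while the issue description also mentions 401 for unauthenticated users. The following is an added example, not code from SHIRO-392 or from Shiro itself, showing one way a Jersey 1.x request filter can separate the two cases; the class name StatusAwarePermissionsFilter and the Basic challenge value are assumptions made for illustration.

```java
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import com.sun.jersey.spi.container.ContainerResponseFilter;
import com.sun.jersey.spi.container.ResourceFilter;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

/** Hypothetical variant of the PermissionsFilter preview: 401 vs. 403. */
public class StatusAwarePermissionsFilter implements ResourceFilter, ContainerRequestFilter {

    // Assumption: the API uses HTTP Basic; replace with the scheme actually deployed.
    private static final String CHALLENGE = "Basic realm=\"api\"";

    private final String[] requiredPermissions;

    public StatusAwarePermissionsFilter(final String... requiredPermissions) {
        if (requiredPermissions == null || requiredPermissions.length == 0) {
            // Fail closed: a filter without permissions would guard nothing.
            throw new IllegalArgumentException("at least one permission is required");
        }
        this.requiredPermissions = requiredPermissions.clone();
    }

    @Override
    public ContainerRequest filter(final ContainerRequest request) {
        final Subject subject = SecurityUtils.getSubject();
        // No identity at all (neither logged in nor remembered): ask for credentials.
        if (!subject.isAuthenticated() && !subject.isRemembered()) {
            throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, CHALLENGE).build());
        }
        // Known identity that lacks any one of the combined permissions: forbidden.
        if (!subject.isPermittedAll(requiredPermissions)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return request;
    }

    @Override
    public ContainerRequestFilter getRequestFilter() { return this; }

    @Override
    public ContainerResponseFilter getResponseFilter() { return null; } // responses pass through
}
```

A factory such as the previewed PermissionsResourceFilterFactory could return this class from createFilter in place of PermissionsFilter.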