@RequiresAuthentication on type

@RequiresAuthentication on type

Laszlo Hornyak
Hi,

When I use security annotations on a type, Shiro ignores them, but when I move the annotation to the method, it works perfectly.

e.g.
@RequiresAuthentication //ignored
interface FooService {

@GET
@Path("/auth")
@RequiresAuthentication // this works
fun list() : List<String>

}

Shiro is configured with Spring; I am using Spring 4.2.6 and Shiro 1.3.2.

Can anyone give an idea why annotations on the type are ignored?

Best regards,
Laszlo

Re: @RequiresAuthentication on type

Tamás Cservenák
Howdy,

Because Spring integration defines them as method advices? Am unsure and don't know much about Spring AOP support, but by looking at the code it looks evident that this will trigger on methods only....


hth,
~t~


On Tue, Dec 27, 2016 at 8:11 AM Laszlo Hornyak <[hidden email]> wrote:
Hi,

When I use security annotations on a type, Shiro ignores them, but when I move the annotation to the method, it works perfectly.

e.g.
@RequiresAuthentication //ignored
interface FooService {

@GET
@Path("/auth")
@RequiresAuthentication // this works
fun list() : List<String>

}

Shiro is configured with Spring; I am using Spring 4.2.6 and Shiro 1.3.2.

Can anyone give an idea why annotations on the type are ignored?

Best regards,
Laszlo
--
Thanks,
~t~


Re: @RequiresAuthentication on type

Laszlo Hornyak
Hi Tamas,

Nice to meet you on this list :)

That indeed is the reason why the type-annotations were ignored and by replacing the AuthorizationAttributeSourceAdvisor with a custom one I have worked around the problem, but I am still wondering if this is the intended behavior or this is a bug.

Basically this is the workaround:
override fun matches(method: Method, targetClass: Class<*>): Boolean =
      super.matches(method, targetClass)
            || securityAnnotations.any { AnnotationUtils.findAnnotation(targetClass, it) != null }

and then one has to replace the AuthorizationAttributeSourceAdvisor in the spring context.

Best regards,
Laszlo


Re: @RequiresAuthentication on type

Brian Demers
To follow up on this. I just noticed the pull request from Laszlo.  Thanks!


Can you open a JIRA as well, that way we can track this in the release notes?

On Tue, Dec 27, 2016 at 3:31 PM, Laszlo Hornyak <[hidden email]> wrote:
Hi Tamas,

Nice to meet you on this list :)

That indeed is the reason why the type-annotations were ignored and by replacing the AuthorizationAttributeSourceAdvisor with a custom one I have worked around the problem, but I am still wondering if this is the intended behavior or this is a bug.

Basically this is the workaround:
override fun matches(method: Method, targetClass: Class<*>): Boolean =
      super.matches(method, targetClass)
            || securityAnnotations.any { AnnotationUtils.findAnnotation(targetClass, it) != null }

and then one has to replace the AuthorizationAttributeSourceAdvisor in the spring context.

Best regards,
Laszlo
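
An added example, not code from this thread or from the Shiro project: a Kotlin audit that lists the methods relying only on a type-level Shiro annotation, which are the ones the method-only matching discussed above would leave unchecked. `FooService`, `OpenService` and the function names are constructed for illustration, and the check is a simplification that looks only at annotations declared directly on each type and on its own methods.

```kotlin
import java.lang.reflect.Method
import org.apache.shiro.authz.annotation.RequiresAuthentication
import org.apache.shiro.authz.annotation.RequiresGuest
import org.apache.shiro.authz.annotation.RequiresPermissions
import org.apache.shiro.authz.annotation.RequiresRoles
import org.apache.shiro.authz.annotation.RequiresUser

// Shiro's authorization annotations.
val shiroAnnotations: List<Class<out Annotation>> = listOf(
    RequiresAuthentication::class.java, RequiresGuest::class.java,
    RequiresPermissions::class.java, RequiresRoles::class.java,
    RequiresUser::class.java
)

fun Class<*>.hasShiroAnnotation() = shiroAnnotations.any { isAnnotationPresent(it) }
fun Method.hasShiroAnnotation() = shiroAnnotations.any { isAnnotationPresent(it) }

/**
 * Returns the methods whose only protection is an annotation on the
 * declaring type. If the advisor matches on method annotations alone,
 * calls to these methods are never intercepted.
 */
fun methodsRelyingOnTypeAnnotation(types: List<Class<*>>): List<Method> =
    types.filter { it.hasShiroAnnotation() }
        .flatMap { it.declaredMethods.toList() }
        .filter { !it.isSynthetic && !it.hasShiroAnnotation() }

// Constructed sample types, modelled on the interface in the first post.
@RequiresAuthentication
interface FooService {
    fun list(): List<String>            // type-level annotation only

    @RequiresAuthentication
    fun listChecked(): List<String>     // carries its own annotation
}

interface OpenService {
    fun ping(): String                  // no security annotation anywhere
}

fun main() {
    val gaps = methodsRelyingOnTypeAnnotation(
        listOf(FooService::class.java, OpenService::class.java)
    )
    gaps.forEach { println("type-level annotation only: ${it.declaringClass.name}.${it.name}") }
}
```

Run as a unit test over the application's service types, a non-empty result marks endpoints to annotate per method or to cover with an advisor like the workaround above.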