
@RequiresRoles interception on class


@RequiresRoles interception on class

bcarr
Hello all,

I'm working with Shiro 1.1.0 and have a project with a custom realm.  When I add a @RequiresRoles("admin") annotation to a method in a controller, Shiro correctly intercepts the request, and throws an expected AuthorizationException.  However, when I move the annotation up to the class level, users lacking the "admin" role are granted access without an exception.

The @RequiresRoles annotation has TYPE in its target, so I was expecting this to work.  Is this functionality currently available?  If it is available, is there additional configuration necessary to cause Shiro to intercept all method calls in a class beyond what is needed to intercept annotated methods?

Thank you,
--b


Re: @RequiresRoles interception on class

Les Hazlewood-2
Hi Brian,

What AOP mechanism are you using?  Typically the AOP interception
mechanism needs to check for the existence at the method or class
level and enforce accordingly.

Regards,

Les

On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[hidden email]> wrote:
> Hello all,
>
> I'm working with Shiro 1.1.0 and have a project with a custom realm.  When I add a @RequiresRoles("admin") annotation to a method in a controller, Shiro correctly intercepts the request, and throws an expected AuthorizationException.  However, when I move the annotation up to the class level, users lacking the "admin" role are granted access without an exception.
>
> The @RequiresRoles annotation has TYPE in its target, so I was expecting this to work.  Is this functionality currently available?  If it is available, is there additional configuration necessary to cause Shiro to intercept all method calls in a class beyond what is needed to intercept annotated methods?
>
> Thank you,
> --b

Re: @RequiresRoles interception on class

bcarr
Hi Les,

I'm using the spring integration as shown in the shiro documentation.

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>

It's creating CGLIB proxies for the controllers, and method security works great, but class-level is ignored.

--b

On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote:

> Hi Brian,
>
> What AOP mechanism are you using?  Typically the AOP interception
> mechanism needs to check for the existence at the method or class
> level and enforce accordingly.
>
> Regards,
>
> Les
>
> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[hidden email]> wrote:
>> Hello all,
>>
>> I'm working with Shiro 1.1.0 and have a project with a custom realm.  When I add a @RequiresRoles("admin") annotation to a method in a controller, Shiro correctly intercepts the request, and throws an expected AuthorizationException.  However, when I move the annotation up to the class level, users lacking the "admin" role are granted access without an exception.
>>
>> The @RequiresRoles annotation has TYPE in its target, so I was expecting this to work.  Is this functionality currently available?  If it is available, is there additional configuration necessary to cause Shiro to intercept all method calls in a class beyond what is needed to intercept annotated methods?
>>
>> Thank you,
>> --b


Re: @RequiresRoles interception on class

Les Hazlewood-2
Ah, can you please open a JIRA issue for this?  It must be Spring AOP
related (i.e. we'll probably have to change something in Shiro's code
to reflect class-level inspection).

Thanks,

Les

On Tue, Jan 17, 2012 at 7:10 AM, Brian M. Carr <[hidden email]> wrote:

> Hi Les,
>
> I'm using the spring integration as shown in the shiro documentation.
>
> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>    <property name="securityManager" ref="securityManager"/>
> </bean>
>
> It's creating CGLIB proxies for the controllers, and method security works great, but class-level is ignored.
>
> --b
>
> On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote:
>
>> Hi Brian,
>>
>> What AOP mechanism are you using?  Typically the AOP interception
>> mechanism needs to check for the existence at the method or class
>> level and enforce accordingly.
>>
>> Regards,
>>
>> Les
>>
>> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[hidden email]> wrote:
>>> Hello all,
>>>
>>> I'm working with Shiro 1.1.0 and have a project with a custom realm.  When I add a @RequiresRoles("admin") annotation to a method in a controller, Shiro correctly intercepts the request, and throws an expected AuthorizationException.  However, when I move the annotation up to the class level, users lacking the "admin" role are granted access without an exception.
>>>
>>> The @RequiresRoles annotation has TYPE in its target, so I was expecting this to work.  Is this functionality currently available?  If it is available, is there additional configuration necessary to cause Shiro to intercept all method calls in a class beyond what is needed to intercept annotated methods?
>>>
>>> Thank you,
>>> --b

Re: @RequiresRoles interception on class

Mike K
Best I can tell is that Spring AOP does not actually support class-level interception. I had it working with AspectJ but not Spring.

Mike.

On Jan 17, 2012, at 10:07 AM, Les Hazlewood-2 [via Shiro User] wrote:

Ah, can you please open a JIRA issue for this?  It must be Spring AOP
related (i.e. we'll probably have to change something in Shiro's code
to reflect class-level inspection).

Thanks,

Les

On Tue, Jan 17, 2012 at 7:10 AM, Brian M. Carr <[hidden email]> wrote:

> Hi Les,
>
> I'm using the spring integration as shown in the shiro documentation.
>
> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>    <property name="securityManager" ref="securityManager"/>
> </bean>
>
> It's creating CGLIB proxies for the controllers, and method security works great, but class-level is ignored.
>
> --b
>
> On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote:
>
>> Hi Brian,
>>
>> What AOP mechanism are you using?  Typically the AOP interception
>> mechanism needs to check for the existence at the method or class
>> level and enforce accordingly.
>>
>> Regards,
>>
>> Les
>>
>> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[hidden email]> wrote:
>>> Hello all,
>>>
>>> I'm working with Shiro 1.1.0 and have a project with a custom realm.  When I add a @RequiresRoles("admin") annotation to a method in a controller, Shiro correctly intercepts the request, and throws an expected AuthorizationException.  However, when I move the annotation up to the class level, users lacking the "admin" role are granted access without an exception.
>>>
>>> The @RequiresRoles annotation has TYPE in its target, so I was expecting this to work.  Is this functionality currently available?  If it is available, is there additional configuration necessary to cause Shiro to intercept all method calls in a class beyond what is needed to intercept annotated methods?
>>>
>>> Thank you,
>>> --b



If you reply to this email, your message will be added to the discussion below:
http://shiro-user.582556.n2.nabble.com/RequiresRoles-interception-on-class-tp7193081p7197262.html
To start a new topic under Shiro User, email [hidden email]
To unsubscribe from Shiro User, click here.
NAML


Re: @RequiresRoles interception on class

Les Hazlewood-2
Yeah, this is something our AOPAlliance interceptor would have to
check for - first the method and if it has annotations, and then the
class to see if it has annotations.  Please open a Jira issue if you
get a chance.

Cheers,

Les

On Thu, Jan 19, 2012 at 8:55 AM, Mike K <[hidden email]> wrote:

> Best I can tell is that Spring AOP does not actually support class-level interception. I had it working with AspectJ but not Spring.
>
> Mike.
>
> On Jan 17, 2012, at 10:07 AM, Les Hazlewood-2 [via Shiro User] wrote:
>
>> Ah, can you please open a JIRA issue for this?  It must be Spring AOP
>> related (i.e. we'll probably have to change something in Shiro's code
>> to reflect class-level inspection).
>>
>> Thanks,
>>
>> Les
>>
>> On Tue, Jan 17, 2012 at 7:10 AM, Brian M. Carr <[hidden email]> wrote:
>>
>> > Hi Les,
>> >
>> > I'm using the spring integration as shown in the shiro documentation.
>> >
>> > <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
>> > <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>> >    <property name="securityManager" ref="securityManager"/>
>> > </bean>
>> >
>> > It's creating CGLIB proxies for the controllers, and method security works great, but class-level is ignored.
>> >
>> > --b
>> >
>> > On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote:
>> >
>> >> Hi Brian,
>> >>
>> >> What AOP mechanism are you using?  Typically the AOP interception
>> >> mechanism needs to check for the existence at the method or class
>> >> level and enforce accordingly.
>> >>
>> >> Regards,
>> >>
>> >> Les
>> >>
>> >> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[hidden email]> wrote:
>> >>> Hello all,
>> >>>
>> >>> I'm working with Shiro 1.1.0 and have a project with a custom realm.  When I add a @RequiresRoles("admin") annotation to a method in a controller, Shiro correctly intercepts the request, and throws an expected AuthorizationException.  However, when I move the annotation up to the class level, users lacking the "admin" role are granted access without an exception.
>> >>>
>> >>> The @RequiresRoles annotation has TYPE in its target, so I was expecting this to work.  Is this functionality currently available?  If it is available, is there additional configuration necessary to cause Shiro to intercept all method calls in a class beyond what is needed to intercept annotated methods?
>> >>>
>> >>> Thank you,
>> >>> --b
>>
>>
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/RequiresRoles-interception-on-class-tp7193081p7204602.html
> Sent from the Shiro User mailing list archive at Nabble.com.

Re: @RequiresRoles interception on class

bcarr
I have created https://issues.apache.org/jira/browse/SHIRO-343 to track this.

thanks,
--b


On Jan 23, 2012, at 5:51 PM, Les Hazlewood wrote:

> Yeah, this is something our AOPAlliance interceptor would have to
> check for - first the method and if it has annotations, and then the
> class to see if it has annotations.  Please open a Jira issue if you
> get a chance.
>
> Cheers,
>
> Les
>
> On Thu, Jan 19, 2012 at 8:55 AM, Mike K <[hidden email]> wrote:
>> Best I can tell is that Spring AOP does not actually support class-level interception. I had it working with AspectJ but not Spring.
>>
>> Mike.
>>
>> On Jan 17, 2012, at 10:07 AM, Les Hazlewood-2 [via Shiro User] wrote:
>>
>>> Ah, can you please open a JIRA issue for this?  It must be Spring AOP
>>> related (i.e. we'll probably have to change something in Shiro's code
>>> to reflect class-level inspection).
>>>
>>> Thanks,
>>>
>>> Les
>>>
>>> On Tue, Jan 17, 2012 at 7:10 AM, Brian M. Carr <[hidden email]> wrote:
>>>
>>>> Hi Les,
>>>>
>>>> I'm using the spring integration as shown in the shiro documentation.
>>>>
>>>> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
>>>> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>>>>    <property name="securityManager" ref="securityManager"/>
>>>> </bean>
>>>>
>>>> It's creating CGLIB proxies for the controllers, and method security works great, but class-level is ignored.
>>>>
>>>> --b
>>>>
>>>> On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote:
>>>>
>>>>> Hi Brian,
>>>>>
>>>>> What AOP mechanism are you using?  Typically the AOP interception
>>>>> mechanism needs to check for the existence at the method or class
>>>>> level and enforce accordingly.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Les
>>>>>
>>>>> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[hidden email]> wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> I'm working with Shiro 1.1.0 and have a project with a custom realm.  When I add a @RequiresRoles("admin") annotation to a method in a controller, Shiro correctly intercepts the request, and throws an expected AuthorizationException.  However, when I move the annotation up to the class level, users lacking the "admin" role are granted access without an exception.
>>>>>>
>>>>>> The @RequiresRoles annotation has TYPE in its target, so I was expecting this to work.  Is this functionality currently available?  If it is available, is there additional configuration necessary to cause Shiro to intercept all method calls in a class beyond what is needed to intercept annotated methods?
>>>>>>
>>>>>> Thank you,
>>>>>> --b
>>>
>>>
>>
>>
>>


Re: @RequiresRoles interception on class

Les Hazlewood-2
Thanks!

On Tue, Jan 24, 2012 at 6:10 AM, Brian M. Carr <[hidden email]> wrote:

> I have created https://issues.apache.org/jira/browse/SHIRO-343 to track this.
>
> thanks,
> --b
>
>
> On Jan 23, 2012, at 5:51 PM, Les Hazlewood wrote:
>
>> Yeah, this is something our AOPAlliance interceptor would have to
>> check for - first the method and if it has annotations, and then the
>> class to see if it has annotations.  Please open a Jira issue if you
>> get a chance.
>>
>> Cheers,
>>
>> Les
>>
>> On Thu, Jan 19, 2012 at 8:55 AM, Mike K <[hidden email]> wrote:
>>> Best I can tell is that Spring AOP does not actually support class-level interception. I had it working with AspectJ but not Spring.
>>>
>>> Mike.
>>>
>>> On Jan 17, 2012, at 10:07 AM, Les Hazlewood-2 [via Shiro User] wrote:
>>>
>>>> Ah, can you please open a JIRA issue for this?  It must be Spring AOP
>>>> related (i.e. we'll probably have to change something in Shiro's code
>>>> to reflect class-level inspection).
>>>>
>>>> Thanks,
>>>>
>>>> Les
>>>>
>>>> On Tue, Jan 17, 2012 at 7:10 AM, Brian M. Carr <[hidden email]> wrote:
>>>>
>>>>> Hi Les,
>>>>>
>>>>> I'm using the spring integration as shown in the shiro documentation.
>>>>>
>>>>> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
>>>>> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>>>>>    <property name="securityManager" ref="securityManager"/>
>>>>> </bean>
>>>>>
>>>>> It's creating CGLIB proxies for the controllers, and method security works great, but class-level is ignored.
>>>>>
>>>>> --b
>>>>>
>>>>> On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote:
>>>>>
>>>>>> Hi Brian,
>>>>>>
>>>>>> What AOP mechanism are you using?  Typically the AOP interception
>>>>>> mechanism needs to check for the existence at the method or class
>>>>>> level and enforce accordingly.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Les
>>>>>>
>>>>>> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[hidden email]> wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I'm working with Shiro 1.1.0 and have a project with a custom realm.  When I add a @RequiresRoles("admin") annotation to a method in a controller, Shiro correctly intercepts the request, and throws an expected AuthorizationException.  However, when I move the annotation up to the class level, users lacking the "admin" role are granted access without an exception.
>>>>>>>
>>>>>>> The @RequiresRoles annotation has TYPE in its target, so I was expecting this to work.  Is this functionality currently available?  If it is available, is there additional configuration necessary to cause Shiro to intercept all method calls in a class beyond what is needed to intercept annotated methods?
>>>>>>>
>>>>>>> Thank you,
>>>>>>> --b
>>>>
>>>>
>>>
>>>
>>>

Re: @RequiresRoles interception on class

Pillar
It's been a while since this was posted but I was curious if any progress (not shown in JIRA) was made.

I think the issue is in AuthorizationAttributeSourceAdvisor, in the matches() method. It calls the method below which only looks for the annotations on methods.

    private boolean isAuthzAnnotationPresent(Method method) {
        for( Class<? extends Annotation> annClass : AUTHZ_ANNOTATION_CLASSES ) {
            Annotation a = AnnotationUtils.findAnnotation(method, annClass); // here: only the method is inspected, never the target class
            if ( a != null ) {
                return true;
            }
        }
        return false;
    }

So if it returns false, matches() returns false. In this case, (I think) the instance won't be proxied and the aspect won't apply.

Can you simply modify it to check class level too?

Re: @RequiresRoles interception on class

pmcneil

It works if you override the AuthorizationAttributeSourceAdvisor as I have tried here:

package org.apache.shiro.grails;

import org.apache.shiro.authz.annotation.*;

import java.lang.reflect.Method;

/**
 * User: pmcneil
 * Date: 16/09/13
 */
public class AuthorizationAttributeSourceAdvisor extends org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor {

    /**
     * Match when any Shiro authorization annotation is present on the invoked
     * method or on the target class, so that class-level annotations also cause
     * the authorization interceptor to be applied.
     */
    @Override
    public boolean matches(Method method, Class targetClass) {
        return ((method.getAnnotation(RequiresPermissions.class) != null) ||
                (method.getAnnotation(RequiresRoles.class) != null) ||
                (method.getAnnotation(RequiresUser.class) != null) ||
                (method.getAnnotation(RequiresGuest.class) != null) ||
                (method.getAnnotation(RequiresAuthentication.class) != null) ||
                (targetClass.getAnnotation(RequiresPermissions.class) != null) ||
                (targetClass.getAnnotation(RequiresRoles.class) != null) ||
                (targetClass.getAnnotation(RequiresUser.class) != null) ||
                (targetClass.getAnnotation(RequiresGuest.class) != null) ||
                (targetClass.getAnnotation(RequiresAuthentication.class) != null));
    }
}
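The advisor below is an added example written for this thread; it is not pmcneil's code and not part of Shiro. It generalizes the override above in the way Pillar's reading of matches() and Les's "first the method, then the class" comment suggest: it checks the method as handed to the pointcut, then the target class's own implementation of that method (the Method object can come from an interface that carries no annotation), and finally the target class itself, using Spring's AnnotationUtils so annotations inherited from superclasses and interfaces are found too. It assumes shiro-spring 1.x and Spring on the classpath; the package, the class name ClassAwareAuthorizationAdvisor and the AdminController sample are hypothetical.

```java
package com.example.shiro; // hypothetical package; not part of Shiro

import java.lang.annotation.Annotation;
import java.lang.reflect.Method;

import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresGuest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.springframework.core.annotation.AnnotationUtils;

/**
 * Pointcut advisor that matches a method when a Shiro authorization annotation
 * is found on the method, on the target class's own implementation of it, or on
 * the target class (including superclasses and interfaces). Extends Shiro's own
 * advisor so its AOP Alliance authorization interceptor is reused as the advice.
 * Hypothetical class, written for this example.
 */
public class ClassAwareAuthorizationAdvisor
        extends org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor {

    /** The same annotation set Shiro's advisor inspects. */
    @SuppressWarnings("unchecked")
    private static final Class<? extends Annotation>[] AUTHZ_ANNOTATIONS = new Class[] {
            RequiresPermissions.class, RequiresRoles.class, RequiresUser.class,
            RequiresGuest.class, RequiresAuthentication.class };

    @Override
    public boolean matches(Method method, Class targetClass) {
        // 1. The method as handed to the pointcut (the only thing Shiro 1.1 checks).
        if (hasAuthzAnnotation(method)) {
            return true;
        }
        if (targetClass == null) {
            return false;
        }
        // 2. The concrete implementation on the target class, in case 'method'
        //    was declared on an interface that carries no annotation.
        try {
            Method impl = targetClass.getMethod(method.getName(), method.getParameterTypes());
            if (hasAuthzAnnotation(impl)) {
                return true;
            }
        } catch (NoSuchMethodException ignored) {
            // not a public method of the target class; fall through to the class check
        }
        // 3. The class-level annotation, which is the case this thread is about.
        return hasAuthzAnnotation(targetClass);
    }

    static boolean hasAuthzAnnotation(Method method) {
        for (Class<? extends Annotation> annClass : AUTHZ_ANNOTATIONS) {
            if (AnnotationUtils.findAnnotation(method, annClass) != null) {
                return true;
            }
        }
        return false;
    }

    static boolean hasAuthzAnnotation(Class<?> clazz) {
        for (Class<? extends Annotation> annClass : AUTHZ_ANNOTATIONS) {
            // findAnnotation(Class, Class) also walks superclasses and interfaces
            if (AnnotationUtils.findAnnotation(clazz, annClass) != null) {
                return true;
            }
        }
        return false;
    }

    /** Constructed sample controller: the role requirement sits on the class only. */
    @RequiresRoles("admin")
    public static class AdminController {
        public String dashboard() {
            return "dashboard";
        }
    }

    public static void main(String[] args) throws Exception {
        Method dashboard = AdminController.class.getMethod("dashboard");
        ClassAwareAuthorizationAdvisor advisor = new ClassAwareAuthorizationAdvisor();
        // A method-only check, as in Shiro 1.1, finds nothing on dashboard();
        // the class-aware match does, so the interceptor gets installed for it.
        System.out.println("method only    : " + hasAuthzAnnotation(dashboard));
        System.out.println("method or class: " + advisor.matches(dashboard, AdminController.class));
    }
}
```

To use it, replace the AuthorizationAttributeSourceAdvisor bean in the Spring XML quoted earlier in the thread with this class (keeping the securityManager property). Two caveats a practitioner should verify rather than assume: the pointcut only decides whether the authorization interceptor is attached to the proxy, and that interceptor has to find the class-level annotation as well (the half Les refers to), so the real check is to call the class-annotated method as a user lacking the role and confirm an AuthorizationException is thrown; and with Spring AOP proxies, only calls that arrive through the proxy are intercepted, so a controller method calling another method on the same instance bypasses the advice.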