1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.web.jaxrs;
20  
21  
22  import org.apache.shiro.authz.annotation.RequiresAuthentication;
23  import org.apache.shiro.authz.annotation.RequiresGuest;
24  import org.apache.shiro.authz.annotation.RequiresPermissions;
25  import org.apache.shiro.authz.annotation.RequiresRoles;
26  import org.apache.shiro.authz.annotation.RequiresUser;
27  import org.apache.shiro.web.filter.authz.AuthorizationFilter;
28  
29  import javax.ws.rs.Priorities;
30  import javax.ws.rs.container.DynamicFeature;
31  import javax.ws.rs.container.ResourceInfo;
32  import javax.ws.rs.core.FeatureContext;
33  import java.lang.annotation.Annotation;
34  import java.util.ArrayList;
35  import java.util.Arrays;
36  import java.util.Collections;
37  import java.util.List;
38  
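/**
 * Wraps {@link AuthorizationFilter filters} around JAX-RS resources that are annotated with Shiro annotations.
 * <p>
 * For every resource method passed to {@link #configure(ResourceInfo, FeatureContext)}, the resource class and
 * the resource method are each checked for {@link RequiresPermissions}, {@link RequiresRoles},
 * {@link RequiresAuthentication}, {@link RequiresUser} and {@link RequiresGuest}. If at least one is found, an
 * {@code AnnotationAuthorizationFilter} carrying all of the annotations found is registered at
 * {@link Priorities#AUTHORIZATION}.
 * <p>
 * A resource method for which none of these annotations is found gets no filter from this feature, so any access
 * control for it has to come from elsewhere.
 *
 * @since 1.4
 */
public class ShiroAnnotationFilterFeature implements DynamicFeature {

    /**
     * The Shiro authorization annotations that are looked up on each resource class and resource method.
     * Declared {@code final} and wrapped as unmodifiable so the set of enforced annotation types cannot be
     * swapped or edited after class initialization.
     */
    private static final List<Class<? extends Annotation>> shiroAnnotations = Collections.unmodifiableList(Arrays.asList(
            RequiresPermissions.class,
            RequiresRoles.class,
            RequiresAuthentication.class,
            RequiresUser.class,
            RequiresGuest.class));

    /**
     * Registers an authorization filter for the given resource method when it, or its resource class, carries
     * one or more of the supported Shiro annotations.
     *
     * @param resourceInfo the resource class and resource method being configured
     * @param context      the feature context the filter is registered with
     */
    @Override
    public void configure(ResourceInfo resourceInfo, FeatureContext context) {

        // Class-level and method-level annotations are both collected; neither replaces the other here.
        // NOTE(review): how the collected annotations are combined is decided inside
        // AnnotationAuthorizationFilter, which is not visible in this file - confirm that all of them are enforced.
        List<Annotation> authzSpecs = new ArrayList<Annotation>();

        for (Class<? extends Annotation> annotationClass : shiroAnnotations) {
            // XXX What is the performance of getAnnotation vs getAnnotations?
            // NOTE(review): Method.getAnnotation only sees annotations declared on this exact method, and
            // Class.getAnnotation only follows superclasses for annotation types marked @Inherited (never
            // interfaces). A Shiro annotation placed only on an implemented interface or an overridden
            // superclass method would therefore not be found and no filter would be registered for it -
            // confirm this is the intended contract for resource authors.
            Annotation classAuthzSpec = resourceInfo.getResourceClass().getAnnotation(annotationClass);
            Annotation methodAuthzSpec = resourceInfo.getResourceMethod().getAnnotation(annotationClass);

            if (classAuthzSpec != null) {
                authzSpecs.add(classAuthzSpec);
            }
            if (methodAuthzSpec != null) {
                authzSpecs.add(methodAuthzSpec);
            }
        }

        // No annotation found means no filter is registered: the resource is left unguarded by this feature.
        if (!authzSpecs.isEmpty()) {
            context.register(new AnnotationAuthorizationFilter(authzSpecs), Priorities.AUTHORIZATION);
        }
    }

}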