View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.authz.aop;
20  
21  import org.apache.shiro.authz.AuthorizationException;
22  import org.apache.shiro.authz.annotation.Logical;
23  import org.apache.shiro.authz.annotation.RequiresRoles;
24  
25  import java.lang.annotation.Annotation;
26  import java.util.Arrays;
27  
28  /**
29   * Checks to see if a @{@link org.apache.shiro.authz.annotation.RequiresRoles RequiresRoles} annotation is declared, and if so, performs
30   * a role check to see if the calling <code>Subject</code> is allowed to proceed.
31   *
32   * @since 0.9.0
33   */
34  public class RoleAnnotationHandler extends AuthorizingAnnotationHandler {
35  
36      /**
37       * Default no-argument constructor that ensures this handler looks for
38       * {@link org.apache.shiro.authz.annotation.RequiresRoles RequiresRoles} annotations.
39       */
40      public RoleAnnotationHandler() {
41          super(RequiresRoles.class);
42      }
43  
44      /**
45       * Ensures that the calling <code>Subject</code> has the Annotation's specified roles, and if not, throws an
46       * <code>AuthorizingException</code> indicating that access is denied.
47       *
48       * @param a the RequiresRoles annotation to use to check for one or more roles
49       * @throws org.apache.shiro.authz.AuthorizationException
50       *          if the calling <code>Subject</code> does not have the role(s) necessary to
51       *          proceed.
52       */
53      public void assertAuthorized(Annotation a) throws AuthorizationException {
54          if (!(a instanceof RequiresRoles)) return;
55  
56          RequiresRoles rrAnnotation = (RequiresRoles) a;
57          String[] roles = rrAnnotation.value();
58  
59          if (roles.length == 1) {
60              getSubject().checkRole(roles[0]);
61              return;
62          }
63          if (Logical.AND.equals(rrAnnotation.logical())) {
64              getSubject().checkRoles(Arrays.asList(roles));
65              return;
66          }
67          if (Logical.OR.equals(rrAnnotation.logical())) {
68              // Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first
69              boolean hasAtLeastOneRole = false;
70              for (String role : roles) if (getSubject().hasRole(role)) hasAtLeastOneRole = true;
71              // Cause the exception if none of the role match, note that the exception message will be a bit misleading
72              if (!hasAtLeastOneRole) getSubject().checkRole(roles[0]);
73          }
74      }
75  
76  }