Platform: Shiro 1.1.0, Spring 3.0.5
I'm trying to secure the MVC Controller methods using Shiro annotations. However, something is wrong with the annotations. Regular cal
I have only used the spring-hibernate example from the samples. To use annotations like @RequiresPermissions and others I tried the configuration from the Shiro manual and the configuration from this post, but I was either unable to compile or unable to run the valid URLs. So I commented out all the @RequiresPermissions from ManageUserController and started to use it in the service implementation instead. E.g. in DefaultUserService, in the getAllUsers method, I added the annotation @RequiresPermissions("user:manage"). Magically, the application now works as expected: whenever the URL manageUsers is called it displays the list page if the user has the permission user:manage, and sends the user to /unauthorized if the user doesn't have that permission.
I have also configured the application to use MySQL instead. To make the permissions independent of roles according to the new RBAC (http://www.stormpath.com/blog/new-rbac-resource-based-access-control), I have created a new class called Permission as
@Entity
@Table(name = "permissions")
@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
public class Permission {
    @Id
    @GeneratedValue
    private Long id;
    private String element;      // the permission string, e.g. "user:manage"
    private String description;
    // setters and getters (getElement() is the one the realm reads)
}
Now the Role class is configured as
@CollectionOfElements
@JoinTable(name = "roles_permissions")
@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
public Set<Permission> getPermissions() {
    return permissions;
}
And finally SampleRealm (inside doGetAuthorizationInfo) as
for (Role role : user.getRoles()) {
    info.addRole(role.getName());
    System.out.println("Roles " + role.getName());
    // Collect the permission strings attached to this role
    Set<Permission> permissions = role.getPermissions();
    Set<String> permissionStrings = new HashSet<String>();
    for (Permission permission : permissions) {
        permissionStrings.add(permission.getElement());
        System.out.println("Permissions " + permission.getElement());
    }
    info.addStringPermissions(permissionStrings);
}
It creates five tables:
| permissions |
| roles |
| roles_permissions |
| users |
| users_roles |
And permissions is independent of any other table. According to the new RBAC, you have two ways (explicit and implicit) of authorising resources.
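As an added illustration (not code from the post), the following realm merges both grant paths the new RBAC article describes: permissions reached implicitly through a role and permissions granted explicitly to the user. The Role and User classes are hypothetical in-memory stand-ins for the Hibernate entities above; the Shiro classes (AuthorizingRealm, SimpleAuthorizationInfo, WildcardPermission) are the real ones.

```java
import java.util.*;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

// Hypothetical stand-ins for the Role/Permission entities of the post (constructed data).
class Role {
    final String name; final Set<String> permissions = new HashSet<String>();
    Role(String name, String... perms) { this.name = name; permissions.addAll(Arrays.asList(perms)); }
}
class User {
    final Set<Role> roles = new HashSet<Role>();            // implicit grants (via role)
    final Set<String> directPermissions = new HashSet<String>(); // explicit grants (per user)
}

public class RbacRealm extends AuthorizingRealm {
    private final Map<String, User> users = new HashMap<String, User>();

    public void addUser(String name, User u) { users.put(name, u); }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        User user = users.get((String) principals.getPrimaryPrincipal());
        if (user == null) return info;                        // unknown user: no grants at all
        for (Role role : user.roles) {
            info.addRole(role.name);
            info.addStringPermissions(role.permissions);      // implicit: inherited from the role
        }
        info.addStringPermissions(user.directPermissions);    // explicit: assigned to the user directly
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null; // authorization-only example; authentication is out of scope here
    }

    // Same check Shiro performs for @RequiresPermissions: any granted wildcard implies the required one.
    static boolean permitted(AuthorizationInfo info, String required) {
        WildcardPermission needed = new WildcardPermission(required);
        for (String granted : info.getStringPermissions())
            if (new WildcardPermission(granted).implies(needed)) return true;
        return false;
    }
}
```

With a user holding role "admin" carrying "user:*" and a second user granted only the direct string "user:manage", permitted(info, "user:manage") is true for both, while permitted(info, "user:delete") is true only for the first; principals are built with new SimplePrincipalCollection(name, realm.getName()).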