Shiro Authorization Permission check using Annotation not working
Platform: Shiro 1.1.0, Spring 3.0.5
I\'m trying to secure the MVC Controller methods using Shiro annotation. However something is wrong with annotations. Regular cal
-
You were absolutely right. After seeing your comment, I started giving it a thought. Well then I found out that it was NOT an implementation problem with Shiro, but the jar dependecies were not properly configured. Shiro's pom.xml should have dependency for cglib2 too.
So the below changes worked for me :
- Include all these four jar files.
aspectjrt-1.6.11.jar,
aspectjweaver-1.6.12.jar,
cglib-2.2.2.jar,
asm-3.3.1.jar,
<dependency> <groupId>org.aspectj</groupId> <artifactId>aspectjrt</artifactId> <version>1.6.11</version> </dependency> <dependency> <groupId>org.aspectj</groupId> <artifactId>aspectjweaver</artifactId> <version>1.6.12</version> </dependency> <dependency> <groupId>cglib</groupId> <artifactId>cglib</artifactId> <version>2.2.2</version> </dependency>And finally placing the aop:aspectj-autoproxy in the webApplicationContext.xml
<aop:aspectj-autoproxy proxy-target-class="true"/> <!-- Annotation, so that it's easier to search controllers/components --> <context:component-scan base-package="com.pepsey.soft.web.controller"/>Note : The above two configuration should be placed together in the same spring-webApplicationContext.xml. Otherwise it won’t work. Moreover remove context:annotation-config if you have used it in your config. context:component-scan already scans all annotations.
Once you start testing , set your log4j to debug or (better) trace mode. Whenever you are starting your server you will find somewhere the following entry in your logs :
08:16:24,684 DEBUG AnnotationAwareAspectJAutoProxyCreator:537 - Creating implicit proxy for bean 'userController' with 0 common interceptor and 1 specific interceptors
讨论(0) - Include all these four jar files.
-
I have only used spring-hibernate example from sample. To use annotations like @RequiresPermissions and others I tried configuration from shiro manual, configuration from this post, but I was either unsuccessful to compile or run the valid urls. So I only commented all the @RequiresPermissions from ManageUserController and started to use it in service implementation. E.g In DefaultUserService in getAllUsers method I added the annotation @RequiresPermissions("user:manage"). Magically now the application works as expected. Whenever the url manageUsers is called it displays the list page if the user has role user:manage and throws the user to /unauthorized if the user don't have that permission.
I have even configured the application to use mysql instead. To make the permissions independent of roles according to new RBAC(http://www.stormpath.com/blog/new-rbac-resource-based-access-control) I have created a new class called Permission as
@Entity @Table(name = "permissions") @Cache(usage= CacheConcurrencyStrategy.READ_WRITE) public class Permission { @Id @GeneratedValue private Long id; private String element; private String description; // setter and getterNow Role class is configured as
@CollectionOfElements @JoinTable(name="roles_permissions") @Cache(usage=CacheConcurrencyStrategy.READ_WRITE) public Set<Permission> getPermissions() { return permissions; }And finally SampleRealm as
for (Role role : user.getRoles()) { info.addRole(role.getName()); System.out.println("Roles " + role.getName()); // Get permissions first Set<Permission> permissions = role.getPermissions(); Set<String> permissionsStrings = new HashSet<String>(); for (Permission permission : permissions) { permissionsStrings.add(permission.getelement()); System.out .println("Permissions " + permission.getelement()); } info.addStringPermissions(permissionsStrings); }It creates five tables as | permissions | | roles | | roles_permissions | | users | | users_roles |
And permissions is independent of any other. According to new RBAC you have both ways (explicit and implicit) way of authorising resources.
讨论(0) -
If you're avoiding Spring XML and using primarily Java and annotation configuration, the easiest way to fix this is to add
@Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)to all your
@Controllerclasses. You need cglib on the classpath.讨论(0) -
Guess Shiro was built when Spring 2.0 was in place. Shiro’s annotations (RequiresRoles etc…) works well for the spring container managed beans (service layer), but it does not work with @Controller annotation. This is due to the fact that @Controller is being component scanned by spring framework. I used AOP to resolve the issue. Below is the solution which worked for me. For the below solution to work you have to include the below four jars:
aspectjrt-1.6.11.jar aspectjweaver-1.6.12.jar cglib-2.2.2.jar asm-3.3.1.jarIf you are using maven then below configuration would be helpful.
<dependency> <groupId>org.aspectj</groupId> <artifactId>aspectjrt</artifactId> <version>1.6.11</version> </dependency> <dependency> <groupId>org.aspectj</groupId> <artifactId>aspectjweaver</artifactId> <version>1.6.12</version> </dependency> <dependency> <groupId>cglib</groupId> <artifactId>cglib</artifactId> <version>2.2.2</version> </dependency>Below is a controller class
import org.apache.shiro.authz.annotation.RequiresRoles; @Controller public class PatientController { @RequiresRoles(“admin,warden”) @RequestMapping(value="/form") public String viewPatientForm(Model model, @RequestParam(value="patientId", required=false) Long patientId){ return “somePatientFormJsp”; } }Create the below Aspect for the annotation (RequiresRoles). You can use the same principle to create pointcuts for RequiresPermission.
import java.util.Arrays; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authz.annotation.RequiresRoles; import org.aspectj.lang.JoinPoint; import org.aspectj.lang.annotation.Aspect; import org.aspectj.lang.annotation.Before; import org.springframework.stereotype.Component; @Aspect @Component public class WebAuthorizationAspect { @Before("@target(org.springframework.stereotype.Controller) && @annotation(requiresRoles)") public void assertAuthorized(JoinPoint jp, RequiresRoles requiresRoles) { SecurityUtils.getSubject().checkRoles(Arrays.asList(requiresRoles.value())); } }In your spring-webApplicationContext.xml wherever you have mentioned
<aop:aspectj-autoproxy proxy-target-class="true"/> <!-- Annotation, so that it's easier to search controllers/components --> <context:component-scan base-package="com.example.controller"/>Note : The above two configuration should be placed together in the same spring-webApplicationContext.xml. Otherwise it won’t work. Moreover remove context:annotation-config if you have used it in your config. context:component-scan already scans all annotations.
讨论(0) -
You need to write the
AuthorizationAttributeSourceAdvisorto enable Shiro's annotations bean as per the Shiro documentationIf you have written
ShiroConfigurationclass, make sure you include this:@Bean(name = "lifecycleBeanPostProcessor") public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } @Bean @ConditionalOnMissingBean public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(DefaultSecurityManager securityManager) { // This is to enable Shiro's security annotations AuthorizationAttributeSourceAdvisor sourceAdvisor = new AuthorizationAttributeSourceAdvisor(); sourceAdvisor.setSecurityManager(securityManager); return sourceAdvisor; } @ConditionalOnMissingBean @Bean(name = "defaultAdvisorAutoProxyCreator") @DependsOn("lifecycleBeanPostProcessor") public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator(); proxyCreator.setProxyTargetClass(true); return proxyCreator; }Example ShiroConfiguration on Github
讨论(0) -
I had the same problem. My fix was changing my jersey version from 2.2 to 2.22.2 and all @RequiresPermissions worked on my controllers.
讨论(0)
加载中...
- 热议问题