Re: How to implement Authorization on Rest (Jersey) Services using HttpMethodPermissionFilter

Fri, 22 Oct 2010 00:41:12 -0700 


Hey mate .... 

This is an extract from my code .. if it's of any help



import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import org.dropchop.jop.managers.base.InvalidDataException;
import org.dropchop.jop.managers.base.ResourceException;
import org.dropchop.jop.security.beans.Role;
import org.dropchop.jop.security.beans.User;
import org.dropchop.jop.security.beans.WildcardPermission;
import org.dropchop.jop.security.managers.SecurityManager;
import org.dropchop.jop.storage.Storage;


@Override
        protected AuthorizationInfo doGetAuthorizationInfo(final
PrincipalCollection principals) {
                Set<String>                     roles                   = new 
HashSet<String>();
                Set<Permission>         permissions             = new 
HashSet<Permission>();
                Collection<User>        principalsList  = 
principals.byType(User.class);
                //pricipals we're loading roles for !
                if (principalsList.isEmpty()) {
                        throw new AuthorizationException("Empty principals 
list!");
                }
                //Iterate through principals
                for (User userPrincipal : principalsList) {
                        try {
                                this.userManager.beginTransaction();
                                
                                User user = 
this.userManager.loadById(userPrincipal.getId());
                                //get User roles
                                Set<Role> userRoles     = user.getRoles();
                                for (Role r : userRoles) {
                                        roles.add(r.getName()); //add role to 
roles list
                                        Set<WildcardPermission> userPermissions 
= r.getPermissions(); //get
Role permissions
                                        for (WildcardPermission permission : 
userPermissions) {  //add
permissions if not set yet
                                                if 
(!permissions.contains(permission)) {
                                                        
permissions.add(permission);
                                                }
                                        }
                                }
                                this.userManager.commitTransaction();
                        } catch (InvalidDataException idEx) {
                                throw new AuthorizationException(idEx);
                        } catch (ResourceException rEx) {
                                throw new AuthorizationException(rEx);
                        } 
                }
                //put everything into authorization info
                SimpleAuthorizationInfo info = new 
SimpleAuthorizationInfo(roles);
                info.setRoles(roles);
                info.setObjectPermissions(permissions);
                
                return info;
        }


This is an implementation I use to load user roles and permissions to shiro
! 
Note that my POJOS User, Role and WildcardPermission are used for loading
data from database ! (sorry for the same name as WildcardPermission on
Shiro) 

Regards

Armando

-- 
View this message in context: 
http://shiro-user.582556.n2.nabble.com/How-to-implement-Authorization-on-Rest-Jersey-Services-using-HttpMethodPermissionFilter-tp5659200p5661623.html
Sent from the Shiro User mailing list archive at Nabble.com.






















					Reply via email to