Hi Les,
I'm using the Spring integration as shown in the Shiro documentation.
<bean id="lifecycleBeanPostProcessor"
      class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>
It's creating CGLIB proxies for the controllers, and method security works
great, but class-level is ignored.
--b
On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote:
> Hi Brian,
>
> What AOP mechanism are you using? Typically the AOP interception
> mechanism needs to check for the existence at the method or class
> level and enforce accordingly.
>
> Regards,
>
> Les
>
> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[email protected]> wrote:
>> Hello all,
>>
>> I'm working with Shiro 1.1.0 and have a project with a custom realm. When I
>> add a @RequiresRoles("admin") annotation to a method in a controller, Shiro
>> correctly intercepts the request, and throws an expected
>> AuthorizationException. However, when I move the annotation up to the class
>> level, users lacking the "admin" role are granted access without an
>> exception.
>>
>> The @RequiresRoles annotation has TYPE in its target, so I was expecting
>> this to work. Is this functionality currently available? If it is
>> available, is there additional configuration necessary to cause Shiro to
>> intercept all method calls in a class beyond what is needed to intercept
>> annotated methods?
>>
>> Thank you,
>> --b
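
Added example, not part of the original thread and not Shiro's code: a minimal interceptor-style check that looks for a roles annotation on the method first and then on the class, as described in the reply above. The RequiresRoles annotation here is a stand-in defined inline, and AdminController, AdminControllerProxy, resolve and enforce are hypothetical names; the empty subclass plays the role of a CGLIB-style proxy, assuming the annotation is not marked @Inherited.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class ClassLevelRoleCheck {
    // Stand-in annotation allowing TYPE and METHOD targets (not Shiro's own class).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RequiresRoles { String[] value(); }

    @RequiresRoles("admin")
    static class AdminController {
        public String listUsers() { return "users"; }
        @RequiresRoles("auditor")
        public String viewLog() { return "log"; }
    }

    // Plays the role of a subclass-based (CGLIB-style) proxy: it declares no annotations.
    static class AdminControllerProxy extends AdminController { }

    // A method-level annotation wins; otherwise walk up the class hierarchy, because a
    // non-@Inherited annotation is not visible on the proxy subclass itself.
    static RequiresRoles resolve(Method m, Class<?> targetClass) {
        RequiresRoles r = m.getAnnotation(RequiresRoles.class);
        for (Class<?> c = targetClass; r == null && c != null; c = c.getSuperclass()) {
            r = c.getAnnotation(RequiresRoles.class);
        }
        return r;
    }

    // Throws unless the caller holds every role required for the method.
    static void enforce(Object target, String methodName, Set<String> callerRoles) throws Exception {
        Method m = target.getClass().getMethod(methodName);
        RequiresRoles r = resolve(m, target.getClass());
        if (r != null && !callerRoles.containsAll(Arrays.asList(r.value()))) {
            throw new SecurityException(methodName + " requires " + Arrays.toString(r.value()));
        }
    }

    public static void main(String[] args) throws Exception {
        Object proxy = new AdminControllerProxy();            // constructed sample target
        enforce(proxy, "listUsers", Set.of("admin"));         // satisfies the class-level rule
        enforce(proxy, "viewLog", Set.of("auditor"));         // method-level rule overrides
        try {
            enforce(proxy, "listUsers", Set.of("user"));      // must be denied
            throw new AssertionError("class-level annotation was ignored");
        } catch (SecurityException expected) {
            System.out.println("denied: " + expected.getMessage());
        }
    }
}
```

A check that only calls getAnnotation on the method, or only on the proxy's own class, lets the "user" call through, which matches the symptom reported in this thread.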