Ah, can you please open a JIRA issue for this? It must be Spring AOP related (i.e. we'll probably have to change something in Shiro's code to reflect class-level inspection).
Thanks,
Les

On Tue, Jan 17, 2012 at 7:10 AM, Brian M. Carr <[email protected]> wrote:
> Hi Les,
>
> I'm using the spring integration as shown in the shiro documentation.
>
> <bean id="lifecycleBeanPostProcessor"
>       class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
> <bean
>       class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>     <property name="securityManager" ref="securityManager"/>
> </bean>
>
> It's creating CGLIB proxies for the controllers, and method security works
> great, but class-level is ignored.
>
> --b
>
> On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote:
>
>> Hi Brian,
>>
>> What AOP mechanism are you using? Typically the AOP interception
>> mechanism needs to check for the existence at the method or class
>> level and enforce accordingly.
>>
>> Regards,
>>
>> Les
>>
>> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[email protected]> wrote:
>>> Hello all,
>>>
>>> I'm working with Shiro 1.1.0 and have a project with a custom realm. When
>>> I add a @RequiresRoles("admin") annotation to a method in a controller,
>>> Shiro correctly intercepts the request, and throws an expected
>>> AuthorizationException. However, when I move the annotation up to the class
>>> level, users lacking the "admin" role are granted access without an
>>> exception.
>>>
>>> The @RequiresRoles annotation has TYPE in its target, so I was expecting
>>> this to work. Is this functionality currently available? If it is
>>> available, is there additional configuration necessary to cause Shiro to
>>> intercept all method calls in a class beyond what is needed to intercept
>>> annotated methods?
>>>
>>> Thank you,
>>> --b
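The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Shiro's code: a lookup that only inspects the invoked method misses a class-level annotation, while a lookup that falls back to the class hierarchy finds it, even through a subclass proxy. The `RequiresRoles` annotation below is a local stand-in for Shiro's, and `AdminController`, `AdminControllerProxy` and `resolve` are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class ClassLevelAnnotationCheck {
    // Local stand-in for Shiro's @RequiresRoles (assumption: TYPE and METHOD targets, runtime retention).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RequiresRoles { String[] value(); }

    @RequiresRoles("admin")                       // class-level requirement
    static class AdminController {                // constructed sample controller
        public String list() { return "ok"; }
        @RequiresRoles("auditor")                 // method-level requirement
        public String audit() { return "ok"; }
    }

    // Simulates a CGLIB-style subclass proxy: the override carries no annotations.
    static class AdminControllerProxy extends AdminController {
        @Override public String list() { return super.list(); }
    }

    // Method-level annotation wins; otherwise fall back to the class hierarchy.
    static RequiresRoles resolve(Method m, Class<?> targetClass) {
        for (Class<?> c = targetClass; c != null && c != Object.class; c = c.getSuperclass()) {
            try {
                Method declared = c.getDeclaredMethod(m.getName(), m.getParameterTypes());
                RequiresRoles a = declared.getAnnotation(RequiresRoles.class);
                if (a != null) return a;
            } catch (NoSuchMethodException ignored) { /* not declared here; keep walking up */ }
        }
        for (Class<?> c = targetClass; c != null && c != Object.class; c = c.getSuperclass()) {
            RequiresRoles a = c.getAnnotation(RequiresRoles.class);
            if (a != null) return a;
        }
        return null;                              // no requirement found anywhere
    }

    public static void main(String[] args) throws Exception {
        Class<?> proxy = AdminControllerProxy.class;
        Method list = proxy.getMethod("list");
        // What a method-only check sees on the proxy's override.
        System.out.println("method-only list(): " + list.getAnnotation(RequiresRoles.class));
        System.out.println("resolved list():    " + String.join(",", resolve(list, proxy).value()));
        System.out.println("resolved audit():   " + String.join(",", resolve(proxy.getMethod("audit"), proxy).value()));
    }
}
```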
