Yeah, this is something our AOPAlliance interceptor would have to check for - first the method and if it has annotations, and then the class to see if it has annotations. Please open a Jira issue if you get a chance.
Cheers, Les On Thu, Jan 19, 2012 at 8:55 AM, Mike K <[email protected]> wrote: > Best I can tell is that Spring AOP does not actually support class-level > interception. I had it working with aspect-J but not Spring. > > Mike. > > On Jan 17, 2012, at 10:07 AM, Les Hazlewood-2 [via Shiro User] wrote: > >> Ah, can you please open a JIRA issue for this? It must be Spring AOP >> related (i.e. we'll probably have to change something in Shiro's code >> to reflect class-level inspection). >> >> Thanks, >> >> Les >> >> On Tue, Jan 17, 2012 at 7:10 AM, Brian M. Carr <[hidden email]> wrote: >> >> > Hi Les, >> > >> > I'm using the spring integration as shown in the shiro documentation. >> > >> > <bean id="lifecycleBeanPostProcessor" >> > class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> >> > <bean >> > class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> >> > <property name="securityManager" ref="securityManager"/> >> > </bean> >> > >> > It's creating CGLIB proxies for the controllers, and method security works >> > great, but class-level is ignored. >> > >> > --b >> > >> > On Jan 17, 2012, at 1:18 AM, Les Hazlewood wrote: >> > >> >> Hi Brian, >> >> >> >> What AOP mechanism are you using? Typically the AOP interception >> >> mechanism needs to check for the existence at the method or class >> >> level and enforce accordingly. >> >> >> >> Regards, >> >> >> >> Les >> >> >> >> On Mon, Jan 16, 2012 at 8:15 AM, Brian M. Carr <[hidden email]> wrote: >> >>> Hello all, >> >>> >> >>> I'm working with Shiro 1.1.0 and have a project with a custom realm. >> >>> When I add a @RequiresRoles("admin") annotation to a method in a >> >>> controller, Shiro correctly intercepts the request, and throws an >> >>> expected AuthorizationEception. However, when I move the annotation up >> >>> to the class level, users lacking the "admin" role are granted access >> >>> without an exception. >> >>> >> >>> The @RequiresRoles annotation has TYPE in it's target, so I was >> >>> expecting this to work. Is this functionality currently available? If >> >>> it is available, is there additional configuration necessary to cause >> >>> Shiro to intercept all method calls in a class beyond what is needed to >> >>> intercept annotated methods? >> >>> >> >>> Thank you, >> >>> --b >> >> >> If you reply to this email, your message will be added to the discussion >> below: >> http://shiro-user.582556.n2.nabble.com/RequiresRoles-interception-on-class-tp7193081p7197262.html >> To start a new topic under Shiro User, email >> [email protected] >> To unsubscribe from Shiro User, click here. >> NAML > > > > -- > View this message in context: > http://shiro-user.582556.n2.nabble.com/RequiresRoles-interception-on-class-tp7193081p7204602.html > Sent from the Shiro User mailing list archive at Nabble.com.
