I am still learning Shiro, so my apologies if this question has been answered
previously. I haven't been able to find much documentation on how I might
implement this with annotations.

I am trying to use the @RequiresPermissions annotation, but I need to access
the variable to determine the permission. So for example:

    @GET
    @Path("/{medicalRecordId}")
    // Either role should suffice, so the roles are combined with OR rather than Shiro's default AND
    @RequiresRoles(value = {"hospital_admin", "patient"}, logical = Logical.OR)
    @RequiresPermissions("medicalRecord:view:$medicalRecordId")
    public MedicalRecordsResponse viewMedicalRecords(ViewRecordsRequest request,
            @PathParam("medicalRecordId") String medicalRecordId) {
        return medicalRecordService.retrieveRecord(medicalRecordId);
    }

In this trivialized example, this API returns the medical records that
were requested. The rules are essentially: if you are a hospital
administrator, then you are allowed to view any medical record carte
blanche. However, if you are a patient, you are only allowed to view your
own medical records.

As such, to do this "ownership" permission check, I'll need to verify using
the medicalRecordId that was passed to my API to confirm the subject is
requesting their own record. I am unsure how to access the variable id in
the annotation, as I am unsure how the annotation is being processed.

I believe I can rewrite the code like so, and not use the annotations, but
this approach doesn't seem as clean to me:

    Permission p = new WildcardPermission("medicalRecord:view:" + medicalRecordId);
    Subject currentUser = SecurityUtils.getSubject();
    if (currentUser.isPermitted(p)) {
        return medicalRecordService.retrieveRecord(medicalRecordId);
    } else {
        // return authorization failure
    }

Any suggestions / thoughts would be appreciated.

Thanks!
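As an added illustration (not code from the original post or from Shiro itself), the ownership rule above can be expressed entirely through the permission strings a realm grants and Shiro's WildcardPermission implication, which is what Subject.isPermitted(String) evaluates behind the scenes. The role names and the record ids below are constructed sample values.

```java
import java.util.Set;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

// Added example: resolves the instance-level "medicalRecord:view:<id>" check with
// Shiro's WildcardPermission, so the per-record decision lives in the granted
// permission strings rather than in an annotation that cannot see method arguments.
public class OwnershipCheck {

    // Permission strings a realm would grant per role (constructed sample grants):
    // hospital_admin may view any record, a patient only the record bound to them.
    static Set<String> grantsFor(String role, String ownRecordId) {
        switch (role) {
            case "hospital_admin": return Set.of("medicalRecord:view:*");
            case "patient":        return Set.of("medicalRecord:view:" + ownRecordId);
            default:               return Set.of();
        }
    }

    // True when any granted permission implies the requested instance permission.
    // This is the same implication test a realm performs for isPermitted("medicalRecord:view:" + id).
    static boolean canView(Set<String> granted, String requestedRecordId) {
        Permission wanted = new WildcardPermission("medicalRecord:view:" + requestedRecordId);
        return granted.stream()
                .map(WildcardPermission::new)
                .anyMatch(p -> p.implies(wanted));
    }

    public static void main(String[] args) {
        Set<String> admin   = grantsFor("hospital_admin", null);
        Set<String> patient = grantsFor("patient", "rec-1001"); // constructed sample id

        // Self-check of the stated policy: the '*' part implies any instance,
        // a patient's exact-instance grant implies only their own record.
        if (!canView(admin, "rec-2002"))   throw new IllegalStateException("admin denied");
        if (!canView(patient, "rec-1001")) throw new IllegalStateException("own record denied");
        if (canView(patient, "rec-2002"))  throw new IllegalStateException("foreign record allowed");
        System.out.println("ownership policy holds");
    }
}
```

In a real deployment the same effect is obtained by having the realm return those strings from doGetAuthorizationInfo and calling SecurityUtils.getSubject().isPermitted("medicalRecord:view:" + medicalRecordId) in the resource method.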
