G'day all,
I'm maintaining the Grails Shiro plugin, and in re-writing tests around
Annotations I discovered a problem mentioned several times about spring
integration with the Shiro Annotations, namely that they don't work on a
class as documented.
I tracked the problem to the
org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor,
which only checks the method for the annotation, but not the class. I
implemented a replacement AuthorizationAttributeSourceAdvisor which
overrides the matches method as below. This works as expected in my tests.
public class AuthorizationAttributeSourceAdvisor extends
org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor
{
@Override
public boolean matches(Method method, Class targetClass) {
return ((method.getAnnotation(RequiresPermissions.class) !=
null) ||
(method.getAnnotation(RequiresRoles.class) != null) ||
(method.getAnnotation(RequiresUser.class) != null) ||
(method.getAnnotation(RequiresGuest.class) != null) ||
(method.getAnnotation(RequiresAuthentication.class) !=
null) ||
(targetClass.getAnnotation(RequiresPermissions.class) != null) ||
(targetClass.getAnnotation(RequiresRoles.class) != null) ||
(targetClass.getAnnotation(RequiresUser.class) != null) ||
(targetClass.getAnnotation(RequiresGuest.class) != null) ||
(targetClass.getAnnotation(RequiresAuthentication.class) != null));
}
}
Is this right? Have I missed anything? Does it need to be patched in Shiro?
Cheers,
Peter.
--
web: http://nerderg.com
Twitter: http://twitter.com/pmcneil
Google+: https://plus.google.com/u/0/communities/110661434396927001866
