shiro-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bdem...@apache.org
Subject shiro git commit: Adds support for javax.annotation.security.RolesAllowed, PermitAll, and DenyAll
Date Wed, 23 Nov 2016 14:25:36 GMT
Repository: shiro
Updated Branches:
  refs/heads/roles-allowed-annotation [created] ba1e06bef


Adds support for javax.annotation.security.RolesAllowed, PermitAll, and DenyAll


Project: http://git-wip-us.apache.org/repos/asf/shiro/repo
Commit: http://git-wip-us.apache.org/repos/asf/shiro/commit/ba1e06be
Tree: http://git-wip-us.apache.org/repos/asf/shiro/tree/ba1e06be
Diff: http://git-wip-us.apache.org/repos/asf/shiro/diff/ba1e06be

Branch: refs/heads/roles-allowed-annotation
Commit: ba1e06bef3e8cf273109833aabb6de4bb2bba2b8
Parents: 6d738af
Author: Brian Demers <bdemers@apache.org>
Authored: Wed Nov 23 09:20:40 2016 -0500
Committer: Brian Demers <bdemers@apache.org>
Committed: Wed Nov 23 09:20:40 2016 -0500

----------------------------------------------------------------------
 core/pom.xml                                    |   6 +
 .../JavaxSecurityRolesAnnotationHandler.java    |  84 +++++++++
 .../JavaxSecurityRolesMethodInterceptor.java    |  84 +++++++++
 ...vaxSecurityRolesMethodIntercepterTest.groovy | 175 +++++++++++++++++++
 .../shiro/aop/JavaxSecurityRoleStubs.java       | 114 ++++++++++++
 pom.xml                                         |   5 +
 samples/jaxrs/pom.xml                           |   6 +
 .../shiro/samples/jaxrs/SampleApplication.java  |   4 +
 .../samples/jaxrs/resources/SecureResource.java |   9 +
 .../web/jaxrs/ContainerIntegrationIT.groovy     |  25 +++
 support/jaxrs/pom.xml                           |   6 +
 .../JavaxSecurityAnnotationFilterFeature.java   |  70 ++++++++
 .../jaxrs/JavaxSecurityAuthorizationFilter.java |  75 ++++++++
 ...axSecurityAnnotationFilterFeatureTest.groovy |  55 ++++++
 .../JavaxSecurityAuthorizationFilterTest.groovy |  92 ++++++++++
 .../JavaxAnnotatedStub.java                     |  41 +++++
 16 files changed, 851 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/core/pom.xml
----------------------------------------------------------------------
diff --git a/core/pom.xml b/core/pom.xml
index 39ea570..17b695f 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -94,6 +94,12 @@
             <artifactId>shiro-event</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>javax.annotation</groupId>
+            <artifactId>javax.annotation-api</artifactId>
+            <optional>true</optional>
+        </dependency>
+
         <!-- Test dependencies -->
         <dependency>
             <groupId>org.slf4j</groupId>

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/core/src/main/java/org/apache/shiro/authz/aop/JavaxSecurityRolesAnnotationHandler.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/shiro/authz/aop/JavaxSecurityRolesAnnotationHandler.java
b/core/src/main/java/org/apache/shiro/authz/aop/JavaxSecurityRolesAnnotationHandler.java
new file mode 100644
index 0000000..6198deb
--- /dev/null
+++ b/core/src/main/java/org/apache/shiro/authz/aop/JavaxSecurityRolesAnnotationHandler.java
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.authz.aop;
+
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresRoles;
+
+import javax.annotation.security.RolesAllowed;
+import java.lang.annotation.Annotation;
+import java.util.Arrays;
+
+/**
+ * Checks to see if a @{@link RolesAllowed}, annotation is declared, and if so, performs
+ * a role check to see if the calling <code>Subject</code> is allowed to proceed.
+ *
+ * @since 1.4.0
+ */
+public class JavaxSecurityRolesAnnotationHandler extends AuthorizingAnnotationHandler {
+
+    /**
+     * Default no-argument constructor that ensures this handler looks for
+     * {@link RequiresRoles RequiresRoles} annotations.
+     */
+    public JavaxSecurityRolesAnnotationHandler() {
+        super(RolesAllowed.class);
+    }
+
+    /**
+     * Ensures that the calling <code>Subject</code> has the Annotation's specified
roles, and if not, throws an
+     * <code>AuthorizingException</code> indicating that access is denied.
+     *
+     * @param a the RolesAllowed annotation to use to check for one or more roles
+     * @throws AuthorizationException
+     *          if the calling <code>Subject</code> does not have the role(s)
necessary to
+     *          proceed.
+     */
+    public void assertAuthorized(Annotation a) throws AuthorizationException {
+
+        if (!(a instanceof RolesAllowed)) {
+            return;
+        }
+
+        RolesAllowed rannotation = (RolesAllowed) a;
+        String[] roles = rannotation.value();
+
+        if (roles.length == 1) {
+            getSubject().checkRole(roles[0]);
+            return;
+        }
+
+        // Avoid processing exceptions unnecessarily - "delay" throwing the exception by
calling hasRole first
+        boolean hasAtLeastOneRole = false;
+
+        for (String role : roles) {
+            if (getSubject().hasRole(role)) {
+                hasAtLeastOneRole = true;
+            }
+        }
+
+        // Cause the exception if none of the role match, note that the exception message
will be a bit misleading
+        if (!hasAtLeastOneRole)
+        {
+            getSubject().checkRole(roles[0]);
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/core/src/main/java/org/apache/shiro/authz/aop/JavaxSecurityRolesMethodInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/shiro/authz/aop/JavaxSecurityRolesMethodInterceptor.java
b/core/src/main/java/org/apache/shiro/authz/aop/JavaxSecurityRolesMethodInterceptor.java
new file mode 100644
index 0000000..8530fab
--- /dev/null
+++ b/core/src/main/java/org/apache/shiro/authz/aop/JavaxSecurityRolesMethodInterceptor.java
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.authz.aop;
+
+import org.apache.shiro.aop.AnnotationResolver;
+import org.apache.shiro.aop.MethodInvocation;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.authz.UnauthorizedException;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+
+
+/**
+ * Checks to see if a @{@link javax.annotation.security.RolesAllowed RolesAllowed} annotation
is declared, and if so, performs
+ * a role check to see if the calling <code>Subject</code> is allowed to invoke
the method.
+ *
+ * @since 1.4.0
+ */
+public class JavaxSecurityRolesMethodInterceptor extends AuthorizingAnnotationMethodInterceptor
{
+
+    /**
+     * Default no-argument constructor that ensures this interceptor looks for
+     * {@link javax.annotation.security.RolesAllowed RolesAllowed} annotations in a method
declaration.
+     */
+    public JavaxSecurityRolesMethodInterceptor() {
+        super( new JavaxSecurityRolesAnnotationHandler() );
+    }
+
+    /**
+     * @param resolver
+     * @since 1.4.0
+     */
+    public JavaxSecurityRolesMethodInterceptor(AnnotationResolver resolver) {
+        super(new JavaxSecurityRolesAnnotationHandler(), resolver);
+    }
+
+    @Override
+    public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
+
+        DenyAll denyAllOnMethod = mi.getMethod().getAnnotation(DenyAll.class); // this can
only be at the method level
+        PermitAll permitAllOnMethod = mi.getMethod().getAnnotation(PermitAll.class); // a
PermitAll on a class, is the default condition.
+        RolesAllowed rolesAllowedOnMethod = mi.getMethod().getAnnotation(RolesAllowed.class);
+
+        // DenyAll on the method take precedence over RolesAllowed and PermitAll
+        if (denyAllOnMethod != null ) {
+            throw new UnauthorizedException("Subject does not have access to method due to
DenyAll annotation.");
+        }
+
+        // RolesAllowed on the method takes precedence over PermitAll
+        if(rolesAllowedOnMethod != null) {
+            super.assertAuthorized(mi);
+            return;
+        }
+
+        // PermitAll on method takes precedence over RolesAllowed on the class
+        if (permitAllOnMethod != null) {
+            // just return
+            return;
+        }
+
+        // DenyAll can't be attached to classes
+
+        // RolesAllowed on the class takes precedence over PermitAll
+        super.assertAuthorized(mi);
+    }
+}

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/core/src/test/groovy/org/apache/shiro/aop/JavaxSecurityRolesMethodIntercepterTest.groovy
----------------------------------------------------------------------
diff --git a/core/src/test/groovy/org/apache/shiro/aop/JavaxSecurityRolesMethodIntercepterTest.groovy
b/core/src/test/groovy/org/apache/shiro/aop/JavaxSecurityRolesMethodIntercepterTest.groovy
new file mode 100644
index 0000000..9828ee6
--- /dev/null
+++ b/core/src/test/groovy/org/apache/shiro/aop/JavaxSecurityRolesMethodIntercepterTest.groovy
@@ -0,0 +1,175 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.aop
+
+import org.apache.shiro.authz.UnauthorizedException
+import org.apache.shiro.authz.aop.JavaxSecurityRolesMethodInterceptor
+import org.apache.shiro.subject.Subject
+import org.apache.shiro.util.ThreadContext
+import org.junit.Assert;
+import org.junit.Test;
+
+import static org.apache.shiro.aop.JavaxSecurityRoleStubs.*
+
+import java.lang.reflect.Method
+
+import static org.easymock.EasyMock.*
+import static org.junit.Assert.*
+
+
+/**
+ * Tests for {@link JavaxSecurityRolesMethodInterceptor}.
+ */
+public class JavaxSecurityRolesMethodIntercepterTest {
+
+    @Test
+    public void rolesAllowedOnMethod() throws Throwable {
+
+        Subject subject = mock(Subject)
+        expect(subject.checkRole("RoleOne"))
+        assertTrue executeStubMethod(new RolesAllowedOnMethod(), subject);
+    }
+
+    @Test
+    public void rolesAllowedOnClass() throws Throwable {
+
+        Subject subject = mock(Subject)
+        expect(subject.checkRole("RoleOne"))
+        assertTrue executeStubMethod(new RolesAllowedOnClass(), subject);
+    }
+
+
+    @Test
+    public void permitAllOnMethod() throws Throwable {
+
+        Subject subject = mock(Subject)
+        assertTrue executeStubMethod(new PermitAllOnMethod(), subject);
+    }
+
+    @Test
+    public void permitAllOnClass() throws Throwable {
+
+        Subject subject = mock(Subject)
+        assertTrue executeStubMethod(new PermitAllOnClass(), subject);
+    }
+
+    @Test(expected = UnauthorizedException.class)
+    public void denyAllOnMethod() throws Throwable {
+
+        Subject subject = mock(Subject)
+        executeStubMethod(new DenyAllOnMethod(), subject);
+    }
+
+    @Test(expected = UnauthorizedException.class)
+    public void rolesAllowedOnClassDenyAllOnMethod() throws Throwable {
+
+        Subject subject = mock(Subject)
+        executeStubMethod(new RolesAllowedOnClassDenyAllOnMethod(), subject);
+    }
+
+    @Test(expected = UnauthorizedException.class)
+    public void rolesAllowedOnMethodDenyAllOnMethod() throws Throwable {
+
+        Subject subject = mock(Subject)
+        executeStubMethod(new RolesAllowedOnMethodDenyAllOnMethod(), subject);
+    }
+
+    @Test
+    public void rolesAllowedOnClassPermitAllOnClass() throws Throwable {
+
+        Subject subject = mock(Subject)
+        expect(subject.checkRole("RoleOne"))
+        assertTrue executeStubMethod(new RolesAllowedOnClassPermitAllOnClass(), subject);
+    }
+
+    @Test
+    public void rolesAllowedOnMethodPermitAllOnMethod() throws Throwable {
+
+        Subject subject = mock(Subject)
+        expect(subject.checkRole("RoleOne"))
+        assertTrue executeStubMethod(new RolesAllowedOnMethodPermitAllOnMethod(), subject);
+    }
+
+    @Test
+    public void rolesAllowedOnClassPermitAllOnMethod() throws Throwable {
+
+        Subject subject = mock(Subject)
+        assertTrue executeStubMethod(new RolesAllowedOnClassPermitAllOnMethod(), subject);
+    }
+
+    @Test
+    public void permitAllOnClassRolesAllowedOnMethod() throws Throwable {
+
+        Subject subject = mock(Subject)
+        expect(subject.checkRole("RoleOne"))
+        assertTrue executeStubMethod(new PermitAllOnClassRolesAllowedOnMethod(), subject);
+    }
+
+
+
+
+
+
+    static boolean executeStubMethod(final SimpleStub stub, Subject subject) {
+
+        try {
+            replay subject
+            ThreadContext.bind(subject)
+
+            JavaxSecurityRolesMethodInterceptor interceptor = new JavaxSecurityRolesMethodInterceptor();
+
+            Object result = interceptor.invoke(new MethodInvocation() {
+                @Override
+                public Object proceed() throws Throwable {
+                    return stub.callMe();
+                }
+
+                @Override
+                public Method getMethod() {
+                    try {
+                        return stub.getClass().getMethod("callMe");
+                    } catch (NoSuchMethodException e) {
+                        Assert.fail("Failed to return method 'callMe()' on stub");
+                        return null;
+                    }
+                }
+
+                @Override
+                public Object[] getArguments() {
+                    return new Object[0];
+                }
+
+                @Override
+                public Object getThis() {
+                    return stub;
+                }
+            });
+
+            verify subject
+
+            return result;
+        }
+        finally {
+            ThreadContext.unbindSubject()
+        }
+
+
+
+    }
+}

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/core/src/test/java/org/apache/shiro/aop/JavaxSecurityRoleStubs.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/shiro/aop/JavaxSecurityRoleStubs.java b/core/src/test/java/org/apache/shiro/aop/JavaxSecurityRoleStubs.java
new file mode 100644
index 0000000..2a07a2d
--- /dev/null
+++ b/core/src/test/java/org/apache/shiro/aop/JavaxSecurityRoleStubs.java
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.aop;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+
+public final class JavaxSecurityRoleStubs {
+
+    public interface SimpleStub {
+        boolean callMe();
+    }
+
+
+    @RolesAllowed("RoleOne")
+    public static class RolesAllowedOnClass implements SimpleStub {
+        public boolean callMe() {
+            return true;
+        }
+    }
+
+    public static class RolesAllowedOnMethod implements SimpleStub {
+        @RolesAllowed("RoleOne")
+        public boolean callMe() {
+            return true;
+        }
+    }
+
+    public static class PermitAllOnMethod implements SimpleStub {
+        @PermitAll
+        public boolean callMe() {
+            return true;
+        }
+    }
+
+    @PermitAll
+    public static class PermitAllOnClass implements SimpleStub {
+        public boolean callMe() {
+            return true;
+        }
+    }
+
+    public static class DenyAllOnMethod implements SimpleStub {
+        @DenyAll
+        public boolean callMe() {
+            return false;
+        }
+    }
+
+    @RolesAllowed("RoleOne")
+    public static class  RolesAllowedOnClassDenyAllOnMethod implements SimpleStub {
+        @DenyAll
+        public boolean callMe() {
+            return false;
+        }
+    }
+
+    public static class  RolesAllowedOnMethodDenyAllOnMethod implements SimpleStub {
+        @RolesAllowed("RoleOne")
+        @DenyAll
+        public boolean callMe() {
+            return false;
+        }
+    }
+
+    @RolesAllowed("RoleOne")
+    @PermitAll
+    public static class RolesAllowedOnClassPermitAllOnClass implements SimpleStub {
+        public boolean callMe() {
+            return true;
+        }
+    }
+
+    public static class RolesAllowedOnMethodPermitAllOnMethod implements SimpleStub {
+        @RolesAllowed("RoleOne")
+        @PermitAll
+        public boolean callMe() {
+            return true;
+        }
+    }
+
+    @RolesAllowed("RoleOne")
+    public static class RolesAllowedOnClassPermitAllOnMethod implements SimpleStub {
+        @PermitAll
+        public boolean callMe() {
+            return true;
+        }
+    }
+
+    @PermitAll
+    public static class PermitAllOnClassRolesAllowedOnMethod implements SimpleStub {
+        @RolesAllowed("RoleOne")
+        public boolean callMe() {
+            return true;
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1162d41..3959dc8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -813,6 +813,11 @@
                 <scope>provided</scope>
             </dependency>
             <dependency>
+                <groupId>javax.annotation</groupId>
+                <artifactId>javax.annotation-api</artifactId>
+                <version>1.2</version>
+            </dependency>
+            <dependency>
                 <groupId>log4j</groupId>
                 <artifactId>log4j</artifactId>
                 <version>1.2.17</version>

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/samples/jaxrs/pom.xml
----------------------------------------------------------------------
diff --git a/samples/jaxrs/pom.xml b/samples/jaxrs/pom.xml
index da02fed..3c57d32 100644
--- a/samples/jaxrs/pom.xml
+++ b/samples/jaxrs/pom.xml
@@ -80,6 +80,12 @@
             <artifactId>shiro-jaxrs</artifactId>
         </dependency>
 
+        <!-- enable optional support for javax.annotation.security annotations -->
+        <dependency>
+            <groupId>javax.annotation</groupId>
+            <artifactId>javax.annotation-api</artifactId>
+        </dependency>
+
         <dependency>
             <!-- Required for any libraries that expect to call the commons logging APIs
-->
             <groupId>org.slf4j</groupId>

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/SampleApplication.java
----------------------------------------------------------------------
diff --git a/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/SampleApplication.java
b/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/SampleApplication.java
index b7ae949..00b8649 100644
--- a/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/SampleApplication.java
+++ b/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/SampleApplication.java
@@ -20,6 +20,7 @@ package org.apache.shiro.samples.jaxrs;
 
 import org.apache.shiro.samples.jaxrs.resources.HelloResource;
 import org.apache.shiro.samples.jaxrs.resources.SecureResource;
+import org.apache.shiro.web.jaxrs.JavaxSecurityAnnotationFilterFeature;
 import org.apache.shiro.web.jaxrs.ShiroFeature;
 
 import javax.ws.rs.ApplicationPath;
@@ -41,6 +42,9 @@ public class SampleApplication extends Application {
         // register Shiro
         classes.add(ShiroFeature.class);
 
+        // optional javax.annotations.security support
+        classes.add(JavaxSecurityAnnotationFilterFeature.class);
+
         // register resources
         classes.add(HelloResource.class);
         classes.add(SecureResource.class);

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/resources/SecureResource.java
----------------------------------------------------------------------
diff --git a/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/resources/SecureResource.java
b/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/resources/SecureResource.java
index c590987..47e347e 100644
--- a/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/resources/SecureResource.java
+++ b/samples/jaxrs/src/main/java/org/apache/shiro/samples/jaxrs/resources/SecureResource.java
@@ -25,12 +25,15 @@ import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.apache.shiro.authz.annotation.RequiresRoles;
 import org.apache.shiro.authz.annotation.RequiresUser;
 
+import javax.annotation.security.RolesAllowed;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 
+import static org.glassfish.grizzly.http.util.Header.Allow;
+
 @Path("secure")
 @Produces({"application/json","plain/text"})
 public class SecureResource {
@@ -71,5 +74,11 @@ public class SecureResource {
         return "protected";
     }
 
+    @RolesAllowed("admin")
+    @Path("RolesAllowed")
+    @GET
+    public String protectedByRolesAllowed() {
+        return "protected";
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/samples/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ContainerIntegrationIT.groovy
----------------------------------------------------------------------
diff --git a/samples/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ContainerIntegrationIT.groovy
b/samples/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ContainerIntegrationIT.groovy
index 84899d7..40495ce 100644
--- a/samples/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ContainerIntegrationIT.groovy
+++ b/samples/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/ContainerIntegrationIT.groovy
@@ -96,6 +96,31 @@ public class ContainerIntegrationIT extends AbstractContainerIT {
     }
 
     @Test
+    void testSecuredRolesAllowed() {
+
+        get(getBaseUri() + "secure/RolesAllowed")
+                .then()
+                .assertThat().statusCode(is(401))
+
+        given()
+                .header("Authorization", getBasicAuthorizationHeaderValue("guest", "guest"))
+                .when()
+                .get(getBaseUri() + "secure/RolesAllowed")
+                .then()
+                .assertThat()
+                .statusCode(is(403)).and()
+
+        given()
+                .header("Authorization", getBasicAuthorizationHeaderValue("root", "secret"))
+                .when()
+                .get(getBaseUri() + "secure/RolesAllowed")
+                .then()
+                .assertThat()
+                .statusCode(is(200)).and()
+                .body(equalTo("protected"))
+    }
+
+    @Test
     void testSecuredRequiresPermissions() {
 
         get(getBaseUri() + "secure/RequiresPermissions")

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/support/jaxrs/pom.xml
----------------------------------------------------------------------
diff --git a/support/jaxrs/pom.xml b/support/jaxrs/pom.xml
index 05b3c5b..bcf922b 100644
--- a/support/jaxrs/pom.xml
+++ b/support/jaxrs/pom.xml
@@ -49,6 +49,12 @@
             <version>2.0.1</version>
         </dependency>
 
+        <dependency>
+            <groupId>javax.annotation</groupId>
+            <artifactId>javax.annotation-api</artifactId>
+            <optional>true</optional>
+        </dependency>
+
         <!-- Test Deps -->
         <dependency>
             <groupId>org.slf4j</groupId>

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/JavaxSecurityAnnotationFilterFeature.java
----------------------------------------------------------------------
diff --git a/support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/JavaxSecurityAnnotationFilterFeature.java
b/support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/JavaxSecurityAnnotationFilterFeature.java
new file mode 100644
index 0000000..49d4374
--- /dev/null
+++ b/support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/JavaxSecurityAnnotationFilterFeature.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.web.jaxrs;
+
+import org.apache.shiro.web.filter.authz.AuthorizationFilter;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.DynamicFeature;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.FeatureContext;
+import java.lang.annotation.Annotation;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Wraps {@link AuthorizationFilter filters} around JAX-RS resources that are annotated with
Shiro annotations.
+ * @since 1.4
+ */
+public class JavaxSecurityAnnotationFilterFeature implements DynamicFeature {
+
+    private static List<Class<? extends Annotation>> javaxSecurityAnnotations
= Collections.unmodifiableList(Arrays.asList(
+            DenyAll.class,
+            PermitAll.class,
+            RolesAllowed.class));
+
+    @Override
+    public void configure(ResourceInfo resourceInfo, FeatureContext context) {
+
+        List<Annotation> authzSpecs = new ArrayList<Annotation>();
+
+        for (Class<? extends Annotation> annotationClass : javaxSecurityAnnotations)
{
+            // XXX What is the performance of getAnnotation vs getAnnotations?
+            Annotation classAuthzSpec = resourceInfo.getResourceClass().getAnnotation(annotationClass);
+            Annotation methodAuthzSpec = resourceInfo.getResourceMethod().getAnnotation(annotationClass);
+
+            if (classAuthzSpec != null) {
+                authzSpecs.add(classAuthzSpec);
+            }
+            if (methodAuthzSpec != null) {
+                authzSpecs.add(methodAuthzSpec);
+            }
+        }
+
+        if (!authzSpecs.isEmpty()) {
+            context.register(new JavaxSecurityAuthorizationFilter(authzSpecs), Priorities.AUTHORIZATION);
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/JavaxSecurityAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/JavaxSecurityAuthorizationFilter.java
b/support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/JavaxSecurityAuthorizationFilter.java
new file mode 100644
index 0000000..1519ab5
--- /dev/null
+++ b/support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/JavaxSecurityAuthorizationFilter.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.web.jaxrs;
+
+import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
+import org.apache.shiro.authz.aop.JavaxSecurityRolesAnnotationHandler;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+
+/**
+ * A filter that grants or denies access to a JAX-RS resource based on the <code>javax.annotation.security</code>
annotations on it.
+ *
+ * @see org.apache.shiro.authz.annotation
+ * @since 1.4
+ */
+public class JavaxSecurityAuthorizationFilter implements ContainerRequestFilter {
+
+    private final Map<AuthorizingAnnotationHandler, Annotation> authzChecks;
+
+    public JavaxSecurityAuthorizationFilter(Collection<Annotation> authzSpecs) {
+        Map<AuthorizingAnnotationHandler, Annotation> authChecks = new HashMap<AuthorizingAnnotationHandler,
Annotation>(authzSpecs.size());
+        for (Annotation authSpec : authzSpecs) {
+            authChecks.put(createHandler(authSpec), authSpec);
+        }
+        this.authzChecks = Collections.unmodifiableMap(authChecks);
+    }
+
+    private static AuthorizingAnnotationHandler createHandler(Annotation annotation) {
+        Class<?> t = annotation.annotationType();
+
+        if (RolesAllowed.class.equals(t) || DenyAll.class.equals(t) || PermitAll.class.equals(t))
{
+            return new JavaxSecurityRolesAnnotationHandler();
+        }
+
+        else throw new IllegalArgumentException("Cannot create a handler for the unknown
for annotation " + t);
+    }
+
+    @Override
+    public void filter(ContainerRequestContext requestContext) throws IOException {
+
+        for (Map.Entry<AuthorizingAnnotationHandler, Annotation> authzCheck : authzChecks.entrySet())
{
+            AuthorizingAnnotationHandler handler = authzCheck.getKey();
+            Annotation authzSpec = authzCheck.getValue();
+            handler.assertAuthorized(authzSpec);
+        }
+    }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/JavaxSecurityAnnotationFilterFeatureTest.groovy
----------------------------------------------------------------------
diff --git a/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/JavaxSecurityAnnotationFilterFeatureTest.groovy
b/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/JavaxSecurityAnnotationFilterFeatureTest.groovy
new file mode 100644
index 0000000..d43d25e
--- /dev/null
+++ b/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/JavaxSecurityAnnotationFilterFeatureTest.groovy
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.web.jaxrs
+
+import org.easymock.Capture
+import org.junit.Test
+
+import javax.annotation.security.DenyAll
+import javax.annotation.security.PermitAll
+import javax.annotation.security.RolesAllowed
+import javax.ws.rs.Priorities
+import javax.ws.rs.container.ResourceInfo
+import javax.ws.rs.core.FeatureContext
+
+import static org.easymock.EasyMock.*
+
+/**
+ * Tests for {@link JavaxSecurityAnnotationFilterFeature}.
+ * @since 1.4.0
+ */
+class JavaxSecurityAnnotationFilterFeatureTest {
+
+    @Test
+    void simpleTest() {
+
+        def resourceInfo = mock(ResourceInfo)
+        def featureContext = mock(FeatureContext)
+        def filterCapture = new Capture<JavaxSecurityAuthorizationFilter>()
+        expect(resourceInfo.getResourceClass()).andReturn(JavaxAnnotatedStub).anyTimes()
+        expect(resourceInfo.getResourceMethod()).andReturn(JavaxAnnotatedStub.getMethod("denyMe")).anyTimes()
+        expect(featureContext.register(capture(filterCapture), eq(Priorities.AUTHORIZATION))).andReturn(featureContext)
+
+        replay resourceInfo, featureContext
+
+        new JavaxSecurityAnnotationFilterFeature().configure(resourceInfo, featureContext)
+
+        verify resourceInfo, featureContext
+    }
+}

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/JavaxSecurityAuthorizationFilterTest.groovy
----------------------------------------------------------------------
diff --git a/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/JavaxSecurityAuthorizationFilterTest.groovy
b/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/JavaxSecurityAuthorizationFilterTest.groovy
new file mode 100644
index 0000000..0d1e711
--- /dev/null
+++ b/support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/JavaxSecurityAuthorizationFilterTest.groovy
@@ -0,0 +1,92 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.web.jaxrs
+
+import org.apache.shiro.authz.annotation.RequiresGuest
+import org.apache.shiro.subject.Subject
+import org.apache.shiro.util.ThreadContext
+import org.junit.Assert
+import org.junit.Test
+
+import javax.annotation.security.PermitAll
+import javax.annotation.security.RolesAllowed
+import javax.ws.rs.container.ContainerRequestContext
+import java.lang.annotation.Annotation
+
+import static org.easymock.EasyMock.*
+import static org.hamcrest.Matchers.*
+import static org.hamcrest.MatcherAssert.*
+
+/**
+ * Tests for {@link JavaxSecurityAuthorizationFilter}.
+ * @since 1.4.0
+ */
+class JavaxSecurityAuthorizationFilterTest {
+
+    @Test
+    void simpleTest() {
+
+        List<Annotation> annotationSpecs = new ArrayList<Annotation>();
+        annotationSpecs.add(JavaxAnnotatedStub.getAnnotation(PermitAll.class))
+        annotationSpecs.add(JavaxAnnotatedStub.getMethod("rolesAllowed").getAnnotation(RolesAllowed.class))
+
+        def requestContext = mock(ContainerRequestContext)
+        def subject = mock(Subject)
+        subject.checkRole("Role1")
+
+        try {
+            ThreadContext.bind(subject)
+
+            replay requestContext, subject
+
+            new JavaxSecurityAuthorizationFilter(annotationSpecs).filter(requestContext)
+
+            verify requestContext, subject
+        }
+        finally {
+            ThreadContext.unbindSubject()
+        }
+    }
+
+    @Test
+    void unhandledAnnotationTest() {
+        List<Annotation> annotationSpecs = new ArrayList<Annotation>();
+        annotationSpecs.add(JavaxAnnotatedStub.getMethod("requiresGuest").getAnnotation(RequiresGuest.class))
+
+        def requestContext = mock(ContainerRequestContext)
+        def subject = mock(Subject)
+
+        try {
+            ThreadContext.bind(subject)
+
+            replay requestContext, subject
+
+            new JavaxSecurityAuthorizationFilter(annotationSpecs).filter(requestContext)
+            Assert.fail("expected IllegalArgumentException")
+        }
+        catch(IllegalArgumentException e){
+            assertThat e.getMessage(), stringContainsInOrder(RequiresGuest.getName())
+        }
+        finally {
+
+            verify requestContext, subject
+            ThreadContext.unbindSubject()
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/shiro/blob/ba1e06be/support/jaxrs/src/test/java/org/apache.shiro.web.jaxrs/JavaxAnnotatedStub.java
----------------------------------------------------------------------
diff --git a/support/jaxrs/src/test/java/org/apache.shiro.web.jaxrs/JavaxAnnotatedStub.java
b/support/jaxrs/src/test/java/org/apache.shiro.web.jaxrs/JavaxAnnotatedStub.java
new file mode 100644
index 0000000..eec850b
--- /dev/null
+++ b/support/jaxrs/src/test/java/org/apache.shiro.web.jaxrs/JavaxAnnotatedStub.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.web.jaxrs;
+
+import org.apache.shiro.authz.annotation.RequiresGuest;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+
+@PermitAll
+public class JavaxAnnotatedStub {
+
+    @DenyAll
+    public void denyMe() {}
+
+    @PermitAll
+    public void allowMe() {}
+
+    @RolesAllowed("Role1")
+    public void rolesAllowed() {}
+
+    @RequiresGuest
+    public void requiresGuest() {}
+}


Mime
View raw message