Re: Shiro Guice - Requires annotations are ignored/unprocessed
I'm guessing your GuiceTest isn't getting picked up by any AOP processing. It is likely just still a POJO at that time when you call your methods. IIRC, if you move those annotated methods to a guice component they will start to work.

On Fri, Apr 13, 2018 at 9:31 AM, Ken Han wrote:
> I'm experimenting with Shiro + Guice with the goal of using them to
> implement an authorization service in a jsf web application. But I'm
> having trouble with getting the @RequiresRoles and @RequiresPermissions
> to actually work. It looks like they are being ignored.
Shiro Guice - Requires annotations are ignored/unprocessed
I'm experimenting with Shiro + Guice with the goal of using them to implement an authorization service in a jsf web application. But I'm having trouble with getting the @RequiresRoles and @RequiresPermissions to actually work. It looks like they are being ignored.

My shiro module looks like this:

    import java.util.HashSet;
    import java.util.Set;

    import org.apache.shiro.authz.Permission;
    import org.apache.shiro.authz.SimpleRole;
    import org.apache.shiro.authz.permission.DomainPermission;
    import org.apache.shiro.guice.ShiroModule;

    public class MyShiroModule extends ShiroModule {

        private final String DUKE_ROLE = "duke";
        private final DomainPermission DUKE_PERMISSION = new DomainPermission("duking");

        @Override
        protected void configureShiro() {
            MySimpleAccountRealm simpleAccountRealm = new MySimpleAccountRealm("Feudal realm");

            Set<Permission> duke_permissions = new HashSet<>();
            duke_permissions.add(DUKE_PERMISSION);

            SimpleRole duke = new SimpleRole(DUKE_ROLE, duke_permissions);

            simpleAccountRealm.addAccount("kenzo", "atreides", duke);

            bindRealm().toInstance(simpleAccountRealm);
        }
    }

As you can see I've created my own Realm and added a user with a single role and permission. I've created an extension of the SimpleAccountRealm because I wanted to add roles with permissions to an account.

MySimpleAccountRealm looks like this:

    import java.util.Arrays;
    import java.util.HashSet;
    import java.util.Set;
    import java.util.stream.Collectors;

    import org.apache.shiro.authc.SimpleAccount;
    import org.apache.shiro.authz.Permission;
    import org.apache.shiro.authz.SimpleRole;
    import org.apache.shiro.realm.SimpleAccountRealm;

    public class MySimpleAccountRealm extends SimpleAccountRealm {

        public MySimpleAccountRealm(String name) {
            super(name);
        }

        public void addAccount(String username, String password, SimpleRole... roles) {
            // Get all the role names from the roles array
            Set<String> roleNames =
                    Arrays.stream(roles).map(SimpleRole::getName).collect(Collectors.toSet());

            // Get every permission from the roles
            Set<Permission> permissions = new HashSet<>();
            Arrays.stream(roles).forEach(r -> permissions.addAll(r.getPermissions()));

            SimpleAccount account = new SimpleAccount(username, password, getName(),
                    roleNames, permissions);
            add(account);
        }
    }

I have a simple Main class:

    public class Main {
        public static void main(String[] args) {
            GuiceTest test = new GuiceTest();
            test.gogo();
        }
    }

My test class looks like:

    import com.google.inject.Guice;
    import com.google.inject.Injector;

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.IncorrectCredentialsException;
    import org.apache.shiro.authc.LockedAccountException;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authz.annotation.RequiresRoles;
    import org.apache.shiro.guice.aop.ShiroAopModule;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.subject.Subject;

    public class GuiceTest {
        private Injector injector;
        private SecurityManager securityManager;

        public GuiceTest() {
            injector = Guice.createInjector(new MyShiroModule(), new ShiroAopModule());
            securityManager = injector.getInstance(SecurityManager.class);
            SecurityUtils.setSecurityManager(securityManager);
        }

        public void gogo() {
            Subject currentUser = SecurityUtils.getSubject();
            loginUser(currentUser);

            testValidWithoutAnnotation(currentUser);
            testInvalidWithoutAnnotation(currentUser);
            testValidRoleAnnotation();
            testInvalidRoleAnnotation();

            currentUser.logout();
        }

        private void loginUser(Subject currentUser) {
            if (!currentUser.isAuthenticated()) {
                UsernamePasswordToken token = new UsernamePasswordToken("kenzo", "atreides");
                token.setRememberMe(true);
                try {
                    currentUser.login(token);

                    // say who they are:
                    // print their identifying principal (in this case, a username):
                    System.out.println("User [" + currentUser.getPrincipal() + "] logged in successfully.");
                } catch (UnknownAccountException uae) {
                    System.out.println("There is no user with username of " + token.getPrincipal());
                } catch (IncorrectCredentialsException ice) {
                    System.out.println("Password for account " + token.getPrincipal() + " was incorrect!");
                } catch (LockedAccountException lae) {
                    System.out.println("The account for username " + token.getPrincipal() + " is locked. " +
                            "Please contact your administrator to unlock it.");
                }
                // ... catch more exceptions here (maybe custom ones specific to your application?
                catch (AuthenticationException ae) {
                    // unexpected condition? error?
                }
            }
        }

        @RequiresRoles("dontHaveThisRoles")
        public void testInvalidRoleAnnotation() {
            System.out.println("Testing (with annotation) that the user has the role 'dontHaveThisRoles'. " +
                    "User doesn't have this, so it should cause an AuthenticationException.");
        }

        @RequiresRoles("duke")
        public void testValidRoleAnnotation() {
            System.out.println("Testing (with annotation) that the user has the role 'duke'. " +
                    "User has this role, so this should be printed.");
        }

        private void testValidWithoutAnnotation(Subject currentUser) {
            if (currentUser.hasRole("duke")) {
                System.out.println("Testing (without annotation) that the user has the role 'duke'. User has this role.");
            } else {
                System.out.println("Pleb");
            }
        }

        private void testInvalidWithoutAnnotation(Subject currentUser) {
            if (!currentUser.hasRole("nope")) {
                System.out.println("Testing (without annotation) that the user has the role 'nope'. User doesn't have this role.");
            }
        }
    }

When running the application I get the following output:

    User [kenzo] logged in successfully.
    Testing (without annotation) that the user has the role 'duke'. User has this role.
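The reply above points at the cause: Shiro's @RequiresRoles / @RequiresPermissions annotations are enforced by Guice method interceptors that ShiroAopModule registers, and Guice can only wrap instances it constructs itself. A GuiceTest created with `new` is a plain object, so the interceptor never runs and the annotated methods execute as if no check existed, which is a silent fail-open rather than an error. The example below is added here to illustrate that contrast; it is not code from the thread or from the Shiro project. The class names GuiceAopCheck, ReportService and DemoShiroModule, the "baron" role and the account details are constructed for the example. It uses the stock SimpleAccountRealm rather than the poster's subclass, and it expects Shiro's role interceptor to throw an AuthorizationException (concretely, UnauthorizedException) on a missing role.

```java
import com.google.inject.Guice;
import com.google.inject.Injector;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.guice.ShiroModule;
import org.apache.shiro.guice.aop.ShiroAopModule;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class GuiceAopCheck {

    // Hypothetical Guice component. Guice AOP needs a non-final class with a
    // public no-arg (or @Inject) constructor and non-final, non-private methods.
    public static class ReportService {
        @RequiresRoles("duke")
        public String dukeOnly() {
            return "duke report";
        }

        @RequiresRoles("baron")
        public String baronOnly() {
            return "baron report";
        }
    }

    // Minimal realm for the example: one account holding only the "duke" role.
    static class DemoShiroModule extends ShiroModule {
        @Override
        protected void configureShiro() {
            SimpleAccountRealm realm = new SimpleAccountRealm("demo");
            realm.addRole("duke");
            realm.addAccount("kenzo", "atreides", "duke");
            bindRealm().toInstance(realm);
        }
    }

    // True only when Guice handed back its generated (intercepted) subclass.
    static boolean isIntercepted(Object component, Class<?> declaredType) {
        return component.getClass() != declaredType;
    }

    public static void main(String[] args) {
        Injector injector = Guice.createInjector(new DemoShiroModule(), new ShiroAopModule());
        SecurityUtils.setSecurityManager(injector.getInstance(SecurityManager.class));

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("kenzo", "atreides"));

        // Wrong: constructed with `new`, so no interceptor is attached and the
        // "baron" requirement is never evaluated. Both calls succeed silently.
        ReportService unmanaged = new ReportService();
        System.out.println("unmanaged intercepted? " + isIntercepted(unmanaged, ReportService.class));
        System.out.println("unmanaged baronOnly(): " + unmanaged.baronOnly());

        // Right: obtained from the injector, so the annotations are enforced.
        ReportService managed = injector.getInstance(ReportService.class);
        System.out.println("managed intercepted? " + isIntercepted(managed, ReportService.class));
        System.out.println("managed dukeOnly(): " + managed.dukeOnly());
        try {
            managed.baronOnly();
            System.out.println("BUG: @RequiresRoles(\"baron\") was not enforced");
        } catch (AuthorizationException e) {
            System.out.println("managed baronOnly() denied: " + e.getClass().getSimpleName());
        }

        subject.logout();
    }
}
```

The isIntercepted check is a cheap startup assertion for any component that carries authorization annotations: if the class Guice returns is the declared class itself, no interceptor was woven in and every annotated method on it is effectively unprotected. Keeping annotated methods on injector-managed components, and never instantiating those components by hand, is what makes the annotations enforceable.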