Hi guys,

I just spent a full day trying to get Shiro authorization annotations to work, 
but I'm having some trouble and I would appreciate some help :)

I'm writing a REST web application using spring and jersey. I'm able to verify 
permissions using the standard programmatic approach, but the annotation-based 
authorization is not working for me: nothing happens, the annotated method simply runs. I found a lot of threads 
on this, but none of the solutions in them worked for me.

My issue is very similar to the one in this question: 
http://stackoverflow.com/questions/7743749/shiro-authorization-permission-check-using-annotation-not-working.
 I added the dependencies and the beans to the Shiro context. Here is my 
Shiro configuration file:

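<?xml version="1.0" encoding="UTF-8"?>
<!--
  Shiro + Spring security context (Shiro 1.2.x, Spring 3.x XML configuration).

  Review notes on why @RequiresPermissions can silently do nothing:
    * Shiro's annotation support under Spring is ordinary Spring AOP. The advisor
      below only advises beans that Spring itself instantiates. A Jersey resource
      that Jersey constructs on its own (no jersey-spring integration, or a class
      outside the scanned package) is never proxied, so the annotation is ignored
      and the method stays reachable by any caller that passed the filter chain.
      That is an authorization fail-open, not a visible failure.
    * CGLIB proxies (proxyTargetClass=true) intercept only external calls on
      public, non-final methods; a self-invocation inside the resource bypasses
      the check.
  Until the annotation is proven to fire (an integration test that expects an
  AuthorizationException from the advised method), keep a programmatic
  SecurityUtils.getSubject().checkPermission(...) in the resource, or a
  perms[...] entry in the filter chain, as the enforced control.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-3.0.xsd
           http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

    <!-- Only beans created by Spring from this package can be proxied. The Jersey
         resource classes must live under it AND be instantiated through Spring
         (e.g. the jersey-spring integration's SpringServlet); otherwise no advice
         is applied to them. -->
    <context:component-scan base-package="com.company.mc" />

    <!-- NOTE(review): <aop:aspectj-autoproxy> already registers an auto-proxy
         creator that applies every Advisor bean in the context, including the
         Shiro advisor below, so the explicit DefaultAdvisorAutoProxyCreator is
         most likely redundant. Two creators can wrap the same bean twice; one is
         enough. Left in place here so behaviour the rest of the app may rely on
         is unchanged. -->
    <aop:aspectj-autoproxy proxy-target-class="true" />

    <!-- Enable Shiro annotations on Spring-managed beans. Runs only after the
         lifecycleBeanPostProcessor so the SecurityManager is initialised first. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor">
        <!-- CGLIB subclass proxies: needed because the advised beans are concrete
             classes rather than interfaces. Advised methods must be public and
             non-final. -->
        <property name="proxyTargetClass" value="true" />
    </bean>

    <!-- Advisor that matches Shiro's @Requires* annotations on Spring beans and
         evaluates them against the securityManager. -->
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager" />
    </bean>

    <!-- URL-level security. The first matching pattern wins, so the anon entries
         must precede the /** catch-all. Everything not listed requires an
         authenticated session (deny by default). -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login.jsp" />
        <property name="successUrl" value="/home.htm" />
        <property name="filterChainDefinitions">
            <value>
                # Static assets: no authentication. Keep this list tight, anything
                # under these prefixes is world-readable.
                /css/** = anon
                /font/** = anon
                /img/** = anon
                /js/** = anon
                /libs/** = anon
                /locales/** = anon
                # Login endpoints go through the form-auth filter (it lets the
                # login page render and processes the POSTed credentials).
                /login = authFilter
                /login.jsp = authFilter
                /login.htm = authFilter
                /logout = logoutFilter
                # Catch-all: every other URL needs an authenticated subject.
                # Method-level permissions are NOT enforced here; that is what
                # @RequiresPermissions (or a perms[...] filter entry) is for.
                / = authFilter
                /** = authFilter
            </value>
        </property>
    </bean>

    <!-- Form-based authentication. Project-specific subclass of Shiro's form
         filter; its behaviour (CSRF handling, failure messages, redirect
         targets) is defined in the project and not visible here. -->
    <bean id="authFilter" class="com.company.mc.security.filter.CustomFormAuthenticationFilter" />

    <bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter">
        <property name="redirectUrl" value="/" />
    </bean>

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="authenticator" ref="customizedModularRealmAuthenticator" />
        <!-- Realms are consulted in list order. easyRealm is deliberately NOT
             listed; see its definition below before ever adding it. -->
        <property name="realms">
            <list>
                <!-- <ref bean="easyRealm"/> dev only, never enable with FirstSuccessfulStrategy -->
                <ref bean="myRealm" />
                <ref bean="adRealm" />
            </list>
        </property>
        <!-- Shiro-native sessions instead of the servlet container's.
             NOTE(review): in Shiro 1.2.x the sessionMode property is deprecated
             in favour of a sessionManager bean (DefaultWebSessionManager), which
             is also where session timeout and the session cookie's HttpOnly and
             secure flags are configured. -->
        <property name="sessionMode" value="native" />
    </bean>

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <!-- Authenticates against Active Directory by attempting a bind with the
         username and password posted from the login form. The name suggests it
         supplies no roles or permissions, so permission checks must be backed by
         another realm (presumably myRealm). -->
    <bean id="adRealm" class="com.company.mc.security.realm.NonAuthorizingActiveDirectoryRealm" />

    <!-- DEV ONLY: authenticates whenever password == username, i.e. a backdoor
         into any account when LDAP is unreachable. MUST NOT exist in a production
         context. Because the authenticator uses FirstSuccessfulStrategy, merely
         adding this realm to the list above lets anyone log in as any user no
         matter what AD answers. Prefer keeping this bean in a separate dev-only
         context file (or Spring profile) so it cannot be enabled by uncommenting
         a single line in the shared configuration. -->
    <bean id="easyRealm" class="com.company.mc.security.realm.EasyAccessRealm" />

    <bean id="myRealm" class="com.company.mc.security.realm.myRealm" />

    <!-- Project-specific ModularRealmAuthenticator. FirstSuccessfulStrategy
         accepts the login as soon as one realm succeeds and ignores the other
         realms' failures, so every listed realm is individually sufficient to
         authenticate a subject. -->
    <bean id="customizedModularRealmAuthenticator"
          class="com.company.mc.security.authenticator.CustomizedModularRealmAuthenticator">
        <property name="authenticationStrategy" ref="firstSuccessfulStrategy" />
    </bean>

    <bean id="firstSuccessfulStrategy" class="org.apache.shiro.authc.pam.FirstSuccessfulStrategy" />

</beans>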

Here are my dependencies

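<!-- Spring -->
<!-- NOTE(review): ${spring.version} is defined elsewhere in the POM. The Shiro
     context sets proxy-target-class="true", which on Spring 3.0/3.1 needs the
     separate cglib artifact below; from Spring 3.2 on cglib is repackaged inside
     spring-core and the explicit dependency becomes unnecessary. -->
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>${spring.version}</version>
</dependency>

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context-support</artifactId>
    <version>${spring.version}</version>
</dependency>

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>${spring.version}</version>
</dependency>

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>${spring.version}</version>
</dependency>

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aop</artifactId>
    <version>${spring.version}</version>
</dependency>

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aspects</artifactId>
    <version>${spring.version}</version>
</dependency>

<!-- Support for Spring-Shiro authorization annotations.
     aspectjrt and aspectjweaver must be the same version: the weaver bundles
     the runtime classes, and a 1.6.11 runtime next to a 1.6.12 weaver can
     surface as NoSuchMethodError/LinkageError at proxy creation. Aligned on
     1.6.12 (the version the weaver already used). -->
<dependency>
    <groupId>org.aspectj</groupId>
    <artifactId>aspectjrt</artifactId>
    <version>1.6.12</version>
</dependency>
<dependency>
    <groupId>org.aspectj</groupId>
    <artifactId>aspectjweaver</artifactId>
    <version>1.6.12</version>
</dependency>
<!-- Needed for class-based (subclass) proxies on Spring 3.0/3.1; see note above. -->
<dependency>
    <groupId>cglib</groupId>
    <artifactId>cglib</artifactId>
    <version>2.2.2</version>
</dependency>

<!-- Jersey -->
<!-- NOTE(review): no jersey-spring artifact (com.sun.jersey.contribs) is listed.
     Without it, or an equivalent integration, Jersey instantiates the resource
     classes itself, Spring never proxies them, and Shiro's annotations on them
     are silently ignored. That is consistent with the symptom being reported. -->
<dependency>
    <groupId>com.sun.jersey</groupId>
    <artifactId>jersey-server</artifactId>
    <version>${jersey.version}</version>
</dependency>

<dependency>
    <groupId>com.sun.jersey</groupId>
    <artifactId>jersey-servlet</artifactId>
    <version>${jersey.version}</version>
</dependency>


<!-- Shiro -->
<!-- NOTE(review): 1.2.1 is an old release line; check the Apache Shiro security
     advisories and move to a currently supported release, keeping all shiro-*
     artifacts on the same version. -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.2.1</version>
</dependency>

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.2.1</version>
</dependency>

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.2.1</version>
</dependency>

<!-- NOTE(review): shiro-aspectj only matters with AspectJ compile-time or
     load-time weaving of its aspect. With the Spring-AOP approach used in the
     context file (AuthorizationAttributeSourceAdvisor) it is unused and does
     not make the annotations fire; it can be dropped once that is confirmed. -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-aspectj</artifactId>
    <version>1.2.1</version>
</dependency>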


And the piece of code that is not being processed:

/**
 * Creates a tenant from the JSON body of the request.
 *
 * <p>Authorization: {@code @RequiresPermissions} with two values requires BOTH
 * "tenants:create" and "accessOtherTenants" (the annotation's default is
 * {@code Logical.AND}). The check is applied by Spring AOP around a proxied
 * Spring bean. NOTE(review): it only fires if this resource is instantiated by
 * Spring and proxied (see the AuthorizationAttributeSourceAdvisor in the Shiro
 * context). If Jersey constructs the resource itself, or the method is reached
 * by self-invocation from within the class, the annotation is silently skipped
 * and the method runs with no permission check at all. Until a test proves that
 * an AuthorizationException is raised for a subject lacking the permissions, an
 * explicit
 * {@code SecurityUtils.getSubject().checkPermissions("tenants:create", "accessOtherTenants")}
 * as the first statement of the body is the safe fallback.
 *
 * @param newTenant tenant to create, deserialised from the request body
 *                  (untrusted input: validate before persisting)
 * @return the JAX-RS response; status and entity are not visible here
 */
@RequiresPermissions({"tenants:create", "accessOtherTenants"})
@POST
@Consumes("Application/json") // media types match case-insensitively (RFC 7231); "application/json" is the conventional spelling
public Response addTenant(Tenant newTenant) {

// My Code
}

(trust me on that: my subject has neither of those two permissions, so the call should be rejected rather than reach my code)

I would appreciate some hints on where to direct my search or anything really 
that can help me going forward in "my quest". I'll make sure to post the 
solution once I figure it out.

Thanks for your help and have a nice day
Philippe D.
