Another thought is that you could modify the rest filter at this point and skip the AOP. I think the key in your case was "permissive".

On Sep 26, 2013 6:06 PM, "Jared Bunting" <[email protected]> wrote:
> Are you sure that spring is instantiating the annotated beans? (As
> opposed to your jaxrs provider) - that's probably the next thing that I
> would check.
> On Sep 26, 2013 4:25 PM, "davison" <[email protected]> wrote:
>
>> Thanks for the reply!
>>
>> I hadn't come across the "[permissive]" bit in the filter, but looking
>> through the code there it seems that it pretty much unconditionally allows
>> everything with this mapping. I added it to my setup, and also added the
>> Spring beans to my context that according to the Shiro docs are required to
>> make the annotations work. But it just doesn't work for me. Anonymous is
>> permitted to execute the methods protected with the annotation and no
>> password is requested.
>>
>> Here's my security context now:
>>
>> <bean id="shiroFilter"
>>       class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>>     <property name="securityManager" ref="securityManager"/>
>>     <property name="filterChainDefinitions">
>>         <value>
>>             /index.* = anon
>>             /static/* = anon
>>             /api/** = authcBasic[permissive]
>>         </value>
>>     </property>
>> </bean>
>>
>> <bean id="securityManager"
>>       class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
>>     <property name="realm">
>>         <bean class="org.apache.shiro.realm.text.PropertiesRealm">
>>             <property name="resourcePath"
>>                       value="classpath:shiro-realm.properties"></property>
>>         </bean>
>>     </property>
>> </bean>
>>
>> <bean id="lifecycleBeanPostProcessor"
>>       class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
>> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
>>       depends-on="lifecycleBeanPostProcessor"/>
>> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>>     <property name="securityManager" ref="securityManager"/>
>> </bean>
>>
>> Is there something else I'm missing?
>>
>> Best wishes,
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/REST-API-permissions-with-anonymous-usage-tp7579176p7579186.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
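
One way to run the check suggested in the thread (is Spring instantiating the annotated beans, and are they proxied?), as an added example that is not part of the original messages or of Shiro itself. The class name `ShiroProxyAudit` and its methods are hypothetical; it assumes Spring AOP and the Shiro annotation classes are on the classpath.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresGuest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;

/** Hypothetical diagnostic (not Shiro code): lists Shiro-annotated Spring beans and whether each is proxied. */
public final class ShiroProxyAudit {

    private static final List<Class<? extends Annotation>> SHIRO_ANNOTATIONS =
            Arrays.<Class<? extends Annotation>>asList(
                    RequiresAuthentication.class, RequiresGuest.class, RequiresPermissions.class,
                    RequiresRoles.class, RequiresUser.class);

    /** True if the class or any of its public methods carries a Shiro authorization annotation. */
    static boolean hasShiroAnnotation(Class<?> type) {
        for (Class<? extends Annotation> a : SHIRO_ANNOTATIONS) {
            if (type.isAnnotationPresent(a)) return true;
            for (Method m : type.getMethods()) {
                if (m.isAnnotationPresent(a)) return true;
            }
        }
        return false;
    }

    /** Prints one line per annotated bean and returns how many are not AOP proxies. */
    public static int audit(ApplicationContext ctx) {
        int notProxied = 0;
        // getBeansOfType(Object.class) returns the concrete beans Spring itself instantiates
        // (this also initializes lazy beans, so run it as a one-off diagnostic).
        for (Map.Entry<String, Object> e : ctx.getBeansOfType(Object.class).entrySet()) {
            Object bean = e.getValue();
            Class<?> target = AopUtils.getTargetClass(bean); // unwraps CGLIB/JDK proxies
            if (!hasShiroAnnotation(target)) continue;
            boolean proxied = AopUtils.isAopProxy(bean);
            if (!proxied) notProxied++;
            System.out.printf("%s (%s): %s%n", e.getKey(), target.getName(),
                    proxied ? "AOP proxy present" : "NOT proxied, Spring AOP will not enforce its annotations");
        }
        return notProxied;
    }
}
```

An annotated resource class that does not appear in the output at all was never created by Spring, which is the case where the JAX-RS provider builds its own unproxied instance and the annotations are silently skipped.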
