I'm experimenting with Shiro + Guice with the goal of using them to implement
an authorization service in a jsf web application. But I'm having trouble
with getting the @RequiresRoles and @RequiresPermissions to actually work.
It looks like they are being ignored.

My shiro module looks like this:


public class MyShiroModule extends ShiroModule {

private final String DUKE_ROLE = "duke";

private final DomainPermission DUKE_PERMISSION = new
DomainPermission("duking");

@Override
protected void configureShiro() {
    MySimpleAccountRealm simpleAccountRealm = new
MySimpleAccountRealm("Feudal realm");

    Set<Permission> duke_permissions = new HashSet<>();
    duke_permissions.add(DUKE_PERMISSION);

    SimpleRole duke = new SimpleRole(DUKE_ROLE, duke_permissions);

    simpleAccountRealm.addAccount("kenzo", "atreides", duke);

    bindRealm().toInstance(simpleAccountRealm);
}
}



As you can see I've created my own Realm and added a user with a sing role
and permission. I've created an extension of the SimpleAccountRealm because
I wanted to add roles with permissions to an account.

MySimpleAccountRealm looks like this:


public class MySimpleAccountRealm extends SimpleAccountRealm {

public MySimpleAccountRealm(String name) {
    super(name);
}

    public void addAccount(String username, String password, SimpleRole...
roles) {
    //Get all the role names from the roles array
    Set<String> roleNames =
Arrays.stream(roles).map(SimpleRole::getName).collect(Collectors.toSet());

    //Get every permission from the roles
    Set<Permission> permissions = new HashSet<>();
    Arrays.stream(roles).forEach(r ->
permissions.addAll(r.getPermissions()));

    SimpleAccount account = new SimpleAccount(username, password, getName(),
roleNames, permissions);
    add(account);
}
}



I have a simple Main class:


public class Main {
public static void main(String[] args) {
    GuiceTest test = new GuiceTest();
    test.gogo();
}
}



My test class looks like:


public class GuiceTest {
private Injector injector;
private SecurityManager securityManager;

public GuiceTest() {
    injector = Guice.createInjector(new MyShiroModule(), new
ShiroAopModule());
    securityManager = injector.getInstance(SecurityManager.class);
    SecurityUtils.setSecurityManager(securityManager);
}

public void gogo() {
    Subject currentUser = SecurityUtils.getSubject();
    loginUser(currentUser);

    testValidWithoutAnnotation(currentUser);
    testInvalidWithoutAnnotation(currentUser);
    testValidRoleAnnotation();
    testInvalidRoleAnnotation();

    currentUser.logout();
}


private void loginUser(Subject currentUser) {
    if (!currentUser.isAuthenticated()) {
        UsernamePasswordToken token = new UsernamePasswordToken("kenzo",
"atreides");
        token.setRememberMe(true);
        try {
            currentUser.login(token);

            //say who they are:
            //print their identifying principal (in this case, a username):
            System.out.println("User [" + currentUser.getPrincipal() + "]
logged in successfully.");
        } catch (UnknownAccountException uae) {
            System.out.println("There is no user with username of " +
token.getPrincipal());
        } catch (IncorrectCredentialsException ice) {
            System.out.println("Password for account " +
token.getPrincipal() + " was incorrect!");
        } catch (LockedAccountException lae) {
            System.out.println("The account for username " +
token.getPrincipal() + " is locked.  " +
                    "Please contact your administrator to unlock it.");
        }
        // ... catch more exceptions here (maybe custom ones specific to
your application?
        catch (AuthenticationException ae) {
            //unexpected condition?  error?
        }
    }
}


    @RequiresRoles("dontHaveThisRoles")
    public void testInvalidRoleAnnotation() {
        System.out.println("Testing (with annotation) that the user has the
role 'dontHaveThisRoles'. User doesn't have this, so it should cause an
AuthenticationException.");
    }

    @RequiresRoles("duke")
    public void testValidRoleAnnotation() {
        System.out.println("Testing (with annotation) that the user has the
role 'duke'. User has this role, so this should be printed.");
    }

    private void testValidWithoutAnnotation(Subject currentUser) {
        if (currentUser.hasRole("duke")) {
            System.out.println("Testing (without annotation) that the user
has the role 'duke'. User has this role.");

        } else {
            System.out.println("Pleb");
        }
    }

    private void testInvalidWithoutAnnotation(Subject currentUser) {
        if (!currentUser.hasRole("nope")) {
            System.out.println("Testing (without annotation) that the user
has the role 'nope'. User doesn't have this role.");
        }
    }

}





When running the application I get the following output:

User [kenzo] logged in successfully.
Testing (without annotation) that the user has the role 'duke'. User has
this role.
Testing (without annotation) that the user has the role 'nope'. User doesn't
have this role.
Testing (with annotation) that the user has the role 'duke'. User has this
role, so this should be printed.
Testing (with annotation) that the user has the role 'dontHaveThisRoles'.
User doesn't have this, so it should cause an AuthenticationException.




The problem lies in the fifth line. Since the logged in user doesn't have
the 'dontHaveThisRoles' role, I expected an AuthenticationException. But
this doesn't happen. I've been debugging the assertAuthorized method in the
RoleAnnotationHandler class to see what's happening. But it looks like I
don't even enter the assertAuthorized method.




Note: My dependencies:

    <dependencies>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-guice</artifactId>
        <version>1.4.0</version>
    </dependency>


    <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.1.1</version>
    </dependency>
    </dependencies>


Since I'm creating my own realm, I don't have a shiro.ini file.




--
Sent from: http://shiro-user.582556.n2.nabble.com/

Reply via email to