I'm guessing your GuiceTest isn't getting picked up by any AOP processing. It is likely just still a POJO at that time when you call your methods. IIRC, if you move those annotated methods to a guice component they will start to work.
On Fri, Apr 13, 2018 at 9:31 AM, Ken Han <hangisike...@gmail.com> wrote: > I'm experimenting with Shiro + Guice with the goal of using them to > implement > an authorization service in a jsf web application. But I'm having trouble > with getting the @RequiresRoles and @RequiresPermissions to actually work. > It looks like they are being ignored. > > My shiro module looks like this: > > > public class MyShiroModule extends ShiroModule { > > private final String DUKE_ROLE = "duke"; > > private final DomainPermission DUKE_PERMISSION = new > DomainPermission("duking"); > > @Override > protected void configureShiro() { > MySimpleAccountRealm simpleAccountRealm = new > MySimpleAccountRealm("Feudal realm"); > > Set<Permission> duke_permissions = new HashSet<>(); > duke_permissions.add(DUKE_PERMISSION); > > SimpleRole duke = new SimpleRole(DUKE_ROLE, duke_permissions); > > simpleAccountRealm.addAccount("kenzo", "atreides", duke); > > bindRealm().toInstance(simpleAccountRealm); > } > } > > > > As you can see I've created my own Realm and added a user with a sing role > and permission. I've created an extension of the SimpleAccountRealm because > I wanted to add roles with permissions to an account. > > MySimpleAccountRealm looks like this: > > > public class MySimpleAccountRealm extends SimpleAccountRealm { > > public MySimpleAccountRealm(String name) { > super(name); > } > > public void addAccount(String username, String password, SimpleRole... > roles) { > //Get all the role names from the roles array > Set<String> roleNames = > Arrays.stream(roles).map(SimpleRole::getName).collect(Collectors.toSet()); > > //Get every permission from the roles > Set<Permission> permissions = new HashSet<>(); > Arrays.stream(roles).forEach(r -> > permissions.addAll(r.getPermissions())); > > SimpleAccount account = new SimpleAccount(username, password, > getName(), > roleNames, permissions); > add(account); > } > } > > > > I have a simple Main class: > > > public class Main { > public static void main(String[] args) { > GuiceTest test = new GuiceTest(); > test.gogo(); > } > } > > > > My test class looks like: > > > public class GuiceTest { > private Injector injector; > private SecurityManager securityManager; > > public GuiceTest() { > injector = Guice.createInjector(new MyShiroModule(), new > ShiroAopModule()); > securityManager = injector.getInstance(SecurityManager.class); > SecurityUtils.setSecurityManager(securityManager); > } > > public void gogo() { > Subject currentUser = SecurityUtils.getSubject(); > loginUser(currentUser); > > testValidWithoutAnnotation(currentUser); > testInvalidWithoutAnnotation(currentUser); > testValidRoleAnnotation(); > testInvalidRoleAnnotation(); > > currentUser.logout(); > } > > > private void loginUser(Subject currentUser) { > if (!currentUser.isAuthenticated()) { > UsernamePasswordToken token = new UsernamePasswordToken("kenzo", > "atreides"); > token.setRememberMe(true); > try { > currentUser.login(token); > > //say who they are: > //print their identifying principal (in this case, a username): > System.out.println("User [" + currentUser.getPrincipal() + "] > logged in successfully."); > } catch (UnknownAccountException uae) { > System.out.println("There is no user with username of " + > token.getPrincipal()); > } catch (IncorrectCredentialsException ice) { > System.out.println("Password for account " + > token.getPrincipal() + " was incorrect!"); > } catch (LockedAccountException lae) { > System.out.println("The account for username " + > token.getPrincipal() + " is locked. " + > "Please contact your administrator to unlock it."); > } > // ... catch more exceptions here (maybe custom ones specific to > your application? > catch (AuthenticationException ae) { > //unexpected condition? error? > } > } > } > > > @RequiresRoles("dontHaveThisRoles") > public void testInvalidRoleAnnotation() { > System.out.println("Testing (with annotation) that the user has the > role 'dontHaveThisRoles'. User doesn't have this, so it should cause an > AuthenticationException."); > } > > @RequiresRoles("duke") > public void testValidRoleAnnotation() { > System.out.println("Testing (with annotation) that the user has the > role 'duke'. User has this role, so this should be printed."); > } > > private void testValidWithoutAnnotation(Subject currentUser) { > if (currentUser.hasRole("duke")) { > System.out.println("Testing (without annotation) that the user > has the role 'duke'. User has this role."); > > } else { > System.out.println("Pleb"); > } > } > > private void testInvalidWithoutAnnotation(Subject currentUser) { > if (!currentUser.hasRole("nope")) { > System.out.println("Testing (without annotation) that the user > has the role 'nope'. User doesn't have this role."); > } > } > > } > > > > > > When running the application I get the following output: > > User [kenzo] logged in successfully. > Testing (without annotation) that the user has the role 'duke'. User has > this role. > Testing (without annotation) that the user has the role 'nope'. User > doesn't > have this role. > Testing (with annotation) that the user has the role 'duke'. User has this > role, so this should be printed. > Testing (with annotation) that the user has the role 'dontHaveThisRoles'. > User doesn't have this, so it should cause an AuthenticationException. > > > > > The problem lies in the fifth line. Since the logged in user doesn't have > the 'dontHaveThisRoles' role, I expected an AuthenticationException. But > this doesn't happen. I've been debugging the assertAuthorized method in the > RoleAnnotationHandler class to see what's happening. But it looks like I > don't even enter the assertAuthorized method. > > > > > Note: My dependencies: > > <dependencies> > <dependency> > <groupId>org.apache.shiro</groupId> > <artifactId>shiro-guice</artifactId> > <version>1.4.0</version> > </dependency> > > > <dependency> > <groupId>commons-logging</groupId> > <artifactId>commons-logging</artifactId> > <version>1.1.1</version> > </dependency> > </dependencies> > > > Since I'm creating my own realm, I don't have a shiro.ini file. > > > > > -- > Sent from: http://shiro-user.582556.n2.nabble.com/ >