开发者

Can I use expressions in Apache Shiro security annotations?

I've been doing some comparisons between Apache Shiro and Spring Security - I'm really loving the security model that Shiro uses and believe it to be far cleaner that Spring Security.

However, one big nice-to-have would be to be able to reference method parameters from within the method-level security annotations. For example, right now I could so something like:

@RequiresPermissions("account:send:*")
public void sendEmail( EmailAccount account, String to, String subject, String message) { ... }

Within the context of this example, this means that the authenticated user must have the permission to send emails on email accounts.

However, this is not fine-grained enough, as I want instance level permissions! In this context, assume that users can have permissions on instances of email accounts. So, I'd like to write the previous code something like this:

@Req开发者_JAVA百科uiresPermissions("account:send:${account.id}")
public void sendEmail( EmailAccount account, String to, String subject, String message) { ... }

In this way, the permission string is referencing a parameter passed into the method such that the method can be secured against a particular instance of EmailAccount.

I know I could easily do this from plain Java code within the method, but it would be great to achieve the same thing using annotations - I know Spring Security supports Spring EL expressions in its annotations.

Is this definitely not a feature of Shiro and thus will I have to write my own custom annotations?

Thanks,

Andrew


Look at the classes in http://shiro.apache.org/static/current/apidocs/org/apache/shiro/authz/aop/package-summary.html, especially PermissionAnnotationHandler. There you can see that all Shiro does when encountering the @RequiresPermissions annotation is call getSubject().isPermitted(permission) and does no substitution inside the annotation value at all. You would have to somehow override that handler if you wanted this kind of functionality.

So to answer your question: yes, this is definitely not a feature of Shiro and you have to either write your own annotation or somehow override that handler.


This feature is currently not supported by Shiro. Multiple people have requested this feature. Perhaps we can vote for the issue?

https://issues.apache.org/jira/browse/SHIRO-484

https://issues.apache.org/jira/browse/SHIRO-77

https://issues.apache.org/jira/browse/SHIRO-417

https://issues.apache.org/jira/browse/SHIRO-331

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜