Annotation support with Apache Shiro

Apache Shiro is a Java framework to simply authentication, authorization etc. I previously blogged about a test-case I wrote that shows how to use Shiro with Apache CXF to authenticate and authorize a username and password received as part of a web service request. This post extends the previous post by showing how to use Shiro to enable authorization via annotations on the service implementation.

The previous post defined some required roles for an endpoint in Spring, and passed them through to a ShiroUTValidator class which checks that the authenticated subject has all of the defined roles:

	<util:list id="requiredRolesList">
	<value>boss</value>
	</util:list>
	<bean class="org.apache.coheigea.cxf.shiro.authentication.ShiroUTValidator" id="utValidator">
	<constructor-arg value="src/test/resources/securityconfig.ini"/>
	<property name="requiredRoles" ref="requiredRolesList"/>
	</bean>

view raw gistfile1.txt hosted with ❤ by GitHub

The problem with this approach is that it's not possible to specify individual roles for different methods in the service implementation - the user must have the role to invoke on any of the methods.

An alternative is instead to use Shiro's annotation support. Here we can add annotations to the service endpoint implementation to require that the authenticated user has the correct role (@RequiresRoles) or permissions (@RequiresPermissions). Note that these annotations are specific to Shiro, support is not yet added to support the standard javax.annotation.security annotations (see here).

So to change our test-case to use annotations, instead of defining the roles in Spring, we instead define the following annotation in the service implementation:

	@RequiresRoles("boss")
	public int doubleIt(int numberToDouble) {
	...
	}

view raw gistfile1.txt hosted with ❤ by GitHub

In the spring configuration for the service, we need to add a few additional interceptors so that the annotation gets processed:

	<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
	<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
	depends-on="lifecycleBeanPostProcessor"/>
	<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor" />

view raw gistfile1.txt hosted with ❤ by GitHub

That's all that's required to get Shiro annotations working with CXF service implementations. The full test source is available here.