001    /*
002     * Licensed to the Apache Software Foundation (ASF) under one
003     * or more contributor license agreements.  See the NOTICE file
004     * distributed with this work for additional information
005     * regarding copyright ownership.  The ASF licenses this file
006     * to you under the Apache License, Version 2.0 (the
007     * "License"); you may not use this file except in compliance
008     * with the License.  You may obtain a copy of the License at
009     *
010     *     http://www.apache.org/licenses/LICENSE-2.0
011     *
012     * Unless required by applicable law or agreed to in writing,
013     * software distributed under the License is distributed on an
014     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     * KIND, either express or implied.  See the License for the
016     * specific language governing permissions and limitations
017     * under the License.
018     */
019    package org.apache.shiro.authz.aop;
020    
021    import org.apache.shiro.aop.AnnotationMethodInterceptor;
022    import org.apache.shiro.aop.AnnotationResolver;
023    import org.apache.shiro.aop.MethodInvocation;
024    import org.apache.shiro.authz.AuthorizationException;
025    
026    
027    /**
028     * An <tt>AnnotationMethodInterceptor</tt> that asserts the calling code is authorized to execute the method
029     * before allowing the invocation to continue by inspecting code annotations to perform an access control check.
030     *
031     * @since 0.1
032     */
033    public abstract class AuthorizingAnnotationMethodInterceptor extends AnnotationMethodInterceptor
034    {
035        
036        /**
037         * Constructor that ensures the internal <code>handler</code> is set which will be used to perform the
038         * authorization assertion checks when a supported annotation is encountered.
039         * @param handler the internal <code>handler</code> used to perform authorization assertion checks when a 
040         * supported annotation is encountered.
041         */
042        public AuthorizingAnnotationMethodInterceptor( AuthorizingAnnotationHandler handler ) {
043            super(handler);
044        }
045    
046        /**
047         *
048         * @param handler
049         * @param resolver
050         * @since 1.1
051         */
052        public AuthorizingAnnotationMethodInterceptor( AuthorizingAnnotationHandler handler,
053                                                       AnnotationResolver resolver) {
054            super(handler, resolver);
055        }
056    
057        /**
058         * Ensures the <code>methodInvocation</code> is allowed to execute first before proceeding by calling the
059         * {@link #assertAuthorized(org.apache.shiro.aop.MethodInvocation) assertAuthorized} method first.
060         *
061         * @param methodInvocation the method invocation to check for authorization prior to allowing it to proceed/execute.
062         * @return the return value from the method invocation (the value of {@link org.apache.shiro.aop.MethodInvocation#proceed() MethodInvocation.proceed()}).
063         * @throws org.apache.shiro.authz.AuthorizationException if the <code>MethodInvocation</code> is not allowed to proceed.
064         * @throws Throwable if any other error occurs.
065         */
066        public Object invoke(MethodInvocation methodInvocation) throws Throwable {
067            assertAuthorized(methodInvocation);
068            return methodInvocation.proceed();
069        }
070    
071        /**
072         * Ensures the calling Subject is authorized to execute the specified <code>MethodInvocation</code>.
073         * <p/>
074         * As this is an AnnotationMethodInterceptor, this implementation merely delegates to the internal
075         * {@link AuthorizingAnnotationHandler AuthorizingAnnotationHandler} by first acquiring the annotation by
076         * calling {@link #getAnnotation(MethodInvocation) getAnnotation(methodInvocation)} and then calls
077         * {@link AuthorizingAnnotationHandler#assertAuthorized(java.lang.annotation.Annotation) handler.assertAuthorized(annotation)}.
078         *
079         * @param mi the <code>MethodInvocation</code> to check to see if it is allowed to proceed/execute.
080         * @throws AuthorizationException if the method invocation is not allowed to continue/execute.
081         */
082        public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
083            try {
084                ((AuthorizingAnnotationHandler)getHandler()).assertAuthorized(getAnnotation(mi));
085            }
086            catch(AuthorizationException ae) {
087                // Annotation handler doesn't know why it was called, so add the information here if possible. 
088                // Don't wrap the exception here since we don't want to mask the specific exception, such as 
089                // UnauthenticatedException etc. 
090                if (ae.getCause() == null) ae.initCause(new AuthorizationException("Not authorized to invoke method: " + mi.getMethod()));
091                throw ae;
092            }         
093        }
094    }