001    /*
002     * Licensed to the Apache Software Foundation (ASF) under one
003     * or more contributor license agreements.  See the NOTICE file
004     * distributed with this work for additional information
005     * regarding copyright ownership.  The ASF licenses this file
006     * to you under the Apache License, Version 2.0 (the
007     * "License"); you may not use this file except in compliance
008     * with the License.  You may obtain a copy of the License at
009     *
010     *     http://www.apache.org/licenses/LICENSE-2.0
011     *
012     * Unless required by applicable law or agreed to in writing,
013     * software distributed under the License is distributed on an
014     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     * KIND, either express or implied.  See the License for the
016     * specific language governing permissions and limitations
017     * under the License.
018     */
019    package org.apache.shiro.authz.aop;
020    
021    import org.apache.shiro.authz.AuthorizationException;
022    import org.apache.shiro.authz.annotation.Logical;
023    import org.apache.shiro.authz.annotation.RequiresPermissions;
024    import org.apache.shiro.authz.annotation.RequiresRoles;
025    import org.apache.shiro.subject.Subject;
026    
027    import java.lang.annotation.Annotation;
028    
029    /**
030     * Checks to see if a @{@link org.apache.shiro.authz.annotation.RequiresPermissions RequiresPermissions} annotation is
031     * declared, and if so, performs a permission check to see if the calling <code>Subject</code> is allowed continued
032     * access.
033     *
034     * @since 0.9.0
035     */
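public class PermissionAnnotationHandler extends AuthorizingAnnotationHandler {

    /**
     * Default no-argument constructor that ensures this handler looks for
     * {@link org.apache.shiro.authz.annotation.RequiresPermissions RequiresPermissions} annotations.
     */
    public PermissionAnnotationHandler() {
        super(RequiresPermissions.class);
    }

    /**
     * Returns the annotation {@link RequiresPermissions#value value}, from which the Permission will be constructed.
     *
     * @param a the RequiresPermissions annotation being inspected; must be a {@code RequiresPermissions} instance.
     * @return the annotation's <code>value</code>, from which the Permission will be constructed.
     * @throws ClassCastException if {@code a} is not a {@code RequiresPermissions} annotation.
     */
    protected String[] getAnnotationValue(Annotation a) {
        RequiresPermissions rpAnnotation = (RequiresPermissions) a;
        return rpAnnotation.value();
    }

    /**
     * Ensures that the calling <code>Subject</code> has the Annotation's specified permissions, and if not, throws an
     * <code>AuthorizationException</code> indicating access is denied.
     * <p/>
     * Evaluation rules:
     * <ul>
     * <li>a single declared permission is checked directly, whatever {@link RequiresPermissions#logical()} says;</li>
     * <li>{@link Logical#OR} requires at least one declared permission to be held. An OR annotation that declares
     * no permissions at all is a misconfiguration and is denied with a clear {@code AuthorizationException}
     * instead of failing with an {@code ArrayIndexOutOfBoundsException};</li>
     * <li>every other case ({@link Logical#AND}, and any value this handler does not recognise) requires all
     * declared permissions, so the fallback is the strictest interpretation rather than a silent allow.</li>
     * </ul>
     * Annotations other than {@code RequiresPermissions} are ignored.
     *
     * @param a the RequiresPermissions annotation being inspected to check for one or more permissions
     * @throws org.apache.shiro.authz.AuthorizationException
     *          if the calling <code>Subject</code> does not have the permission(s) necessary to
     *          continue access or execution.
     */
    @Override
    public void assertAuthorized(Annotation a) throws AuthorizationException {
        if (!(a instanceof RequiresPermissions)) {
            return;
        }

        RequiresPermissions rpAnnotation = (RequiresPermissions) a;
        String[] perms = getAnnotationValue(a);
        Subject subject = getSubject();

        // A single permission needs no AND/OR logic; let the Subject raise its own (accurately worded) exception.
        if (perms.length == 1) {
            subject.checkPermission(perms[0]);
            return;
        }
        if (Logical.OR.equals(rpAnnotation.logical())) {
            assertAnyPermitted(subject, perms);
            return;
        }
        // AND, and the fallback for anything unrecognised: every declared permission must be held.
        // NOTE(review): with an empty array the outcome is whatever checkPermissions does for no permissions.
        subject.checkPermissions(perms);
    }

    /**
     * Asserts that {@code subject} holds at least one of {@code perms} (OR semantics).
     *
     * @param subject the calling Subject.
     * @param perms   the permissions declared on the annotation; must not be {@code null}.
     * @throws AuthorizationException if {@code perms} is empty (nothing could ever satisfy the check) or the
     *                                Subject holds none of the listed permissions.
     */
    private static void assertAnyPermitted(Subject subject, String[] perms) {
        if (perms.length == 0) {
            throw new AuthorizationException(
                    "@RequiresPermissions with Logical.OR declares no permissions; denying access.");
        }
        // Query first so the comparatively expensive exception is only built when access is really denied,
        // and stop at the first match - further checks cannot change the outcome.
        for (String permission : perms) {
            if (subject.isPermitted(permission)) {
                return;
            }
        }
        // None matched: delegate to checkPermission so the thrown exception type matches the single-permission
        // path. Its message names only the first permission, which is a bit misleading for an OR list.
        subject.checkPermission(perms[0]);
    }
}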