001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.shiro.authz.aop;
020
021import java.lang.annotation.Annotation;
022
023import org.apache.shiro.authz.AuthorizationException;
024import org.apache.shiro.authz.UnauthenticatedException;
025import org.apache.shiro.authz.annotation.RequiresUser;
026
027
028/**
029 * Checks to see if a @{@link org.apache.shiro.authz.annotation.RequiresUser RequiresUser} annotation
030 * is declared, and if so, ensures the calling <code>Subject</code> is <em>either</em>
031 * {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} <b><em>or</em></b> remembered via remember
032 * me services before allowing access.
033 * <p>
034 * This annotation essentially ensures that <code>subject.{@link org.apache.shiro.subject.Subject#getPrincipal() getPrincipal()} != null</code>.
035 *
036 * @since 0.9.0
037 */
038public class UserAnnotationHandler extends AuthorizingAnnotationHandler {
039
040    /**
041     * Default no-argument constructor that ensures this handler looks for
042     *
043     * {@link org.apache.shiro.authz.annotation.RequiresUser RequiresUser} annotations.
044     */
045    public UserAnnotationHandler() {
046        super(RequiresUser.class);
047    }
048
049    /**
050     * Ensures that the calling <code>Subject</code> is a <em>user</em>, that is, they are <em>either</code>
051     * {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} <b><em>or</em></b> remembered via remember
052     * me services before allowing access, and if not, throws an
053     * <code>AuthorizingException</code> indicating access is not allowed.
054     *
055     * @param a the RequiresUser annotation to check
056     * @throws org.apache.shiro.authz.AuthorizationException
057     *         if the calling <code>Subject</code> is not authenticated or remembered via rememberMe services.
058     */
059    public void assertAuthorized(Annotation a) throws AuthorizationException {
060        if (a instanceof RequiresUser && getSubject().getPrincipal() == null) {
061            throw new UnauthenticatedException("Attempting to perform a user-only operation.  The current Subject is " +
062                    "not a user (they haven't been authenticated or remembered from a previous login).  " +
063                    "Access denied.");
064        }
065    }
066}