001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.shiro.web.jaxrs;
020
021
022import org.apache.shiro.authz.annotation.RequiresAuthentication;
023import org.apache.shiro.authz.annotation.RequiresGuest;
024import org.apache.shiro.authz.annotation.RequiresPermissions;
025import org.apache.shiro.authz.annotation.RequiresRoles;
026import org.apache.shiro.authz.annotation.RequiresUser;
027import org.apache.shiro.web.filter.authz.AuthorizationFilter;
028
029import javax.ws.rs.Priorities;
030import javax.ws.rs.container.DynamicFeature;
031import javax.ws.rs.container.ResourceInfo;
032import javax.ws.rs.core.FeatureContext;
033import java.lang.annotation.Annotation;
034import java.util.ArrayList;
035import java.util.Arrays;
036import java.util.Collections;
037import java.util.List;
038
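/**
 * Wraps {@link AuthorizationFilter filters} around JAX-RS resources that are annotated with Shiro annotations.
 *
 * <p>When the JAX-RS runtime configures a resource method, the Shiro authorization annotations present on
 * the resource class and on the resource method are collected. If at least one is found, a single
 * {@link AnnotationAuthorizationFilter} carrying all of them is registered for that method at
 * {@link Priorities#AUTHORIZATION}.</p>
 *
 * <p><b>Security note:</b> a resource method for which no annotation is found gets no filter from this
 * feature, so this feature does not restrict access to it. The lookup uses {@code getAnnotation} on the
 * resource class and the resource method only. {@code Method.getAnnotation} does not see annotations
 * declared on an implemented interface method or on an overridden superclass method, and
 * {@code Class.getAnnotation} sees a superclass annotation only when the annotation type is
 * {@code @Inherited}. Put the Shiro annotations on the concrete resource class or method, and verify that
 * every endpoint meant to be protected actually receives a filter.</p>
 *
 * @since 1.4
 */
public class ShiroAnnotationFilterFeature implements DynamicFeature {

    /**
     * The Shiro authorization annotations this feature looks for. The reference is {@code final} and the
     * list is unmodifiable, so the set of recognised annotations cannot change after class initialisation.
     */
    private static final List<Class<? extends Annotation>> SHIRO_ANNOTATIONS = Collections.unmodifiableList(Arrays.asList(
            RequiresPermissions.class,
            RequiresRoles.class,
            RequiresAuthentication.class,
            RequiresUser.class,
            RequiresGuest.class));

    /**
     * Registers an {@link AnnotationAuthorizationFilter} for the given resource when its class or method
     * carries at least one of the recognised Shiro annotations.
     *
     * @param resourceInfo the resource class and resource method being configured
     * @param context      the configuration context the filter is registered with
     */
    @Override
    public void configure(ResourceInfo resourceInfo, FeatureContext context) {

        List<Annotation> authzSpecs = new ArrayList<Annotation>();

        for (Class<? extends Annotation> annotationClass : SHIRO_ANNOTATIONS) {
            // XXX What is the performance of getAnnotation vs getAnnotations?
            Annotation classAuthzSpec = resourceInfo.getResourceClass().getAnnotation(annotationClass);
            Annotation methodAuthzSpec = resourceInfo.getResourceMethod().getAnnotation(annotationClass);

            // Class-level and method-level annotations are both kept: a method annotation is added to the
            // class annotation, it does not replace it. How the collected annotations are evaluated is
            // decided by AnnotationAuthorizationFilter, which is not shown in this file.
            if (classAuthzSpec != null) {
                authzSpecs.add(classAuthzSpec);
            }
            if (methodAuthzSpec != null) {
                authzSpecs.add(methodAuthzSpec);
            }
        }

        // No annotation found means no filter is registered for this resource method.
        if (!authzSpecs.isEmpty()) {
            context.register(new AnnotationAuthorizationFilter(authzSpecs), Priorities.AUTHORIZATION);
        }
    }

}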