001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 */ 019package org.apache.shiro.authz.aop; 020 021import org.apache.shiro.authz.AuthorizationException; 022import org.apache.shiro.authz.annotation.Logical; 023import org.apache.shiro.authz.annotation.RequiresPermissions; 024import org.apache.shiro.subject.Subject; 025 026import java.lang.annotation.Annotation; 027 028/** 029 * Checks to see if a @{@link org.apache.shiro.authz.annotation.RequiresPermissions RequiresPermissions} annotation is 030 * declared, and if so, performs a permission check to see if the calling <code>Subject</code> is allowed continued 031 * access. 032 * 033 * @since 0.9.0 034 */ 035public class PermissionAnnotationHandler extends AuthorizingAnnotationHandler { 036 037 /** 038 * Default no-argument constructor that ensures this handler looks for 039 * {@link org.apache.shiro.authz.annotation.RequiresPermissions RequiresPermissions} annotations. 040 */ 041 public PermissionAnnotationHandler() { 042 super(RequiresPermissions.class); 043 } 044 045 /** 046 * Returns the annotation {@link RequiresPermissions#value value}, from which the Permission will be constructed. 047 * 048 * @param a the RequiresPermissions annotation being inspected. 049 * @return the annotation's <code>value</code>, from which the Permission will be constructed. 050 */ 051 protected String[] getAnnotationValue(Annotation a) { 052 RequiresPermissions rpAnnotation = (RequiresPermissions) a; 053 return rpAnnotation.value(); 054 } 055 056 /** 057 * Ensures that the calling <code>Subject</code> has the Annotation's specified permissions, and if not, throws an 058 * <code>AuthorizingException</code> indicating access is denied. 059 * 060 * @param a the RequiresPermission annotation being inspected to check for one or more permissions 061 * @throws org.apache.shiro.authz.AuthorizationException if the calling <code>Subject</code> does not have 062 * the permission(s) necessary to continue access or execution. 063 */ 064 public void assertAuthorized(Annotation a) throws AuthorizationException { 065 if (!(a instanceof RequiresPermissions)) { 066 return; 067 } 068 069 RequiresPermissions rpAnnotation = (RequiresPermissions) a; 070 String[] perms = getAnnotationValue(a); 071 Subject subject = getSubject(); 072 073 if (perms.length == 1) { 074 subject.checkPermission(perms[0]); 075 return; 076 } 077 if (Logical.AND.equals(rpAnnotation.logical())) { 078 getSubject().checkPermissions(perms); 079 return; 080 } 081 if (Logical.OR.equals(rpAnnotation.logical())) { 082 // Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first 083 boolean hasAtLeastOnePermission = false; 084 for (String permission : perms) { 085 if (getSubject().isPermitted(permission)) { 086 hasAtLeastOnePermission = true; 087 break; 088 } 089 } 090 // Cause the exception if none of the role match, note that the exception message will be a bit misleading 091 if (!hasAtLeastOnePermission) { 092 getSubject().checkPermission(perms[0]); 093 } 094 095 } 096 } 097}