package org.secnod.shiro.jersey;
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresGuest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
/**
* Wraps {@link AuthorizationFilter filters} around JAX-RS resources that are annotated with Shiro annotations.
*/
public class AuthorizationFilterFeature implements DynamicFeature {
private static List<Class<? extends Annotation>> shiroAnnotations = Collections.unmodifiableList(Arrays.asList(
RequiresPermissions.class,
RequiresRoles.class,
RequiresAuthentication.class,
RequiresUser.class,
RequiresGuest.class));
@Override
public void configure(ResourceInfo resourceInfo, FeatureContext context) {
List<Annotation> authzSpecs = new ArrayList<>();
for (Class<? extends Annotation> annotationClass : shiroAnnotations) {
// XXX What is the performance of getAnnotation vs getAnnotations?
Annotation classAuthzSpec = resourceInfo.getResourceClass().getAnnotation(annotationClass);
Annotation methodAuthzSpec = resourceInfo.getResourceMethod().getAnnotation(annotationClass);
if (classAuthzSpec != null) authzSpecs.add(classAuthzSpec);
if (methodAuthzSpec != null) authzSpecs.add(methodAuthzSpec);
}
if (!authzSpecs.isEmpty()) {
context.register(new AuthorizationFilter(authzSpecs), Priorities.AUTHORIZATION);
}
}
}
