35

I've been doing some comparisons between Apache Shiro and Spring Security - I'm really loving the security model that Shiro uses and believe it to be far cleaner that Spring Security.

However, one big nice-to-have would be to be able to reference method parameters from within the method-level security annotations. For example, right now I could so something like:

@RequiresPermissions("account:send:*")
public void sendEmail( EmailAccount account, String to, String subject, String message) { ... }

Within the context of this example, this means that the authenticated user must have the permission to send emails on email accounts.

However, this is not fine-grained enough, as I want instance level permissions! In this context, assume that users can have permissions on instances of email accounts. So, I'd like to write the previous code something like this:

@RequiresPermissions("account:send:${account.id}")
public void sendEmail( EmailAccount account, String to, String subject, String message) { ... }

In this way, the permission string is referencing a parameter passed into the method such that the method can be secured against a particular instance of EmailAccount.

I know I could easily do this from plain Java code within the method, but it would be great to achieve the same thing using annotations - I know Spring Security supports Spring EL expressions in its annotations.

Is this definitely not a feature of Shiro and thus will I have to write my own custom annotations?

Thanks,

Andrew

yorkw
  • 40,926
  • 10
  • 117
  • 130
DrewEaster
  • 3,316
  • 3
  • 35
  • 39

2 Answers2

8

Look at the classes in http://shiro.apache.org/static/current/apidocs/org/apache/shiro/authz/aop/package-summary.html, especially PermissionAnnotationHandler. There you can see that all Shiro does when encountering the @RequiresPermissions annotation is call getSubject().isPermitted(permission) and does no substitution inside the annotation value at all. You would have to somehow override that handler if you wanted this kind of functionality.

So to answer your question: yes, this is definitely not a feature of Shiro and you have to either write your own annotation or somehow override that handler.

Uli
  • 574
  • 3
  • 12
  • 1
    @drewzilla I came up to this q/a in the "my tags" view, and I am wondering if the answer isn't correct. Note that negative answers can be answers as well. Could you indicate if anything is missing from the answer? – Maarten Bodewes Sep 19 '12 at 12:51
3

This feature is currently not supported by Shiro. Multiple people have requested this feature. Perhaps we can vote for the issue?

https://issues.apache.org/jira/browse/SHIRO-484

https://issues.apache.org/jira/browse/SHIRO-77

https://issues.apache.org/jira/browse/SHIRO-417

https://issues.apache.org/jira/browse/SHIRO-331

user64141
  • 5,141
  • 4
  • 37
  • 34
  • '${account.id}' this is obviously using Spring's BeanWrapper (reflection). Although it might prevent some lines of code to be written IMHO this is not part of a security framework as Shiro intends to be. – corlaez Nov 18 '16 at 15:42
  • Great but this is not fixed yet. If we're using Spring, is there any way to use it like other Spring annotation now? – tobe Aug 23 '17 at 16:25