Record problems with shiro at work. In fact, many problems are explained in official documents, but only limited to English reading ability. Only after solving the problem, can we find that it was explained.
- The shiro annotation @RequiresGuest, etc. is an intersection of permissions. Check order:
RequiresRoles RequiresPermissions RequiresAuthentication RequiresUser RequiresGuest : RequiresGuest === subject.getPrincipal() == null.
RequiresGuest: org.apache.shiro.authz.aop.GuestAnnotationHandler:
/** * Ensures that the calling <code>Subject</code> is NOT a <em>user</em>, that is, they do not * have an {@link org.apache.shiro.subject.Subject#getPrincipal() identity} before continuing. If they are * a user ({@link org.apache.shiro.subject.Subject#getPrincipal() Subject.getPrincipal()} != null), an * <code>AuthorizingException</code> will be thrown indicating that execution is not allowed to continue. * * @param a the annotation to check for one or more roles * @throws org.apache.shiro.authz.AuthorizationException * if the calling <code>Subject</code> is not a "guest". */ public void assertAuthorized(Annotation a) throws AuthorizationException { if (a instanceof RequiresGuest && getSubject().getPrincipal() != null) { throw new UnauthenticatedException("Attempting to perform a guest-only operation. The current Subject is " + "not a guest (they have been authenticated or remembered from a previous login). Access " + "denied."); } }
That is to say, RequiresGuest actually allows only subject.getPrincipal() (not logged in | anonymous) user rights, not anonymity and above.
- shiro The annotation @RequiresGuest execution order is after shiroFilterFactoryBean. filterChain DefinitionMap. shiro annotations are proxy objects generated by spring-aop for annotation method. Thus, AOP authentication permissions are performed before execution. org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor:
/** * Creates a {@link MethodInvocation MethodInvocation} that wraps an * {@link org.aopalliance.intercept.MethodInvocation org.aopalliance.intercept.MethodInvocation} instance, * enabling Shiro Annotations in <a href="http://aopalliance.sourceforge.net/">AOP Alliance</a> environments * (Spring, etc). * * @param implSpecificMethodInvocation AOP Alliance {@link org.aopalliance.intercept.MethodInvocation MethodInvocation} * @return a Shiro {@link MethodInvocation MethodInvocation} instance that wraps the AOP Alliance instance. */ protected org.apache.shiro.aop.MethodInvocation createMethodInvocation(Object implSpecificMethodInvocation) { final MethodInvocation mi = (MethodInvocation) implSpecificMethodInvocation; return new org.apache.shiro.aop.MethodInvocation() { public Method getMethod() { return mi.getMethod(); } public Object[] getArguments() { return mi.getArguments(); } public String toString() { return "Method invocation [" + mi.getMethod() + "]"; } public Object proceed() throws Throwable { return mi.proceed(); } public Object getThis() { return mi.getThis(); } }; } /** * Creates a Shiro {@link MethodInvocation MethodInvocation} instance and then immediately calls * {@link org.apache.shiro.authz.aop.AuthorizingMethodInterceptor#invoke super.invoke}. * * @param methodInvocation the AOP Alliance-specific <code>methodInvocation</code> instance. * @return the return value from invoking the method invocation. * @throws Throwable if the underlying AOP Alliance method invocation throws a <code>Throwable</code>. */ public Object invoke(MethodInvocation methodInvocation) throws Throwable { org.apache.shiro.aop.MethodInvocation mi = createMethodInvocation(methodInvocation); return super.invoke(mi); }
The inheritance structure of org.apache.shiro.aop.MethodInvocation is as follows:
Therefore, authorization can be finally authenticated in org. apache. shiro. authz. aop. AuthorizingAnnotation Method Interceptor:
/** * Ensures the <code>methodInvocation</code> is allowed to execute first before proceeding by calling the * {@link #assertAuthorized(org.apache.shiro.aop.MethodInvocation) assertAuthorized} method first. * * @param methodInvocation the method invocation to check for authorization prior to allowing it to proceed/execute. * @return the return value from the method invocation (the value of {@link org.apache.shiro.aop.MethodInvocation#proceed() MethodInvocation.proceed()}). * @throws org.apache.shiro.authz.AuthorizationException if the <code>MethodInvocation</code> is not allowed to proceed. * @throws Throwable if any other error occurs. */ public Object invoke(MethodInvocation methodInvocation) throws Throwable { assertAuthorized(methodInvocation); return methodInvocation.proceed(); } /** * Ensures the calling Subject is authorized to execute the specified <code>MethodInvocation</code>. * <p/> * As this is an AnnotationMethodInterceptor, this implementation merely delegates to the internal * {@link AuthorizingAnnotationHandler AuthorizingAnnotationHandler} by first acquiring the annotation by * calling {@link #getAnnotation(MethodInvocation) getAnnotation(methodInvocation)} and then calls * {@link AuthorizingAnnotationHandler#assertAuthorized(java.lang.annotation.Annotation) handler.assertAuthorized(annotation)}. * * @param mi the <code>MethodInvocation</code> to check to see if it is allowed to proceed/execute. * @throws AuthorizationException if the method invocation is not allowed to continue/execute. */ public void assertAuthorized(MethodInvocation mi) throws AuthorizationException { try { ((AuthorizingAnnotationHandler)getHandler()).assertAuthorized(getAnnotation(mi)); } catch(AuthorizationException ae) { // Annotation handler doesn't know why it was called, so add the information here if possible. // Don't wrap the exception here since we don't want to mask the specific exception, such as // UnauthenticatedException etc. if (ae.getCause() == null) ae.initCause(new AuthorizationException("Not authorized to invoke method: " + mi.getMethod())); throw ae; } } /** * Returns the {@code AnnotationHandler} used to perform authorization behavior based on * an annotation discovered at runtime. * * @return the {@code AnnotationHandler} used to perform authorization behavior based on * an annotation discovered at runtime. */ public AnnotationHandler getHandler() { return handler; }
Privilege authentication is mainly through subclasses of org.apache.shiro.aop.AnnotationHandler
For example: org. apache. shiro. authz. aop. Guest Annotation Handler (@RequiresGuest)
/** * Checks to see if a @{@link org.apache.shiro.authz.annotation.RequiresGuest RequiresGuest} annotation * is declared, and if so, ensures the calling <code>Subject</code> does <em>not</em> * have an {@link org.apache.shiro.subject.Subject#getPrincipal() identity} before invoking the method. * <p> * This annotation essentially ensures that <code>subject.{@link org.apache.shiro.subject.Subject#getPrincipal() getPrincipal()} == null</code>. * * @since 0.9.0 */ public class GuestAnnotationHandler extends AuthorizingAnnotationHandler { /** * Default no-argument constructor that ensures this interceptor looks for * * {@link org.apache.shiro.authz.annotation.RequiresGuest RequiresGuest} annotations in a method * declaration. */ public GuestAnnotationHandler() { super(RequiresGuest.class); } /** * Ensures that the calling <code>Subject</code> is NOT a <em>user</em>, that is, they do not * have an {@link org.apache.shiro.subject.Subject#getPrincipal() identity} before continuing. If they are * a user ({@link org.apache.shiro.subject.Subject#getPrincipal() Subject.getPrincipal()} != null), an * <code>AuthorizingException</code> will be thrown indicating that execution is not allowed to continue. * * @param a the annotation to check for one or more roles * @throws org.apache.shiro.authz.AuthorizationException * if the calling <code>Subject</code> is not a "guest". */ public void assertAuthorized(Annotation a) throws AuthorizationException { if (a instanceof RequiresGuest && getSubject().getPrincipal() != null) { throw new UnauthenticatedException("Attempting to perform a guest-only operation. The current Subject is " + "not a guest (they have been authenticated or remembered from a previous login). Access " + "denied."); } } }
So shiro annotation is implemented after filter interception and authenticates permissions through aop proxy