Can I use expressions in Apache Shiro security annotations?

Question

I've been doing some comparisons between Apache Shiro and Spring Security - I'm really loving the security model that Shiro uses and believe it to be far cleaner that Spring Security.

However, one big nice-to-have would be to be able to reference method parameters from within the method-level security annotations. For example, right now I could so something like:

@RequiresPermissions("account:send:*") public void sendEmail( EmailAccount account, String to, String subject, String message) { ... } 

Within the context of this example, this means that the authenticated user must have the permission to send emails on email accounts.

However, this is not fine-grained enough, as I want instance level permissions! In this context, assume that users can have permissions on instances of email accounts. So, I'd like to write the previous code something like this:

@RequiresPermissions("account:send:${account.id}") public void sendEmail( EmailAccount account, String to, String subject, String message) { ... } 

In this way, the permission string is referencing a parameter passed into the method such that the method can be secured against a particular instance of EmailAccount.

I know I could easily do this from plain Java code within the method, but it would be great to achieve the same thing using annotations - I know Spring Security supports Spring EL expressions in its annotations.

Is this definitely not a feature of Shiro and thus will I have to write my own custom annotations?

Thanks,

Andrew

Answer 1

Look at the classes in http://shiro.apache.org/static/current/apidocs/org/apache/shiro/authz/aop/package-summary.html, especially PermissionAnnotationHandler. There you can see that all Shiro does when encountering the @RequiresPermissions annotation is call getSubject().isPermitted(permission) and does no substitution inside the annotation value at all. You would have to somehow override that handler if you wanted this kind of functionality.

So to answer your question: yes, this is definitely not a feature of Shiro and you have to either write your own annotation or somehow override that handler.