001    /*
002     * Licensed to the Apache Software Foundation (ASF) under one
003     * or more contributor license agreements.  See the NOTICE file
004     * distributed with this work for additional information
005     * regarding copyright ownership.  The ASF licenses this file
006     * to you under the Apache License, Version 2.0 (the
007     * "License"); you may not use this file except in compliance
008     * with the License.  You may obtain a copy of the License at
009     *
010     *     http://www.apache.org/licenses/LICENSE-2.0
011     *
012     * Unless required by applicable law or agreed to in writing,
013     * software distributed under the License is distributed on an
014     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     * KIND, either express or implied.  See the License for the
016     * specific language governing permissions and limitations
017     * under the License.
018     */
019    package org.apache.shiro.authz.aop;
020    
021    import org.apache.shiro.authz.AuthorizationException;
022    import org.apache.shiro.authz.annotation.RequiresPermissions;
023    import org.apache.shiro.subject.Subject;
024    import org.apache.shiro.util.PermissionUtils;
025    
026    import java.lang.annotation.Annotation;
027    import java.util.Set;
028    
029    
030    /**
031     * Checks to see if a @{@link org.apache.shiro.authz.annotation.RequiresPermissions RequiresPermissions} annotation is
032     * declared, and if so, performs a permission check to see if the calling <code>Subject</code> is allowed continued
033     * access.
034     *
035     * @author Les Hazlewood
036     * @since 0.9.0
037     */
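public class PermissionAnnotationHandler extends AuthorizingAnnotationHandler {

    /**
     * Default no-argument constructor that ensures this handler looks for
     * {@link org.apache.shiro.authz.annotation.RequiresPermissions RequiresPermissions} annotations.
     */
    public PermissionAnnotationHandler() {
        super(RequiresPermissions.class);
    }

    /**
     * Returns the annotation {@link RequiresPermissions#value value}, from which the Permission will be constructed.
     *
     * @param a the RequiresPermissions annotation being inspected. The argument is cast without a type check, so
     *          passing any other annotation type results in a <code>ClassCastException</code>.
     * @return the annotation's <code>value</code>, from which the Permission will be constructed.
     */
    protected String getAnnotationValue(Annotation a) {
        RequiresPermissions rpAnnotation = (RequiresPermissions) a;
        return rpAnnotation.value();
    }

    /**
     * Ensures that the calling <code>Subject</code> has the Annotation's specified permissions, and if not, throws an
     * <code>AuthorizationException</code> indicating access is denied.
     * <p/>
     * If the argument is <code>null</code> or is not a <code>RequiresPermissions</code> annotation, this method
     * returns without performing any check. If the annotation value yields no permission strings at all, the call
     * is rejected rather than treated as "nothing to check", so a blank annotation can never grant access.
     *
     * @param a the RequiresPermissions annotation being inspected to check for one or more permissions
     * @throws org.apache.shiro.authz.AuthorizationException
     *          if the calling <code>Subject</code> does not have the permission(s) necessary to
     *          continue access or execution, or if the annotation declares no permission.
     */
    public void assertAuthorized(Annotation a) throws AuthorizationException {
        if (!(a instanceof RequiresPermissions)) {
            // Not this handler's annotation (or null): no permission is verified on this path, so the
            // caller must not read a normal return as "authorized" for other annotation types.
            return;
        }

        Set<String> perms = PermissionUtils.toPermissionStrings(getAnnotationValue(a));

        // Fail closed. PermissionUtils is defined outside this file, so whether a blank value comes back as
        // null or as an empty set is not visible here; null would surface as a NullPointerException and an
        // empty set would reach checkPermissions with nothing to verify. Both cases are denied explicitly.
        if (perms == null || perms.isEmpty()) {
            throw new AuthorizationException(
                    "@RequiresPermissions annotation does not declare any permission; access denied.");
        }

        Subject subject = getSubject();

        if (perms.size() == 1) {
            subject.checkPermission(perms.iterator().next());
        } else {
            // All listed permissions are passed in a single call to checkPermissions.
            subject.checkPermissions(perms.toArray(new String[perms.size()]));
        }
    }
}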