001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 */ 019package org.apache.shiro.authz.aop; 020 021import java.lang.annotation.Annotation; 022 023import org.apache.shiro.authz.AuthorizationException; 024import org.apache.shiro.authz.UnauthenticatedException; 025import org.apache.shiro.authz.annotation.RequiresGuest; 026 027 028/** 029 * Checks to see if a @{@link org.apache.shiro.authz.annotation.RequiresGuest RequiresGuest} annotation 030 * is declared, and if so, ensures the calling <code>Subject</code> does <em>not</em> 031 * have an {@link org.apache.shiro.subject.Subject#getPrincipal() identity} before invoking the method. 032 * <p> 033 * This annotation essentially ensures that <code>subject.{@link org.apache.shiro.subject.Subject#getPrincipal() getPrincipal()} == null</code>. 034 * 035 * @since 0.9.0 036 */ 037public class GuestAnnotationHandler extends AuthorizingAnnotationHandler { 038 039 /** 040 * Default no-argument constructor that ensures this interceptor looks for 041 * 042 * {@link org.apache.shiro.authz.annotation.RequiresGuest RequiresGuest} annotations in a method 043 * declaration. 044 */ 045 public GuestAnnotationHandler() { 046 super(RequiresGuest.class); 047 } 048 049 /** 050 * Ensures that the calling <code>Subject</code> is NOT a <em>user</em>, that is, they do not 051 * have an {@link org.apache.shiro.subject.Subject#getPrincipal() identity} before continuing. If they are 052 * a user ({@link org.apache.shiro.subject.Subject#getPrincipal() Subject.getPrincipal()} != null), an 053 * <code>AuthorizingException</code> will be thrown indicating that execution is not allowed to continue. 054 * 055 * @param a the annotation to check for one or more roles 056 * @throws org.apache.shiro.authz.AuthorizationException 057 * if the calling <code>Subject</code> is not a "guest". 058 */ 059 public void assertAuthorized(Annotation a) throws AuthorizationException { 060 if (a instanceof RequiresGuest && getSubject().getPrincipal() != null) { 061 throw new UnauthenticatedException("Attempting to perform a guest-only operation. The current Subject is " + 062 "not a guest (they have been authenticated or remembered from a previous login). Access " + 063 "denied."); 064 } 065 } 066}