Apache Shiro: How do I add a new annotation method interceptor into the mix? - shiro

I am looking at this class: https://shiro.apache.org/static/1.3.1/xref/org/apache/shiro/spring/security/interceptor/AopAllianceAnnotationsAuthorizingMethodInterceptor.html
It is registering all method interceptors that work with Shiro. Among them is this interceptor:
PermissionAnnotationMethodInterceptor.
I want to create my own custom interceptor and integrate it into the Shiro model.
My own interceptor would be replacing the existing PermissionAnnotationMethodInterceptor.
How do I do it in a clean programmatic Spring Boot way?

You should be able to replace the AuthorizationAttributeSourceAdvisor bean with your own implementation.
Or implement your own annotations any way you want and disable Shiro's annotation processing: shiro.annotations.enabled=false
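
One way to wire the first suggestion, as an added example that is not part of the original answer or Shiro's own code. It assumes the Shiro Spring Boot starter's auto-configured advisor backs off when the application defines its own AuthorizationAttributeSourceAdvisor bean; CustomShiroAnnotationConfig, AuditingPermissionHandler and AuditingPermissionInterceptor are hypothetical names.

```java
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.aop.AnnotationResolver;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.aop.*;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.aop.SpringAnnotationResolver;
import org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CustomShiroAnnotationConfig {  // hypothetical class name
    // Hypothetical handler: Shiro's own @RequiresPermissions check, plus an audit line on denial.
    static class AuditingPermissionHandler extends PermissionAnnotationHandler {
        @Override
        public void assertAuthorized(Annotation a) throws AuthorizationException {
            try {
                super.assertAuthorized(a);
            } catch (AuthorizationException e) {
                LoggerFactory.getLogger("authz.audit").warn("denied {} for {}", a, getSubject().getPrincipal());
                throw e;  // fail closed: the denial is logged, never swallowed
            }
        }
    }
    // Hypothetical interceptor that plugs the handler above into Shiro's interceptor chain.
    static class AuditingPermissionInterceptor extends AuthorizingAnnotationMethodInterceptor {
        AuditingPermissionInterceptor(AnnotationResolver resolver) {
            super(new AuditingPermissionHandler(), resolver);
        }
    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager sm) {
        AopAllianceAnnotationsAuthorizingMethodInterceptor advice =
                new AopAllianceAnnotationsAuthorizingMethodInterceptor();
        // Keep the role/authenticated/user/guest interceptors; drop only the stock permission one.
        List<AuthorizingAnnotationMethodInterceptor> chain = new ArrayList<>(advice.getMethodInterceptors());
        chain.removeIf(i -> i instanceof PermissionAnnotationMethodInterceptor);
        chain.add(new AuditingPermissionInterceptor(new SpringAnnotationResolver()));
        advice.setMethodInterceptors(chain);
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(sm);
        advisor.setAdvice(advice);
        return advisor;
    }
}
```

The stock advisor's matches() only selects methods carrying Shiro's built-in annotations, so an interceptor for a brand-new annotation type also needs an advisor subclass that overrides matches(); otherwise the annotated methods are never intercepted and the check is silently skipped.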

Related

Spring Batch - Use the application's Transaction Manager

I have a spring batch job as part of an application. The application already has a TransactionManager and when I use the @EnableBatchProcessing Spring Batch also tries to create a TransactionManager in the SimpleBatchConfiguration. I can't use the override bean property here as I need to use the application's TransactionManager. I was thinking of creating a custom annotation like the @EnableBatchProcessing and using a custom configuration which does not create a TransactionManager. Is there a better way to set or configure SpringBatch to use the existing application's TransactionManager and not create its own?
This is a known issue: https://github.com/spring-projects/spring-batch/issues/816, which was fixed in v5.0.0-M1.
Is there a better way to set or configure SpringBatch to use the existing application's TransactionManager and not create its own?
Unless you remove the usage of @EnableBatchProcessing, you won't be able to prevent the exposure of the transaction manager bean because of the @Bean annotation on org.springframework.batch.core.configuration.annotation.SimpleBatchConfiguration#transactionManager.
That said, you can provide a custom BatchConfigurer and override getTransactionManager to instruct Spring Batch to use a custom transaction manager. This is mentioned in documentation here.

Document custom annotation in spring rest docs

I have to integrate spring rest docs in a legacy project where they use a bunch of custom annotations (such as, for example, the user roles).
Is there a way in spring rest docs to document this annotation?
Spring REST Docs works at the level of HTTP requests and responses. By design, it doesn't know anything about annotations or how those requests are handled and the responses created. This ensures that what you're documenting is at the same level as a client interacting with your service over HTTP.
If you want to include information about @PreAuthorize or an annotation that is similar to it, you will have to write something yourself to do that. If you want to fit into the REST Docs way of doing things, you could implement a custom Snippet that's configured with a class or method from which it extracts the annotation using reflection and generates some documentation from it.

Why is there no @FeignClient annotation in feign client template in OpenApi

Straight to the point -> does anybody know why this template file does not have the @FeignClient annotation?
The problem is we would like to use the @EnableFeignClients annotation in our configuration, but it seems like without @FeignClient annotations in generated clients we are forced to create client beans explicitly.

Autogenerated REST endpoint from Hibernate?

I have a very simple service project (SpringBootApplication) that exposes a REST endpoint via a Spring Boot controller class. The controller maps an /events endpoint that converts a simple incoming event DTO into a slightly different event entity object that is then persisted in a database via a org.springframework.data.repository.CrudRepository instance.
In my controller, I am only mapping the POST operator because I don't want my clients to be able to GET, PUT or DELETE data from the service.
During a security scan today, I discovered that the service is exposing a /eventsEntities endpoint, which appears to be mapping all of the CrudRepository verbs into the REST endpoint.
Any idea how I managed to enable this automatic endpoint and more importantly, how to disable it? I'm using Spring Boot 1.2.2.
After some additional digging, I realized that I had inadvertently included org.springframework.boot:spring-boot-starter-data-rest in my compile dependencies. That starter includes spring-data-rest-webmvc, which exposes JPA data over REST. Removing that dependency resolved the issue.
Hope my realization helps someone else in the future.

How can I access SecurityContext programmatically but not through annotation in CXF JAX-RS?

I'm trying to access the javax.ws.rs.core.SecurityContext in my class programmatically and not using @Context annotations; is there a way to do it?
E.g. Spring provides an implementation like SecurityContextHolder.getContext() that gets the object from the ThreadLocal; is there a similar implementation available in CXF JAX-RS?