users@jersey.java.net

[Jersey] Accessing request attributes in a ContainerRequestFilter

From: Eric Stein <steine_at_locustec.com>
Date: Wed, 30 Oct 2013 19:24:49 +0000

I've got a Jersey API that's protected by Shibboleth, an SSO implementation. Shibboleth puts the id of the logged-in user in a request attribute. On the back end, I'm using Shiro for authorization. Shiro would like to know the logged-in user so it can load up permissions.

What is the correct way to get that userId out of the request attribute and into Shiro? Right now, what I'm trying is:

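import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.ext.Provider;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

@Provider
public final class ShiroLoginFilter implements ContainerRequestFilter {

    // Servlet request, expected to be injected by Jersey.
    @Context
    private HttpServletRequest request;

    @Override
    public void filter(final ContainerRequestContext requestContext)
        throws IOException {

        // Shibboleth stores the id of the logged-in user in the "nameid" request attribute.
        final String userId = (String) this.request.getAttribute("nameid");
        // Log the user in to Shiro so it can load permissions.
        final Subject subject = SecurityUtils.getSubject();
        subject.login(new LocusAuthenticationToken(userId));

    }
}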

Unfortunately, due to JERSEY-1960[1], I can't inject the request context into a filter. Every user needs to "login" in order to load permissions. I'd rather not have to repeat the login code in every method of the API. I am also not permitted to use a web.xml filter (by my boss). Do I have any good option here?

Thanks,
Eric

[1] https://java.net/jira/browse/JERSEY-1960

(Question also posted to StackOverflow: http://stackoverflow.com/questions/19691753/read-request-attribute-in-a-jersey-containerrequestfilter)
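
An added example, not part of the original post and not Jersey's or Shiro's own code: a filter that reads the "nameid" attribute through ContainerRequestContext.getProperty instead of an injected HttpServletRequest, and rejects the request when the attribute is missing. It assumes a servlet deployment in which request properties expose the servlet request attributes, as the JAX-RS 2.0 Javadoc for getProperty describes (verify this against the Jersey version in use), a configured Shiro SecurityManager, and a realm that accepts the hypothetical PreAuthenticatedToken, which stands in for the post's LocusAuthenticationToken.

```java
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;

@Provider
public final class AttributeLoginFilter implements ContainerRequestFilter {

    // Attribute name taken from the post; set by Shibboleth in front of the API.
    private static final String USER_ATTRIBUTE = "nameid";

    @Override
    public void filter(final ContainerRequestContext requestContext) throws IOException {
        // Assumption: properties mirror servlet request attributes (JAX-RS 2.0 Javadoc).
        final Object value = requestContext.getProperty(USER_ATTRIBUTE);

        // Fail closed: no identity from the SSO layer means no Shiro login.
        if (!(value instanceof String) || ((String) value).trim().isEmpty()) {
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        try {
            final Subject subject = SecurityUtils.getSubject();
            subject.login(new PreAuthenticatedToken((String) value));
        } catch (AuthenticationException e) {
            // The realm did not accept this user id: stop before any resource method runs.
            requestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    /** Hypothetical stand-in for the post's LocusAuthenticationToken. */
    static final class PreAuthenticatedToken implements AuthenticationToken {
        private static final long serialVersionUID = 1L;
        private final String userId;
        PreAuthenticatedToken(final String userId) { this.userId = userId; }
        @Override public Object getPrincipal() { return userId; }
        @Override public Object getCredentials() { return null; } // SSO already authenticated
    }
}
```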