I've got a Jersey API that's protected by Shibboleth, an SSO implementation. Shibboleth puts the id of the logged-in user in a request attribute. On the back end, I'm using Shiro for authorization. Shiro would like to know the logged-in user so it can load up permissions.
What is the correct way to get that userId out of the request attribute and into Shiro? Right now, what I'm trying is:
@Provider
public final class ShiroLoginFilter implements ContainerRequestFilter {
@Context
private HttpServletRequest request;
@Override
public void filter(final ContainerRequestContext requestContext)
throws IOException {
final String userId = (String) this.request.getAttribute("nameid");
final Subject subject = SecurityUtils.getSubject();
subject.login(new LocusAuthenticationToken(userId));
}
}
Unfortunately, due to JERSEY-1960[1], I can't inject the request context into a filter. Every user needs to "login" in order to load permissions. I'd rather not have to repeat the login code in every method of the API. I am also not permitted to use a web.xml filter (by my boss). Do I have any good option here?
Thanks,
Eric
[1]
https://java.net/jira/browse/JERSEY-1960
(Question also posted to StackOverflow:
http://stackoverflow.com/questions/19691753/read-request-attribute-in-a-jersey-containerrequestfilter)