UrlBasedAuthorizingFilter.java

package org.ohdsi.webapi.shiro;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.web.servlet.AdviceFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 *
 * @author gennadiy.anisimov
 */
public class UrlBasedAuthorizingFilter extends AdviceFilter {
  
  @Override
  protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
    HttpServletRequest httpRequest = WebUtils.toHttp(request);
    
    String path = httpRequest.getPathInfo()
                              .replaceAll("^/+", "")
                              .replaceAll("/+$", "")
                              // replace special characters
                              .replace(":", ":")
                              .replace(",", ",")
                              .replace("*", "&asterisk;");

    String method = httpRequest.getMethod();    
    String permission = String.format("%s:%s", path.replace("/", ":"), method).toLowerCase();

    if (this.isPermitted(permission))
      return true;
    
    HttpServletResponse httpResponse = WebUtils.toHttp(response);
    httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
    return false;
  }

  protected boolean isPermitted(String permission) {
    return SecurityUtils.getSubject().isPermitted(permission);
  };
}