I have a Jersey API that is protected by Shibboleth, an SSO implementation. Shibboleth places the logged-in user ID in a request attribute. In the background, I use Shiro for authorization. Shiro needs to know the logged-in user so that it can load that user's permissions.
What is the correct way to get this userId from the request attribute and into Shiro? Right now, I'm trying:
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.ext.Provider;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

@Provider
public final class ShiroLoginFilter implements ContainerRequestFilter {
    // Injected by Jersey; this is the injection that fails in a filter (see JERSEY-1960 below)
    @Context
    private HttpServletRequest request;

    @Override
    public void filter(final ContainerRequestContext requestContext) throws IOException {
        // Shibboleth stores the authenticated user ID in the "nameid" request attribute
        final String userId = (String) this.request.getAttribute("nameid");
        final Subject subject = SecurityUtils.getSubject();
        // Log the user in to Shiro so the realm can load that user's permissions
        subject.login(new LocusAuthenticationToken(userId));
    }
}
Unfortunately, due to JERSEY-1960, I cannot inject the request context into a filter. Each user needs to "log in" so that their permissions get loaded. I would prefer not to repeat the login code in every API method. I am also not allowed to use a web.xml filter (by my boss). Do I have a good option here?
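As an added example (not from the question's author), the following filter avoids the HttpServletRequest injection entirely: in a servlet container the JAX-RS ContainerRequestContext properties are synchronized with the ServletRequest attributes, so the attribute Shibboleth wrote can be read with requestContext.getProperty(). It also adds the two checks a practitioner would want: it refuses to log in a missing principal instead of passing null into Shiro, and it clears Shiro's thread-local Subject binding in a response filter so a pooled container thread cannot carry one user's identity into the next request. Assumptions: Jersey 2 running in a servlet container, the attribute name "nameid" taken from the question, a SecurityManager already registered via SecurityUtils.setSecurityManager (no ShiroFilter in web.xml), and a custom realm that accepts the hypothetical PreAuthenticatedToken below without checking credentials (for example with AllowAllCredentialsMatcher), since Shibboleth has already authenticated the user.

```java
import java.io.IOException;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/**
 * Binds the Shibboleth-authenticated user to a Shiro Subject for the duration
 * of one request, without injecting HttpServletRequest into the filter.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public final class ShibbolethShiroFilter implements ContainerRequestFilter, ContainerResponseFilter {

    /** Attribute written server-side by the Shibboleth SP; the name is an assumption taken from the question. */
    private static final String NAME_ID_ATTRIBUTE = "nameid";

    @Override
    public void filter(final ContainerRequestContext requestContext) throws IOException {
        // In a servlet container, JAX-RS request properties mirror ServletRequest
        // attributes, so the Shibboleth attribute is readable here directly.
        final Object nameId = requestContext.getProperty(NAME_ID_ATTRIBUTE);
        if (!(nameId instanceof String) || ((String) nameId).isEmpty()) {
            // Shibboleth did not authenticate this request: never log in a null principal.
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        try {
            final Subject subject = SecurityUtils.getSubject();
            // The identity was verified upstream; the realm only needs to load authorization data.
            subject.login(new PreAuthenticatedToken((String) nameId));
        } catch (AuthenticationException e) {
            // The realm does not know this user (or rejected the token type).
            requestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    @Override
    public void filter(final ContainerRequestContext requestContext,
                       final ContainerResponseContext responseContext) throws IOException {
        // Shiro binds the Subject to a thread-local. Clear it after every request so a
        // reused container thread does not start the next request already logged in.
        ThreadContext.remove();
    }

    /** Hypothetical token carrying an identity already verified by Shibboleth. */
    public static final class PreAuthenticatedToken implements AuthenticationToken {
        private final String userId;

        public PreAuthenticatedToken(final String userId) {
            this.userId = userId;
        }

        @Override
        public Object getPrincipal() {
            return userId;
        }

        @Override
        public Object getCredentials() {
            // No secret to present; the realm must be configured to trust this token type.
            return userId;
        }
    }
}
```

Because the value comes from a request attribute set by the Shibboleth SP inside the container, rather than from an HTTP header, a client cannot forge it; that only holds as long as the API is reachable solely through the Shibboleth-protected path. The filter is registered by Jersey's @Provider scanning, so nothing needs to be added to web.xml.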