Reputation: 13682
I've got a Jersey API that's protected by Shibboleth, an SSO implementation. Shibboleth puts the id of the logged-in user in a request attribute. On the back end, I'm using Shiro for authorization. Shiro would like to know the logged-in user so it can load up permissions.
What is the correct way to get that userId out of the request attribute and into Shiro? Right now, what I'm trying is:
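    import java.io.IOException;
    import javax.servlet.http.HttpServletRequest;
    import javax.ws.rs.container.ContainerRequestContext;
    import javax.ws.rs.container.ContainerRequestFilter;
    import javax.ws.rs.core.Context;
    import javax.ws.rs.ext.Provider;
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.subject.Subject;

    @Provider
    public final class ShiroLoginFilter implements ContainerRequestFilter {
        @Context
        private HttpServletRequest request;

        @Override
        public void filter(final ContainerRequestContext requestContext)
                throws IOException {
            // Shibboleth places the logged-in user's id in this request attribute
            final String userId = (String) this.request.getAttribute("nameid");
            final Subject subject = SecurityUtils.getSubject();
            // LocusAuthenticationToken is the application's own token class
            subject.login(new LocusAuthenticationToken(userId));
        }
    }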
Unfortunately, due to JERSEY-1960, I can't inject the request context into a filter. Every user needs to "login" in order to load permissions. I'd rather not have to repeat the login code in every method of the API. I am also not permitted to use a web.xml filter (by my boss). Do I have any good option here?
Upvotes: 7
Views: 12728
Reputation: 10379
You should also be able to obtain ServletRequest attributes directly from ContainerRequestContext via ContainerRequestContext#getProperty as described in the JavaDoc of the method:
"In a Servlet container, the properties are synchronized with the ServletRequest and expose all the attributes available in the ServletRequest. Any modifications of the properties are also reflected in the set of properties of the associated ServletRequest."
Note: Injecting HttpServletRequest should work as expected since Jersey 2.4 (released in 10.2013).
Upvotes: 12
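The approach from the answer above, written out as an added example that is not part of the original posts: the filter reads "nameid" through ContainerRequestContext#getProperty and fails closed when the attribute is missing or not a string. The class name ShibbolethShiroFilter and the SsoToken class are hypothetical; the example assumes a Shiro SecurityManager is already bound (for instance via SecurityUtils.setSecurityManager) and that a realm is configured to accept this token type.

```java
import java.io.IOException;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;

@Provider
@Priority(Priorities.AUTHENTICATION) // run before any authorization filters
public final class ShibbolethShiroFilter implements ContainerRequestFilter {

    /** Hypothetical token carrying only the user id asserted by the SSO layer. */
    static final class SsoToken implements AuthenticationToken {
        private static final long serialVersionUID = 1L;
        private final String userId;
        SsoToken(final String userId) { this.userId = userId; }
        @Override public Object getPrincipal() { return userId; }
        // No password: the SSO layer has already authenticated the user, so the
        // realm (assumed) must be written to accept this token type without one.
        @Override public Object getCredentials() { return ""; }
    }

    @Override
    public void filter(final ContainerRequestContext ctx) throws IOException {
        // In a Servlet container this exposes the ServletRequest attributes,
        // so no HttpServletRequest injection is needed.
        final Object attr = ctx.getProperty("nameid");
        if (!(attr instanceof String) || ((String) attr).trim().isEmpty()) {
            // Fail closed: never log in a null or empty principal.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        try {
            final Subject subject = SecurityUtils.getSubject();
            subject.login(new SsoToken((String) attr));
        } catch (AuthenticationException e) {
            // The realm rejected the id (for example, an unknown user).
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

Because the filter is a @Provider, it applies to every resource method without per-method login code and without a web.xml filter.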