In the interest of readers, I'm sharing the solution I arrived at after some research of existing tools. First, the easy part: using Shiro annotations in an OSGi environment. I ended up writing the class below, since most Shiro-Jersey adapters shared by developers are based on Jersey 1.x.
```java
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.ext.Provider;

import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresGuest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.apache.shiro.authz.aop.AuthenticatedAnnotationHandler;
import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
import org.apache.shiro.authz.aop.GuestAnnotationHandler;
import org.apache.shiro.authz.aop.PermissionAnnotationHandler;
import org.apache.shiro.authz.aop.RoleAnnotationHandler;
import org.apache.shiro.authz.aop.UserAnnotationHandler;

/**
 * JAX-RS 2.x (Jersey 2) request filter that enforces Shiro's authorization
 * annotations on the matched resource class and resource method, reusing
 * Shiro's own annotation handlers. Each handler throws an AuthorizationException
 * when the current Subject does not satisfy the annotation.
 */
@Provider
public class ShiroAnnotationResourceFilter implements ContainerRequestFilter {

    // Shiro annotation type -> handler that knows how to check it
    private static final Map<Class<? extends Annotation>, AuthorizingAnnotationHandler> ANNOTATION_MAP =
            new HashMap<Class<? extends Annotation>, AuthorizingAnnotationHandler>();

    static {
        ANNOTATION_MAP.put(RequiresPermissions.class, new PermissionAnnotationHandler());
        ANNOTATION_MAP.put(RequiresRoles.class, new RoleAnnotationHandler());
        ANNOTATION_MAP.put(RequiresUser.class, new UserAnnotationHandler());
        ANNOTATION_MAP.put(RequiresGuest.class, new GuestAnnotationHandler());
        ANNOTATION_MAP.put(RequiresAuthentication.class, new AuthenticatedAnnotationHandler());
    }

    // Only available in a post-matching filter (the default); do not mark this @PreMatching
    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext context) throws IOException {
        // Class-level annotations are checked first, then method-level ones
        Class<?> resourceClass = resourceInfo.getResourceClass();
        if (resourceClass != null) {
            assertAuthorized(resourceClass.getAnnotations());
        }
        Method method = resourceInfo.getResourceMethod();
        if (method != null) {
            assertAuthorized(method.getAnnotations());
        }
    }

    /**
     * Checks every recognised Shiro annotation on the element, not just the first
     * one found, so that e.g. @RequiresAuthentication combined with
     * @RequiresPermissions on one method enforces both.
     */
    private static void assertAuthorized(Annotation[] annotations) {
        for (Annotation annotation : annotations) {
            AuthorizingAnnotationHandler handler = ANNOTATION_MAP.get(annotation.annotationType());
            if (handler != null) {
                handler.assertAuthorized(annotation);
            }
        }
    }
}
```
The complete project is here. The above took care of Part 3 of my question.
For Shiro with SAML, I am using the ServiceMix-wrapped OpenSAML jar, and it seems to be working okay so far. I did, however, have to write a bit of code to make Shiro work with SAML2. It's almost along the same lines as shiro-cas, but is a bit more generic so it can be used with other IdPs. The code is kind of big, so I'm sharing a link to the project instead of copying classes to SO. It can be found here.
Now that I have some abstraction between my code and my IdP, WSO2 integration looks a bit simpler.
P.S. Thanks Achim for your comments and suggestions.
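One thing the filter in this answer leaves to the reader: Shiro's handlers signal a failed check by throwing `AuthorizationException`, and in JAX-RS 2.x an unmapped exception from a request filter surfaces as a 500. The following `ExceptionMapper` is an added example, not part of the answer above or of the linked project; it assumes the JAX-RS 2.0 API (`javax.ws.rs`) and Shiro 1.x, where `UnauthenticatedException` is a subclass of `AuthorizationException` and is what Shiro throws when an anonymous Subject hits an authorization check. The `ReportResource` class and the `report:read` permission string are hypothetical, included only to show the class-plus-method annotation case the filter now enforces.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;

/**
 * Maps Shiro authorization failures raised by ShiroAnnotationResourceFilter
 * to the HTTP status a client can act on, instead of a generic 500.
 *
 * - UnauthenticatedException (no identity on the Subject) -> 401, with the
 *   WWW-Authenticate header a 401 requires; the scheme and realm here are
 *   placeholders for whatever the deployment actually uses.
 * - any other AuthorizationException (identity present, role/permission
 *   missing) -> 403, deliberately without echoing which check failed.
 */
@Provider
public class ShiroAuthorizationExceptionMapper implements ExceptionMapper<AuthorizationException> {

    @Override
    public Response toResponse(AuthorizationException e) {
        if (e instanceof UnauthenticatedException) {
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer realm=\"api\"") // hypothetical scheme/realm
                    .type(MediaType.TEXT_PLAIN)
                    .entity("authentication required")
                    .build();
        }
        return Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.TEXT_PLAIN)
                .entity("forbidden")
                .build();
    }
}

/**
 * Hypothetical resource showing the combined case: every method in the class
 * needs an authenticated Subject, and this method additionally needs a
 * permission. The filter checks the class annotation, then the method one.
 */
@Path("/reports")
@RequiresAuthentication
class ReportResource {

    @GET
    @RequiresPermissions("report:read") // hypothetical permission string
    public String list() {
        return "[]";
    }
}
```

Both classes are picked up by Jersey's classpath/package scanning like the filter itself; in a hand-registered `ResourceConfig` they go in alongside `ShiroAnnotationResourceFilter`. Because Shiro's `Subject.checkPermission` and `checkRole` throw `UnauthenticatedException` for a Subject with no principals, an anonymous caller hitting `@RequiresPermissions` gets a 401 from this mapper rather than a 403, which is the behaviour you usually want.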