[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482822#comment-16482822 ]

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

If you can manage the fact that you don't always have an ejb context, then It's perfect. :)

> Support JavaEE Security annotation
> ----------------------------------
>
>                 Key: DELTASPIKE-1345
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Security-Module
>            Reporter: Jonathan Laterreur
>            Priority: Minor
>
> Deltaspike should take care of the standard JavaEE security annotation.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (does not covers everything)
> {code:java}
> @Interceptor
> @RolesSecured
> public class RolesSecuredInterceptor {
>     private static final Logger LOGGER = LoggerFactory.getLogger(RolesSecuredInterceptor.class);
>     @Inject
>     private HttpServletRequest request;
>     @AroundInvoke
>     public Object intercept(InvocationContext ctx) throws Exception {
>         boolean allowed = ctx.getMethod().getAnnotation(PermitAll.class) != null;
>         if (!allowed) {
>             RolesAllowed rolesAllowed = ctx.getMethod().getAnnotation(RolesAllowed.class);
>             if (rolesAllowed != null) {
>                 allowed = verifyRolesAllowed(rolesAllowed);
>             }
>             if (!allowed) {
>                 allowed = ctx.getMethod().getDeclaringClass().getAnnotation(PermitAll.class) != null;
>                 if (!allowed) {
>                     rolesAllowed = ctx.getMethod().getDeclaringClass().getAnnotation(RolesAllowed.class);
>                     if (rolesAllowed != null) {
>                         allowed = verifyRolesAllowed(rolesAllowed);
>                     } else {
>                         allowed = true;
>                     }
>                 }
>             }
>         }
>         if (!allowed) {
>             LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »", request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonyme",
>                     ctx.getMethod().getName());
>             throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
>         }
>         return ctx.proceed();
>     }
>     private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
>         boolean allowed = false;
>         if (request.getUserPrincipal() != null) {
>             String[] roles = rolesAllowed.value();
>             for (String role : roles) {
>                 allowed = request.isUserInRole(role);
>                 if (allowed) {
>                     break;
>                 }
>             }
>         }
>         return allowed;
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)