[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482847#comment-16482847 ]

Romain Manni-Bucau commented on DELTASPIKE-1345:
------------------------------------------------

[~gpetracek] hmm, why can't we use the same evaluation than in security module but triggered by javax.security annotation? We would have an event which would set if we are allowed or not and [~princemtl] would observe it and use the request to evaluate it. That's what I had in mind. Providing a default impl using the request would not be as useful as just handling the interceptor and preprocess roles etc from a standard API automatically IMO (secural contexts wouldn't be handled based on the cdi request).

> Support JavaEE Security annotation
> ----------------------------------
>
>                 Key: DELTASPIKE-1345
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Security-Module
>            Reporter: Jonathan Laterreur
>            Priority: Minor
>
> Deltaspike should take care of the standard JavaEE security annotation.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (does not covers everything)
> {code:java}
> @Interceptor
> @RolesSecured
> public class RolesSecuredInterceptor {
>     private static final Logger LOGGER = LoggerFactory.getLogger(RolesSecuredInterceptor.class);
>     @Inject
>     private HttpServletRequest request;
>     @AroundInvoke
>     public Object intercept(InvocationContext ctx) throws Exception {
>         boolean allowed = ctx.getMethod().getAnnotation(PermitAll.class) != null;
>         if (!allowed) {
>             RolesAllowed rolesAllowed = ctx.getMethod().getAnnotation(RolesAllowed.class);
>             if (rolesAllowed != null) {
>                 allowed = verifyRolesAllowed(rolesAllowed);
>             }
>             if (!allowed) {
>                 allowed = ctx.getMethod().getDeclaringClass().getAnnotation(PermitAll.class) != null;
>                 if (!allowed) {
>                     rolesAllowed = ctx.getMethod().getDeclaringClass().getAnnotation(RolesAllowed.class);
>                     if (rolesAllowed != null) {
>                         allowed = verifyRolesAllowed(rolesAllowed);
>                     } else {
>                         allowed = true;
>                     }
>                 }
>             }
>         }
>         if (!allowed) {
>             LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »", request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonyme",
>                     ctx.getMethod().getName());
>             throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
>         }
>         return ctx.proceed();
>     }
>     private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
>         boolean allowed = false;
>         if (request.getUserPrincipal() != null) {
>             String[] roles = rolesAllowed.value();
>             for (String role : roles) {
>                 allowed = request.isUserInRole(role);
>                 if (allowed) {
>                     break;
>                 }
>             }
>         }
>         return allowed;
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)