[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16491732#comment-16491732 ]

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

[~gpetracek]

Yes. You're right.

This is what confused me: "You will have to map the run-as role name to a given principal defined on the Enterprise Server if the given roles associate to more than one user principal. Mapping roles to principals is described in Part VII, “Security,” in “The Java EE 6 Tutorial, Volume II”."

Any plan to support CDI 2.0 in the future?

> Support JavaEE Security annotation
> ----------------------------------
>
>                 Key: DELTASPIKE-1345
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Security-Module
>            Reporter: Jonathan Laterreur
>            Assignee: Gerhard Petracek
>            Priority: Minor
>
> Deltaspike should take care of the standard JavaEE security annotations.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (does not cover everything)
> {code:java}
> import java.lang.reflect.AnnotatedElement;
> import java.lang.reflect.Method;
> import javax.annotation.security.DenyAll;
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RolesAllowed;
> import javax.inject.Inject;
> import javax.interceptor.AroundInvoke;
> import javax.interceptor.Interceptor;
> import javax.interceptor.InvocationContext;
> import javax.servlet.http.HttpServletRequest;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> @Interceptor
> @RolesSecured // custom interceptor binding; the interceptor must also be enabled (beans.xml), otherwise it never runs
> public class RolesSecuredInterceptor {
>     private static final Logger LOGGER = LoggerFactory.getLogger(RolesSecuredInterceptor.class);
>
>     @Inject
>     private HttpServletRequest request;
>
>     @AroundInvoke
>     public Object intercept(InvocationContext ctx) throws Exception {
>         Method method = ctx.getMethod();
>         // Standard precedence: a security annotation on the method overrides the class-level one;
>         // only when the method carries none is the declaring class consulted. A denial at method
>         // level must never be overturned by the absence of a class-level annotation.
>         AnnotatedElement target = hasSecurityAnnotation(method) ? method : method.getDeclaringClass();
>         boolean allowed = evaluate(target);
>         if (!allowed) {
>             LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »",
>                     request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonyme",
>                     method.getName());
>             throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
>         }
>         return ctx.proceed();
>     }
>
>     private boolean hasSecurityAnnotation(AnnotatedElement element) {
>         return element.isAnnotationPresent(DenyAll.class)
>                 || element.isAnnotationPresent(PermitAll.class)
>                 || element.isAnnotationPresent(RolesAllowed.class);
>     }
>
>     // @DenyAll wins over everything, then @PermitAll, then @RolesAllowed; no annotation permits the call.
>     private boolean evaluate(AnnotatedElement element) {
>         if (element.isAnnotationPresent(DenyAll.class)) {
>             return false;
>         }
>         if (element.isAnnotationPresent(PermitAll.class)) {
>             return true;
>         }
>         RolesAllowed rolesAllowed = element.getAnnotation(RolesAllowed.class);
>         return rolesAllowed == null || verifyRolesAllowed(rolesAllowed);
>     }
>
>     // The caller must be authenticated and hold at least one of the listed roles.
>     private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
>         if (request.getUserPrincipal() == null) {
>             return false;
>         }
>         for (String role : rolesAllowed.value()) {
>             if (request.isUserInRole(role)) {
>                 return true;
>             }
>         }
>         return false;
>     }
> }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
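Added example, not the reporter's code and not part of DeltaSpike: the `@RolesSecured` interceptor binding the quoted interceptor refers to, plus a constructed bean showing how a method-level annotation overrides the class-level default. `RolesSecured`, `AccountService` and the role names are assumed.

```java
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.ApplicationScoped;
import javax.interceptor.InterceptorBinding;

// Interceptor binding for RolesSecuredInterceptor (assumed name). A bean is only checked if it
// carries this binding AND the interceptor is enabled; a bean without it is never intercepted.
@InterceptorBinding
@Inherited
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface RolesSecured {
}

// Constructed sample bean: the class-level default is "admin"; individual methods override it.
@ApplicationScoped
@RolesSecured
@RolesAllowed("admin")
class AccountService {

    @PermitAll                              // method-level wins: callable without any role
    public String ping() {
        return "pong";
    }

    public void closeAccount(String id) {   // no method annotation: class default "admin" applies
        // ...
    }

    @RolesAllowed({"admin", "auditor"})     // either role is sufficient
    public String export() {
        return "csv";
    }

    @DenyAll                                // never callable through the CDI proxy, whatever the caller's roles
    public void legacyExport() {
    }
}
```

The interceptor still has to be enabled, for example by listing `RolesSecuredInterceptor` under `<interceptors>` in beans.xml; an interceptor that is declared but not enabled silently lets every call through.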