[aerogear-dev] [Unified Push Server] Roles structure & password management

Matthias Wessendorf matzew at apache.org
Tue Nov 5 12:17:38 EST 2013


On Tue, Nov 5, 2013 at 6:07 PM, Sebastien Blanc <scm.blanc at gmail.com> wrote:

> Sorry I don't get your example, why should destroyEverything() also have
>  "simple" annotated?
>

yep - that endpoint would never be annotated w/ "simple";

I think whether the annotation contains "incorrect" roles or not is not a
problem on the UPS.

It's more an issue w/ the underlying security framework:
E.g. how can I specify that someone with the role "simple" is NEVER able to
call entityManager.delete() (deep in the stack)?




>
>
>
> On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno at abstractj.org>wrote:
>
>> But if you are supporting multiple roles, you can't avoid such issue.
>>
>> For example:
>>
>> @Secure({"developer", "simple"})
>> public void destroyEverything() {
>>     // access the nuclear reactor
>> }
>>
>> So the interceptor will look into this method and say "geez we have
>> simple role here" and bang!
>>
>> What would be the solution for such problem?
>>
>> Sebastien Blanc wrote:
>> > Well, I was thinking of annotating methods, so delete all the thing
>> > will be only for "developer" and "admin"
>>
>> --
>> abstractj
>>
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
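As an added illustration of the two layers this reply distinguishes (the role list an interceptor reads off an annotation, versus the underlying framework refusing a delete "deep in the stack" no matter what the annotation says), the following Java is example code written for this page; it is not AeroGear or Unified Push Server code. The `@Secure` annotation here is a constructed stand-in for the one Bruno's snippet uses, and `User`, `RoleInterceptor`, `DestructiveOperationGuard` and `PushApplicationService` are hypothetical names. The service method deliberately carries the over-broad `{"developer", "simple"}` list from the thread, so the annotation check lets a "simple" user through and only the second guard, placed next to the destructive operation, stops the call.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Constructed stand-in for a role annotation like the @Secure in the thread;
// not the AeroGear Security annotation itself.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface Secure {
    String[] value();
}

// Hypothetical caller identity carrying the role names used in the thread.
final class User {
    final String name;
    final Set<String> roles;

    User(String name, String... roles) {
        this.name = name;
        this.roles = new HashSet<>(Arrays.asList(roles));
    }

    boolean hasAnyRole(Set<String> wanted) {
        for (String r : roles) {
            if (wanted.contains(r)) return true;
        }
        return false;
    }
}

final class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

// Layer 1: the interceptor-style check. It trusts whatever the annotation says,
// so a method annotated with "simple" admits a user holding only "simple".
final class RoleInterceptor {
    static void check(Method target, User user) {
        Secure secure = target.getAnnotation(Secure.class);
        if (secure == null) {
            throw new AccessDeniedException("no @Secure on " + target.getName());
        }
        Set<String> allowed = new HashSet<>(Arrays.asList(secure.value()));
        if (!user.hasAnyRole(allowed)) {
            throw new AccessDeniedException(user.name + " lacks any of " + allowed);
        }
    }
}

// Layer 2: a guard at the destructive operation itself, independent of any
// annotation. One way to express "someone with the role 'simple' is never
// able to call delete deep in the stack".
final class DestructiveOperationGuard {
    private static final Set<String> MAY_DESTROY =
            new HashSet<>(Arrays.asList("developer", "admin"));

    static void requireMayDestroy(User user) {
        if (!user.hasAnyRole(MAY_DESTROY)) {
            throw new AccessDeniedException(
                    "destructive operation refused for " + user.name + " " + user.roles);
        }
    }
}

final class PushApplicationService {
    // Deliberately carries the over-broad role list from the thread.
    @Secure({"developer", "simple"})
    public String destroyEverything(User user) {
        DestructiveOperationGuard.requireMayDestroy(user); // second line of defence
        // entityManager.remove(...) would follow here in real code
        return "destroyed by " + user.name;
    }
}

public class RolesDemo {
    // Runs the annotation check, then the method, unwrapping reflective exceptions.
    static String invoke(User user) throws Exception {
        Method m = PushApplicationService.class.getMethod("destroyEverything", User.class);
        RoleInterceptor.check(m, user);
        try {
            return (String) m.invoke(new PushApplicationService(), user);
        } catch (InvocationTargetException e) {
            if (e.getCause() instanceof RuntimeException) throw (RuntimeException) e.getCause();
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(invoke(new User("dev", "developer")));   // passes both layers
        try {
            invoke(new User("bob", "simple"));                       // passes layer 1 only
        } catch (AccessDeniedException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac RolesDemo.java && java RolesDemo`. The point of the split is that a wrong role list on an endpoint annotation becomes a bug rather than a breach: the guard beside the delete encodes the invariant once, in the framework layer, and does not depend on every annotation above it being right.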