[aerogear-dev] [Unified Push Server] Roles structure & password management

Karel Piwko kpiwko at redhat.com
Wed Nov 6 06:37:11 EST 2013


On Tue, 5 Nov 2013 18:17:38 +0100
Matthias Wessendorf <matzew at apache.org> wrote:

> On Tue, Nov 5, 2013 at 6:07 PM, Sebastien Blanc <scm.blanc at gmail.com> wrote:
> 
> > Sorry I don't get your example, why should destroyEverything() also have
> >  "simple" annotated?
> >
> 
> yep - that endpoint would never be annotated w/ "simple";
> 
> I think the problem if the annotation contains "incorrect" roles or not is
> not a problem on the UPS.
> 
> It's more an issue w/ the underlying security framework:
> E.g. how can I specify that someone with the role "simple" is NEVER able to
> (deep in the stack) call entityManager.delete();
> 
There is no such thing. The security framework would need to proxy EntityManager.
Such a thing does not exist in PL, although I admit it would be handy and not
that complicated to implement. The closest OSS solution I've found is
http://jpasecurity.sourceforge.net/. So the only solution possible for now is
to @Secure DAO objects on the CRUD level.

> > On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno at abstractj.org>wrote:
> >
> >> But if you are supporting multiple roles, you can't avoid such issue.
> >>
> >> For example:
> >>
> >> @Secure({"developer", "simple"})
> >> public void destroyEverything(){
> >> // access the nuclear reactor
> >> }
> >>
> >> So the interceptor will look into this method and say "geez we have
> >> simple role here" and bang!
> >>
> >> What would be the solution for such problem?
> >>
> >> Sebastien Blanc wrote:
> >> > Well, I was thinking of annotating methods, so delete all the thing
> >> > will be only for "developer" and "admin"
> >>
> >> --
> >> abstractj
> >>
> >> _______________________________________________
> >> aerogear-dev mailing list
> >> aerogear-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/aerogear-dev
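The CRUD-level guard Karel describes, as an added example that is not code from this thread, from the UPS or from PicketLink: a plain java.lang.reflect.Proxy stands in for the security interceptor; the ApplicationDao and JpaApplicationDao types, the role names and the destroyEverything stand-in for Bruno's multi-role endpoint are all assumptions.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Set;

// Constructed DAO contract: the layer the service reaches "deep in the stack".
interface ApplicationDao {
    void save(String id);
    void delete(String id);
}

class JpaApplicationDao implements ApplicationDao {
    public void save(String id)   { System.out.println("persist " + id); }
    public void delete(String id) { System.out.println("remove " + id); }
}

// Role-aware proxy guarding every CRUD call, regardless of which endpoint reached it.
final class SecuredDao {
    static ApplicationDao guard(ApplicationDao target, Set<String> callerRoles) {
        InvocationHandler handler = (proxy, method, args) -> {
            // Assumed policy: only "developer" or "admin" may delete.
            if (method.getName().equals("delete")
                    && !callerRoles.contains("developer") && !callerRoles.contains("admin")) {
                throw new SecurityException("roles " + callerRoles + " may not delete");
            }
            return method.invoke(target, args);
        };
        return (ApplicationDao) Proxy.newProxyInstance(
                ApplicationDao.class.getClassLoader(), new Class<?>[]{ApplicationDao.class}, handler);
    }
}

public class CrudLevelSecurity {
    // Stand-in for an endpoint annotated @Secure({"developer", "simple"}): both roles may enter.
    static void destroyEverything(ApplicationDao dao) { dao.delete("reactor"); }

    public static void main(String[] args) {
        ApplicationDao forDeveloper = SecuredDao.guard(new JpaApplicationDao(), Set.of("developer"));
        destroyEverything(forDeveloper);            // developer passes the DAO guard: "remove reactor"

        ApplicationDao forSimple = SecuredDao.guard(new JpaApplicationDao(), Set.of("simple"));
        try {
            destroyEverything(forSimple);           // same endpoint, but the DAO guard stops "simple"
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The endpoint-level annotation admits both roles, so the check that actually protects the delete is the one on the DAO call.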