[aerogear-dev] @Secure annotation does not work on DAO methods when injecting DAO into Arquillian test

Karel Piwko kpiwko at redhat.com
Wed Nov 6 06:58:42 EST 2013


We've discussed the problem here
https://community.jboss.org/message/844604 and it's not an issue related to
Aerogear ;-)

Karel

On Tue, 5 Nov 2013 07:49:19 -0500 (EST)
Stefan Miklosovic <smikloso at redhat.com> wrote:

> Hi,
> 
> I have very basic setup:
> 
> 1) REST endpoint NOT annotated with @Secure from aerogear-security
> 2) service in that REST endpoint method which does some operation on
> database, methods of that service are NOT annotated with @Secure from
> aerogear-security
> 3) methods in DAO class which are called in that service
> methods (DAO is injected into service), some methods of that DAO class ARE
> annotated with @Secure annotation.
> 
> When I am testing this setup manually, all works ok. When I login as admin,
> after that, I can call that REST endpoint which in turn calls service layer
> which in turn calls DAO layer annotated with @Secure. I do this with CURL and
> I get what I expect.
> 
> However, when I am doing it like this:
> 
> https://gist.github.com/smiklosovic/fe5838598a524afdb775#file-gistfile1-java-L81
> 
> it seems to me that when I do login in the first method, I should be
> authorized to do that (200 is returned, cookies are returned, all is good, I
> am logged in) but I am not from LinkDao point of view. When that 2nd test
> runs, it fails and it ends up with AeroGearSecurityException - not
> authorized. Why?
> 
> It is interesting that it works "in one run" meaning I do that from REST
> point of view but when I inject LinkDao into test, I should have the very
> same container reference of it as in case I am doing it rest-like on the
> command line so it should be the same - and that is apparently not the case.
> 
> How is picketlink related to aerogear-security regarding sessions? And
> what kind of reference do I get after injecting it into test? Why is that
> DAO class not aware of my authorization? It seems that when I inject it into
> test, that DAO is not aware of previous steps regarding the authorization.
> 
> Thank you for any hints
> 
> Stefan Miklosovic
> Red Hat Brno - JBoss Mobile Platform
> 
> e-mail: smikloso at redhat.com
> irc: smikloso


