[aerogear-dev] [Unified Push Server] Roles structure & password management
Stefan Miklosovic
smikloso at redhat.com
Thu Nov 7 07:33:29 EST 2013
Hello,
when I was doing some REST endpoints and I was trying to test that with APE and Arquillian, I would like to see this one in action:
Given:
I have this class

    @Secure({ "admin" })
    public class SomeClass {

        public void theFirstMethod() {
        }

        @Secure({ "developer" })
        public void theSecondMethod() {
        }
    }
When:
I am logged in with "developer" role
Then:
I can call theSecondMethod but I can not call theFirstMethod.
Right now, the implementation logic assumes that the class-level @Secure takes it all. I would expect the class-level scope to be used when there is no annotation present on a particular method; otherwise the one on the method level is used.
From the implementation point of view, to have the idea:
    @AroundInvoke
    public Object invoke(InvocationContext ctx) throws Exception {
        Class<?> clazz = ctx.getTarget().getClass();
        Method method = ctx.getMethod();

        // this will be added: the method beats the class, so a method-level
        // @Secure replaces (does not add to) the class-level one
        if (method.isAnnotationPresent(Secure.class)) {
            authorize(methodMetadata(ctx));
        } else if (clazz.isAnnotationPresent(Secure.class)) {
            // fall back to the class-level roles only when the method has none
            authorize(clazzMetadata(ctx));
        }

        return ctx.proceed();
    }
However, it is rather unknown how this fits into your perspective, but I have to say that I personally do not like the way it is done right now.
Regards
Stefan Miklosovic
Red Hat Brno - JBoss Mobile Platform
e-mail: smikloso at redhat.com
irc: smikloso
----- Original Message -----
> Sorry I don't get your example, why should destroyEverything() also have
> "simple" annotated?
> On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira < bruno at abstractj.org > wrote:
> > But if you are supporting multiple roles, you can't avoid such issue.
> > For example:
> >
> >     @Secure({"developer", "simple"})
> >     public void destroyEverything(){
> >         // access the nuclear reactor
> >     }
> >
> > So the interceptor will look into this method and say "geez we have
> > simple role here" and bang!
> > What would be the solution for such problem?
> > Sebastien Blanc wrote:
> > > Well, I was thinking of annotating methods, so delete all the thing
> > > will be only for "developer" and "admin"
> > --
> > abstractj
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
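As an added illustration (not code from this thread or from the Unified Push Server), the precedence rule Stefan asks for, resolved with plain reflection on a hypothetical stand-in @Secure annotation and checked for a caller holding only the "developer" role; roles are treated as any-of, which is exactly the situation Bruno's multi-role example worries about.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Set;

// Hypothetical stand-in for the server's @Secure annotation (assumption).
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Secure { String[] value(); }

// The class from the "Given" step: admin at class level, developer on one method.
@Secure({"admin"})
class SomeClass {
    public void theFirstMethod() {}

    @Secure({"developer"})
    public void theSecondMethod() {}
}

public class RoleResolution {
    // Method-level @Secure wins; otherwise fall back to the class-level one.
    // Returns null when neither is present, i.e. the method is unsecured.
    static String[] effectiveRoles(Method m) {
        Secure onMethod = m.getAnnotation(Secure.class);
        if (onMethod != null) return onMethod.value();
        Secure onClass = m.getDeclaringClass().getAnnotation(Secure.class);
        return onClass != null ? onClass.value() : null;
    }

    // Any-of semantics: the caller passes if it holds at least one required role.
    // This is why a "simple" role listed next to "developer" opens the method
    // to "simple" callers too (Bruno's destroyEverything() case).
    static boolean isAllowed(Method m, Set<String> callerRoles) {
        String[] required = effectiveRoles(m);
        if (required == null) return true;
        for (String role : required) {
            if (callerRoles.contains(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Set<String> developer = Set.of("developer");   // constructed caller
        Method first = SomeClass.class.getMethod("theFirstMethod");
        Method second = SomeClass.class.getMethod("theSecondMethod");
        System.out.println("theFirstMethod as developer:  " + isAllowed(first, developer));
        System.out.println("theSecondMethod as developer: " + isAllowed(second, developer));
    }
}
```

With the "developer" caller, theFirstMethod is refused (class-level admin applies) and theSecondMethod is allowed (method-level developer overrides the class), which is the Then step of Stefan's scenario.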