[aerogear-dev] [Unified Push Server] Roles structure & password management

Stefan Miklosovic smikloso at redhat.com
Thu Nov 7 07:33:29 EST 2013


Hello, 

when I was doing some REST endpoints and trying to test them with APE and Arquillian, I would like to see this one in action: 

Given:

I have this class

@Secure( { "admin" })
public class SomeClass {

    public void theFirstMethod() {
    }

    @Secure({ "developer" })
    public void theSecondMethod() {
    }
}

When:

I am logged in with "developer" role

Then:

I can call theSecondMethod but I can not call theFirstMethod.

Right now, the implementation logic assumes that the class-level @Secure takes it all. I would expect that the class-level scope is used when there is no annotation present on a particular method; otherwise the one on the method level is used. 
From the implementation point of view, to give the idea: 
import java.lang.reflect.Method;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

    @AroundInvoke
    public Object invoke(InvocationContext ctx) throws Exception {

        Class<?> clazz = ctx.getTarget().getClass();
        Method method = ctx.getMethod();

        // this will be added 

        // method beats the class: when both levels are annotated, only the
        // method-level @Secure is checked and the class-level one is skipped
        if (clazz.isAnnotationPresent(Secure.class) && 
            method.isAnnotationPresent(Secure.class)) {
            authorize(methodMetadata(ctx));
            return ctx.proceed();
        }

        // end of adding things 

        // existing logic: class-level check, then method-level check
        if (clazz.isAnnotationPresent(Secure.class)) {
            authorize(clazzMetadata(ctx));
        }

        if (method.isAnnotationPresent(Secure.class)) {
            authorize(methodMetadata(ctx));
        }
        return ctx.proceed(); 
    }
However, it is rather unknown how this fits into your perspective, but I have to say that I personally do not like the way it is done right now. 

Regards 

Stefan Miklosovic 
Red Hat Brno - JBoss Mobile Platform 

e-mail: smikloso at redhat.com 
irc: smikloso 
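An added example of the precedence described in the message above (not code from the original post or from the AeroGear project): a plain-Java resolver that applies the method-level @Secure when present and falls back to the class-level one, run against the Given/When/Then scenario. The local @Secure annotation, the requiredRoles/isAuthorized helpers and the "any matching role" rule are assumptions standing in for the project's own.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.Set;

public class SecurePrecedenceDemo {
    // Hypothetical stand-in for the project's @Secure annotation (assumed shape).
    @Retention(RetentionPolicy.RUNTIME)
    @interface Secure { String[] value(); }

    // The class from the Given above.
    @Secure({"admin"})
    public static class SomeClass {
        public void theFirstMethod() {}
        @Secure({"developer"})
        public void theSecondMethod() {}
    }

    // Method-level @Secure beats the class-level one; the class scope applies only
    // when the method carries no annotation. The class annotation is read from the
    // declaring class because a container-generated proxy subclass would not carry it.
    static String[] requiredRoles(Method method) {
        Secure onMethod = method.getAnnotation(Secure.class);
        if (onMethod != null) return onMethod.value();
        Secure onClass = method.getDeclaringClass().getAnnotation(Secure.class);
        return onClass != null ? onClass.value() : new String[0];
    }

    // Authorized when nothing is required or the caller holds at least one required role.
    static boolean isAuthorized(Set<String> callerRoles, Method method) {
        String[] required = requiredRoles(method);
        if (required.length == 0) return true;
        for (String role : required) {
            if (callerRoles.contains(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // When: logged in with the "developer" role only.
        Set<String> developer = Collections.singleton("developer");
        Method first = SomeClass.class.getMethod("theFirstMethod");
        Method second = SomeClass.class.getMethod("theSecondMethod");
        // Then: theSecondMethod is allowed, theFirstMethod is not.
        System.out.println("theFirstMethod allowed:  " + isAuthorized(developer, first));
        System.out.println("theSecondMethod allowed: " + isAuthorized(developer, second));
    }
}
```

Inside a real interceptor the same resolution would be driven from ctx.getMethod(), so no separate lookup of ctx.getTarget().getClass() is needed for the class-level annotation.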

----- Original Message -----

> Sorry I don't get your example, why should destroyEverything() also have
> "simple" annotated?
>
> On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira < bruno at abstractj.org > wrote:
>
> > But if you are supporting multiple roles, you can't avoid such issue.
> >
> > For example:
> >
> > @Secure({"developer", "simple"})
> > public void destroyEverything(){
> >     // access the nuclear reactor
> > }
> >
> > So the interceptor will look into this method and say "geez we have
> > simple role here" and bang!
> >
> > What would be the solution for such problem?
> >
> > Sebastien Blanc wrote:
> > > Well, I was thinking of annotating methods, so delete all the thing
> > > will be only for "developer" and "admin"
> >
> > --
> > abstractj
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev