[aerogear-dev] [Unified Push Server] Roles structure & password management
Karel Piwko
kpiwko at redhat.com
Thu Nov 7 10:23:57 EST 2013
Stefan pointed out that method scoped @Secure vs. class scoped
@Secure behavior should be clarified as well - method one should take
precedence. This relates to behavior of the annotation itself (one role from
set vs. multiple roles) as Sebi pointed out.
Karel
On Thu, 7 Nov 2013 13:55:15 +0100
Matthias Wessendorf <matzew at apache.org> wrote:
> excuse me, but how does that relate to the roles and structure that we
> discuss in THIS thread?
>
> On Thu, Nov 7, 2013 at 1:33 PM, Stefan Miklosovic <smikloso at redhat.com>wrote:
>
> > Hello,
> >
> > when I was doing some REST endpoints and I was trying to test that with APE
> > and Arquillian, I would like to see this one in the action:
> >
> > Given:
> >
> > I have this class
> >
> > @Secure({ "admin" })
> > public class SomeClass {
> >
> >     public void theFirstMethod() {
> >     }
> >
> >     @Secure({ "developer" })
> >     public void theSecondMethod() {
> >     }
> > }
> >
> > When:
> >
> > I am logged in with "developer" role
> >
> > Then:
> >
> > I can call theSecondMethod but I can not call theFirstMethod.
> >
> > Right now, the implementation logic assumes that class level @Secure takes
> > it all, I would expect that class level scope is used when there is not any
> > annotation present on some particular method, otherwise that one on the
> > method level is used.
> >
> > From the implementation point of view to have the idea:
> >
> > import java.lang.reflect.Method;
> > import javax.interceptor.AroundInvoke;
> > import javax.interceptor.InvocationContext;
> >
> > // authorize(), methodMetadata() and clazzMetadata() are the interceptor's
> > // existing helpers; only the precedence logic changes here.
> > @AroundInvoke
> > public Object invoke(InvocationContext ctx) throws Exception {
> >
> >     Class<?> clazz = ctx.getTarget().getClass();
> >     Method method = ctx.getMethod();
> >
> >     // this will be added
> >
> >     // method beats the class: when both levels are annotated, only the
> >     // method-level @Secure is checked; proceed here so the class-level
> >     // check below does not run as well
> >     if (clazz.isAnnotationPresent(Secure.class)
> >             && method.isAnnotationPresent(Secure.class)) {
> >         authorize(methodMetadata(ctx));
> >         return ctx.proceed();
> >     }
> >
> >     // end of adding things
> >
> >     if (clazz.isAnnotationPresent(Secure.class)) {
> >         authorize(clazzMetadata(ctx));
> >     }
> >
> >     if (method.isAnnotationPresent(Secure.class)) {
> >         authorize(methodMetadata(ctx));
> >     }
> >     return ctx.proceed();
> > }
> >
> > However it is rather unknown how this fits into your perspective but I have
> > to say that I personally do not like the way it is done right now.
> >
> > Regards
> >
> > Stefan Miklosovic
> > Red Hat Brno - JBoss Mobile Platform
> >
> > e-mail: smikloso at redhat.com
> > irc: smikloso
> >
> > ------------------------------
> >
> > Sorry I don't get your example, why should destroyEverything() also have
> > "simple" annotated?
> >
> >
> >
> > On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno at abstractj.org>
> > wrote:
> >
> >> But if you are supporting multiple roles, you can't avoid such issue.
> >>
> >> For example:
> >>
> >> @Secure({"developer", "simple"})
> >> public void destroyEverything(){
> >>     // access the nuclear reactor
> >> }
> >>
> >> So the interceptor will look into this method and say "geez we have
> >> simple role here" and bang!
> >>
> >> What would be the solution for such problem?
> >>
> >> Sebastien Blanc wrote:
> >> > Well, I was thinking of annotating methods, so delete all the thing
> >> > will be only for "developer" and "admin"
> >>
> >> --
> >> abstractj
> >>
> >>
> >>
> >> _______________________________________________
> >> aerogear-dev mailing list
> >> aerogear-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >
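Added example (not code from the Unified Push Server project or from anyone in this thread): a plain-JDK model of the two rules under discussion, the "method beats class" precedence Stefan asks for and the "any one of the listed roles is enough" semantics Bruno worries about. The @Secure annotation here is an assumed stand-in with the same shape as the one quoted above (a list of role names); SomeClass, theFirstMethod, theSecondMethod and destroyEverything are the names used in the thread, and effectiveRoles, allowedAnyOf and allowedAllOf are hypothetical helpers written for this demo.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

public class SecurePrecedenceDemo {

    // Assumed stand-in for the UPS @Secure annotation: a list of role names.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface Secure {
        String[] value();
    }

    // The class from Stefan's example, plus Bruno's destroyEverything().
    @Secure({"admin"})
    public static class SomeClass {
        public void theFirstMethod() { }

        @Secure({"developer"})
        public void theSecondMethod() { }

        @Secure({"developer", "simple"})
        public void destroyEverything() { }
    }

    /**
     * Roles guarding a method under the proposed rule: a method-level @Secure
     * replaces the class-level one; the class-level one applies only when the
     * method carries no annotation of its own. An empty set means neither level
     * is annotated, so there is nothing for the interceptor to check.
     */
    static Set<String> effectiveRoles(Method method) {
        Secure onMethod = method.getAnnotation(Secure.class);
        Secure onClass = method.getDeclaringClass().getAnnotation(Secure.class);
        Secure chosen = onMethod != null ? onMethod : onClass;
        if (chosen == null) {
            return Collections.emptySet();
        }
        return new LinkedHashSet<>(Arrays.asList(chosen.value()));
    }

    /** "Any of" semantics: the caller needs at least one of the listed roles. */
    static boolean allowedAnyOf(Method method, Set<String> callerRoles) {
        Set<String> required = effectiveRoles(method);
        if (required.isEmpty()) {
            return true; // unsecured method, see effectiveRoles()
        }
        for (String role : required) {
            if (callerRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /** "All of" semantics: the caller needs every listed role. */
    static boolean allowedAllOf(Method method, Set<String> callerRoles) {
        return callerRoles.containsAll(effectiveRoles(method));
    }

    static Method method(String name) throws NoSuchMethodException {
        return SomeClass.class.getMethod(name);
    }

    public static void main(String[] args) throws Exception {
        Set<String> developer = Collections.singleton("developer");
        Set<String> simple = Collections.singleton("simple");

        // Stefan's Given/When/Then: logged in as "developer".
        System.out.println("developer -> theFirstMethod:  "
                + allowedAnyOf(method("theFirstMethod"), developer));
        System.out.println("developer -> theSecondMethod: "
                + allowedAnyOf(method("theSecondMethod"), developer));

        // Bruno's concern: with "any of" semantics a "simple" user reaches destroyEverything().
        System.out.println("simple -> destroyEverything (any of): "
                + allowedAnyOf(method("destroyEverything"), simple));
        // Requiring every listed role closes that hole, but changes what the list means.
        System.out.println("simple -> destroyEverything (all of): "
                + allowedAllOf(method("destroyEverything"), simple));
    }
}
```

Run with `javac SecurePrecedenceDemo.java && java SecurePrecedenceDemo`. The developer user is admitted to theSecondMethod and refused at theFirstMethod, which is exactly Stefan's expectation; the two destroyEverything lines show that whether "simple" gets in is decided by the annotation's role semantics, not by the precedence rule. The demo reads the class-level annotation from method.getDeclaringClass(); in a real CDI interceptor, check whether ctx.getTarget().getClass() hands you a generated proxy subclass before relying on getClass() for annotation lookup, since a non-@Inherited annotation is not visible on a subclass.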