Hello,
when I was doing some REST endpoints and trying to test them with APE and
Arquillian, I would like to see this one in action:
Given:
I have this class
@Secure({ "admin" })
public class SomeClass {
    public void theFirstMethod() {
    }

    @Secure({ "developer" })
    public void theSecondMethod() {
    }
}
When:
I am logged in with "developer" role
Then:
I can call theSecondMethod but I cannot call theFirstMethod.
Right now, the implementation logic assumes that the class-level @Secure takes it all. I would
expect that the class-level scope is used when there is no annotation present on some
particular method; otherwise the one on the method level is used.
From the implementation point of view to have the idea:
@AroundInvoke
public Object invoke(InvocationContext ctx) throws Exception {
    Class<?> clazz = ctx.getTarget().getClass();
    Method method = ctx.getMethod();
    // this will be added
    // method beats the class: when both are annotated, only the
    // method-level @Secure is evaluated
    if (clazz.isAnnotationPresent(Secure.class) &&
        method.isAnnotationPresent(Secure.class)) {
        authorize(methodMetadata(ctx));
    // end of adding things
    } else if (clazz.isAnnotationPresent(Secure.class)) {
        // class-level annotation only: it applies to every method
        authorize(clazzMetadata(ctx));
    } else if (method.isAnnotationPresent(Secure.class)) {
        // method-level annotation only
        authorize(methodMetadata(ctx));
    }
    return ctx.proceed();
}
However, it is rather unknown how this fits into your perspective, but I have to say that I
personally do not like the way it is done right now.
Regards
Stefan Miklosovic
Red Hat Brno - JBoss Mobile Platform
e-mail: smikloso(a)redhat.com
irc: smikloso
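As an added, stand-alone illustration of the resolution order described above (a method-level @Secure overrides the class-level one; the class-level annotation applies only to methods that carry none), here is a small Java program. It is not AeroGear's code: the @Secure annotation, the SomeClass and Reactor resources, the requiredRoles/isAllowed helpers and the rule that holding any one of the listed roles grants access are all assumptions made for the example. It also exercises the multi-role method quoted further down in the thread.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Stand-in for the @Secure annotation discussed in the thread (assumption: value()
// lists the roles allowed to invoke the annotated class or method).
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Secure {
    String[] value();
}

// Constructed resource mirroring the thread's example: class-level "admin",
// method-level "developer" on theSecondMethod only.
@Secure({"admin"})
class SomeClass {
    public void theFirstMethod() {}

    @Secure({"developer"})
    public void theSecondMethod() {}
}

// Constructed counterpart of the multi-role method quoted later in the thread.
class Reactor {
    @Secure({"developer", "simple"})
    public void destroyEverything() {}
}

public class SecureResolution {

    // Roles governing a call, or null when neither the method nor its class is
    // annotated. The method-level annotation wins; the class-level one is the fallback.
    static Set<String> requiredRoles(Method method) {
        Secure onMethod = method.getAnnotation(Secure.class);
        if (onMethod != null) {
            return new HashSet<>(Arrays.asList(onMethod.value()));
        }
        // getDeclaringClass() rather than the runtime class of the target, so a proxy
        // subclass generated by the container does not hide the class-level annotation.
        Secure onClass = method.getDeclaringClass().getAnnotation(Secure.class);
        if (onClass != null) {
            return new HashSet<>(Arrays.asList(onClass.value()));
        }
        return null;
    }

    // The decision an interceptor would make before ctx.proceed(): access is granted
    // when the caller holds at least one required role (assumption: the list is "any of").
    static boolean isAllowed(Method method, Set<String> callerRoles) {
        Set<String> required = requiredRoles(method);
        if (required == null) {
            return true; // no @Secure anywhere: unrestricted
        }
        return !Collections.disjoint(required, callerRoles);
    }

    public static void main(String[] args) throws Exception {
        Method first = SomeClass.class.getMethod("theFirstMethod");
        Method second = SomeClass.class.getMethod("theSecondMethod");
        Method destroy = Reactor.class.getMethod("destroyEverything");
        Set<String> developer = Collections.singleton("developer");
        Set<String> admin = Collections.singleton("admin");
        Set<String> simple = Collections.singleton("simple");

        // The Given/When/Then from the message: a developer reaches theSecondMethod only.
        check("developer -> theFirstMethod", isAllowed(first, developer), false);
        check("developer -> theSecondMethod", isAllowed(second, developer), true);
        // The method-level annotation replaces the class-level one rather than widening it,
        // so "admin" alone is no longer enough for theSecondMethod.
        check("admin -> theFirstMethod", isAllowed(first, admin), true);
        check("admin -> theSecondMethod", isAllowed(second, admin), false);
        // Multi-role list: any listed role is enough, which is the concern raised below.
        check("simple -> destroyEverything", isAllowed(destroy, simple), true);
    }

    static void check(String label, boolean actual, boolean expected) {
        if (actual != expected) {
            throw new AssertionError(label + ": expected " + expected + ", got " + actual);
        }
        System.out.println(label + ": " + actual);
    }
}
```

Save it as SecureResolution.java and run it with javac and java (or `java SecureResolution.java` on Java 11+); it throws an AssertionError if any of the expected decisions does not hold. The resolution is kept in requiredRoles, separate from the role comparison, so the precedence rule can be unit-tested without a container, and the "any of" role semantics can be swapped for a stricter "all of" rule in isAllowed without touching the lookup.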
----- Original Message -----
Sorry, I don't get your example; why should destroyEverything() also have "simple" annotated?
On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> But if you are supporting multiple roles, you can't avoid such an issue.
> For example:
>
> @Secure({"developer", "simple"})
> public void destroyEverything() {
>     // access the nuclear reactor
> }
>
> So the interceptor will look into this method and say "geez, we have a simple role here" and bang!
> What would be the solution for such a problem?
> Sebastien Blanc wrote:
> > Well, I was thinking of annotating methods, so delete all the thing
> > will be only for "developer" and "admin"
> --
> abstractj
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev