Re: [aerogear-dev] [Unified Push Server] Roles structure & password management
On Tue, 5 Nov 2013 18:17:38 +0100
Matthias Wessendorf <matzew(a)apache.org> wrote:
On Tue, Nov 5, 2013 at 6:07 PM, Sebastien Blanc
<scm.blanc(a)gmail.com> wrote:
> Sorry I don't get your example, why should destroyEverything() also have
> "simple" annotated?
>
yep - that endpoint would be never annotated w/ "simple";
I think the problem if the annotation contains "incorrect" roles or not is
not a problem on the UPS.
It's more an issue w/ the underlying security framework:
E.g. how can I specify that someone with the role "simple" NEVER is able to
(deep in the stack) can call entityManger.delete();
There is no such think. Security framework would need to proxy EntityManager.
Such think does not exists in PL, although I admit it would be handy and not
that complicated to implement. The closest OSS solution I've found is
http://jpasecurity.sourceforge.net/. So the, only solution possible for now is
to @Secure DAO objects on CRUD level.
>
>
>
> On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno(a)abstractj.org>wrote:
>
>> But if you are supporting multiple roles, you can't avoid such issue.
>>
>> For example:
>>
>> @Secure({"developer", "simple"})
>> public void destroyEverything(){
>> // access the nuclear reactor
>> }
>>
>> So the interceptor will look into this method and say "geez we have
>> simple role here" and bang!
>>
>> What would be the solution for such problem?
>>
>> Sebastien Blanc wrote:
>> > Well, I was thinking of annotating methods, so delete all the thing
>> > will be only for "developer" and "admin"
>>
>> --
>> abstractj
>>
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>