On Tue, Nov 5, 2013 at 6:07 PM, Sebastien Blanc <scm.blanc(a)gmail.com> wrote:
> Sorry I don't get your example, why should destroyEverything() also have "simple" annotated?
yep - that endpoint would never be annotated w/ "simple";
I think the problem of whether the annotation contains "incorrect" roles or not is not a problem on the UPS.
It's more an issue w/ the underlying security framework:
E.g. how can I specify that someone with the role "simple" is NEVER able to (deep in the stack) call entityManger.delete();
On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> But if you are supporting multiple roles, you can't avoid such issue.
>
> For example:
>
> @Secure({"developer", "simple"})
> public void destroyEverything(){
> // access the nuclear reactor
> }
>
> So the interceptor will look into this method and say "geez we have
> simple role here" and bang!
>
> What would be the solution for such problem?
>
> Sebastien Blanc wrote:
> > Well, I was thinking of annotating methods, so delete all the thing
> > will be only for "developer" and "admin"
>
> --
> abstractj
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
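
The any-of role check discussed in this thread, with an audit that catches a destructive method whose annotation lists a role it should not. This is an added example, not code from the thread or from AeroGear: the `@Secure` definition, the `Endpoints` class, the `isAllowed`/`audit` helpers and the policy map are all assumptions made for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class SecureAudit {
    // Hypothetical stand-in for the @Secure annotation quoted in the thread.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Secure { String[] value(); }

    // Constructed sample endpoints.
    static class Endpoints {
        @Secure({"developer", "simple"})   // the mis-annotation from the thread
        public void destroyEverything() { }

        @Secure({"developer", "admin"})
        public void deleteAll() { }

        @Secure({"developer", "admin", "simple"})
        public void listVariants() { }     // not in the policy map, so not audited
    }

    // Any-of semantics: the caller gets in if ONE of their roles is listed.
    static boolean isAllowed(Method m, Set<String> callerRoles) {
        Secure s = m.getAnnotation(Secure.class);
        if (s == null) return false;       // deny by default when unannotated
        return Arrays.stream(s.value()).anyMatch(callerRoles::contains);
    }

    // Audit: report methods whose @Secure list exceeds the roles permitted for them.
    static List<String> audit(Class<?> type, Map<String, Set<String>> policy) {
        List<String> findings = new ArrayList<>();
        for (Method m : type.getDeclaredMethods()) {
            Secure s = m.getAnnotation(Secure.class);
            Set<String> permitted = policy.get(m.getName());
            if (s == null || permitted == null) continue;
            for (String role : s.value())
                if (!permitted.contains(role))
                    findings.add(m.getName() + " grants unexpected role \"" + role + "\"");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        Method m = Endpoints.class.getMethod("destroyEverything");
        System.out.println("simple may call destroyEverything: " + isAllowed(m, Set.of("simple")));
        Map<String, Set<String>> policy = Map.of(
            "destroyEverything", Set.of("developer", "admin"),
            "deleteAll", Set.of("developer", "admin"));
        audit(Endpoints.class, policy).forEach(System.out::println);
    }
}
```

Run as a unit test in the build, an audit like this fails when a low-privilege role is added to a destructive method, which the interceptor alone cannot detect because it only trusts the annotation.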