On Tue, Nov 5, 2013 at 6:07 PM, Sebastien Blanc <scm.blanc@gmail.com> wrote:
Sorry I don't get your example, why should destroyEverything() also have "simple" annotated?

yep - that endpoint would never be annotated w/ "simple";

I think whether the annotation contains "incorrect" roles or not is not a problem on the UPS.

It's more an issue w/ the underlying security framework:
E.g. how can I specify that someone with the role "simple" is NEVER able to (deep in the stack) call entityManager.delete();
On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
But if you are supporting multiple roles, you can't avoid such an issue.

For example:

@Secure({"developer", "simple"})
public void destroyEverything(){
// access the nuclear reactor
}

So the interceptor will look into this method and say "geez we have
simple role here" and bang!

What would be the solution for such a problem?

Sebastien Blanc wrote:
> Well, I was thinking of annotating methods, so delete all the thing
> will be only for "developer" and "admin"

--
abstractj



_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev




--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
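The two points in the thread (an "any-of" role annotation on a destructive method widens access, and the annotation layer cannot see what happens deeper in the stack) can be shown with a small interceptor. This is an added example written for this thread, not AeroGear or UPS code; the annotation name `Secure`, the `Caller`, `NuclearOps`, `WideOps` and `NarrowOps` types are invented, and the interceptor is a plain `java.lang.reflect.Proxy` rather than a real CDI/EJB interceptor. It reproduces the "geez we have simple role here" case next to the narrowed annotation, and pushes a second role check down into the layer that would do the delete, which is the only place the "never, deep in the stack" guarantee can actually be enforced.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not project code: a toy "any listed role may call" interceptor.
public class RoleInterceptorDemo {

    // Hypothetical annotation: the caller needs at least ONE of the listed roles.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface Secure { String[] value(); }

    // Stand-in for the security context of the current request.
    public static final class Caller {
        final Set<String> roles;
        Caller(String... roles) { this.roles = new HashSet<>(Arrays.asList(roles)); }
        boolean has(String role) { return roles.contains(role); }
    }

    // The "deep in the stack" layer: defence in depth, independent of the annotation.
    public static final class Repository {
        void deleteAll(Caller caller) {
            if (!caller.has("developer")) {
                throw new SecurityException("repository: delete requires developer");
            }
            // entityManager.remove(...) would happen here
        }
    }

    public interface NuclearOps {
        void destroyEverything();
        void readStatus();
    }

    // "Before": the widened annotation from the thread's example.
    public static final class WideOps implements NuclearOps {
        private final Repository repo = new Repository();
        private final Caller caller;
        public WideOps(Caller caller) { this.caller = caller; }
        @Secure({"developer", "simple"})
        public void destroyEverything() { repo.deleteAll(caller); }
        @Secure({"simple", "developer"})
        public void readStatus() { }
    }

    // "After": destructive method restricted to the narrowest role.
    public static final class NarrowOps implements NuclearOps {
        private final Repository repo = new Repository();
        private final Caller caller;
        public NarrowOps(Caller caller) { this.caller = caller; }
        @Secure({"developer"})
        public void destroyEverything() { repo.deleteAll(caller); }
        @Secure({"simple", "developer"})
        public void readStatus() { }
    }

    // Interceptor: read @Secure from the implementation method, deny by default,
    // allow when the caller holds any one of the listed roles.
    public static NuclearOps secure(NuclearOps target, Caller caller) {
        return (NuclearOps) Proxy.newProxyInstance(
            NuclearOps.class.getClassLoader(), new Class<?>[] { NuclearOps.class },
            (proxy, method, args) -> {
                Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
                Secure s = impl.getAnnotation(Secure.class);
                if (s == null) throw new SecurityException("deny by default: " + method.getName());
                if (Collections.disjoint(Arrays.asList(s.value()), caller.roles)) {
                    throw new SecurityException("interceptor: no matching role for " + method.getName());
                }
                return method.invoke(target, args);
            });
    }

    // True when the call passes both the interceptor and the repository check.
    static String outcome(Runnable call) {
        try { call.run(); return "allowed"; } catch (SecurityException e) { return "denied (" + e.getMessage() + ")"; }
    }

    public static void main(String[] args) {
        Caller simple = new Caller("simple");
        List<NuclearOps> impls = List.of(new WideOps(simple), new NarrowOps(simple));
        for (NuclearOps impl : impls) {
            NuclearOps ops = secure(impl, simple);
            System.out.println(impl.getClass().getSimpleName()
                + ": readStatus -> " + outcome(ops::readStatus)
                + "; destroyEverything -> " + outcome(ops::destroyEverything));
        }
    }
}
```

With `WideOps`, the interceptor lets the "simple" caller through to `destroyEverything()` exactly as Bruno describes, and only the repository's own check stops the delete; with `NarrowOps`, the interceptor denies it before the stack is entered at all. Keeping both checks is what turns "the endpoint would never be annotated with simple" from a convention into something the code enforces.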