Hello,

When I was doing some REST endpoints and trying to test them with APE and Arquillian, I would like to see this one in action:

Given: I have this class

    @Secure({ "admin" })
    public class SomeClass {
        public void theFirstMethod() { }

        @Secure({ "developer" })
        public void theSecondMethod() { }
    }

When: I am logged in with the "developer" role
Then: I can call theSecondMethod but I cannot call theFirstMethod.

Right now, the implementation logic assumes that the class-level @Secure takes it all; I would expect that the class-level scope is used when there is no annotation present on some particular method, otherwise the one on the method level is used.
From the implementation point of view, to have the idea:
    @AroundInvoke
    public Object invoke(InvocationContext ctx) throws Exception {

        Class<?> clazz = ctx.getTarget().getClass();
        Method method = ctx.getMethod();

        // method beats the class: a method-level @Secure is authorized on
        // its own, and the class-level @Secure is only the fallback for
        // methods that carry no annotation of their own
        if (method.isAnnotationPresent(Secure.class)) {
            authorize(methodMetadata(ctx));
        } else if (clazz.isAnnotationPresent(Secure.class)) {
            authorize(clazzMetadata(ctx));
        }

        return ctx.proceed();
    }
However, it is rather unknown how this fits into your perspective, but I have to say that I personally do not like the way it is done right now.

Regards

Stefan Miklosovic
Red Hat Brno - JBoss Mobile Platform

e-mail: smikloso@redhat.com
irc: smikloso
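An added example (not AeroGear's or the poster's code) that shows the method-over-class precedence described above with a stand-in @Secure annotation and the "any of the listed roles" check; the helper names effectiveSecure and isAllowed are assumptions, as is the shape of @Secure:

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;

public class SecurePrecedenceDemo {
    // Stand-in for the project's @Secure (assumption: a runtime annotation holding role names).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Secure { String[] value(); }

    // The class from the Given/When/Then above.
    @Secure({"admin"})
    public static class SomeClass {
        public void theFirstMethod() { }
        @Secure({"developer"})
        public void theSecondMethod() { }
    }

    // Method-level @Secure wins; the class-level one is used only when the method has none.
    static Secure effectiveSecure(Method method) {
        Secure onMethod = method.getAnnotation(Secure.class);
        if (onMethod != null) {
            return onMethod;
        }
        return method.getDeclaringClass().getAnnotation(Secure.class);
    }

    // The caller may invoke when it holds at least one of the required roles ("any of"),
    // which is why a {"developer", "simple"} annotation is reachable with the "simple" role alone.
    static boolean isAllowed(Method method, Set<String> callerRoles) {
        Secure secure = effectiveSecure(method);
        if (secure == null) {
            return true; // no @Secure anywhere: unsecured
        }
        return Arrays.stream(secure.value()).anyMatch(callerRoles::contains);
    }

    public static void main(String[] args) throws Exception {
        Set<String> developer = Set.of("developer");
        Method first = SomeClass.class.getMethod("theFirstMethod");
        Method second = SomeClass.class.getMethod("theSecondMethod");
        System.out.println("developer -> theFirstMethod:  " + isAllowed(first, developer));
        System.out.println("developer -> theSecondMethod: " + isAllowed(second, developer));
    }
}
```

Resolving the annotation via the declaring class rather than the runtime target avoids surprises when the container hands the interceptor a proxy subclass.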


Sorry, I don't get your example, why should destroyEverything() also have "simple" annotated?



On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
But if you are supporting multiple roles, you can't avoid such issue.

For example:

@Secure({"developer", "simple"})
public void destroyEverything(){
// access the nuclear reactor
}

So the interceptor will look into this method and say "geez we have
simple role here" and bang!

What would be the solution for such problem?

Sebastien Blanc wrote:
> Well, I was thinking of annotating methods, so delete all the thing
> will be only for "developer" and "admin"

--
abstractj



_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev