9:23 a.m.
Stefan pointed out that method scoped @Secure vs. class scoped
@Secure behavior should be clarified as well - method one should take
precedence. This relates to behavior of the annotation itself (one role from
set vs. multiple roles) as Sebi pointed out.
Karel
On Thu, 7 Nov 2013 13:55:15 +0100
Matthias Wessendorf <matzew(a)apache.org> wrote:
excuse me, but how does that related to the roles and structure that
we
discuss in THIS thead ?
On Thu, Nov 7, 2013 at 1:33 PM, Stefan Miklosovic <smikloso(a)redhat.com>wrote:
> Hello,
>
> when I was doing some REST endpoints and I was trying to test that with APE
> and Arquillian, I would like to see this one in the action:
>
> Given:
>
> I have this class
>
> @Secure( { "admin" })
> public class SomeClass {
>
> public void theFirstMethod() {
> }
>
> @Secure({ "developer" })
> public void theSecondMethod() {
> }
> }
>
> When:
>
> I am logged in with "developer" role
>
> Then:
>
> I can call theSecondMethod but I can not call theFirstMethod.
>
> Right now, the implementation logic assumes that class level @Secure takes
> it all, I would expect that class level scope is used when there is not any
> annotation present on some particular method, otherwise that one on the
> method level is used.
>
> From the implementation point of view to have the idea:
>
> @AroundInvoke
> public Object invoke(InvocationContext ctx) throws Exception {
>
> Class clazz = ctx.getTarget().getClass();
> Method method = ctx.getMethod();
>
> // this will be added
>
> // method beats the class
> if (clazz.isAnnotationPresent(Secure.class) &&
> method.isAnnotationPresent(Secure.class)) {
> authorize(methodMetadata(ctx));
> }
>
> // end of adding things
>
> if (clazz.isAnnotationPresent(Secure.class)) {
> authorize(clazzMetadata(ctx));
> }
>
> Method method = ctx.getMethod();
>
> if (method.isAnnotationPresent(Secure.class)) {
> authorize(methodMetadata(ctx));
> }
> return ctx.proceed();
>
> However it is rather unknow how this fits into your perspective but I have
> to say that I personally do not like the way how it is done right now.
>
> Regards
>
> Stefan Miklosovic
> Red Hat Brno - JBoss Mobile Platform
>
> e-mail: smikloso(a)redhat.com
> irc: smikloso
>
> ------------------------------
>
> Sorry I don't get your example, why should destroyEverything() also have
> "simple" annotated?
>
>
>
> On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
>
>> But if you are supporting multiple roles, you can't avoid such issue.
>>
>> For example:
>>
>> @Secure({"developer", "simple"})
>> public void destroyEverything(){
>> // access the nuclear reactor
>> }
>>
>> So the interceptor will look into this method and say "geez we have
>> simple role here" and bang!
>>
>> What would be the solution for such problem?
>>
>> Sebastien Blanc wrote:
>> > Well, I was thinking of annotating methods, so delete all the thing
>> > will be only for "developer" and "admin"
>>
>> --
>> abstractj
>>
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>