Hello,
when I was doing some REST endpoints and I was trying to test that with APE and Arquillian, I would like to see this one in the action:
Given: I have this class

    @Secure( { "admin" })
    public class SomeClass {
        public void theFirstMethod() { }

        @Secure({ "developer" })
        public void theSecondMethod() { }
    }

When: I am logged in with "developer" role
Then: I can call theSecondMethod but I can not call theFirstMethod.

Right now, the implementation logic assumes that class level @Secure takes it all, I would expect that class level scope is used when there is not any annotation present on some particular method, otherwise that one on the method level is used.

From the implementation point of view to have the idea:

    @AroundInvoke
    public Object invoke(InvocationContext ctx) throws Exception {
        Class<?> clazz = ctx.getTarget().getClass();
        Method method = ctx.getMethod();

        // this will be added
        // method beats the class
        if (clazz.isAnnotationPresent(Secure.class) && method.isAnnotationPresent(Secure.class)) {
            authorize(methodMetadata(ctx));
            // skip the class-level check below, otherwise it would still be enforced
            return ctx.proceed();
        }
        // end of adding things

        if (clazz.isAnnotationPresent(Secure.class)) {
            authorize(clazzMetadata(ctx));
        }

        // ctx.getMethod() is already held in 'method' above
        if (method.isAnnotationPresent(Secure.class)) {
            authorize(methodMetadata(ctx));
        }

        return ctx.proceed();
    }

However it is rather unknown how this fits into your perspective but I have to say that I personally do not like the way how it is done right now.

Regards

Sorry I don't get your example, why should destroyEverything() also have "simple" annotated?

On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
But if you are supporting multiple roles, you can't avoid such issue.
For example:
@Secure({"developer", "simple"})
public void destroyEverything(){
// access the nuclear reactor
}
So the interceptor will look into this method and say "geez we have
simple role here" and bang!
What would be the solution for such problem?
--
Sebastien Blanc wrote:
> Well, I was thinking of annotating methods, so delete all the thing
> will be only for "developer" and "admin"
abstractj
_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
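
The two behaviours discussed in this thread (method-level @Secure replacing the class-level one, and a multi-role annotation admitting any one of its roles) shown together as an added example; it is not code from the thread or from AeroGear. The nested `Secure` annotation is a stand-in with an assumed shape, `effectiveRoles` and `isAllowed` are hypothetical helpers, and treating an unannotated method as unsecured is an assumption.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class SecurePrecedenceDemo {
    // Stand-in for the @Secure annotation discussed in the thread (assumed shape).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Secure { String[] value(); }

    @Secure({"admin"})
    static class SomeClass {
        public void theFirstMethod() { }
        @Secure({"developer"})
        public void theSecondMethod() { }
    }

    // Hypothetical helper: a method-level @Secure replaces the class-level one;
    // the class-level annotation applies only when the method has none.
    static Set<String> effectiveRoles(Method m) {
        Secure s = m.getAnnotation(Secure.class);
        if (s == null) s = m.getDeclaringClass().getAnnotation(Secure.class);
        return s == null ? null : new HashSet<>(Arrays.asList(s.value()));
    }

    // Hypothetical check: any one listed role is sufficient (OR semantics),
    // so every role named in an annotation grants access on its own.
    static boolean isAllowed(Method m, Set<String> callerRoles) {
        Set<String> required = effectiveRoles(m);
        if (required == null) return true; // assumption: unannotated means unsecured
        return !Collections.disjoint(required, callerRoles);
    }

    public static void main(String[] args) throws Exception {
        Set<String> developer = Collections.singleton("developer");
        Set<String> admin = Collections.singleton("admin");
        for (String name : new String[] {"theFirstMethod", "theSecondMethod"}) {
            Method m = SomeClass.class.getMethod(name);
            System.out.println(name + " requires " + effectiveRoles(m)
                + " developer=" + isAllowed(m, developer)
                + " admin=" + isAllowed(m, admin));
        }
    }
}
```

With override semantics the class-level "admin" role no longer reaches theSecondMethod, so a method annotation has to list every role that should keep access.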