Dmitrii Bocharov updated JBIDE-23173:
-------------------------------------
Fix Version/s: 4.5.x (was: 4.4.x)
Missing validation of @SecurityParameterBinding
-----------------------------------------------
Key: JBIDE-23173
URL: https://issues.jboss.org/browse/JBIDE-23173
Project: Tools (JBoss Tools)
Issue Type: Bug
Components: cdi-extensions
Affects Versions: 4.4.1.Final
Reporter: Lukáš Valach
Fix For: 4.5.x
Attachments: SecurityBindingType-Log.txt, securityParameterBinding.zip
The CDI extension DeltaSpike allows creating custom @SecurityParameterBinding types.
These types allow injecting parameter values from the method invocation into the authorizer
bean. (See [documentation of Deltaspike/Security Module|https://deltaspike.apache.org/documentation/security.html#Simplein...]).
When I create my own security parameter
{code:java}
@SecurityParameterBinding
public @interface MySecurityParameter {
}
{code}
...and authorizer
{code:java}
public class CustomAuthorizer {
    @Secures
    @CustomSecurityBinding()
    public boolean check(@MySecurityParameter String parameter) {
        return true;
    }
}
{code}
...then I can secure some methods, but these methods must have an appropriate input
parameter with the correct type and with the annotation
{code:java}
public class SecuredBean {
    // OK
    @CustomSecurityBinding()
    public SecuredBean doSomething(@MySecurityParameter String parameter) {
        return null;
    }

    // Not-OK (Missing @MySecurityParameter annotation)
    @CustomSecurityBinding()
    public SecuredBean doSomething2(String parameter) {
        return null;
    }

    // Not-OK (Bad type - Integer)
    @CustomSecurityBinding()
    public SecuredBean doSomething3(@MySecurityParameter Integer parameter) {
        return null;
    }
}
{code}
Methods doSomething2 and doSomething3 cause an exception "SecurityDefinitionException: No
matching authorizer found for security". The validator doesn't detect any problems.
The attached project can be used to reproduce this issue [^securityParameterBinding.zip].