[aerogear-dev] [Unified Push Server] Roles structure & password management

Matthias Wessendorf matzew at apache.org
Thu Nov 7 07:55:15 EST 2013


excuse me, but how does that relate to the roles and structure that we
discuss in THIS thread?




On Thu, Nov 7, 2013 at 1:33 PM, Stefan Miklosovic <smikloso at redhat.com> wrote:

> Hello,
>
> When I was doing some REST endpoints and trying to test them with APE and Arquillian, I would like to see this one in action:
>
> Given:
>
> I have this class
>
> @Secure( { "admin" })
> public class SomeClass {
>
>     public void theFirstMethod() {
>     }
>
>     @Secure({ "developer" })
>     public void theSecondMethod() {
>     }
> }
>
> When:
>
> I am logged in with "developer" role
>
> Then:
>
> I can call theSecondMethod but I can not call theFirstMethod.
>
> Right now the implementation logic assumes that the class-level @Secure takes it all; I would expect the class-level scope to be used when there is no annotation present on a particular method, otherwise the one on the method level is used.
>
> From the implementation point of view, to have the idea:
>
>     @AroundInvoke
>     public Object invoke(InvocationContext ctx) throws Exception {
>
>         Class<?> clazz = ctx.getTarget().getClass();
>         Method method = ctx.getMethod();
>
>         // this will be added
>
>         // method beats the class: when both are annotated, check only the
>         // method-level roles and skip the class-level check below
>         if (clazz.isAnnotationPresent(Secure.class) &&
>             method.isAnnotationPresent(Secure.class)) {
>             authorize(methodMetadata(ctx));
>             return ctx.proceed();
>         }
>
>        // end of adding things
>
>         // class-level annotation only
>         if (clazz.isAnnotationPresent(Secure.class)) {
>             authorize(clazzMetadata(ctx));
>         }
>
>         // method-level annotation only (method is already declared above)
>         if (method.isAnnotationPresent(Secure.class)) {
>             authorize(methodMetadata(ctx));
>         }
>         return ctx.proceed();
>     }
>
> However, it is rather unknown how this fits into your perspective, but I have
> to say that I personally do not like the way it is done right now.
>
> Regards
>
> Stefan Miklosovic
> Red Hat Brno - JBoss Mobile Platform
>
> e-mail: smikloso at redhat.com
> irc: smikloso
>
> ------------------------------
>
> Sorry I don't get your example, why should destroyEverything() also have
>  "simple" annotated?
>
>
>
> On Tue, Nov 5, 2013 at 6:03 PM, Bruno Oliveira <bruno at abstractj.org>
>  wrote:
>
>> But if you are supporting multiple roles, you can't avoid such issue.
>>
>> For example:
>>
>> @Secure({"developer", "simple"})
>> public void destroyEverything(){
>> // access the nuclear reactor
>> }
>>
>> So the interceptor will look into this method and say "geez we have
>> simple role here" and bang!
>>
>> What would be the solution for such problem?
>>
>> Sebastien Blanc wrote:
>> > Well, I was thinking of annotating methods, so delete all the thing
>> > will be only for "developer" and "admin"
>>
>> --
>> abstractj
>>
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
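As an added illustration of the precedence Stefan describes (not code from this thread or from the UnifiedPush Server), the plain-Java resolver below lets a method-level @Secure override a class-level one and grants access when the caller holds any listed role; the Secure annotation, the SomeClass/Reactor classes and the helper names are assumptions for the example. Bruno's destroyEverything case is included to show why "any of these roles" semantics need to be chosen deliberately.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class SecureResolution {

    // Hypothetical stand-in for the @Secure annotation: roles allowed to call the target.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Secure { String[] value(); }

    // Stefan's Given: class-level "admin", method-level override with "developer".
    @Secure({"admin"})
    public static class SomeClass {
        public void theFirstMethod() {}
        @Secure({"developer"})
        public void theSecondMethod() {}
    }

    // Bruno's case: one method that lists two roles (constructed example).
    public static class Reactor {
        @Secure({"developer", "simple"})
        public void destroyEverything() {}
    }

    // Method-level @Secure wins; otherwise fall back to the class-level one; otherwise unrestricted.
    static Set<String> requiredRoles(Method m) {
        Secure s = m.getAnnotation(Secure.class);
        if (s == null) s = m.getDeclaringClass().getAnnotation(Secure.class);
        return s == null ? Collections.<String>emptySet() : new HashSet<String>(Arrays.asList(s.value()));
    }

    // "Any-of" semantics: the caller needs at least one of the required roles.
    static boolean authorized(Set<String> callerRoles, Method m) {
        Set<String> required = requiredRoles(m);
        return required.isEmpty() || !Collections.disjoint(required, callerRoles);
    }

    public static void main(String[] args) throws Exception {
        Set<String> developer = Collections.singleton("developer");
        Set<String> simple = Collections.singleton("simple");
        System.out.println("developer -> theFirstMethod:  "
                + authorized(developer, SomeClass.class.getMethod("theFirstMethod")));
        System.out.println("developer -> theSecondMethod: "
                + authorized(developer, SomeClass.class.getMethod("theSecondMethod")));
        // Bruno's objection: with any-of semantics the "simple" role gets in as well.
        System.out.println("simple -> destroyEverything:  "
                + authorized(simple, Reactor.class.getMethod("destroyEverything")));
    }
}
```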

