Posted to users@deltaspike.apache.org by Thomas Frühbeck <fr...@aon.at> on 2014/12/15 00:44:15 UTC

missing security parameter binding on nonbinding member?

Hi,

I am using DS-1.2.0.
I get a missing parameter binding exception in the following situation:

Exception:
java.lang.IllegalStateException: Missing required security parameter binding [@at.telekom.sms.web.security.AuthorizedParam(action=UPDATE)] on method invocation [net.a1.csms.jsf.GroupBean.setCsmsGroup(class at.telekom.sms.persistence.entities.SmsLists)]

Binding Annotation:

@SecurityParameterBinding
@Target({ TYPE, METHOD, FIELD, PARAMETER })
@Retention(RUNTIME)
public @interface AuthorizedParam {

     @Nonbinding
     Action action() default Action.UPDATE;

}

Authorizer:

public class MssmsAuthorizer {

     @Secures @Authorized
     public boolean authorized(InvocationContext ctx, @LoggedIn MssmsUser mssmsUser, @AuthorizedParam SmsLists smsList) {
         return doAuthorize(ctx, mssmsUser, smsList);
     }
}


Annotated Bean method:

{
     @Authorized
     @OpenTransactionProvided(rollbackOnly=true)
     public void setCsmsGroup(@AuthorizedParam(action=Action.READ) final SmsLists newGroup) {
...
     }
}


Can you please explain what I am doing wrong?

Many Thanks,
Thomas



Re: missing security parameter binding on nonbinding member?

Posted by Gerhard Petracek <ge...@gmail.com>.
short addition:
i'm ready to push the improvement for SecurityParameterValueRedefiner -> it
would be nice if you create the jira-ticket for it.

regards,
gerhard

http://www.irian.at

Your JavaEE powerhouse -
JavaEE Consulting, Development and
Courses in English and German

Professional Support for Apache
MyFaces, DeltaSpike and OpenWebBeans



2014-12-15 2:26 GMT+01:00 Gerhard Petracek <ge...@gmail.com>:
>
> hi thomas,
>
> i just checked that part which came in from seam3 and it looks like it
> never supported @Nonbinding.
> (SecurityParameterValueRedefiner just uses a set to check for the same
> annotation-instances.)
>
> -> please file a jira-ticket (see [1]).
> it's planned to release v1.2.1 quite soon -> maybe we can add the support
> for @Nonbinding with the upcoming release.
>
> regards,
> gerhard
>
> [1] https://issues.apache.org/jira/browse/DELTASPIKE

Re: missing security parameter binding on nonbinding member?

Posted by Gerhard Petracek <ge...@gmail.com>.
hi thomas,

i just checked that part which came in from seam3 and it looks like it
never supported @Nonbinding.
(SecurityParameterValueRedefiner just uses a set to check for the same
annotation-instances.)

-> please file a jira-ticket (see [1]).
it's planned to release v1.2.1 quite soon -> maybe we can add the support
for @Nonbinding with the upcoming release.

regards,
gerhard

[1] https://issues.apache.org/jira/browse/DELTASPIKE

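Added example, not from the thread or from DeltaSpike's source: a JDK-only model of the behaviour Gerhard describes, where a set lookup on annotation instances treats @AuthorizedParam(action=READ) and the default @AuthorizedParam as different bindings even though action() is marked @Nonbinding, next to a comparison that skips such members. NonbindingDemo, the local Nonbinding stand-in for the CDI annotation, and bindingEquals are names assumed for this illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class NonbindingDemo {
    enum Action { READ, UPDATE }

    // Stand-in for javax.enterprise.util.Nonbinding so the demo needs only the JDK.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Nonbinding {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @interface AuthorizedParam {
        @Nonbinding Action action() default Action.UPDATE;
    }

    // Parameter annotations as in the thread: the authorizer keeps the default,
    // the secured bean method sets action=READ.
    static void authorizer(@AuthorizedParam Object smsList) {}
    static void beanMethod(@AuthorizedParam(action = Action.READ) Object newGroup) {}

    static Annotation firstParamAnnotation(String method) throws Exception {
        return NonbindingDemo.class.getDeclaredMethod(method, Object.class)
                .getParameterAnnotations()[0][0];
    }

    // Comparison that skips members marked @Nonbinding.
    static boolean bindingEquals(Annotation a, Annotation b) throws Exception {
        if (!a.annotationType().equals(b.annotationType())) return false;
        for (Method member : a.annotationType().getDeclaredMethods()) {
            if (member.isAnnotationPresent(Nonbinding.class)) continue;
            member.setAccessible(true);
            if (!Objects.deepEquals(member.invoke(a), member.invoke(b))) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Annotation required = firstParamAnnotation("authorizer");
        Annotation supplied = firstParamAnnotation("beanMethod");
        // Annotation.equals/hashCode cover every member, so a plain set lookup misses.
        Set<Annotation> suppliedBindings = new HashSet<>(Collections.singleton(supplied));
        System.out.println("set lookup finds binding: " + suppliedBindings.contains(required));
        System.out.println("nonbinding-aware match:   " + bindingEquals(required, supplied));
    }
}
```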