Posted to users@deltaspike.apache.org by Andrew Schmidt <An...@impactmobile.com> on 2017/09/14 14:19:18 UTC
Secured Stereotype annotations and parent class methods do not invoke decision voter
I have a @Secured @Stereotype annotation

@Retention( RUNTIME )
@Stereotype
@Inherited
@Secured( CustomAccessDecisionVoter.class )
@Target( { ElementType.TYPE, ElementType.METHOD } )
public @interface Permission
{
}

And my decision voter:

@ApplicationScoped
public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter
{
    @Override
    protected void checkPermission( AccessDecisionVoterContext voterContext, Set<SecurityViolation> violations )
    {
        System.out.println( "Checking permission for " + voterContext.<InvocationContext> getSource().getMethod().getName() );
    }
}

And now a bean that inherits from another class

public class Animal
{
    public String getParentName()
    {
        return "parent";
    }
}

@Named
@Permission
public class Dog extends Animal
{
    public String getChildName()
    {
        return "dog";
    }
}

In JSF dogName: #{dog.childName} will invoke the checkPermission whereas #{dog.parentName} will not

Is this expected behavior?

I tested a similar concept out with a demo from the docs for a @SecurityBindingType annotation and it secured both methods. For example:

@Retention( value = RetentionPolicy.RUNTIME )
@Target( { ElementType.TYPE, ElementType.METHOD } )
@Documented
@SecurityBindingType
public @interface UserLoggedIn
{
}

@ApplicationScoped
public class LoginAuthorizer
{
    @Secures
    @UserLoggedIn
    public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
    {
        System.out.println( "doSecuredCheck called for: " + invocationContext.getMethod().getName() );
        return true;
    }
}

Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to fire for both getChildName and getParentName
Re: Secured Stereotype annotations and parent class methods do not invoke decision voter
Posted by Mark Struberg <st...@yahoo.de.INVALID>.
Sounds inconsistent indeed!
Can you please create a jira ticket so we don't forget to look at it in more detail?
txs and LieGrue,
strub
> On 14.09.2017 at 16:19, Andrew Schmidt <An...@impactmobile.com> wrote:
>
> I have a @Secured @Stereotype annotation
>
> @Retention( RUNTIME )
> @Stereotype
> @Inherited
> @Secured( CustomAccessDecisionVoter.class )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> public @interface Permission
> {
>
> }
>
> And my decision voter:
>
> @ApplicationScoped
> public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter
> {
>     @Override
>     protected void checkPermission( AccessDecisionVoterContext voterContext, Set<SecurityViolation> violations )
>     {
>         System.out.println( "Checking permission for " + voterContext.<InvocationContext> getSource().getMethod().getName() );
>     }
>
> }
>
> And now a bean that inherits from another class
>
> public class Animal
> {
>     public String getParentName()
>     {
>         return "parent";
>     }
> }
>
>
> @Named
> @Permission
> public class Dog extends Animal
> {
>     public String getChildName()
>     {
>         return "dog";
>     }
> }
>
>
> In JSF dogName: #{dog.childName} will invoke the checkPermission whereas #{dog.parentName} will not
>
> Is this expected behavior?
>
> I tested a similar concept out with a demo from the docs for a @SecurityBindingType annotation and it secured both methods. For example:
>
> @Retention( value = RetentionPolicy.RUNTIME )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> @Documented
> @SecurityBindingType
> public @interface UserLoggedIn
> {
>
> }
>
> @ApplicationScoped
> public class LoginAuthorizer
> {
>     @Secures
>     @UserLoggedIn
>     public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
>     {
>         System.out.println( "doSecuredCheck called for: " + invocationContext.getMethod().getName() );
>
>         return true;
>     }
> }
>
> Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to fire for both getChildName and getParentName
>
>