You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@deltaspike.apache.org by "Andrew Schmidt (JIRA)" <ji...@apache.org> on 2017/09/19 14:09:01 UTC
[jira] [Updated] (DELTASPIKE-1294) Secured Stereotypes do not get
applied to inherited methods
[ https://issues.apache.org/jira/browse/DELTASPIKE-1294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Schmidt updated DELTASPIKE-1294:
---------------------------------------
Description:
I have a @Secured @Stereotype annotation
{code:java}
@Retention( RUNTIME )
@Stereotype
@Inherited
@Secured( CustomAccessDecisionVoter.class )
@Target( { ElementType.TYPE, ElementType.METHOD } )
public @interface Permission {
}
{code}
And my decision voter:
{code:java}
@ApplicationScoped
public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter {
@Override
protected void checkPermission( AccessDecisionVoterContext voterContext, Set<SecurityViolation> violations )
{
System.out.println( "Checking permission for " + voterContext.<InvocationContext> getSource().getMethod().getName() );
}
}
{code}
And now a bean that inherits from another class
{code:java}
public class Animal
{
public String getParentName()
{
return "parent";
}
}
{code}
{code:java}
@Named
@Permission
public class Dog extends Animal
{
public String getChildName()
{
return "dog";
}
}
{code}
In JSF dogName:
{code}#{dog.childName}{code} will invoke the checkPermission whereas {code}#{dog.parentName}{code} will not
This is in contrast to the @SecurityBindingType
{code:java}
@Retention( value = RetentionPolicy.RUNTIME )
@Target( { ElementType.TYPE, ElementType.METHOD } )
@Documented
@SecurityBindingType
public @interface UserLoggedIn {
}
{code}
{code:java}
@ApplicationScoped
public class LoginAuthorizer
{
@Secures
@UserLoggedIn
public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
{
System.out.println( "doSecuredCheck called for: " + invocationContext.getMethod().getName() );
return true;
}
}
{code}
Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to fire for both getChildName and getParentName
was:
I have a @Secured @Stereotype annotation
{code:java}
@Retention( RUNTIME )
@Stereotype
@Inherited
@Secured( CustomAccessDecisionVoter.class )
@Target( { ElementType.TYPE, ElementType.METHOD } )
public @interface Permission {
}
{code}
And my decision voter:
{code:java}
@ApplicationScoped
public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter {
@Override
protected void checkPermission( AccessDecisionVoterContext voterContext, Set<SecurityViolation> violations )
{
System.out.println( "Checking permission for " + voterContext.<InvocationContext> getSource().getMethod().getName() );
}
}
{code}
And now a bean that inherits from another class
{code:java}
public class Animal
{
public String getParentName()
{
return "parent";
}
}
{code}
{code:java}
@Named
@Permission
public class Dog extends Animal
{
public String getChildName()
{
return "dog";
}
}
{code}
In JSF dogName: #{dog.childName} will invoke the checkPermission whereas #{dog.parentName} will not
This is in contrast to the @SecurityBindingType
{code:java}
@Retention( value = RetentionPolicy.RUNTIME )
@Target( { ElementType.TYPE, ElementType.METHOD } )
@Documented
@SecurityBindingType
public @interface UserLoggedIn {
}
{code}
{code:java}
@ApplicationScoped
public class LoginAuthorizer
{
@Secures
@UserLoggedIn
public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
{
System.out.println( "doSecuredCheck called for: " + invocationContext.getMethod().getName() );
return true;
}
}
{code}
Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to fire for both getChildName and getParentName
> Secured Stereotypes do not get applied to inherited methods
> -----------------------------------------------------------
>
> Key: DELTASPIKE-1294
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1294
> Project: DeltaSpike
> Issue Type: Bug
> Components: Security-Module
> Affects Versions: 1.8.0
> Reporter: Andrew Schmidt
>
> I have a @Secured @Stereotype annotation
> {code:java}
> @Retention( RUNTIME )
> @Stereotype
> @Inherited
> @Secured( CustomAccessDecisionVoter.class )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> public @interface Permission {
> }
> {code}
> And my decision voter:
> {code:java}
> @ApplicationScoped
> public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter {
> @Override
> protected void checkPermission( AccessDecisionVoterContext voterContext, Set<SecurityViolation> violations )
> {
> System.out.println( "Checking permission for " + voterContext.<InvocationContext> getSource().getMethod().getName() );
> }
> }
> {code}
> And now a bean that inherits from another class
> {code:java}
> public class Animal
> {
> public String getParentName()
> {
> return "parent";
> }
> }
> {code}
> {code:java}
> @Named
> @Permission
> public class Dog extends Animal
> {
> public String getChildName()
> {
> return "dog";
> }
> }
> {code}
> In JSF dogName:
> {code}#{dog.childName}{code} will invoke the checkPermission whereas {code}#{dog.parentName}{code} will not
> This is in contrast to the @SecurityBindingType
> {code:java}
> @Retention( value = RetentionPolicy.RUNTIME )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> @Documented
> @SecurityBindingType
> public @interface UserLoggedIn {
> }
> {code}
> {code:java}
> @ApplicationScoped
> public class LoginAuthorizer
> {
> @Secures
> @UserLoggedIn
> public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
> {
> System.out.println( "doSecuredCheck called for: " + invocationContext.getMethod().getName() );
> return true;
> }
> }
> {code}
> Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to fire for both getChildName and getParentName
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)