You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@deltaspike.apache.org by bu...@apache.org on 2015/05/12 20:37:25 UTC
svn commit: r951069 [2/2] - in /websites/staging/deltaspike/trunk/content:
./ documentation/
Modified: websites/staging/deltaspike/trunk/content/documentation/security.html
==============================================================================
--- websites/staging/deltaspike/trunk/content/documentation/security.html (original)
+++ websites/staging/deltaspike/trunk/content/documentation/security.html Tue May 12 18:37:24 2015
@@ -276,12 +276,27 @@ table.CodeRay td.code>pre{padding:0}
<h2 id="_overview">Overview</h2>
<div class="sectionbody">
<div class="paragraph">
-<p>The Security module provides intercept and security checking on method calls. This module also enables integration of third-party security frameworks and custom security concepts.</p>
+<p>The Security module provides APIs for authorization of method invocations.</p>
+</div>
+<div class="paragraph">
+<p>There are two different APIs provided for two different approaches — one simple interceptor-style API and another for more complex scenarios.</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><strong><a href="#_simple_interceptor_style_authorization">Simple interceptor-style API</a>:</strong> the method that is to be secured is loosely coupled to a predicate method
+(called <em>authorizer</em> method) which decides whether the secured method invocation should proceed. Similarly to CDI
+interceptors, the secured method and the authorizer are tied together using a binding annotation — <code>@SecurityBindingType</code> in this case.</p>
+</li>
+<li>
+<p><strong><a href="#_advanced_authorization">Advanced API</a>:</strong> this API offers fine-grained control over the authorization process. Multiple independent <em>voters</em> can participate in making the authorization decision and possibly return <em>security violations</em> and thus prevent the method invocation. The voters share a common context. This API is suitable for integration with third-party security frameworks. Also, this API can be used to <a href="jsf.html#_security_integration_via_secured">secure JSF view access</a> when using the DeltaSpike JSF module.</p>
+</li>
+</ul>
</div>
</div>
</div>
<div class="sect1">
-<h2 id="_configure_your_projects">Configure Your Projects</h2>
+<h2 id="_project_setup">Project Setup</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The configuration information provided here is for Maven-based projects and it assumes that you have already declared the DeltaSpike version and DeltaSpike Core module for your projects, as detailed in <a href="configure.html">Configure DeltaSpike in Your Projects</a>. For Maven-independent projects, see <a href="configure.html#config-maven-indep">Configure DeltaSpike in Maven-independent Projects</a>.</p>
@@ -310,7 +325,7 @@ table.CodeRay td.code>pre{padding:0}
</div>
</div>
<div class="sect2">
-<h3 id="_2_enable_the_security_interceptor">2. Enable the Security Interceptor</h3>
+<h3 id="_2_enable_the_securityinterceptor">2. Enable the SecurityInterceptor</h3>
<div class="paragraph">
<p>For CDI 1.0 (or DeltaSpike v1.1.0 and earlier together with CDI 1.1+), you must enable the security interceptor in the project <code>beans.xml</code> file:</p>
</div>
@@ -328,51 +343,44 @@ table.CodeRay td.code>pre{padding:0}
</div>
</div>
<div class="sect1">
-<h2 id="_use_the_module_features">Use the Module Features</h2>
+<h2 id="_simple_interceptor_style_authorization">Simple interceptor-style authorization</h2>
<div class="sectionbody">
-<div class="sect2">
-<h3 id="_securitybinding_for_class_and_method_invocations">SecurityBinding for Class and Method Invocations</h3>
<div class="paragraph">
<p>This feature of the Security module intercepts method calls and performs a security check before invocation is allowed to proceed.</p>
</div>
<div class="paragraph">
-<p>In order to use the DeltaSpike security module, you must first have
-installed the proper dependencies into the <code>pom.xml</code> file. Once this is
-complete, you may proceed to create a security parameter binding
-annotation. This is what we will use to add security behavior to our
-business classes and methods.</p>
+<p>The first piece of code required to use this API is a <em>security binding</em> annotation. This is what we will use to add security behavior to our business classes and methods.</p>
</div>
<div class="listingblock">
-<div class="title">Create the SecurityBinding</div>
+<div class="title">Create the security binding annotation</div>
<div class="content">
<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@Retention</span>(value = RUNTIME)
<span class="annotation">@Target</span>({TYPE, METHOD})
<span class="annotation">@Documented</span>
<span class="annotation">@SecurityBindingType</span>
-<span class="directive">public</span> <span class="annotation">@interface</span> CustomSecurityBinding {
-}</code></pre>
+<span class="directive">public</span> <span class="annotation">@interface</span> UserLoggedIn {}</code></pre>
</div>
</div>
<div class="paragraph">
-<p>Next, we must define an Authorizer class to implement behavior for our
-custom SecurityBindingType. This class is simply a CDI bean which
-declares a @Secures method, qualified with the security binding
+<p>Next, we must define an <em>authorizer</em> class to implement behavior for our
+custom security binding type. This class is simply a CDI bean which
+declares a method annotated <code>@Secures</code>, qualified with the security binding
annotation we created in the first step.</p>
</div>
<div class="paragraph">
-<p>This method has access to the InvocationContext of the method call, so
+<p>This method has access to the <code>InvocationContext</code> of the method call, so
if we need to access parameter arguments, we can do so using the given
context. Note that we may also inject other beans into the parameter
-list of our @Secures method.</p>
+list of our authorizer method.</p>
</div>
<div class="listingblock">
-<div class="title">Create the Authorizer</div>
+<div class="title">Create the authorizer</div>
<div class="content">
<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@ApplicationScoped</span>
-<span class="directive">public</span> <span class="type">class</span> <span class="class">CustomAuthorizer</span>
+<span class="directive">public</span> <span class="type">class</span> <span class="class">LoggedInAuthorizer</span>
{
<span class="annotation">@Secures</span>
- <span class="annotation">@CustomSecurityBinding</span>
+ <span class="annotation">@UserLoggedIn</span>
<span class="directive">public</span> <span class="type">boolean</span> doSecuredCheck(InvocationContext invocationContext, BeanManager manager, <span class="predefined-type">Identity</span> identity) <span class="directive">throws</span> <span class="exception">Exception</span>
{
<span class="keyword">return</span> identity.isLoggedIn(); <span class="comment">// perform security check</span>
@@ -383,15 +391,15 @@ list of our @Secures method.</p>
<div class="paragraph">
<p>We can then use our new annotation to secure business or bean methods.
This binding annotation may be placed on the entire class (securing all
-methods,) or on individual methods that you wish to secure.</p>
+methods) or on individual methods that you wish to secure.</p>
</div>
<div class="listingblock">
-<div class="title">Secure a Bean Method</div>
+<div class="title">Secure a bean method</div>
<div class="content">
<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@ApplicationScoped</span>
<span class="directive">public</span> <span class="type">class</span> <span class="class">SecuredBean1</span>
{
- <span class="annotation">@CustomSecurityBinding</span>
+ <span class="annotation">@UserLoggedIn</span>
<span class="directive">public</span> <span class="type">void</span> doSomething(Thing thing)
{
thing.doSomething();
@@ -401,11 +409,11 @@ methods,) or on individual methods that
</div>
<div class="paragraph">
<p>Next, we may access parameter values from the method invocation directly
-in our authorizer bean by creating custom @SecurityParameterBinding
+in our authorizer bean by creating custom <code>@SecurityParameterBinding</code>
types; this is a simple step once we have completed the work above:</p>
</div>
<div class="listingblock">
-<div class="title">Create a Parameter Binding Annotation</div>
+<div class="title">Create a parameter binding annotation</div>
<div class="content">
<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@Retention</span>(value = RUNTIME)
<span class="annotation">@Target</span>({PARAMETER})
@@ -421,13 +429,13 @@ values as arguments into our authorizer
security in our applications:</p>
</div>
<div class="listingblock">
-<div class="title">Update the Authorizer to use Parameter Binding</div>
+<div class="title">Update the authorizer to use parameter binding</div>
<div class="content">
<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@ApplicationScoped</span>
<span class="directive">public</span> <span class="type">class</span> <span class="class">CustomAuthorizer</span>
{
<span class="annotation">@Secures</span>
- <span class="annotation">@CustomSecurityBinding</span>
+ <span class="annotation">@UserLoggedIn</span>
<span class="directive">public</span> <span class="type">boolean</span> doSecuredCheck(InvocationContext invocationContext, BeanManager manager, <span class="predefined-type">Identity</span> identity, <span class="annotation">@CurrentThing</span> Thing thing) <span class="directive">throws</span> <span class="exception">Exception</span>
{
<span class="keyword">return</span> thing.hasMember(identity); <span class="comment">// perform security check against our method parameter</span>
@@ -444,7 +452,7 @@ security in our applications:</p>
<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@ApplicationScoped</span>
<span class="directive">public</span> <span class="type">class</span> <span class="class">SecuredBean1</span>
{
- <span class="annotation">@CustomSecurityBinding</span>
+ <span class="annotation">@UserLoggedIn</span>
<span class="directive">public</span> <span class="type">void</span> doSomething(<span class="annotation">@CurrentThing</span> Thing thing)
{
thing.doSomething();
@@ -467,7 +475,7 @@ case:</p>
<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@ApplicationScoped</span>
<span class="directive">public</span> <span class="type">class</span> <span class="class">SecuredBean1</span>
{
- <span class="annotation">@CustomSecurityBinding</span>
+ <span class="annotation">@UserLoggedIn</span>
<span class="directive">public</span> Thing loadSomething()
{
<span class="keyword">return</span> thingLoader.load();
@@ -477,7 +485,7 @@ case:</p>
</div>
<div class="paragraph">
<p>Now you need to access the return value in the authorizer method. You
-can inject it using the @SecuredReturn annotation. Update the Authorizer
+can inject it using the <code>@SecuredReturn</code> annotation. Update the authorizer
to use a secured return value:</p>
</div>
<div class="listingblock">
@@ -486,7 +494,7 @@ to use a secured return value:</p>
<span class="directive">public</span> <span class="type">class</span> <span class="class">CustomAuthorizer</span>
{
<span class="annotation">@Secures</span>
- <span class="annotation">@CustomSecurityBinding</span>
+ <span class="annotation">@UserLoggedIn</span>
<span class="directive">public</span> <span class="type">boolean</span> doSecuredCheck(<span class="annotation">@SecuredReturn</span> Thing thing, <span class="predefined-type">Identity</span> identity) <span class="directive">throws</span> <span class="exception">Exception</span>
{
<span class="keyword">return</span> thing.hasMember(identity); <span class="comment">// perform security check against the return value</span>
@@ -497,38 +505,13 @@ to use a secured return value:</p>
<p>Now the authorization will take place after the method invocation using
the return value of the business method.</p>
</div>
-<div class="listingblock">
-<div class="title">Complete the Parameter Binding</div>
-<div class="content">
-<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@ApplicationScoped</span>
-<span class="directive">public</span> <span class="type">class</span> <span class="class">SecuredBean1</span>
-{
- <span class="annotation">@CustomSecurityBinding</span>
- <span class="directive">public</span> <span class="type">void</span> doSomething(<span class="annotation">@CurrentThing</span> Thing thing)
- {
- thing.doSomething();
- }
-}</code></pre>
-</div>
</div>
-<div class="paragraph">
-<p>Our method is now secured, and we are able to use given parameter values
-as part of our security authorizer!</p>
</div>
-</div>
-<div class="sect2">
-<h3 id="_integrating_third_party_security_frameworks">Integrating Third-party Security Frameworks</h3>
-<div class="sect3">
-<h4 id="__secured">@Secured</h4>
+<div class="sect1">
+<h2 id="_advanced_authorization">Advanced authorization</h2>
+<div class="sectionbody">
<div class="paragraph">
-<p><code>@Secured</code> is build on <code>@SecurityBindingType</code> and a very simple
-alternative to the rest of the security module. It is a basic hook to
-integrate a custom security concept, third-party frameworks, etc. It
-does not provide a full blown security concept like the rest of the
-security module, but other DeltaSpike modules ensure that the security
-concepts are integrated properly (e.g. correct behaviour within custom
-scope implementations,…​). It just allows to integrate other security
-frameworks easily.</p>
+<p>This is an alternative to the simple annotation-based interceptor-style API. This API uses the annotation <code>@Secured</code> and is mainly a hook for integration of custom security concepts and third-party frameworks. The DeltaSpike Security module is <em>not</em> a full application security solution, but some of the other DeltaSpike modules are security-enabled and use this API (e.g. correct behaviour within custom scope implementations,…​). Internally, this <code>@Secured</code> API uses the <code>@Secures</code>/<code>@SecurityBindingType</code> API.</p>
</div>
<div class="paragraph">
<p>(In MyFaces CODI it was originally a CDI interceptor. This part changed
@@ -537,6 +520,9 @@ a bit, because between the interceptor a
approach. Therefore the basic behaviour remains the same and you can
think about it like an interceptor.)</p>
</div>
+<div class="paragraph">
+<p>The entry point to this API is the <code>@Secured</code> annotation placed either on the whole class — enabling security for all methods — or on individual methods. The only other prerequisite is at least one <code>AccessDecisionVoter</code> implementation, explained in the next section.</p>
+</div>
<div class="listingblock">
<div class="title">Securing All Intercepted Methods of a CDI Bean</div>
<div class="content">
@@ -562,11 +548,10 @@ think about it like an interceptor.)</p>
}</code></pre>
</div>
</div>
-</div>
-<div class="sect3">
-<h4 id="_accessdecisionvoter">AccessDecisionVoter</h4>
+<div class="sect2">
+<h3 id="_accessdecisionvoter">AccessDecisionVoter</h3>
<div class="paragraph">
-<p>This interface is (besides the <code>Secured</code> annotation) the most important
+<p>This interface is (besides the <code>@Secured</code> annotation) the most important
part of the concept. Both artifact types are also the only required
parts:</p>
</div>
@@ -584,18 +569,14 @@ parts:</p>
}</code></pre>
</div>
</div>
-<div class="paragraph">
-<p>[TODO] tip about the changed parameter/s</p>
-</div>
</div>
-<div class="sect3">
-<h4 id="_securityviolation">SecurityViolation</h4>
+<div class="sect2">
+<h3 id="_securityviolation">SecurityViolation</h3>
<div class="paragraph">
<p>In case of a detected violation a <code>SecurityViolation</code> has to be added to
the result returned by the <code>AccessDecisionVoter</code>.</p>
</div>
</div>
-</div>
<div class="sect2">
<h3 id="_abstractaccessdecisionvoter">AbstractAccessDecisionVoter</h3>
<div class="paragraph">
@@ -617,8 +598,9 @@ This is a convenience class which allows
}</code></pre>
</div>
</div>
-<div class="sect3">
-<h4 id="__secured_and_stereotypes_with_custom_meta_data">@Secured and Stereotypes with Custom Meta-data</h4>
+</div>
+<div class="sect2">
+<h3 id="__secured_and_stereotypes_with_custom_metadata">@Secured and stereotypes with custom metadata</h3>
<div class="paragraph">
<p>If there are multiple <code>AccessDecisionVoter</code> and maybe in different
constellations, it is easier to provide an expressive CDI stereotypes for
@@ -644,10 +626,10 @@ place.</p>
</div>
</div>
<div class="paragraph">
-<p>Furthermore, it is possible to provide custom meta-data easily.</p>
+<p>Furthermore, it is possible to provide custom metadata easily.</p>
</div>
<div class="listingblock">
-<div class="title">Stereotype of @Secured with Custom Meta-data</div>
+<div class="title">Stereotype of @Secured with custom metadata</div>
<div class="content">
<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@Named</span>
<span class="annotation">@Admin</span>(securityLevel=<span class="integer">3</span>)
@@ -679,156 +661,6 @@ place.</p>
</div>
</div>
</div>
-</div>
-<div class="sect2">
-<h3 id="_making_intitially_requested_and_secured_page_available_for_redirect_after_login">Making Intitially Requested and Secured Page available for Redirect after Login</h3>
-<div class="paragraph">
-<p>DeltaSpike can be combined with pure CDI or with any other security
-frameworks (like PicketLink) to track the denied page and make it
-available after user logs in.</p>
-</div>
-<div class="sect3">
-<h4 id="_cdi_implementation_to_redirect_the_login_to_the_first_denied_page">CDI Implementation to Redirect the Login to the First Denied Page</h4>
-<div class="paragraph">
-<p>Your LoginService will fire a custom <code>UserLoggedInEvent</code></p>
-</div>
-<div class="listingblock">
-<div class="content">
-<pre class="CodeRay highlight"><code data-lang="java"><span class="directive">public</span> <span class="type">class</span> <span class="class">LoginService</span> <span class="directive">implements</span> <span class="predefined-type">Serializable</span> {
-
- <span class="annotation">@Inject</span>
- <span class="directive">private</span> <span class="predefined-type">Event</span><UserLoggedInEvent> userLoggedInEvent;
-
- <span class="directive">public</span> Usuario login(<span class="predefined-type">String</span> username, <span class="type">char</span><span class="type">[]</span> password) {
- <span class="comment">//do the loggin process</span>
- userLoggedInEvent.fire(<span class="keyword">new</span> UserLoggedInEvent());
- }
-
-}</code></pre>
-</div>
-</div>
-<div class="paragraph">
-<p>Use @SessionScoped or @WindowScoped for AdminAccessDecisionVoter and
-store the denied page on your own.</p>
-</div>
-<div class="listingblock">
-<div class="content">
-<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@SessionScoped</span> <span class="comment">//or @WindowScoped</span>
-<span class="directive">public</span> <span class="type">class</span> <span class="class">AdminAccessDecisionVoter</span> <span class="directive">extends</span> AbstractAccessDecisionVoter {
-
- <span class="annotation">@Inject</span>
- <span class="directive">private</span> ViewConfigResolver viewConfigResolver;
-
- <span class="directive">private</span> <span class="predefined-type">Class</span><? <span class="directive">extends</span> ViewConfig> deniedPage = Pages.Home.class;
-
- <span class="annotation">@Override</span>
- <span class="directive">protected</span> <span class="type">void</span> checkPermission(AccessDecisionVoterContext context, <span class="predefined-type">Set</span><SecurityViolation> violations) {
- <span class="keyword">if</span>(loggedIn) {
- <span class="comment">//...</span>
- } <span class="keyword">else</span> {
- violations.add(<span class="comment">/*...*/</span>);
- deniedPage = viewConfigResolver.getViewConfigDescriptor(FacesContext.getCurrentInstance().getViewRoot().getViewId()).getConfigClass();
- }
- }
-
- <span class="directive">public</span> <span class="predefined-type">Class</span><? <span class="directive">extends</span> ViewConfig> getDeniedPage() {
- <span class="keyword">try</span> {
- <span class="keyword">return</span> deniedPage;
- } <span class="keyword">finally</span> {
- deniedPage = Pages.Home.class;
- }
- }
-}</code></pre>
-</div>
-</div>
-<div class="paragraph">
-<p>And in AuthenticationListener you inject AdminAccessDecisionVoter</p>
-</div>
-<div class="listingblock">
-<div class="content">
-<pre class="CodeRay highlight"><code data-lang="java"><span class="directive">public</span> <span class="type">class</span> <span class="class">AuthenticationListener</span> {
-
- <span class="annotation">@Inject</span>
- <span class="directive">private</span> ViewNavigationHandler viewNavigationHandler;
-
- <span class="annotation">@Inject</span>
- <span class="directive">private</span> AdminAccessDecisionVoter adminAccessDecisionVoter;
-
- <span class="directive">public</span> <span class="type">void</span> handleLoggedIn(<span class="annotation">@Observes</span> UserLoggedInEvent event) {
- <span class="local-variable">this</span>.viewNavigationHandler.navigateTo(adminAccessDecisionVoter.getDeniedPage());
- }
-
-}</code></pre>
-</div>
-</div>
-</div>
-<div class="sect3">
-<h4 id="_picketlink_implementation_to_redirect_the_login_to_the_first_denied_page">PicketLink Implementation to Redirect the Login to the First Denied Page</h4>
-<div class="paragraph">
-<p>Once that PicketLink handles the authentication for you, you only need
-to store the denied page and observe PicketLink <code>LoggedInEvent</code> to
-redirect you back to the denied page.</p>
-</div>
-<div class="paragraph">
-<p>Use @SessionScoped or @WindowScoped for AdminAccessDecisionVoter and
-store the denied page on your own.</p>
-</div>
-<div class="listingblock">
-<div class="content">
-<pre class="CodeRay highlight"><code data-lang="java"><span class="annotation">@SessionScoped</span> <span class="comment">//or @WindowScoped</span>
-<span class="directive">public</span> <span class="type">class</span> <span class="class">AdminAccessDecisionVoter</span> <span class="directive">extends</span> AbstractAccessDecisionVoter {
-
- <span class="annotation">@Inject</span>
- <span class="directive">private</span> ViewConfigResolver viewConfigResolver;
-
- <span class="directive">private</span> <span class="predefined-type">Class</span><? <span class="directive">extends</span> ViewConfig> deniedPage = Pages.Home.class;
-
- <span class="annotation">@Override</span>
- <span class="directive">protected</span> <span class="type">void</span> checkPermission(AccessDecisionVoterContext context, <span class="predefined-type">Set</span><SecurityViolation> violations) {
-
- AuthorizationChecker authorizationChecker = BeanProvider.getContextualReference(AuthorizationChecker.class);
- <span class="type">boolean</span> loggedIn = authorizationChecker.isLoggedIn();
-
- <span class="keyword">if</span>(loggedIn) {
- <span class="comment">//...</span>
- } <span class="keyword">else</span> {
- violations.add(<span class="comment">/*...*/</span>);
- deniedPage = viewConfigResolver.getViewConfigDescriptor(FacesContext.getCurrentInstance().getViewRoot().getViewId()).getConfigClass();
- }
- }
-
- <span class="directive">public</span> <span class="predefined-type">Class</span><? <span class="directive">extends</span> ViewConfig> getDeniedPage() {
- <span class="keyword">try</span> {
- <span class="keyword">return</span> deniedPage;
- } <span class="keyword">finally</span> {
- deniedPage = Pages.Home.class;
- }
- }
-}</code></pre>
-</div>
-</div>
-<div class="paragraph">
-<p>And in AuthenticationListener you inject AdminAccessDecisionVoter</p>
-</div>
-<div class="listingblock">
-<div class="content">
-<pre class="CodeRay highlight"><code data-lang="java"><span class="directive">public</span> <span class="type">class</span> <span class="class">AuthenticationListener</span> {
-
- <span class="annotation">@Inject</span>
- <span class="directive">private</span> ViewNavigationHandler viewNavigationHandler;
-
- <span class="annotation">@Inject</span>
- <span class="directive">private</span> AdminAccessDecisionVoter adminAccessDecisionVoter;
-
- <span class="directive">public</span> <span class="type">void</span> handleLoggedIn(<span class="annotation">@Observes</span> LoggedInEvent event) {
- <span class="local-variable">this</span>.viewNavigationHandler.navigateTo(adminAccessDecisionVoter.getDeniedPage());
- }
-
-}</code></pre>
-</div>
-</div>
-</div>
-</div>
<div class="sect2">
<h3 id="_accessdecisionvotercontext">AccessDecisionVoterContext</h3>
<div class="paragraph">
@@ -858,8 +690,9 @@ the results of the security check.</p>
</li>
</ul>
</div>
-<div class="sect3">
-<h4 id="_securitystrategy_spi">SecurityStrategy SPI</h4>
+</div>
+<div class="sect2">
+<h3 id="_securitystrategy_spi">SecurityStrategy SPI</h3>
<div class="paragraph">
<p>The <code>SecurityStrategy</code> interface allows to provide a custom
implementation which should be used for <code>@Secured</code>. Provide a custom
@@ -883,13 +716,39 @@ implementation as bean-class in combinat
<i class="fa icon-tip" title="Tip"></i>
</td>
<td class="content">
-The configuration for global-alternatives is following the pattern:
-globalAlternatives.<code><interface-name></code>=<code><implementation-class-name></code>
+The configuration for global alternatives is following the pattern:
+<code>globalAlternatives.<em><interface-name></em>=<em><implementation-class-name></em></code>
</td>
</tr>
</table>
</div>
</div>
+<div class="sect2">
+<h3 id="_examples">Examples</h3>
+<div class="sect3">
+<h4 id="_redirect_to_requested_page_after_login">Redirect to requested page after login</h4>
+<div class="paragraph">
+<p>DeltaSpike can be combined with pure CDI or with any other security
+frameworks (like PicketLink) to track the denied page and make it
+available after user logs in.</p>
+</div>
+<div class="paragraph">
+<p>An example of this use case is available in the examples module in the DeltaSpike repository:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="https://github.com/apache/deltaspike/tree/master/deltaspike/examples/security-requested-page-after-login-cdi">Making initially requested secured page available for redirect after login with CDI</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/deltaspike/tree/master/deltaspike/examples/security-requested-page-after-login-picketlink">Making initially requested secured page available for redirect after login with PicketLink</a></p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>The relevant classes are <code>AuthenticationListener</code> and <code>LoggedInAccessDecisionVoter</code>.</p>
+</div>
+</div>
</div>
</div>
</div>
@@ -918,36 +777,24 @@ globalAlternatives.<code><interface-n
<div class="fallback-toc">
<ul class="sectlevel1">
<li><a href="#_overview">Overview</a></li>
-<li><a href="#_configure_your_projects">Configure Your Projects</a>
+<li><a href="#_project_setup">Project Setup</a>
<ul class="sectlevel2">
<li><a href="#_1_declare_security_module_dependencies">1. Declare Security Module Dependencies</a></li>
-<li><a href="#_2_enable_the_security_interceptor">2. Enable the Security Interceptor</a></li>
+<li><a href="#_2_enable_the_securityinterceptor">2. Enable the SecurityInterceptor</a></li>
</ul>
</li>
-<li><a href="#_use_the_module_features">Use the Module Features</a>
+<li><a href="#_simple_interceptor_style_authorization">Simple interceptor-style authorization</a></li>
+<li><a href="#_advanced_authorization">Advanced authorization</a>
<ul class="sectlevel2">
-<li><a href="#_securitybinding_for_class_and_method_invocations">SecurityBinding for Class and Method Invocations</a></li>
-<li><a href="#_integrating_third_party_security_frameworks">Integrating Third-party Security Frameworks</a>
-<ul class="sectlevel3">
-<li><a href="#__secured">@Secured</a></li>
<li><a href="#_accessdecisionvoter">AccessDecisionVoter</a></li>
<li><a href="#_securityviolation">SecurityViolation</a></li>
-</ul>
-</li>
-<li><a href="#_abstractaccessdecisionvoter">AbstractAccessDecisionVoter</a>
-<ul class="sectlevel3">
-<li><a href="#__secured_and_stereotypes_with_custom_meta_data">@Secured and Stereotypes with Custom Meta-data</a></li>
-</ul>
-</li>
-<li><a href="#_making_intitially_requested_and_secured_page_available_for_redirect_after_login">Making Intitially Requested and Secured Page available for Redirect after Login</a>
-<ul class="sectlevel3">
-<li><a href="#_cdi_implementation_to_redirect_the_login_to_the_first_denied_page">CDI Implementation to Redirect the Login to the First Denied Page</a></li>
-<li><a href="#_picketlink_implementation_to_redirect_the_login_to_the_first_denied_page">PicketLink Implementation to Redirect the Login to the First Denied Page</a></li>
-</ul>
-</li>
-<li><a href="#_accessdecisionvotercontext">AccessDecisionVoterContext</a>
-<ul class="sectlevel3">
+<li><a href="#_abstractaccessdecisionvoter">AbstractAccessDecisionVoter</a></li>
+<li><a href="#__secured_and_stereotypes_with_custom_metadata">@Secured and stereotypes with custom metadata</a></li>
+<li><a href="#_accessdecisionvotercontext">AccessDecisionVoterContext</a></li>
<li><a href="#_securitystrategy_spi">SecurityStrategy SPI</a></li>
+<li><a href="#_examples">Examples</a>
+<ul class="sectlevel3">
+<li><a href="#_redirect_to_requested_page_after_login">Redirect to requested page after login</a></li>
</ul>
</li>
</ul>
Modified: websites/staging/deltaspike/trunk/content/documentation/servlet.html
==============================================================================
--- websites/staging/deltaspike/trunk/content/documentation/servlet.html (original)
+++ websites/staging/deltaspike/trunk/content/documentation/servlet.html Tue May 12 18:37:24 2015
@@ -281,7 +281,7 @@ table.CodeRay td.code>pre{padding:0}
</div>
</div>
<div class="sect1">
-<h2 id="_configure_your_projects">Configure Your Projects</h2>
+<h2 id="_project_setup">Project Setup</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The configuration information provided here is for Maven-based projects and it assumes that you have already declared the DeltaSpike version and DeltaSpike Core module for your projects, as detailed in <a href="configure.html">Configure DeltaSpike in Your Projects</a>. For Maven-independent projects, see <a href="configure.html#config-maven-indep">Configure DeltaSpike in Maven-independent Projects</a>.</p>
@@ -309,11 +309,8 @@ table.CodeRay td.code>pre{padding:0}
</div>
</div>
</div>
-</div>
-</div>
-<div class="sect1">
-<h2 id="_2_configure_listeners_and_filters">2. Configure Listeners and Filters</h2>
-<div class="sectionbody">
+<div class="sect2">
+<h3 id="_2_configure_listeners_and_filters">2. Configure Listeners and Filters</h3>
<div class="paragraph">
<p>In most cases there is no need for any additional configuration beside
adding the required dependencies to your project, because all required
@@ -384,11 +381,10 @@ register the listeners and filters in yo
</div>
</div>
</div>
+</div>
<div class="sect1">
-<h2 id="_use_the_module_features">Use the Module Features</h2>
+<h2 id="_injectable_servlet_objects">Injectable Servlet Objects</h2>
<div class="sectionbody">
-<div class="sect2">
-<h3 id="_injectable_servlet_objects">Injectable Servlet Objects</h3>
<div class="paragraph">
<p>The DeltaSpike Servlet module contains producers for many objects of a
Servlet environment. All produces are using the special qualifier
@@ -404,8 +400,8 @@ injection of some Servlet objects out of
<span class="directive">private</span> ServletObject servletObject;</code></pre>
</div>
</div>
-<div class="sect3">
-<h4 id="_servletcontext">ServletContext</h4>
+<div class="sect2">
+<h3 id="_servletcontext">ServletContext</h3>
<div class="paragraph">
<p>The <code>ServletContext</code> is made available in the application scope. It can
be injected into any CDI bean like this:</p>
@@ -417,8 +413,8 @@ be injected into any CDI bean like this:
</div>
</div>
</div>
-<div class="sect3">
-<h4 id="_servletrequest_httpservletrequest">ServletRequest / HttpServletRequest</h4>
+<div class="sect2">
+<h3 id="_servletrequest_httpservletrequest">ServletRequest / HttpServletRequest</h3>
<div class="paragraph">
<p>The <code>ServletRequest</code> is made available in the request scope. The current
request can be injected into a CDI bean like this:</p>
@@ -439,8 +435,8 @@ request can be injected into a CDI bean
</div>
</div>
</div>
-<div class="sect3">
-<h4 id="_servletresponse_httpservletresponse">ServletResponse / HttpServletResponse</h4>
+<div class="sect2">
+<h3 id="_servletresponse_httpservletresponse">ServletResponse / HttpServletResponse</h3>
<div class="paragraph">
<p>The <code>ServletResponse</code> is made available in the request scope. The
current response can be injected into a CDI bean like this:</p>
@@ -461,8 +457,8 @@ current response can be injected into a
</div>
</div>
</div>
-<div class="sect3">
-<h4 id="_httpsession">HttpSession</h4>
+<div class="sect2">
+<h3 id="_httpsession">HttpSession</h3>
<div class="paragraph">
<p>The <code>HttpSession</code> is made available in the session scope. You can inject
the current session of a user into a CDI bean like this:</p>
@@ -478,8 +474,8 @@ the current session of a user into a CDI
of a session.</p>
</div>
</div>
-<div class="sect3">
-<h4 id="_principal">Principal</h4>
+<div class="sect2">
+<h3 id="_principal">Principal</h3>
<div class="paragraph">
<p>The <code>Principal</code> is made available in the request scope. The current
principal can be injected into a CDI bean like this:</p>
@@ -496,8 +492,10 @@ principal can be injected into a CDI bea
</div>
</div>
</div>
-<div class="sect2">
-<h3 id="_servlet_event_propagation">Servlet Event Propagation</h3>
+</div>
+<div class="sect1">
+<h2 id="_servlet_event_propagation">Servlet Event Propagation</h2>
+<div class="sectionbody">
<div class="paragraph">
<p>The DeltaSpike Servlet module propagates a number of Servlet object
lifecycle events to the CDI event bus. This allows regular CDI beans to
@@ -512,8 +510,8 @@ object, DeltaSpike uses the qualifiers <
<p>The following sections shows which concrete Servlet objects are
supported and how their lifecycle can be observed.</p>
</div>
-<div class="sect3">
-<h4 id="_servlet_context_lifecycle_events">Servlet Context Lifecycle Events</h4>
+<div class="sect2">
+<h3 id="_servlet_context_lifecycle_events">Servlet Context Lifecycle Events</h3>
<div class="paragraph">
<p>The Servlet module supports initialization and destruction events for
the <code>ServletContext</code>. These events can for example be used to detect
@@ -547,8 +545,8 @@ also simply remove the entry for the <co
your <code>web.xml</code> to disable the events.</p>
</div>
</div>
-<div class="sect3">
-<h4 id="_request_and_response_lifecycle_events">Request and Response Lifecycle Events</h4>
+<div class="sect2">
+<h3 id="_request_and_response_lifecycle_events">Request and Response Lifecycle Events</h3>
<div class="paragraph">
<p>The Servlet module also supports initialization and destruction events
for the <code>HttpServletRequest</code> and <code>HttpServletResponse</code>. These events can
@@ -601,8 +599,8 @@ also simply remove the entry for the <co
<code>web.xml</code> to disable the events.</p>
</div>
</div>
-<div class="sect3">
-<h4 id="_session_lifecycle_events">Session Lifecycle Events</h4>
+<div class="sect2">
+<h3 id="_session_lifecycle_events">Session Lifecycle Events</h3>
<div class="paragraph">
<p>The last category of events supported by the DeltaSpike Servlet module
are the lifecycle events for the user’s HTTP session. The following
@@ -637,7 +635,6 @@ your <code>web.xml</code> to disable the
</div>
</div>
</div>
-</div>
</div>
</div>
@@ -663,16 +660,14 @@ your <code>web.xml</code> to disable the
<div class="fallback-toc">
<ul class="sectlevel1">
<li><a href="#_overview">Overview</a></li>
-<li><a href="#_configure_your_projects">Configure Your Projects</a>
+<li><a href="#_project_setup">Project Setup</a>
<ul class="sectlevel2">
<li><a href="#_1_declare_servlet_module_dependencies">1. Declare Servlet Module Dependencies</a></li>
+<li><a href="#_2_configure_listeners_and_filters">2. Configure Listeners and Filters</a></li>
</ul>
</li>
-<li><a href="#_2_configure_listeners_and_filters">2. Configure Listeners and Filters</a></li>
-<li><a href="#_use_the_module_features">Use the Module Features</a>
-<ul class="sectlevel2">
<li><a href="#_injectable_servlet_objects">Injectable Servlet Objects</a>
-<ul class="sectlevel3">
+<ul class="sectlevel2">
<li><a href="#_servletcontext">ServletContext</a></li>
<li><a href="#_servletrequest_httpservletrequest">ServletRequest / HttpServletRequest</a></li>
<li><a href="#_servletresponse_httpservletresponse">ServletResponse / HttpServletResponse</a></li>
@@ -681,15 +676,13 @@ your <code>web.xml</code> to disable the
</ul>
</li>
<li><a href="#_servlet_event_propagation">Servlet Event Propagation</a>
-<ul class="sectlevel3">
+<ul class="sectlevel2">
<li><a href="#_servlet_context_lifecycle_events">Servlet Context Lifecycle Events</a></li>
<li><a href="#_request_and_response_lifecycle_events">Request and Response Lifecycle Events</a></li>
<li><a href="#_session_lifecycle_events">Session Lifecycle Events</a></li>
</ul>
</li>
</ul>
-</li>
-</ul>
</div>
</div>
Modified: websites/staging/deltaspike/trunk/content/documentation/test-control.html
==============================================================================
--- websites/staging/deltaspike/trunk/content/documentation/test-control.html (original)
+++ websites/staging/deltaspike/trunk/content/documentation/test-control.html Tue May 12 18:37:24 2015
@@ -281,7 +281,7 @@ table.CodeRay td.code>pre{padding:0}
</div>
</div>
<div class="sect1">
-<h2 id="_configure_your_projects">Configure Your Projects</h2>
+<h2 id="_project_setup">Project Setup</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The configuration information provided here is for Maven-based projects and it assumes that you have already declared the DeltaSpike version and DeltaSpike Core module for your projects, as detailed in <a href="configure.html">Configure DeltaSpike in Your Projects</a>. For Maven-independent projects, see <a href="configure.html#config-maven-indep">Configure DeltaSpike in Maven-independent Projects</a>.</p>
@@ -395,12 +395,10 @@ of dependencies instead of the OpenWebBe
</div>
</div>
<div class="sect1">
-<h2 id="_use_the_module_features">Use the Module Features</h2>
+<h2 id="_automated_container_booting_and_shutdown">Automated Container Booting and Shutdown</h2>
<div class="sectionbody">
<div class="sect2">
-<h3 id="_automated_container_booting_and_shutdown">Automated Container Booting and Shutdown</h3>
-<div class="sect3">
-<h4 id="_cditestrunner">CdiTestRunner</h4>
+<h3 id="_cditestrunner">CdiTestRunner</h3>
<div class="paragraph">
<p>Start and stop the CDI container automatically per test class with CdiTestRunner, a JUnit Test-Runner.
This also starts and stops one request and session per test-method.</p>
@@ -425,8 +423,8 @@ This also starts and stops one request a
</div>
</div>
</div>
-<div class="sect3">
-<h4 id="_cditestsuiterunner">CdiTestSuiteRunner</h4>
+<div class="sect2">
+<h3 id="_cditestsuiterunner">CdiTestSuiteRunner</h3>
<div class="paragraph">
<p>Extend automated CDI container start and stop actions to whole test suites with CdiTestSuiteRunner, a JUnit Test-Suite-Runner.</p>
</div>
@@ -444,17 +442,19 @@ This also starts and stops one request a
</div>
</div>
</div>
-<div class="sect3">
-<h4 id="_optional_shutdown_configuration">Optional Shutdown Configuration</h4>
+<div class="sect2">
+<h3 id="_optional_shutdown_configuration">Optional Shutdown Configuration</h3>
<div class="paragraph">
<p>You can set <code>deltaspike.testcontrol.stop_container</code> to <code>false</code> (via the standard DeltaSpike config), resulting in the CDI Container being started just once for all tests.</p>
</div>
</div>
</div>
+</div>
+<div class="sect1">
+<h2 id="_test_customization">Test Customization</h2>
+<div class="sectionbody">
<div class="sect2">
-<h3 id="_test_customization">Test Customization</h3>
-<div class="sect3">
-<h4 id="__testcontrol">@TestControl</h4>
+<h3 id="__testcontrol">@TestControl</h3>
<div class="paragraph">
<p>Customize the default behavior of CdiTestRunner with @TestControl. In the following
case only one session for all test-methods (of the test-class) will be
@@ -472,8 +472,8 @@ created.</p>
</div>
</div>
</div>
-<div class="sect3">
-<h4 id="_projectstage_control">ProjectStage Control</h4>
+<div class="sect2">
+<h3 id="_projectstage_control">ProjectStage Control</h3>
<div class="paragraph">
<p>Override the default ProjectStage for unit tests with <code>ProjectStage.UnitTest.class</code>.</p>
</div>
@@ -498,8 +498,10 @@ created.</p>
</div>
</div>
</div>
-<div class="sect2">
-<h3 id="_optional_configuration">Optional Configuration</h3>
+</div>
+<div class="sect1">
+<h2 id="_optional_configuration">Optional Configuration</h2>
+<div class="sectionbody">
<div class="paragraph">
<p>From DeltaSpike 1.2, it is possible to provide a configuration for the underlying test-container.
However, currently only the adapter for OpenEJB embedded (available in CDI-Control) supports it out-of-the-box.
@@ -510,8 +512,8 @@ The content of the file are key/value pa
Therefore, it is a configuration which is not used by DeltaSpike itself
(it is just forwarded (as it is) to the underlying test-container).</p>
</div>
-<div class="sect3">
-<h4 id="_reconfigure_the_config_file_name_or_location">Reconfigure the config-file Name or Location</h4>
+<div class="sect2">
+<h3 id="_reconfigure_the_config_file_name_or_location">Reconfigure the config-file Name or Location</h3>
<div class="paragraph">
<p>If you would like to point to an existing config-file, you have to add for example:</p>
</div>
@@ -533,10 +535,12 @@ Therefore, it is a configuration which i
</div>
</div>
</div>
+</div>
+<div class="sect1">
+<h2 id="_optional_integrations">Optional Integrations</h2>
+<div class="sectionbody">
<div class="sect2">
-<h3 id="_optional_integrations">Optional Integrations</h3>
-<div class="sect3">
-<h4 id="_mock_frameworks">Mock Frameworks</h4>
+<h3 id="_mock_frameworks">Mock Frameworks</h3>
<div class="paragraph">
<p>From DeltaSpike 1.0, it is possible to mock CDI-Beans. Usually @Exclude (+
ProjectStage) is enough, however, for some cases mocked beans might be
@@ -738,8 +742,8 @@ mocked implementation via <code>@Exclude
constructor) and specify the target-type via <code>@TypedMock</code>.</p>
</div>
</div>
-<div class="sect3">
-<h4 id="_jsf_via_myfaces_test">JSF (via MyFaces-Test)</h4>
+<div class="sect2">
+<h3 id="_jsf_via_myfaces_test">JSF (via MyFaces-Test)</h3>
<div class="paragraph">
<p>add on of</p>
</div>
@@ -770,8 +774,10 @@ constructor) and specify the target-type
</div>
</div>
</div>
-<div class="sect2">
-<h3 id="_using_jersey_test_with_test_control">Using jersey-test with test-control</h3>
+</div>
+<div class="sect1">
+<h2 id="_using_jersey_test_with_test_control">Using jersey-test with test-control</h2>
+<div class="sectionbody">
<div class="paragraph">
<p>Jersey-test starts jetty which answers requests in a separated thread. Since ds test-control just handles the thread of the test itself, it’s needed to integrate jetty and jersey with the cdi-container. Usually that’s done via a ServletRequestListener - the following part describes an alternative approach for jersey-test:</p>
</div>
@@ -855,8 +861,10 @@ cdiHandlerWrapper.setHandler(<span class
</div>
</div>
</div>
-<div class="sect2">
-<h3 id="_mixed_tests">Mixed Tests</h3>
+</div>
+<div class="sect1">
+<h2 id="_mixed_tests">Mixed Tests</h2>
+<div class="sectionbody">
<div class="paragraph">
<p>Usually you should have one kind of tests per test-module. However, if
you need to add, for example, a test without an external-container to your
@@ -874,10 +882,12 @@ with:</p>
</div>
</div>
</div>
+</div>
+<div class="sect1">
+<h2 id="_known_restrictions">Known Restrictions</h2>
+<div class="sectionbody">
<div class="sect2">
-<h3 id="_known_restrictions">Known Restrictions</h3>
-<div class="sect3">
-<h4 id="_liquibase">Liquibase</h4>
+<h3 id="_liquibase">Liquibase</h3>
<div class="paragraph">
<p>Liquibase invokes <code>#toString</code> in a <code>AfterDeploymentValidation</code> observer.
<strong>that is not portable</strong> and therefore you have to deactivate the
@@ -905,8 +915,8 @@ mocking-support via:</p>
<p>Further details are available at deactivatable.</p>
</div>
</div>
-<div class="sect3">
-<h4 id="_gradle">Gradle</h4>
+<div class="sect2">
+<h3 id="_gradle">Gradle</h3>
<div class="paragraph">
<p>Gradle by default does not put resources and compiled sources in to the same directory.
When running a test using Gradle, this means your classes will not be in bean archives as
@@ -929,10 +939,12 @@ for resources to point to where the comp
</div>
</div>
</div>
+</div>
+<div class="sect1">
+<h2 id="_spi">SPI</h2>
+<div class="sectionbody">
<div class="sect2">
-<h3 id="_spi">SPI</h3>
-<div class="sect3">
-<h4 id="_externalcontainer">ExternalContainer</h4>
+<h3 id="_externalcontainer">ExternalContainer</h3>
<div class="paragraph">
<p>org.apache.deltaspike.testcontrol.spi.ExternalContainer allows to
integrate containers which get started after the CDI container.
@@ -948,7 +960,6 @@ Currently DeltaSpike provides:</p>
</div>
</div>
</div>
-</div>
</div>
</div>
@@ -983,7 +994,7 @@ Currently DeltaSpike provides:</p>
<div class="fallback-toc">
<ul class="sectlevel1">
<li><a href="#_overview">Overview</a></li>
-<li><a href="#_configure_your_projects">Configure Your Projects</a>
+<li><a href="#_project_setup">Project Setup</a>
<ul class="sectlevel2">
<li><a href="#_1_declare_test_control_module_dependencies">1. Declare Test-Control Module Dependencies</a></li>
<li><a href="#_2_declare_cdi_implementation_specific_dependencies">2. Declare CDI-implementation-specific dependencies</a>
@@ -996,28 +1007,26 @@ Currently DeltaSpike provides:</p>
<li><a href="#_3_complete_additional_project_configuration">3. Complete Additional Project Configuration</a></li>
</ul>
</li>
-<li><a href="#_use_the_module_features">Use the Module Features</a>
-<ul class="sectlevel2">
<li><a href="#_automated_container_booting_and_shutdown">Automated Container Booting and Shutdown</a>
-<ul class="sectlevel3">
+<ul class="sectlevel2">
<li><a href="#_cditestrunner">CdiTestRunner</a></li>
<li><a href="#_cditestsuiterunner">CdiTestSuiteRunner</a></li>
<li><a href="#_optional_shutdown_configuration">Optional Shutdown Configuration</a></li>
</ul>
</li>
<li><a href="#_test_customization">Test Customization</a>
-<ul class="sectlevel3">
+<ul class="sectlevel2">
<li><a href="#__testcontrol">@TestControl</a></li>
<li><a href="#_projectstage_control">ProjectStage Control</a></li>
</ul>
</li>
<li><a href="#_optional_configuration">Optional Configuration</a>
-<ul class="sectlevel3">
+<ul class="sectlevel2">
<li><a href="#_reconfigure_the_config_file_name_or_location">Reconfigure the config-file Name or Location</a></li>
</ul>
</li>
<li><a href="#_optional_integrations">Optional Integrations</a>
-<ul class="sectlevel3">
+<ul class="sectlevel2">
<li><a href="#_mock_frameworks">Mock Frameworks</a></li>
<li><a href="#_jsf_via_myfaces_test">JSF (via MyFaces-Test)</a></li>
</ul>
@@ -1025,19 +1034,17 @@ Currently DeltaSpike provides:</p>
<li><a href="#_using_jersey_test_with_test_control">Using jersey-test with test-control</a></li>
<li><a href="#_mixed_tests">Mixed Tests</a></li>
<li><a href="#_known_restrictions">Known Restrictions</a>
-<ul class="sectlevel3">
+<ul class="sectlevel2">
<li><a href="#_liquibase">Liquibase</a></li>
<li><a href="#_gradle">Gradle</a></li>
</ul>
</li>
<li><a href="#_spi">SPI</a>
-<ul class="sectlevel3">
+<ul class="sectlevel2">
<li><a href="#_externalcontainer">ExternalContainer</a></li>
</ul>
</li>
</ul>
-</li>
-</ul>
</div>
</div>