Posted to dev@deltaspike.apache.org by "Alexei Osipov (JIRA)" <ji...@apache.org> on 2016/06/09 09:08:20 UTC

[jira] [Commented] (DELTASPIKE-1172) Support processing of binding annotations on ViewConfig

    [ https://issues.apache.org/jira/browse/DELTASPIKE-1172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15322201#comment-15322201 ] 

Alexei Osipov commented on DELTASPIKE-1172:
-------------------------------------------

Probably it's possible to implement an optional AccessDecisionVoter that checks security binding annotations on ViewConfig-s and include it in the Deltaspike API.

> Support processing of binding annotations on ViewConfig
> -------------------------------------------------------
>
>                 Key: DELTASPIKE-1172
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1172
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: JSF-Module, Security-Module
>    Affects Versions: 1.6.1
>            Reporter: Alexei Osipov
>            Priority: Minor
>
> It would be nice to have a mechanism that allows using security binding annotations on ViewConfig to define page access restrictions.
> {code}
> // View config
> @UserLoggedIn  // <- This is a security binding annotation. Not a new class with @Secured
> public class MyPage implements ViewConfig {
> }
> {code}
> ----
> I'm working with type-safe view-config for my app and ran into an issue with
> defining security restrictions for pages.
> Deltaspike documentation explains how to use @Secured annotation and
> implement AccessDecisionVoter-s to define permission checks for pages.
> I have a bunch of custom SecurityBindingType-s that are checked via
> @Secures-annotated methods and I want to use those SecurityBindingType-s to
> configure permission checks on ViewConfig objects.
> Example (mostly just from Deltaspike docs):
> {code}
> // Custom security binding annotation:
> @Retention(value = RUNTIME)
> @Target({TYPE, METHOD})
> @Documented
> @SecurityBindingType
> public @interface UserLoggedIn {}
> // Custom authorizer
> @ApplicationScoped
> public class LoggedInAuthorizer
> {
>     @Secures
>     @UserLoggedIn
>     public boolean doSecuredCheck(Identity identity) throws Exception
>     {
>         return identity.isLoggedIn();
>     }
> }
> // View config
> @UserLoggedIn  // <- Note that I want to use a security binding annotation here. Not a new class with @Secured
> public class MyPage implements ViewConfig {
> }
> {code}
> Note: this example has only one annotation (UserLoggedIn) but my app has a dozen of them.
> So I want to use security binding annotations for ViewConfig classes in
> the same way we usually use them for beans.
> The problem is that I can't find an easy way to do that type of security
> check declaration in Deltaspike.
> Obviously, I can write an AccessDecisionVoter for each custom security
> binding type but I don't want to create so many classes just for view
> configuration.
> Also I can write an AccessDecisionVoter and list all my security binding
> annotations and check them one by one. However I don't want to hardcode the
> list of annotations. Too high risk that somebody forgets to update the list.
> Reference docs:
> https://deltaspike.apache.org/documentation/security.html
> https://deltaspike.apache.org/documentation/jsf.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
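
The approach suggested in the comment above, sketched as an added example (not part of the original message and not DeltaSpike code): binding annotations on a view-config class are discovered through their meta-annotation instead of a hardcoded list, and a binding with no registered check denies access. The annotation and interface types are local stand-ins and the CHECKS registry is hypothetical, so the file compiles without DeltaSpike.

```java
import java.lang.annotation.*;
import java.util.*;
import java.util.function.BooleanSupplier;

public class BindingDiscoveryDemo {
    // Local stand-ins (assumptions) so this compiles without DeltaSpike on the classpath.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.ANNOTATION_TYPE)
    @interface SecurityBindingType {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @SecurityBindingType
    @interface UserLoggedIn {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @SecurityBindingType
    @interface Admin {}   // constructed second binding, not from the issue

    interface ViewConfig {}

    @UserLoggedIn static class MyPage implements ViewConfig {}
    @UserLoggedIn @Admin static class AdminPage implements ViewConfig {}

    // Hypothetical registry: binding annotation type -> permission check.
    static final Map<Class<? extends Annotation>, BooleanSupplier> CHECKS = new HashMap<>();

    /** Returns violation messages; an empty list means access is granted. */
    static List<String> checkAccess(Class<? extends ViewConfig> view) {
        List<String> violations = new ArrayList<>();
        for (Annotation a : view.getAnnotations()) {
            Class<? extends Annotation> type = a.annotationType();
            // Only annotations that are themselves marked as security bindings count.
            if (!type.isAnnotationPresent(SecurityBindingType.class)) continue;
            BooleanSupplier check = CHECKS.get(type);
            if (check == null) {
                // Fail closed: a binding nobody registered a check for denies access.
                violations.add("no authorizer for @" + type.getSimpleName());
            } else if (!check.getAsBoolean()) {
                violations.add("denied by @" + type.getSimpleName());
            }
        }
        return violations;
    }

    public static void main(String[] args) {
        CHECKS.put(UserLoggedIn.class, () -> true); // constructed state: user is logged in
        System.out.println("MyPage: " + checkAccess(MyPage.class));
        System.out.println("AdminPage: " + checkAccess(AdminPage.class));
    }
}
```

Because discovery keys on the meta-annotation, a newly introduced binding is picked up without editing the voter, and forgetting its check produces a denial rather than silent access.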