Posted to dev@deltaspike.apache.org by "Alexei Osipov (JIRA)" <ji...@apache.org> on 2016/06/09 09:06:20 UTC

[jira] [Created] (DELTASPIKE-1172) Support processing of binding annotations on ViewConfig

Alexei Osipov created DELTASPIKE-1172:
-----------------------------------------

             Summary: Support processing of binding annotations on ViewConfig
                 Key: DELTASPIKE-1172
                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1172
             Project: DeltaSpike
          Issue Type: New Feature
          Components: JSF-Module, Security-Module
    Affects Versions: 1.6.1
            Reporter: Alexei Osipov
            Priority: Minor


It would be nice to have a mechanism that allows using security binding annotations on ViewConfig to define page access restrictions.
{code}
// View config
@UserLoggedIn  // <- This is a security binding annotation. Not a new class with @Secured
public class MyPage implements ViewConfig {
}
{code}

----

I'm working with type-safe view-config for my app and ran into an issue with
defining security restrictions for pages.

The DeltaSpike documentation explains how to use the @Secured annotation and
implement AccessDecisionVoter-s to define permission checks for pages.
I have a bunch of custom SecurityBindingType-s that are checked via
@Secures-annotated methods and I want to use those SecurityBindingType-s to
configure permission checks on ViewConfig objects.

Example (mostly just from the DeltaSpike docs):
{code}
// Custom security binding annotation:
@Retention(value = RUNTIME)
@Target({TYPE, METHOD})
@Documented
@SecurityBindingType
public @interface UserLoggedIn {}

// Custom authorizer
@ApplicationScoped
public class LoggedInAuthorizer
{
    @Secures
    @UserLoggedIn
    public boolean doSecuredCheck(Identity identity) throws Exception
    {
        return identity.isLoggedIn();
    }
}

// View config
@UserLoggedIn  // <- Note that I want to use a security binding annotation here. Not a new class with @Secured
public class MyPage implements ViewConfig {

}
{code}
Note: this example has only one annotation (UserLoggedIn) but my app has a dozen of them.

So I want to use security binding annotations for ViewConfig classes in
the same way we usually use them for beans.
The problem is that I can't find an easy way to do that type of security
check declaration in DeltaSpike.

Obviously, I can write an AccessDecisionVoter for each custom security
binding type but I don't want to create so many classes just for view
configuration.
Also I can write an AccessDecisionVoter and list all my security binding
annotations and check them one by one. However, I don't want to hardcode the
list of annotations. The risk that somebody forgets to update the list is too high.


Reference docs:
https://deltaspike.apache.org/documentation/security.html
https://deltaspike.apache.org/documentation/jsf.html




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
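
Added example, not part of the original message and not DeltaSpike code: a plain-reflection sketch of discovering binding annotations on a view class through their meta-annotation instead of a hardcoded list, denying access when a discovered binding has no registered check. The `SecurityBindingType` declared here is a local stand-in for the DeltaSpike annotation; `Admin`, `AdminPage`, `PublicPage`, `bindingsOn`, `isAllowed` and the `checks` map are hypothetical names.

```java
import java.lang.annotation.*;
import java.util.*;
import java.util.function.BooleanSupplier;

public class BindingDiscoveryDemo {
    // Local stand-in for DeltaSpike's @SecurityBindingType so this compiles without the library.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.ANNOTATION_TYPE)
    @interface SecurityBindingType {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @SecurityBindingType
    @interface UserLoggedIn {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @SecurityBindingType
    @interface Admin {}   // hypothetical second binding

    @UserLoggedIn static class MyPage {}
    @UserLoggedIn @Admin static class AdminPage {}
    static class PublicPage {}

    // Collect every annotation on the view class that is itself meta-annotated as a binding.
    static List<Class<? extends Annotation>> bindingsOn(Class<?> view) {
        List<Class<? extends Annotation>> found = new ArrayList<>();
        for (Annotation a : view.getAnnotations()) {
            if (a.annotationType().isAnnotationPresent(SecurityBindingType.class)) {
                found.add(a.annotationType());
            }
        }
        return found;
    }

    // Deny unless every discovered binding has a registered check and that check passes.
    static boolean isAllowed(Class<?> view, Map<Class<? extends Annotation>, BooleanSupplier> checks) {
        for (Class<? extends Annotation> binding : bindingsOn(view)) {
            BooleanSupplier check = checks.get(binding);
            if (check == null || !check.getAsBoolean()) {
                return false;   // fail closed on an unknown or failing binding
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Map<Class<? extends Annotation>, BooleanSupplier> checks = new HashMap<>();
        checks.put(UserLoggedIn.class, () -> true);   // constructed: pretend the user is logged in
        // No check is registered for @Admin, so AdminPage is denied rather than silently allowed.
        System.out.println("MyPage: " + isAllowed(MyPage.class, checks));
        System.out.println("AdminPage: " + isAllowed(AdminPage.class, checks));
        System.out.println("PublicPage: " + isAllowed(PublicPage.class, checks));
    }
}
```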