Date: Fri, 10 Jul 2015 16:31:05 +0000 (UTC)
From: "Pavel Alekhin (JIRA)"
To: dev@aries.apache.org
Reply-To: dev@aries.apache.org
Subject: [jira] [Comment Edited] (ARIES-1316) Problem with intercepting authorizing annotations of a class declared as an interface

    [ https://issues.apache.org/jira/browse/ARIES-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14622544#comment-14622544 ]

Pavel Alekhin edited comment on ARIES-1316 at 7/10/15 4:30 PM:
---------------------------------------------------------------

It's injected by blueprint config.
As I understood, exploring the code, the problem is that when the bundle starts with in blueprint, AnnotationParser looks for security annotations in a class (SimpleEchoService in our case):

    private boolean isSecured(Class clazz) {
        if (clazz == Object.class) {
            return false;
        }
        if (clazz.getAnnotation(RolesAllowed.class) != null || clazz.getAnnotation(DenyAll.class) != null) {
            return true;
        }
        for (Method m : clazz.getMethods()) {
            if (m.getAnnotation(RolesAllowed.class) != null) {
                return true;
            }
            if (m.getAnnotation(DenyAll.class) != null) {
                return true;
            }
        }
        return false;
    }

But later, at runtime, AuthorizationInterceptor looks for security annotations in the interface's methods:

    public Object preCall(ComponentMetadata cm, Method m, Object... parameters) throws Throwable {
        Annotation ann = new SecurityAnotationParser().getEffectiveAnnotation(m);
        ...
    }

Here it gets "Method m" from the interface.

> Problem with intercepting authorizing annotations of a class declared as an interface
> -------------------------------------------------------------------------------------
>
>                 Key: ARIES-1316
>                 URL: https://issues.apache.org/jira/browse/ARIES-1316
>             Project: Aries
>          Issue Type: Bug
>          Components: Blueprint
>    Affects Versions: blueprint-authz-1.0.0
>            Reporter: Pavel Alekhin
>            Assignee: Christian Schneider
>            Priority: Minor
>
> Using an interface variable causes an empty roles list error {color:red}Method call interface EchoService.echo denied. Roles allowed are []{color} when the interface doesn't have method authorizing annotations while the implementing class does.
> Code example:
> {code:title=EchoService.java|borderStyle=solid}
> public interface EchoService {
>     //@RolesAllowed("admin")
>     public String echo(String message);
> }
> {code}
> {code:title=SimpleEchoService.java|borderStyle=solid}
> public class SimpleEchoService implements EchoService {
>     @RolesAllowed("admin")
>     @Override
>     public String echo(String message) {
>         return message;
>     }
> }
> {code}
> {code:title=EchoCommand.java|borderStyle=solid}
> @Command(scope = "kb", name = "echo")
> public class EchoCommand extends OsgiCommandSupport {
>     private EchoService echoService;
>     public EchoService getEchoService() {
>         return echoService;
>     }
>     public void setEchoService(EchoService echoService) {
>         this.echoService = echoService;
>     }
>     @Argument(index = 0, name = "message", required = true, multiValued = false)
>     private String message;
>     @Override
>     protected Object doExecute() throws Exception {
>         return echoService.echo(message);
>     }
> }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
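
The mismatch described in the comment above can be reproduced with plain reflection. This is an added example, not code from the message or from Aries. The nested RolesAllowed annotation is a stand-in for javax.annotation.security.RolesAllowed so the file compiles on a bare JDK, and effectiveRoles is a hypothetical helper showing one way to resolve the annotation against the implementation class.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;

public class InterfaceAnnotationDemo {
    // Stand-in annotation (assumption): mirrors the shape of javax.annotation.security.RolesAllowed.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    @interface RolesAllowed { String[] value(); }

    // Same shape as the issue's example: annotation only on the implementation.
    interface EchoService { String echo(String message); }

    static class SimpleEchoService implements EchoService {
        @RolesAllowed("admin")
        @Override public String echo(String message) { return message; }
    }

    // Hypothetical helper: check the Method as passed, then the method with the
    // same signature on the target class, then the target class itself.
    static RolesAllowed effectiveRoles(Method m, Class<?> targetClass) throws NoSuchMethodException {
        RolesAllowed ann = m.getAnnotation(RolesAllowed.class);
        if (ann != null) {
            return ann;
        }
        Method impl = targetClass.getMethod(m.getName(), m.getParameterTypes());
        ann = impl.getAnnotation(RolesAllowed.class);
        return ann != null ? ann : targetClass.getAnnotation(RolesAllowed.class);
    }

    public static void main(String[] args) throws Exception {
        Method viaClass = SimpleEchoService.class.getMethod("echo", String.class);
        Method viaInterface = EchoService.class.getMethod("echo", String.class);

        // A scan over the class's methods (as isSecured does) finds the annotation.
        System.out.println("class method annotated:     "
                + (viaClass.getAnnotation(RolesAllowed.class) != null));
        // The interface Method is a different object; method annotations are not
        // inherited from implementations, so a lookup on it alone finds nothing.
        System.out.println("interface method annotated: "
                + (viaInterface.getAnnotation(RolesAllowed.class) != null));
        // Resolving against the implementation class recovers the declared roles.
        RolesAllowed roles = effectiveRoles(viaInterface, SimpleEchoService.class);
        System.out.println("resolved roles:             " + Arrays.toString(roles.value()));
    }
}
```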