deltaspike-dev mailing list archives

From Shane Bryzak <sbry...@redhat.com>
Subject Re: AW: [DISCUSS][SECURITY-API] [DELTASPIKE-64] @Secured
Date Tue, 31 Jan 2012 12:45:03 GMT
Yep, all parameters are injection points so shouldn't be a problem to 
inject the InvocationContext or InjectionPoint or whatever other 
contextual information we like.


On 31/01/12 22:37, Arne Limburg wrote:
> Hi Shane,
>
> I like that. I guess it is possible to inject the InjectionPoint into the @Secures method?
>
> Cheers,
> Arne
>
> -----Original Message-----
> From: Shane Bryzak [mailto:sbryzak@redhat.com]
> Sent: Tuesday, 31 January 2012 13:25
> To: deltaspike-dev@incubator.apache.org
> Cc: Gerhard Petracek
> Subject: Re: [DISCUSS][SECURITY-API] [DELTASPIKE-64] @Secured
>
> Oops, I posted my response on the JIRA issue - copying to this thread
> instead:
>
> In Seam Security we have a system of typesafe security annotations.  Essentially, it's
> up to the developer to create the annotations required for the authorization checks in their
> application.  The security binding annotations are annotated with @SecurityBindingType, here's
> an example:
>
> @SecurityBindingType
> @Retention(RetentionPolicy.RUNTIME)
> @Target({ElementType.TYPE, ElementType.METHOD})
> public @interface Admin { }
>
> The annotation may declare member variables also which are taken into account for the
> authorization check, unless the member is annotated @Nonbinding.
>
> Authorizer methods are used to determine whether a user has sufficient privileges to
> invoke a secured method.  The @Secures annotation is used in combination with the security
> binding type annotation to declare the authorizer method, eg:
>
>       public @Secures @Admin boolean isAdmin(Identity identity) {
>           return identity.hasRole("admin", "USERS", "GROUP");
>       }
>
> This allows combinations of security binding types to be declared on a single method
> or class, and also has the advantage of allowing the user to declare all of their security
> "business logic" in a single bean.  Once the security binding type annotation and the authorizer
> method is declared, it is then a simple matter of applying the annotation:
>
>       @Admin
>       public void doSomethingRestricted() {
>           messages.info("doSomethingRestricted() invoked");
>       }
>
>
>
> On 31/01/12 21:59, Gerhard Petracek wrote:
>> hi @ all,
>>
>> imo this feature of myfaces codi-core is a nice starting point for the
>> security-api discussion, because the basic idea behind it is a very
>> thin integration layer (which can be used by other modules).
>>
>> the basic concept:
>> a cdi interceptor invokes (inline) voters to secure the target method/s.
>> a voter is a (custom) cdi bean which implements a specific interface
>> and therefore has access to the InvocationContext.
>> furthermore, a voter detects 0-n violations and >can< be used to
>> integrate 3rd party security-frameworks.
>> [1] provides a bit more details of the basic concept as well as the
>> basic usage of @Secured.
>>
>> please send
>> +1, +0 or -1 because...
>> for the >basic concept<.
>>
>> (please add >basic< objections also to [2]. we can discuss details e.g.
>> further objections about the concrete implementation (e.g. internal
>> classes,...) as soon as we agreed on including this concept.)
>>
>> regards,
>> gerhard
>>
>> [1] https://issues.apache.org/jira/browse/DELTASPIKE-64
>> [2] https://cwiki.apache.org/confluence/display/DeltaSpike/SE+Feature+Ranking
>>

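Shane's Seam Security sketch above (the @SecurityBindingType / @Secures / @Nonbinding mechanism) as an added, stand-alone Java example; this is not code from the thread or from Seam. The meta-annotations, Identity, ReportService and the reflective authorize() check are hypothetical stand-ins written so the binding-member matching rule can be exercised without a CDI container.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
// Hypothetical stand-ins for the Seam Security meta-annotations named in the thread (not the real classes).
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.ANNOTATION_TYPE) @interface SecurityBindingType {}
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface Secures {}
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface Nonbinding {}
// A binding type with one binding member (value) and one @Nonbinding member (reason).
@SecurityBindingType @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
@interface RequiresRole { String value(); @Nonbinding String reason() default ""; }
// Constructed identity: the roles granted to the current caller.
record Identity(Set<String> roles) { boolean hasRole(String role) { return roles.contains(role); } }
// All authorization "business logic" in one bean: one @Secures method per binding value.
class Authorizers {
    public @Secures @RequiresRole("admin") boolean isAdmin(Identity id) { return id.hasRole("admin"); }
    public @Secures @RequiresRole("auditor") boolean isAuditor(Identity id) { return id.hasRole("auditor"); }
}
class ReportService { // 'reason' is @Nonbinding, so this still matches the @RequiresRole("admin") authorizer
    @RequiresRole(value = "admin", reason = "deletes audit history") public void purgeHistory() {}
}
class SecurityCheck {
    // Each @SecurityBindingType annotation on the target needs a @Secures method carrying the same annotation type with equal binding members; every matching authorizer must return true.
    static boolean authorize(Method target, Object bean, Identity identity) throws Exception {
        for (Annotation binding : target.getAnnotations()) {
            if (!binding.annotationType().isAnnotationPresent(SecurityBindingType.class)) continue;
            boolean matched = false;
            for (Method m : bean.getClass().getMethods()) {
                Annotation cand = m.getAnnotation(binding.annotationType());
                if (!m.isAnnotationPresent(Secures.class) || cand == null || !sameBinding(binding, cand)) continue;
                matched = true;
                if (!(Boolean) m.invoke(bean, identity)) return false; // authorizer denied access
            }
            if (!matched) throw new IllegalStateException("no authorizer for " + binding);
        }
        return true;
    }
    // Members marked @Nonbinding are ignored; every other member must be equal.
    static boolean sameBinding(Annotation a, Annotation b) throws Exception {
        for (Method member : a.annotationType().getDeclaredMethods()) {
            if (member.isAnnotationPresent(Nonbinding.class)) continue;
            if (!Objects.equals(member.invoke(a), member.invoke(b))) return false;
        }
        return true;
    }
    public static void main(String[] args) throws Exception {
        Method purge = ReportService.class.getMethod("purgeHistory");
        System.out.println("admin -> " + authorize(purge, new Authorizers(), new Identity(Set.of("admin"))));
        System.out.println("auditor -> " + authorize(purge, new Authorizers(), new Identity(Set.of("auditor"))));
    }
}
```

Compile the whole file with javac (Java 16 or newer, for the record) and run the SecurityCheck class: purgeHistory() is granted to the admin identity and denied to the auditor one, because only the value member takes part in matching.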
