deltaspike-dev mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: [DISCUSS] DELTASPIKE-298 support post-method-authorization
Date Thu, 13 Dec 2012 10:45:49 GMT
Why is @Secures not fine?

if the rule is "on parameter" it is a post it can be enough.

Another solution is @Secure(hook = POST) with a default to PRE

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau



2012/12/13 Arne Limburg <arne.limburg@openknowledge.de>:
> Feel free to make a suggestion.
> What about
>
> @SecuredResult
> or
> @SecuredReturnValue
> ?
>
> On 13.12.12 10:50, "Gerhard Petracek" wrote
> <gerhard.petracek@gmail.com>:
>
>>+1, but imo we need a better name for it.
>>
>>regards,
>>gerhard
>>
>>
>>
>>2012/12/13 Rudy De Busscher <rdebusscher@gmail.com>
>>
>>> All,
>>>
>>> I had once also such a requirement (post-method authorization) where
>>>this
>>> could be very handy.
>>>
>>> We kept information about persons (name, age, address, medical info,
>>>...)
>>> but there were some categories. One kind of category was linked to the
>>> Royals and you needed a special role before you could read the
>>>information.
>>>
>>> So we were only able to determine if the user was allowed to read the
>>> person information after we had read it from the database and matched
>>>the
>>> category.
>>>
>>> So
>>> +1
>>>
>>> Regards
>>> Rudy
>>>
>>>
>>> On 13 December 2012 09:26, Arne Limburg <arne.limburg@openknowledge.de
>>> >wrote:
>>>
>>> > Hi Jean-Louis,
>>> >
>>> > A simple use case is a method that creates an object, stores it to the
>>> > database and returns it.
>>> > You may want to check the object to decide if the user is allowed to
>>> > create it. With my proposal it is as easy as:
>>> >
>>> > public class MyObjectRepository {
>>> >   @Create
>>> >   public MyObject create() {
>>> >      ...
>>> >   }
>>> > }
>>> >
>>> > public class MyAuthorizer {
>>> >
>>> >   @Secures @Create
>>> >   public boolean canCreate(@Result MyObject object) {
>>> >     // security check here
>>> >   }
>>> > }
>>> >
>>> >
>>> > Hope that makes it clear. And note that the check may depend on the
>>>state
>>> > of the object, i.e. the user is just allowed to create the object, if
>>>he
>>> > is the owner...
>>> >
>>> > Cheers,
>>> > Arne
>>> >
>>> > On 13.12.12 09:20, "Jean-Louis MONTEIRO" wrote <
>>> jeanouii@gmail.com
>>> > >:
>>> >
>>> > >Hi Arne,
>>> > >
>>> > >Just read the JIRA but could not find a relevant use case for that.
>>> > >But if you proposed it, I probably missed something so if you could
>>> > >elaborate a bit more.
>>> > >
>>> > >Jean-Louis
>>> > >
>>> > >
>>> > >2012/12/13 Mark Struberg <struberg@yahoo.de>
>>> > >
>>> > >>
>>> > >>
>>> > >> +1
>>> > >>
>>> > >>
>>> > >> ------------------------------
>>> > >> Arne Limburg wrote on Wed, 12 Dec 2012 23:38 PST:
>>> > >>
>>> > >> >Hi,
>>> > >> >
>>> > >> >What do you think of supporting post-method-authorization (see
>>>[1])
>>> in
>>> > >> addition to our current pre-method-authorization?
>>> > >> >I just started coding it and it is not much to do.
>>> > >> >
>>> > >> >Cheers,
>>> > >> >Arne
>>> > >> >
>>> > >> >[1] https://issues.apache.org/jira/browse/DELTASPIKE-298
>>> > >> >
>>> > >>
>>> > >>
>>> > >
>>> > >
>>> > >--
>>> > >Jean-Louis
>>> >
>>> >
>>>
>
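
The post-method check discussed in this thread, sketched with a plain JDK dynamic proxy (Java 16+) as an added example; it is not code from the thread or from DeltaSpike and does not use the DeltaSpike API. `securedResult`, `Person`, `User`, the role name `royal-reader` and the sample data are all hypothetical.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Set;
import java.util.function.BiPredicate;

public class PostAuthorizationDemo {
    // Constructed sample domain, modelled on the restricted-category case in the thread.
    record Person(String name, String category) {}
    record User(String name, Set<String> roles) {}
    interface PersonRepository { Person findByName(String name); }

    // Hypothetical helper: wraps a target so every return value passes the check
    // before the caller sees it.
    @SuppressWarnings("unchecked")
    static <T> T securedResult(Class<T> api, T target, User user, BiPredicate<User, Object> check) {
        InvocationHandler handler = (proxy, method, args) -> {
            Object result;
            try {
                result = method.invoke(target, args); // the method body runs first
            } catch (InvocationTargetException e) {
                throw e.getCause();                   // surface the target's own exception
            }
            if (!check.test(user, result)) {          // decision is made on the returned object
                // Fail closed and keep the object's data out of the exception message.
                throw new SecurityException("access denied: " + method.getName());
            }
            return result;
        };
        return (T) Proxy.newProxyInstance(api.getClassLoader(), new Class<?>[] {api}, handler);
    }

    public static void main(String[] args) {
        // Constructed stand-in for the database lookup.
        PersonRepository db = name -> new Person(name, name.startsWith("King") ? "ROYAL" : "PUBLIC");
        // ROYAL records require the hypothetical "royal-reader" role; everything else passes.
        BiPredicate<User, Object> rule = (u, r) -> !(r instanceof Person p)
                || !"ROYAL".equals(p.category()) || u.roles().contains("royal-reader");

        User clerk = new User("clerk", Set.of("reader"));
        PersonRepository repo = securedResult(PersonRepository.class, db, clerk, rule);

        System.out.println(repo.findByName("Alice").name()); // PUBLIC record reaches the caller
        try {
            repo.findByName("King Bob");                       // ROYAL record is withheld
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Because the target method has already run when the check fails, a denied call that writes (such as the create() case quoted above) needs its transaction rolled back by the caller or container.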
