deltaspike-users mailing list archives

From Mark Struberg <strub...@yahoo.de.INVALID>
Subject Re: Secured Stereotype annotations and parent class methods do not invoke decision voter
Date Fri, 15 Sep 2017 05:16:29 GMT
Sounds inconsistent indeed!

Can you please create a jira ticket so we don't forget to look at it in more detail?

ts and LieGrue,
strub


> On 14.09.2017 at 16:19, Andrew Schmidt <Andrew.Schmidt@impactmobile.com> wrote:
> 
> I have a @Secured @Stereotype annotation
> 
> @Retention( RUNTIME )
> @Stereotype
> @Inherited
> @Secured( CustomAccessDecisionVoter.class )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> public @interface Permission
> {
> 
> }
> 
> And my decision voter:
> 
> @ApplicationScoped
> public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter
> {
>    @Override
>    protected void checkPermission( AccessDecisionVoterContext voterContext, Set<SecurityViolation> violations )
>    {
>        System.out.println( "Checking permission for " + voterContext.<InvocationContext>getSource().getMethod().getName() );
>    }
> 
> }
> 
> And now a bean that inherits from another class
> 
> public class Animal
> {
>    public String getParentName()
>    {
>        return "parent";
>    }
> }
> 
> 
> @Named
> @Permission
> public class Dog extends Animal
> {
>    public String getChildName()
>    {
>        return "dog";
>    }
> }
> 
> 
> In JSF dogName: #{dog.childName} will invoke the checkPermission whereas #{dog.parentName} will not
> 
> Is this expected behavior?
> 
> I tested a similar concept out with a demo from the docs for a @SecurityBindingType annotation and it secured both methods.  For example:
> 
> @Retention( value = RetentionPolicy.RUNTIME )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> @Documented
> @SecurityBindingType
> public @interface UserLoggedIn
> {
> 
> }
> 
> @ApplicationScoped
> public class LoginAuthorizer
> {
>    @Secures
>    @UserLoggedIn
>    public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
>    {
>        System.out.println( "doSecuredCheck called for: " + invocationContext.getMethod().getName() );
> 
>        return true;
>    }
> }
> 
> Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to fire for both getChildName and getParentName
> 
> 

