deltaspike-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Schmidt <Andrew.Schm...@impactmobile.com>
Subject Secured Stereotype annotations and parent class methods do not invoke decision voter
Date Thu, 14 Sep 2017 14:19:18 GMT
I have a @Secured @Stereotype annotation

@Retention( RUNTIME )
@Stereotype
@Inherited
@Secured( CustomAccessDecisionVoter.class )
@Target( { ElementType.TYPE, ElementType.METHOD } )
public @interface Permission
{

}

And my decision voter:

@ApplicationScoped
public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter
{
    @Override
    protected void checkPermission( AccessDecisionVoterContext voterContext, Set<SecurityViolation>
violations )
    {
        System.out.println( "Checking permission for " + voterContext.<InvocationContext>
getSource().getMethod().getName() );
    }

}

And now a bean that inherits from another class

public class Animal
{
    public String getParentName()
    {
        return "parent";
    }
}


@Named
@Permission
public class Dog extends Animal
{
    public String getChildName()
    {
        return "dog";
    }
}


In JSF dogName: #{dog.childName}  will invoke the checkPermission whereas   #{dog.parentName}
 will not

Is this expected behavior?

I tested a similar concept out with a demo from the docs for a @SecurityBindingType annotation
and it secured both methods.  For example:

@Retention( value = RetentionPolicy.RUNTIME )
@Target( { ElementType.TYPE, ElementType.METHOD } )
@Documented
@SecurityBindingType
public @interface UserLoggedIn
{

}

@ApplicationScoped
public class LoginAuthorizer
{
    @Secures
    @UserLoggedIn
    public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
    {
        System.out.println( "doSecuredCheck called for: " + invocationContext.getMethod().getName()
);

        return true;
    }
}

Now applying @UserLoggedIn to  the Dog class will cause the doSecuredCheck to fire for both
getChildName and getParentName



Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message