[
https://issues.apache.org/jira/browse/DELTASPIKE-1014?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gerhard Petracek updated DELTASPIKE-1014:
-----------------------------------------
Fix Version/s: 1.5.2
> SecuredAnnotationAuthorizer overwrites method-level annotation metadata with
> class-level annotation metadata
> ------------------------------------------------------------------------------------------------------------
>
> Key: DELTASPIKE-1014
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1014
> Project: DeltaSpike
> Issue Type: Bug
> Components: Security-Module
> Affects Versions: 1.5.1
> Environment: Weld 2.2.15.Final
> Reporter: The Alchemist
> Priority: Minor
> Fix For: 1.5.2
>
>
> h2. Short Overview of What I'm trying to Do
> I'm trying to make a CDI-based equivalent of
> {{javax.annotation.security.RolesAllowed}} that uses my custom {{ROLE}} enum.
> {code:java}
> @Target({TYPE, METHOD, FIELD})
> @Retention(RUNTIME)
> @Inherited
> @Stereotype
> @Secured(MyRoleAccessDecisionVoter.class)
> public @interface MyRolesAllowed {
> ROLE[] value();
> }
> @RequestScoped
> public class MyRoleAccessDecisionVoter extends AbstractAccessDecisionVoter {
> @Inject
> private Principal principal;
> @Override
> protected void checkPermission(AccessDecisionVoterContext voterContext,
> Set<SecurityViolation> violations) {
> // get the roles from the annotation
> ROLE[] rolesAllowed =
> voterContext.getMetaDataFor(MyRolesAllowed.class.getName(),
> MyRolesAllowed.class).value();
> // BUG ABOVE! it'll have class-level annotation instead of the
> method-level annotation
> }
> }
>
> @MyRolesAllowed({ADMIN, ROOT, USER})
> @Stateless
> public class TestBean {
> @MyRolesAllowed({ADMIN, ROOT})
> public List<String> getWhatever() {
> return ImmutableList.of();
> }
> }
> {code}
> h2. My Thoughts
> It looks like
> {{org.apache.deltaspike.security.impl.authorization.SecuredAnnotationAuthorizer}}
> is where the bug is.
> It parses both method- and class-level annotations in {{extractMetadata()}},
> in that order (method first, then class).
> Then that data gets passed to
> {{DefaultAccessDecisionVoterContext.addMetaData()}}, which puts it in a
> {{HashMap}}.
> Because the order is method-first, that entry in the map gets overwritten by
> the class-level info.
> h2. Possible Fixes?
> * Flip the order in {{extractMetaData()}}: first get the class-level, then
> the method-level, so the method level will overwrite the class-level
> * {{getMetaData()}} should return a {{List}} instead, and down the road,
> perhaps the super-class metadata can be put there too
> I guess the issue is whether the annotations should be MERGED or OVERWRITTEN.
> I'm guessing you guys had similar discussions for
> {{org.apache.deltaspike.core.api.config.view.metadata.Aggregated}}.
> I'm thinking that it should OVERWRITE by default.
> h2. Workaround?
> Unknown. :( Anyone have any suggestions? Is there a way to use a custom
> {{DefaultAccessDecisionVoterContext}} or {{SecuredAnnotationAuthorizer}}?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
