[
https://issues.apache.org/jira/browse/DELTASPIKE-1294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matej Novotny reopened DELTASPIKE-1294:
---------------------------------------
The code change breaks this for Weld as it relies on OWB's internal behavior -
e.g. copying annotations onto proxy classes.
Namely on {{invocationContext.getTarget().getClass()}} (which will return
proxy) having the {{@Secured}} annotation present. See the
[code|https://github.com/apache/deltaspike/commit/b1903c2b3463dfa368d0fe973c72f2055c838bf6#diff-b97fd89797e4c626bf91e494fd981192R90].
With Weld, the annotations are only there if they are {{@Inherited}}. Therefore
making {{@Secured}} inherited would *partly* fix this issue, but it would be
still broken for stereotypes (which aren't inherited). Hence the only
full-blown fix would be to get the target class (via
{{invocationContext.getTarget().getClass()}}) and then inspect the hierarchy of
classes?
> Secured Stereotypes are not applied to inherited methods
> --------------------------------------------------------
>
> Key: DELTASPIKE-1294
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1294
> Project: DeltaSpike
> Issue Type: Bug
> Components: Security-Module
> Affects Versions: 1.8.0
> Reporter: Andrew Schmidt
> Assignee: Mark Struberg
> Fix For: 1.8.1
>
>
> I have a @Secured @Stereotype annotation
> {code:java}
> @Retention( RUNTIME )
> @Stereotype
> @Inherited
> @Secured( CustomAccessDecisionVoter.class )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> public @interface Permission {
> }
> {code}
> And my decision voter:
> {code:java}
> @ApplicationScoped
> public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter {
> @Override
> protected void checkPermission( AccessDecisionVoterContext voterContext,
> Set<SecurityViolation> violations )
> {
> System.out.println( "Checking permission for " +
> voterContext.<InvocationContext> getSource().getMethod().getName() );
> }
> }
> {code}
> And now a bean that inherits from another class
> {code:java}
> public class Animal
> {
> public String getParentName()
> {
> return "parent";
> }
> }
> {code}
> {code:java}
> @Named
> @Permission
> public class Dog extends Animal
> {
> public String getChildName()
> {
> return "dog";
> }
> }
> {code}
> In JSF dogName:
> {code}#{dog.childName}{code} will invoke the checkPermission whereas
> {code}#{dog.parentName}{code} will not
> This is in contrast to the @SecurityBindingType
> {code:java}
> @Retention( value = RetentionPolicy.RUNTIME )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> @Documented
> @SecurityBindingType
> public @interface UserLoggedIn {
> }
> {code}
> {code:java}
> @ApplicationScoped
> public class LoginAuthorizer
> {
> @Secures
> @UserLoggedIn
> public boolean doSecuredCheck( InvocationContext invocationContext )
> throws Exception
> {
> System.out.println( "doSecuredCheck called for: " +
> invocationContext.getMethod().getName() );
> return true;
> }
> }
> {code}
> Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to
> fire for both getChildName and getParentName
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
