[ https://issues.apache.org/jira/browse/DELTASPIKE-1294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matej Novotny reopened DELTASPIKE-1294:
---------------------------------------

The code change breaks this for Weld as it relies on OWB's internal behavior - e.g. copying annotations onto proxy classes.
Namely on {{invocationContext.getTarget().getClass()}} (which will return proxy) having the {{@Secured}} annotation present. See the [code|https://github.com/apache/deltaspike/commit/b1903c2b3463dfa368d0fe973c72f2055c838bf6#diff-b97fd89797e4c626bf91e494fd981192R90].

With Weld, the annotations are only there if they are {{@Inherited}}.
Therefore making {{@Secured}} inherited would *partly* fix this issue, but it would be still broken for stereotypes (which aren't inherited).

Hence the only full-blown fix would be to get the target class (via {{invocationContext.getTarget().getClass()}}) and then inspect the hierarchy of classes?

> Secured Stereotypes are not applied to inherited methods
> --------------------------------------------------------
>
>                 Key: DELTASPIKE-1294
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1294
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: Security-Module
>    Affects Versions: 1.8.0
>            Reporter: Andrew Schmidt
>            Assignee: Mark Struberg
>             Fix For: 1.8.1
>
>
> I have a @Secured @Stereotype annotation
> {code:java}
> @Retention( RUNTIME )
> @Stereotype
> @Inherited
> @Secured( CustomAccessDecisionVoter.class )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> public @interface Permission {
> }
> {code}
> And my decision voter:
> {code:java}
> @ApplicationScoped
> public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter {
>     @Override
>     protected void checkPermission( AccessDecisionVoterContext voterContext,
>                                     Set<SecurityViolation> violations )
>     {
>         System.out.println( "Checking permission for " +
>             voterContext.<InvocationContext> getSource().getMethod().getName() );
>     }
> }
> {code}
> And now a bean that inherits from another class
> {code:java}
> public class Animal
> {
>     public String getParentName()
>     {
>         return "parent";
>     }
> }
> {code}
> {code:java}
> @Named
> @Permission
> public class Dog extends Animal
> {
>     public String getChildName()
>     {
>         return "dog";
>     }
> }
> {code}
> In JSF dogName:
> {code}#{dog.childName}{code} will invoke the checkPermission whereas
> {code}#{dog.parentName}{code} will not
> This is in contrast to the @SecurityBindingType
> {code:java}
> @Retention( value = RetentionPolicy.RUNTIME )
> @Target( { ElementType.TYPE, ElementType.METHOD } )
> @Documented
> @SecurityBindingType
> public @interface UserLoggedIn {
> }
> {code}
> {code:java}
> @ApplicationScoped
> public class LoginAuthorizer
> {
>     @Secures
>     @UserLoggedIn
>     public boolean doSecuredCheck( InvocationContext invocationContext )
>         throws Exception
>     {
>         System.out.println( "doSecuredCheck called for: " +
>             invocationContext.getMethod().getName() );
>         return true;
>     }
> }
> {code}
> Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to fire for both getChildName and getParentName

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
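
The hierarchy inspection suggested in the comment above, sketched as an added example (not DeltaSpike's code and not taken from the linked commit). `Secured`, `Stereotype` and `Permission` are local stand-ins for the real annotations, `Permission` is deliberately not `@Inherited`, and `DogProxy` models a container-generated proxy subclass that carries no copied annotations.

```java
import java.lang.annotation.*;
import java.util.*;

public class SecuredLookupDemo {
    // Stand-ins (assumptions) for DeltaSpike's @Secured and CDI's @Stereotype
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.ANNOTATION_TYPE})
    @interface Secured { String voter(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.ANNOTATION_TYPE)
    @interface Stereotype {}
    // Modelled on the reporter's @Permission, but NOT @Inherited
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @Stereotype @Secured(voter = "CustomAccessDecisionVoter")
    @interface Permission {}

    static class Animal { public String getParentName() { return "parent"; } }
    @Permission static class Dog extends Animal { public String getChildName() { return "dog"; } }
    static class DogProxy extends Dog {} // hypothetical proxy without copied annotations

    // Lookup on the runtime class only: sees directly present and @Inherited annotations
    static Optional<Secured> naive(Class<?> runtimeClass) {
        return fromAnnotations(runtimeClass.getAnnotations(), new HashSet<>());
    }

    // Walk the superclass chain so the check does not depend on the container copying annotations
    static Optional<Secured> resolve(Class<?> runtimeClass) {
        for (Class<?> c = runtimeClass; c != null && c != Object.class; c = c.getSuperclass()) {
            Optional<Secured> found = fromAnnotations(c.getDeclaredAnnotations(), new HashSet<>());
            if (found.isPresent()) return found;
        }
        return Optional.empty();
    }

    // Accept @Secured directly, or nested inside a stereotype; 'seen' guards against cycles
    static Optional<Secured> fromAnnotations(Annotation[] anns, Set<Class<?>> seen) {
        for (Annotation a : anns) {
            if (a instanceof Secured) return Optional.of((Secured) a);
            Class<? extends Annotation> type = a.annotationType();
            if (type.isAnnotationPresent(Stereotype.class) && seen.add(type)) {
                Optional<Secured> nested = fromAnnotations(type.getDeclaredAnnotations(), seen);
                if (nested.isPresent()) return nested;
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        System.out.println("naive on proxy:   " + naive(DogProxy.class).map(Secured::voter).orElse("none"));
        System.out.println("resolve on proxy: " + resolve(DogProxy.class).map(Secured::voter).orElse("none"));
    }
}
```

When the lookup on the proxy class finds nothing, no voter runs and the call proceeds unchecked, so a regression test that asserts the voter is resolved from a proxy subclass catches this on both containers.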