[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

[Jonathan Laterreur (JIRA)]

    [ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16483091#comment-16483091
 ] 

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

[~gpetracek]

At least, if it's not the case, it would be nice to add this example in the 
deltaspike's doc and verify the possibility to use it with inheritance.

Maybe, there's no need to develop this interceptor. But... I think I will 
continue to use mine because it is way more easier to understand (behave like 
javaee spec and easy to new developer to use it). There's no need to understand 
CDI or Deltaspike to extends it.

> Support JavaEE Security annotation
> ----------------------------------
>
>                 Key: DELTASPIKE-1345
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Security-Module
>            Reporter: Jonathan Laterreur
>            Priority: Minor
>
> Deltaspike should take care of the standard JavaEE security annotation.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (does not covers everything)
> {code:java}
> @Interceptor
> @RolesSecured
> public class RolesSecuredInterceptor {
>     private static final Logger LOGGER = 
> LoggerFactory.getLogger(RolesSecuredInterceptor.class);
>     @Inject
>     private HttpServletRequest request;
>     @AroundInvoke
>     public Object intercept(InvocationContext ctx) throws Exception {
>         boolean allowed = ctx.getMethod().getAnnotation(PermitAll.class) != 
> null;
>         if (!allowed) {
>             RolesAllowed rolesAllowed = 
> ctx.getMethod().getAnnotation(RolesAllowed.class);
>             if (rolesAllowed != null) {
>                 allowed = verifyRolesAllowed(rolesAllowed);
>             }
>             if (!allowed) {
>                 allowed = 
> ctx.getMethod().getDeclaringClass().getAnnotation(PermitAll.class) != null;
>                 if (!allowed) {
>                     rolesAllowed = 
> ctx.getMethod().getDeclaringClass().getAnnotation(RolesAllowed.class);
>                     if (rolesAllowed != null) {
>                         allowed = verifyRolesAllowed(rolesAllowed);
>                     } else {
>                         allowed = true;
>                     }
>                 }
>             }
>         }
>         if (!allowed) {
>             LOGGER.error("Utilisateur « {} » ne possede pas les droits pour 
> appeler cette fonction « {} »", request.getUserPrincipal() != null ? 
> request.getUserPrincipal().getName() : "anonyme",
>                     ctx.getMethod().getName());
>             throw new SecurityException("Ne possede pas les droits pour 
> appeler ce bean CDI");
>         }
>         return ctx.proceed();
>     }
>     private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
>         boolean allowed = false;
>         if (request.getUserPrincipal() != null) {
>             String[] roles = rolesAllowed.value();
>             for (String role : roles) {
>                 allowed = request.isUserInRole(role);
>                 if (allowed) {
>                     break;
>                 }
>             }
>         }
>         return allowed;
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)