I give up!
Thanks a lot Shane for all your help.
I wasn't able to use the interceptor you suggested. I tried to add it to the
default stack by Component.forName("...").addInterceptor(...) but ended up with
ArrayIndexOutOfBounds etc.
My second try was to use a regular EJB3 interceptor which does the Seam
login/logout and basically all the things in SecurityInterceptor from Seam.
It's really a copy of your code:
| import java.lang.reflect.Method;
|
| import javax.interceptor.AroundInvoke;
| import javax.interceptor.InvocationContext;
|
| import org.jboss.seam.Component;
| import org.jboss.seam.annotations.security.Restrict;
| import org.jboss.seam.security.Identity;
| import org.jboss.seam.util.Strings;
|
| public class ExternalClientSecurityInterceptor {
|
|     @AroundInvoke
|     public Object aroundInvoke(final InvocationContext theInvocationContext)
|             throws Exception {
|
|         try {
|             // Perform a Seam login
|             this.doSeamLogin();
|
|             // Get the invoked method
|             final Method theInterfaceMethod = theInvocationContext.getMethod();
|
|             // TODO: optimize this:
|             // Check if there's a Seam @Restrict annotation on invoked method
|             final Object theTarget = theInvocationContext.getTarget();
|             final Method theMethod = this.getComponent(theTarget)
|                     .getBeanClass().getMethod(theInterfaceMethod.getName(),
|                             theInterfaceMethod.getParameterTypes());
|             final Restrict theRestriction = this.getRestriction(theMethod,
|                     theTarget);
|
|             // Perform security check if a restriction is found
|             if (null != theRestriction && Identity.isSecurityEnabled()) {
|                 // Use the annotation's expression, or a default one if empty
|                 final String theRestrictionExpression = !Strings
|                         .isEmpty(theRestriction.value()) ? theRestriction
|                         .value() : this.createDefaultExpr(theMethod, theTarget);
|                 Identity.instance().checkRestriction(theRestrictionExpression);
|             }
|             return theInvocationContext.proceed();
|         } finally {
|
|             // Always logout after invocation
|             this.doSeamLogout();
|         }
|     }
|
|     private Component getComponent(final Object theTarget) {
|         // Get the Seam component name of the target class
|         final String theComponentName = Component.getComponentName(theTarget
|                 .getClass());
|         // Return the component
|         return Component.forName(theComponentName);
|     }
|
|     private void doSeamLogin() {
|         // Credentials are hard-coded in this interceptor
|         Identity.instance().setUsername("user");
|         Identity.instance().setPassword("Demo987!");
|         Identity.instance().login();
|     }
|
|     private void doSeamLogout() {
|         Identity.instance().logout();
|     }
|
|     private Restrict getRestriction(final Method theMethod,
|             final Object theTarget) {
|         // A method-level @Restrict takes precedence over a class-level one
|         if (theMethod.isAnnotationPresent(Restrict.class)) {
|             return theMethod.getAnnotation(Restrict.class);
|         } else if (this.getComponent(theTarget).getBeanClass()
|                 .isAnnotationPresent(Restrict.class)) {
|             // The class-level restriction does not apply to lifecycle methods
|             if (!this.getComponent(theTarget).isLifecycleMethod(theMethod)) {
|                 return this.getComponent(theTarget).getBeanClass()
|                         .getAnnotation(Restrict.class);
|             }
|         }
|         return null;
|     }
|
|     /**
|      * Creates a default security expression for a specified method. The method
|      * must be a method of a Seam component.
|      *
|      * @param theMethod
|      *            The method for which to create a default permission expression
|      * @param theTarget
|      *            The target object whose Seam component name is used in the
|      *            expression
|      * @return The generated security expression.
|      */
|     private String createDefaultExpr(final Method theMethod,
|             final Object theTarget) {
|         return String.format("#{s:hasPermission('%s','%s', null)}", this
|                 .getComponent(theTarget).getName(), theMethod.getName());
|     }
| }
|
This enabled the recognition of the @Restrict("s:hasRole('user')") annotation
on EJB methods.
Next problem - the Drools rules don't seem to work. Well, they work if I run
from the JSFs but not from my Quartz POJO job.
I've tried to debug to see how and if my RuleBasedIdentity uses the rules but I
got lost in the Drools code :-(
At least I can see that the RuleBasedIdentity is created and that my Drools
rule file is read.
I guess I'll use default Java EE security and where I need more advanced
security constraints I'll have to implement it myself... too bad.
Is there a possibility to file this feature to JIRA?
Kind regards, Andreas