[jira] [Comment Edited] (DELTASPIKE-1294) Secured Stereotypes are not applied to inherited methods

2017-11-29 Thread Matej Novotny (JIRA) 

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16270794#comment-16270794
 ] 

Matej Novotny edited comment on DELTASPIKE-1294 at 11/29/17 2:22 PM:
-

I'll try to explain a tad bit differently then... (sorry if it's too verbose)

Even on new servers (WildFly 11), where 
{{invocationContext.getTarget().getClass()}} will work and will be used but the 
tests will fail. In such case the code assumes that doing 
{{invocationContext.getTarget().getClass().getAnnotations()}} will return all 
the annotations, amongst which there should be {{@Secured}} or the 
{{@Stereotype}} with the Secured one hidden inside.
That is (and always was) untrue in Weld as 
{{invocationContext.getTarget().getClass()}} will give you a proxy of the 
actual bean instance and this proxy only contains annotations which are 
{{@Inherited}}.

Hence *the fallback you mention will never be used on, for instance, WildFly 
11* and the code will fail to find the annotations.
The reason why the previous solution (== current "fallback") worked is because 
{{invocationContext.getMethod().getDeclaringClass()}} returns the actual bean 
class (not proxy class) and that one has the annotation. But obviously, this 
fails for the test with parent class.

Is this understandable?


was (Author: manovotn):
I'll try to explain a tad bit differently then... (sorry if it's too verbose)

Even on new servers (WildFly 11), where 
{{invocationContext.getTarget().getClass()}} will work and will be used but the 
tests will fail. In such case the code assumes that doing 
{{invocationContext.getTarget().getClass().getAnnotations()}} will return all 
the annotations, amongst which there should be {{@Secured}} or the 
{{@Stereotype}} with the Secured one hidden inside.
That is (and always was) untrue in Weld as 
{{invocationContext.getTarget().getClass()}} will give you a proxy of the 
actual bean instance and this proxy only contains annotations which are 
{{@Inherited}}.

Hence *the fallback you mention will never be used on, for instance, WildFly 11 
*and the code will fail to find the annotations.
The reason why the previous solution (== current "fallback") worked is because 
{{invocationContext.getMethod().getDeclaringClass()}} returns the actual bean 
class (not proxy class) and that one has the annotation. But obviously, this 
fails for the test with parent class.

Is this understandable?

> Secured Stereotypes are not applied to inherited methods
> 
>
> Key: DELTASPIKE-1294
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1294
> Project: DeltaSpike
>  Issue Type: Bug
>  Components: Security-Module
>Affects Versions: 1.8.0
>Reporter: Andrew Schmidt
>Assignee: Mark Struberg
> Fix For: 1.8.1
>
>
> I have a @Secured @Stereotype annotation
> {code:java}
> @Retention( RUNTIME )
> @Stereotype
> @Inherited
> @Secured( CustomAccessDecisionVoter.class ) 
> @Target( { ElementType.TYPE, ElementType.METHOD } ) 
> public @interface Permission {
> }
> {code}
> And my decision voter:
> {code:java}
> @ApplicationScoped
> public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter {
> @Override
> protected void checkPermission( AccessDecisionVoterContext voterContext, 
> Set violations )
> {
> System.out.println( "Checking permission for " + 
> voterContext. getSource().getMethod().getName() );
> }
> }
> {code}
> And now a bean that inherits from another class
> {code:java}
> public class Animal
> {
> public String getParentName()
> {
> return "parent";
> }
> }
> {code}
> {code:java}
> @Named
> @Permission
> public class Dog extends Animal
> {
> public String getChildName()
> {
> return "dog";
> }
> }
> {code}
> In JSF dogName: 
> {code}#{dog.childName}{code} will invoke the checkPermission whereas   
> {code}#{dog.parentName}{code} will not
> This is in contrast to the @SecurityBindingType 
> {code:java}
> @Retention( value = RetentionPolicy.RUNTIME ) 
> @Target( { ElementType.TYPE, ElementType.METHOD } ) 
> @Documented 
> @SecurityBindingType
> public @interface UserLoggedIn {
> }
> {code}
> {code:java}
> @ApplicationScoped
> public class LoginAuthorizer
> {
> @Secures
> @UserLoggedIn
> public boolean doSecuredCheck( InvocationContext invocationContext ) 
> throws Exception
> {
> System.out.println( "doSecuredCheck called for: " + 
> invocationContext.getMethod().getName() );
> return true;
> }
> }
> {code}
> Now applying @UserLoggedIn to  the Dog class will cause the doSecuredCheck to 
> fire for both getChildName and getParentName



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Comment Edited] (DELTASPIKE-1294) Secured Stereotypes are not applied to inherited methods

2017-11-27 Thread Gerhard Petracek (JIRA) 

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16266687#comment-16266687
 ] 

Gerhard Petracek edited comment on DELTASPIKE-1294 at 11/27/17 11:54 AM:
-

we could adjust SecuredAnnotationAuthorizer#extractMetadata to get rid of the 
inconsistency, however, we need a way to limit the evaluation to the mode we 
have currently.
as always both approaches have advantages and disadvantages.
i guess the reason for the inconsistency is caused by the origin of both 
annotations.
(@Secures came from seam3 whereas @Secured came from codi)

for now just annotate the base-class as well.
in case that isn't possible, because it is e.g. a class provided by a 3rd party 
library, it should be possible to override the methods (combined with a simple 
delegation to the method of the base class).


was (Author: gpetracek):
we could adjust SecuredAnnotationAuthorizer#extractMetadata to get rid of the 
inconsistency, however, we need a way to limit the evaluation to the mode we 
have currently.

for now just annotate the base-class as well.
in case that isn't possible, because it is e.g. a class provided by a 3rd party 
library, it should be possible to override the methods (combined with a simple 
delegation to the method of the base class).

> Secured Stereotypes are not applied to inherited methods
> 
>
> Key: DELTASPIKE-1294
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1294
> Project: DeltaSpike
>  Issue Type: Bug
>  Components: Security-Module
>Affects Versions: 1.8.0
>Reporter: Andrew Schmidt
>
> I have a @Secured @Stereotype annotation
> {code:java}
> @Retention( RUNTIME )
> @Stereotype
> @Inherited
> @Secured( CustomAccessDecisionVoter.class ) 
> @Target( { ElementType.TYPE, ElementType.METHOD } ) 
> public @interface Permission {
> }
> {code}
> And my decision voter:
> {code:java}
> @ApplicationScoped
> public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter {
> @Override
> protected void checkPermission( AccessDecisionVoterContext voterContext, 
> Set violations )
> {
> System.out.println( "Checking permission for " + 
> voterContext. getSource().getMethod().getName() );
> }
> }
> {code}
> And now a bean that inherits from another class
> {code:java}
> public class Animal
> {
> public String getParentName()
> {
> return "parent";
> }
> }
> {code}
> {code:java}
> @Named
> @Permission
> public class Dog extends Animal
> {
> public String getChildName()
> {
> return "dog";
> }
> }
> {code}
> In JSF dogName: 
> {code}#{dog.childName}{code} will invoke the checkPermission whereas   
> {code}#{dog.parentName}{code} will not
> This is in contrast to the @SecurityBindingType 
> {code:java}
> @Retention( value = RetentionPolicy.RUNTIME ) 
> @Target( { ElementType.TYPE, ElementType.METHOD } ) 
> @Documented 
> @SecurityBindingType
> public @interface UserLoggedIn {
> }
> {code}
> {code:java}
> @ApplicationScoped
> public class LoginAuthorizer
> {
> @Secures
> @UserLoggedIn
> public boolean doSecuredCheck( InvocationContext invocationContext ) 
> throws Exception
> {
> System.out.println( "doSecuredCheck called for: " + 
> invocationContext.getMethod().getName() );
> return true;
> }
> }
> {code}
> Now applying @UserLoggedIn to  the Dog class will cause the doSecuredCheck to 
> fire for both getChildName and getParentName



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)