Next stop 1.9.0 ;)

2018-05-21 Thread Mark Struberg
Hi folks!

I'd like to work towards a 1.9.0 release.

Is there anything which we really need in 1.9.0 to be fixed before we start a 
release?
Plus, is there anything from 1.8.1 which is not yet in 1.9.0? (don't think so, 
but asking to be sure).

txs and LieGrue,
strub



Re: [VOTE] Release Apache DeltaSpike-1.8.2

2018-05-21 Thread Mark Struberg
And my own +1

Will tally now.

txs and LieGrue,
strub


> On 16.05.2018 at 21:08, Rafael Benevides wrote:
> 
> +1
> 
> On Wed, May 16, 2018 at 3:14 AM, Thomas Andraschko <andraschko.tho...@gmail.com> wrote:
> 
>> +1
>> 
>> 2018-05-16 6:48 GMT+02:00 Romain Manni-Bucau :
>> 
>>> +1
>>> 
>>> On Wed, 16 May 2018 00:11, Daniel Cunha wrote:
>>> 
>>>> +1
>>>> 
>>>> On Tue, May 15, 2018, 18:36 Gerhard Petracek wrote:
>>>> 
>>>>> +1
>>>>> 
>>>>> regards,
>>>>> gerhard
>>>>> 
>>>>> 2018-05-15 23:26 GMT+02:00 Mark Struberg :
>>>>> 
>>>>>> Hi lords and ladies!
>>>>>> 
>>>>>> I would like to call a VOTE on releasing Apache DeltaSpike-1.8.2.
>>>>>> This is a maintenance release with java6 compatibility.
>>>>>> 
>>>>>> The following tickets got resolved:
>>>>>> 
>>>>>> Bug
>>>>>> 
>>>>>>     [DELTASPIKE-1276] - Multiple license headers
>>>>>>     [DELTASPIKE-1299] - Order by items are applied in alphabetic order
>>>>>>     [DELTASPIKE-1310] - Please use https (SSL) for links to KEYS, hashes, sigs
>>>>>>     [DELTASPIKE-1313] - DeltaSpikeProxyInterceptorLookup fails on WAS
>>>>>>     [DELTASPIKE-1316] - add dynamic annotations feature, configurable via config
>>>>>>     [DELTASPIKE-1317] - AnnotatedCallableImpl blows up with ArrayOutofBounds when parsing enums
>>>>>>     [DELTASPIKE-1344] - deltaspike-cdictrl-owb has a transient runtime dependency on Shrinkwrap and Arquillian
>>>>>> 
>>>>>> New Feature
>>>>>> 
>>>>>>     [DELTASPIKE-1319] - labeled alternatives
>>>>>>     [DELTASPIKE-1320] - global alternative spi to support custom (type-safe) mechanisms
>>>>>>     [DELTASPIKE-1337] - optional ClassFilter spi
>>>>>>     [DELTASPIKE-1338] - support class-filter per test
>>>>>> 
>>>>>> Improvement
>>>>>> 
>>>>>>     [DELTASPIKE-1309] - Upgrade ASM
>>>>>>     [DELTASPIKE-1311] - Allow Excluded Repositories
>>>>>>     [DELTASPIKE-1329] - ProjectStageProducer should log changed values
>>>>>>     [DELTASPIKE-1331] - minor type improvement of the ViewConfigNode spi
>>>>>>     [DELTASPIKE-1332] - support further cases for custom view-meta-data
>>>>>>     [DELTASPIKE-1334] - javadoc for ConfigPreProcessor#beforeAddToConfig
>>>>>>     [DELTASPIKE-1339] - Add support for dynamic interceptor binding, added via Extension
>>>>>> 
>>>>>> Task
>>>>>> 
>>>>>>     [DELTASPIKE-1257] - Research why BOM isn't working right in a release
>>>>>>     [DELTASPIKE-1312] - Upgrade to quartz-2.3.0
>>>>>> 
>>>>>> 
>>>>>> Here is the staging repo:
>>>>>> https://repository.apache.org/content/repositories/orgapachedeltaspike-1047/
>>>>>> 
>>>>>> The source zip can be found at
>>>>>> https://repository.apache.org/content/repositories/orgapachedeltaspike-1047/org/apache/deltaspike/deltaspike/1.8.2/
>>>>>> sha1 is add349e89314d9384dc9dc08772af275048343ba
>>>>>> 
>>>>>> Please VOTE:
>>>>>> 
>>>>>> [+1] yes, ship it
>>>>>> [+0] meh, don't care
>>>>>> [-1] stop there is a ${showstopper}
>>>>>> 
>>>>>> The VOTE is open for 72h
>>>>>> 
>>>>>> txs and LieGrue,
>>>>>> strub
> 
> -- 
> *Rafael Benevides | Senior Product Manager*
> Director of Developer Experience
> Follow me at Twitter: @rafabene 
> M: +1-407-401-3555
> Register today at https://developers.redhat.com/



Re: [VOTE] [RESULT] Release Apache DeltaSpike-1.8.2

2018-05-21 Thread Mark Struberg
Good morning lords and ladies!

Time to tally the VOTE.

The VOTE did pass with the following:

+1: Gerhard Petracek, Daniel Cunha, Romain Manni-Bucau, Thomas Andraschko, 
Rafael Benevides, Mark Struberg

No -1 nor 0

I'll continue with the release tasks.

Thanks to all who reviewed and voted!


LieGrue,
strub




[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Jonathan Laterreur (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16483091#comment-16483091
 ] 

Jonathan Laterreur commented on DELTASPIKE-1345:


[~gpetracek]

At least, if it's not the case, it would be nice to add this example to 
DeltaSpike's docs and verify the possibility of using it with inheritance.

Maybe there's no need to develop this interceptor. But... I think I will 
continue to use mine because it is way easier to understand (it behaves like 
the Java EE spec and is easy for new developers to use). There's no need to 
understand CDI or DeltaSpike to extend it.

> Support JavaEE Security annotation
> ----------------------------------
>
>          Key: DELTASPIKE-1345
>          URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
>      Project: DeltaSpike
>   Issue Type: New Feature
>   Components: Security-Module
>     Reporter: Jonathan Laterreur
>     Priority: Minor
>
> Deltaspike should take care of the standard JavaEE security annotation.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (does not cover everything)
> {code:java}
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RolesAllowed;
> import javax.inject.Inject;
> import javax.interceptor.AroundInvoke;
> import javax.interceptor.Interceptor;
> import javax.interceptor.InvocationContext;
> import javax.servlet.http.HttpServletRequest;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> // @RolesSecured is the reporter's own interceptor binding; its definition is not part of the post.
> @Interceptor
> @RolesSecured
> public class RolesSecuredInterceptor {
>     private static final Logger LOGGER = LoggerFactory.getLogger(RolesSecuredInterceptor.class);
>
>     @Inject
>     private HttpServletRequest request;
>
>     @AroundInvoke
>     public Object intercept(InvocationContext ctx) throws Exception {
>         // Method-level annotations take precedence over class-level ones.
>         boolean allowed = ctx.getMethod().getAnnotation(PermitAll.class) != null;
>         if (!allowed) {
>             RolesAllowed rolesAllowed = ctx.getMethod().getAnnotation(RolesAllowed.class);
>             if (rolesAllowed != null) {
>                 // A method-level @RolesAllowed result is final: a denial here must not
>                 // fall through to the class-level checks below.
>                 allowed = verifyRolesAllowed(rolesAllowed);
>             } else {
>                 allowed = ctx.getMethod().getDeclaringClass().getAnnotation(PermitAll.class) != null;
>                 if (!allowed) {
>                     rolesAllowed = ctx.getMethod().getDeclaringClass().getAnnotation(RolesAllowed.class);
>                     if (rolesAllowed != null) {
>                         allowed = verifyRolesAllowed(rolesAllowed);
>                     } else {
>                         // Neither the method nor its class is annotated: allowed by default.
>                         allowed = true;
>                     }
>                 }
>             }
>         }
>         if (!allowed) {
>             LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »",
>                     request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonyme",
>                     ctx.getMethod().getName());
>             throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
>         }
>         return ctx.proceed();
>     }
>
>     // True if the caller is authenticated and holds at least one of the listed roles.
>     private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
>         boolean allowed = false;
>         if (request.getUserPrincipal() != null) {
>             String[] roles = rolesAllowed.value();
>             for (String role : roles) {
>                 allowed = request.isUserInRole(role);
>                 if (allowed) {
>                     break;
>                 }
>             }
>         }
>         return allowed;
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
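
An added example, not DeltaSpike code and not the reporter's interceptor: one way to resolve the three annotations from the issue so that a method-level annotation always overrides the class-level one, with @DenyAll handled and the class-level lookup done on the declaring class, which is the inheritance case raised in the thread. The class, bean method and role names are constructed, unannotated members are allowed as in the posted interceptor, and the javax.annotation.security annotations (JSR-250 API jar) are assumed to be on the classpath.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

public class SecurityAnnotationResolver {

    enum Decision { ALLOW, DENY, UNSPECIFIED }

    /** Evaluates the annotations found on one element only (a method or a class). */
    static Decision evaluate(AnnotatedElement element, Set<String> callerRoles) {
        // If several annotations are present on the same element, the most
        // restrictive one is honoured first (a choice made for this example).
        if (element.isAnnotationPresent(DenyAll.class)) {
            return Decision.DENY;
        }
        RolesAllowed rolesAllowed = element.getAnnotation(RolesAllowed.class);
        if (rolesAllowed != null) {
            for (String role : rolesAllowed.value()) {
                if (callerRoles.contains(role)) {
                    return Decision.ALLOW;
                }
            }
            return Decision.DENY;
        }
        if (element.isAnnotationPresent(PermitAll.class)) {
            return Decision.ALLOW;
        }
        return Decision.UNSPECIFIED;
    }

    /**
     * Method-level decision first; the declaring class is consulted only when
     * the method carries none of the three annotations. An anonymous caller is
     * modelled as an empty role set.
     */
    static boolean isAllowed(Method method, Set<String> callerRoles) {
        Decision decision = evaluate(method, callerRoles);
        if (decision == Decision.UNSPECIFIED) {
            decision = evaluate(method.getDeclaringClass(), callerRoles);
        }
        // Unannotated method in an unannotated class: allowed, as in the posted interceptor.
        return decision != Decision.DENY;
    }

    // Constructed sample beans.
    @RolesAllowed("admin")
    static class AdminService {
        public void deleteUser() { }                               // class-level rule applies
        @PermitAll public void ping() { }                          // method-level override: open
        @RolesAllowed("auditor") public void readAuditLog() { }    // method-level override: narrower
        @DenyAll public void legacyExport() { }                    // never callable
    }

    static class ExtendedAdminService extends AdminService {
        public void report() { }   // declared in an unannotated subclass
    }

    public static void main(String[] args) throws Exception {
        Set<String> user = Collections.singleton("user");
        Set<String> admin = Collections.singleton("admin");
        Set<String> anonymous = Collections.<String>emptySet();
        Class<?> bean = ExtendedAdminService.class;
        String[] names = {"deleteUser", "ping", "readAuditLog", "legacyExport", "report"};
        for (String name : names) {
            Method m = bean.getMethod(name);
            System.out.printf("%-13s user=%-5b admin=%-5b anonymous=%b%n", name,
                    isAllowed(m, user), isAllowed(m, admin), isAllowed(m, anonymous));
        }
    }
}
```

Because the class-level annotation is read from `getDeclaringClass()`, `report()` declared in the unannotated subclass is open to every caller while the inherited `deleteUser()` stays admin-only.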


[jira] [Comment Edited] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Gerhard Petracek (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16483047#comment-16483047
 ] 

Gerhard Petracek edited comment on DELTASPIKE-1345 at 5/21/18 8:50 PM:
---

[~princemtl]:
that's why i said +HttpServletRequest (and/or EjbContext), because i just 
pointed to something which is out there already...
i never used it in a project (only @Secured), one of the ds-committers (rafael) 
did the example, but it should be possible (at least i'm not aware of an 
intended limitation).
"more code": if you count type-safe annotations representing your own roles - 
then: yes (but at the same time it's more flexible) than a predefined 
interceptor


was (Author: gpetracek):
[~princemtl]:
i never used it in a project (only @Secured), one of the ds-committers (rafael) 
did the example, but it should be possible (at least i'm not aware of an 
intended limitation).
"more code": if you count type-safe annotations representing your own roles - 
then: yes (but at the same time it's more flexible) than a predefined 
interceptor



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Gerhard Petracek (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16483047#comment-16483047
 ] 

Gerhard Petracek commented on DELTASPIKE-1345:
--

[~princemtl]:
i never used it in a project (only @Secured), one of the ds-committers (rafael) 
did the example, but it should be possible (at least i'm not aware of an 
intended limitation).
"more code": if you count type-safe annotations representing your own roles - 
then: yes (but at the same time it's more flexible) than a predefined 
interceptor



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Jonathan Laterreur (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16483033#comment-16483033
 ] 

Jonathan Laterreur commented on DELTASPIKE-1345:


The link you provided is JSF only ... (yes, you can replace it with 
HttpServletRequest or EJBContext).

With your solution, can you get the same effect, like: your bean is Admin only 
but you can also have some function "PermitAll" in it? Do you have inheritance?

If yes, then it's a nice solution... but you somehow have more code than 
before. Instead of having "RolesAllowed" on a class, you have a bean that does 
the check, an annotation and the annotation on the bean.

Am I right?



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Gerhard Petracek (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482996#comment-16482996
 ] 

Gerhard Petracek commented on DELTASPIKE-1345:
--

[~princemtl]:
yes i know, i was also surprised that "nobody" published such an integration.
however, the main question is if 
https://github.com/wildfly/quickstart/blob/master/deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/CustomAuthorizer.java
 (+ e.g. HttpServletRequest), isn't just better than those (outdated) 
annotations (since you still use the HttpServletRequest#isUserInRole and/or 
EjbContext#isCallerInRole).



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Jonathan Laterreur (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482975#comment-16482975
 ] 

Jonathan Laterreur commented on DELTASPIKE-1345:


Just to let you know, my app was in a JavaEE context with EJB. Then I decided 
to go full CDI and get rid of EJB (microservice instead of wildfly). I use 
@Transactional with JTA and it works well. So, instead of rewriting everything 
to manage security, I wrote this interceptor.

I think it can be a nice functionality and get new people to use your 
framework. I didn't find any other framework that could do it.



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Gerhard Petracek (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482902#comment-16482902
 ] 

Gerhard Petracek commented on DELTASPIKE-1345:
--

the consensus we had back then was that we only provide logic which allows to 
implement adapters. that was also the reason for dropping a lot again (which 
was moved to picketlink afterwards).

the approach shown by 
https://github.com/wildfly/quickstart/blob/master/deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/CustomAuthorizer.java 
is more cdi-like. with useful documentation it's really simple, well 
integrated and even better than @RolesAllowed.



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Romain Manni-Bucau (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482847#comment-16482847
 ] 

Romain Manni-Bucau commented on DELTASPIKE-1345:


[~gpetracek] hmm, why can't we use the same evaluation as in the security module 
but triggered by javax.security annotation? We would have an event which would 
set if we are allowed or not and [~princemtl] would observe it and use the 
request to evaluate it. That's what I had in mind. Providing a default impl 
using the request would not be as useful as just handling the interceptor and 
preprocess roles etc from a standard API automatically IMO (secural contexts 
wouldn't be handled based on the cdi request).



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Gerhard Petracek (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482836#comment-16482836
 ] 

Gerhard Petracek commented on DELTASPIKE-1345:
--

it would mean the usage of quite a bit of reflection - the lookup order would be:
# dyn. lookup of HttpServletRequest
# dyn lookup of HttpServletRequest + @DeltaSpike (if the servlet-module is 
available)
# dyn lookup of the ejb-helper

techn. we could even add the interceptor dyn., however, i haven't started with 
it because there is a quite simple alternative to it - see e.g.: 
https://github.com/wildfly/quickstart/blob/master/deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/CustomAuthorizer.java

instead of FacesContext, you can use the HttpServletRequest or the helper-ejb 
easily.

so maybe we should just promote it to our documentation.

> Support JavaEE Security annotation
> --
>
> Key: DELTASPIKE-1345
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
> Project: DeltaSpike
> Issue Type: New Feature
> Components: Security-Module
> Reporter: Jonathan Laterreur
> Priority: Minor
>
> Deltaspike should take care of the standard JavaEE security annotations.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (does not cover everything)
> {code:java}
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RolesAllowed;
> import javax.inject.Inject;
> import javax.interceptor.AroundInvoke;
> import javax.interceptor.Interceptor;
> import javax.interceptor.InvocationContext;
> import javax.servlet.http.HttpServletRequest;
> import org.slf4j.Logger;        // assumed: the {} placeholders suggest SLF4J
> import org.slf4j.LoggerFactory;
>
> @Interceptor
> @RolesSecured
> public class RolesSecuredInterceptor {
>     private static final Logger LOGGER = LoggerFactory.getLogger(RolesSecuredInterceptor.class);
>
>     @Inject
>     private HttpServletRequest request;
>
>     @AroundInvoke
>     public Object intercept(InvocationContext ctx) throws Exception {
>         // A method-level @PermitAll grants access outright.
>         boolean allowed = ctx.getMethod().getAnnotation(PermitAll.class) != null;
>         if (!allowed) {
>             RolesAllowed rolesAllowed = ctx.getMethod().getAnnotation(RolesAllowed.class);
>             if (rolesAllowed != null) {
>                 // A method-level @RolesAllowed is decisive: a failed check must not
>                 // fall through to the class-level lookup below.
>                 allowed = verifyRolesAllowed(rolesAllowed);
>             } else {
>                 // No method-level annotation: fall back to the declaring class.
>                 allowed = ctx.getMethod().getDeclaringClass().getAnnotation(PermitAll.class) != null;
>                 if (!allowed) {
>                     rolesAllowed = ctx.getMethod().getDeclaringClass().getAnnotation(RolesAllowed.class);
>                     if (rolesAllowed != null) {
>                         allowed = verifyRolesAllowed(rolesAllowed);
>                     } else {
>                         // Nothing annotated on the method or the class: the call is unchecked.
>                         allowed = true;
>                     }
>                 }
>             }
>         }
>         if (!allowed) {
>             LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »",
>                     request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonyme",
>                     ctx.getMethod().getName());
>             throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
>         }
>         return ctx.proceed();
>     }
>
>     // True if the authenticated caller holds at least one of the listed roles.
>     private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
>         boolean allowed = false;
>         if (request.getUserPrincipal() != null) {
>             String[] roles = rolesAllowed.value();
>             for (String role : roles) {
>                 allowed = request.isUserInRole(role);
>                 if (allowed) {
>                     break;
>                 }
>             }
>         }
>         return allowed;
>     }
> }
> {code}




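The annotation resolution discussed in this thread, as an added example that is not part of the issue or of DeltaSpike's code: it also handles @DenyAll, lets a method-level annotation override the class-level one, and takes the role check as a Predicate so it can be backed by HttpServletRequest#isUserInRole or EJBContext#isCallerInRole. The class names, the sample bean and the ordering applied when several annotations sit on one element are assumptions; it needs javax.annotation-api on the classpath.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.function.Predicate;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

public class SecurityAnnotationDecision {

    /** TRUE/FALSE if the element carries a security annotation, null if it carries none. */
    static Boolean decide(AnnotatedElement element, Predicate<String> isUserInRole) {
        if (element.isAnnotationPresent(DenyAll.class)) {
            return Boolean.FALSE;   // assumption: the most restrictive annotation wins
        }
        RolesAllowed roles = element.getAnnotation(RolesAllowed.class);
        if (roles != null) {
            return Arrays.stream(roles.value()).anyMatch(isUserInRole);
        }
        return element.isAnnotationPresent(PermitAll.class) ? Boolean.TRUE : null;
    }

    /** Method-level annotations override class-level ones; no annotation at all means unchecked. */
    static boolean isAllowed(Method method, Predicate<String> isUserInRole) {
        Boolean decision = decide(method, isUserInRole);
        if (decision == null) {
            decision = decide(method.getDeclaringClass(), isUserInRole);
        }
        return decision == null || decision;
    }

    // Constructed sample bean, not taken from the thread.
    @RolesAllowed("admin")
    static class ReportService {
        public void delete() { }                           // inherits class-level "admin"
        @PermitAll public void ping() { }                  // open to every caller
        @DenyAll public void internal() { }                // closed to every caller
        @RolesAllowed("auditor") public void export() { }  // replaces "admin" for this method
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for request::isUserInRole: the caller holds only the "admin" role.
        Predicate<String> callerRoles = "admin"::equals;
        for (String name : new String[] {"delete", "ping", "internal", "export"}) {
            Method m = ReportService.class.getMethod(name);
            System.out.println(name + " -> " + isAllowed(m, callerRoles));
        }
    }
}
```

An "admin" caller is refused on export() because the method-level @RolesAllowed("auditor") replaces the class-level role list instead of adding to it.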

[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Jonathan Laterreur (JIRA)

[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482822#comment-16482822 ]

Jonathan Laterreur commented on DELTASPIKE-1345:


If you can manage the fact that you don't always have an ejb context, then it's perfect. :)



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Gerhard Petracek (JIRA)

[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482812#comment-16482812 ]

Gerhard Petracek commented on DELTASPIKE-1345:
--

the point is that we don't have access to an injected HttpServletRequest with 
our baseline (without the servlet-module).
we can use both for the evaluation (if one of them isn't available. in an 
ee-server the approach via an ejb is compatible with our baseline).



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Jonathan Laterreur (JIRA)

[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482795#comment-16482795 ]

Jonathan Laterreur commented on DELTASPIKE-1345:


It's because I don't run with ejb that I need this interceptor.

I mean, I would use a stateless bean instead of a regular CDI bean if I had EJB.

You can access the annotations with:
{code:java}
<dependency>
    <groupId>javax.annotation</groupId>
    <artifactId>javax.annotation-api</artifactId>
</dependency>
{code}
 



[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation

2018-05-21 Thread Gerhard Petracek (JIRA)

[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482771#comment-16482771 ]

Gerhard Petracek commented on DELTASPIKE-1345:
--

i thought about almost the same last week.
however, we would need to add it to the servlet-module.
the alternative would be the injection of an ejb to delegate the evaluation to 
EjbContext#isCallerInRole
