Gerhard Petracek reassigned DELTASPIKE-1014:
--------------------------------------------

    Assignee: Gerhard Petracek

> SecuredAnnotationAuthorizer overwrites method-level annotation metadata with class-level annotation metadata
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: DELTASPIKE-1014
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1014
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: Security-Module
>    Affects Versions: 1.5.1
>         Environment: Weld 2.2.15.Final
>            Reporter: The Alchemist
>            Assignee: Gerhard Petracek
>            Priority: Minor
>             Fix For: 1.5.2
>
>
> h2. Short Overview of What I'm trying to Do
> I'm trying to make a CDI-based equivalent of {{javax.annotation.security.RolesAllowed}} that uses my custom {{ROLE}} enum.
> {code:java}
> import static java.lang.annotation.ElementType.FIELD;
> import static java.lang.annotation.ElementType.METHOD;
> import static java.lang.annotation.ElementType.TYPE;
> import static java.lang.annotation.RetentionPolicy.RUNTIME;
> // plus a static import of the ROLE constants (ADMIN, ROOT, USER)
>
> import java.lang.annotation.Inherited;
> import java.lang.annotation.Retention;
> import java.lang.annotation.Target;
> import java.security.Principal;
> import java.util.List;
> import java.util.Set;
>
> import javax.ejb.Stateless;
> import javax.enterprise.context.RequestScoped;
> import javax.enterprise.inject.Stereotype;
> import javax.inject.Inject;
>
> import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
> import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
> import org.apache.deltaspike.security.api.authorization.Secured;
> import org.apache.deltaspike.security.api.authorization.SecurityViolation;
>
> import com.google.common.collect.ImmutableList;
>
> // Custom stereotype: every usage is secured by MyRoleAccessDecisionVoter
> @Target({TYPE, METHOD, FIELD})
> @Retention(RUNTIME)
> @Inherited
> @Stereotype
> @Secured(MyRoleAccessDecisionVoter.class)
> public @interface MyRolesAllowed {
>     ROLE[] value();
> }
>
> @RequestScoped
> public class MyRoleAccessDecisionVoter extends AbstractAccessDecisionVoter {
>     @Inject
>     private Principal principal;
>
>     @Override
>     protected void checkPermission(AccessDecisionVoterContext voterContext,
>                                    Set<SecurityViolation> violations) {
>         // get the roles from the annotation
>         ROLE[] rolesAllowed =
>                 voterContext.getMetaDataFor(MyRolesAllowed.class.getName(),
>                                             MyRolesAllowed.class).value();
>         // BUG ABOVE! it'll have class-level annotation instead of the
>         // method-level annotation
>     }
> }
>
> // Class-level annotation is broader than the method-level one
> @MyRolesAllowed({ADMIN, ROOT, USER})
> @Stateless
> public class TestBean {
>     @MyRolesAllowed({ADMIN, ROOT})
>     public List<String> getWhatever() {
>         return ImmutableList.of();
>     }
> }
> {code}
>
> h2. My Thoughts
> It looks like {{org.apache.deltaspike.security.impl.authorization.SecuredAnnotationAuthorizer}} is where the bug is.
> It parses both method- and class-level annotations in {{extractMetadata()}}, in that order (method first, then class).
> Then that data gets passed to {{DefaultAccessDecisionVoterContext.addMetaData()}}, which puts it in a {{HashMap}}.
> Because the order is method-first, that entry in the map gets overwritten by the class-level info.
>
> h2. Possible Fixes?
> * Flip the order in {{extractMetaData()}}: first get the class-level, then the method-level, so the method level will overwrite the class-level
> * {{getMetaData()}} should return a {{List}} instead, and down the road, perhaps the super-class metadata can be put there too
>
> I guess the issue is whether the annotations should be MERGED or OVERWRITTEN.
> I'm guessing you guys had similar discussions for {{org.apache.deltaspike.core.api.config.view.metadata.Aggregated}}.
> I'm thinking that it should OVERWRITE by default.
>
> h2. Workaround?
> Unknown. :( Anyone have any suggestions? Is there a way to use a custom {{DefaultAccessDecisionVoterContext}} or {{SecuredAnnotationAuthorizer}}?
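The overwrite the report describes, reproduced in a stand-alone Java example added here (it is neither DeltaSpike code nor the reporter's): a minimal stand-in for the HashMap-backed voter context, keyed by annotation class name, is populated method-first as the report says the authorizer does, and then class-first as the first proposed fix suggests. The `Role` enum, the `DemoRolesAllowed` annotation, `DemoBean` and the helper methods are constructed for this example. Run with method-first order, the class-level entry is the one left in the map, so a caller holding only `USER` passes the check on a method the developer restricted to `ADMIN` and `ROOT`; with class-first order the method-level entry wins and the same caller is rejected.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class MetadataOrderDemo {

    // Constructed stand-ins for the reporter's ROLE enum and @MyRolesAllowed stereotype.
    enum Role { ADMIN, ROOT, USER }

    @Target({ElementType.TYPE, ElementType.METHOD})
    @Retention(RetentionPolicy.RUNTIME)
    @interface DemoRolesAllowed { Role[] value(); }

    // The class permits USER; the method narrows access to ADMIN and ROOT only.
    @DemoRolesAllowed({Role.ADMIN, Role.ROOT, Role.USER})
    static class DemoBean {
        @DemoRolesAllowed({Role.ADMIN, Role.ROOT})
        public void getWhatever() { }
    }

    /** Mimics a HashMap-backed voter context: the last put for a key wins. */
    static Map<String, Object> collect(Method method, boolean methodFirst) {
        Map<String, Object> metadata = new HashMap<>();
        Class<?> declaring = method.getDeclaringClass();
        if (methodFirst) {
            // Order the report attributes to extractMetadata(): method, then class.
            put(metadata, method.getAnnotation(DemoRolesAllowed.class));
            put(metadata, declaring.getAnnotation(DemoRolesAllowed.class));
        } else {
            // Proposed fix: class first, so the method-level entry overwrites it.
            put(metadata, declaring.getAnnotation(DemoRolesAllowed.class));
            put(metadata, method.getAnnotation(DemoRolesAllowed.class));
        }
        return metadata;
    }

    private static void put(Map<String, Object> metadata, DemoRolesAllowed annotation) {
        if (annotation != null) {
            metadata.put(DemoRolesAllowed.class.getName(), annotation);
        }
    }

    /** The decision a voter would make from whichever entry survived in the map. */
    static boolean isAllowed(Map<String, Object> metadata, Role caller) {
        DemoRolesAllowed effective =
                (DemoRolesAllowed) metadata.get(DemoRolesAllowed.class.getName());
        return effective != null && Arrays.asList(effective.value()).contains(caller);
    }

    public static void main(String[] args) throws Exception {
        Method target = DemoBean.class.getMethod("getWhatever");
        Map<String, Object> methodFirst = collect(target, true);
        Map<String, Object> classFirst = collect(target, false);
        System.out.println("method-first order, caller USER allowed: "
                + isAllowed(methodFirst, Role.USER));
        System.out.println("class-first order,  caller USER allowed: "
                + isAllowed(classFirst, Role.USER));
    }
}
```

The point of keeping both orders side by side is that the map contents, not the annotations on the bean, are what the voter ends up enforcing; a unit test that calls the restricted method with a caller holding only the class-level role is the quickest way to confirm whether a given DeltaSpike version still exhibits the overwrite.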