The Alchemist created DELTASPIKE-1014: -----------------------------------------
Summary: SecuredAnnotationAuthorizer overwrites method-level annotation metadata with class-level annotation metadata
Key: DELTASPIKE-1014
URL: https://issues.apache.org/jira/browse/DELTASPIKE-1014
Project: DeltaSpike
Issue Type: Bug
Components: Security-Module
Affects Versions: 1.5.1
Environment: Weld 2.2.15.Final
Reporter: The Alchemist

h2. Short Overview of What I'm Trying to Do

I'm trying to make a CDI-based equivalent of {{javax.annotation.security.RolesAllowed}} that uses my custom {{ROLE}} enum.

{code:java}
import static java.lang.annotation.ElementType.FIELD;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import java.security.Principal;
import java.util.List;
import java.util.Set;

import javax.ejb.Stateless;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Stereotype;
import javax.inject.Inject;

import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
import org.apache.deltaspike.security.api.authorization.Secured;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;

import com.google.common.collect.ImmutableList;

// ROLE is my own enum (ADMIN, ROOT, USER, ...); its values are statically imported below.

@Target({TYPE, METHOD, FIELD})
@Retention(RUNTIME)
@Inherited
@Stereotype
@Secured(MyRoleAccessDecisionVoter.class)
public @interface MyRolesAllowed {
    ROLE[] value();
}

@RequestScoped
public class MyRoleAccessDecisionVoter extends AbstractAccessDecisionVoter {
    @Inject
    private Principal principal;

    @Override
    protected void checkPermission(AccessDecisionVoterContext voterContext, Set<SecurityViolation> violations) {
        // get the roles from the annotation
        ROLE[] rolesAllowed = voterContext.getMetaDataFor(MyRolesAllowed.class.getName(), MyRolesAllowed.class).value();
        // BUG ABOVE! it'll have the class-level annotation instead of the method-level annotation
    }
}

@MyRolesAllowed({ADMIN, ROOT, USER})
@Stateless
public class TestBean {
    @MyRolesAllowed({ADMIN, ROOT})
    public List<String> getWhatever() {
        return ImmutableList.of();
    }
}
{code}

h2. My Thoughts

It looks like {{org.apache.deltaspike.security.impl.authorization.SecuredAnnotationAuthorizer}} is where the bug is. It parses both method- and class-level annotations in {{extractMetadata()}}, in that order (method first, then class). Then that data gets passed to {{DefaultAccessDecisionVoterContext.addMetaData()}}, which puts it in a {{HashMap}}. Because the order is method-first, that entry in the map gets overwritten by the class-level info.

h2. Possible Fixes?

* Flip the order in {{extractMetaData()}}: first get the class-level, then the method-level, so the method level will overwrite the class-level
* {{getMetaData()}} should return a {{List}} instead, and down the road, perhaps the super-class metadata can be put there too

I guess the issue is whether the annotations should be MERGED or OVERWRITTEN. I'm guessing you guys had similar discussions for {{org.apache.deltaspike.core.api.config.view.metadata.Aggregated}}. I'm thinking that it should OVERWRITE by default.

h2. Workaround?

Unknown. :( Anyone have any suggestions? Is there a way to use a custom {{DefaultAccessDecisionVoterContext}} or {{SecuredAnnotationAuthorizer}}?

-- 
This message was sent by Atlassian JIRA
(v6.3.4#6332)
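The overwrite described in the report, reduced to a stand-alone demonstration (added example, not DeltaSpike or the reporter's code): a map-backed metadata collector is fed the method-level and class-level annotation in each order, and the map entry read back is the one that was put last. The enum, annotation and bean are constructed stand-ins for the reporter's {{ROLE}}, {{MyRolesAllowed}} and {{TestBean}}; {{collect()}} and {{rolesFor()}} are hypothetical names that mimic the {{extractMetadata()}} / {{addMetaData()}} interaction, not the real API.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

// Constructed stand-ins for the reporter's ROLE enum, annotation and bean.
enum ROLE { ADMIN, ROOT, USER }

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface MyRolesAllowed { ROLE[] value(); }

@MyRolesAllowed({ROLE.ADMIN, ROLE.ROOT, ROLE.USER})
class TestBean {
    @MyRolesAllowed({ROLE.ADMIN, ROLE.ROOT})
    public List<String> getWhatever() { return Collections.emptyList(); }
}

public class MetaDataOrderDemo {
    // Hypothetical stand-in for extractMetadata() feeding a HashMap-backed addMetaData():
    // each annotation is keyed by its type name, so whichever is put last wins.
    static Map<String, Annotation> collect(Method m, boolean classFirst) {
        Map<String, Annotation> metaData = new HashMap<>();
        Annotation onMethod = m.getAnnotation(MyRolesAllowed.class);
        Annotation onClass = m.getDeclaringClass().getAnnotation(MyRolesAllowed.class);
        Annotation[] order = classFirst ? new Annotation[]{onClass, onMethod}
                                        : new Annotation[]{onMethod, onClass};
        for (Annotation a : order) {
            if (a != null) {
                metaData.put(a.annotationType().getName(), a); // a later put replaces an earlier one
            }
        }
        return metaData;
    }

    // What a voter's getMetaDataFor(MyRolesAllowed.class.getName(), ...) would see for the method.
    static ROLE[] rolesFor(Method m, boolean classFirst) {
        Annotation a = collect(m, classFirst).get(MyRolesAllowed.class.getName());
        return ((MyRolesAllowed) a).value();
    }

    public static void main(String[] args) throws Exception {
        Method m = TestBean.class.getMethod("getWhatever");
        // Method-first is the order the report describes: the class-level roles replace the method-level ones,
        // so a method meant for ADMIN and ROOT is also opened to USER.
        System.out.println("method-first: " + Arrays.toString(rolesFor(m, false)));
        // Class-first is the reporter's first proposed fix: the method-level roles end up in the map.
        System.out.println("class-first:  " + Arrays.toString(rolesFor(m, true)));
    }
}
```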