[ http://www.stripesframework.org/jira/browse/STS-495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Frederic Daoud closed STS-495.
------------------------------

    Resolution: Won't Fix

I agree with Gregg. I believe that Stripes should continue to stay focused on 
its task and not fall into the trap of scope creep. Trying to provide a 
security solution does not make sense for Stripes, when needs are so diverse 
that whole frameworks exist solely for that purpose (for example, Spring 
Security, JSecurity -> Apache Ki -> Apache Shiro).


> EventPermission annotation for Stripes events methods
> -----------------------------------------------------
>
>                 Key: STS-495
>                 URL: http://www.stripesframework.org/jira/browse/STS-495
>             Project: Stripes
>          Issue Type: New Feature
>          Components: ActionBean Dispatching
>    Affects Versions: Release 1.4.3
>         Environment: All
>            Reporter: Andrew Jaquith
>            Assignee: Tim Fennell
>         Attachments: EventPermission.java, EventPermissionInfo.java, 
> WikiInterceptor.java
>
>
> Hi Tim and all -
> We're planning to use Stripes in a future release of Apache JSPWiki. While 
> doing the integration, I wrote a method annotation and supporting classes 
> that turned out to be quite generic, and could be quite useful for all 
> Stripes users. So I thought I'd write it up in the hopes of getting it into 
> Stripes 1.5. The idea is pretty simple: use the method annotation 
> @EventPermission to identify what Java Permissions would be needed to 
> successfully execute an event.
> Here's how it works. Suppose we have an ActionBean whose default event is the 
> "view()" method, but we want to make sure the caller possesses a particular 
> Permission. Here's the method signature:
>    @DefaultHandler
>    @HandlesEvent("view")
>    @EventPermission(
>       permissionClass=PagePermission.class,
>       target="${page.qualifiedName}",
>       actions=PagePermission.VIEW_ACTION)
>    public Resolution view() { ... }
> Note the @EventPermission annotation. It defines the Permission class and its 
> target and actions. The "permissionClass" attribute tells us that the 
> Permission class this method needs is "PagePermission" (a custom Permission 
> class). Note also the JSTL-style syntax in the target and actions attributes 
> -- these allow JSTL-access to bean properties for the instantiated 
> ViewActionBean. In this case, "${page}" is the bean attribute that returns 
> the value of this ViewActionBean's getPage() method. The nested syntax 
> "${page.qualifiedName}" is equivalent to getPage().getQualifiedName(). Neat, 
> huh?
> An annotation like this would collaborate with a security interceptor that 
> fires during the binding/validation stage:
> @Intercepts( { LifecycleStage.BindingAndValidation })
> public class WikiInterceptor implements Interceptor
> {
>     public Resolution intercept(ExecutionContext context) throws Exception {
> ...
>         // Does the event handler have a required permission?
>         boolean allowed = true;
>         EventPermissionInfo permInfo = beanContext.getPermissionInfo(handler);
>         if ( permInfo != null )
>         {
>             // Build the Permission from the annotation and the bound bean
>             Permission requiredPermission = permInfo.getPermission(actionBean);
>             if ( requiredPermission != null )
>             {
>                 // security checking code goes here...
>             }
>         }
>         // If not allowed, redirect to login page with all parameters intact;
>         // otherwise proceed
>         if (!allowed)
>         {
>             r = new RedirectResolution(LoginActionBean.class);
>             ((RedirectResolution) r).includeRequestParameters(true);
>             return r;
>         }
>         // Allowed: continue with the rest of the lifecycle
>         return context.proceed();
>     }
> }
> I have attached several sample source files. I have not "cleansed" them yet 
> -- so if they are of interest to you, I'll do that.  
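
The mechanism the issue describes, as an added example that is not the attached code and not part of Stripes or JSPWiki: the annotation is read from the handler at runtime, its `${...}` target is resolved against the bean, and the resulting Permission is tested against a granted set. The PagePermission, Page and ViewActionBean classes, the resolve and isAllowed helpers, and the deny-when-unannotated default are all assumptions of this example.

```java
import java.lang.annotation.*;
import java.security.*;
public class EventPermissionDemo {
    // Re-creation of the annotation as the issue describes it; the attached source is not shown.
    @Retention(RetentionPolicy.RUNTIME) @interface EventPermission {
        Class<? extends Permission> permissionClass(); String target(); String actions();
    }
    // Constructed stand-in for JSPWiki's PagePermission: exact page name and action match.
    public static final class PagePermission extends Permission {
        private final String actions;
        public PagePermission(String page, String actions) { super(page); this.actions = actions; }
        @Override public boolean implies(Permission p) {
            return p instanceof PagePermission && p.getName().equals(getName())
                && p.getActions().equals(actions);
        }
        @Override public boolean equals(Object o) { return o instanceof Permission && implies((Permission) o); }
        @Override public int hashCode() { return 31 * getName().hashCode() + actions.hashCode(); }
        @Override public String getActions() { return actions; }
    }
    public static class Page { public String getQualifiedName() { return "Main:Welcome"; } }
    public static class ViewActionBean {
        public Page getPage() { return new Page(); }
        @EventPermission(permissionClass = PagePermission.class,
                         target = "${page.qualifiedName}", actions = "view")
        public void view() {}
        public void delete() {}  // deliberately unannotated
    }
    // Resolves "${a.b}" as bean.getA().getB(); any other string is used literally.
    static String resolve(String expr, Object bean) throws Exception {
        if (!expr.startsWith("${") || !expr.endsWith("}")) return expr;
        for (String prop : expr.substring(2, expr.length() - 1).split("\\.")) {
            String getter = "get" + Character.toUpperCase(prop.charAt(0)) + prop.substring(1);
            bean = bean.getClass().getMethod(getter).invoke(bean);
        }
        return String.valueOf(bean);
    }
    // Fails closed: an event with no annotation is denied (a choice made for this example).
    static boolean isAllowed(Object bean, String event, PermissionCollection granted) throws Exception {
        EventPermission ann = bean.getClass().getMethod(event).getAnnotation(EventPermission.class);
        if (ann == null) return false;
        Permission required = ann.permissionClass().getConstructor(String.class, String.class)
            .newInstance(resolve(ann.target(), bean), ann.actions());
        return granted.implies(required);
    }
    public static void main(String[] args) throws Exception {
        Permissions granted = new Permissions();
        granted.add(new PagePermission("Main:Welcome", "view"));  // constructed grant
        System.out.println("view: " + isAllowed(new ViewActionBean(), "view", granted));
        System.out.println("delete: " + isAllowed(new ViewActionBean(), "delete", granted));
    }
}
```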
