Using @Secures to secure JSF page (ViewConfig)

Wed, 08 Jun 2016 15:54:07 -0700 

Hello,
I'm working with type-safe view-config for my app an run in an issue with defining security restrictions for pages. 


Deltaspike documentation explains how to use @Secured annotation and 
implement AccessDecisionVoter-s to define permission checks for pages.
I have a bunch of custom SecurityBindingType-s that checked via 
@Secures-annotated methods and I want to use those SecurityBindingType-s 
to configure permission checks on ViewConfig objects.


Example (mostly just from Deltaspike docs):
// Custom security binding annotation:


|@Retention(value = RUNTIME) @Target({TYPE, METHOD}) @Documented 
@SecurityBindingType public @interface UserLoggedIn {}|


 // Custom /authorizer/|
@ApplicationScoped |


|public class LoggedInAuthorizer { @Secures @UserLoggedIn public boolean 
doSecuredCheck(Identity identity) throws Exception { return 
identity.isLoggedIn(); } }|


// View config

@|UserLoggedIn  // <- Note that I want to use |security binding 
annotation here. Not a new class with @Secured

|public class MyPage implements ViewConfig||{ |

|}|
// Note: this example has only one annotation (|UserLoggedIn|) but my app has a 
dozen of them.


So I want to use security binding annotations for ViewConfig classes in 
the same way we usually use them for beans.
The problem is that I can't find easy way to do that type of security 
check declaration in Delatspike.



Obviously, I can write a AccessDecisionVoter for each custom security 
binding type but I don't want to create so many classes just for view 
configuration.
Also I can write an AccessDecisionVoter and list all my security binding 
annotations and check them one by one. However I don't want to hardcode 
the list of annotations. To high risk that somebody forgets to update 
the list.


Is there better way to achieve that? Am I missing something?

||

Reference docs:
https://deltaspike.apache.org/documentation/security.html
https://deltaspike.apache.org/documentation/jsf.html


PS: I've run into that problem during migration from Seam 3. Seam 
allowed to use security binding annotations in page configuration.


Best regards,
Alexei Osipov






















					Reply via email to