Re: Using @Secures to secure JSF page (ViewConfig)

Thu, 09 Jun 2016 02:10:58 -0700

Ok, I've created ticket https://issues.apache.org/jira/browse/DELTASPIKE-1172 

On 09.06.2016 11:45, Gerhard Petracek wrote:

hi alexei,

it's currently not supported (intentionally).
-> please file a jira-ticket for it and we will re-visit this topic.

regards,
gerhard



2016-06-09 0:53 GMT+02:00 Осипов Алексей <[email protected]>:


Hello,

I'm working with type-safe view-config for my app an run in an issue with
defining security restrictions for pages.

Deltaspike documentation explains how to use @Secured annotation and
implement AccessDecisionVoter-s to define permission checks for pages.
I have a bunch of custom SecurityBindingType-s that checked via
@Secures-annotated methods and I want to use those SecurityBindingType-s to
configure permission checks on ViewConfig objects.

Example (mostly just from Deltaspike docs):
// Custom security binding annotation:

|@Retention(value = RUNTIME) @Target({TYPE, METHOD}) @Documented
@SecurityBindingType public @interface UserLoggedIn {}|

  // Custom /authorizer/|
@ApplicationScoped |

|public class LoggedInAuthorizer { @Secures @UserLoggedIn public boolean
doSecuredCheck(Identity identity) throws Exception { return
identity.isLoggedIn(); } }|

// View config
@|UserLoggedIn  // <- Note that I want to use |security binding annotation
here. Not a new class with @Secured
|public class MyPage implements ViewConfig||{ |

|}|
// Note: this example has only one annotation (|UserLoggedIn|) but my app
has a dozen of them.

So I want to use security binding annotations for ViewConfig classes in
the same way we usually use them for beans.
The problem is that I can't find easy way to do that type of security
check declaration in Delatspike.

Obviously, I can write a AccessDecisionVoter for each custom security
binding type but I don't want to create so many classes just for view
configuration.
Also I can write an AccessDecisionVoter and list all my security binding
annotations and check them one by one. However I don't want to hardcode the
list of annotations. To high risk that somebody forgets to update the list.

Is there better way to achieve that? Am I missing something?

||

Reference docs:
https://deltaspike.apache.org/documentation/security.html
https://deltaspike.apache.org/documentation/jsf.html

PS: I've run into that problem during migration from Seam 3. Seam allowed
to use security binding annotations in page configuration.

Best regards,
Alexei Osipov

























					Reply via email to