I have a @Secured @Stereotype annotation:

    @Retention( RUNTIME )
    @Stereotype
    @Inherited
    @Secured( CustomAccessDecisionVoter.class )
    @Target( { ElementType.TYPE, ElementType.METHOD } )
    public @interface Permission
    {
    }

And my decision voter:

    @ApplicationScoped
    public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter
    {
        @Override
        protected void checkPermission( AccessDecisionVoterContext voterContext,
                                        Set<SecurityViolation> violations )
        {
            System.out.println( "Checking permission for " +
                voterContext.<InvocationContext> getSource().getMethod().getName() );
        }
    }

And now a bean that inherits from another class:

    public class Animal
    {
        public String getParentName()
        {
            return "parent";
        }
    }

    @Named
    @Permission
    public class Dog extends Animal
    {
        public String getChildName()
        {
            return "dog";
        }
    }

In JSF, dogName: #{dog.childName} will invoke the checkPermission, whereas
#{dog.parentName} will not.
Is this expected behavior?

I tested a similar concept out with a demo from the docs for a
@SecurityBindingType annotation and it secured both methods. For example:

    @Retention( value = RetentionPolicy.RUNTIME )
    @Target( { ElementType.TYPE, ElementType.METHOD } )
    @Documented
    @SecurityBindingType
    public @interface UserLoggedIn
    {
    }

    @ApplicationScoped
    public class LoginAuthorizer
    {
        @Secures
        @UserLoggedIn
        public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
        {
            System.out.println( "doSecuredCheck called for: " +
                invocationContext.getMethod().getName() );
            return true;
        }
    }

Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to
fire for both getChildName and getParentName.