Sounds inconsistent indeed! Can you please create a jira ticket so we don't forget to look at it in more detail?
ts and LieGrue, strub > Am 14.09.2017 um 16:19 schrieb Andrew Schmidt > <[email protected]>: > > I have a @Secured @Stereotype annotation > > @Retention( RUNTIME ) > @Stereotype > @Inherited > @Secured( CustomAccessDecisionVoter.class ) > @Target( { ElementType.TYPE, ElementType.METHOD } ) > public @interface Permission > { > > } > > And my decision voter: > > @ApplicationScoped > public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter > { > @Override > protected void checkPermission( AccessDecisionVoterContext voterContext, > Set<SecurityViolation> violations ) > { > System.out.println( "Checking permission for " + > voterContext.<InvocationContext> getSource().getMethod().getName() ); > } > > } > > And now a bean that inherits from another class > > public class Animal > { > public String getParentName() > { > return "parent"; > } > } > > > @Named > @Permission > public class Dog extends Animal > { > public String getChildName() > { > return "dog"; > } > } > > > In JSF dogName: #{dog.childName} will invoke the checkPermission whereas > #{dog.parentName} will not > > Is this expected behavior? > > I tested a similar concept out with a demo from the docs for a > @SecurityBindingType annotation and it secured both methods. For example: > > @Retention( value = RetentionPolicy.RUNTIME ) > @Target( { ElementType.TYPE, ElementType.METHOD } ) > @Documented > @SecurityBindingType > public @interface UserLoggedIn > { > > } > > @ApplicationScoped > public class LoginAuthorizer > { > @Secures > @UserLoggedIn > public boolean doSecuredCheck( InvocationContext invocationContext ) > throws Exception > { > System.out.println( "doSecuredCheck called for: " + > invocationContext.getMethod().getName() ); > > return true; > } > } > > Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to > fire for both getChildName and getParentName > >
