@ romain: i was going to post a similar suggestion (@PostSecured)

regards,
gerhard


2012/12/13 Romain Manni-Bucau <[email protected]>
> so i'd go for @PreSecures and @PostSecures, just explicit
>
> but i wouldn't something not symmetrical
>
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
>
> 2012/12/13 Arne Limburg <[email protected]>:
>> @Secures sounds cool at a first glance, but may it be confusing for users?
>>
>> And also we should support a mixture of @SecurityParameterBindings and
>> result, so the annotation should somehow indicate that the parameter is
>> the return value of the method invocation.
>> Consider the following example:
>>
>> @Copy
>> public MyObject copy(@Source MyObject source) {
>>     ...
>> }
>>
>> public class MyCopyAuthorizer {
>>
>>     @Secures @Copy
>>     public boolean isCopyAllowed(@Source MyObject source,
>>                                  @SecuredReturnValue MyObject target) {
>>         ...
>>     }
>> }
>>
>> where @Copy is a @SecurityBindingType and @Source is a
>> @SecurityParameterBinding
>>
>> Cheers,
>> Arne
>>
>> On 13.12.12 11:45, "Romain Manni-Bucau" <[email protected]> wrote:
>>
>>> Why @Secures is not fine?
>>>
>>> if the rule is "on parameter" it is a post it can be enough.
>>>
>>> Another solution is @Secure(hook = POST) with a default to PRE
>>>
>>> Romain Manni-Bucau
>>> Twitter: @rmannibucau
>>> Blog: http://rmannibucau.wordpress.com/
>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>> Github: https://github.com/rmannibucau
>>>
>>>
>>> 2012/12/13 Arne Limburg <[email protected]>:
>>>> Feel free to make a suggestion.
>>>> What about
>>>>
>>>> @SecuredResult
>>>> or
>>>> @SecuredReturnValue
>>>> ?
>>>>
>>>> On 13.12.12 10:50, "Gerhard Petracek" <[email protected]> wrote:
>>>>
>>>>> +1, but imo we need a better name for it.
>>>>>
>>>>> regards,
>>>>> gerhard
>>>>>
>>>>>
>>>>> 2012/12/13 Rudy De Busscher <[email protected]>
>>>>>
>>>>>> All,
>>>>>>
>>>>>> I had once also such a requirement (post-method authorization) where
>>>>>> this could be very handy.
>>>>>>
>>>>>> We kept information about persons (name, age, address, medical info, ...)
>>>>>> but there were some categories. One kind of category was linked to the
>>>>>> Royals and you needed a special role before you could read the
>>>>>> information.
>>>>>>
>>>>>> So we were only able to determine if the user was allowed to read the
>>>>>> person information after we had read it from the database and matched
>>>>>> the category.
>>>>>>
>>>>>> So
>>>>>> +1
>>>>>>
>>>>>> Regards
>>>>>> Rudy
>>>>>>
>>>>>>
>>>>>> On 13 December 2012 09:26, Arne Limburg <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Jean-Louis,
>>>>>>>
>>>>>>> A simple use case is a method that creates an object, stores it to the
>>>>>>> database and returns it.
>>>>>>> You may want to check the object to decide if the user is allowed to
>>>>>>> create it. With my proposal it is as easy as:
>>>>>>>
>>>>>>> public class MyObjectRepository {
>>>>>>>     @Create
>>>>>>>     public MyObject create() {
>>>>>>>         ...
>>>>>>>     }
>>>>>>> }
>>>>>>>
>>>>>>> public class MyAuthorizer {
>>>>>>>
>>>>>>>     @Secures @Create
>>>>>>>     public boolean canCreate(@Result MyObject object) {
>>>>>>>         // security check here
>>>>>>>     }
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> Hope that makes it clear. And note that the check may depend on the
>>>>>>> state of the object, i.e. the user is just allowed to create the object,
>>>>>>> if he is the owner...
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Arne
>>>>>>>
>>>>>>> On 13.12.12 09:20, "Jean-Louis MONTEIRO" <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Arne,
>>>>>>>>
>>>>>>>> Just read the JIRA but could not find a relevant use case for that.
>>>>>>>> But if you proposed it, I probably missed something so if you could
>>>>>>>> elaborate a bit more.
>>>>>>>>
>>>>>>>> Jean-Louis
>>>>>>>>
>>>>>>>>
>>>>>>>> 2012/12/13 Mark Struberg <[email protected]>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> +1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ------------------------------
>>>>>>>>> Arne Limburg wrote on Wed., 12 Dec 2012 23:38 PST:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> What do you think of supporting post-method-authorization (see [1])
>>>>>>>>>> in addition to our current pre-method-authorization?
>>>>>>>>>> I just started coding it and it is not much to do.
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Arne
>>>>>>>>>>
>>>>>>>>>> [1] https://issues.apache.org/jira/browse/DELTASPIKE-298
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jean-Louis
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
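The flow Arne describes above (run the secured method, hand its return value to a `@Secures` authorizer, deny if the check fails) is shown here as an added, stand-alone example. It is not DeltaSpike's interceptor and not code from anyone in the thread: the `@Create`, `@Secures` and `@Result` annotations, the `invokeWithPostAuthorization` dispatcher, the `MyObject`/`MyObjectRepository`/`MyAuthorizer` classes and the owner rule are all hypothetical stand-ins built with plain reflection so the example runs without a CDI container.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;

// Added example: a reflection-based sketch of post-method authorization.
// All annotations below are hypothetical stand-ins, not DeltaSpike's own API.
public class PostAuthorizationExample {

    /** Hypothetical security binding type (plays the role of @Create in the thread). */
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Create {}

    /** Hypothetical marker for authorizer methods (plays the role of @Secures). */
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Secures {}

    /** Hypothetical marker: "this parameter receives the secured method's return value". */
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @interface Result {}

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Constructed domain object. */
    static class MyObject {
        final String owner;
        MyObject(String owner) { this.owner = owner; }
    }

    /** Constructed repository; a real create() would also persist the object. */
    static class MyObjectRepository {
        @Create
        public MyObject create(String owner) { return new MyObject(owner); }
    }

    /** Constructed authorizer: a user may only create objects they own themselves. */
    static class MyAuthorizer {
        private final String currentUser;
        MyAuthorizer(String currentUser) { this.currentUser = currentUser; }

        @Secures @Create
        public boolean canCreate(@Result MyObject object) {
            return currentUser.equals(object.owner);
        }
    }

    /**
     * Invokes the secured method first, then every authorizer method that carries
     * @Secures plus the same binding (@Create), binding the return value to the
     * parameter marked @Result. A single "false" vote denies access (fail closed).
     */
    static Object invokeWithPostAuthorization(Object target, Method method,
                                              Object authorizer, Object... args) throws Exception {
        Object result = method.invoke(target, args);   // side effects (e.g. DB insert) happen here
        if (!method.isAnnotationPresent(Create.class)) {
            return result;                             // not a secured method: nothing to check
        }
        for (Method check : authorizer.getClass().getMethods()) {
            if (!check.isAnnotationPresent(Secures.class) || !check.isAnnotationPresent(Create.class)) {
                continue;
            }
            if (!Boolean.TRUE.equals(check.invoke(authorizer, bindResult(check, result)))) {
                // The caller never sees the object; the surrounding transaction must roll back
                // whatever the secured call already persisted.
                throw new AccessDeniedException("post-authorization failed for " + method.getName());
            }
        }
        return result;
    }

    /** Builds the authorizer's argument list, placing the return value into the @Result slot. */
    private static Object[] bindResult(Method check, Object result) {
        Parameter[] params = check.getParameters();
        Object[] args = new Object[params.length];
        for (int i = 0; i < params.length; i++) {
            if (params[i].isAnnotationPresent(Result.class)) {
                args[i] = result;   // other (parameter-binding) slots stay null in this sketch
            }
        }
        return args;
    }

    public static void main(String[] argv) throws Exception {
        Method create = MyObjectRepository.class.getMethod("create", String.class);
        MyObjectRepository repo = new MyObjectRepository();

        // alice creates an object she owns: allowed
        MyObject ok = (MyObject) invokeWithPostAuthorization(repo, create, new MyAuthorizer("alice"), "alice");
        System.out.println("allowed, owner=" + ok.owner);

        // bob creates an object owned by alice: built first, then rejected by the post check
        try {
            invokeWithPostAuthorization(repo, create, new MyAuthorizer("bob"), "alice");
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The point to take from the sketch is the one Rudy's and Arne's use cases share: the decision needs the object's state, so the check can only run after the call returns, which means the secured method's side effects have already occurred by the time access is denied. A post-authorization interceptor therefore belongs inside the transaction boundary (or the operation must be otherwise undoable), and denial must propagate as an exception rather than a null return so the caller cannot mistake "denied" for "nothing found".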
