Btw. are we talking about another name for @Secures or for @Result?

Thinking about @Secures, it should not be too confusing (talking with
myself here ;-) ), since the developer knows whether he needs the result
for evaluation or not. So either he adds @Result and will know that the
method needs to be invoked before the authorization, or he doesn't need
the result, in which case the intuitive thing is that the authorization
takes place before the business method invocation...

On 13.12.12 11:55, "Romain Manni-Bucau" <[email protected]> wrote:

>so i'd go for @PreSecures and @PostSecures, just explicit
>
>but i wouldn't something not symmetrical
>
>Romain Manni-Bucau
>Twitter: @rmannibucau
>Blog: http://rmannibucau.wordpress.com/
>LinkedIn: http://fr.linkedin.com/in/rmannibucau
>Github: https://github.com/rmannibucau
>
>
>
>2012/12/13 Arne Limburg <[email protected]>:
>> @Secures sounds cool at a first glance, but may it be confusing for
>> users?
>>
>>
>> And also we should support a mixture of @SecurityParameterBindings and
>> result, so the annotation should somehow indicate that the parameter is
>> the return value of the method invocation.
>> Consider the following example:
>>
>> @Copy
>> public MyObject copy(@Source MyObject source) {
>>   ...
>> }
>>
>> public class MyCopyAuthorizer {
>>
>>   @Secures @Copy
>>   public boolean isCopyAllowed(@Source MyObject source,
>> @SecuredReturnValue MyObject target) {
>>     ...
>>   }
>> }
>>
>> where @Copy is a @SecurityBindingType and @Source is a
>> @SecurityParameterBinding
>>
>> Cheers,
>> Arne
>>
>> On 13.12.12 11:45, "Romain Manni-Bucau" <[email protected]> wrote:
>>
>>>Why @Secures is not fine?
>>>
>>>if the rule is "on parameter" it is a post it can be enough.
>>>
>>>Another solution is @Secure(hook = POST) with a default to PRE
>>>
>>>Romain Manni-Bucau
>>>Twitter: @rmannibucau
>>>Blog: http://rmannibucau.wordpress.com/
>>>LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>>Github: https://github.com/rmannibucau
>>>
>>>
>>>
>>>2012/12/13 Arne Limburg <[email protected]>:
>>>> Feel free to make a suggestion.
>>>> What about
>>>>
>>>> @SecuredResult
>>>> or
>>>> @SecuredReturnValue
>>>> ?
>>>>
>>>> On 13.12.12 10:50, "Gerhard Petracek" <[email protected]> wrote:
>>>>
>>>>>+1, but imo we need a better name for it.
>>>>>
>>>>>regards,
>>>>>gerhard
>>>>>
>>>>>
>>>>>
>>>>>2012/12/13 Rudy De Busscher <[email protected]>
>>>>>
>>>>>> All,
>>>>>>
>>>>>> I had once also such a requirement (post-method authorization) where
>>>>>> this could be very handy.
>>>>>>
>>>>>> We kept information about persons (name, age, address, medical info,
>>>>>> ...) but there were some categories. One kind of category was linked
>>>>>> to the Royals and you needed a special role before you could read the
>>>>>> information.
>>>>>>
>>>>>> So we were only able to determine if the user was allowed to read the
>>>>>> person information after we had read it from the database and matched
>>>>>> the category.
>>>>>>
>>>>>> So
>>>>>> +1
>>>>>>
>>>>>> Regards
>>>>>> Rudy
>>>>>>
>>>>>>
>>>>>> On 13 December 2012 09:26, Arne Limburg <[email protected]> wrote:
>>>>>>
>>>>>> > Hi Jean-Louis,
>>>>>> >
>>>>>> > A simple use case is a method that creates an object, stores it to
>>>>>> > the database and returns it.
>>>>>> > You may want to check the object to decide if the user is allowed
>>>>>> > to create it. With my proposal it is as easy as:
>>>>>> >
>>>>>> > public class MyObjectRepository {
>>>>>> >   @Create
>>>>>> >   public MyObject create() {
>>>>>> >      ...
>>>>>> >   }
>>>>>> > }
>>>>>> >
>>>>>> > public class MyAuthorizer {
>>>>>> >
>>>>>> >   @Secures @Create
>>>>>> >   public boolean canCreate(@Result MyObject object) {
>>>>>> >     // security check here
>>>>>> >   }
>>>>>> > }
>>>>>> >
>>>>>> >
>>>>>> > Hope that makes it clear. And note that the check may depend on
>>>>>> > the state of the object, i.e. the user is just allowed to create
>>>>>> > the object, if he is the owner...
>>>>>> >
>>>>>> > Cheers,
>>>>>> > Arne
>>>>>> >
>>>>>> > On 13.12.12 09:20, "Jean-Louis MONTEIRO" <[email protected]> wrote:
>>>>>> >
>>>>>> > >Hi Arne,
>>>>>> > >
>>>>>> > >Just read the JIRA but could not find a relevant use case for
>>>>>> > >that.
>>>>>> > >But if you proposed it, I probably missed something so if you
>>>>>> > >could elaborate a bit more.
>>>>>> > >
>>>>>> > >Jean-Louis
>>>>>> > >
>>>>>> > >
>>>>>> > >2012/12/13 Mark Struberg <[email protected]>
>>>>>> > >
>>>>>> > >>
>>>>>> > >>
>>>>>> > >> +1
>>>>>> > >>
>>>>>> > >>
>>>>>> > >> ------------------------------
>>>>>> > >> Arne Limburg wrote on Wed., 12 Dec 2012 23:38 PST:
>>>>>> > >>
>>>>>> > >> >Hi,
>>>>>> > >> >
>>>>>> > >> >What do you think of supporting post-method-authorization (see
>>>>>> > >> >[1]) in addition to our current pre-method-authorization?
>>>>>> > >> >I just started coding it and it is not much to do.
>>>>>> > >> >
>>>>>> > >> >Cheers,
>>>>>> > >> >Arne
>>>>>> > >> >
>>>>>> > >> >[1] https://issues.apache.org/jira/browse/DELTASPIKE-298
>>>>>> > >> >
>>>>>> > >>
>>>>>> > >>
>>>>>> > >
>>>>>> > >
>>>>>> > >--
>>>>>> > >Jean-Louis
>>>>>> >
>>>>>> >
>>>>>>
>>>>
>>
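The pre/post rule Arne describes (an authorizer parameter annotated @Result means the check can only run after the business method has returned) written out as an added example that is not DeltaSpike's code and not part of the thread: the annotations, classes and the reflective dispatcher that stands in for the CDI interceptor are all hypothetical stand-ins, and the repository's create() only constructs an object instead of persisting one.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;

// Hypothetical stand-ins for the annotations discussed in the thread, not DeltaSpike's own.
@Retention(RetentionPolicy.RUNTIME) @interface Secures {}
@Retention(RetentionPolicy.RUNTIME) @interface Result {}
@Retention(RetentionPolicy.RUNTIME) @interface Create {}   // a security binding type

class MyObject { final String owner; MyObject(String owner) { this.owner = owner; } }
class MyObjectRepository {
    @Create public MyObject create(String owner) { return new MyObject(owner); } // stands in for "store and return"
}
class MyAuthorizer {
    private final String currentUser;
    MyAuthorizer(String currentUser) { this.currentUser = currentUser; }
    // The @Result parameter means this check can only run after the business method has returned.
    @Secures @Create public boolean canCreate(@Result MyObject object) { return object.owner.equals(currentUser); }
}

public class PostAuthDemo {
    // Interceptor logic: an authorizer with a @Result parameter runs after the invocation, otherwise before.
    static Object invokeSecured(Object target, Method business, Object authorizer, Object... args) throws Exception {
        Method check = findAuthorizer(authorizer, business);
        boolean post = hasResultParameter(check);
        if (!post && !(Boolean) check.invoke(authorizer)) throw new SecurityException("denied before invocation");
        Object result = business.invoke(target, args);
        // A denial here comes after the side effect; the enclosing transaction must roll back on this exception.
        if (post && !(Boolean) check.invoke(authorizer, result)) throw new SecurityException("denied after invocation");
        return result;
    }
    static Method findAuthorizer(Object authorizer, Method business) {
        for (Method m : authorizer.getClass().getMethods()) {
            if (!m.isAnnotationPresent(Secures.class)) continue;
            for (Annotation binding : business.getAnnotations())   // same security binding type as the business method
                if (m.isAnnotationPresent(binding.annotationType())) return m;
        }
        throw new IllegalStateException("no authorizer for " + business.getName());
    }
    static boolean hasResultParameter(Method m) {
        for (Annotation[] params : m.getParameterAnnotations())
            for (Annotation a : params) if (a instanceof Result) return true;
        return false;
    }
    public static void main(String[] args) throws Exception {
        Method create = MyObjectRepository.class.getMethod("create", String.class);
        invokeSecured(new MyObjectRepository(), create, new MyAuthorizer("alice"), "alice");   // owner matches: allowed
        try { invokeSecured(new MyObjectRepository(), create, new MyAuthorizer("alice"), "bob"); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }   // denied, but only after create() ran
    }
}
```

The second call shows the cost of post-method authorization that the thread's use cases imply: the object has already been created by the time the check fails, so the denial must propagate as an exception that undoes that work rather than being swallowed.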
