[
https://issues.apache.org/jira/browse/ARIES-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14622544#comment-14622544
]
Pavel Alekhin edited comment on ARIES-1316 at 7/10/15 4:30 PM:
---------------------------------------------------------------
It's injected by the blueprint config.

    <reference id="echoService"
               interface="biz.lorien.umrp.kb.properties.EchoService" />
    <shell:command>
        <shell:action class="biz.lorien.umrp.kb.command.EchoCommand">
            <shell:property name="echoService" ref="echoService" />
        </shell:action>
    </shell:command>

As I understood from exploring the code, the problem is that when the bundle
starts with <authz:enable> in the blueprint, AnnotationParser looks for
security annotations in a class (SimpleEchoService in our case):

    private boolean isSecured(Class<?> clazz) {
        if (clazz == Object.class) {
            return false;
        }
        if (clazz.getAnnotation(RolesAllowed.class) != null ||
                clazz.getAnnotation(DenyAll.class) != null) {
            return true;
        }
        for (Method m : clazz.getMethods()) {
            if (m.getAnnotation(RolesAllowed.class) != null) {
                return true;
            }
            if (m.getAnnotation(DenyAll.class) != null) {
                return true;
            }
        }
        return false;
    }

But later, at runtime, AuthorizationInterceptor looks for security
annotations in the interface's methods:

    public Object preCall(ComponentMetadata cm, Method m, Object... parameters)
            throws Throwable {
        Annotation ann = new SecurityAnotationParser().getEffectiveAnnotation(m);
        ...
    }

Here it gets "Method m" from the interface.
> Problem with intercepting authorizing annotations of a class declared as an
> interface
> -------------------------------------------------------------------------------------
>
> Key: ARIES-1316
> URL: https://issues.apache.org/jira/browse/ARIES-1316
> Project: Aries
> Issue Type: Bug
> Components: Blueprint
> Affects Versions: blueprint-authz-1.0.0
> Reporter: Pavel Alekhin
> Assignee: Christian Schneider
> Priority: Minor
>
> Using an interface variable causes an empty roles list error {color:red}Method
> call interface EchoService.echo denied. Roles allowed are []{color} when the
> interface doesn't have method authorizing annotations while the implementing
> class has them.
> Code example:
> {code:title=EchoService.java|borderStyle=solid}
> public interface EchoService {
>     //@RolesAllowed("admin")
>     public String echo(String message);
> }
> {code}
> {code:title=SimpleEchoService.java|borderStyle=solid}
> public class SimpleEchoService implements EchoService {
>     @RolesAllowed("admin")
>     @Override
>     public String echo(String message) {
>         return message;
>     }
> }
> {code}
> {code:title=EchoCommand.java|borderStyle=solid}
> @Command(scope = "kb", name = "echo")
> public class EchoCommand extends OsgiCommandSupport {
>     private EchoService echoService;
>
>     public EchoService getEchoService() {
>         return echoService;
>     }
>
>     public void setEchoService(EchoService echoService) {
>         this.echoService = echoService;
>     }
>
>     @Argument(index = 0, name = "message", required = true, multiValued = false)
>     private String message;
>
>     @Override
>     protected Object doExecute() throws Exception {
>         return echoService.echo(message);
>     }
> }
> {code}
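The lookup mismatch described in the comment, as an added Java example (not part of the original message and not Aries code): Java does not inherit method annotations across an override, so the interface's Method carries no roles while the implementing class's Method does. RolesAllowed here is a local stand-in for javax.annotation.security.RolesAllowed, and implementationOf and rolesFor are hypothetical helper names.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;

public class InterfaceAnnotationLookup {
    // Stand-in for javax.annotation.security.RolesAllowed (assumption, keeps the example dependency-free).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Same shape as the report: the annotation exists only on the implementation.
    interface EchoService { String echo(String message); }

    static class SimpleEchoService implements EchoService {
        @RolesAllowed("admin")
        @Override
        public String echo(String message) { return message; }
    }

    // Hypothetical helper: map the Method that was invoked (declared on the
    // interface) to the overriding public method on the concrete bean class.
    static Method implementationOf(Method invoked, Class<?> beanClass)
            throws NoSuchMethodException {
        return beanClass.getMethod(invoked.getName(), invoked.getParameterTypes());
    }

    // Roles declared directly on this Method object; empty when none are present.
    static String[] rolesFor(Method m) {
        RolesAllowed ann = m.getAnnotation(RolesAllowed.class);
        return ann == null ? new String[0] : ann.value();
    }

    public static void main(String[] args) throws Exception {
        // The Method a caller holding an EchoService reference ends up invoking.
        Method viaInterface = EchoService.class.getMethod("echo", String.class);
        // The same call resolved against the class that a startup scan inspects.
        Method viaClass = implementationOf(viaInterface, SimpleEchoService.class);

        System.out.println("interface method roles: " + Arrays.toString(rolesFor(viaInterface)));
        System.out.println("class method roles:     " + Arrays.toString(rolesFor(viaClass)));
    }
}
```

A check that decides "is this bean secured" from the class but reads the roles from the interface Method will treat the bean as secured and then find no roles to match against.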