Jonathan Laterreur created DELTASPIKE-1345:
----------------------------------------------

             Summary: Support JavaEE Security annotation
                 Key: DELTASPIKE-1345
                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
             Project: DeltaSpike
          Issue Type: New Feature
          Components: Security-Module
            Reporter: Jonathan Laterreur


DeltaSpike should take care of the standard JavaEE security annotations.
{code:java}
@RolesAllowed
@PermitAll
@DenyAll
{code}
Maybe a default interceptor should do the job.

I did something like this (it does not cover everything):
{code:java}
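@Interceptor
@RolesSecured
public class RolesSecuredInterceptor {

    private static final Logger LOGGER =
            LoggerFactory.getLogger(RolesSecuredInterceptor.class);

    @Inject
    private HttpServletRequest request;

    /**
     * Enforces {@code @PermitAll} / {@code @RolesAllowed} on the intercepted business method.
     *
     * <p>Resolution order follows the JSR-250 convention: an annotation on the method wins over
     * one on its declaring class, and a method-level {@code @RolesAllowed} that the caller does
     * not satisfy denies the call outright — it must never fall through to a more permissive
     * class-level annotation (or to the unannotated default). Methods with no annotation on
     * either level are permitted, as in the original. {@code @DenyAll} is not handled here
     * (out of scope for this draft).
     *
     * @param ctx the interceptor invocation context
     * @return the result of {@link InvocationContext#proceed()}
     * @throws SecurityException if the current user is not authorised to call the method
     * @throws Exception whatever the intercepted method throws
     */
    @AroundInvoke
    public Object intercept(InvocationContext ctx) throws Exception {
        boolean allowed = isAllowed(ctx);

        if (!allowed) {
            // NOTE(review): the message logs the principal name and method name only; keep it
            // free of request parameters or other caller-controlled data.
            LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »",
                    request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonyme",
                    ctx.getMethod().getName());
            throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
        }

        return ctx.proceed();
    }

    /**
     * Decides whether the current request may invoke the intercepted method.
     *
     * <p>Method-level annotations are consulted first; only when the method carries neither
     * {@code @PermitAll} nor {@code @RolesAllowed} are the declaring class's annotations used.
     *
     * @param ctx the interceptor invocation context
     * @return {@code true} if the invocation is permitted
     */
    private boolean isAllowed(InvocationContext ctx) {
        // assumes ctx.getMethod() is the annotated business method (not a proxy/interface method) — TODO confirm
        if (ctx.getMethod().getAnnotation(PermitAll.class) != null) {
            return true;
        }

        RolesAllowed methodRoles = ctx.getMethod().getAnnotation(RolesAllowed.class);
        if (methodRoles != null) {
            // Method-level restriction is final: a failed role check is a denial, not a
            // reason to consult the (possibly more permissive) class-level annotation.
            return verifyRolesAllowed(methodRoles);
        }

        Class<?> declaringClass = ctx.getMethod().getDeclaringClass();
        if (declaringClass.getAnnotation(PermitAll.class) != null) {
            return true;
        }

        RolesAllowed classRoles = declaringClass.getAnnotation(RolesAllowed.class);
        // No annotation on either level: permitted, matching the original behaviour.
        return classRoles == null || verifyRolesAllowed(classRoles);
    }

    /**
     * Returns {@code true} if an authenticated principal is present and holds at least one of
     * the roles listed in {@code rolesAllowed}. An anonymous request never satisfies a
     * {@code @RolesAllowed} restriction, regardless of its roles.
     *
     * @param rolesAllowed the annotation whose {@code value()} lists the acceptable roles
     * @return whether the current user is in any of the listed roles
     */
    private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
        if (request.getUserPrincipal() == null) {
            return false;
        }
        // Role membership is delegated to the container via isUserInRole; any single match suffices.
        for (String role : rolesAllowed.value()) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

}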
{code}



