[
https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gerhard Petracek reassigned DELTASPIKE-1345:
--------------------------------------------
Assignee: Gerhard Petracek
> Support JavaEE Security annotation
> ----------------------------------
>
> Key: DELTASPIKE-1345
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
> Project: DeltaSpike
> Issue Type: New Feature
> Components: Security-Module
> Reporter: Jonathan Laterreur
> Assignee: Gerhard Petracek
> Priority: Minor
>
> DeltaSpike should take care of the standard JavaEE security annotations.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (it does not cover everything):
> {code:java}
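@Interceptor
@RolesSecured
public class RolesSecuredInterceptor {

    private static final Logger LOGGER =
            LoggerFactory.getLogger(RolesSecuredInterceptor.class);

    @Inject
    private HttpServletRequest request;

    /**
     * Enforces the JSR-250 security annotations ({@code @DenyAll},
     * {@code @PermitAll}, {@code @RolesAllowed}) on the intercepted method.
     * <p>
     * Resolution follows JSR-250 precedence: an annotation on the method
     * itself is final; only a method without any security annotation falls
     * back to the annotations on its declaring class; a method with no
     * annotation at either level is permitted.
     *
     * @param ctx the invocation being intercepted
     * @return the result of {@code ctx.proceed()} when access is granted
     * @throws SecurityException when the caller may not invoke the method
     * @throws Exception whatever the intercepted method itself throws
     */
    @AroundInvoke
    public Object intercept(InvocationContext ctx) throws Exception {
        if (!isAllowed(ctx)) {
            LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »",
                    principalName(), ctx.getMethod().getName());
            throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
        }
        return ctx.proceed();
    }

    /**
     * Decides access for the intercepted method.
     * <p>
     * A method-level decision, when one exists, is returned as is. A failed
     * method-level {@code @RolesAllowed} must never fall through to a more
     * permissive class-level annotation or to the "unannotated" default;
     * otherwise a method annotated {@code @RolesAllowed} on a class with no
     * class-level annotation would be open to every caller.
     *
     * @param ctx the invocation being intercepted
     * @return {@code true} when the current caller may invoke the method
     */
    private boolean isAllowed(InvocationContext ctx) {
        Boolean decision = decide(
                ctx.getMethod().getAnnotation(DenyAll.class),
                ctx.getMethod().getAnnotation(PermitAll.class),
                ctx.getMethod().getAnnotation(RolesAllowed.class));
        if (decision != null) {
            return decision;
        }
        // NOTE(review): annotations are read from the declaring class, so for an
        // inherited method a subclass's own class-level annotation is not consulted
        // — confirm this matches the intended model.
        Class<?> declaringClass = ctx.getMethod().getDeclaringClass();
        decision = decide(
                declaringClass.getAnnotation(DenyAll.class),
                declaringClass.getAnnotation(PermitAll.class),
                declaringClass.getAnnotation(RolesAllowed.class));
        if (decision != null) {
            return decision;
        }
        // No security annotation at either level: JSR-250 treats this as permit-all.
        return true;
    }

    /**
     * Applies one level of annotations in JSR-250 priority order:
     * {@code @DenyAll} wins over {@code @PermitAll}, which wins over
     * {@code @RolesAllowed}.
     *
     * @return {@code TRUE}/{@code FALSE} when one of the annotations is present,
     *         {@code null} when none is (the caller then looks at the next level)
     */
    private Boolean decide(DenyAll denyAll, PermitAll permitAll, RolesAllowed rolesAllowed) {
        if (denyAll != null) {
            return Boolean.FALSE;
        }
        if (permitAll != null) {
            return Boolean.TRUE;
        }
        if (rolesAllowed != null) {
            return verifyRolesAllowed(rolesAllowed);
        }
        return null;
    }

    /**
     * Returns whether the authenticated caller holds at least one of the
     * listed roles. An unauthenticated caller (no principal) or an empty
     * role list yields {@code false}.
     *
     * @param rolesAllowed the annotation whose roles are checked
     * @return {@code true} when the caller is in any of the roles
     */
    private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
        if (request.getUserPrincipal() == null) {
            return false;
        }
        for (String role : rolesAllowed.value()) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Name written to the audit log; {@code "anonyme"} when there is no principal.
     */
    private String principalName() {
        return request.getUserPrincipal() != null
                ? request.getUserPrincipal().getName()
                : "anonyme";
    }
}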
> {code}