[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16490419#comment-16490419 ]
Gerhard Petracek commented on DELTASPIKE-1345:
----------------------------------------------

[~princemtl]: I agree that the spec. wording for @RunAs isn't as clear as it should be, but all other parts (the only spec. example, all vendor-javadocs I found) clearly limit it to a role-value (and not a principal). I guess that's also the reason why there is e.g. org.jboss.ejb3.annotation.RunAsPrincipal.
In any case supporting the principal here would be possible (depending on the proprietary container-api), but not portable.

@"#1": ... is the CDI 1.1+ API topic (the baseline for DS is 1.0 and 1.1+ is supported via 1-2 workarounds using reflection)
@"#2": ... is the javax.annotation-api topic (both mentioned in the same comment directly before...)

> Support JavaEE Security annotation
> ----------------------------------
>
>                 Key: DELTASPIKE-1345
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Security-Module
>            Reporter: Jonathan Laterreur
>            Assignee: Gerhard Petracek
>            Priority: Minor
>
> Deltaspike should take care of the standard JavaEE security annotations.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (does not cover everything)
> {code:java}
> import java.lang.reflect.Method;
>
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RolesAllowed;
> import javax.inject.Inject;
> import javax.interceptor.AroundInvoke;
> import javax.interceptor.Interceptor;
> import javax.interceptor.InvocationContext;
> import javax.servlet.http.HttpServletRequest;
>
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> @Interceptor
> @RolesSecured // interceptor binding, declared separately and enabled in beans.xml
> public class RolesSecuredInterceptor {
>     private static final Logger LOGGER = LoggerFactory.getLogger(RolesSecuredInterceptor.class);
>
>     @Inject
>     private HttpServletRequest request;
>
>     @AroundInvoke
>     public Object intercept(InvocationContext ctx) throws Exception {
>         Method method = ctx.getMethod();
>         boolean allowed;
>         // A method-level annotation decides on its own; only an unannotated method
>         // falls back to the class-level annotation (a failed method-level
>         // @RolesAllowed must not be rescued by a missing class-level annotation).
>         if (method.getAnnotation(PermitAll.class) != null) {
>             allowed = true;
>         } else if (method.getAnnotation(RolesAllowed.class) != null) {
>             allowed = verifyRolesAllowed(method.getAnnotation(RolesAllowed.class));
>         } else {
>             Class<?> type = method.getDeclaringClass();
>             if (type.getAnnotation(PermitAll.class) != null) {
>                 allowed = true;
>             } else if (type.getAnnotation(RolesAllowed.class) != null) {
>                 allowed = verifyRolesAllowed(type.getAnnotation(RolesAllowed.class));
>             } else {
>                 allowed = true; // no annotation on method or class: open
>             }
>         }
>         if (!allowed) {
>             LOGGER.error("User \"{}\" does not have the rights to call this function \"{}\"",
>                     request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonymous",
>                     method.getName());
>             throw new SecurityException("Not allowed to call this CDI bean");
>         }
>         return ctx.proceed();
>     }
>
>     private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
>         if (request.getUserPrincipal() == null) {
>             return false; // an anonymous caller never satisfies @RolesAllowed
>         }
>         for (String role : rolesAllowed.value()) {
>             if (request.isUserInRole(role)) {
>                 return true;
>             }
>         }
>         return false;
>     }
> }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
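The decision logic behind such an interceptor, written out as a standalone example. This is added here for illustration and is not code from the DeltaSpike project or from the interceptor posted in the issue. The class name `Jsr250AccessDecision`, the `permitIfUnannotated` flag and the `ReportService` demo bean are assumptions for the example. It resolves all three annotations (`@DenyAll`, `@PermitAll`, `@RolesAllowed`) with the precedence the Common Annotations spec gives them: a method-level annotation overrides the class-level one, and more than one of the three on the same element is a deployment error, which the code treats as fail-closed. The role check is passed in as a `Predicate<String>` so the same function can be called from an `@AroundInvoke` method with `ctx.getMethod()` and `request::isUserInRole`, or from any other principal/role source. On JDK 6 to 10 `javax.annotation.security.*` ships with the JDK; on JDK 11+ the javax.annotation-api jar has to be on the classpath (the "javax.annotation-api topic" from the comment).

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Resolves the JSR-250 security annotations for one invoked method.
 * Precedence: an annotation on the method overrides any annotation on its
 * declaring class; at most one of the three may be present on one element.
 * (Example class, name is an assumption for this illustration.)
 */
public final class Jsr250AccessDecision {

    private Jsr250AccessDecision() {}

    /**
     * @param method              the method about to be invoked (InvocationContext.getMethod())
     * @param isUserInRole        role check for the current caller, e.g. request::isUserInRole
     * @param permitIfUnannotated outcome when neither method nor class carries an annotation
     */
    public static boolean isAllowed(Method method, Predicate<String> isUserInRole,
                                    boolean permitIfUnannotated) {
        Boolean decision = decide(method, isUserInRole);
        if (decision == null) {
            decision = decide(method.getDeclaringClass(), isUserInRole);
        }
        return decision == null ? permitIfUnannotated : decision;
    }

    /** TRUE/FALSE if the element carries a security annotation, null if it carries none. */
    private static Boolean decide(AnnotatedElement element, Predicate<String> isUserInRole) {
        DenyAll deny = element.getAnnotation(DenyAll.class);
        PermitAll permit = element.getAnnotation(PermitAll.class);
        RolesAllowed roles = element.getAnnotation(RolesAllowed.class);
        int present = (deny != null ? 1 : 0) + (permit != null ? 1 : 0) + (roles != null ? 1 : 0);
        if (present > 1) {
            // JSR-250 forbids combining these on one element; fail closed instead of guessing.
            throw new IllegalStateException("Conflicting security annotations on " + element);
        }
        if (deny != null) {
            return Boolean.FALSE;
        }
        if (permit != null) {
            return Boolean.TRUE;
        }
        if (roles != null) {
            // Any listed role suffices; an empty list matches nobody.
            return Arrays.stream(roles.value()).anyMatch(isUserInRole);
        }
        return null;
    }

    // --- demo bean, constructed for this example ---

    @RolesAllowed("user")
    static class ReportService {
        public void list() {}                          // no method annotation: needs "user"
        @RolesAllowed("admin") public void purge() {}  // method overrides class: needs "admin"
        @PermitAll public void ping() {}               // open to everyone, even anonymous
        @DenyAll public void legacy() {}               // callable by nobody
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Set<String> plainUser = Collections.singleton("user");   // constructed caller roles
        Set<String> anonymous = Collections.emptySet();
        for (String name : new String[] {"list", "purge", "ping", "legacy"}) {
            Method m = ReportService.class.getMethod(name);
            System.out.printf("%-6s user=%-5b anonymous=%b%n", name,
                    isAllowed(m, plainUser::contains, true),
                    isAllowed(m, anonymous::contains, true));
        }
    }
}
```

In an interceptor the call becomes `isAllowed(ctx.getMethod(), request::isUserInRole, ...)`; passing `false` for the last argument turns an unannotated bean into fail-closed, which is the safer default for a binding that is applied explicitly. Note that `ctx.getMethod()` is the bean class's own method, so annotations placed only on an interface the bean implements are not seen by this resolution.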