[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16491761#comment-16491761 ]

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

(y) Perfect. Hope to see it soon on Maven. :D

> Support JavaEE Security annotation
> ----------------------------------
>
>                 Key: DELTASPIKE-1345
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Security-Module
>            Reporter: Jonathan Laterreur
>            Assignee: Gerhard Petracek
>            Priority: Minor
>
> Deltaspike should take care of the standard JavaEE security annotations.
> {code:java}
> @RolesAllowed
> @PermitAll
> @DenyAll
> {code}
> Maybe a default interceptor should do the job.
> I did something like this (does not cover everything)
> {code:java}
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RolesAllowed;
> import javax.inject.Inject;
> import javax.interceptor.AroundInvoke;
> import javax.interceptor.Interceptor;
> import javax.interceptor.InvocationContext;
> import javax.servlet.http.HttpServletRequest;
> import java.lang.reflect.Method;
>
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> // @RolesSecured is the interceptor binding (defined separately) that enables
> // this interceptor on a bean or on a single method.
> @Interceptor
> @RolesSecured
> public class RolesSecuredInterceptor {
>
>     private static final Logger LOGGER = LoggerFactory.getLogger(RolesSecuredInterceptor.class);
>
>     @Inject
>     private HttpServletRequest request;
>
>     @AroundInvoke
>     public Object intercept(InvocationContext ctx) throws Exception {
>         Method method = ctx.getMethod();
>         boolean allowed;
>         // Method-level annotations win; a method-level @RolesAllowed is final and
>         // must not fall through to the class level when the check fails.
>         RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class);
>         if (method.getAnnotation(PermitAll.class) != null) {
>             allowed = true;
>         } else if (rolesAllowed != null) {
>             allowed = verifyRolesAllowed(rolesAllowed);
>         } else {
>             // No method-level constraint: use the declaring class's annotations.
>             Class<?> declaringClass = method.getDeclaringClass();
>             rolesAllowed = declaringClass.getAnnotation(RolesAllowed.class);
>             if (declaringClass.getAnnotation(PermitAll.class) != null) {
>                 allowed = true;
>             } else if (rolesAllowed != null) {
>                 allowed = verifyRolesAllowed(rolesAllowed);
>             } else {
>                 // No constraint at either level: allowed (@DenyAll is not handled here).
>                 allowed = true;
>             }
>         }
>         if (!allowed) {
>             LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »",
>                     request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonyme",
>                     method.getName());
>             throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
>         }
>         return ctx.proceed();
>     }
>
>     // True if the authenticated caller holds at least one of the listed roles.
>     private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
>         boolean allowed = false;
>         if (request.getUserPrincipal() != null) {
>             String[] roles = rolesAllowed.value();
>             for (String role : roles) {
>                 allowed = request.isUserInRole(role);
>                 if (allowed) {
>                     break;
>                 }
>             }
>         }
>         return allowed;
>     }
> }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
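Added example (not from the issue, its reporter, or the DeltaSpike project) covering the gaps the interceptor quoted above leaves open: @DenyAll, the JSR 250 rule that a method-level constraint replaces the class-level one entirely, and conflicting annotations on one element (JSR 250 forbids combining them, so the resolver fails closed instead of guessing). Resolution is separated from enforcement so it can be unit-tested without a container: the role check is passed in as a Predicate<String> (inside an interceptor that would be request::isUserInRole or EJBContext::isCallerInRole), and the annotations are assumed to come from javax.annotation-api on the classpath. AccountService and the caller's roles are constructed sample data.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.function.Predicate;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Resolves the effective javax.annotation.security constraint of a method and
 * evaluates it against a role-membership check. Example code; the container's
 * isUserInRole is abstracted as a Predicate<String>.
 */
public final class SecurityAnnotationResolver {

    public enum Kind { PERMIT_ALL, DENY_ALL, ROLES_ALLOWED }

    /** Effective constraint after method-level / class-level resolution. */
    public static final class Constraint {
        public final Kind kind;
        public final Set<String> roles;

        Constraint(Kind kind, Set<String> roles) {
            this.kind = kind;
            this.roles = Collections.unmodifiableSet(roles);
        }

        @Override
        public String toString() { return kind + (roles.isEmpty() ? "" : roles.toString()); }
    }

    private SecurityAnnotationResolver() {}

    /**
     * A method-level annotation replaces the class-level one; if neither level is
     * annotated, the JSR 250 / EJB default (@PermitAll) applies.
     */
    public static Constraint resolve(Method method) {
        Constraint fromMethod = fromElement(method.getAnnotation(DenyAll.class),
                method.getAnnotation(PermitAll.class), method.getAnnotation(RolesAllowed.class),
                method.toString());
        if (fromMethod != null) {
            return fromMethod;
        }
        Class<?> declaring = method.getDeclaringClass();
        Constraint fromClass = fromElement(declaring.getAnnotation(DenyAll.class),
                declaring.getAnnotation(PermitAll.class), declaring.getAnnotation(RolesAllowed.class),
                declaring.getName());
        return fromClass != null ? fromClass : new Constraint(Kind.PERMIT_ALL, Collections.<String>emptySet());
    }

    private static Constraint fromElement(DenyAll deny, PermitAll permit, RolesAllowed roles, String where) {
        int count = (deny != null ? 1 : 0) + (permit != null ? 1 : 0) + (roles != null ? 1 : 0);
        if (count > 1) {
            // JSR 250 forbids combining these on one element; refuse to guess (fail closed).
            throw new IllegalStateException("conflicting security annotations on " + where);
        }
        if (deny != null) return new Constraint(Kind.DENY_ALL, Collections.<String>emptySet());
        if (permit != null) return new Constraint(Kind.PERMIT_ALL, Collections.<String>emptySet());
        if (roles != null) return new Constraint(Kind.ROLES_ALLOWED, new LinkedHashSet<>(Arrays.asList(roles.value())));
        return null; // element carries no security annotation
    }

    /** True if the caller may invoke; isUserInRole stands in for the container's role check. */
    public static boolean isAllowed(Constraint c, boolean authenticated, Predicate<String> isUserInRole) {
        switch (c.kind) {
            case DENY_ALL:   return false;
            case PERMIT_ALL: return true;
            default:
                if (!authenticated) return false; // anonymous callers never satisfy @RolesAllowed
                return c.roles.stream().anyMatch(isUserInRole);
        }
    }

    // Constructed sample bean: class-level constraint plus method-level overrides.
    @RolesAllowed("admin")
    public static class AccountService {
        public void deleteAccount() {}                                  // class-level: admin only
        @PermitAll public String version() { return "1"; }              // override: everyone
        @DenyAll public void disabled() {}                              // override: nobody
        @RolesAllowed({"admin", "auditor"}) public void audit() {}      // override: admin or auditor
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Set<String> callerRoles = new LinkedHashSet<>(Arrays.asList("auditor")); // constructed caller
        for (String name : new String[] {"deleteAccount", "version", "disabled", "audit"}) {
            Method m = AccountService.class.getMethod(name);
            Constraint c = resolve(m);
            boolean ok = isAllowed(c, true, callerRoles::contains);
            System.out.printf("%-14s %-28s -> %s%n", name, c, ok ? "allow" : "deny");
        }
    }
}
```

Inside a CDI interceptor the same two calls replace the hand-written nesting: resolve(ctx.getMethod()) once (the result can be cached per method, since annotations do not change at runtime), then isAllowed(c, request.getUserPrincipal() != null, request::isUserInRole) and a SecurityException on false.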
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16491759#comment-16491759 ]

Gerhard Petracek commented on DELTASPIKE-1345:
----------------------------------------------

ds supports cdi2 also out-of-the-box (and the bridge as well).

fyi: i pushed some improvements (including additional examples) and published http://os890.blogspot.com/2018/05/add-on-javaxannotationsecurity-with.html
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16491732#comment-16491732 ]

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

[~gpetracek] Yes. You're right. This is what confused me:

"You will have to map the run-as role name to a given principal defined on the Enterprise Server if the given roles associate to more than one user principal. Mapping roles to principals is described in Part VII, "Security," in "The Java EE 6 Tutorial, Volume II"."

Any plan to support CDI 2.0 in the future?
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16490419#comment-16490419 ]

Gerhard Petracek commented on DELTASPIKE-1345:
----------------------------------------------

[~princemtl]: i agree that the spec. wording for @RunAs isn't as clear as it should be, but all other parts (the only spec. example, all vendor-javadocs i found) clearly limit it to a role-value (and not a principal). i guess that's also the reason why there is e.g. org.jboss.ejb3.annotation.RunAsPrincipal. in any case supporting the principal here would be possible (depending on the proprietary container-api), but not portable.

@"#1": ... is the cdi 1.1+ api topic (the baseline for ds is 1.0 and 1.1+ is supported via 1-2 workarounds using reflection)

@"#2": ... is the javax.annotation-api topic (both mentioned in the same comment directly before...)
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16490125#comment-16490125 ]

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

[~gpetracek] Awesome! Nice work. I think you covered all the spec. The only thing that you can't do is related to the RunAs annotation. RunAs can also be a user (I think... as I remember... it's something not really clear in the spec). Maybe it's just that we need to target a user if we have many users with the role.

I don't understand what #1 and #2 are for ds.
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16489571#comment-16489571 ]

Gerhard Petracek commented on DELTASPIKE-1345:
----------------------------------------------

[~princemtl]: i've prototyped a cdi-role-bridge (as ds-addon) at https://github.com/os890/ds-role-bridge-addon

it supports @DenyAll, @PermitAll, @RolesAllowed and @RunAs and works without an additional api (and without mandatory config). the demo-app (based on meecrowave) allows to check different role-constellations (at runtime). i also tested it in combination with ejbs (a corresponding demo-app might follow).

the addon is based on cdi 1.2 (+ ds 1.x) and for sure it requires javax.annotation-api. for ds we could get over #1 (with the same workarounds we use already to support v1.1+). however, #2 would mean to use a significant amount of reflection or we provide a separated authentication-impl-module.
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16483091#comment-16483091 ]

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

[~gpetracek] At least, if it's not the case, it would be nice to add this example to DeltaSpike's docs and verify the possibility of using it with inheritance.

Maybe there's no need to develop this interceptor. But... I think I will continue to use mine because it is way easier to understand (it behaves like the JavaEE spec and is easy for new developers to use). There's no need to understand CDI or DeltaSpike to extend it.
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16483047#comment-16483047 ]

Gerhard Petracek commented on DELTASPIKE-1345:
----------------------------------------------

[~princemtl]: i never used it in a project (only @Secured), one of the ds-committers (rafael) did the example, but it should be possible (at least i'm not aware of an intended limitation).

"more code": if you count type-safe annotations representing your own roles - then: yes (but at the same time it's more flexible) than a predefined interceptor
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16483033#comment-16483033 ]

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

The link you provided is JSF only... (yes, you can replace it with HttpServletRequest or EJBContext).

With your solution, can you get the same effect, like: your bean is Admin only but you can also have some "PermitAll" functions in it? Do you have inheritance? If yes, then it's a nice solution... but you have somehow more code than before. Instead of having "RolesAllowed" on a class, you have a bean that does the check, an annotation, and the annotation on the bean. Am I right?
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482996#comment-16482996 ]

Gerhard Petracek commented on DELTASPIKE-1345:
----------------------------------------------

[~princemtl]: yes i know, i was also surprised that "nobody" published such an integration. however, the main question is if https://github.com/wildfly/quickstart/blob/master/deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/CustomAuthorizer.java (+ e.g. HttpServletRequest), isn't just better than those (outdated) annotations (since you still use the HttpServletRequest#isUserInRole and/or EjbContext#isCallerInRole).
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482975#comment-16482975 ]

Jonathan Laterreur commented on DELTASPIKE-1345:
------------------------------------------------

Just to let you know, my app was in a JavaEE context with EJB. Then I decided to go full CDI and get rid of EJB (microservice instead of WildFly). I use @Transactional with JTA and it works well. So, instead of rewriting everything to manage security, I wrote this interceptor.

I think it can be a nice functionality and get new people to use your framework. I didn't find any other framework that could do it.
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482902#comment-16482902 ] Gerhard Petracek commented on DELTASPIKE-1345: -- the consensus we had back then was that we only provide logic which allows to implement adapters. that was also the reason for dropping a lot again (which was moved to picketlink afterwards). the approach shown by https://github.com/wildfly/quickstart/blob/master/deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/CustomAuthorizer.java is more cdi-like. with an useful documentation it's really simple, well integrated and even better than @RolesAllowed. > Support JavaEE Security annotation > -- > > Key: DELTASPIKE-1345 > URL: https://issues.apache.org/jira/browse/DELTASPIKE-1345 > Project: DeltaSpike > Issue Type: New Feature > Components: Security-Module >Reporter: Jonathan Laterreur >Priority: Minor > > Deltaspike should take care of the standard JavaEE security annotation. > {code:java} > @RolesAllowed > @PermitAll > @DenyAll > {code} > Maybe a default interceptor should do the job. 
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482847#comment-16482847 ] Romain Manni-Bucau commented on DELTASPIKE-1345: [~gpetracek] hmm, why can't we use the same evaluation as in the security module but triggered by the javax.security annotations? We would have an event which would set whether we are allowed or not, and [~princemtl] would observe it and use the request to evaluate it. That's what I had in mind. Providing a default impl using the request would not be as useful as just handling the interceptor and preprocessing roles etc. from a standard API automatically IMO (security contexts wouldn't be handled based on the cdi request).
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482836#comment-16482836 ] Gerhard Petracek commented on DELTASPIKE-1345: -- it would mean the usage of quite a bit of reflection - the lookup order would be:
# dyn. lookup of HttpServletRequest
# dyn. lookup of HttpServletRequest + @DeltaSpike (if the servlet-module is available)
# dyn. lookup of the ejb-helper
techn. we could even add the interceptor dyn., however, i haven't started with it because there is a quite simple alternative to it - see e.g.: https://github.com/wildfly/quickstart/blob/master/deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/CustomAuthorizer.java instead of FacesContext, you can use the HttpServletRequest or the helper-ejb easily. so maybe we should just promote it to our documentation.
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482822#comment-16482822 ] Jonathan Laterreur commented on DELTASPIKE-1345: If you can manage the fact that you don't always have an ejb context, then it's perfect. :)
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482812#comment-16482812 ] Gerhard Petracek commented on DELTASPIKE-1345: -- the point is that we don't have access to an injected HttpServletRequest with our baseline (without the servlet-module). we can use both for the evaluation (if one of them isn't available; in an ee-server the approach via an ejb is compatible with our baseline).
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482795#comment-16482795 ] Jonathan Laterreur commented on DELTASPIKE-1345: It's because I don't run with ejb that I need this interceptor. I mean, I would use a stateless bean instead of a regular CDI bean if I had EJB. You can access the annotations with:
{code:java}
javax.annotation
javax.annotation-api
{code}
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16482771#comment-16482771 ] Gerhard Petracek commented on DELTASPIKE-1345: -- i thought about almost the same last week. however, we would need to add it to the servlet-module. the alternative would be the injection of an ejb to delegate the evaluation to EjbContext#isCallerInRole
[jira] [Commented] (DELTASPIKE-1345) Support JavaEE Security annotation
[ https://issues.apache.org/jira/browse/DELTASPIKE-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16481990#comment-16481990 ] Romain Manni-Bucau commented on DELTASPIKE-1345: +1 to have this feature but
# Not activated by default
# Abstracted at the role evaluation (not assume request is the source of truth all the time).
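As an added example (not DeltaSpike code and not the interceptor posted in the issue), the resolution of the three standard annotations with the role source abstracted behind an interface, as the comments above ask for, so the same decision logic can sit over HttpServletRequest#isUserInRole or EjbContext#isCallerInRole; it also handles @DenyAll, which the posted interceptor notes it does not cover, and evaluates method-level annotations before class-level ones so that a method-level @RolesAllowed denial is not overridden by a class-level @PermitAll. It assumes javax.annotation-api on the classpath (mentioned in the thread); the class name, the sample bean and the caller's role set are constructed for the demonstration.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Hypothetical helper (not DeltaSpike code): resolves @DenyAll, @PermitAll and
 * @RolesAllowed for one method without assuming where the caller's roles come from.
 * An @AroundInvoke interceptor would call isAllowed(ctx.getMethod(), evaluator)
 * and throw SecurityException when it returns false.
 */
public final class SecurityAnnotationResolver {

    /** Role source abstraction: adapt HttpServletRequest::isUserInRole, EJBContext::isCallerInRole, ... */
    public interface RoleEvaluator {
        boolean isCallerInRole(String role);
    }

    private enum Decision { ALLOW, DENY, UNSPECIFIED }

    /**
     * Method-level annotations override class-level ones (the EJB rule), so a
     * method-level @RolesAllowed denial is never rescued by a class-level @PermitAll.
     * A method with no annotation at either level is permitted, like an unannotated EJB method.
     */
    public static boolean isAllowed(Method method, RoleEvaluator evaluator) {
        Decision decision = decide(method, evaluator);
        if (decision == Decision.UNSPECIFIED) {
            decision = decide(method.getDeclaringClass(), evaluator);
        }
        return decision != Decision.DENY;
    }

    private static Decision decide(AnnotatedElement element, RoleEvaluator evaluator) {
        // The spec forbids combining these annotations on one element; if it happens anyway, fail closed.
        if (element.isAnnotationPresent(DenyAll.class)) {
            return Decision.DENY;
        }
        RolesAllowed rolesAllowed = element.getAnnotation(RolesAllowed.class);
        if (rolesAllowed != null) {
            for (String role : rolesAllowed.value()) {
                if (evaluator.isCallerInRole(role)) {
                    return Decision.ALLOW;   // any one of the listed roles is enough
                }
            }
            return Decision.DENY;            // caller holds none of the listed roles
        }
        return element.isAnnotationPresent(PermitAll.class) ? Decision.ALLOW : Decision.UNSPECIFIED;
    }

    /** Constructed sample bean: class-level @RolesAllowed, refined per method. */
    @RolesAllowed("user")
    public static class AccountService {
        public void viewBalance() { }                         // inherits class-level: needs "user"
        @RolesAllowed("admin") public void closeAccount() { } // method-level wins: needs "admin"
        @PermitAll public void ping() { }                     // anyone, even an anonymous caller
        @DenyAll public void legacyExport() { }               // nobody
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // Constructed caller standing in for a request or EJB context: holds only the "user" role.
        Set<String> callerRoles = Collections.singleton("user");
        RoleEvaluator evaluator = callerRoles::contains;
        for (String name : Arrays.asList("viewBalance", "closeAccount", "ping", "legacyExport")) {
            Method m = AccountService.class.getMethod(name);
            System.out.println(name + " -> " + (isAllowed(m, evaluator) ? "allowed" : "denied"));
        }
    }
}
```

An anonymous caller is represented by an evaluator that returns false for every role, so it reaches only @PermitAll and unannotated methods.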