review and discuss @Secured
---------------------------

                 Key: DELTASPIKE-64
                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-64
             Project: DeltaSpike
          Issue Type: Sub-task
          Components: Security-Module
    Affects Versions: 0.1
            Reporter: Gerhard Petracek
            Assignee: Gerhard Petracek
             Fix For: 0.2


this feature is listed at 
https://cwiki.apache.org/confluence/display/DeltaSpike/SE+Feature+Ranking and 
is part of myfaces codi-core.

@Secured is a simple cdi interceptor annotation which allows filtering method 
calls to cdi beans based on custom rules.

it's possible to specify 1-n custom implementations of AccessDecisionVoter. 
those voters get invoked before the call is forwarded to the target method (a 
voter is a cdi bean which gets resolved by its concrete type). an 
implementation of AccessDecisionVoter can access the InvocationContext to get 
further details about the target method to trigger the corresponding 
evaluation. as a result voters return a set of violations (SecurityViolation). 
if there is no violation, the target-method gets executed. if there is at least 
one violation, an AccessDeniedException will be thrown.

in addition an AccessDecisionVoterContext is needed to detect if there is an 
ongoing security check (e.g. it's possible to use it in a custom scope to avoid 
that a security check postpones the expiration).
(in myfaces codi it's also used to secure views via view-configs, however, we 
will exclude this part for now.)

users can use those simple and generic apis to implement their own access 
control and it will get used by other deltaspike modules automatically (if they 
use the security-api).
(in an AccessDecisionVoter it's possible to integrate 3rd party 
security-frameworks.)

usage of @Secured:
//...
@Secured({MyAccessDecisionVoter1.class, MyAccessDecisionVoter2.class})
public class SecuredBean
{
    //...
}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
