DeltaSpike / DELTASPIKE-1172

Support processing of binding annotations on ViewConfig


Details

    • Type: New Feature
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.6.1
    • Fix Version/s: None
    • Component/s: JSF-Module, Security-Module
    • Labels: None

    Description

      It would be nice to have a mechanism that allows security binding annotations to be used on ViewConfig to define page access restrictions.

      // View config
      @UserLoggedIn  // <- This is security binding annotation. Not a new class with @Secured
      public class MyPage implements ViewConfig {
      }

      I'm working with type-safe view-config for my app and ran into an issue with
      defining security restrictions for pages.

      DeltaSpike documentation explains how to use the @Secured annotation and
      implement AccessDecisionVoter-s to define permission checks for pages.
      I have a bunch of custom SecurityBindingType-s that are checked via
      @Secures-annotated methods and I want to use those SecurityBindingType-s to
      configure permission checks on ViewConfig objects.

      Example (mostly just from DeltaSpike docs):

      // Custom security binding annotation:
      @Retention(value = RUNTIME)
      @Target({TYPE, METHOD})
      @Documented
      @SecurityBindingType
      public @interface UserLoggedIn {}
      
      
      // Custom authorizer
      @ApplicationScoped
      public class LoggedInAuthorizer {
          @Secures
          @UserLoggedIn
          public boolean doSecuredCheck(Identity identity) throws Exception {
              return identity.isLoggedIn();
          }
      }
      
      
      // View config
      @UserLoggedIn  // <- Note that I want to use security binding annotation here. Not a new class with @Secured
      public class MyPage implements ViewConfig {
      }

      Note: this example has only one annotation (UserLoggedIn) but my app has a dozen of them.

      So I want to use security binding annotations for ViewConfig classes in
      the same way we usually use them for beans.
      The problem is that I can't find an easy way to do that type of security
      check declaration in DeltaSpike.

      Obviously, I can write an AccessDecisionVoter for each custom security
      binding type, but I don't want to create so many classes just for view
      configuration.
      Also, I can write an AccessDecisionVoter, list all my security binding
      annotations and check them one by one. However, I don't want to hardcode the
      list of annotations. The risk is too high that somebody forgets to update the list.

      Reference docs:
      https://deltaspike.apache.org/documentation/security.html
      https://deltaspike.apache.org/documentation/jsf.html
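
The hardcoded-list risk described above can be avoided by discovering binding annotations through their meta-annotation. The following is an added example, not code from the issue or from DeltaSpike: `SecurityBindingType` and `ViewConfig` are local stand-ins so it compiles without the library, and `AdminOnly`, `PageTitle`, `bindingsOf` and `denied` are hypothetical names. A binding with no registered check is treated as a denial so that a forgotten authorizer fails closed.

```java
import java.lang.annotation.*;
import java.util.*;
import java.util.function.BooleanSupplier;

public class BindingScanDemo {
    // Stand-ins so the demo compiles without DeltaSpike on the classpath.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.ANNOTATION_TYPE)
    @interface SecurityBindingType {}
    interface ViewConfig {}

    @Retention(RetentionPolicy.RUNTIME) @SecurityBindingType @interface UserLoggedIn {}
    @Retention(RetentionPolicy.RUNTIME) @SecurityBindingType @interface AdminOnly {} // hypothetical
    @Retention(RetentionPolicy.RUNTIME) @interface PageTitle { String value(); }     // not a binding

    @UserLoggedIn @PageTitle("Home") static class MyPage implements ViewConfig {}
    @UserLoggedIn @AdminOnly static class AdminPage implements ViewConfig {}

    // Discover bindings by meta-annotation instead of a hardcoded list.
    static List<Class<? extends Annotation>> bindingsOf(Class<? extends ViewConfig> page) {
        List<Class<? extends Annotation>> found = new ArrayList<>();
        for (Annotation a : page.getAnnotations()) {
            if (a.annotationType().isAnnotationPresent(SecurityBindingType.class)) {
                found.add(a.annotationType());
            }
        }
        return found;
    }

    // Returns the bindings that deny access. A binding without a registered
    // check is treated as a denial (fail closed), never silently skipped.
    static List<String> denied(Class<? extends ViewConfig> page,
                               Map<Class<? extends Annotation>, BooleanSupplier> checks) {
        List<String> out = new ArrayList<>();
        for (Class<? extends Annotation> b : bindingsOf(page)) {
            BooleanSupplier check = checks.get(b);
            if (check == null || !check.getAsBoolean()) {
                out.add(b.getSimpleName());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        boolean loggedIn = true; // constructed session state
        Map<Class<? extends Annotation>, BooleanSupplier> checks = new HashMap<>();
        checks.put(UserLoggedIn.class, () -> loggedIn); // AdminOnly deliberately unregistered
        System.out.println("MyPage denied by:    " + denied(MyPage.class, checks));
        System.out.println("AdminPage denied by: " + denied(AdminPage.class, checks));
    }
}
```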

          People

            gpetracek Gerhard Petracek
            AlexeiOsipov Alexei Osipov