  1. DeltaSpike
  2. DELTASPIKE-1294

Secured Stereotypes are not applied to inherited methods


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.0
    • Fix Version/s: 1.8.1
    • Component/s: Security-Module
    • Labels: None

    Description

      I have a @Secured @Stereotype annotation:

      @Retention( RUNTIME )
      @Stereotype
      @Inherited
      @Secured( CustomAccessDecisionVoter.class ) 
      @Target( { ElementType.TYPE, ElementType.METHOD } ) 
      public @interface Permission {
      
      }
      

      And my decision voter:

      @ApplicationScoped
      public class CustomAccessDecisionVoter extends AbstractAccessDecisionVoter {
          @Override
          protected void checkPermission( AccessDecisionVoterContext voterContext, Set<SecurityViolation> violations )
          {
              System.out.println( "Checking permission for " + voterContext.<InvocationContext> getSource().getMethod().getName() );
          }
      
      }
      

      And now a bean that inherits from another class:

      public class Animal
      {
          public String getParentName()
          {
              return "parent";
          }
      }
      
      @Named
      @Permission
      public class Dog extends Animal
      {
          public String getChildName()
          {
              return "dog";
          }
      }
      

      In JSF dogName:

      #{dog.childName}

      will invoke the checkPermission whereas

      #{dog.parentName}

      will not.

      This is in contrast to the @SecurityBindingType:

      @Retention( value = RetentionPolicy.RUNTIME ) 
      @Target( { ElementType.TYPE, ElementType.METHOD } ) 
      @Documented 
      @SecurityBindingType
      public @interface UserLoggedIn {
      
      }
      
      @ApplicationScoped
      public class LoginAuthorizer
      {
          @Secures
          @UserLoggedIn
          public boolean doSecuredCheck( InvocationContext invocationContext ) throws Exception
          {
              System.out.println( "doSecuredCheck called for: " + invocationContext.getMethod().getName() );
      
              return true;
          }
      }
      

      Now applying @UserLoggedIn to the Dog class will cause the doSecuredCheck to fire for both getChildName and getParentName.
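
Added example, not part of the original report and not DeltaSpike code: a JDK-only reflection audit that lists the public methods a stereotype-annotated bean inherits from its superclasses, which are the methods this issue reports as skipping the voter in 1.8.0. The nested Permission annotation is a stand-in for the reporter's stereotype (no @Secured or @Stereotype, so no DeltaSpike or CDI on the classpath is assumed), and the class name and inheritedPublicMethods helper are hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

public class InheritedSecuredMethodAudit {

    // Stand-in for the issue's @Permission stereotype (assumption: JDK only, no DeltaSpike).
    @Retention(RetentionPolicy.RUNTIME)
    @Inherited
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Permission {}

    // Constructed sample beans mirroring the Animal/Dog pair from the report.
    public static class Animal {
        public String getParentName() { return "parent"; }
    }

    @Permission
    public static class Dog extends Animal {
        public String getChildName() { return "dog"; }
    }

    /** Public instance methods callable on beanClass but declared in a superclass or interface. */
    static List<Method> inheritedPublicMethods(Class<?> beanClass, Class<? extends Annotation> stereotype) {
        List<Method> result = new ArrayList<>();
        if (!beanClass.isAnnotationPresent(stereotype)) {
            return result; // class is not secured through this stereotype, nothing to audit
        }
        for (Method m : beanClass.getMethods()) { // getMethods() includes inherited public methods
            Class<?> owner = m.getDeclaringClass();
            if (owner == beanClass || owner == Object.class) continue; // declared locally, or java.lang.Object
            if (Modifier.isStatic(m.getModifiers()) || m.isSynthetic() || m.isBridge()) continue;
            if (m.isAnnotationPresent(stereotype)) continue; // already annotated at method level
            result.add(m);
        }
        result.sort(Comparator.comparing(Method::toString));
        return result;
    }

    public static void main(String[] args) {
        // Each reported method needs a check that the access decision voter actually runs for it.
        for (Method m : inheritedPublicMethods(Dog.class, Permission.class)) {
            System.out.println("inherited, verify it is secured: " + m);
        }
    }
}
```

Run against the real bean classes of an application still on an affected version, the reported methods are the ones to cover with an authorization test or to override in the annotated class.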

          People

            Assignee: Mark Struberg (struberg)
            Reporter: Andrew Schmidt (andrew.schmidt)