Description
Deltaspike should take care of the standard JavaEE security annotations.
@RolesAllowed @PermitAll @DenyAll
Maybe a default interceptor should do the job.
I did something like this (it does not cover everything)
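@Interceptor
@RolesSecured
public class RolesSecuredInterceptor {

    private static final Logger LOGGER = LoggerFactory.getLogger(RolesSecuredInterceptor.class);

    @Inject
    private HttpServletRequest request;

    /** Outcome of evaluating the security annotations of one element (method or class). */
    private enum Decision {
        ALLOW,
        DENY,
        /** The element carries none of @DenyAll, @PermitAll, @RolesAllowed. */
        UNDECIDED
    }

    /**
     * Enforces the JSR-250 security annotations ({@code @DenyAll}, {@code @PermitAll},
     * {@code @RolesAllowed}) declared on the intercepted method or, when the method carries
     * none of them, on its declaring class.
     *
     * <p>The method-level annotation, if present, is final: a method whose
     * {@code @RolesAllowed} check fails is denied and never falls back to a more permissive
     * class-level annotation. Only a method with no security annotation at either level is
     * allowed unconditionally.
     *
     * @param ctx the interceptor invocation context
     * @return the result of {@link InvocationContext#proceed()}
     * @throws SecurityException if the current caller is not allowed to invoke the method
     * @throws Exception whatever the intercepted method throws
     */
    @AroundInvoke
    public Object intercept(InvocationContext ctx) throws Exception {
        java.lang.reflect.Method method = ctx.getMethod();

        Decision decision = decide(method);
        if (decision == Decision.UNDECIDED) {
            // Class-level annotations apply only when the method declares none of its own.
            decision = decide(method.getDeclaringClass());
        }

        if (decision == Decision.DENY) {
            LOGGER.error("Utilisateur « {} » ne possede pas les droits pour appeler cette fonction « {} »",
                    request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonyme",
                    method.getName());
            throw new SecurityException("Ne possede pas les droits pour appeler ce bean CDI");
        }
        return ctx.proceed();
    }

    /**
     * Evaluates the security annotations directly present on {@code element}.
     *
     * <p>Precedence within one element: {@code @DenyAll}, then {@code @PermitAll}, then
     * {@code @RolesAllowed}. JSR-250 expects at most one of them per element, so the order
     * only matters for mis-annotated code, where the most restrictive wins.
     *
     * @param element the method or class to inspect
     * @return {@link Decision#UNDECIDED} when none of the three annotations is present
     */
    private Decision decide(java.lang.reflect.AnnotatedElement element) {
        if (element.isAnnotationPresent(javax.annotation.security.DenyAll.class)) {
            return Decision.DENY;
        }
        if (element.isAnnotationPresent(PermitAll.class)) {
            return Decision.ALLOW;
        }
        RolesAllowed rolesAllowed = element.getAnnotation(RolesAllowed.class);
        if (rolesAllowed != null) {
            return verifyRolesAllowed(rolesAllowed) ? Decision.ALLOW : Decision.DENY;
        }
        return Decision.UNDECIDED;
    }

    /**
     * Checks whether the authenticated caller holds at least one of the listed roles.
     *
     * @param rolesAllowed the annotation whose {@code value()} lists the accepted roles
     * @return {@code false} for an anonymous request (no principal) or when no role matches
     */
    private boolean verifyRolesAllowed(RolesAllowed rolesAllowed) {
        // An anonymous caller can never satisfy a role requirement.
        if (request.getUserPrincipal() == null) {
            return false;
        }
        for (String role : rolesAllowed.value()) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }
}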