4 Replies Latest reply on Feb 16, 2011 12:44 PM by tknerr

    Using JSR 250 security annotations on private methods?

    tknerr
    tknerr Feb 16, 2011 5:11 AM

      Dear Experts (and JSR 250 Expert Group Members),

       

      while trying to apply the JSR 250 security annotations in my code, I'm wondering whether they are applicable to public methods/types only or for private/protected/package protected as well.

       

      The spec does not say anything about it. For example, consider the description of @RolesAllowed:

       

      The RolesAllowed annotation can be specified on a class or on method(s).

      Specifying it at a class level means that it applies to all the methods in the class.

      Specifying it on a method means that it is applicable to that method only.

      If applied at both the class and method level, the method value overrides the class value.

       

      The one thing it does not mention is whether it is limited to public methods and/or types or not. All the examples in the spec are using public methods / types though.

       

      What about applying @RolesAllowed to private/protected/package protected methods? Would that be valid according to the spec?

       

      Thanks a lot and best regards,

      Torben

        • 1. Using JSR 250 security annotations on private methods?
          wdfink
          wdfink Feb 16, 2011 5:54 AM (in response to tknerr)

          AFAIK this will only work if the container infoke the method.

          So private and protected are not visible.

          Same will be for other annotations like transaction ...

            • Actions
          • 2. Using JSR 250 security annotations on private methods?
            tknerr
            tknerr Feb 16, 2011 8:00 AM (in response to wdfink)

            Hi Wolf-Dieter,

             

            thanks for the quick reply!

             

            Probably I'm in the wrong discussion forum, as my question is really not JBoss AS specific, but I couldn't find a better place to put it :-/

            Still, I thought it might be a good place to ask it here as some JBoss members were in the expert group for JSR 250.

             

            To be honest, I'm not familiar how JBoss AS 'decorates' or 'advises' (in AOP speak) the JSR-250 annotated classes with the security-checking aspect. My assumption was that JBoss AS uses some kind of proxying approach (e.g. JDK dynamic proxies or cglib), which - as you said - means that only external method calls going through the proxy are advised. And from external point I can call only public (or even package protected) methods, thus you could argue that the JSR-250 annotations should be applicable to public methods only.

             

            In our case we are considering to use AspectJ to weave in the security-checking aspect into the bytecode of the JSR-250 annotated beans. When using such a weaving-based approach it makes perfect sense to allow the JSR-250 annotations to be applied to private and protected methods as well IMHO.

             

            What do you think about it?

             

            It's actually really a question about the specification, not JBoss AS...

             

            Best regards,

            Torben

              • Actions
            • 3. Using JSR 250 security annotations on private methods?
              wolfc
              wolfc Feb 16, 2011 10:45 AM (in response to tknerr)

              The EJB specification limits the way security annotation are applicable. See EJB 3.1 FR 17.3.2.

              So it is as you say, only methods on the views are 'advised'.

               

              If you go for another invocation mechanism you can go whichever way you want. The JSR 250 specification doesn't put up any limitations in that regard.

              1 of 1 people found this helpful
                • Actions
              • 4. Using JSR 250 security annotations on private methods?
                tknerr
                tknerr Feb 16, 2011 12:44 PM (in response to wolfc)

                Carlo, thanks a lot! This definitely clarifies the situtation in the EJB case!

                 

                For the non-EJB case I was hoping to get a definite answer on whether:

                (a) the JSR-250 spec does not explicitly prohibit to put the security annotations on private methods, thus it is valid according to the spec, or

                (b) it is not mentioned / foreseen in the spec, thus it is not valid according to the spec and is currently a "blank spot" that might be fixed somewhen

                 

                Probably I'm asking too much to get a "definitive answer" on that. My hope was that someone of you might have more insight (even into the JSR 250 expert group) and/or background information.

                 

                For example, I could imagine that the context/mindset of the expert group was very EJB-driven. If so, there might have been an implicit expectation that the annotations make sense on public methods only at the time the spec was written? (hope not) 

                 

                It's still unclear to me how it was really intended...

                  • Actions