Seam 2.1 security questions
jervisliu Jul 10, 2008 9:24 AM
Hi,
I’ve been using some of the new Seam security features in the Drools project for a while; very good stuff. Below are two specific problems I encountered and am not sure how to solve using the Seam security API. Any suggestions or comments would be highly appreciated.
1. Access method input parameters from the @Restrict annotation.
It would be great if we could access method input parameters from the @Restrict annotation. Ideally I would like to use something like the following:
```
@Restrict("#{s:hasPermission('ignoredanyway','update', uuid)}")
public ValidatedResponse savePackage(String uuid) {
    …
}
```
In the EL, “uuid” refers to the input parameter of savePackage(String uuid).
As this doesn’t work at the moment, I have to work around it as shown below. It works, but it is ugly:
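```
public ValidatedResponse savePackage(String uuid) {
    // Programmatic check against the specific object; it only runs
    // when a session context is active.
    if (Contexts.isSessionContextActive()) {
        Identity.instance().checkPermission("ignoredanyway", "update", uuid);
    }
    …
}
```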
So is it a good idea to access method input parameters in the @Restrict annotation? Or are there other recommended ways to do this?
2. Question about Identity.hasPermission(String name, String action, Object...arg)
I have a scenario where I need to check whether the user can be granted permission based on the specific object he/she is operating on. An example of this is Identity.instance().checkPermission("ignoredanyway", "update", uuid). Behind the scenes, the call is delegated to my own PermissionResolver to check whether the current user has permission to perform the update operation on the specific object whose uuid is xxx. However, I found two problems with this API. Firstly, the first input parameter is simply ignored when the third parameter is provided (see Identity’s public boolean hasPermission(String name, String action, Object...arg) method). Secondly, the PermissionResolver doesn’t have a corresponding API which takes three input parameters, so the call to Identity.checkPermission(String name, String action, Object...arg) cannot be delegated to my own PermissionResolver implementation.
Is there any way to fix this?
Thanks,
Jervis Liu
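The two requests in the post above (a declarative restriction that sees the method argument, and a resolver that receives name, action and target object), sketched as an added example in plain Java. It is not Seam API and not code from the post: `RestrictOnArg`, `ObjectPermissionResolver`, `PackageService`, `secure` and the sample uuids are hypothetical names constructed for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;

public class ParamRestrictDemo {
    // Hypothetical annotation: names the permission, the action, and which argument is the target.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RestrictOnArg { String name(); String action(); int argIndex(); }

    // Hypothetical three-argument resolver, the shape the post asks for.
    interface ObjectPermissionResolver {
        boolean hasPermission(String name, String action, Object target);
    }

    interface PackageService {
        @RestrictOnArg(name = "package", action = "update", argIndex = 0)
        String savePackage(String uuid);
    }

    // Wraps a service so every annotated call is authorized against its own argument.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, ObjectPermissionResolver resolver) {
        InvocationHandler handler = (proxy, method, args) -> {
            RestrictOnArg r = method.getAnnotation(RestrictOnArg.class);
            if (r != null) {
                // Fail closed: a missing argument and a resolver "no" both deny the call.
                Object arg = (args != null && r.argIndex() < args.length) ? args[r.argIndex()] : null;
                if (arg == null || !resolver.hasPermission(r.name(), r.action(), arg)) {
                    throw new SecurityException("denied: " + r.action() + " on " + arg);
                }
            }
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler);
    }

    public static void main(String[] unused) {
        // Constructed sample policy: the current user may update only this one uuid.
        ObjectPermissionResolver resolver = (name, action, t) ->
            "package".equals(name) && "update".equals(action) && "uuid-allowed".equals(t);
        PackageService svc = secure(PackageService.class, uuid -> "saved " + uuid, resolver);
        System.out.println(svc.savePackage("uuid-allowed"));
        try { svc.savePackage("uuid-other"); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Unlike the workaround in the post, the check here is not conditional on any context being active: an annotated method is never invoked unless the resolver explicitly grants the permission for that argument.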