security support only for public methods

lucas84 Sep 14, 2009 11:06 AM

hi guys,

security served by annotations (@Restrict, etc.) works only on public methods. Look at Component.initSecurity(), internally it calls class.getMethods(), which returns only public methods. In contrary to other annotations (scanMethod()) it uses class.getDeclaredMethods() which returns all methods (public, protected, private, package), so others annotation can be applied to all methods. In security case is it a bug or a feature ?? If you chose to apply security on public methods, can you explain me why ?? I use template method pattern, which calls internally protected method (invocation is made on proxy, so interceptors are fired ) implemented by inherited class. But in my case security doesn't work because method is protected and @Restrict wasn't detected.

1. Re: security support only for public methods

cash1981 Sep 14, 2009 12:41 PM (in response to lucas84)
Well in that case just do this in the method:

Identity.instance().hasRole("myRole")
Actions
2. Re: security support only for public methods

lucas84 Sep 14, 2009 1:02 PM (in response to lucas84)

thx 4 reply,

I know I can do that manually (this is my temporary workaround), but I want to separate this logic (checking and asserting restriction) from my business logic by annotating method with @Restrict. That's why I wonder whether vendors made it in some purpose (which is unknown for me), or it is a bug. Like I mentioned before scanning for other annotations is made on all methods
Actions

Go to original post