8 Replies Latest reply: Aug 7, 2012 9:57 AM by deri dzen

    Is it possible to pass arbitrary argument to Seam Security Check?

    deri dzen Newbie

      My question is pretty straightforward but I am going to back it up with an example.

       

      Let's say that I have some REST service like this:

       

      @Path("/res")
      public @LoggedIn interface MyRestService {
        
                @Foo(bar = "res")
                @GET
                @Path("/myRestService1")
                @Produces(MediaType.APPLICATION_XML)
                public ResponseObject getVeryImportantData(@QueryParam("veryImportantParam") Integer veryImportantParam);
      }
      
      

       

      and we have a class that does security check on this @Foo security annotation:

       

          public @Secures @Foo(bar = "res") boolean is(Identity identity) {
                    if (identity.getUser().getId().equals(/* HERE SHOULD VERY IMPORTANT PARAM GO */))
                          return true;
                     return false;
          }
      
      

       

      Of course, the logic is much more complicated in my project, but I have written it in this manner so it is easy to understand what I want.

       

      So, how to pass this veryImportantParam that we receive through the service call to our security check method?

        • 1. Re: Is it possible to pass arbitrary argument to Seam Security Check?
          zeeman Novice

          You need to have a @produce method for the param you want, and inject it in your is security method. I think I have seen an example of that in one of the Seam examples. Check them out on github.com/seam; the param being injected was an item. If you download the Seam examples source and search for it, you'll find it.

          • 3. Re: Is it possible to pass arbitrary argument to Seam Security Check?
            deri dzen Newbie

            I've been trying to implement this for some time now, and I have come to this:

             

            @Path("/path")
            @LoggedIn
            public interface MyClassInterface {

                @GET
                @Path("/method")
                Response getMyValue(@QueryParam("input") Integer input);
            }

            public class MyClass implements MyClassInterface {

                @Override
                @ParameterInterceptorBinding
                public Response getMyValue(@CheckedParameter Integer input) {
                     //some stuff
                }

            }

            public class Restrictions {

                @Secures
                @ParameterInterceptorBinding
                public boolean isOk(@CheckedParameter Integer input) {
                     if (input.equals(getValueFromBackend())) {
                         return true;
                     }
                     return false;
                }

            }

            @Retention(RetentionPolicy.RUNTIME)
            @Target(ElementType.PARAMETER)
            @Documented
            @SecurityParameterBinding
            public @interface CheckedParameter {

            }

            @Retention(RetentionPolicy.RUNTIME)
            @Target({ElementType.TYPE, ElementType.METHOD})
            @Documented
            @SecurityBindingType
            public @interface ParameterInterceptorBinding {

            }

             

            If I call my REST service, nothing happens. If I delete @CheckedParameter from the "getMyValue()" method and also from the "isOk()" method, it works (of course, now I cannot check my parameter because I don't know how to transfer it to the authorizer...)

            Also, if I write the method like this:

            public boolean isOk(InvocationContext context) {
                ...
            }

            it still does not work, like there is an error and it just ignores it and acts as if it is always true.

            What am I doing wrong?

            • 4. Re: Is it possible to pass arbitrary argument to Seam Security Check?
              Jason Porter Master

              Have you enabled the interceptor in the beans.xml file?

              • 5. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                deri dzen Newbie

                My beans.xml looks like this:

                 

                <beans xmlns="http://java.sun.com/xml/ns/javaee"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:s="urn:java:ee"
                   xmlns:security="urn:java:org.jboss.seam.security"
                   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">

                   <interceptors>
                      <class>org.jboss.seam.security.SecurityInterceptor</class>
                   </interceptors>

                   <security:IdentityImpl>
                      <s:modifies/>
                      <security:authenticatorClass>xxxxxxxx.ACNAuthenticator</security:authenticatorClass>
                   </security:IdentityImpl>

                </beans>

                • 6. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                  deri dzen Newbie

                  Guys, does anyone have an idea what might be the problem?

                  This works:

                  public boolean isOk(Identity identity) {
                      identity.randomMethod... //works
                  }

                  This whole method gets ignored:

                  public boolean isOk(InvocationContext context) {
                  }

                  And also this:

                  public boolean isOk(@CheckedParameter Object o) {
                      ...
                  }

                  • 7. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                    Jason Porter Master

                    I don't know that bit of security very well. You'll probably have to get the source and start debugging, but I suspect it's simply that the invocation context isn't available for whatever reason.

                    • 8. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                      deri dzen Newbie

                      Okay, I solved it. It was a rookie mistake because I thought that DeltaSpike and Seam are more compatible, whereas DeltaSpike makes Seam redundant. I've deleted ALL Seam dependencies and added these (pom.xml):

                       

                      <dependency>
                          <groupId>org.apache.deltaspike.core</groupId>
                          <artifactId>deltaspike-core-api</artifactId>
                          <version>${deltaspike.version}</version>
                      </dependency>
                      <dependency>
                          <groupId>org.apache.deltaspike.core</groupId>
                          <artifactId>deltaspike-core-impl</artifactId>
                          <version>${deltaspike.version}</version>
                      </dependency>
                      <dependency>
                          <groupId>org.apache.deltaspike.modules</groupId>
                          <artifactId>deltaspike-security-module-api</artifactId>
                          <version>${deltaspike.version}</version>
                      </dependency>
                      <dependency>
                          <groupId>org.apache.deltaspike.modules</groupId>
                          <artifactId>deltaspike-security-module-impl</artifactId>
                          <version>${deltaspike.version}</version>
                      </dependency>

                       

                      And instead of seam SecurityInterceptor in beans.xml I added deltaspike one:

                       

                      <interceptors>
                          <class>org.apache.deltaspike.security.impl.authorization.SecurityInterceptor</class>
                      </interceptors>
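
The setup described in the last reply, as an added example that is not part of the original thread or of DeltaSpike's own code: a DeltaSpike security binding whose authorizer receives the secured method's argument through a @SecurityParameterBinding annotation. The imports assume DeltaSpike 1.x package names (adjust them for other versions), the JAX-RS annotations are left out, and getValueFromBackend() with its sample value is a hypothetical stand-in.

```java
// Added example. Imports assume DeltaSpike 1.x package names.
import java.lang.annotation.*;
import javax.enterprise.context.ApplicationScoped;
import javax.interceptor.InvocationContext;
import org.apache.deltaspike.security.api.authorization.Secures;
import org.apache.deltaspike.security.api.authorization.SecurityBindingType;
import org.apache.deltaspike.security.api.authorization.SecurityParameterBinding;

// Binds a secured business method to the authorizer method carrying the same annotation.
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@Documented
@SecurityBindingType
@interface ParameterInterceptorBinding {}

// Marks the argument that the interceptor hands from the call to the authorizer.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.PARAMETER)
@Documented
@SecurityParameterBinding
@interface CheckedParameter {}

@ApplicationScoped
class MyClass {
    @ParameterInterceptorBinding
    public String getMyValue(@CheckedParameter Integer input) {
        return "value-for-" + input; // reached only if the authorizer returned true
    }
}

@ApplicationScoped
class Restrictions {
    @Secures
    @ParameterInterceptorBinding
    public boolean isOk(InvocationContext ctx, @CheckedParameter Integer input) {
        // Deny by default: a missing query parameter arrives as null.
        if (input == null) {
            return false;
        }
        return input.equals(getValueFromBackend());
    }

    // Hypothetical stand-in for the backend lookup mentioned in the thread.
    private Integer getValueFromBackend() {
        return 42; // constructed sample value
    }
}
```

The check runs only when org.apache.deltaspike.security.impl.authorization.SecurityInterceptor is listed under <interceptors> in beans.xml, as in the last reply. A test that calls getMyValue() with a wrong value and expects a rejection confirms the authorizer is not being silently skipped.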