Does the @RequireAuthentication work for anybody or is it a bug? I would like to figure out what I do wrong otherwise.

Simply I have @Remote SecuredService and its implementation (SecuredServiceImpl with @Service and @RequireAuthentication annotations) and I call it through RPC with injected Caller<SecuredService>. I really don't have any idea what can be wrong except it's a bug.

Hi Mike,

sure I can and yes I use CDI.

Here is the current implementation of securedServiceImpl.

@ApplicationScoped

@Service

@RequireAuthentication

public class SecuredServiceImpl implements SecuredService {

    @Inject

    private Logger _log; // that's provided by Resources with @Produces

    @Inject

    private DataManager _dm; // that's stateless bean

    @Inject

    private UserService _us; // this is also @Service but without @RequiredAuthentication

    private RequestDispatcher _dispatcher = ErraiBus.getDispatcher(); // I have plan to use it later but now it isn't.

    methods ... public Data getPrivateData(params) {...}

}

On the client side I have:

@Inject

private Caller<SecuredService> securedService;

private void someMethod() {

   securedService.call(new RemoteCallback<List<Scheme>>() {

            @Override

            public void callback(List<Data> response) {

                    action

            }

        }, new ErrorCallback() {

        @Override

        public boolean error(Message message, Throwable throwable) {

           display.error(...);

           return false;

       }

   }).getPrivateData(...);

}

And that's all, really simple example. All works fine except of the @RequireAuthentication. When the user is not connected, the getPrivateData is also called instead of returning message with SecurityChallenge command to "LoginClient".

.

Thank you, I will try to do that differently then. Good to know ... maybe I will try to use own interceptor to check the user is authenticated.

I confirm that it really works with my own security interceptor. Here is the interceptor that I created:

@RequireAuthentication // it's my own annotation with @InterceptorBinding for this interceptor

@Interceptor

public class SecurityInterceptor implements Serializable {

          private static final long serialVersionUID = -6545213208008101417L;

          @Inject

    MessageBus bus;

          public SecurityInterceptor() {

    }

    @AroundInvoke

    public Object isAuthenticated(InvocationContext invocationContext)

        throws Exception {

        HttpSession session = RpcContext.getHttpSession();

        if (session != null && check the session that user is authenticated) {

           return invocationContext.proceed();

        } else {

           MessageBuilder.createMessage()

            .toSubject("LoginClient")

            .command(SecurityCommands.SecurityChallenge)

            .getMessage().sendNowWith(bus);

           return null;

        }

    }

}