8 Replies Latest reply on Aug 7, 2012 9:57 AM by sijalica

    Is it possible to pass arbitrary argument to Seam Security Check?

    sijalica

      My question is pretty straightforward but I am going to back it up with an example.

      Let's say that I have some REST service like this:

          @Path("/res")
          public @LoggedIn interface MyRestService {

              @Foo(bar = "res")
              @GET
              @Path("/myRestService1")
              @Produces(MediaType.APPLICATION_XML)
              public ResponseObject getVeryImportantData(@QueryParam("veryImportantParam") Integer veryImportantParam);
          }

      and we have a class that does a security check on this @Foo security annotation:

          public @Secures @Foo(bar = "res") boolean is(Identity identity) {
              if (identity.getUser().getId().equals(/* HERE SHOULD VERY IMPORTANT PARAM GO */))
                  return true;
              return false;
          }

      Of course, the logic is much more complicated in my project, but I have written it in this manner so it is easy to understand what I want.

      So, how do I pass this veryImportantParam that we receive through the service call to our security check method?

        • 1. Re: Is it possible to pass arbitrary argument to Seam Security Check?
          zeeman

          You need to have a @produce method for the param you want, and inject it in your is security method. I think I have seen an example of that in one of the Seam examples. Check them out on github.com/seam; the param being injected was an item. If you download the Seam examples source and search for it you'll find it.

          1 of 1 people found this helpful
          • 2. Re: Is it possible to pass arbitrary argument to Seam Security Check?
            lightguard

            You may also want to look at what Apache DeltaSpike (https://cwiki.apache.org/DeltaSpike/temporary-documentation.html#TemporaryDocumentation-SecurityModule) does with the param binding.

            1 of 1 people found this helpful
            • 3. Re: Is it possible to pass arbitrary argument to Seam Security Check?
              sijalica

              I've been trying to implement this for some time now, and I have come to this:

                  @Path("/path")
                  @LoggedIn
                  public interface MyClassInterface {

                      @GET
                      @Path("/method")
                      Response getMyValue(@QueryParam("input") Integer input);
                  }

                  public class MyClass implements MyClassInterface {

                      @Override
                      @ParameterInterceptorBinding
                      public Response getMyValue(@CheckedParameter Integer input) {
                          //some stuff
                      }
                  }

                  public class Restrictions {

                      @Secures
                      @ParameterInterceptorBinding
                      public boolean isOk(@CheckedParameter Integer input) {
                          if (input.equals(getValueFromBackend())) {
                              return true;
                          }
                          return false;
                      }
                  }

                  @Retention(RetentionPolicy.RUNTIME)
                  @Target(ElementType.PARAMETER)
                  @Documented
                  @SecurityParameterBinding
                  public @interface CheckedParameter {
                  }

                  @Retention(RetentionPolicy.RUNTIME)
                  @Target({ElementType.TYPE, ElementType.METHOD})
                  @Documented
                  @SecurityBindingType
                  public @interface ParameterInterceptorBinding {
                  }

              If I call my REST service nothing happens. If I delete @CheckedParameter from the "getMyValue()" method and also the "isOk()" method it works (of course, now I cannot check my parameter because I don't know how to transfer it to the authorizer...)

              Also, if I write the method like this:

                  public boolean isOk(InvocationContext context) {
                      ...
                  }

              it still does not work, like there is an error and it just ignores it and acts as if it is always true.

              What am I doing wrong?

              • 4. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                lightguard

                Have you enabled the interceptor in the beans.xml file?

                • 5. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                  sijalica

                  My beans.xml looks like this:

                      <beans xmlns="http://java.sun.com/xml/ns/javaee"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xmlns:s="urn:java:ee"
                         xmlns:security="urn:java:org.jboss.seam.security"
                         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">

                         <interceptors>
                            <class>org.jboss.seam.security.SecurityInterceptor</class>
                         </interceptors>

                         <security:IdentityImpl>
                            <s:modifies/>
                            <security:authenticatorClass>xxxxxxxx.ACNAuthenticator</security:authenticatorClass>
                         </security:IdentityImpl>

                      </beans>

                  • 6. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                    sijalica

                    Guys, does anyone have an idea what might be the problem?

                    This works:

                        public boolean isOk(Identity identity) {
                            identity.randomMethod... //works
                        }

                    This whole method gets ignored:

                        public boolean isOk(InvocationContext context) {
                        }

                    And also this:

                        public boolean isOk(@CheckedParameter Object o) {
                            ...
                        }

                    • 7. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                      lightguard

                      I don't know that bit of security very well. You'll probably have to get the source and start debugging, but I suspect it's simply that the invocation context isn't available for whatever reason.

                      • 8. Re: Is it possible to pass arbitrary argument to Seam Security Check?
                        sijalica

                        Okay, I solved it. It was a rookie mistake because I thought that DeltaSpike and Seam are more compatible, whereas DeltaSpike makes Seam redundant. I've deleted ALL Seam dependencies and added these (pom.xml):

                            <dependency>
                                <groupId>org.apache.deltaspike.core</groupId>
                                <artifactId>deltaspike-core-api</artifactId>
                                <version>${deltaspike.version}</version>
                            </dependency>
                            <dependency>
                                <groupId>org.apache.deltaspike.core</groupId>
                                <artifactId>deltaspike-core-impl</artifactId>
                                <version>${deltaspike.version}</version>
                            </dependency>
                            <dependency>
                                <groupId>org.apache.deltaspike.modules</groupId>
                                <artifactId>deltaspike-security-module-api</artifactId>
                                <version>${deltaspike.version}</version>
                            </dependency>
                            <dependency>
                                <groupId>org.apache.deltaspike.modules</groupId>
                                <artifactId>deltaspike-security-module-impl</artifactId>
                                <version>${deltaspike.version}</version>
                            </dependency>

                        And instead of the Seam SecurityInterceptor in beans.xml I added the DeltaSpike one:

                            <interceptors>
                                <class>org.apache.deltaspike.security.impl.authorization.SecurityInterceptor</class>
                            </interceptors>
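
The check from the original question (compare the caller's id with the request parameter), written against the DeltaSpike annotations the thread ends up using. This is an added example, not code from any poster or from the DeltaSpike project: `OwnerOnly`, `RequestedId`, `CurrentUser`, `OwnershipAuthorizer` and `AccountResource` are hypothetical names, and the imports assume the DeltaSpike 1.x package layout (earlier incubating releases may place the annotations elsewhere).

```java
// Added example. OwnerOnly, RequestedId, CurrentUser, OwnershipAuthorizer and
// AccountResource are hypothetical names; imports assume the DeltaSpike 1.x layout.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.deltaspike.security.api.authorization.Secures;
import org.apache.deltaspike.security.api.authorization.SecurityBindingType;
import org.apache.deltaspike.security.api.authorization.SecurityParameterBinding;

// Marks methods whose call must pass the ownership check.
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@SecurityBindingType
@interface OwnerOnly {}

// Marks the argument that is handed to the authorizer.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.PARAMETER)
@SecurityParameterBinding
@interface RequestedId {}

// Assumption: the application's login code provides a bean of this type
// (for example a session-scoped one).
interface CurrentUser {
    Integer getId(); // null when nobody is authenticated
}

@ApplicationScoped
class OwnershipAuthorizer {
    @Inject
    CurrentUser currentUser;

    @Secures
    @OwnerOnly
    public boolean isOwner(@RequestedId Integer requestedId) {
        // Deny by default: an unauthenticated caller or a missing parameter is refused.
        Integer callerId = currentUser.getId();
        return callerId != null && callerId.equals(requestedId);
    }
}

@ApplicationScoped
class AccountResource {
    @OwnerOnly
    public String getVeryImportantData(@RequestedId Integer veryImportantParam) {
        return "data for user " + veryImportantParam;
    }
}
```

The DeltaSpike `SecurityInterceptor` still has to be enabled in beans.xml as in reply 8. Since the failure in this thread was a check that was silently skipped, a test that calls the secured method with a non-matching id and expects a refusal confirms the authorizer is actually being invoked.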