8 Replies. Latest reply: Aug 7, 2012 9:57 AM by deri dzen

Is it possible to pass an arbitrary argument to Seam Security Check?

deri dzen Newbie

My question is pretty straightforward but I am going to back it up with an example.

Let's say that I have a REST service like this:

@Path("/res")
public @LoggedIn interface MyRestService {

    @Foo(bar = "res")
    @GET
    @Path("/myRestService1")
    @Produces(MediaType.APPLICATION_XML)
    public ResponseObject getVeryImportantData(@QueryParam("veryImportantParam") Integer veryImportantParam);
}

and we have a class that does a security check on this @Foo security annotation:

    public @Secures @Foo(bar = "res") boolean is(Identity identity) {
        if (identity.getUser().getId().equals(/* veryImportantParam should go here */))
            return true;
        return false;
    }

Of course, the logic is much more complicated in my project, but I have written it in this manner so it is easy to understand what I want.

So, how do I pass this veryImportantParam that we receive through the service call to our security check method?

  • 1. Re: Is it possible to pass an arbitrary argument to Seam Security Check?
    zeeman Novice

    You need to have a @produce method for the param you want, and inject it in your "is" security method. I think I have seen an example of that in one of the Seam examples. Check them out on github.com/seam; the param being injected was an item. If you download the Seam examples source and search for it, you'll find it.

  • 3. Re: Is it possible to pass an arbitrary argument to Seam Security Check?
    deri dzen Newbie

    I've been trying to implement this for some time now, and I have come to this:

    @Path("/path")
    @LoggedIn
    public interface MyClassInterface {

        @GET
        @Path("/method")
        Response getMyValue(@QueryParam("input") Integer input);
    }

    public class MyClass implements MyClassInterface {

        @Override
        @ParameterInterceptorBinding
        public Response getMyValue(@CheckedParameter Integer input) {
             //some stuff
        }

    }

    public class Restrictions {

        @Secures
        @ParameterInterceptorBinding
        public boolean isOk(@CheckedParameter Integer input) {
             if (input.equals(getValueFromBackend())) {
                 return true;
             }
             return false;
        }

    }

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.PARAMETER)
    @Documented
    @SecurityParameterBinding
    public @interface CheckedParameter {

    }

    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @Documented
    @SecurityBindingType
    public @interface ParameterInterceptorBinding {

    }

    If I call my REST service nothing happens. If I delete @CheckedParameter from the "getMyValue()" method and also the "isOk()" method, it works (of course, now I cannot check my parameter because I don't know how to transfer it to the authorizer...)

    Also, if I write the method like this:

    public boolean isOk(InvocationContext context) {
        ...
    }

    it still does not work, like there is an error and it just ignores it and acts as if it is always true.

    What am I doing wrong?

  • 4. Re: Is it possible to pass an arbitrary argument to Seam Security Check?
    Jason Porter Master

    Have you enabled the interceptor in the beans.xml file?

  • 5. Re: Is it possible to pass an arbitrary argument to Seam Security Check?
    deri dzen Newbie

    My beans.xml looks like this:

    <beans xmlns="http://java.sun.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:s="urn:java:ee"
       xmlns:security="urn:java:org.jboss.seam.security"
       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">

        <interceptors>
            <class>org.jboss.seam.security.SecurityInterceptor</class>
        </interceptors>

        <security:IdentityImpl>
            <s:modifies/>
            <security:authenticatorClass>xxxxxxxx.ACNAuthenticator</security:authenticatorClass>
        </security:IdentityImpl>

    </beans>

  • 6. Re: Is it possible to pass an arbitrary argument to Seam Security Check?
    deri dzen Newbie

    Guys, does anyone have an idea what might be the problem?

    This works:

    public boolean isOk(Identity identity) {
        identity.randomMethod... //works
    }

    This whole method gets ignored:

    public boolean isOk(InvocationContext context) {
    }

    And also this:

    public boolean isOk(@CheckedParameter Object o) {
        ...
    }

  • 7. Re: Is it possible to pass an arbitrary argument to Seam Security Check?
    Jason Porter Master

    I don't know that bit of security very well. You'll probably have to get the source and start debugging, but I suspect it's simply that the invocation context isn't available for whatever reason.

  • 8. Re: Is it possible to pass an arbitrary argument to Seam Security Check?
    deri dzen Newbie

    Okay, I solved it. It was a rookie mistake because I thought that DeltaSpike and Seam are more compatible, whereas DeltaSpike makes Seam redundant. I've deleted ALL Seam dependencies and added these (pom.xml):

    <dependency>
        <groupId>org.apache.deltaspike.core</groupId>
        <artifactId>deltaspike-core-api</artifactId>
        <version>${deltaspike.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.deltaspike.core</groupId>
        <artifactId>deltaspike-core-impl</artifactId>
        <version>${deltaspike.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.deltaspike.modules</groupId>
        <artifactId>deltaspike-security-module-api</artifactId>
        <version>${deltaspike.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.deltaspike.modules</groupId>
        <artifactId>deltaspike-security-module-impl</artifactId>
        <version>${deltaspike.version}</version>
    </dependency>

    And instead of the Seam SecurityInterceptor in beans.xml I added the DeltaSpike one:

    <interceptors>
        <class>org.apache.deltaspike.security.impl.authorization.SecurityInterceptor</class>
    </interceptors>
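
The mechanism this thread is after, as an added example that is not from any poster and is not Seam or DeltaSpike code: a plain-JDK dynamic proxy binds the caller's annotated argument into the authorizer method, and denies the call when the binding or the authorizer cannot be resolved rather than letting it through. `Secures`, `OwnerOnly`, `CheckedParameter`, `Records` and `Authorizer` are hypothetical local names, and the user id 7 is a constructed sample value.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
public class ParamBindingDemo {
    // Hypothetical stand-ins for the framework annotations; not Seam or DeltaSpike types.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface Secures {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface OwnerOnly {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER) @interface CheckedParameter {}
    public interface Records {
        @OwnerOnly String read(@CheckedParameter Integer ownerId);
        @OwnerOnly String export(Integer ownerId); // secured, but the parameter is not bound
    }
    static class Authorizer {
        Integer currentUserId = 7; // constructed sample identity
        @Secures @OwnerOnly
        public boolean isOwner(@CheckedParameter Integer ownerId) { return currentUserId.equals(ownerId); }
    }

    // Wraps the service so every @OwnerOnly call is authorized before the target runs.
    static Records secure(Records target, Authorizer auth) {
        InvocationHandler h = (proxy, m, args) -> {
            if (m.isAnnotationPresent(OwnerOnly.class) && !authorize(auth, m, args))
                throw new SecurityException("denied: " + m.getName());
            return m.invoke(target, args);
        };
        return (Records) Proxy.newProxyInstance(Records.class.getClassLoader(), new Class<?>[] {Records.class}, h);
    }

    // Finds the matching @Secures method and passes it the caller's @CheckedParameter argument.
    static boolean authorize(Authorizer auth, Method call, Object[] args) {
        Object bound = null;
        for (int i = 0; i < call.getParameterCount(); i++)
            if (call.getParameters()[i].isAnnotationPresent(CheckedParameter.class)) bound = args[i];
        if (bound == null) return false; // no bound value to check: fail closed
        for (Method check : Authorizer.class.getDeclaredMethods()) {
            if (!check.isAnnotationPresent(Secures.class) || !check.isAnnotationPresent(OwnerOnly.class)) continue;
            try { return (Boolean) check.invoke(auth, bound); }
            catch (ReflectiveOperationException | RuntimeException e) { return false; } // error means deny
        }
        return false; // no authorizer for this binding: fail closed
    }
    public static void main(String[] argv) {
        Records r = secure(new Records() {
            public String read(Integer id) { return "record " + id; }
            public String export(Integer id) { return "export " + id; }
        }, new Authorizer());
        System.out.println(r.read(7));
        for (Runnable call : new Runnable[] {() -> r.read(8), () -> r.export(7)})
            try { call.run(); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Running `main` allows the caller's own record and denies both the mismatched id and the method whose parameter carries no binding annotation.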