Why is @Secures not fine? If the rule is "on parameter" it is a post it can be enough.

Another solution is @Secure(hook = POST) with a default to PRE.

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau

2012/12/13 Arne Limburg <[email protected]>:
> Feel free to make a suggestion.
> What about
>
> @SecuredResult
> or
> @SecuredReturnValue
> ?
>
> On 13.12.12 10:50, "Gerhard Petracek" wrote at
> <[email protected]>:
>
>>+1, but imo we need a better name for it.
>>
>>regards,
>>gerhard
>>
>>2012/12/13 Rudy De Busscher <[email protected]>
>>
>>> All,
>>>
>>> I had once also such a requirement (post-method authorization) where this
>>> could be very handy.
>>>
>>> We kept information about persons (name, age, address, medical info, ...)
>>> but there were some categories. One kind of category was linked to the
>>> Royals and you needed a special role before you could read the information.
>>>
>>> So we were only able to determine if the user was allowed to read the
>>> person information after we had read it from the database and matched the
>>> category.
>>>
>>> So
>>> +1
>>>
>>> Regards
>>> Rudy
>>>
>>> On 13 December 2012 09:26, Arne Limburg <[email protected]> wrote:
>>>
>>> > Hi Jean-Louis,
>>> >
>>> > A simple use case is a method that creates an object, stores it to the
>>> > database and returns it.
>>> > You may want to check the object to decide if the user is allowed to
>>> > create it. With my proposal it is as easy as:
>>> >
>>> > public class MyObjectRepository {
>>> >     @Create
>>> >     public MyObject create() {
>>> >         ...
>>> >     }
>>> > }
>>> >
>>> > public class MyAuthorizer {
>>> >
>>> >     @Secures @Create
>>> >     public boolean canCreate(@Result MyObject object) {
>>> >         // security check here
>>> >     }
>>> > }
>>> >
>>> > Hope that makes it clear. And note that the check may depend on the state
>>> > of the object, i.e. the user is just allowed to create the object, if he
>>> > is the owner...
>>> >
>>> > Cheers,
>>> > Arne
>>> >
>>> > On 13.12.12 09:20, "Jean-Louis MONTEIRO" wrote at <[email protected]>:
>>> >
>>> > >Hi Arne,
>>> > >
>>> > >Just read the JIRA but could not find a relevant use case for that.
>>> > >But if you proposed it, I probably missed something so if you could
>>> > >elaborate a bit more.
>>> > >
>>> > >Jean-Louis
>>> > >
>>> > >2012/12/13 Mark Struberg <[email protected]>
>>> > >
>>> > >> +1
>>> > >>
>>> > >> ------------------------------
>>> > >> Arne Limburg wrote on Wed, 12 Dec 2012 23:38 PST:
>>> > >>
>>> > >> >Hi,
>>> > >> >
>>> > >> >What do you think of supporting post-method-authorization (see [1]) in
>>> > >> >addition to our current pre-method-authorization?
>>> > >> >I just started coding it and it is not much to do.
>>> > >> >
>>> > >> >Cheers,
>>> > >> >Arne
>>> > >> >
>>> > >> >[1] https://issues.apache.org/jira/browse/DELTASPIKE-298
>>> > >
>>> > >--
>>> > >Jean-Louis
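
Added example, not part of the thread and not DeltaSpike code: a plain-JDK sketch of the post-method authorization discussed above, using the "category is only known after the record is loaded" case. The names `PostAuthDemo`, `@CheckResult` and `secure` are hypothetical, the data is constructed, and Java 16+ is assumed.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.function.BiPredicate;

public class PostAuthDemo {
    // Hypothetical marker: methods carrying it get their return value authorized.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface CheckResult {}

    record Person(String name, String category) {}

    interface PersonRepository {
        @CheckResult Person find(String name);
    }

    // Wraps target so each @CheckResult method's return value is passed to the
    // authorizer before the caller sees it; a denied result is never handed out.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> type, T target, String user,
                        BiPredicate<String, Object> authorizer) {
        InvocationHandler handler = (proxy, method, args) -> {
            Object result;
            try {
                result = method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the target's own exception
            }
            if (method.isAnnotationPresent(CheckResult.class)
                    && !authorizer.test(user, result)) {
                throw new SecurityException(user + " may not access result of " + method.getName());
            }
            return result;
        };
        return (T) Proxy.newProxyInstance(type.getClassLoader(), new Class<?>[] {type}, handler);
    }

    public static void main(String[] args) {
        // Constructed sample data: the category is only known once the record is loaded.
        PersonRepository repo =
            name -> new Person(name, name.startsWith("King") ? "ROYAL" : "PUBLIC");
        // Rule: ROYAL records are readable only by the (constructed) user "royal-clerk".
        BiPredicate<String, Object> rule = (user, result) ->
            !(result instanceof Person p) || !p.category().equals("ROYAL")
                || user.equals("royal-clerk");

        PersonRepository asClerk = secure(PersonRepository.class, repo, "clerk", rule);
        System.out.println(asClerk.find("Jane Doe"));
        try {
            asClerk.find("King Example");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Because the check runs after the method body, any side effect (such as the database write in the `create()` case from the thread) has already happened when access is denied, so the denial has to abort the surrounding transaction.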
