so I'd go for @PreSecures and @PostSecures, just explicit, but I wouldn't want something not symmetrical
Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau

2012/12/13 Arne Limburg <[email protected]>:
> @Secures sounds cool at a first glance, but may it be confusing for users?
>
> And also we should support a mixture of @SecurityParameterBindings and
> result, so the annotation should somehow indicate that the parameter is
> the return value of the method invocation.
> Consider the following example:
>
>     @Copy
>     public MyObject copy(@Source MyObject source) {
>         ...
>     }
>
>     public class MyCopyAuthorizer {
>
>         @Secures @Copy
>         public boolean isCopyAllowed(@Source MyObject source,
>                                      @SecuredReturnValue MyObject target) {
>             ...
>         }
>     }
>
> where @Copy is a @SecurityBindingType and @Source is a
> @SecurityParameterBinding
>
> Cheers,
> Arne
>
> On 13.12.12 11:45, "Romain Manni-Bucau" <[email protected]> wrote:
>
>> Why @Secures is not fine?
>>
>> if the rule is "on parameter" it is a post it can be enough.
>>
>> Another solution is @Secure(hook = POST) with a default to PRE
>>
>> Romain Manni-Bucau
>> Twitter: @rmannibucau
>> Blog: http://rmannibucau.wordpress.com/
>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>> Github: https://github.com/rmannibucau
>>
>> 2012/12/13 Arne Limburg <[email protected]>:
>>> Feel free to make a suggestion.
>>> What about
>>>
>>> @SecuredResult
>>> or
>>> @SecuredReturnValue
>>> ?
>>>
>>> On 13.12.12 10:50, "Gerhard Petracek" <[email protected]> wrote:
>>>
>>>> +1, but imo we need a better name for it.
>>>>
>>>> regards,
>>>> gerhard
>>>>
>>>> 2012/12/13 Rudy De Busscher <[email protected]>
>>>>
>>>>> All,
>>>>>
>>>>> I had once also such a requirement (post-method authorization) where
>>>>> this could be very handy.
>>>>>
>>>>> We kept information about persons (name, age, address, medical info,
>>>>> ...) but there were some categories. One kind of category was linked
>>>>> to the Royals and you needed a special role before you could read the
>>>>> information.
>>>>>
>>>>> So we were only able to determine if the user was allowed to read the
>>>>> person information after we had read it from the database and matched
>>>>> the category.
>>>>>
>>>>> So
>>>>> +1
>>>>>
>>>>> Regards
>>>>> Rudy
>>>>>
>>>>> On 13 December 2012 09:26, Arne Limburg <[email protected]> wrote:
>>>>>
>>>>>> Hi Jean-Louis,
>>>>>>
>>>>>> A simple use case is a method that creates an object, stores it to
>>>>>> the database and returns it.
>>>>>> You may want to check the object to decide if the user is allowed to
>>>>>> create it. With my proposal it is as easy as:
>>>>>>
>>>>>>     public class MyObjectRepository {
>>>>>>         @Create
>>>>>>         public MyObject create() {
>>>>>>             ...
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>>     public class MyAuthorizer {
>>>>>>
>>>>>>         @Secures @Create
>>>>>>         public boolean canCreate(@Result MyObject object) {
>>>>>>             // security check here
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>> Hope that makes it clear. And note that the check may depend on the
>>>>>> state of the object, i.e. the user is just allowed to create the
>>>>>> object, if he is the owner...
>>>>>>
>>>>>> Cheers,
>>>>>> Arne
>>>>>>
>>>>>> On 13.12.12 09:20, "Jean-Louis MONTEIRO" <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Arne,
>>>>>>>
>>>>>>> Just read the JIRA but could not find a relevant use case for that.
>>>>>>> But if you proposed it, I probably missed something so if you could
>>>>>>> elaborate a bit more.
>>>>>>>
>>>>>>> Jean-Louis
>>>>>>>
>>>>>>> 2012/12/13 Mark Struberg <[email protected]>
>>>>>>>
>>>>>>>> +1
>>>>>>>>
>>>>>>>> ------------------------------
>>>>>>>> Arne Limburg wrote on Wed., 12 Dec 2012 23:38 PST:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> What do you think of supporting post-method-authorization (see [1])
>>>>>>>>> in addition to our current pre-method-authorization?
>>>>>>>>> I just started coding it and it is not much to do.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Arne
>>>>>>>>>
>>>>>>>>> [1] https://issues.apache.org/jira/browse/DELTASPIKE-298
>>>>>>>
>>>>>>> --
>>>>>>> Jean-Louis
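As an added illustration of the mechanics the thread is discussing (not DeltaSpike code and not part of the original mail): a plain-Java stand-in for the post-invocation hook, built on Rudy's case of a person record whose category, and therefore the required role, is only known after the row has been read. PersonRepository, Category and the "royal-reader" role are constructed for this example; it needs Java 16+ for records and pattern matching.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.Set;
import java.util.function.BiPredicate;

// Constructed stand-in for the interceptor side of the proposal: the authorizer
// only sees the method's return value after the real invocation has completed.
public class PostAuthorizationDemo {
    enum Category { PUBLIC, ROYALS }
    record Person(String name, Category category) {}
    interface PersonRepository { Person findPerson(int id); }

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Post-invocation rule for Rudy's case: the category is only known once the
    // row has been read, so the decision must be taken on the return value.
    static boolean canReadPerson(Set<String> roles, Person loaded) {
        return loaded.category() != Category.ROYALS || roles.contains("royal-reader");
    }

    // Wraps a repository so every call is followed by the post-check; a denied
    // result never reaches the caller even though the database was already read.
    static PersonRepository secured(PersonRepository target, Set<String> roles,
                                    BiPredicate<Set<String>, Person> postCheck) {
        InvocationHandler h = (proxy, method, args) -> {
            Object result = method.invoke(target, args);   // real invocation first
            if (result instanceof Person p && !postCheck.test(roles, p)) {
                throw new AccessDeniedException("not allowed to read " + p.name());
            }
            return result;
        };
        return (PersonRepository) Proxy.newProxyInstance(
                PersonRepository.class.getClassLoader(),
                new Class<?>[] { PersonRepository.class }, h);
    }

    public static void main(String[] args) {
        // Constructed in-memory "database" standing in for the real persistence layer.
        Map<Integer, Person> db = Map.of(1, new Person("Alice", Category.PUBLIC),
                                         2, new Person("Prince", Category.ROYALS));
        PersonRepository repo = secured(db::get, Set.of("user"),
                                        PostAuthorizationDemo::canReadPerson);
        System.out.println(repo.findPerson(1).name());   // PUBLIC record: allowed
        try { repo.findPerson(2); }                      // ROYALS without the role
        catch (AccessDeniedException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The pre-invocation variant the module already has would inspect `args` before `method.invoke`; the point of the proposal is that for this rule there is nothing useful to inspect until the return value exists.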
