Tools (JBoss Tools): JBIDE-23173

Missing validation of @SecurityParameterBinding


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.30.x
    • 4.4.1.Final
    • cdi-extensions

      The CDI extension DeltaSpike allows creating custom @SecurityParameterBinding types.
      These types allow injecting parameter values from the method invocation into the authorizer bean. (See the documentation of the DeltaSpike Security Module.)

      When I create my own security parameter

      @SecurityParameterBinding
      public @interface MySecurityParameter {}

      ...and authorizer

      public class CustomAuthorizer {
          public boolean check(@MySecurityParameter String parameter) {
              return true;
          }
      }

      ...then I can secure some methods, but these methods must have an appropriate input parameter with the correct type and with the annotation

      public class SecuredBean {
          // OK (annotated parameter of the matching type)
          public SecuredBean doSomething(@MySecurityParameter String parameter) {
              return null;
          }

          // Not-OK (Missing @MySecurityParameter annotation)
          public SecuredBean doSomething2(String parameter) {
              return null;
          }

          // Not-OK (Bad type - Integer)
          public SecuredBean doSomething3(@MySecurityParameter Integer parameter) {
              return null;
          }
      }

      Methods doSomething2 and doSomething3 cause an exception "SecurityDefinitionException: No matching authorizer found for security". The validator doesn't detect any problems.

      The attached project securityParameterBinding.zip can be used to reproduce this issue.

            Unassigned
            lvalach_jira Lukáš Valach (Inactive)
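
An added example, not code from the report, JBoss Tools or DeltaSpike: the parameter check the report asks the validator to perform, sketched with reflection. The nested `SecurityParameterBinding` is a stand-in for DeltaSpike's annotation so the file compiles alone. It assumes every `SecuredBean` method is secured by `CustomAuthorizer.check` and that a match means the same binding annotation on a parameter of an assignable type.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class BindingCheck {
    // Stand-in for DeltaSpike's meta-annotation (assumption: keeps the example library-free).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.ANNOTATION_TYPE)
    @interface SecurityParameterBinding {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @SecurityParameterBinding @interface MySecurityParameter {}

    static class CustomAuthorizer {
        public boolean check(@MySecurityParameter String parameter) { return true; }
    }

    static class SecuredBean {
        public SecuredBean doSomething(@MySecurityParameter String parameter) { return null; }
        public SecuredBean doSomething2(String parameter) { return null; }
        public SecuredBean doSomething3(@MySecurityParameter Integer parameter) { return null; }
    }

    // True if 'secured' supplies, for every binding-annotated authorizer parameter,
    // a parameter carrying the same binding annotation with an assignable type.
    static boolean satisfies(Method authorizer, Method secured) {
        for (Parameter need : authorizer.getParameters()) {
            for (Annotation a : need.getAnnotations()) {
                if (!a.annotationType().isAnnotationPresent(SecurityParameterBinding.class)) continue;
                boolean found = false;
                for (Parameter have : secured.getParameters()) {
                    found |= have.isAnnotationPresent(a.annotationType())
                            && need.getType().isAssignableFrom(have.getType());
                }
                if (!found) return false; // would fail at deployment with "No matching authorizer"
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Method check = CustomAuthorizer.class.getMethod("check", String.class);
        Method[] methods = SecuredBean.class.getDeclaredMethods();
        Arrays.sort(methods, Comparator.comparing(Method::getName));
        for (Method m : methods) {
            System.out.println(m.getName() + ": " + (satisfies(check, m) ? "OK" : "no matching authorizer"));
        }
    }
}
```

An IDE validator would run the same comparison against the source model at edit time rather than against loaded classes.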