-
Bug
-
Resolution: Unresolved
-
Major
-
4.4.1.Final
-
None
-
-
CDI extension DeltaSpike allows to create custom @SecurityParameterBinding types.
These types allows to inject parameters values from the method invocation to authorizer bean. (See documentation of Deltaspike/Security Module).
When I create my own security parameter
@SecurityParameterBinding public @interface MySecurityParameter { }
...and authorizer
public class CustomAuthorizer { @Secures @CustomSecurityBinding() public boolean check(@MySecurityParameter String parameter) { return true; } }
...then I can secure some methods, but these methods must have appropriate input parameter with correct type and with the annotation
public class SecuredBean { //OK @CustomSecurityBinding() public SecuredBean doSomething(@MySecurityParameter String parameter) { return null; } //Not-OK (Missing @MySecurityParameter annotation) @CustomSecurityBinding() public SecuredBean doSomething2(String parameter) { return null; } //Not-OK (Bad type - Integer) @CustomSecurityBinding() public SecuredBean doSomething3(@MySecurityParameter Integer parameter) { return null; } }
Methods doSomething 2 and 3 cause an exception "SecurityDefinitionException: No matching authorizer found for security". Validator doesn't detect any problems.
The attached project can be use to reproduce this issue securityParameterBinding.zip
.
