Hi,
There's nothing preventing you going full programmatic. The SecurityContext from EE Security is there to help you even.
But, similarly to say any kind of interceptors where you could just do the work at the start and end of a method (perhaps using a try/finally), people do like to externalise that. And one way to do that is via Interceptors and Decorators.
That's where the security interceptors and the authorization rules come in.
Kind regards,
Arjan
Is there a good case for offering authorization logic programming functionality via annotations? Most applications I've come across require a single group and the RolesAllowed annotation is a great fit for that.
I find the programmatic authorization style prevalent in many JAX-RS applications to be very readable plus it allows the developer to reuse that knowledge when working with other access control models:
    @GET
    @Path("{id}")
    public Thing doGetById(@PathParam("id") Long id) {
        Thing thing = thingRepository.find(id).orElseThrow(NotFoundException::new);
        if (securityContext.isUserInRole("Employee") && securityContext.isUserInRole("Administrator")) {
            throw new ForbiddenException();
        }
        return thing;
    }
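The interceptor route Arjan describes, applied to the resource method above, as an added example that is not part of this thread or of the EE Security project code: a hypothetical `@RequiresAnyRole` interceptor binding whose interceptor asks EE Security's `SecurityContext` the same role question the method body asked inline, so the rule lives in one place and the resource method only does its job. Three files are shown back to back. Note that EE Security's `javax.security.enterprise.SecurityContext` exposes `isCallerInRole`; `isUserInRole` belongs to the JAX-RS `javax.ws.rs.core.SecurityContext`, which is what the snippet above calls. The package names, the annotation name and the `Thing`/`ThingRepository` types are assumptions.

```java
// --- RequiresAnyRole.java (hypothetical interceptor binding) ---
package example.security;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.enterprise.util.Nonbinding;
import javax.interceptor.InterceptorBinding;

/** The caller must hold at least one of the listed roles, otherwise the call is rejected. */
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface RequiresAnyRole {
    // @Nonbinding: the role list is data for the interceptor, not part of the binding,
    // so a single interceptor serves every role combination.
    @Nonbinding String[] value();
}

// --- RequiresAnyRoleInterceptor.java ---
package example.security;

import javax.annotation.Priority;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import javax.security.enterprise.SecurityContext;
import javax.ws.rs.ForbiddenException;

@RequiresAnyRole({})                          // matches every use of the binding (value is @Nonbinding)
@Interceptor
@Priority(Interceptor.Priority.APPLICATION)  // enables the interceptor without a beans.xml entry
public class RequiresAnyRoleInterceptor {

    @Inject
    private SecurityContext securityContext;  // EE Security's SecurityContext, not the JAX-RS one

    @AroundInvoke
    public Object authorize(InvocationContext ctx) throws Exception {
        // A method-level annotation takes precedence over a class-level one.
        RequiresAnyRole required = ctx.getMethod().getAnnotation(RequiresAnyRole.class);
        if (required == null) {
            required = ctx.getMethod().getDeclaringClass().getAnnotation(RequiresAnyRole.class);
        }
        if (required == null || required.value().length == 0) {
            // Fail closed: a binding that names no roles is a configuration mistake, not an open door.
            throw new ForbiddenException();
        }
        for (String role : required.value()) {
            if (securityContext.isCallerInRole(role)) {
                return ctx.proceed();         // authorized: run the business method
            }
        }
        throw new ForbiddenException();       // JAX-RS maps this to 403
    }
}

// --- ThingResource.java (the rule moved out of the method body) ---
package example.api;

import example.security.RequiresAnyRole;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;

@Path("things")
@RequestScoped  // the resource must be a CDI bean for the interceptor to apply
public class ThingResource {

    @Inject
    private ThingRepository thingRepository;  // hypothetical repository type from the post

    @GET
    @Path("{id}")
    @RequiresAnyRole({"Employee", "Administrator"})
    public Thing doGetById(@PathParam("id") Long id) {
        // No authorization code here: the interceptor has already rejected unauthorized callers.
        return thingRepository.find(id).orElseThrow(NotFoundException::new);
    }
}
```

Two design points worth noting. The interceptor rejects before `ctx.proceed()`, so the repository lookup never runs for an unauthorized caller, which both avoids leaking existence of the record through timing or error shape and keeps the check from being forgotten on a new method. And because the role list is `@Nonbinding`, the rule is readable on the method signature while the decision logic stays in one class that can be unit tested with a stubbed `SecurityContext`.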
_______________________________________________
es-dev mailing list
es-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/es-dev