Deltaspike and @Stateless Bean
I want to secure my "stateless" EJB with the DeltaSpike API.
@Stateless
@Remote(UserServiceRemote.class)
public class UserService implements UserServiceRemote {
    // business methods (see below)
}
At the method level I have a custom annotation "@Support":
@Support
public void doSomething() {}
So I wrote a custom annotation "@Support":
import java.lang.annotation.*;
import org.apache.deltaspike.security.api.authorization.SecurityBindingType;

@Retention(value = RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@Documented
@SecurityBindingType
public @interface Support {
}
My custom Authorizer looks like this:
@ApplicationScoped
public class CustomAuthorizer { // class name is a placeholder; the authorizer must be a CDI bean

    // hasRole/getRole are static imports from org.picketlink.idm.model.basic.BasicModel
    @Secures
    @Support
    public boolean doAdminCheck(Identity identity, IdentityManager identityManager,
                                RelationshipManager relationshipManager) throws Exception {
        return hasRole(relationshipManager, identity.getAccount(), getRole(identityManager, "Support"));
    }
}
In my beans.xml file, I have included:
<interceptors>
    <class>org.apache.deltaspike.security.impl.extension.SecurityInterceptor</class>
</interceptors>
But after I deploy my application and call the doSomething method via remote invocation, the "@Support" annotation is ignored, regardless of whether I have the role or not.
What am I doing wrong? Thanks for any suggestions!
EJB and CDI are two different concepts. The stateless session bean and the CDI managed bean are managed by different containers. Therefore you cannot use DeltaSpike on a stateless session bean. If you want to use DeltaSpike protection, use a named bean and use a different delete strategy.
In my case, I had to make sure that the module (jar) containing the service that I wanted to protect with the annotation had a beans.xml file with the DeltaSpike interceptor (previously I had only added the file to the protected module, not the module with the code itself, which was a problem)...
Also, I found out that I had to decouple the business logic service from the SOAP endpoint declaration itself. This custom @Stateless EJB (or any other) service can be @Inject-ed into the SOAP endpoint, and the security annotations (@Support here) will work on it.
In my opinion, decoupling the endpoint declaration from the business code is good design anyway, since we can have multiple interfaces referencing the same business logic (and simpler unit tests, etc.).
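As an added illustration of the decoupling the answer above describes (example code written here, not the asker's or the answerer's own code): the business logic stays in the @Stateless bean from the question, and a separate JAX-WS endpoint class only delegates to it through a container-injected proxy, so the DeltaSpike authorizer bound to @Support runs on every call. The endpoint class name UserSoapEndpoint, the serviceName, and the added @LocalBean (so that CDI can inject the bean class itself, since a @Remote interface is not a CDI bean type) are assumptions; @Support, UserService and UserServiceRemote come from the question.

```java
// ---- File 1: business module (jar). Its META-INF/beans.xml must enable
//      org.apache.deltaspike.security.impl.extension.SecurityInterceptor ----
import javax.ejb.LocalBean;
import javax.ejb.Remote;
import javax.ejb.Stateless;

@Stateless
@Remote(UserServiceRemote.class)
@LocalBean // assumption: exposes the no-interface view so @Inject UserService resolves
public class UserService implements UserServiceRemote {

    // The @Secures authorizer bound to @Support is consulted before this
    // method executes, but only when the call arrives through the container
    // proxy (EJB or CDI); a direct this.doSomething() inside the bean bypasses it.
    @Support
    @Override
    public void doSomething() {
        // business logic
    }
}

// ---- File 2: remote business interface (same as in the question) ----
public interface UserServiceRemote {
    void doSomething();
}

// ---- File 3: web module (war) with the SOAP endpoint. This archive needs its
//      own META-INF/beans.xml (or WEB-INF/beans.xml) as well ----
import javax.inject.Inject;
import javax.jws.WebMethod;
import javax.jws.WebService;

@WebService(serviceName = "UserWebService") // placeholder service name
public class UserSoapEndpoint {

    // Injected container proxy: every call through it passes the
    // interceptor chain, including DeltaSpike's SecurityInterceptor.
    @Inject
    private UserService userService;

    // No security annotation here: the check is enforced on the injected
    // service, so other endpoints reusing UserService get the same policy.
    @WebMethod
    public void doSomething() {
        userService.doSomething();
    }
}
```

Two points worth verifying when reproducing this layout: each archive that contains an intercepted bean needs the interceptor enabled in its own beans.xml (the point the answer makes), and the authorizer only fires for calls that go through the container proxy, so unit tests that call `new UserService().doSomething()` will not exercise the @Support check and should not be taken as evidence that it works.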