Hi Libor,
On Friday 08 August 2014 - 07:58:51, Libor Kramolis wrote:
> You can see RolesAllowedDynamicFeature uses
> requestContext.getSecurityContext().isUserInRole(role) [1] to implement
> security filtering.
I did some more tests and thought about given implementation, responsibility
...
with the conclusion: SecurityContext of WebComponent is wrong conceptually.
Why?
A request is just a chunk of bits sent from the client to the server, so a
request class may have methods to access the bits or even interpret subchunks
of bits ...
... but a request does not (and should not) know anything about a principal. A
UserPrincipal should be a very private information of the server/service.
Same is true for the roles of a user. So a request can't even respond to a
question like isUserInRole. That's a server question, not a request question.
So I think, getUserPrincipal and isUserInRole should be handled by
SecurityContext and definitely not delegated to HttpServletRequest. A request
context may know something about it, but not the request itself.
Service-developers / jersey users may then inject their own interpretation of
SecurityContext but not change/extend the request.
I would like to hear your thoughts about that detail.
br Django