All,
Attached is an idea for an injectable SecurityContext interface that would
provide access to security related information. Usage of this interface
would be as follows:
class PeopleResource {
@HttpContext SecurityContext securityContext;
@UriTemplate("{id}")
PersonResource getPerson(@UriParam("id) String id) {
if (securityContext.isUserInRole("paidSubscriber")) {
return PaidPersonResource(id);
} else {
return CheapSkatePersonResource(id);
}
}
}
Additionally, you could test that the PaidPersonResource is being requested
over a secure channel:
class PeopleResource {
@HttpContext SecurityContext securityContext;
@UriTemplate("{id}")
PersonResource getPerson(@UriParam("id) String id) {
if (securityContext.isUserInRole("paidSubscriber")) {
if(securityContext.isTransportSecure()) {
return PaidPersonResource(id);
}else {
//-- Return Error
}
} else {
return CheapSkatePersonResource(id);
}
}
}
Optionally, we could use JSR-250 annotation to perform the same task
declaratively:
class PeopleResource {
@UriTemplate("{id}")
@RolesAllowed({"paidSubscriber"})
PersonResource getPaidPersonResource(@UriParam("id) String id) {
return PaidPersonResource(id);
}
@UriTemplate("{id}")
@RolesAllowed({"basic"})
PersonResource getCheapSkatePersonResource(UriParam("id) String id) {
return CheapSkatePersonResource(id);
}
}
As far as configuring a security domain, this is probably something best
left to the container, but I haven't worked out the exact details yet.
Ryan-
--
Ryan J. McDonough
http://www.damnhandy.com