CONTROLE DE PERMISSÃO

@wbotelhos | wbotelhos.com.br | #qconsp / 11

WASHINGTON BOTELHO

public enum Perfil {

MEMBRO, MODERADOR, ADMINISTRADOR

}

public class Usuario {

private Long id; private String nome; private Perfil perfil;

}

@Post("/usuario")public void salvar(Usuario usuario) {

}

@Resourcepublic class AdminController {

}

Annotation

@Permission(Perfil.ADMINISTRADOR)

public @interface Permission { Perfil[] value();}

public @interface Permission { Perfil[] value();}

@Retention(RetentionPolicy.RUNTIME)@Target({ ElementType.TYPE, ElementType.METHOD })

@Post("/usuario")public void salvar(Usuario usuario) {

}

@Permission({ Perfil.MODERADOR, Perfil.ADMINISTRADOR })

@Resourcepublic class AdminController {

}

@Permission(Perfil.ADMINISTRADOR)

Interceptor

@Intercepts

accepts(){ true | false }

intercept(){ next | redirect | error }

public boolean accepts(ResourceMethod method) {

return !method.getMethod().isAnnotationPresent(Public.class)

}

public void intercept( InterceptorStack stack, ResourceMethod method, Object resource) {

Permission methodPermission =method.getMethod().getAnnotation(Permission.class);

Permission controllerPermission =method.getResource().getType().getAnnotation(Permission.class);

// ...

}

private boolean hasAccess(Permission permission) {if (permission == null) return true;

Collection<Perfil> perfis = Arrays.asList(permission.value());

return perfis.contains(userSession.getUser().getPerfil());}

if (hasAccess(methodPermission) && hasAccess(controllerPermission))

stack.next(method, resource);

else

result.redirectTo(UsuarioController.class).negado();

result.use(http()).sendError(500, "Permission denied!");

Ajax Error

result.use(http()).sendError(404);

Not Found

@wbotelhos | wbotelhos.com.br

WASHINGTON BOTELHO

Obrigado! (: