Various fixes to the deltaspike-authorization quickstart

deltaspike-security/README.md → deltaspike-authorization/README.md

@@ -1,4 +1,4 @@
-jboss-as-deltaspike-projectstage: Demonstrate the creation of a custom authorization example using @SecurityBindingType from DeltaSpike
+jboss-as-deltaspike-authorization: Demonstrate the creation of a custom authorization example using @SecurityBindingType from DeltaSpike
 ======================================================
 Author: Rafael Benevides
 Level: Beginner
@@ -10,15 +10,15 @@ Target Product: WFK
 What is it?
 -----------
 
-SecurityBinding is a feature of the security module that acts by intercepting method calls, and performing a security check before invocation is allowed to proceed.
+Security binding is DeltaSpike feature that restricts who can invoke a method (under the covers, it uses interceptors).
 
-To use it, it's needed to create a security parameter binding annotation. In this application we created `@AdminAllowed` and `@GuestAllowed` annotations.
+To restrict who can invoke a method, we create an annotation, called a security binding type. This quickstart has two security binding types - `@AdminAllowed` and `@GuestAllowed`.
 
-The application also defines an `Authorizer` class that implements behavior for both `SecurityBindingType`. This class is simply a CDI bean which declares a @Secures method, qualified with the security binding annotation we created.
+The quickstart defines an `Authorizer` class that implements the restrictions for the security binding types. The authorizer is a CDI bean which defines methods (annotated with `@Secures) which perform the authorization checks for each security binding we create.
 
-This `Authorizer` is integrated with JAAS so the check is delegated to JAAS API through `FacesContext`, but any other ways to check if the method is allowed could be used. 
+In this quickstart the `Authorizer` we delegate authentication to JAAS, but other authentication solutions could be used.
 
-Both annotations was applied to methods on `SecuredController` class.
+Methods on the `Controller` bean have been restricted using the security binding types.
 
 
 System requirements
@@ -35,7 +35,6 @@ Configure Maven
 If you have not yet done so, you must [Configure Maven](../README.md#mavenconfiguration) before testing the quickstarts.
 
 
-
 Add an Application User
 ----------------
 This quickstart uses secured management interfaces and requires that you create an application user to access the running application. Instructions to set up the quickstart application user can be found here: [Add an Application User](../README.md#addapplicationuser)
@@ -60,20 +59,19 @@ _NOTE: The following build command assumes you have configured your Maven user s
 3. Type this command to build and deploy the archive:
 
         mvn clean package jboss-as:deploy
-4. This will deploy `target/jboss-as-deltaspike-security.war` to the running instance of the server.
+4. This will deploy `target/jboss-as-deltaspike-authorization.war` to the running instance of the server.
+
 
 Access the application
 ---------------------
 
-Access the running application in a browser at the following URL:  <localhost:8080/jboss-as-deltaspike-security/>
-
-When you try to access the application, you're redirected to a Login form already filled. (remember to setup the Application User).
+You can access the running application in a browser at the following URL: <localhost:8080/jboss-as-deltaspike-authorization/>
 
-Log in application and you see the secured page showing your username and two buttons. 
+When you access the application you are redirected to a login form, already filled in with the details of the application user you set up above. Once you have logged into the application you see a page showing your username and two buttons. 
 
-Click on `Guest Method` button and realize that you will see the following message: `You executed a @GuestAllowed method`.
+When you click on the `Employee Method` button you will see the following message: `You executed a @EmployeeAllowed method` - you are authorized to invoke this method.
 
-Now, click on `Admin Method` button and you will be redirected to a error page with the following exception: `org.apache.deltaspike.security.api.authorization.AccessDeniedException`
+When you click on the `Admin Method` button you will be redirected to a error page with the following exception: `org.apache.deltaspike.security.api.authorization.AccessDeniedException` - you aren't authorized to invole thos method.
 
 Undeploy the Archive
 --------------------

deltaspike-security/pom.xml → deltaspike-authorization/pom.xml

@@ -14,11 +14,11 @@
     <modelVersion>4.0.0</modelVersion>
 
     <groupId>org.jboss.as.quickstarts</groupId>
-    <artifactId>jboss-as-deltaspike-security</artifactId>
+    <artifactId>jboss-as-deltaspike-authorization</artifactId>
     <version>7.1.2-SNAPSHOT</version>
     <packaging>war</packaging>
-    <name>JBoss AS Quickstarts: DeltaSpike Security</name>
-    <description>DeltaSpike Security: shows a custom authorization example using @SecurityBindingType from DeltaSpike</description>
+    <name>JBoss AS Quickstarts: DeltaSpike Authorization</name>
+    <description>DeltaSpike Authorization: shows a custom authorization example using security binding types from DeltaSpike</description>
 
     <url>http://jboss.org/jbossas</url>
     <licenses>
@@ -126,30 +126,30 @@
             <scope>provided</scope>
         </dependency>
 
-        <!-- Deltaspike API. we use compile scope as we need its API -->
+        <!-- Deltaspike API. We use compile scope as we need compile against its API -->
         <dependency>
             <groupId>org.apache.deltaspike.core</groupId>
             <artifactId>deltaspike-core-api</artifactId>
             <scope>compile</scope>
         </dependency>
 
-        <!-- Deltaspike Impl. we use runtime scope as we its implementation 
+        <!-- Deltaspike Impl. we use runtime scope as we need its implementation 
             dependencies only on runtime -->
         <dependency>
             <groupId>org.apache.deltaspike.core</groupId>
             <artifactId>deltaspike-core-impl</artifactId>
             <scope>runtime</scope>
         </dependency>
 
-        <!-- Deltaspike Security Module API. we use compile scope as we need 
-            its API -->
+        <!-- Deltaspike Security Module API. We use compile scope as we need 
+            to compile against its API -->
         <dependency>
             <groupId>org.apache.deltaspike.modules</groupId>
             <artifactId>deltaspike-security-module-api</artifactId>
             <scope>compile</scope>
         </dependency>
 
-        <!-- Deltaspike Security Impl. we use runtime scope as we its implementation 
+        <!-- Deltaspike Security Impl. we use runtime scope as we need its implementation 
             dependencies only on runtime -->
         <dependency>
             <groupId>org.apache.deltaspike.modules</groupId>

deltaspike-security/src/main/java/org/jboss/as/quickstarts/deltaspike/security/annotations/AdminAllowed.java → deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/AdminAllowed.java

@@ -20,7 +20,7 @@
  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
 
-package org.jboss.as.quickstarts.deltaspike.security.annotations;
+package org.jboss.as.quickstarts.deltaspike.authorization;
 
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;
@@ -31,7 +31,7 @@
 import org.apache.deltaspike.security.api.authorization.annotation.SecurityBindingType;
 
 /**
- * This annotation is used to to add security behavior to our business classes and methods
+ * This annotation is used to to add authorization restrictions to beans and methods
  * 
  * @author <a href="mailto:benevides@redhat.com">Rafael Benevides</a>
  * 

deltaspike-security/src/main/java/org/jboss/as/quickstarts/deltaspike/security/SecuredController.java → deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/Controller.java

@@ -20,41 +20,38 @@
  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
 
-package org.jboss.as.quickstarts.deltaspike.security;
+package org.jboss.as.quickstarts.deltaspike.authorization;
 
 import java.io.IOException;
 
-import javax.enterprise.inject.Model;
 import javax.faces.application.FacesMessage;
 import javax.faces.context.FacesContext;
 import javax.inject.Inject;
+import javax.inject.Named;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import org.jboss.as.quickstarts.deltaspike.security.annotations.AdminAllowed;
-import org.jboss.as.quickstarts.deltaspike.security.annotations.GuestAllowed;
 
 /**
+ * The secured controller restricts access to certain method
+ * 
  * @author <a href="mailto:benevides@redhat.com">Rafael Benevides</a>
  * 
  */
-// The @Model stereotype is a convenience mechanism to make this a request-scoped bean that has an
-// EL name
-// Read more about the @Model stereotype in this FAQ:
-// http://sfwk.org/Documentation/WhatIsThePurposeOfTheModelAnnotation
-@Model
-public class SecuredController {
+// Expose the bean to EL
+@Named
+public class Controller {
 
     @Inject
     private FacesContext facesContext;
 
-    //This method is allowed only to users with Guest role
-    @GuestAllowed
-    public void guestMethod() {
-        facesContext.addMessage(null, new FacesMessage("You executed a @GuestAllowed method"));
+    //This method is allowed only to users with employee role
+    @EmployeeAllowed
+    public void employeeMethod() {
+        facesContext.addMessage(null, new FacesMessage("You executed a @EmployeeAllowed method"));
     }
 
-    //This method is allowed only to users with Admin role
+    //This method is allowed only to users with admin role
     @AdminAllowed
     public void adminMethod() {
         facesContext.addMessage(null, new FacesMessage("You executed a @AdminAllowed method"));
@@ -68,5 +65,16 @@ public void logout() throws IOException {
         response.sendRedirect("index.html");
         facesContext.responseComplete();
     }
+
+    //This method return the stack trace string from the Exception
+    public String getStackTrace() {
+        Throwable throwable = (Throwable)  FacesContext.getCurrentInstance().getExternalContext().getRequestMap().get("javax.servlet.error.exception");
+        StringBuilder builder = new StringBuilder();
+        builder.append(throwable.getMessage()).append("\n");
+        for (StackTraceElement element : throwable.getStackTrace()) {
+            builder.append(element).append("\n");
+        }
+        return builder.toString();
+    }
 
 }

deltaspike-security/src/main/java/org/jboss/as/quickstarts/deltaspike/util/CustomAuthorizer.java → deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/CustomAuthorizer.java

@@ -20,7 +20,7 @@
  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
 
-package org.jboss.as.quickstarts.deltaspike.util;
+package org.jboss.as.quickstarts.deltaspike.authorization;
 
 import javax.enterprise.context.ApplicationScoped;
 import javax.enterprise.inject.spi.BeanManager;
@@ -29,11 +29,9 @@
 import javax.interceptor.InvocationContext;
 
 import org.apache.deltaspike.security.api.authorization.annotation.Secures;
-import org.jboss.as.quickstarts.deltaspike.security.annotations.AdminAllowed;
-import org.jboss.as.quickstarts.deltaspike.security.annotations.GuestAllowed;
 
 /**
- * This Authorizer class implements behavior for our custom SecurityBindingType. This class is simply a CDI bean which declares
+ * This Authorizer class implements behavior for our security binding types. This class is simply a CDI bean which declares
  * a @Secures method, qualified with the security binding annotation.
  * 
  * @author <a href="mailto:benevides@redhat.com">Rafael Benevides</a>
@@ -61,7 +59,7 @@ public boolean doAdminCheck(InvocationContext invocationContext, BeanManager man
     }
 
     /**
-     * This method is used to check if classes and methods annotated with {@link GuestAllowed} can perform
+     * This method is used to check if classes and methods annotated with {@link EmployeeAllowed} can perform
      * the operation or not
      * 
      * @param invocationContext
@@ -70,7 +68,7 @@ public boolean doAdminCheck(InvocationContext invocationContext, BeanManager man
      * @throws Exception
      */
     @Secures
-    @GuestAllowed
+    @EmployeeAllowed
     public boolean doGuestCheck(InvocationContext invocationContext, BeanManager manager) throws Exception {
         return facesContext.getExternalContext().isUserInRole("guest");
     }

deltaspike-security/src/main/java/org/jboss/as/quickstarts/deltaspike/security/annotations/GuestAllowed.java → deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/EmployeeAllowed.java

@@ -20,7 +20,7 @@
  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
 
-package org.jboss.as.quickstarts.deltaspike.security.annotations;
+package org.jboss.as.quickstarts.deltaspike.authorization;
 
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;
@@ -31,7 +31,7 @@
 import org.apache.deltaspike.security.api.authorization.annotation.SecurityBindingType;
 
 /**
- * This annotation is used to to add security behavior to our business classes and methods
+ * This annotation is used to to add authorization restrictions to beans and methods
  * 
  * @author <a href="mailto:benevides@redhat.com">Rafael Benevides</a>
  * 
@@ -40,6 +40,6 @@
 @Target({ ElementType.TYPE, ElementType.METHOD })
 @Documented
 @SecurityBindingType
-public @interface GuestAllowed {
+public @interface EmployeeAllowed {
 
 }

deltaspike-security/src/main/java/org/jboss/as/quickstarts/deltaspike/util/Resources.java → deltaspike-authorization/src/main/java/org/jboss/as/quickstarts/deltaspike/authorization/util/Resources.java

@@ -14,8 +14,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.jboss.as.quickstarts.deltaspike.util;
+package org.jboss.as.quickstarts.deltaspike.authorization.util;
 
+import java.security.Principal;
 import java.util.logging.Logger;
 
 import javax.enterprise.context.RequestScoped;
@@ -43,5 +44,10 @@ public FacesContext getFacesContext() {
         return FacesContext.getCurrentInstance();
     }
 
+    @Named
+    @Produces
+    public String getLoggedInUserName(Principal principal) {
+        return principal.getName();
+    }
 
 }

deltaspike-security/src/main/webapp/error.xhtml → deltaspike-authorization/src/main/webapp/error.xhtml

@@ -41,7 +41,7 @@ limitations under the License.
                    </font>  
                    <p />  
                    <textarea rows="30" cols="100">  
-                       <h:outputText escape="false" value="#{errorController.stackTrace}"/>  
+                       <h:outputText escape="false" value="#{controller.stackTrace}"/>  
                    </textarea>  
                    <p />
                </h:form>

deltaspike-security/src/main/webapp/welcome.xhtml → deltaspike-authorization/src/main/webapp/welcome.xhtml

@@ -26,15 +26,15 @@ limitations under the License.
 	 -->
 	<ui:composition template="/template.xhtml">
 			<ui:define name="pageTitle">Welcome</ui:define>
-			<ui:define name="pageHeader">Welcome to the secured page!</ui:define>
+			<ui:define name="pageHeader">Welcome to the restricted page!</ui:define>
 			<ui:define name="body">
                  <h:form>
-    			     Welcome <b>#{facesContext.externalContext.userPrincipal.name}</b>!
-                     <h:commandButton value="Logout" action="#{securedController.logout()}" />
+    			     Welcome <b>#{loggedInUserName}</b>!
+                     <h:commandButton value="Logout" action="#{controller.logout}" />
                      <p />
-                     Execute some action:                  
-                     <h:commandButton value="Guest Method" action="#{securedController.guestMethod()}" />
-                     <h:commandButton value="Admin Method" action="#{securedController.adminMethod()}" />
+                     Execute an action:                  
+                     <h:commandButton value="Employees only Method" action="#{controller.employeeMethod}" />
+                     <h:commandButton value="Admins only Method" action="#{controller.adminMethod}" />
                  </h:form>
 			</ui:define>
 	</ui:composition>