Description
I have a Play v1.2.5 app that integrates DeadBolt with SecureSocial. I would like to just authorise a specific method so I've annotated the controller with @with(Deadbolt.class) and the specific method with @RoleHolderPresent.
The problem is that in Deadbolt.checkRestrictions(), the call to DEADBOLT_HANDLER.beforeRoleCheck(), which calls back into SecureSocial to authenticate the user, is done before the call to getRestrictionType() which means that authentication is required for methods that are not restricted.
It seems like this could be resolved by swapping the order of these two calls so that the check for a restriction takes place first, and then, if there is a restriction, to check for an authenticated user, e.g.:

```java
RestrictionType restrictionType = getRestrictionType();
if (restrictionType != null && restrictionType != RestrictionType.NONE) {
    DEADBOLT_HANDLER.beforeRoleCheck();
    RoleHolder roleHolder = getRoleHolder();
    if (restrictionType == RestrictionType.DYNAMIC)
    {
        handleDynamicChecks(roleHolder);
    }
    else if (restrictionType == RestrictionType.STATIC)
    {
        handleStaticChecks(roleHolder);
    }
    else if (restrictionType == RestrictionType.BASIC)
    {
        handleRoleHolderPresent(roleHolder);
    }
}
```
Can you see a problem with this?
cheers,
Chris
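The following is an added, self-contained illustration of the ordering problem raised in the issue; it is not Deadbolt's own code. `CountingHandler` is a hypothetical stand-in for the `DEADBOLT_HANDLER` that records how often `beforeRoleCheck()` (the SecureSocial authentication callback) is invoked, and the two `check*` methods reproduce the current ordering and the proposed ordering side by side so the difference for unrestricted methods is visible.

```java
import java.util.concurrent.atomic.AtomicInteger;

public class RestrictionOrderDemo {

    // Mirrors the restriction kinds named in the issue (NONE, BASIC, STATIC, DYNAMIC).
    enum RestrictionType { NONE, BASIC, STATIC, DYNAMIC }

    // Hypothetical stand-in for DEADBOLT_HANDLER: counts authentication callbacks
    // instead of calling back into SecureSocial.
    static final class CountingHandler {
        final AtomicInteger authCallbacks = new AtomicInteger();

        void beforeRoleCheck() {
            authCallbacks.incrementAndGet();
        }
    }

    // Current ordering described in the issue: authenticate first, then look at the
    // restriction. Every method, restricted or not, forces authentication.
    static int checkAuthenticateFirst(RestrictionType type, CountingHandler handler) {
        handler.beforeRoleCheck();
        if (type != null && type != RestrictionType.NONE) {
            dispatchRoleChecks(type);
        }
        return handler.authCallbacks.get();
    }

    // Proposed ordering: look at the restriction first and only authenticate when
    // the method is actually restricted.
    static int checkRestrictionFirst(RestrictionType type, CountingHandler handler) {
        if (type != null && type != RestrictionType.NONE) {
            handler.beforeRoleCheck();
            dispatchRoleChecks(type);
        }
        return handler.authCallbacks.get();
    }

    // Placeholder for the handleDynamicChecks / handleStaticChecks /
    // handleRoleHolderPresent branches; the branch taken is all that matters here.
    static String dispatchRoleChecks(RestrictionType type) {
        switch (type) {
            case DYNAMIC: return "handleDynamicChecks";
            case STATIC:  return "handleStaticChecks";
            case BASIC:   return "handleRoleHolderPresent";
            default:      return "none";
        }
    }

    public static void main(String[] args) {
        // null stands for a method that carries no restriction annotation at all.
        RestrictionType[] cases = { null, RestrictionType.NONE, RestrictionType.BASIC,
                                    RestrictionType.STATIC, RestrictionType.DYNAMIC };
        for (RestrictionType t : cases) {
            int authFirst = checkAuthenticateFirst(t, new CountingHandler());
            int restrictionFirst = checkRestrictionFirst(t, new CountingHandler());
            System.out.printf("%-10s authenticate-first=%d  restriction-first=%d%n",
                              t, authFirst, restrictionFirst);
        }
    }
}
```

With the proposed ordering the `null` and `NONE` rows show zero authentication callbacks, while the three restricted kinds still authenticate exactly once before any role check runs; that is the behaviour the issue is asking for, and the thing to confirm in a regression test if the swap is made.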