Demonstrate the creation of a custom authorization example using @SecurityBindingType from DeltaSpike
What is it?
Security binding is a DeltaSpike feature that restricts who can invoke a method (under the covers, it uses interceptors).
To restrict who can invoke a method, we create an annotation, called a security binding type. This quickstart has two security binding types - @AdminAllowed and @GuestAllowed.
The quickstart defines an Authorizer class that implements the restrictions for the security binding types. The authorizer is a CDI bean that defines methods (annotated with @Secures) which perform the authorization checks for each security binding we create.
In this quickstart, the Authorizer delegates authentication to JAAS, but other authentication solutions could be used.
Methods on the Controller bean have been restricted using the security binding types.
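The pieces described above, sketched as an added example (not the quickstart's own source): a security binding type, the authorizer method that enforces it, and a restricted method. The class names AuthorizationSketch and CustomAuthorizer, the injected HttpServletRequest and the role name "admin" are assumptions made for illustration.

```java
// Added illustration, not the quickstart's source.
// Needs the DeltaSpike Security module and the Java EE (javax) APIs on the classpath.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.inject.Named;
import javax.interceptor.InvocationContext;
import javax.servlet.http.HttpServletRequest;
import org.apache.deltaspike.security.api.authorization.Secures;
import org.apache.deltaspike.security.api.authorization.SecurityBindingType;

public class AuthorizationSketch {

    // Security binding type: any method carrying it is guarded by the
    // @Secures method that carries the same annotation.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @SecurityBindingType
    public @interface AdminAllowed { }

    // Authorizer bean (hypothetical name). DeltaSpike runs doAdminCheck before
    // each @AdminAllowed invocation; a false result ends the call with
    // AccessDeniedException instead of running the method body.
    @ApplicationScoped
    public static class CustomAuthorizer {
        @Inject
        private HttpServletRequest request; // built-in CDI bean (CDI 1.1+)

        @Secures
        @AdminAllowed
        public boolean doAdminCheck(InvocationContext ctx) {
            // Authentication is left to the container (JAAS) login.
            // isUserInRole is false for an unauthenticated caller, so the
            // check fails closed. The role name "admin" is an assumption.
            return request.isUserInRole("admin");
        }
    }

    @Named
    @RequestScoped
    public static class Controller {
        @AdminAllowed
        public String adminMethod() {
            return "You executed an @AdminAllowed method";
        }
    }
}
```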
System Requirements
The application this project produces is designed to be run on WildFly Application Server 13 or later.
All you need to build this project is Java 8.0 (Java SDK 1.8) or later and Maven 3.3.1 or later. See Configure Maven to Build and Deploy the Quickstarts to make sure you are configured correctly for testing the quickstarts.
Use of WILDFLY_HOME
In the following instructions, replace WILDFLY_HOME with the actual path to your WildFly installation. The installation path is described in detail here: Use of WILDFLY_HOME and JBOSS_HOME Variables.
Add the Authorized Application User
This quickstart uses secured management interfaces and requires that you create the following application user to access the running application.
| UserName | Realm | Password | Roles |
|---|---|---|---|
| quickstartUser | ApplicationRealm | quickstartPwd1! | |
To add the application user, open a terminal and type the following command:
$ WILDFLY_HOME/bin/add-user.sh -a -u 'quickstartUser' -p 'quickstartPwd1!'
Note: For Windows, use the WILDFLY_HOME\bin\add-user.bat script.
If you prefer, you can use the add-user utility interactively.
For an example of how to use the add-user utility, see the instructions located here: Add an Application User.
Start the WildFly Standalone Server
- Open a terminal and navigate to the root of the WildFly directory.
- Start the WildFly server with the default profile by typing the following command.
  $ WILDFLY_HOME/bin/standalone.sh
  Note: For Windows, use the WILDFLY_HOME\bin\standalone.bat script.
Build and Deploy the Quickstart
- Make sure you start the WildFly server as described above.
- Open a terminal and navigate to the root directory of this quickstart.
- Type the following command to build the artifacts.
  $ mvn clean package wildfly:deploy
This deploys the deltaspike-authorization/target/deltaspike-authorization.war to the running instance of the server.
You should see a message in the server log indicating that the archive deployed successfully.
Access the application
The application will be running at the following URL: http://localhost:8080/deltaspike-authorization/.
When you access the application you are redirected to a login form, already filled in with the details of the application user you set up above. Once you have logged into the application you see a page showing your username and two buttons.
When you click on the Employee Method button you will see the following message: You executed a @EmployeeAllowed method - you are authorized to invoke this method.
When you click on the Admin Method button, you are redirected to an error page with the following exception: org.apache.deltaspike.security.api.authorization.AccessDeniedException because you aren’t authorized to invoke this method.
Undeploy the Quickstart
When you are finished testing the quickstart, follow these steps to undeploy the archive.
- Make sure you start the WildFly server as described above.
- Open a terminal and navigate to the root directory of this quickstart.
- Type this command to undeploy the archive:
  $ mvn wildfly:undeploy
Run the Quickstart in Red Hat JBoss Developer Studio or Eclipse
You can also start the server and deploy the quickstarts or run the Arquillian tests in Red Hat JBoss Developer Studio or from Eclipse using JBoss tools. For general information about how to import a quickstart, add a WildFly server, and build and deploy a quickstart, see Use JBoss Developer Studio or Eclipse to Run the Quickstarts.
Debug the Application
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
$ mvn dependency:sources
$ mvn dependency:resolve -Dclassifier=javadoc