Reputation: 23
I have an action in a Controller that is secured with the @Check annotation.
    import play.mvc.Controller;
    import play.mvc.With;

    @With(Secure.class)
    public class Application extends Controller {

        @Check("admin")
        public static void securedMethod() {
            // secured code
        }
    }
When I call this action from the browser, it calls boolean check(String profile) from the Security class. But when I call this action from another action:

    Application.securedMethod();

it just calls the secured code, omitting the Security.check() call. I thought @Check should not allow execution of securedMethod() unless Security.check() returns true. Any ideas how I can make it behave like this?
Upvotes: 2
Views: 152
Reputation: 16439
The reason is the way the Secure controller works. The @Check annotation is only validated at the beginning of a request, via a method annotated with @Before. You can see how it's done in the sample code.
Usually it should not be a problem as you should not call a method with bigger restrictions from a method with less security restrictions (as it may lead to security issues). In your case you should validate the workflow you are using, as you may want to avoid that call.
Upvotes: 4
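The behaviour described in the answer, modelled in plain Java as an added example (it is not code from the Secure module or from either poster): the annotation is read once at request dispatch, so a direct Java call from a less restricted action skips it, while a check placed in the method body runs for every caller. The names `dispatch`, `currentProfile`, `publicAction`, `securedMethodGuarded` and `publicActionGuarded` are hypothetical stand-ins, and the local `check` only imitates `Security.check(String profile)`.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class CheckDemo {
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Check { String value(); }

    // Constructed session state: the caller is logged in, but not as admin.
    static String currentProfile = "user";

    // Stand-in for Security.check(String profile).
    static boolean check(String profile) { return profile.equals(currentProfile); }

    // Stand-in for the framework's request dispatch (the @Before step):
    // the annotation of the requested action is inspected here, and only here.
    static String dispatch(String action) throws Exception {
        Method m = CheckDemo.class.getDeclaredMethod(action);
        Check c = m.getAnnotation(Check.class);
        if (c != null && !check(c.value())) return "403 forbidden";
        return (String) m.invoke(null);
    }

    @Check("admin")
    static String securedMethod() { return "secured code ran"; }

    // Unannotated action that calls the secured one as an ordinary method.
    // dispatch() only sees publicAction's (absent) annotation.
    static String publicAction() { return securedMethod(); }

    // Hardened variant: the authorization check is part of the method body,
    // so it is enforced on dispatch and on direct calls alike.
    @Check("admin")
    static String securedMethodGuarded() {
        if (!check("admin")) return "403 forbidden";
        return "secured code ran";
    }

    static String publicActionGuarded() { return securedMethodGuarded(); }

    public static void main(String[] args) throws Exception {
        // Request for the annotated action: checked at dispatch.
        System.out.println("securedMethod:       " + dispatch("securedMethod"));
        // Request for the unannotated action: the inner call is never checked.
        System.out.println("publicAction:        " + dispatch("publicAction"));
        // Same call path, but the guard inside the method still applies.
        System.out.println("publicActionGuarded: " + dispatch("publicActionGuarded"));
    }
}
```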