If possible, I would annotate the commands themselves and use an interceptor to validate commands against the roles of the principal sending them.
On my own projects, I use a specific command gateway instance for internal components (e.g. sagas) that attaches a special authentication token to commands.
AuthenticationInterceptor implements CommandDispatchInterceptor
AuthorizationInterceptor implements CommandHandlerInterceptor
AsyncSagaEventProcessor::onEvent - Can't extend, it's a final class
AbstractAnnotatedSaga::handle - Can't extend, it's a final method
So, to cut a long story short, I'm stuck again...
BTW, the presentation yesterday was excellent; even considering I've been playing with Axon for quite some months, it was clarifying for me. Cheers.
public void invoke(Object target, EventMessage message) {
    if (!isHandlerAvailable()) {
        return;
    }
    try {
        handlerMethod.invoke(target, message);
    } catch (IllegalAccessException e) {
        ...
--
You received this message because you are subscribed to the Google Groups "Axon Framework Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to axonframewor...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hi Antonio,
since your saga probably extends AbstractAnnotatedSaga, you can simply override the handle method there and do your ThreadLocal stuff around a super.handle call.
One thing I'd like to point out is that event handling isn't -really- done in the context of a user action. It's the system's response to activity of a specific user. Will you ever want to refuse to handle an event because a user doesn't have a specific right? The decisions have been made, and security concerns were part of that decision.
Regarding the annotations for security on commands, I don't see how that allows for a man-in-the-middle attack. The command objects are part of your own application. They are constructed based on serialized data, but the annotations are part of the static class data.
@SagaEventHandler(associationProperty = "aggregateId")
public void handle(ProcessCreatedEvent event) {
    aggregateId = event.getAggregateId();
    CreateTaskCommand command = new CreateTaskCommand(aggregateId);
    commandGateway.send(command);
}
@Override
public void handle(EventMessage event) {
    this.auth = event.getMetaData().get("AUTH");
    super.handle(event);
}
@Override
public void run(Object command) {
    CommandMessage<Object> cm = new GenericCommandMessage<Object>(command);
    // withMetaData takes a map and returns a new message, so keep the result
    cm = cm.withMetaData(Collections.singletonMap("AUTH", this.auth));
    commandBus.dispatch(cm);
}

and in my Saga just

@StartSaga()
@SagaEventHandler(associationProperty = "aggregateId")
public void handle(ProcessCreatedEvent event) {
    aggregateId = event.getAggregateId();
    CreateTaskCommand command = new CreateTaskCommand(aggregateId);
    run(command);
}
AnnotationEventListenerAdapter and override its handle method?
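@Override
public void handle(EventMessage event) {
    // Assumes the "AUTH" metadata entry holds a Spring Security Authentication
    Authentication auth = (Authentication) event.getMetaData().get("AUTH");
    SecurityContextHolder.getContext().setAuthentication(auth);
    invoker.invokeHandlerMethod(event);
}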
Hi, thanks for that. I did know I could get the metadata as a param, but we don't want to do that because we want our programmers to be aware of "business-only" aspects of the sagas. And that correlation is more an "infrastructure" thing.
I didn't know that it was so simple to add the metadata to the command, however, and that can be very useful, yes. I'll try with that tomorrow.
Thanks for your help.
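
An added example (not code from this thread or from Axon) of the approach discussed above: the AUTH value from the event's metadata is placed in a ThreadLocal around the handler call, cleared in a finally block, and copied onto every command the saga sends. Event, Command, handleWithAuth and PropagatingGateway are hypothetical stand-ins written in plain Java, and the token value is a constructed sample.

```java
import java.util.*;
import java.util.function.Consumer;

public class AuthPropagationExample {
    // Stand-ins for the framework's message types (hypothetical, not Axon classes).
    record Event(Object payload, Map<String, Object> metaData) {}
    record Command(Object payload, Map<String, Object> metaData) {}

    // Holds the AUTH value of the event currently being handled on this thread.
    static final ThreadLocal<Object> CURRENT_AUTH = new ThreadLocal<>();

    // Infrastructure wrapper around an event handler: sets the context and always clears it.
    static void handleWithAuth(Event event, Consumer<Object> businessHandler) {
        CURRENT_AUTH.set(event.metaData().get("AUTH"));
        try {
            businessHandler.accept(event.payload());
        } finally {
            CURRENT_AUTH.remove(); // pooled threads must not carry AUTH into the next event
        }
    }

    // Gateway used by sagas: copies the current AUTH onto every outgoing command.
    static class PropagatingGateway {
        final List<Command> dispatched = new ArrayList<>(); // stands in for the command bus

        void send(Object payload) {
            Object auth = CURRENT_AUTH.get();
            if (auth == null) {
                // Fail closed instead of dispatching a command with no principal attached.
                throw new IllegalStateException("no AUTH in context; refusing to send " + payload);
            }
            dispatched.add(new Command(payload, Map.of("AUTH", auth)));
        }
    }

    public static void main(String[] args) {
        PropagatingGateway gateway = new PropagatingGateway();
        Event event = new Event("ProcessCreated:42", Map.of("AUTH", "token-alice")); // constructed sample
        // The saga handler itself contains business logic only.
        handleWithAuth(event, payload -> gateway.send("CreateTask:42"));
        System.out.println(gateway.dispatched.get(0).metaData()); // AUTH copied from the event
        try {
            gateway.send("CreateTask:43"); // outside any event: the context was cleared
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```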