# javalin

Robert Jaros

02/25/2020, 12:18 PM
Is there a way to dynamically/programmatically secure an existing endpoint (defined earlier without any roles)?

arthur

02/25/2020, 12:36 PM
Not sure. Why can't you use roles?

Robert Jaros

02/25/2020, 12:38 PM
Just experimenting with some integration code
But I've already found a way to use roles, so the answer is no longer relevant :-)

sbyrne

02/25/2020, 1:14 PM
Roles are not flexible enough for my situation, so I do authz right at the beginning of each handler and throw `io.javalin.http.ForbiddenResponse`. I see no downside to doing authz in my application code.

david-wg2

02/25/2020, 1:18 PM
@sbyrne that’s essentially what the access manager does too (it wraps handlers) - could you explain why the role system isn’t flexible enough?

sbyrne

02/25/2020, 1:19 PM
The authz decision depends on the request content.

david-wg2

02/25/2020, 1:19 PM
the access manager has access to the full request context
(I’m @tipsy btw, this is my work account)

sbyrne

02/25/2020, 1:21 PM
Then I would have to buffer the whole request in memory. They are often too large to do that.

david-wg2

02/25/2020, 1:21 PM
aha

sbyrne

02/25/2020, 1:23 PM
I do use roles in some of my endpoints. They work fine for most cases. But if you want to do authz in the handler, Javalin stays out of your way and helpfully provides `ForbiddenResponse`.

david-wg2

02/25/2020, 1:23 PM
that sounds like a corner case, but feel free to make an issue if you think it can be solved in a generic way

sbyrne

02/25/2020, 1:23 PM
"Makes the easy thing easy and stays out of your way if you want to do the hard thing yourself" is my favorite feature of frameworks.