Is there a way to dynamically/programmatically sec...
# javalinr
Robert Jaros
02/25/2020, 12:18 PMIs there a way to dynamically/programmatically secure an existing endpoint (defined earlier without any roles)?
a
arthur
02/25/2020, 12:36 PMNot sure. Why can't you use roles?
r
Robert Jaros
02/25/2020, 12:38 PMJust experimenting with some integration code
Robert Jaros
02/25/2020, 12:40 PMBut I've already found a way to use roles, so the answer is no longer relevant :-)
s
sbyrne
02/25/2020, 1:14 PMRoles are not flexible enough for my situation, so I do authz right at the beginning of each handler and throw
io.javalin.http.ForbiddenResponsed
david-wg2
02/25/2020, 1:18 PM@sbyrne that’s essentially what the access manager does too (it wraps handlers) - could you explain why the role system isn’t flexible enough?
s
sbyrne
02/25/2020, 1:19 PMThe authz decision depends on the request content.
d
david-wg2
02/25/2020, 1:19 PMthe access manager has access to the full request context
david-wg2
02/25/2020, 1:20 PM(i’m @tipsy btw, this is my work account)
s
sbyrne
02/25/2020, 1:21 PMThen I would have to buffer the whole request in memory. They are often too large to do that.
d
david-wg2
02/25/2020, 1:21 PMaha
s
sbyrne
02/25/2020, 1:23 PMI do use roles in some of my endpoints. They work fine for most cases. But if you want to do authz in the handler, Javalin stays out of your way and helpfully provides
ForbiddenResponsed
david-wg2
02/25/2020, 1:23 PMthat sounds like a corner case, but feel free to make an issue if you think it can be solved in a generic way
s
sbyrne
02/25/2020, 1:23 PM"Makes the easy thing easy and stays out of your way if you want to do the hard thing yourself" is my favorite feature of frameworks.
➕ 1
5 Views