2

I have an action in a Controller that is secured with the @Check annotation.

```java
@With(Secure.class)
public class Application extends Controller {

    @Check("admin")
    public static void securedMethod() {
        // secured code
    }
}
```

When I call this action from the browser, it calls boolean check(String profile) from the Security class. But when I call this action from another action:

```java
Application.securedMethod();
```

it just calls the secured code, omitting the Security.check() call. I thought @Check should not allow execution of securedMethod() unless Security.check() returns true. Any ideas how I can make it behave like this?

user829812

1 Answer

4

The reason is the way the Secure controller works. The @Check annotation is only validated at the beginning of a request, via a method annotated with @Before. You can see how it's done in the sample code.

Usually it should not be a problem as you should not call a method with bigger restrictions from a method with less security restrictions (as it may lead to security issues). In your case you should validate the workflow you are using, as you may want to avoid that call.

Pere Villega
  • But why is there no redirect? If my [description](http://stackoverflow.com/questions/3899670/how-can-i-influence-the-redirect-behavior-in-a-play-controller) is correct, there should be a redirect and so a new request. – niels Jul 05 '11 at 18:06
  • I was wondering the same, but we would need to see your code and routes for that – Pere Villega Jul 06 '11 at 08:36
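
The behaviour the answer describes, modelled in plain Java as an added example (not code from the posts or from Play itself): `dispatch` stands in for the `@Before` interceptor and `check` for `Security.check`, and every name other than `@Check` and `securedMethod` is constructed. It also shows a guard placed inside the method, which still holds when the interceptor is never consulted.

```java
import java.lang.annotation.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Set;

public class CheckDemo {
    // Stand-in for the secure module's @Check (constructed for this example).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Check { String value(); }

    // Profiles held by the current user (constructed sample data).
    static final Set<String> PROFILES = Set.of("user");

    // Stand-in for Security.check(String profile).
    static boolean check(String profile) { return PROFILES.contains(profile); }

    // Stand-in for the @Before interceptor: the only place @Check is ever read.
    static void dispatch(String action) throws Exception {
        Method m = CheckDemo.class.getDeclaredMethod(action);
        Check c = m.getAnnotation(Check.class);
        if (c != null && !check(c.value())) {
            System.out.println(action + ": forbidden by interceptor");
            return;
        }
        m.invoke(null);
    }

    @Check("admin")
    static void securedMethod() { System.out.println("secured code ran"); }

    // Carries no @Check, so the interceptor lets it through; the plain Java
    // call below never passes through dispatch().
    static void openMethod() { securedMethod(); }

    // Hardened variant: the method enforces its own requirement.
    @Check("admin")
    static void guardedMethod() {
        if (!check("admin")) throw new SecurityException("admin required");
        System.out.println("guarded code ran");
    }

    static void openCallsGuarded() { guardedMethod(); }

    public static void main(String[] args) throws Exception {
        dispatch("securedMethod");     // request aimed at the annotated action
        dispatch("openMethod");        // annotated action reached indirectly
        try { dispatch("openCallsGuarded"); }
        catch (InvocationTargetException e) { System.out.println("blocked: " + e.getCause().getMessage()); }
    }
}
```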