SecurityResultInterceptor.java

package com.softwaremill.common.cdi.security;

import com.google.common.collect.ImmutableMap;
import com.softwaremill.common.cdi.el.ELEvaluator;

import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import java.io.Serializable;

/**
 * @author Adam Warski (adam at warski dot org)
 */
@Interceptor
@SecureResult("")
public class SecurityResultInterceptor implements Serializable {
    @Inject
    private ELEvaluator elEvaluator;

    @AroundInvoke
    public Object invoke(InvocationContext ctx) throws Exception {

        // Getting the result
        Object result = ctx.proceed();

        // And checking the condition
        SecureResult sr = ctx.getMethod().getAnnotation(SecureResult.class);
        Boolean expressionValue = evaluateSecureResultExp(result, sr);

        if (expressionValue == null || !expressionValue) {
            // TODO: message
            throw new SecurityConditionException();
        }

        return result;
    }

    public Boolean evaluateSecureResultExp(Object base, SecureResult secureResult) {
        return elEvaluator.evaluate(secureResult.value(), Boolean.class, ImmutableMap.of("result", base));
    }
}