We started a conversation about CDI, but the information cannot fit in a comment... So to address your concerns:
- CDI interceptors are portable.
- In order to access the HttpServletRequest, you need a front filter to put it in context (e.g. ThreadLocal or CDI's @RequestScoped together with some producer). But DeltaSpike has you covered with the servlet module. Also check out the security module.
- Inject the HttpServletRequest to the interceptor, no need for extra arguments on the resources themselves.
- To change the returned response, just return something from the @AroundInvoke interceptor method. You can access the object returned by the original method using InvocationContext.proceed().

To sum up (almost pseudocode):
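
    import javax.inject.Inject;
    import javax.interceptor.AroundInvoke;
    import javax.interceptor.Interceptor;
    import javax.interceptor.InvocationContext;
    import javax.servlet.http.HttpServletRequest;

    @Interceptor
    @MySecurityInterceptorBinding
    public class MySecurityInterceptor {
        @Inject HttpServletRequest request;

        @AroundInvoke
        public Object secure(InvocationContext ctx) throws Exception {
            // check security
            if (request.isUserInRole("foo")) {
                Object value = ctx.proceed();
                // modify the returned value
                ((MyCustomResponseBase) value).setSecurityPassedFlag(true);
                return value;
                // or change it altogether (I'm not sure if this is entirely possible, try and see :)
                // MyResponseValueWrapper w = new MyResponseValueWrapper(value);
                // w.setXxxx("yyyy");
                // return w;
            }
            else {
                // handle it... (placeholder: deny without calling ctx.proceed())
                throw new SecurityException("caller lacks role foo");
            }
        }
    }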
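
An added example (not part of the original answer and not DeltaSpike's code) of the front filter plus producer mentioned in the second bullet, for the case where you wire it up by hand. It assumes a container that does not already expose HttpServletRequest as an injectable bean; the class names RequestHolderFilter and RequestProducer are hypothetical.

```java
// --- RequestHolderFilter.java (hypothetical name) ---
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

// Front filter: publishes the current request to code running on this thread.
@WebFilter("/*")
public class RequestHolderFilter implements Filter {
    private static final ThreadLocal<HttpServletRequest> CURRENT = new ThreadLocal<>();

    static HttpServletRequest current() { return CURRENT.get(); }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        CURRENT.set((HttpServletRequest) req);
        try {
            chain.doFilter(req, res);
        } finally {
            // Container threads are pooled: clear the slot so a later request
            // on this thread can never be checked against this user's roles.
            CURRENT.remove();
        }
    }
}

// --- RequestProducer.java (hypothetical name, same package) ---
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Produces;
import javax.servlet.http.HttpServletRequest;

public class RequestProducer {
    // @RequestScoped hands the interceptor a proxy that resolves per request,
    // so the injected field never holds a stale reference.
    @Produces @RequestScoped
    public HttpServletRequest currentRequest() {
        HttpServletRequest r = RequestHolderFilter.current();
        if (r == null) {
            // Fail closed: without a request in context no role check is possible.
            throw new IllegalStateException("no active HTTP request on this thread");
        }
        return r;
    }
}
```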