org.directwebremoting.impl
Class DefaultAccessControl

java.lang.Object
  extended by org.directwebremoting.impl.DefaultAccessControl
All Implemented Interfaces:
AccessControl

public class DefaultAccessControl
extends java.lang.Object
implements AccessControl

Control who should be accessing which methods on which classes.

Author:
Joe Walker [joe at getahead dot ltd dot uk]

Constructor Summary
DefaultAccessControl()
           
 
Method Summary
 void addExcludeRule(java.lang.String scriptName, java.lang.String methodName)
          Add an exclude rule.
 void addIncludeRule(java.lang.String scriptName, java.lang.String methodName)
          Add an include rule.
 void addRoleRestriction(java.lang.String scriptName, java.lang.String methodName, java.lang.String role)
          J2EE role based security allows us to restrict methods to only being used by people in certain roles.
 void assertGeneralDisplayable(java.lang.String scriptName, MethodDeclaration method)
          Check the method for accessibility at 'compile-time' (i.e.
 void assertGeneralExecutionIsPossible(java.lang.String scriptName, MethodDeclaration method)
          Check the method for accessibility at runtime, and return an error message if anything is wrong.
 void assertMethodDisplayable(java.lang.Class<?> clazz, java.lang.reflect.Method method)
          Complementing checks for a remoted Java class and method.
 void assertMethodExecutionIsPossible(java.lang.Class<?> clazz, java.lang.reflect.Method method)
          Complementing checks for a remoted Java class and method.
 void setExposeInternals(boolean exposeInternals)
           
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DefaultAccessControl

public DefaultAccessControl()
Method Detail

assertGeneralExecutionIsPossible

public void assertGeneralExecutionIsPossible(java.lang.String scriptName,
                                             MethodDeclaration method)
                                      throws java.lang.SecurityException
Description copied from interface: AccessControl
Check the method for accessibility at runtime, and return an error message if anything is wrong. If nothing is wrong, return null.

See notes on getReasonToNotDisplay(). This method should duplicate the tests made by that method.

This is not a great because it mixes 2 bits of information in the same variable (is it wrong, and what is wrong) but without multi-value returns in Java this seems like the most simple implementation.

Specified by:
assertGeneralExecutionIsPossible in interface AccessControl
Parameters:
scriptName - The Javascript name of the class
method - A logical method declaration
Throws:
java.lang.SecurityException - If the given method is disallowed
See Also:
AccessControl.assertGeneralDisplayable(String, MethodDeclaration)

assertMethodExecutionIsPossible

public void assertMethodExecutionIsPossible(java.lang.Class<?> clazz,
                                            java.lang.reflect.Method method)
                                     throws java.lang.SecurityException
Description copied from interface: AccessControl
Complementing checks for a remoted Java class and method.

Specified by:
assertMethodExecutionIsPossible in interface AccessControl
Parameters:
clazz - An actual Java class
method - An actual reflected Java method
Throws:
java.lang.SecurityException
See Also:
AccessControl.assertGeneralExecutionIsPossible(String, MethodDeclaration)

assertGeneralDisplayable

public void assertGeneralDisplayable(java.lang.String scriptName,
                                     MethodDeclaration method)
                              throws java.lang.SecurityException
Description copied from interface: AccessControl
Check the method for accessibility at 'compile-time' (i.e. when the application is downloaded), and return an error message if anything is wrong. If nothing is wrong, return null.

This method is similar to getReasonToNotExecute() except that there may be checks (like security checks) that we wish to make only at runtime in case the situation changes between 'compile-time' and runtime.

This is not a great because it mixes 2 bits of information in the same variable (is it wrong, and what is wrong) but without multi-value returns in Java this seems like the most simple implementation.

Specified by:
assertGeneralDisplayable in interface AccessControl
Parameters:
scriptName - The Javascript name of the class
method - A logical method declaration
Throws:
java.lang.SecurityException - If the given method is disallowed
See Also:
AccessControl.assertGeneralExecutionIsPossible(String, MethodDeclaration)

assertMethodDisplayable

public void assertMethodDisplayable(java.lang.Class<?> clazz,
                                    java.lang.reflect.Method method)
                             throws java.lang.SecurityException
Description copied from interface: AccessControl
Complementing checks for a remoted Java class and method.

Specified by:
assertMethodDisplayable in interface AccessControl
Parameters:
clazz - An actual Java class
method - An actual reflected Java method
Throws:
java.lang.SecurityException
See Also:
AccessControl.assertGeneralDisplayable(String, MethodDeclaration)

addRoleRestriction

public void addRoleRestriction(java.lang.String scriptName,
                               java.lang.String methodName,
                               java.lang.String role)
Description copied from interface: AccessControl
J2EE role based security allows us to restrict methods to only being used by people in certain roles.

Specified by:
addRoleRestriction in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
role - The new role name to add to the list for the given scriptName and methodName

addIncludeRule

public void addIncludeRule(java.lang.String scriptName,
                           java.lang.String methodName)
Description copied from interface: AccessControl
Add an include rule. Each creator can have either a list of inclusions or a list of exclusions but not both. If a creator has a list of inclusions then the default policy is to deny any method that is not specifically included. If the creator has a list of exclusions then the default policy is to allow any method not listed. If there are no included or excluded rules then the default policy is to allow all methods

Specified by:
addIncludeRule in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)

addExcludeRule

public void addExcludeRule(java.lang.String scriptName,
                           java.lang.String methodName)
Description copied from interface: AccessControl
Add an exclude rule.

Specified by:
addExcludeRule in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
See Also:
AccessControl.addIncludeRule(String, String)

setExposeInternals

public void setExposeInternals(boolean exposeInternals)
Parameters:
exposeInternals - the exposeInternals to set

Copyright 2008