java.lang.Object
org.directwebremoting.impl.DefaultAccessControl
public class DefaultAccessControl
Control who should be accessing which methods on which classes.
Field Summary | | |
---|---|---|
protected boolean | exposeInternals | Do we allow DWR classes to be remoted? |
protected static java.lang.String | PACKAGE_DWR_DENY | My package name, so we can ban DWR classes from being created or marshalled |
protected java.util.Map | policyMap | A map of Creators to policies |
protected java.util.Map | roleRestrictMap | What role based restrictions are there? |
Constructor Summary |
---|
DefaultAccessControl() |
Method Summary | | |
---|---|---|
void | addExcludeRule(java.lang.String scriptName, java.lang.String methodName) | Add an exclude rule. |
void | addIncludeRule(java.lang.String scriptName, java.lang.String methodName) | Add an include rule. |
void | addRoleRestriction(java.lang.String scriptName, java.lang.String methodName, java.lang.String role) | J2EE role based security allows us to restrict methods to only being used by people in certain roles. |
protected void | assertAllowedByRoles(HttpServletRequest req, java.util.Set roles) | Is this current user in the given list of roles? |
protected void | assertAreParametersDwrInternal(java.lang.reflect.Method method) | Check the parameters are not DWR internal either |
protected void | assertAuthenticationIsValid(HttpServletRequest req) | Check the user's session for validity |
void | assertExecutionIsPossible(Creator creator, java.lang.String className, java.lang.reflect.Method method) | Check the method for accessibility at runtime, and return an error message if anything is wrong. |
protected void | assertIsClassDwrInternal(Creator creator) | Is the class that we are executing a method on part of DWR? |
void | assertIsDisplayable(Creator creator, java.lang.String className, java.lang.reflect.Method method) | Check the method for accessibility at 'compile-time' (i.e. |
protected void | assertIsExecutable(java.lang.String scriptName, java.lang.String methodName) | Test to see if a method is excluded or included. |
protected void | assertIsMethodPublic(java.lang.reflect.Method method) | Is the method public? |
protected void | assertIsNotOnBaseObject(java.lang.reflect.Method method) | We ban some methods from Object |
protected void | assertIsRestrictedByRole(java.lang.String scriptName, java.lang.reflect.Method method) | |
protected org.directwebremoting.impl.DefaultAccessControl.Policy | getPolicy(java.lang.String type) | Find the policy for the given type and create one if none exists. |
protected java.util.Set | getRoleRestrictions(java.lang.String scriptName, java.lang.String methodName) | |
void | setExposeInternals(boolean exposeInternals) | |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected boolean exposeInternals
PACKAGE_DWR_DENY
protected java.util.Map policyMap
protected java.util.Map roleRestrictMap
protected static final java.lang.String PACKAGE_DWR_DENY
Constructor Detail |
---|
public DefaultAccessControl()
Method Detail |
---|
public void assertExecutionIsPossible(Creator creator, java.lang.String className, java.lang.reflect.Method method) throws java.lang.SecurityException
AccessControl
See notes on getReasonToNotDisplay(). This method should duplicate the tests made by that method.
This is not great because it mixes 2 bits of information in the same variable (is it wrong, and what is wrong), but without multi-value returns in Java this seems like the simplest implementation.
Specified by: assertExecutionIsPossible in interface AccessControl
Parameters:
creator - Where does the method come from?
className - The Javascript name of the class
method - What is the method to execute?
Throws:
java.lang.SecurityException - If the given method is disallowed
See Also: AccessControl.assertIsDisplayable(Creator, String, Method)
public void assertIsDisplayable(Creator creator, java.lang.String className, java.lang.reflect.Method method) throws java.lang.SecurityException
AccessControl
This method is similar to getReasonToNotExecute() except that there may be checks (like security checks) that we wish to make only at runtime in case the situation changes between 'compile-time' and runtime.
This is not great because it mixes 2 bits of information in the same variable (is it wrong, and what is wrong), but without multi-value returns in Java this seems like the simplest implementation.
Specified by: assertIsDisplayable in interface AccessControl
Parameters:
creator - Where does the method come from?
className - The Javascript name of the class
method - What is the method to execute?
Throws:
java.lang.SecurityException - If the given method is disallowed
See Also: AccessControl.assertExecutionIsPossible(Creator, String, Method)
public void addRoleRestriction(java.lang.String scriptName, java.lang.String methodName, java.lang.String role)
AccessControl
Specified by: addRoleRestriction in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
role - The new role name to add to the list for the given scriptName and methodName

public void addIncludeRule(java.lang.String scriptName, java.lang.String methodName)
AccessControl
Specified by: addIncludeRule in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)

public void addExcludeRule(java.lang.String scriptName, java.lang.String methodName)
AccessControl
Specified by: addExcludeRule in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
See Also: AccessControl.addIncludeRule(String, String)

protected void assertIsRestrictedByRole(java.lang.String scriptName, java.lang.reflect.Method method)
Parameters:
scriptName - The name of the creator to Javascript
method - The method to execute

protected java.util.Set getRoleRestrictions(java.lang.String scriptName, java.lang.String methodName)
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
protected void assertAuthenticationIsValid(HttpServletRequest req) throws java.lang.SecurityException
Parameters:
req - The user's request
Throws:
java.lang.SecurityException - if the user's session is invalid

protected void assertAllowedByRoles(HttpServletRequest req, java.util.Set roles) throws java.lang.SecurityException
Parameters:
req - The user's request
roles - The list of roles to check
Throws:
java.lang.SecurityException - if this user is not allowed by the list of roles

protected void assertIsMethodPublic(java.lang.reflect.Method method)
Parameters:
method - The method that we wish to execute

protected void assertIsNotOnBaseObject(java.lang.reflect.Method method)
Object
Parameters:
method - The method that should not be owned by Object
protected void assertIsExecutable(java.lang.String scriptName, java.lang.String methodName) throws java.lang.SecurityException
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
Throws:
java.lang.SecurityException - if the method is allowed by the rules in addIncludeRule()
See Also: AccessControl.addIncludeRule(String, String)

protected void assertAreParametersDwrInternal(java.lang.reflect.Method method)
Parameters:
method - The method that we want to execute

protected void assertIsClassDwrInternal(Creator creator)
Parameters:
creator - The Creator that exposes the class

protected org.directwebremoting.impl.DefaultAccessControl.Policy getPolicy(java.lang.String type)
Parameters:
type - The name of the creator

public void setExposeInternals(boolean exposeInternals)
Parameters:
exposeInternals - the exposeInternals to set