org.directwebremoting.impl
Class DefaultAccessControl

java.lang.Object
  extended by org.directwebremoting.impl.DefaultAccessControl
All Implemented Interfaces:
AccessControl

public class DefaultAccessControl
extends java.lang.Object
implements AccessControl

Control who should be accessing which methods on which classes.

Author:
Joe Walker [joe at getahead dot ltd dot uk]

Field Summary
protected  boolean exposeInternals
          Do we allow DWR classes to be remoted?
protected static java.lang.String PACKAGE_DWR_DENY
          My package name, so we can ban DWR classes from being created or marshalled
protected  java.util.Map policyMap
          A map of Creators to policies
protected  java.util.Map roleRestrictMap
          What role based restrictions are there?
 
Constructor Summary
DefaultAccessControl()
           
 
Method Summary
 void addExcludeRule(java.lang.String scriptName, java.lang.String methodName)
          Add an exclude rule.
 void addIncludeRule(java.lang.String scriptName, java.lang.String methodName)
          Add an include rule.
 void addRoleRestriction(java.lang.String scriptName, java.lang.String methodName, java.lang.String role)
          J2EE role based security allows us to restrict methods to only being used by people in certain roles.
protected  void assertAllowedByRoles(HttpServletRequest req, java.util.Set roles)
          Is this current user in the given list of roles?
protected  void assertAreParametersDwrInternal(java.lang.reflect.Method method)
          Check the parameters are not DWR internal either
protected  void assertAuthenticationIsValid(HttpServletRequest req)
          Check the user's session for validity
 void assertExecutionIsPossible(Creator creator, java.lang.String className, java.lang.reflect.Method method)
          Check the method for accessibility at runtime, and return an error message if anything is wrong.
protected  void assertIsClassDwrInternal(Creator creator)
          Is the class that we are executing a method on part of DWR?
 void assertIsDisplayable(Creator creator, java.lang.String className, java.lang.reflect.Method method)
          Check the method for accessibility at 'compile-time' (i.e.
protected  void assertIsExecutable(java.lang.String scriptName, java.lang.String methodName)
          Test to see if a method is excluded or included.
protected  void assertIsMethodPublic(java.lang.reflect.Method method)
          Is the method public?
protected  void assertIsNotOnBaseObject(java.lang.reflect.Method method)
          We ban some methods from Object
protected  void assertIsRestrictedByRole(java.lang.String scriptName, java.lang.reflect.Method method)
           
protected  org.directwebremoting.impl.DefaultAccessControl.Policy getPolicy(java.lang.String type)
          Find the policy for the given type and create one if none exists.
protected  java.util.Set getRoleRestrictions(java.lang.String scriptName, java.lang.String methodName)
           
 void setExposeInternals(boolean exposeInternals)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

exposeInternals

protected boolean exposeInternals
Do we allow DWR classes to be remoted?

See Also:
PACKAGE_DWR_DENY

policyMap

protected java.util.Map policyMap
A map of Creators to policies


roleRestrictMap

protected java.util.Map roleRestrictMap
What role based restrictions are there?


PACKAGE_DWR_DENY

protected static final java.lang.String PACKAGE_DWR_DENY
My package name, so we can ban DWR classes from being created or marshalled

See Also:
Constant Field Values

Constructor Detail

DefaultAccessControl

public DefaultAccessControl()

Method Detail

assertExecutionIsPossible

public void assertExecutionIsPossible(Creator creator,
                                      java.lang.String className,
                                      java.lang.reflect.Method method)
                               throws java.lang.SecurityException
Description copied from interface: AccessControl
Check the method for accessibility at runtime, and return an error message if anything is wrong. If nothing is wrong, return null.

See notes on getReasonToNotDisplay(). This method should duplicate the tests made by that method.

This is not great because it mixes two pieces of information in the same variable (whether something is wrong, and what is wrong), but without multi-value returns in Java this seems like the simplest implementation.

Specified by:
assertExecutionIsPossible in interface AccessControl
Parameters:
creator - Where does the method come from?
className - The Javascript name of the class
method - What is the method to execute?
Throws:
java.lang.SecurityException - If the given method is disallowed
See Also:
AccessControl.assertIsDisplayable(Creator, String, Method)

assertIsDisplayable

public void assertIsDisplayable(Creator creator,
                                java.lang.String className,
                                java.lang.reflect.Method method)
                         throws java.lang.SecurityException
Description copied from interface: AccessControl
Check the method for accessibility at 'compile-time' (i.e. when the app is downloaded), and return an error message if anything is wrong. If nothing is wrong, return null.

This method is similar to getReasonToNotExecute() except that there may be checks (like security checks) that we wish to make only at runtime in case the situation changes between 'compile-time' and runtime.

This is not great because it mixes two pieces of information in the same variable (whether something is wrong, and what is wrong), but without multi-value returns in Java this seems like the simplest implementation.

Specified by:
assertIsDisplayable in interface AccessControl
Parameters:
creator - Where does the method come from?
className - The Javascript name of the class
method - What is the method to execute?
Throws:
java.lang.SecurityException - If the given method is disallowed
See Also:
AccessControl.assertExecutionIsPossible(Creator, String, Method)

addRoleRestriction

public void addRoleRestriction(java.lang.String scriptName,
                               java.lang.String methodName,
                               java.lang.String role)
Description copied from interface: AccessControl
J2EE role based security allows us to restrict methods to only being used by people in certain roles.

Specified by:
addRoleRestriction in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
role - The new role name to add to the list for the given scriptName and methodName

addIncludeRule

public void addIncludeRule(java.lang.String scriptName,
                           java.lang.String methodName)
Description copied from interface: AccessControl
Add an include rule. Each creator can have either a list of inclusions or a list of exclusions, but not both. If a creator has a list of inclusions, then the default policy is to deny any method that is not specifically included. If the creator has a list of exclusions, then the default policy is to allow any method not listed. If there are no include or exclude rules, then the default policy is to allow all methods.

Specified by:
addIncludeRule in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)

addExcludeRule

public void addExcludeRule(java.lang.String scriptName,
                           java.lang.String methodName)
Description copied from interface: AccessControl
Add an exclude rule.

Specified by:
addExcludeRule in interface AccessControl
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
See Also:
AccessControl.addIncludeRule(String, String)
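
The include/exclude semantics described under addIncludeRule and addExcludeRule, as an added stand-alone example (not DWR source code). The class IncludeExcludePolicyDemo, its isExecutable helper, the creator and method names, and the choice to reject mixed rule kinds with IllegalArgumentException are assumptions of this sketch.

```java
import java.util.*;

// Added illustration: a stand-alone model of the include/exclude semantics
// described for addIncludeRule(). It is not DWR's source code.
public class IncludeExcludePolicyDemo {
    // Hypothetical per-creator policy: a default plus the listed method names.
    static final class Policy {
        boolean defaultAllow = true;          // no rules yet: allow everything
        final Set<String> rules = new HashSet<>();
    }

    private final Map<String, Policy> policyMap = new HashMap<>();

    // Find the policy for a creator, creating an empty one if none exists.
    private Policy getPolicy(String scriptName) {
        return policyMap.computeIfAbsent(scriptName, k -> new Policy());
    }

    void addIncludeRule(String scriptName, String methodName) {
        Policy p = getPolicy(scriptName);
        // Assumption of this sketch: mixing rule kinds is rejected outright.
        if (p.defaultAllow && !p.rules.isEmpty())
            throw new IllegalArgumentException(scriptName + " already has exclude rules");
        p.defaultAllow = false;               // include list => default deny
        p.rules.add(methodName);
    }

    void addExcludeRule(String scriptName, String methodName) {
        Policy p = getPolicy(scriptName);
        if (!p.defaultAllow)
            throw new IllegalArgumentException(scriptName + " already has include rules");
        p.rules.add(methodName);              // exclude list => default allow
    }

    boolean isExecutable(String scriptName, String methodName) {
        Policy p = getPolicy(scriptName);
        boolean listed = p.rules.contains(methodName);
        return p.defaultAllow ? !listed : listed;
    }

    public static void main(String[] args) {
        IncludeExcludePolicyDemo ac = new IncludeExcludePolicyDemo();
        ac.addIncludeRule("Accounts", "getBalance");   // constructed allow-list creator
        ac.addExcludeRule("Reports", "purgeAll");      // constructed deny-list creator
        System.out.println(ac.isExecutable("Accounts", "getBalance")); // included
        System.out.println(ac.isExecutable("Accounts", "transfer"));   // not included
        System.out.println(ac.isExecutable("Reports", "summary"));     // not excluded
        System.out.println(ac.isExecutable("Reports", "purgeAll"));    // excluded
        System.out.println(ac.isExecutable("Legacy", "anything"));     // creator with no rules
    }
}
```

Under these rules, a method newly added to a creator with an include list stays denied until it is listed, whereas on a creator with an exclude list or no rules at all it is allowed as soon as it exists.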

assertIsRestrictedByRole

protected void assertIsRestrictedByRole(java.lang.String scriptName,
                                        java.lang.reflect.Method method)
Parameters:
scriptName - The name of the creator to Javascript
method - The method to execute

getRoleRestrictions

protected java.util.Set getRoleRestrictions(java.lang.String scriptName,
                                            java.lang.String methodName)
Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
Returns:
A Set of all the roles for the given script and method

assertAuthenticationIsValid

protected void assertAuthenticationIsValid(HttpServletRequest req)
                                    throws java.lang.SecurityException
Check the user's session for validity

Parameters:
req - The user's request
Throws:
java.lang.SecurityException - if the user's session is invalid

assertAllowedByRoles

protected void assertAllowedByRoles(HttpServletRequest req,
                                    java.util.Set roles)
                             throws java.lang.SecurityException
Is this current user in the given list of roles?

Parameters:
req - The user's request
roles - The list of roles to check
Throws:
java.lang.SecurityException - if this user is not allowed by the list of roles

assertIsMethodPublic

protected void assertIsMethodPublic(java.lang.reflect.Method method)
Is the method public?

Parameters:
method - The method that we wish to execute

assertIsNotOnBaseObject

protected void assertIsNotOnBaseObject(java.lang.reflect.Method method)
We ban some methods from Object

Parameters:
method - The method that should not be owned by Object

assertIsExecutable

protected void assertIsExecutable(java.lang.String scriptName,
                                  java.lang.String methodName)
                           throws java.lang.SecurityException
Test to see if a method is excluded or included.

Parameters:
scriptName - The name of the creator to Javascript
methodName - The name of the method (without brackets)
Throws:
java.lang.SecurityException - if the method is allowed by the rules in addIncludeRule()
See Also:
AccessControl.addIncludeRule(String, String)

assertAreParametersDwrInternal

protected void assertAreParametersDwrInternal(java.lang.reflect.Method method)
Check the parameters are not DWR internal either

Parameters:
method - The method that we want to execute

assertIsClassDwrInternal

protected void assertIsClassDwrInternal(Creator creator)
Is the class that we are executing a method on part of DWR?

Parameters:
creator - The Creator that exposes the class

getPolicy

protected org.directwebremoting.impl.DefaultAccessControl.Policy getPolicy(java.lang.String type)
Find the policy for the given type and create one if none exists.

Parameters:
type - The name of the creator
Returns:
The policy for the given Creator

setExposeInternals

public void setExposeInternals(boolean exposeInternals)
Parameters:
exposeInternals - the exposeInternals to set