Package security

Class AbstractSecuredResourceScanner

java.lang.Object
security.AbstractSecuredResourceScanner
All Implemented Interfaces:
jakarta.servlet.ServletContextListener, EventListener
Direct Known Subclasses:
InMemorySecuredResourceScanner

public abstract class AbstractSecuredResourceScanner extends Object implements jakarta.servlet.ServletContextListener
Abstract base class for a ServletContextListener that scans CDI bean classes at deploy time and discovers secured resources.

Reads the CDI beans package name from the "cdiBeansPackage" context-param in web.xml:


 <context-param>
     <param-name>cdiBeansPackage</param-name>
     <param-value>com.myapp.cdibeans</param-value>
 </context-param>
 

Loads all classes from that package and scans them for @DynTab annotations with securedResource=true and for methods annotated with @AccessCheck. Every secured resource found is reported to the subclass through registerSecuredResource; every resource found not to be secured is reported through un_registerSecuredResource.

Two implementation strategies:

  1. Declarative (InMemory): Use InMemorySecuredResourceScanner, which stores the secured resources AND their allowed roles (from @DynTab.allowedRoles / @AccessCheck.allowedRoles) in memory. Paired with InMemoryAccessCheckInterceptor. This is the default approach provided by the DynTabs library: no configuration beyond the context-param above, and the access rules are declared directly in the annotations.
  2. DB-based: The developer creates a custom DBSecuredResourceScanner that writes only the secured resource identifiers to a database table (ignoring allowedRoles). Access rules are managed through an Admin UI in which an administrator grants roles permissions on resources. Paired with a custom DBAccessCheckInterceptor that reads the allowed roles from the database.
Author:
DynTabs
  • Field Details

    • log

      protected static final org.slf4j.Logger log
  • Constructor Details

    • AbstractSecuredResourceScanner

      public AbstractSecuredResourceScanner()
  • Method Details

    • contextInitialized

      public void contextInitialized(jakarta.servlet.ServletContextEvent event)
      Specified by:
      contextInitialized in interface jakarta.servlet.ServletContextListener
    • contextDestroyed

      public void contextDestroyed(jakarta.servlet.ServletContextEvent event)
      Specified by:
      contextDestroyed in interface jakarta.servlet.ServletContextListener
    • registerSecuredResource

      protected abstract void registerSecuredResource(Class<?> cls, String resource, String resourceDisplayName, String[] allowedRoles)
      Called when a secured resource is discovered (a @DynTab with securedResource=true, or a method annotated with @AccessCheck).

      InMemory implementations store both the resource and its allowedRoles in memory. DB implementations write the resource to a database table (typically ignoring allowedRoles, since roles are managed via the Admin UI). When allowedRoles is ignored, a newly discovered resource has no grants until an administrator adds them; the paired interceptor should deny access in that state rather than fall open.

      Parameters:
      cls - the class containing the secured resource
      resource - the resource identifier (uniqueIdentifier for tabs, fully qualified method name for methods)
      resourceDisplayName - human-readable name for admin UIs
      allowedRoles - roles declared in the annotation (may be empty; used by InMemory implementations, ignored by DB implementations)
    • un_registerSecuredResource

      protected abstract void un_registerSecuredResource(Class<?> cls, String resource, String resourceDisplayName)
      Called when a resource is found NOT to be secured (e.g., @DynTab with securedResource=false, or a method without @AccessCheck).

      Useful for cleanup — removing previously registered resources that have been un-secured in a redeployment.

      Parameters:
      cls - the class containing the resource
      resource - the resource identifier
      resourceDisplayName - human-readable name (may be null)
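
As an added example (not code from the DynTabs library), the following is a DB-based subclass of the kind the class description calls DBSecuredResourceScanner, implementing both abstract methods above. The JNDI name java:comp/env/jdbc/AppDS, the secured_resource table and its columns, the @WebListener registration and the fail-closed error handling are all assumptions; the library prescribes none of them. The inherited `log` field is the one listed under Field Details.

```java
// Added example, not DynTabs library code. JNDI name, table layout and SQL are assumptions.
package com.myapp.security;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.Instant;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.annotation.WebListener;

import security.AbstractSecuredResourceScanner;

@WebListener
public class DBSecuredResourceScanner extends AbstractSecuredResourceScanner {

    // Assumed table. Role grants live in a separate table keyed by `resource`
    // and are written by the Admin UI, never by this scanner.
    //   CREATE TABLE secured_resource (
    //     resource     VARCHAR(512) PRIMARY KEY,
    //     class_name   VARCHAR(512) NOT NULL,
    //     display_name VARCHAR(255),
    //     active       BOOLEAN      NOT NULL,
    //     last_seen    TIMESTAMP    NOT NULL
    //   );
    private static final String UPDATE_SQL =
        "UPDATE secured_resource SET class_name = ?, display_name = ?, active = TRUE, last_seen = ? WHERE resource = ?";
    private static final String INSERT_SQL =
        "INSERT INTO secured_resource (resource, class_name, display_name, active, last_seen) VALUES (?, ?, ?, TRUE, ?)";
    private static final String DEACTIVATE_SQL =
        "UPDATE secured_resource SET active = FALSE, last_seen = ? WHERE resource = ?";

    private DataSource dataSource;

    @Override
    public void contextInitialized(ServletContextEvent event) {
        try {
            // Assumed JNDI name. Resolve it before the base class runs the scan,
            // so the register/un_register callbacks below have a connection source.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDS");
        } catch (NamingException e) {
            // Fail the deployment rather than start with an empty resource registry.
            throw new IllegalStateException("secured-resource registry unavailable", e);
        }
        super.contextInitialized(event);
    }

    @Override
    protected void registerSecuredResource(Class<?> cls, String resource,
                                           String resourceDisplayName, String[] allowedRoles) {
        // allowedRoles is deliberately ignored: grants are managed in the Admin UI.
        // A freshly discovered resource therefore has no grants, and the paired
        // interceptor must treat "no grant row" as deny.
        Timestamp now = Timestamp.from(Instant.now());
        try (Connection c = dataSource.getConnection()) {
            // Portable upsert: try UPDATE first, INSERT only if the row did not exist.
            try (PreparedStatement ps = c.prepareStatement(UPDATE_SQL)) {
                ps.setString(1, cls.getName());
                ps.setString(2, resourceDisplayName);
                ps.setTimestamp(3, now);
                ps.setString(4, resource);
                if (ps.executeUpdate() > 0) {
                    return;
                }
            }
            try (PreparedStatement ps = c.prepareStatement(INSERT_SQL)) {
                ps.setString(1, resource);
                ps.setString(2, cls.getName());
                ps.setString(3, resourceDisplayName);
                ps.setTimestamp(4, now);
                ps.executeUpdate();
            }
            log.info("registered secured resource {} ({})", resource, cls.getName());
        } catch (SQLException e) {
            throw new IllegalStateException("could not register secured resource " + resource, e);
        }
    }

    @Override
    protected void un_registerSecuredResource(Class<?> cls, String resource, String resourceDisplayName) {
        // Deactivate instead of DELETE so an administrator's grants survive if the
        // resource is secured again in a later deployment.
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(DEACTIVATE_SQL)) {
            ps.setTimestamp(1, Timestamp.from(Instant.now()));
            ps.setString(2, resource);
            if (ps.executeUpdate() > 0) {
                log.info("deactivated secured resource {}", resource);
            }
        } catch (SQLException e) {
            throw new IllegalStateException("could not deactivate secured resource " + resource, e);
        }
    }
}
```

Register the listener either with @WebListener as shown or with a <listener> entry in web.xml, not both, or the scan runs twice. The paired DBAccessCheckInterceptor should deny when a resource has no active row or no grants; that also covers the case where cdiBeansPackage points at the wrong package and the scan discovers nothing.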