Package security

Class InMemoryAccessCheckInterceptor

java.lang.Object
security.AbstractAccessCheckInterceptor
security.InMemoryAccessCheckInterceptor
All Implemented Interfaces:
Serializable
@Interceptor public class InMemoryAccessCheckInterceptor extends AbstractAccessCheckInterceptor
In-memory implementation of AbstractAccessCheckInterceptor.

This is the declarative (InMemory) approach to access control — the default provided by the DynTabs library. Must be paired with InMemorySecuredResourceScanner.

How access rules are resolved:

  1. First, checks roles declared in annotations (@DynTab(allowedRoles=...) or @AccessCheck(allowedRoles=...)), which are stored by InMemorySecuredResourceScanner at deploy time.
  2. Then, checks roles added programmatically via grantAccess(String, String...) (useful for adding rules at runtime without redeployment).
  3. If a resource is secured but has no allowed roles from either source, access is allowed (there is no point in having a dead resource).

Declarative access (primary — recommended):


 @DynTab(name = "AllDocsDynTab", uniqueIdentifier = "AllDocs",
         securedResource = true, allowedRoles = {"ADMIN", "MANAGER"}, ...)

Programmatic access (supplementary):


 // In your application startup (e.g., ServletContextListener)
 InMemoryAccessCheckInterceptor.grantAccess("AllDocs", "AUDITOR");

Alternative: For applications needing dynamic, admin-managed access rules, the developer creates a custom DBAccessCheckInterceptor (extending AbstractAccessCheckInterceptor) paired with a custom DBSecuredResourceScanner. In this approach, the allowedRoles annotation attribute is ignored — roles are managed through an Admin UI and stored in the database.

Registration in beans.xml:


 <interceptors>
     <class>security.InMemoryAccessCheckInterceptor</class>
 </interceptors>
Author:
DynTabs
See Also:

  • Constructor Details

    • InMemoryAccessCheckInterceptor

      public InMemoryAccessCheckInterceptor()

  • Method Details

    • grantAccess

      public static void grantAccess(String resource, String... roles)
      Grants access to a resource for the specified roles.

      Can be called multiple times for the same resource — roles are accumulated.

      Parameters:
      resource - the resource identifier (@DynTab.uniqueIdentifier or fully qualified method name)
      roles - one or more role names that should have access

    • revokeAccess

      public static void revokeAccess(String resource)
      Revokes all access rules for a resource.
      Parameters:
      resource - the resource identifier

    • getAllowedRoles

      public static Set<String> getAllowedRoles(String resource)
      Returns the roles that have access to a resource.
      Parameters:
      resource - the resource identifier
      Returns:
      unmodifiable set of role names, or empty set if no rules defined

    • clearAllRules

      public static void clearAllRules()
      Clears all access rules. Useful for testing.

    • isResourceSecured

      protected boolean isResourceSecured(String resource)
      Description copied from class: AbstractAccessCheckInterceptor
      Checks whether the given resource is secured (requires access control).

      If this returns false, access is allowed without any role check.

      Specified by:
      isResourceSecured in class AbstractAccessCheckInterceptor
      Parameters:
      resource - the resource identifier (uniqueIdentifier for tabs, or fully qualified method name)
      Returns:
      true if the resource is secured and requires permission check

    • hasPermission

      protected boolean hasPermission(String resource, Set<String> userRoles)
      Description copied from class: AbstractAccessCheckInterceptor
      Checks whether the given user roles grant access to the specified resource.

      Called only if AbstractAccessCheckInterceptor.isResourceSecured(String) returned true.

      Specified by:
      hasPermission in class AbstractAccessCheckInterceptor
      Parameters:
      resource - the resource identifier
      userRoles - the current user's roles
      Returns:
      true if access should be granted