Package com.vaadin.flow.server.auth

Class AccessAnnotationChecker

  • All Implemented Interfaces:
    Serializable
    public class AccessAnnotationChecker
extends Object
implements Serializable
    Checks if a given user has access to a given method.

    Check is performed as follows when called for a method:

    1. A security annotation (see below) is searched for on that particular method.
    2. If a security annotation was not found on the method, checks the class the method is declared in.
    3. If no security annotation was found, deny access by default

    The security annotations checked and their meaning are:

    • AnonymousAllowed - allows access to any logged on or not logged in user. Public access.
    • PermitAll - allows access to any logged in user but denies access to anonymous users.
    • RolesAllowed - allows access there is a logged in user that has any of the roles mentioned in the annotation
    • DenyAll - denies access.
    See Also:
    Serialized Form

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      AnnotatedElement getSecurityTarget​(Class<?> cls)
      Gets the class to check for security restrictions.
      AnnotatedElement getSecurityTarget​(Method method)
      Gets the method or class to check for security restrictions.
      boolean hasAccess​(Class<?> cls)
      Checks if the user defined by the current active servlet request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) has access to the given class.
      boolean hasAccess​(Class<?> cls, Principal principal, Function<String,​Boolean> roleChecker)
      Checks if the user defined by the given Principal and role checker has access to the given class.
      boolean hasAccess​(Class<?> cls, javax.servlet.http.HttpServletRequest request)
      Checks if the user defined by the request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) has access to the given class.
      boolean hasAccess​(Method method)
      Checks if the user defined by the current active servlet request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) has access to the given method.
      boolean hasAccess​(Method method, Principal principal, Function<String,​Boolean> roleChecker)
      Checks if the user defined by the given Principal and role checker has access to the given method.
      boolean hasAccess​(Method method, javax.servlet.http.HttpServletRequest request)
      Checks if the user defined by the request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) has access to the given method.

    • Constructor Detail

      • AccessAnnotationChecker

        public AccessAnnotationChecker()

    • Method Detail

      • hasAccess

        public boolean hasAccess​(Method method)
        Checks if the user defined by the current active servlet request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) has access to the given method.
        Parameters:
        method - the method to check access to
        Returns:
        true if the user has access to the given method, false otherwise

      • hasAccess

        public boolean hasAccess​(Class<?> cls)
        Checks if the user defined by the current active servlet request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) has access to the given class.
        Parameters:
        cls - the class to check access to
        Returns:
        true if the user has access to the given method, false otherwise

      • hasAccess

        public boolean hasAccess​(Method method,
                         javax.servlet.http.HttpServletRequest request)
        Checks if the user defined by the request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) has access to the given method.
        Parameters:
        method - the method to check access to
        request - the http request to use for user information
        Returns:
        true if the user has access to the given method, false otherwise

      • hasAccess

        public boolean hasAccess​(Class<?> cls,
                         javax.servlet.http.HttpServletRequest request)
        Checks if the user defined by the request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) has access to the given class.
        Parameters:
        cls - the class to check access to
        request - the http request to use for user information
        Returns:
        true if the user has access to the given method, false otherwise

      • hasAccess

        public boolean hasAccess​(Method method,
                         Principal principal,
                         Function<String,​Boolean> roleChecker)
        Checks if the user defined by the given Principal and role checker has access to the given method.
        Parameters:
        method - the method to check access to
        principal - the principal of the user
        roleChecker - a function that can answer if a user has a given role
        Returns:
        true if the user has access to the given method, false otherwise

      • hasAccess

        public boolean hasAccess​(Class<?> cls,
                         Principal principal,
                         Function<String,​Boolean> roleChecker)
        Checks if the user defined by the given Principal and role checker has access to the given class.
        Parameters:
        cls - the class to check access to
        principal - the principal of the user
        roleChecker - a function that can answer if a user has a given role
        Returns:
        true if the user has access to the given method, false otherwise

      • getSecurityTarget

        public AnnotatedElement getSecurityTarget​(Method method)
        Gets the method or class to check for security restrictions.
        Parameters:
        method - the method to look up
        Returns:
        the entity that is responsible for security settings for the method passed
        Throws:
        IllegalArgumentException - if the method is not public

      • getSecurityTarget

        public AnnotatedElement getSecurityTarget​(Class<?> cls)
        Gets the class to check for security restrictions.
        Parameters:
        cls - the class to check
        Returns:
        the first annotated class in cls's hierarchy that annotated with one of the access annotations, starting from the input cls class itself, going up in the hierarchy. Note: interfaces in the cls's hierarchy are ignored.

        If no class in the hierarchy was annotated with any of the access annotations, the cls input parameter itself would be returned.

        Access annotations that being checked are:

        • @AnonymousAllowed
        • @PermitAll
        • @RolesAllowed
        • @DenyAll
        Throws:
        NullPointerException - if the input cls is null