You're viewing an older version of Vaadin JavaDoc. Please see version 24.7.0 for the latest.
Package com.vaadin.flow.server.auth

Class AccessAnnotationChecker

  • All Implemented Interfaces:

    Serializable

    public class AccessAnnotationChecker
    extends Object
    implements Serializable

    Checks if a given user has access to a given method.

    Check is performed as follows when called for a method:

    1. A security annotation (see below) is searched for on that particular method.
    2. If no security annotation was found on the method, the class the method is declared in is checked.
    3. If no security annotation was found on either, access is denied by default.

    The security annotations checked and their meaning are:

    • AnonymousAllowed - allows access to any user, whether logged in or not (public access).
    • PermitAll - allows access to any logged-in user but denies access to anonymous users.
    • RolesAllowed - allows access only if there is a logged-in user who has at least one of the roles listed in the annotation.
    • DenyAll - denies access to everyone.
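    The lookup order above (method annotation first, then the declaring class, then deny) is easiest to see with a small annotated class. The following is an added example written for this page, not code from Vaadin itself; the endpoint classes, the user names and the role sets are constructed for the demonstration. It uses the hasAccess(Method, Principal, Function) overload documented below so that no servlet request is needed, and it assumes, as HttpServletRequest.getUserPrincipal() does, that an anonymous user is represented by a null Principal.

```java
import com.vaadin.flow.server.auth.AccessAnnotationChecker;
import com.vaadin.flow.server.auth.AnonymousAllowed;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Set;
import java.util.function.Function;

public class AccessCheckDemo {

    // Hypothetical endpoint constructed for this example: admin-only unless a method says otherwise.
    @RolesAllowed("admin")
    public static class AdminEndpoint {
        // No method-level annotation: the class-level @RolesAllowed("admin") applies.
        public String deleteUser() { return "deleted"; }

        // A method-level annotation is found first and wins over the class-level one.
        @AnonymousAllowed
        public String version() { return "1.0"; }

        // Any logged-in user, whatever their roles.
        @PermitAll
        public String profile() { return "profile"; }

        // Nobody, not even an admin.
        @DenyAll
        public String legacy() { return "disabled"; }
    }

    // Hypothetical endpoint with no annotation on the class or its method: denied by default.
    public static class UnannotatedEndpoint {
        public String info() { return "info"; }
    }

    /**
     * Runs the check for one public method on behalf of one user.
     * user == null models an anonymous (not logged in) caller; roles is the
     * set of roles the role checker will confirm for that user.
     */
    static boolean allowed(Class<?> cls, String methodName, String user, Set<String> roles)
            throws NoSuchMethodException {
        Method method = cls.getMethod(methodName);
        Principal principal = user == null ? null : () -> user;
        // The checker never interprets role names itself; it only asks this function.
        Function<String, Boolean> roleChecker = roles::contains;
        return new AccessAnnotationChecker().hasAccess(method, principal, roleChecker);
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Set<String> noRoles = Set.of();
        Set<String> adminRoles = Set.of("admin");
        Set<String> userRoles = Set.of("user");

        System.out.println("anonymous    -> version:    " + allowed(AdminEndpoint.class, "version", null, noRoles));
        System.out.println("anonymous    -> deleteUser: " + allowed(AdminEndpoint.class, "deleteUser", null, noRoles));
        System.out.println("bob (user)   -> deleteUser: " + allowed(AdminEndpoint.class, "deleteUser", "bob", userRoles));
        System.out.println("alice (admin)-> deleteUser: " + allowed(AdminEndpoint.class, "deleteUser", "alice", adminRoles));
        System.out.println("bob (user)   -> profile:    " + allowed(AdminEndpoint.class, "profile", "bob", userRoles));
        System.out.println("alice (admin)-> legacy:     " + allowed(AdminEndpoint.class, "legacy", "alice", adminRoles));
        System.out.println("alice (admin)-> info:       " + allowed(UnannotatedEndpoint.class, "info", "alice", adminRoles));
    }
}
```

    According to the rules stated above, version() is granted even to the anonymous caller because its own @AnonymousAllowed is found before the class-level annotation; deleteUser() falls through to the class-level @RolesAllowed("admin") and is granted only to alice; profile() is granted to any logged-in user, so bob passes; legacy() is refused for everyone; and info() on the unannotated class is refused even for the admin, because the absence of any annotation means deny. Two practical consequences for reviewers: forgetting to annotate a new endpoint fails closed rather than open, and the role strings in @RolesAllowed are only as meaningful as the roleChecker (or HttpServletRequest.isUserInRole) that resolves them.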

    See Also:

    Serialized Form

    • Method Summary

      All Methods
      Modifier and Type Method Description
      AnnotatedElement getSecurityTarget(Class<?> cls)

      Gets the class to check for security restrictions.

      AnnotatedElement getSecurityTarget(Method method)

      Gets the method or class to check for security restrictions.

      boolean hasAccess(Class<?> cls)

      Checks if the user defined by the current active servlet request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String)) has access to the given class.

      boolean hasAccess(Class<?> cls, Principal principal, Function<String,Boolean> roleChecker)

      Checks if the user defined by the given Principal and role checker has access to the given class.

      boolean hasAccess(Class<?> cls, javax.servlet.http.HttpServletRequest request)

      Checks if the user defined by the request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String)) has access to the given class.

      boolean hasAccess(Method method)

      Checks if the user defined by the current active servlet request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String)) has access to the given method.

      boolean hasAccess(Method method, Principal principal, Function<String,Boolean> roleChecker)

      Checks if the user defined by the given Principal and role checker has access to the given method.

      boolean hasAccess(Method method, javax.servlet.http.HttpServletRequest request)

      Checks if the user defined by the request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String)) has access to the given method.

    • Constructor Detail

      • AccessAnnotationChecker

        public AccessAnnotationChecker()
    • Method Detail

      • hasAccess

        public boolean hasAccess(Method method)

        Checks if the user defined by the current active servlet request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String)) has access to the given method.

        Parameters:

        method - the method to check access to

        Returns:

        true if the user has access to the given method, false otherwise

      • hasAccess

        public boolean hasAccess(Class<?> cls)

        Checks if the user defined by the current active servlet request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String)) has access to the given class.

        Parameters:

        cls - the class to check access to

        Returns:

        true if the user has access to the given class, false otherwise

      • hasAccess

        public boolean hasAccess(Method method,
                                 javax.servlet.http.HttpServletRequest request)

        Checks if the user defined by the request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String)) has access to the given method.

        Parameters:

        method - the method to check access to

        request - the http request to use for user information

        Returns:

        true if the user has access to the given method, false otherwise

      • hasAccess

        public boolean hasAccess(Class<?> cls,
                                 javax.servlet.http.HttpServletRequest request)

        Checks if the user defined by the request (using HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String)) has access to the given class.

        Parameters:

        cls - the class to check access to

        request - the http request to use for user information

        Returns:

        true if the user has access to the given class, false otherwise

      • hasAccess

        public boolean hasAccess(Method method,
                                 Principal principal,
                                 Function<String,Boolean> roleChecker)

        Checks if the user defined by the given Principal and role checker has access to the given method.

        Parameters:

        method - the method to check access to

        principal - the principal of the user

        roleChecker - a function that can answer if a user has a given role

        Returns:

        true if the user has access to the given method, false otherwise

      • hasAccess

        public boolean hasAccess(Class<?> cls,
                                 Principal principal,
                                 Function<String,Boolean> roleChecker)

        Checks if the user defined by the given Principal and role checker has access to the given class.

        Parameters:

        cls - the class to check access to

        principal - the principal of the user

        roleChecker - a function that can answer if a user has a given role

        Returns:

        true if the user has access to the given class, false otherwise

      • getSecurityTarget

        public AnnotatedElement getSecurityTarget(Method method)

        Gets the method or class to check for security restrictions.

        Parameters:

        method - the method to look up

        Returns:

        the entity that is responsible for security settings for the method passed

        Throws:

        IllegalArgumentException - if the method is not public

      • getSecurityTarget

        public AnnotatedElement getSecurityTarget(Class<?> cls)

        Gets the class to check for security restrictions.

        Parameters:

        cls - the class to check

        Returns:

        the first class in the hierarchy of cls that is annotated with one of the access annotations, starting from cls itself and going up through its superclasses. Note: interfaces in the hierarchy of cls are ignored.

        If no class in the hierarchy is annotated with any of the access annotations, the cls input parameter itself is returned.

        The access annotations checked are:

        • @AnonymousAllowed
        • @PermitAll
        • @RolesAllowed
        • @DenyAll

        Throws:

        NullPointerException - if the input cls is null
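        The hierarchy walk described for getSecurityTarget(Class) has one consequence worth checking in a review: an access annotation placed on an interface is never consulted, so it neither grants nor restricts anything. The following added example, written for this page and not taken from Vaadin, shows which element the checker resolves to for a subclass, for an unannotated class, and for a non-public method. The view classes and the interface are constructed for the demonstration.

```java
import com.vaadin.flow.server.auth.AccessAnnotationChecker;
import com.vaadin.flow.server.auth.AnonymousAllowed;

import javax.annotation.security.RolesAllowed;
import java.lang.reflect.AnnotatedElement;

public class SecurityTargetDemo {

    // Hypothetical interface: its @AnonymousAllowed is ignored because interfaces are skipped.
    @AnonymousAllowed
    public interface PublicApi { }

    // Hypothetical base class carrying the restriction that actually applies.
    @RolesAllowed("admin")
    public static class BaseAdminView { }

    // No annotation of its own; inherits nothing from the interface, but the superclass is found.
    public static class ReportView extends BaseAdminView implements PublicApi {
        public String render() { return "report"; }
    }

    // Nothing annotated anywhere in the hierarchy.
    public static class PlainView {
        public String show() { return "plain"; }

        // Not public: getSecurityTarget(Method) rejects it outright.
        String helper() { return "internal"; }
    }

    public static void main(String[] args) throws NoSuchMethodException {
        AccessAnnotationChecker checker = new AccessAnnotationChecker();

        // Resolves to BaseAdminView.class: the superclass annotation is found, the interface is skipped.
        AnnotatedElement reportTarget = checker.getSecurityTarget(ReportView.class);
        System.out.println("ReportView -> " + reportTarget);

        // Resolves to PlainView.class itself: no annotated class in the hierarchy.
        AnnotatedElement plainTarget = checker.getSecurityTarget(PlainView.class);
        System.out.println("PlainView  -> " + plainTarget);

        // Methods are only resolved when public; otherwise IllegalArgumentException is thrown.
        try {
            checker.getSecurityTarget(PlainView.class.getDeclaredMethod("helper"));
            System.out.println("helper() accepted (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("helper() rejected: " + e.getMessage());
        }
    }
}
```

        Because the target for PlainView is the unannotated class itself, any hasAccess call on it ends in the deny-by-default branch of the class description. The interface case is the one to watch for: marking PublicApi with @AnonymousAllowed does not open ReportView, and, conversely, putting @RolesAllowed or @DenyAll on an interface does not protect its implementations; the annotation has to sit on the class or the method.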