Guards
Guards are classes that control access to REST classes and methods.
Guards are associated with resource classes and methods via the following:
- {@link oajr.annotation.Rest#guards() Rest(guards)}
- {@link oajr.annotation.RestMethod#guards() RestMethod(guards)}
- {@link oajr.RestContextBuilder#guards(Class...)}
// Define a guard that only lets Billy make a request.
public class BillyGuard extends RestGuard {
	@Override /* RestGuard */
	public boolean isRequestAllowed(RestRequest req) {
		// Fail closed: an unauthenticated request has no principal, and dereferencing
		// it would turn the denial into an NPE (HTTP 500) instead of a 401.
		Principal p = req.getUserPrincipal();
		return p != null && "Billy".equals(p.getName());
	}
}
// Servlet with class-level guard applied
@Rest(guards=BillyGuard.class)
public class MyRestServlet extends BasicRestServlet {
	// Delete method that only Billy is allowed to call.
	@RestMethod(name="DELETE")
	public void doDelete(RestRequest req, RestResponse res) throws Exception {...}
}
A common use for guards is to restrict certain Java methods to administrators:
// DELETE method, guarded at the method level
@RestMethod(name=DELETE, guards={AdminGuard.class})
public void doDelete(RestRequest req, RestResponse res) throws Exception {...}
public class AdminGuard extends RestGuard {
	@Override /* RestGuard */
	public boolean isRequestAllowed(RestRequest req) {
		// Role membership is asked of the request (HttpServletRequest.isUserInRole),
		// not of the Principal, which has no such method.
		return req.isUserInRole("ADMIN");
	}
}
By default, a guard failure results in an HTTP 401 Unauthorized response. This can be changed by overriding
{@link oajr.RestGuard#guard(RestRequest,RestResponse)} and processing the response yourself:
public class AdminGuard extends RestGuard {
	@Override /* RestGuard */
	public boolean guard(RestRequest req, RestResponse res) throws RestException {
		// Same role check as isRequestAllowed(), but report the denial as 403 Forbidden
		// instead of the default 401 Unauthorized.
		if (! req.isUserInRole("ADMIN"))
			throw new RestException(SC_FORBIDDEN, "Access denied!!!");
		return true;
	}
}
When guards are associated at the class level, it is equivalent to associating those guards with every Java method on the servlet.
If multiple guards are present, ALL guards must pass.
- {@link oajr.RestContext#REST_guards}
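The following is an added example (not part of the Juneau documentation) that combines the points above: a class-level guard that fails closed when no principal is present, a method-level guard that overrides guard() to answer 403 for an authenticated caller lacking the role, and a servlet whose DELETE method must pass both. The WidgetServlet, AuthenticatedGuard and the logger are hypothetical names; it assumes Juneau's org.apache.juneau.rest package layout, with HttpMethodName string constants statically imported.

```java
import static javax.servlet.http.HttpServletResponse.*;
import static org.apache.juneau.http.HttpMethodName.*;

import java.security.Principal;
import java.util.logging.Logger;
import org.apache.juneau.rest.*;
import org.apache.juneau.rest.annotation.*;

// Hypothetical servlet: every method requires an authenticated caller (class-level guard);
// DELETE additionally requires the ADMIN role (method-level guard). Both must pass.
@Rest(path="/widgets", guards=WidgetServlet.AuthenticatedGuard.class)
public class WidgetServlet extends BasicRestServlet {

	// Class-level guard: fail closed when the container has not authenticated the caller.
	// A guard that dereferences a null principal would surface as a 500 instead of a 401.
	public static class AuthenticatedGuard extends RestGuard {
		@Override /* RestGuard */
		public boolean isRequestAllowed(RestRequest req) {
			Principal p = req.getUserPrincipal();
			return p != null && p.getName() != null && ! p.getName().isEmpty();
		}
	}

	// Method-level guard: the caller is already known to be authenticated, so a missing
	// role is an authorization failure and is reported as 403 rather than the default 401.
	public static class AdminGuard extends RestGuard {
		private static final Logger LOG = Logger.getLogger(AdminGuard.class.getName()); // hypothetical logger

		@Override /* RestGuard */
		public boolean guard(RestRequest req, RestResponse res) throws RestException {
			if (! req.isUserInRole("ADMIN")) {
				Principal p = req.getUserPrincipal();
				// Record who was denied what; useful for detecting privilege-probing.
				LOG.warning("Denied " + req.getMethod() + " " + req.getPathInfo()
					+ " for " + (p == null ? "<anonymous>" : p.getName()));
				throw new RestException(SC_FORBIDDEN, "Access denied");
			}
			return true;
		}
	}

	@RestMethod(name=GET)
	public String getWidgets(RestRequest req) {
		return "widgets visible to " + req.getUserPrincipal().getName();
	}

	@RestMethod(name=DELETE, guards=AdminGuard.class)
	public void deleteWidgets(RestRequest req, RestResponse res) throws Exception {
		res.setStatus(SC_NO_CONTENT);
	}
}
```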