Controller constraints
Controller constraints are defined through annotations. These annotations can be applied at the class level, in which case they are applied to every action within the controller, or on specific action methods.
SubjectPresent and SubjectNotPresent
Sometimes, you don't need fine-grained checked - you just need to see if there is a user present (or not present).
@SubjectPresent
public CompletionStage<Result> someMethodA() {
// method will execute if the current DeadboltHandler's getSubject returns Some
}
@SubjectNotPresent
public CompletionStage<Result> someMethodB() {
// method will execute if the current DeadboltHandler's getSubject returns None
}
Restrict
This uses the Subject
's Role
s to perform AND/OR/NOT checks. The values given to the builder must match the Role.name
of the subject's roles.
AND is defined as an @Group
, OR is an array of @Group
, and NOT is a rolename with a !
preceding it.
@Restrict(@Group("foo"))
public CompletionStage<Result> someMethodA() {
// method will execute of subject has the "foo" role
}
@Restrict(@Group("foo", "bar"))
public CompletionStage<Result> someMethodB() {
// method will execute of subject has the "foo" AND "bar" roles
}
@Restrict({@Group("foo"), @Group("bar")})
public CompletionStage<Result> someMethodC() {
// method will execute of subject has the "foo"OR "bar" roles
}
Pattern
This uses the Subject
's Permission
s to perform a variety of checks.
@Pattern("admin.printer")
public CompletionStage<Result> someMethodA() {
// subject must have a permission with the exact value "admin.printer"
}
@Pattern(value = "(.)*\.printer", patternType = PatternType.REGEX)
public CompletionStage<Result> someMethodB() {
// subject must have a permission that matches the regular expression (without quotes) "(.)*\.printer"
}
@Pattern(value = "something arbitrary", patternType = PatternType.CUSTOM)
public CompletionStage<Result> someMethodC() {
// the checkPermssion method of the current handler's DynamicResourceHandler will be used. This is a user-defined test
}
If you want to invert the result, i.e. deny access if there's a match, set the invert
attribute to true
.
@Pattern(value = "admin.printer", invert = true)
public CompletionStage<Result> someMethodA() {
// subject with a permission with the exact value "admin.printer" will by denied
}
Dynamic
The most flexible constraint - this is a completely user-defined constraint that uses DynamicResourceHandler#isAllowed
to determine access.
@Dynamic(name = "name of the test")
public CompletionStage<Result> someMethod() {
// the method will execute if the user-defined test returns true
}
Using non-default DeadboltHandler implementations
Each annotation has a handlerKey
parameter. If you don't specify anything, the default DeadboltHandler will be used. If you want to use another implementation, the value of the handlerKey
argument can be anything defined in your HandlerCache
. See Integrating Deadbolt for information on how to define this configuration.
Updated less than a minute ago