Skip to content

Access control for dwr with spring

18 March 2011

With dwr it is possible to define methods on a bean that can be invoked from dwr-ajax calls. That much is easily to achieve following all the default tutorials on dwr on the web. However I wanted to restrict access to certain methods based on the roles that the users have. Otherwise it would be possible for certain users to call ajax methods that are not allowed for that user. But how can I change that behaviour. Looking at the documentation it is not obvious how that can be done, so I started the debugger to see how the integration really works. After some researching I came upon the DwrController that has a method call to ContainerUtil.setupDefaults. In here you can change the default behaviour classes, like the DefaultAccessControl class. So after having changed my own AccessControl implementation all I had to do is add it as parameter to the dwrController tag like so:

<dwr:controller id="dwrController">
<dwr:config-param name="crossDomainSessionSecurity" value="false"/>
<dwr:config-param name="org.directwebremoting.extend.AccessControl" value="com.web.controller.UserRoleFromHttpHeader"/>

And now I can use my own access control mechanism


From → java, Uncategorized

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: