The JDistil framework uses a security manager to determine action-level and field-level access within an application. The UI components use this access information
to alter, ahead of time, the elements displayed in the application UI: action-based UI elements are hidden when an action is restricted, data-based UI
elements are hidden when a field is restricted, and data-based UI elements are displayed as read-only when a field is read-only. Back-end framework components use the
same access information to validate and restrict requests submitted to an application: action-specific processors are not invoked when an action is restricted, and
submitted field data is ignored when a field is restricted or read-only.
The "com.bws.jdistil.core.security.DefaultSecurityManager" class is used by default and allows access to all actions and fields defined within an application.
This security manager can be overridden with an application-specific security manager by specifying a security manager factory class in the
application-specific "core.properties" file.
Security
Security Manager
All security manager classes must implement the "com.bws.jdistil.core.security.ISecurityManager" interface. An application-specific security manager can either
implement the interface directly or, if it only implements a portion of the interface, extend the "com.bws.jdistil.core.security.DefaultSecurityManager" class.
The following documents the "com.bws.jdistil.core.security.ISecurityManager" interface.
public interface ISecurityManager {

  public IDomain getDomain(HttpSession session) throws SecurityException;

  public boolean isDomainAdmin(HttpSession session) throws SecurityException;

  public boolean isAuthenticated(HttpSession session) throws SecurityException;

  public void setAuthenticated(boolean isAuthenticated, HttpSession session) throws SecurityException;

  public boolean isAuthorizationRequired(String actionId, HttpSession session) throws SecurityException;

  public boolean isAuthorized(String actionId, HttpSession session) throws SecurityException;

  public boolean isFieldHidden(String fieldId, HttpSession session) throws SecurityException;

  public boolean isFieldReadOnly(String fieldId, HttpSession session) throws SecurityException;

}
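One way to write an application-specific security manager by extending the DefaultSecurityManager class, as an added example that is not JDistil's own code. The class name, package, action and field IDs, role names and the "roles" session attribute are assumptions, as are the javax.servlet import and a public no-argument DefaultSecurityManager constructor; methods that are not overridden keep the default allow-all behaviour.

```java
package com.example.security; // hypothetical application package

import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpSession; // assumption: javax API (may be jakarta.servlet.http)
import com.bws.jdistil.core.security.DefaultSecurityManager;

// Role-based manager that fails closed for every listed action and field (Java 9+).
public class RoleSecurityManager extends DefaultSecurityManager {

  private static final String ROLES_ATTRIBUTE = "roles"; // hypothetical session key

  // Constructed sample policy: action ID -> roles allowed to invoke it.
  private static final Map<String, Set<String>> ACTION_ROLES = Map.of(
      "SaveOrder", Set.of("clerk", "manager"),
      "DeleteOrder", Set.of("manager"));

  // Constructed sample policy: field ID -> roles allowed to view / edit it.
  private static final Map<String, Set<String>> VIEW_ROLES = Map.of("OrderCost", Set.of("manager"));
  private static final Map<String, Set<String>> EDIT_ROLES = Map.of("OrderStatus", Set.of("manager"));

  @Override
  public boolean isAuthorized(String actionId, HttpSession session) {
    Set<String> allowed = ACTION_ROLES.get(actionId);
    // Unlisted actions keep the documented default (allowed).
    return allowed == null || hasAnyRole(session, allowed);
  }

  @Override
  public boolean isFieldHidden(String fieldId, HttpSession session) {
    Set<String> allowed = VIEW_ROLES.get(fieldId);
    return allowed != null && !hasAnyRole(session, allowed);
  }

  @Override
  public boolean isFieldReadOnly(String fieldId, HttpSession session) {
    Set<String> allowed = EDIT_ROLES.get(fieldId);
    return allowed != null && !hasAnyRole(session, allowed);
  }

  // No session, no roles attribute, or an unexpected type all count as "no role".
  private boolean hasAnyRole(HttpSession session, Set<String> allowed) {
    Object roles = (session == null) ? null : session.getAttribute(ROLES_ATTRIBUTE);
    if (!(roles instanceof Set<?>)) return false;
    for (Object role : (Set<?>) roles) {
      if (role instanceof String && allowed.contains(role)) return true;
    }
    return false;
  }
}
```

The framework only consults a class like this when the factory class named by the security.manager.factory setting in "core.properties" provides it.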
Security Manager Factory
An application's security manager is accessible using the "com.bws.jdistil.core.security.SecurityManagerFactory" class. This class returns an instance of the
application-specific security manager factory if a class is defined in the "core.properties" file, or an instance of a singleton POJO factory supporting access
to the "com.bws.jdistil.core.security.DefaultSecurityManager" if no class is defined. The following excerpt provides an example using the security manager
factory provided by the JDistil security module.
# Security manager factory class name
security.manager.factory=com.bws.jdistil.security.SecurityManagerFactory