JavAjax Security System

JavAjax provides a mechanism to restrict access to an Action, or to an individual Action method, based on the role(s) the current user holds.
Each Action class or Action method can carry a @Security annotation naming the role, or list of roles, authorized to execute it.
At invocation time these roles are checked against the roles assigned to the user, using the Security Manager configured on the Filter.
Note that when a @Security annotation is present on both the Action and a method, the Action-level roles are checked first and the method-level roles second; a method-level annotation can therefore only restrict access further, never grant access that the Action level denies.

Security defined at Action level
@Security(roles={"user","superuser","admin"})
public class MyAction extends GenericAction {
    ...
}

Security defined at Method level
@Security(roles={"user","superuser","admin"})
public class MyAction extends GenericAction {

    // No @Security of its own: inherits the Action-level roles
    protected Response myFirstMethod() {
        ...
    }

    // Narrows access to "superuser" and "admin"
    @Security(roles={"superuser","admin"})
    protected Response mySecondMethod() {
        ...
    }

    // Narrows access to "admin" only
    @Security(roles={"admin"})
    protected Response myThirdMethod() {
        ...
    }
}

Method myFirstMethod defines no Security constraint of its own, so it inherits the roles defined at Action level ("user", "superuser" and "admin").
Method mySecondMethod restricts access to the roles "superuser" and "admin": although the Action itself may be invoked by users with the "user" role, those users are denied this method.
In the same way, method myThirdMethod can be accessed only by users holding the role "admin".
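The following stand-alone Java program is an added illustration of the rule described above; it is not code from the JavAjax framework. It models the evaluation order (Action-level roles first, then method-level roles) with a hypothetical @Security stand-in annotation, since the real annotation's package and any attributes beyond roles={...} are not shown on this page, and replaces GenericAction and Response with plain Java types. It also goes one step beyond the page's example by adding a hypothetical auditMethod whose only role, "auditor", is not granted at Action level, to show that a method-level annotation cannot widen access.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class RoleCheckDemo {

    // Hypothetical stand-in for the framework's @Security annotation: only the
    // roles={...} attribute shown on the page is modelled.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface Security {
        String[] roles();
    }

    // Sample Action mirroring the page's MyAction. GenericAction and Response are
    // not available here, so plain Java types are used instead.
    @Security(roles = {"user", "superuser", "admin"})
    public static class MyAction {
        public String myFirstMethod()  { return "first"; }   // inherits Action roles

        @Security(roles = {"superuser", "admin"})
        public String mySecondMethod() { return "second"; }  // narrows to two roles

        @Security(roles = {"admin"})
        public String myThirdMethod()  { return "third"; }   // narrows to one role

        // Hypothetical extension: a role the Action itself does not grant.
        // Because the Action-level check runs first, even an "auditor" is denied.
        @Security(roles = {"auditor"})
        public String auditMethod()    { return "audit"; }
    }

    // True when the user holds at least one of the required roles.
    static boolean hasAnyRole(Set<String> userRoles, String[] required) {
        for (String role : required) {
            if (userRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    // Applies the rule from the text: Action-level roles are checked first and a
    // method-level annotation is then checked in addition, so it can only narrow
    // access. A method without its own annotation inherits the Action's roles.
    // (In this demo an Action with no annotation at all is treated as open.)
    static boolean isAllowed(Class<?> action, String methodName, Set<String> userRoles)
            throws NoSuchMethodException {
        Security actionLevel = action.getAnnotation(Security.class);
        if (actionLevel != null && !hasAnyRole(userRoles, actionLevel.roles())) {
            return false; // denied at Action level; method annotation never consulted
        }
        Security methodLevel = action.getMethod(methodName).getAnnotation(Security.class);
        if (methodLevel != null && !hasAnyRole(userRoles, methodLevel.roles())) {
            return false; // Action allowed, but the method restricts further
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String[] methods = {"myFirstMethod", "mySecondMethod", "myThirdMethod", "auditMethod"};
        // Constructed principals, each holding exactly one role; "anonymous"
        // models an unauthenticated caller with no roles at all.
        String[] principals = {"user", "superuser", "admin", "auditor", "anonymous"};
        System.out.printf("%-16s", "");
        for (String p : principals) {
            System.out.printf("%-10s", p);
        }
        System.out.println();
        for (String m : methods) {
            System.out.printf("%-16s", m);
            for (String p : principals) {
                Set<String> roles = p.equals("anonymous")
                        ? Collections.<String>emptySet()
                        : new HashSet<String>(Arrays.asList(p));
                System.out.printf("%-10s", isAllowed(MyAction.class, m, roles) ? "allow" : "deny");
            }
            System.out.println();
        }
    }
}
```

Compile and run with javac and java. The table it prints shows a "user" allowed only on myFirstMethod, a "superuser" allowed on the first two methods, an "admin" allowed on the three methods from the page, and both "auditor" and "anonymous" denied everywhere: the Action-level check rejects them before the method-level annotation is ever read, which is exactly why a method annotation can restrict but never extend access.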

The framework ships with a default J2EE Security Manager, which checks the required roles against those the container assigned to the user at login time, following the J2EE specification.
A custom Security Manager can be plugged in by implementing the interface org.thinkjava.javajax.security.JavajaxSecurityManager and passing its fully qualified class name in the security.manager init parameter of the Filter. Since the Security Manager is the enforcement point for every @Security check, a custom implementation should fail closed: a request for which no roles can be resolved (for example, an unauthenticated user) must be denied rather than allowed through.

On the view side, the Security Tag helps control what the user can see or do: client code wrapped in a Security tag is rendered only when the user is authorized for the corresponding Action or method. The tag is a presentation aid rather than an access control; a client can still send the request directly, so the @Security annotation check at invocation time remains the actual enforcement.

<j:security actionUrl="MyAction">
    <input type="button" onclick="callMyAction()">
</j:security>
This tag checks the user's roles against those defined in the @Security annotation at Action level.

<j:security actionUrl="MyAction.myMethod">
    <input type="button" onclick="callMyAction()">
</j:security>
This button markup is sent to the client only if the user has access to the method "myMethod" in Action "MyAction", i.e. passes both the Action-level and the method-level role check.