Package io.milton.annotations

Annotation Interface AccessControlList

@Target(METHOD)
@Retention(RUNTIME)
public @interface AccessControlList

Marks a method as one which returns the Access Control List for a user on a given resource

The method must have at least 2 parameters:

• The object to return an access control list for. For example, if you want to return permissions for a Calendar, then this should be a Calendar
• The current user. This is the object returned by the @Authenticate method

Milton will search up the object hierarchy to find a @AccessControlList method. The first one found which returns a non-null value will be used. Returning null indicates the method is not able to determine an ACL, so Milton will continue the search up the parents.

So if a request is made to a URL like this: /users/brad/calenars/cal1

Then if cal1 represents an instance of a MyCalendar, and @Authenticate returned an instance of MyUser, then you should have a method like this:

@AccessControlList public List{@literal <}AccessControlledResource.Priviledge{@literal >} getUserPrivs(MyCalendar target, MyUser currentUser)

But if you want to apply permissions at a higher level, say at the level of the user object, and lets say that "brad" is an instance of a MyUser object then you would have this:

{@literal @}AccessControlList public List{@literal <}AccessControlledResource.Priviledge{@literal >} getUserPrivs(MyUser target, MyUser currentUser)