// Comprehensive guide to JUDO Access Manager API interfaces. Use when you need to understand operation authorization, implement custom authentication interceptors, work with signed identifiers, or integrate access control into your application.
Comprehensive guide to the JUDO authentication pipeline. Use when you need to understand how authentication works, debug auth issues, configure OAuth2/OpenID Connect, or integrate with identity providers like Keycloak.
Help write tests for JUDO applications using judo-runtime-core-guice-testkit. Use when writing interceptor tests, setting up JudoRuntimeFixture, or troubleshooting testkit issues.
Add Claude skill packages and agent-docs to a JUDO Runtime Core module. Use when making a module self-contained with embedded documentation, creating skills for interceptors/extensions, or packaging agent docs in JARs.
Comprehensive guide to configuring access control rules in JUDO Runtime. Use when you need to understand actor-based authorization, configure public vs authenticated access, set up exposedBy annotations, or implement custom authentication interceptors.
Detailed guide to the JUDO permission checking flow for CRUD operations. Use when you need to understand how CREATE, UPDATE, DELETE permissions work, debug authorization failures, or implement custom authorizers.
Understand JUDO DAO Core interface patterns including payload processors, statement types, instance collectors, and validation. Use when working with data access operations, implementing custom processors, or understanding the DAO architecture.
| name | judo-runtime:access-api-overview |
| description | Comprehensive guide to JUDO Access Manager API interfaces. Use when you need to understand operation authorization, implement custom authentication interceptors, work with signed identifiers, or integrate access control into your application. |
| metadata | {"author":"BlackBelt Technology","version":"${project.version}"} |
Complete guide to the Access Manager API interfaces in JUDO Runtime Core.
The Access Manager API module (judo-runtime-core-accessmanager-api) defines the core contracts for:
This is a pure API module with no dependencies on implementation details, making it suitable for use across different runtime configurations.
graph TB
subgraph "Client Request"
A[HTTP Request with JWT]
end
subgraph "Security Layer"
B[Authentication]
C[Principal Extraction]
end
subgraph "Access Manager API"
D[AccessManager]
E[AuthenticationInterceptor]
F[AuthenticationInterceptorProvider]
G[SignedIdentifier]
end
subgraph "Dispatcher"
H[Operation Execution]
end
A --> B
B --> C
C --> D
D --> E
F -.->|provides| E
D -->|uses| G
D -->|authorize| H
style D fill:#f9f,stroke:#333,stroke-width:2px
style E fill:#bbf,stroke:#333,stroke-width:2px
style G fill:#bfb,stroke:#333,stroke-width:2px
The primary interface for authorizing operation calls. Implementations decide whether a given operation is allowed based on the principal, operation metadata, and signed identifier.
package hu.blackbelt.judo.runtime.core.accessmanager.api;
/**
* Access manager is used to check if a given operation call is allowed.
*/
public interface AccessManager {
/**
* Authorize an operation call.
*
* @param operation operation to call (EMF EOperation)
* @param signedIdentifier signed identifier of bound operation
* @param exchange exchange map containing request context
*/
void authorizeOperation(EOperation operation,
SignedIdentifier signedIdentifier,
Map<String, Object> exchange);
}
Key Points:
AccessDeniedException if authorization failsAuthenticationRequiredException if authentication is neededexchange map contains Dispatcher.PRINCIPAL_KEY with the JudoPrincipalRepresents the identity of an entity instance used in bound operations. Contains metadata about how the instance was produced and its type information.
package hu.blackbelt.judo.runtime.core.accessmanager.api;
@Getter
@Builder
public class SignedIdentifier {
@NonNull
private final String identifier; // The unique identifier value
private final ETypedElement producedBy; // The operation/reference that produced this
private final String entityType; // Fully qualified entity type name
private final Integer version; // Optimistic locking version
private final Boolean immutable; // Whether the entity is read-only
}
Usage Example:
SignedIdentifier signedId = SignedIdentifier.builder()
.identifier("550e8400-e29b-41d4-a716-446655440000")
.entityType("Model.Customer")
.producedBy(getCustomerOperation)
.version(1)
.immutable(false)
.build();
Allows hooking into the authentication/authorization lifecycle at key points. Useful for custom logging, audit trails, or additional security checks.
package hu.blackbelt.judo.runtime.core.accessmanager.api;
/**
* Interceptor for authentication/authorization calls.
*/
public interface AuthenticationInterceptor {
/**
* Get the interceptor name for identification.
*/
String getName();
/**
* Determine if this interceptor should handle the given operation.
* Default: handles all operations.
*/
default boolean isSuitableForOperation(EOperation operation,
String claim,
String realm,
String client,
Map<String, Object> attributes) {
return true;
}
/**
* Called after principal extraction but BEFORE mapped principal load.
* CAUTION: Actor-based expressions cannot be used here.
*/
default void authenticate(String operationFullyQualifiedName,
Map<String, Object> exchange,
String claim,
String realm,
String client,
Map<String, Object> attributes) {}
/**
* Called after successful authorization, BEFORE operation execution.
*/
default void success(EOperation operation,
SignedIdentifier signedIdentifier,
Map<String, Object> exchange,
String claim,
String realm,
String client,
Map<String, Object> attributes) {}
}
Factory interface for providing authentication interceptors. Allows dynamic registration of interceptors.
package hu.blackbelt.judo.runtime.core.accessmanager.api;
public interface AuthenticationInterceptorProvider {
default Collection<AuthenticationInterceptor> getAuthenticationInterceptors() {
return new ArrayList<>();
}
}
sequenceDiagram
participant Client
participant Dispatcher
participant AccessManager
participant InterceptorProvider as AuthenticationInterceptorProvider
participant Interceptor as AuthenticationInterceptor
Client->>Dispatcher: Operation call with exchange
Dispatcher->>AccessManager: authorizeOperation(op, signedId, exchange)
AccessManager->>AccessManager: Extract JudoPrincipal from exchange
AccessManager->>AccessManager: Check operation exposure
alt Not Exposed to Actor
AccessManager-->>Dispatcher: throw AccessDeniedException
Dispatcher-->>Client: 403 Forbidden
end
alt No Principal & Not Public
AccessManager-->>Dispatcher: throw AuthenticationRequiredException
Dispatcher-->>Client: 401 Unauthorized
end
AccessManager->>InterceptorProvider: getAuthenticationInterceptors()
InterceptorProvider-->>AccessManager: List<AuthenticationInterceptor>
loop Each Interceptor
AccessManager->>Interceptor: isSuitableForOperation(...)
alt Suitable
AccessManager->>Interceptor: success(op, signedId, exchange, ...)
end
end
AccessManager->>AccessManager: Run behaviour authorizers
AccessManager-->>Dispatcher: Authorization passed
Dispatcher->>Dispatcher: Execute operation
Dispatcher-->>Client: Response
The judo-runtime-core-accessmanager module provides DefaultAccessManager, which:
@exposedBy annotationproducedBy must be accessible to the actorAuthenticationInterceptor instancesThe default implementation includes authorizers for standard operations:
| Authorizer | Operation Type |
|---|---|
ListAuthorizer | List/query operations |
CreateInstanceAuthorizer | Entity creation |
UpdateInstanceAuthorizer | Entity updates |
DeleteInstanceAuthorizer | Entity deletion |
RefreshAuthorizer | Entity refresh |
SetReferenceAuthorizer | Set single reference |
UnsetReferenceAuthorizer | Clear single reference |
AddReferenceAuthorizer | Add to collection reference |
RemoveReferenceAuthorizer | Remove from collection reference |
GetReferenceRangeAuthorizer | Get reference options |
GetInputRangeAuthorizer | Get input parameter options |
GetTemplateAuthorizer | Get entity templates |
public class AuditLoggingInterceptor implements AuthenticationInterceptor {
private final AuditService auditService;
public AuditLoggingInterceptor(AuditService auditService) {
this.auditService = auditService;
}
@Override
public String getName() {
return "audit-logging";
}
@Override
public boolean isSuitableForOperation(EOperation operation,
String claim,
String realm,
String client,
Map<String, Object> attributes) {
// Only audit write operations
Optional<AsmUtils.OperationBehaviour> behaviour = AsmUtils.getBehaviour(operation);
return behaviour.isPresent() &&
(behaviour.get() == AsmUtils.OperationBehaviour.CREATE_INSTANCE ||
behaviour.get() == AsmUtils.OperationBehaviour.UPDATE_INSTANCE ||
behaviour.get() == AsmUtils.OperationBehaviour.DELETE_INSTANCE);
}
@Override
public void success(EOperation operation,
SignedIdentifier signedIdentifier,
Map<String, Object> exchange,
String claim,
String realm,
String client,
Map<String, Object> attributes) {
auditService.log(AuditEvent.builder()
.user(claim)
.realm(realm)
.operation(AsmUtils.getOperationFQName(operation))
.entityId(signedIdentifier != null ? signedIdentifier.getIdentifier() : null)
.timestamp(Instant.now())
.build());
}
}
public class RateLimitingInterceptor implements AuthenticationInterceptor {
private final RateLimiter rateLimiter;
@Override
public String getName() {
return "rate-limiter";
}
@Override
public void authenticate(String operationFQN,
Map<String, Object> exchange,
String claim,
String realm,
String client,
Map<String, Object> attributes) {
String key = claim + ":" + client;
if (!rateLimiter.tryAcquire(key)) {
throw new AccessDeniedException(ValidationResult.builder()
.code("RATE_LIMIT_EXCEEDED")
.level(ValidationResult.Level.ERROR)
.build());
}
}
}
public class CustomSecurityModule extends AbstractModule {
@Override
protected void configure() {
bind(AuthenticationInterceptorProvider.class)
.to(CustomInterceptorProvider.class);
}
}
public class CustomInterceptorProvider implements AuthenticationInterceptorProvider {
@Inject
private AuditService auditService;
@Override
public Collection<AuthenticationInterceptor> getAuthenticationInterceptors() {
return Arrays.asList(
new AuditLoggingInterceptor(auditService),
new RateLimitingInterceptor()
);
}
}
graph LR
subgraph "judo-runtime-core-accessmanager-api"
A[AccessManager]
B[AuthenticationInterceptor]
C[SignedIdentifier]
end
subgraph "judo-runtime-core-accessmanager"
D[DefaultAccessManager]
E[BehaviourAuthorizers]
end
subgraph "judo-runtime-core-dispatcher"
F[DefaultDispatcher]
end
subgraph "judo-runtime-core-security"
G[JudoPrincipal]
end
subgraph "judo-runtime-core-guice"
H[Guice Bindings]
end
D -->|implements| A
D -->|uses| B
D -->|uses| C
D -->|contains| E
F -->|calls| A
F -->|creates| C
D -->|reads| G
H -->|binds| A
H -->|binds| D
| Exception | HTTP Status | When Thrown |
|---|---|---|
AccessDeniedException | 403 Forbidden | Operation not exposed to actor, CRUD permission denied |
AuthenticationRequiredException | 401 Unauthorized | No principal for non-public operation, invalid token |
| Code | Description |
|---|---|
ACCESS_DENIED | Actor has no access to the operation |
ACCESS_DENIED_FOR_INSTANCE_OF_BOUND_OPERATION | Actor cannot access the bound entity |
PERMISSION_DENIED | CRUD flag not set on model element |
AUTHENTICATION_REQUIRED | Operation requires authentication |
INVALID_TOKEN | Token required but invalid/missing |
hu.blackbelt.judo.runtime.core.accessmanager.api/
āāā AccessManager.java # Core authorization interface
āāā AuthenticationInterceptor.java # Lifecycle hook interface
āāā AuthenticationInterceptorProvider.java # Interceptor factory
āāā SignedIdentifier.java # Bound operation identifier
judo-runtime-core-accessmanager - Default AccessManager implementationjudo-runtime-core-security - Authentication and JudoPrincipaljudo-runtime-core-dispatcher - Operation dispatchingjudo-runtime-core-guice - Dependency injection bindings