
I am creating a password utility that is accessible to both my client and the user; however, I want specific methods to be run only by administrators (my client) and not by the user.

What options are there for doing this?

AKrauss
  • You can add a `@UserLevel` annotation, to each method, that has a `UserType` parameter which controls the minimum user level required to access the method. These class names are made up, but they should be good to use. You can use introspection to determine, at runtime, if the method can be accessed. Check out this tutorial on [Custom Annotations](https://www.mkyong.com/java/java-custom-annotations-example/) by Yong Mook Kim – Mr. Polywhirl Dec 02 '16 at 14:09
  • Do you mean an admin on OS level? This can't be done with native Java. If a user can execute `java` and has read access to a `jar` file, the user can always run the program `java -jar a.jar`. You can distribute two `jar`s and give read access only to admins for the `jar` with the specific method. Maybe read here: http://stackoverflow.com/questions/9477643/how-to-check-access-level-of-user-on-any-system – PeterMmm Dec 02 '16 at 14:56

1 Answer


The following is an example of using levels for different users. I am mimicking the way Java and other vendors handle logging levels.

By using reflection, I can check if the requesting user has or lacks the proper user level to view the method.

This is a simple way to filter out who can or can't access a method at runtime.

UserType

package auth;

public enum UserType {
    ADMIN(Integer.MIN_VALUE),
    SYSTEM(10000),
    GENERAL(20000),
    NONE(Integer.MAX_VALUE);

    int level;

    public int getLevel() {
        return level;
    }

    private UserType(int level) {
        this.level = level;
    }
}

UserLevel

package auth;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface UserLevel {
    UserType type() default UserType.GENERAL;
}

ControlService

import auth.UserLevel;
import auth.UserType;

public class ControlService {
    @UserLevel(type=UserType.ADMIN)
    public String[] getUsers() {
        return new String[] {  };
    }

    @UserLevel(type=UserType.SYSTEM)
    public String[] getCommands() {
        return new String[] {  };
    }

    @UserLevel(type=UserType.GENERAL)
    public String[] getCategories() {
        return new String[] {  };
    }
}

UserServiceAccessCheck

import java.lang.reflect.Method;

import auth.UserLevel;
import auth.UserType;

public class UserServiceAccessCheck {
    public static void requestMethods(Class<?> serviceClass, UserType type) {
        System.out.printf("Methods accessible to %s users...%n", type);

        int allowed = 0,
            disallowed = 0,
            count = 0,
            ignore = 0;

        // Note: getDeclaredMethods() does not guarantee any particular order.
        for (Method method : serviceClass.getDeclaredMethods()) {
            if (method.isAnnotationPresent(UserLevel.class)) {
                // getAnnotation already returns the typed annotation; no cast needed.
                UserLevel level = method.getAnnotation(UserLevel.class);

                // A lower level value means more privilege, so the method's required
                // level must be at or above (less privileged than) the caller's level.
                if (level.type().getLevel() >= type.getLevel()) {
                    try {
                        // Class.newInstance() is deprecated since Java 9; use the constructor.
                        method.invoke(serviceClass.getDeclaredConstructor().newInstance());
                        System.out.printf("  %s - Can access? %-13s - allowed %n", ++count, method.getName());
                        allowed++;
                    } catch (Throwable ex) {
                        System.out.printf("  %s - Can access? %-13s - disallowed: %s %n", ++count, method.getName(), ex.getCause());
                        disallowed++;
                    }
                } else {
                    System.out.printf("  %s - Can access? %-13s - disallowed%n", ++count, method.getName());
                    disallowed++;
                }
            } else {
                // Methods without @UserLevel are neither allowed nor denied here, only counted.
                ignore++;
            }
        }

        System.out.printf("%nResult : Total : %d, Allowed: %d, Disallowed: %d, Ignore: %d%n%n",
                count, allowed, disallowed, ignore);
    }

    public static void main(String[] args) throws Exception {
        for (UserType type : UserType.values()) {
            requestMethods(ControlService.class, type);
        }
    }
}

Output

Methods accessible to ADMIN users...
  1 - Can access? getUsers      - allowed 
  2 - Can access? getCommands   - allowed 
  3 - Can access? getCategories - allowed 

Result : Total : 3, Allowed: 3, Disallowed: 0, Ignore: 0

Methods accessible to SYSTEM users...
  1 - Can access? getUsers      - disallowed
  2 - Can access? getCommands   - allowed 
  3 - Can access? getCategories - allowed 

Result : Total : 3, Allowed: 2, Disallowed: 1, Ignore: 0

Methods accessible to GENERAL users...
  1 - Can access? getUsers      - disallowed
  2 - Can access? getCommands   - disallowed
  3 - Can access? getCategories - allowed 

Result : Total : 3, Allowed: 1, Disallowed: 2, Ignore: 0

Methods accessible to NONE users...
  1 - Can access? getUsers      - disallowed
  2 - Can access? getCommands   - disallowed
  3 - Can access? getCategories - disallowed

Result : Total : 3, Allowed: 0, Disallowed: 3, Ignore: 0
Mr. Polywhirl
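The checker in the answer only reports which methods a given user level may call; nothing stops code from calling `getUsers()` directly. The following is an added example, not code from the answer or the question, showing how the same `@UserLevel` scheme can be enforced at call time with a `java.lang.reflect.Proxy`: every call through the guarded reference is checked against the caller's `UserType` before the real method runs, and a method that carries no `@UserLevel` is denied rather than silently ignored (fail closed). The nested `ControlService` interface, the `ControlServiceImpl` class, the `getVersion` method and the sample data it returns are all constructed for this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.List;
import java.util.function.Supplier;

public class GuardedServiceDemo {

    // Same level scheme as the answer: a lower number means more privilege.
    public enum UserType {
        ADMIN(Integer.MIN_VALUE), SYSTEM(10000), GENERAL(20000), NONE(Integer.MAX_VALUE);

        private final int level;

        UserType(int level) { this.level = level; }

        public int getLevel() { return level; }
    }

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface UserLevel {
        UserType type() default UserType.GENERAL;
    }

    // The annotations sit on the interface so the proxy sees them on the Method it receives.
    public interface ControlService {
        @UserLevel(type = UserType.ADMIN)   List<String> getUsers();
        @UserLevel(type = UserType.SYSTEM)  List<String> getCommands();
        @UserLevel(type = UserType.GENERAL) List<String> getCategories();
        List<String> getVersion();          // deliberately unannotated to show fail-closed handling
    }

    // Hypothetical implementation returning constructed sample data.
    static class ControlServiceImpl implements ControlService {
        public List<String> getUsers()      { return Arrays.asList("alice", "bob"); }
        public List<String> getCommands()   { return Arrays.asList("reset", "rotate"); }
        public List<String> getCategories() { return Arrays.asList("web", "db"); }
        public List<String> getVersion()    { return Arrays.asList("1.0"); }
    }

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    // Returns a view of 'target' on which every call is checked against 'caller' before it runs.
    static ControlService guard(ControlService target, UserType caller) {
        InvocationHandler handler = (proxy, method, args) -> {
            // Let equals/hashCode/toString through untouched.
            if (method.getDeclaringClass() == Object.class) {
                return method.invoke(target, args);
            }
            UserLevel required = method.getAnnotation(UserLevel.class);
            if (required == null) {
                // Fail closed: an unannotated method is denied, not silently ignored.
                throw new AccessDeniedException(method.getName() + " has no @UserLevel; denied by default");
            }
            // Same comparison as the answer: the method's required level must not be
            // more privileged (numerically lower) than the caller's level.
            if (required.type().getLevel() < caller.getLevel()) {
                throw new AccessDeniedException(method.getName() + " requires "
                        + required.type() + ", caller is " + caller);
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();   // surface the real exception, not the reflection wrapper
            }
        };
        return (ControlService) Proxy.newProxyInstance(
                ControlService.class.getClassLoader(),
                new Class<?>[] { ControlService.class },
                handler);
    }

    private static void attempt(String name, Supplier<List<String>> call) {
        try {
            System.out.printf("  %-13s -> %s%n", name, call.get());
        } catch (AccessDeniedException e) {
            System.out.printf("  %-13s -> denied (%s)%n", name, e.getMessage());
        }
    }

    public static void main(String[] args) {
        ControlService real = new ControlServiceImpl();
        for (UserType type : UserType.values()) {
            ControlService svc = guard(real, type);   // callers only ever hold the guarded view
            System.out.printf("Calls made as %s:%n", type);
            attempt("getUsers",      svc::getUsers);
            attempt("getCommands",   svc::getCommands);
            attempt("getCategories", svc::getCategories);
            attempt("getVersion",    svc::getVersion);
        }
    }
}
```

Compile and run with `javac GuardedServiceDemo.java && java GuardedServiceDemo`. The guard is still an in-process check: it only holds as long as callers receive the proxied reference and never the underlying `ControlServiceImpl`. As PeterMmm's comment points out, anyone who can run the JAR can also instantiate the implementation directly or reach it through reflection, so for a real client/user split the admin-only methods belong behind a boundary the user cannot bypass (a separate process or server that authenticates the caller), with this kind of annotation check used inside that trusted side.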