Package io.fluxcapacitor.javaclient.tracking.handling.authentication

Annotation Interface ForbidsAnyRole

@Documented @Target({TYPE,CONSTRUCTOR,METHOD,ANNOTATION_TYPE,PACKAGE}) @Retention(RUNTIME) @Inherited public @interface ForbidsAnyRole
Indicates that a handler method, class, package, or payload should not be invoked or processed if the current user has any of the specified roles.

Usage

This annotation acts as a negative filter for message handling based on user roles.
  • On a handler method, class, or package: the handler is skipped if the user has a forbidden role. This allows other handlers to take over instead.
  • On a payload: an exception is thrown if the user has a forbidden role.

This is useful in scenarios where certain roles (e.g. admins) should receive different behavior or be excluded from specific processing paths.

Example: Preventing admin users from handling a message


 @ForbidsAnyRole("admin")
 @HandleCommand
 void handle(UserRequest request) {
     // This handler will only run if the user is NOT an admin
 }

Fallback pattern with multiple handlers


 @ForbidsAnyRole("admin")
 @HandleCommand
 void handleAsUserOnly(MyCommand command) { ... }

 @RequiresAnyRole(value = "admin", throwIfUnauthorized = false)
 @HandleCommand
 void handleAsAdmin(MyCommand command) { ... }

Notes

  • Role checks are performed via the configured UserProvider.
  • For unauthenticated users or missing roles, this restriction does not apply.
  • This annotation supports usage as a meta-annotation for reusable constraints.
See Also:

  • Optional Element Summary

    Optional Elements
    Modifier and Type
    Optional Element
    Description
    boolean
    throwIfUnauthorized
    Determines whether an exception should be thrown when the authorization check fails.
    String[]
    value
    One or more roles that should be excluded.

  • Element Details

    • value

      String[] value
      One or more roles that should be excluded. If the user has any of these roles, the handler or payload will not be used.
      Default:
      {}

    • throwIfUnauthorized

      boolean throwIfUnauthorized
      Determines whether an exception should be thrown when the authorization check fails.

      If true (the default), an exception will be thrown when the user is unauthorized:

      If false, the annotated handler or message will be silently skipped instead. This opt-out strategy is useful for conditionally invoked handlers where fallback behavior is preferred.

      Defaults to true.

      Default:
      true