With DWR it is possible to define methods on a bean that can be invoked from DWR Ajax calls. That much is easy to achieve by following the default DWR tutorials on the web. However, I wanted to restrict access to certain methods based on the roles that the users have. Otherwise it would be possible for certain users to call Ajax methods that are not allowed for that user. But how can I change that behaviour?

Looking at the documentation, it is not obvious how that can be done, so I started the debugger to see how the integration really works. After some research I came upon the DwrController, which has a method call to ContainerUtil.setupDefaults. In here you can change the default behaviour classes, like the DefaultAccessControl class. So after having changed my own AccessControl implementation, all I had to do was add it as a parameter to the dwrController tag, like so:
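<dwr:controller id="dwrController">
    <!-- false turns off DWR's cross-domain session (CSRF) check; the default is true -->
    <dwr:config-param name="crossDomainSessionSecurity" value="false"/>
    <!-- name = the DWR interface to override, value = the implementing class -->
    <dwr:config-param name="org.directwebremoting.extend.AccessControl" value="com.web.controller.UserRoleFromHttpHeader"/>
</dwr:controller>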
And now I can use my own access control mechanism.
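
One way such an AccessControl could look, as an added example (not the author's UserRoleFromHttpHeader class, whose source the post does not show). It assumes the DWR 2.0.x signature of assertExecutionIsPossible on DefaultAccessControl; the class name, the X-User-Roles header and the OrderService policy entries are hypothetical.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.directwebremoting.WebContextFactory;
import org.directwebremoting.extend.Creator;
import org.directwebremoting.impl.DefaultAccessControl;

/** Hypothetical example: deny-by-default role check per remoted method. */
public class HeaderRoleAccessControl extends DefaultAccessControl {
    // Assumed header name. The fronting proxy must overwrite it on every
    // request, otherwise any client can claim any role.
    private static final String ROLE_HEADER = "X-User-Roles";

    // "scriptName.methodName" -> roles allowed to call it (constructed sample policy).
    private static final Map<String, Set<String>> POLICY = new HashMap<String, Set<String>>();
    static {
        POLICY.put("OrderService.listOrders", roles("user", "admin"));
        POLICY.put("OrderService.deleteOrder", roles("admin"));
    }

    private static Set<String> roles(String... names) {
        return new HashSet<String>(Arrays.asList(names));
    }

    @Override
    public void assertExecutionIsPossible(Creator creator, String className, Method method)
            throws SecurityException {
        // Run DWR's default checks first, then apply the role policy on top.
        super.assertExecutionIsPossible(creator, className, method);
        Set<String> allowed = POLICY.get(className + "." + method.getName());
        if (allowed == null) {
            throw new SecurityException("No policy for remoted method, denying");
        }
        HttpServletRequest req = WebContextFactory.get().getHttpServletRequest();
        String header = req.getHeader(ROLE_HEADER);
        if (header != null) {
            for (String role : header.split(",")) {
                if (allowed.contains(role.trim())) {
                    return; // caller holds at least one permitted role
                }
            }
        }
        throw new SecurityException("Caller lacks a role permitted for this method");
    }
}
```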