JRDS Authentication and Authorization

JRDS does not manage authentication itself; it delegates it to the web server container. The container should provide the list of roles the user belongs to, and that is the information JRDS uses.

By default, JRDS doesn't use security. A boolean property called security should be set to true to make it use authorizations.

Every object that JRDS manages (at the moment custom graphs, sums and filters) can be associated with a list of roles that are allowed to see it. For every role, a role element should be declared with its name.

In the properties, the admin role, the one with special privileges like reload, should be declared. A list of default roles, assigned to objects without explicit roles, can also be given.

The implementation uses abstract classes that are derived to manage different kinds of authorization, so other kinds of restrictions (IP, time of day) could be implemented later.
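A sketch of the model described above, as an added example that is not JRDS code: every class and method name is hypothetical, the role and object names are constructed, and denying a user who holds none of the listed roles is an assumption about how the check resolves.

```java
import java.util.Set;

// Hypothetical sketch of the model; these class and method names are not JRDS's own.
public class AclSketch {
    // One subclass per kind of restriction (roles today; IP or time of day later).
    static abstract class Acl {
        abstract boolean check(Set<String> userRoles);
    }

    // Stands in for security=false: no authorization is applied.
    static class AllowAll extends Acl {
        boolean check(Set<String> userRoles) { return true; }
    }

    // Grants access when the user holds at least one allowed role.
    // An empty allowed set matches nobody, so a missing role list fails closed.
    static class RolesAcl extends Acl {
        private final Set<String> allowed;
        RolesAcl(Set<String> allowed) { this.allowed = Set.copyOf(allowed); }
        boolean check(Set<String> userRoles) {
            return userRoles.stream().anyMatch(allowed::contains);
        }
    }

    // Explicit roles win; objects without any get the default roles.
    static Acl forObject(boolean security, Set<String> explicit, Set<String> defaults) {
        if (!security) return new AllowAll();
        return new RolesAcl(explicit.isEmpty() ? defaults : explicit);
    }

    public static void main(String[] args) {
        // Constructed configuration: role and object names are sample values.
        Set<String> defaults = Set.of("viewer");
        Acl reload = new RolesAcl(Set.of("admin"));   // admin-only action
        Acl netGraph = forObject(true, Set.of("netops"), defaults);
        Acl plainSum = forObject(true, Set.of(), defaults);

        // Roles as the container would report them for each user (constructed).
        Set<String> alice = Set.of("viewer");
        Set<String> bob = Set.of("netops", "admin");
        Set<String> anon = Set.of();   // unauthenticated request, no roles

        System.out.println("alice sees netGraph: " + netGraph.check(alice));
        System.out.println("alice sees plainSum: " + plainSum.check(alice));
        System.out.println("bob sees netGraph:   " + netGraph.check(bob));
        System.out.println("bob may reload:      " + reload.check(bob));
        System.out.println("anon sees plainSum:  " + plainSum.check(anon));
    }
}
```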

 
jrdssecurity.txt · Last modified: 2010/08/12 14:44 by root