org.glassfish.security.services.api.authorization

Interface AuthorizationService

All Superinterfaces:

SecurityService

All Known Implementing Classes:

AuthorizationServiceImpl

@Contract
public interface AuthorizationService
extends SecurityService

The AuthorizationService interface provides methods that allow server and container to determine whether access should be allowed to a particular resource. It is intended for internal use, not for use by applications.

Nested Class Summary

Nested Classes

Modifier and Type	Interface and Description
static interface	AuthorizationService.PolicyDeploymentContext This interface represents a PolicyDeploymentContext as returned by the Authorization Service's findOrCreateDeploymentContext() method.

Method Summary

Methods

Modifier and Type	Method and Description
boolean	appendAttributeResolver(AzAttributeResolver resolver) Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.
AuthorizationService.PolicyDeploymentContext	findOrCreateDeploymentContext(String appContext) Finds an existing PolicyDeploymentContext, or create a new one if one does not already exist for the specified appContext.
List<AzAttributeResolver>	getAttributeResolvers() Determines the current list of AttributeResolver instances, in execution order.
AzResult	getAuthorizationDecision(AzSubject subject, AzResource resource, AzAction action) The primary authorization method.
boolean	isAuthorized(Subject subject, URI resource) Determines whether the given Subject is authorized to access the given resource, specified by a URI.
boolean	isAuthorized(Subject subject, URI resource, String action) Determines whether the given Subject is authorized to access the given resource, specified by a URI.
boolean	isPermissionGranted(Subject subject, Permission permission) Determines whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object.
AzAction	makeAzAction(String action) Converts an action, expressed as a String, into a typed attributes collection.
AzResource	makeAzResource(URI resource) Converts a resource, expressed as a URI, into a typed attributes collection.
AzSubject	makeAzSubject(Subject subject) Converts a Java Subject into a typed attributes collection.
boolean	removeAllAttributeResolvers() Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.
void	setAttributeResolvers(List<AzAttributeResolver> resolverList) Replaces the internal list of AttributeResolver instances with the given list.

Methods inherited from interface org.glassfish.security.services.api.SecurityService

initialize

Method Detail

isPermissionGranted

boolean isPermissionGranted(Subject subject,
                          Permission permission)

Determines whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object. This method is a high-level convenience method that tests for a Subject-based permission grant without reference to the AccessControlContext of the caller. In addition, this method isolates the query from the underlying Policy configuration model. It could, for example, multiplex queries across multiple instances of Policy configured in an implementation-specific way such that different threads, or different applications, query different Policy objects. The initial implementation simply delegates to the configured Policy as defined by Java SE.

Parameters:

subject - The Subject for which permission is being tested.

permission - The Permission being queried.

Returns:

True or false, depending on whether the specified Permission is granted to the Subject by the configured Policy.

Throws:

IllegalArgumentException - Given null or illegal subject or permission

isAuthorized

boolean isAuthorized(Subject subject,
                   URI resource)

Determines whether the given Subject is authorized to access the given resource, specified by a URI.

Parameters:

subject - The Subject being tested.

resource - URI of the resource being tested.

Returns:

True or false, depending on whether the access is authorized.

Throws:

IllegalArgumentException - Given null or illegal subject or resource

IllegalStateException - Service was not initialized.

isAuthorized

boolean isAuthorized(Subject subject,
                   URI resource,
                   String action)

Determines whether the given Subject is authorized to access the given resource, specified by a URI.

Parameters:

subject - The Subject being tested.

resource - URI of the resource being tested.

action - The action, with respect to the resource parameter, for which authorization is desired. To check authorization for all actions, action is represented by null or "*".

Returns:

True or false, depending on whether the access is authorized.

Throws:

IllegalArgumentException - Given null or illegal subject or resource

IllegalStateException - Service was not initialized.

getAuthorizationDecision

AzResult getAuthorizationDecision(AzSubject subject,
                                AzResource resource,
                                AzAction action)

The primary authorization method. The isAuthorized() methods call this method after converting their arguments into the appropriate attribute collection type. It returns a full AzResult, including authorization status, decision, and obligations. This method performs two steps prior to invoking the configured AuthorizationProvider to evaluate the request: First, it acquires the current AzEnvironment attributes by calling the Security Context service. Second, it calls the Role Mapping service to determine which roles the subject has, and adds the resulting role attributes into the AzSubject.

Parameters:

subject - The attributes collection representing the Subject for which an authorization decision is requested.

resource - The attributes collection representing the resource for which access is being requested.

action - The attributes collection representing the action, with respect to the resource, for which access is being requested. A null action is interpreted as all actions, however all actions may also be represented by the AzAction instance. See AzAction.

Returns:

The AzResult indicating the result of the access decision.

Throws:

IllegalArgumentException - Given null or illegal subject or resource

IllegalStateException - Service was not initialized.

makeAzSubject

AzSubject makeAzSubject(Subject subject)

Converts a Java Subject into a typed attributes collection.

Parameters:

subject - The Subject to convert.

Returns:

The resulting AzSubject.

Throws:

IllegalArgumentException - Given null or illegal subject

makeAzResource

AzResource makeAzResource(URI resource)

Converts a resource, expressed as a URI, into a typed attributes collection.

Query parameters in the given URI are appended to this AzResource instance attributes collection.

Parameters:

resource - The URI to convert.

Returns:

The resulting AzResource.

Throws:

IllegalArgumentException - Given null or illegal resource

makeAzAction

AzAction makeAzAction(String action)

Converts an action, expressed as a String, into a typed attributes collection.

Parameters:

action - The action to convert. null or "*" represents all actions.

Returns:

The resulting AzAction.

findOrCreateDeploymentContext

AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext(String appContext)

Finds an existing PolicyDeploymentContext, or create a new one if one does not already exist for the specified appContext. The context will be returned in an "open" state, and will stay that way until commit() or delete() is called.

Parameters:

appContext - The application context for which the PolicyDeploymentContext is desired.

Returns:

The resulting PolicyDeploymentContext, null if the configured providers do not support this feature.

Throws:

IllegalStateException - Service was not initialized.

appendAttributeResolver

boolean appendAttributeResolver(AzAttributeResolver resolver)

Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.

Parameters:

resolver - The AzAttributeResolver instance to append.

Returns:

true if the AzAttributeResolver was added, false if the AzAttributeResolver was already in the list.

Throws:

IllegalArgumentException - Given AzAttributeResolver was null.

setAttributeResolvers

void setAttributeResolvers(List<AzAttributeResolver> resolverList)

Replaces the internal list of AttributeResolver instances with the given list. If multiple equivalent instances exist in the given list, only the first such instance will be inserted.

Parameters:

resolverList - Replacement list of AzAttributeResolver instances

Throws:

IllegalArgumentException - Given AzAttributeResolver list was null.

getAttributeResolvers

List<AzAttributeResolver> getAttributeResolvers()

Determines the current list of AttributeResolver instances, in execution order.

Returns:

The current list of AttributeResolver instances, in execution order.

removeAllAttributeResolvers

boolean removeAllAttributeResolvers()

Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.

Returns:

true if any AttributeResolver instances were removed, false if the list was empty.