Package org.glassfish.security.services.impl.authorization

Class AuthorizationServiceImpl

java.lang.Object

org.glassfish.security.services.impl.authorization.AuthorizationServiceImpl

All Implemented Interfaces:

org.glassfish.hk2.api.PostConstruct, AuthorizationService, SecurityService

@Service
@Singleton
public final class AuthorizationServiceImpl
extends Object
implements AuthorizationService, org.glassfish.hk2.api.PostConstruct

AuthorizationServiceImpl implements AuthorizationService by delegating authorization decisions to configured org.glassfish.security.services.spi.AuthorizationProvider instances.

Nested Class Summary

Nested classes/interfaces inherited from interface org.glassfish.security.services.api.authorization.AuthorizationService

AuthorizationService.PolicyDeploymentContext

Constructor Summary

Constructors

Constructor	Description
AuthorizationServiceImpl()

Method Summary

Modifier and Type	Method	Description
boolean	appendAttributeResolver(AzAttributeResolver resolver)	Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.
AuthorizationService.PolicyDeploymentContext	findOrCreateDeploymentContext(String appContext)	Find an existing PolicyDeploymentContext, or create a new one if one does not already exist for the specified appContext.
List<AzAttributeResolver>	getAttributeResolvers()	Determines the current list of AttributeResolver instances, in execution order.
AzResult	getAuthorizationDecision(AzSubject subject, AzResource resource, AzAction action)	The primary authorization method.
void	initialize(SecurityConfiguration securityServiceConfiguration)	Initialize the security service instance with the specific security service configuration.
boolean	isAuthorized(Subject subject, URI resource)	Determine whether the given Subject is authorized to access the given resource, specified by a URI.
boolean	isAuthorized(Subject subject, URI resource, String action)	Determine whether the given Subject is authorized to access the given resource, specified by a URI.
boolean	isPermissionGranted(Subject subject, Permission permission)	Determine whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object.
AzAction	makeAzAction(String action)	Convert an action, expressed as a String, into a typed attributes collection.
AzResource	makeAzResource(URI resource)	Convert a resource, expressed as a URI, into a typed attributes collection.
AzSubject	makeAzSubject(Subject subject)	Convert a Java Subject into a typed attributes collection.
void	postConstruct()	Called when the instance has been created and the component is about to be place into commission.
boolean	removeAllAttributeResolvers()	Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.
void	setAttributeResolvers(List<AzAttributeResolver> resolverList)	Replaces the internal list of AttributeResolver instances with the given list.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

AuthorizationServiceImpl

public AuthorizationServiceImpl()

Method Details

initialize

public void initialize(SecurityConfiguration securityServiceConfiguration)

Initialize the security service instance with the specific security service configuration.

Specified by:

initialize in interface SecurityService

See Also:

• SecurityService.initialize(org.glassfish.security.services.config.SecurityConfiguration)

isPermissionGranted

public boolean isPermissionGranted(Subject subject,
 Permission permission)

Determine whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object. This method is a high-level convenience method that tests for a Subject-based permission grant without reference to the AccessControlContext of the caller. In addition, this method isolates the query from the underlying Policy configuration model. It could, for example, multiplex queries across multiple instances of Policy configured in an implementation-specific way such that different threads, or different applications, query different Policy objects. The initial implementation simply delegates to the configured Policy as defined by Java SE.

Specified by:

isPermissionGranted in interface AuthorizationService

Parameters:

subject - The Subject for which permission is being tested.

permission - The Permission being queried.

Returns:

True or false, depending on whether the specified Permission is granted to the Subject by the configured Policy.

Throws:

IllegalArgumentException - Given null or illegal subject or permission

See Also:

• AuthorizationService.isPermissionGranted(javax.security.auth.Subject, java.security.Permission)

isAuthorized

public boolean isAuthorized(Subject subject,
 URI resource)

Determine whether the given Subject is authorized to access the given resource, specified by a URI.

Specified by:

isAuthorized in interface AuthorizationService

Parameters:

subject - The Subject being tested.

resource - URI of the resource being tested.

Returns:

True or false, depending on whether the access is authorized.

Throws:

IllegalArgumentException - Given null or illegal subject or resource

IllegalStateException - Service was not initialized.

See Also:

• AuthorizationService.isAuthorized(javax.security.auth.Subject, java.net.URI)

isAuthorized

public boolean isAuthorized(Subject subject,
 URI resource,
 String action)

Determine whether the given Subject is authorized to access the given resource, specified by a URI.

Specified by:

isAuthorized in interface AuthorizationService

Parameters:

subject - The Subject being tested.

resource - URI of the resource being tested.

action - The action, with respect to the resource parameter, for which authorization is desired. To check authorization for all actions, action is represented by null or "*".

Returns:

True or false, depending on whether the access is authorized.

Throws:

IllegalArgumentException - Given null or illegal subject or resource

IllegalStateException - Service was not initialized.

See Also:

• AuthorizationService.isAuthorized(javax.security.auth.Subject, java.net.URI, String)

getAuthorizationDecision

public AzResult getAuthorizationDecision(AzSubject subject,
 AzResource resource,
 AzAction action)

The primary authorization method. The isAuthorized() methods call this method after converting their arguments into the appropriate attribute collection type. It returns a full AzResult, including authorization status, decision, and obligations. This method performs two steps prior to invoking the configured AuthorizationProvider to evaluate the request: First, it acquires the current AzEnvironment attributes by calling the Security Context service. Second, it calls the Role Mapping service to determine which roles the subject has, and adds the resulting role attributes into the AzSubject.

Specified by:

getAuthorizationDecision in interface AuthorizationService

Parameters:

subject - The attributes collection representing the Subject for which an authorization decision is requested.

resource - The attributes collection representing the resource for which access is being requested.

action - The attributes collection representing the action, with respect to the resource, for which access is being requested. A null action is interpreted as all actions, however all actions may also be represented by the AzAction instance. See AzAction.

Returns:

The AzResult indicating the result of the access decision.

Throws:

IllegalArgumentException - Given null or illegal subject or resource

IllegalStateException - Service was not initialized.

See Also:

• AuthorizationService.getAuthorizationDecision(org.glassfish.security.services.api.authorization.AzSubject, org.glassfish.security.services.api.authorization.AzResource, org.glassfish.security.services.api.authorization.AzAction)

makeAzSubject

public AzSubject makeAzSubject(Subject subject)

Convert a Java Subject into a typed attributes collection.

Specified by:

makeAzSubject in interface AuthorizationService

Parameters:

subject - The Subject to convert.

Returns:

The resulting AzSubject.

Throws:

IllegalArgumentException - Given null or illegal subject

See Also:

• AuthorizationService.makeAzSubject(javax.security.auth.Subject)

makeAzResource

public AzResource makeAzResource(URI resource)

Convert a resource, expressed as a URI, into a typed attributes collection.

Query parameters in the given URI are appended to this AzResource instance attributes collection.

Specified by:

makeAzResource in interface AuthorizationService

Parameters:

resource - The URI to convert.

Returns:

The resulting AzResource.

Throws:

IllegalArgumentException - Given null or illegal resource

See Also:

• AuthorizationService.makeAzResource(java.net.URI)

makeAzAction

public AzAction makeAzAction(String action)

Convert an action, expressed as a String, into a typed attributes collection.

Specified by:

makeAzAction in interface AuthorizationService

Parameters:

action - The action to convert. null or "*" represents all actions.

Returns:

The resulting AzAction.

See Also:

• AuthorizationService.makeAzAction(String)

findOrCreateDeploymentContext

public AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext(String appContext)

Find an existing PolicyDeploymentContext, or create a new one if one does not already exist for the specified appContext. The context will be returned in an "open" state, and will stay that way until commit() or delete() is called.

Specified by:

findOrCreateDeploymentContext in interface AuthorizationService

Parameters:

appContext - The application context for which the PolicyDeploymentContext is desired.

Returns:

The resulting PolicyDeploymentContext, null if the configured providers do not support this feature.

Throws:

IllegalStateException - Service was not initialized.

See Also:

• AuthorizationService.findOrCreateDeploymentContext(String)

postConstruct

public void postConstruct()

Called when the instance has been created and the component is about to be place into commission.

The component has been injected with any dependency and will be placed into commission by the subsystem.

Hk2 will catch all unchecked exceptions, and will consequently cause the backing inhabitant to be released.

Specified by:

postConstruct in interface org.glassfish.hk2.api.PostConstruct

See Also:

• PostConstruct.postConstruct()

appendAttributeResolver

public boolean appendAttributeResolver(AzAttributeResolver resolver)

Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.

Specified by:

appendAttributeResolver in interface AuthorizationService

Parameters:

resolver - The AzAttributeResolver instance to append.

Returns:

true if the AzAttributeResolver was added, false if the AzAttributeResolver was already in the list.

Throws:

IllegalArgumentException - Given AzAttributeResolver was null.

See Also:

• AuthorizationService.appendAttributeResolver(org.glassfish.security.services.api.authorization.AzAttributeResolver)

setAttributeResolvers

public void setAttributeResolvers(List<AzAttributeResolver> resolverList)

Replaces the internal list of AttributeResolver instances with the given list. If multiple equivalent instances exist in the given list, only the first such instance will be inserted.

Specified by:

setAttributeResolvers in interface AuthorizationService

Parameters:

resolverList - Replacement list of AzAttributeResolver instances

Throws:

IllegalArgumentException - Given AzAttributeResolver list was null.

See Also:

• AuthorizationService.setAttributeResolvers(java.util.List<org.glassfish.security.services.api.authorization.AzAttributeResolver>)

getAttributeResolvers

public List<AzAttributeResolver> getAttributeResolvers()

Determines the current list of AttributeResolver instances, in execution order.

Specified by:

getAttributeResolvers in interface AuthorizationService

Returns:

The current list of AttributeResolver instances, in execution order.

See Also:

• AuthorizationService.getAttributeResolvers()

removeAllAttributeResolvers

public boolean removeAllAttributeResolvers()

Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.

Specified by:

removeAllAttributeResolvers in interface AuthorizationService

Returns:

true if any AttributeResolver instances were removed, false if the list was empty.

See Also:

• AuthorizationService.removeAllAttributeResolvers()