org.jboss.as.controller.access.management

Class WritableAuthorizerConfiguration

java.lang.Object

org.jboss.as.controller.access.management.WritableAuthorizerConfiguration

All Implemented Interfaces:

AuthorizerConfiguration, AccessConstraintUtilizationRegistry

public class WritableAuthorizerConfiguration
extends Object
implements AuthorizerConfiguration, AccessConstraintUtilizationRegistry

Standard AuthorizerConfiguration implementation that also exposes mutator APIs for use by the WildFly management layer.

Author:

Brian Stansberry (c) 2013 Red Hat Inc.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	WritableAuthorizerConfiguration.MatchType Types of matching strategies used in org.jboss.as.controller.access.Caller to AuthorizerConfiguration.RoleMapping mapping.

Nested classes/interfaces inherited from interface org.jboss.as.controller.access.AuthorizerConfiguration

AuthorizerConfiguration.MappingPrincipal, AuthorizerConfiguration.PrincipalType, AuthorizerConfiguration.RoleMapping, AuthorizerConfiguration.ScopedRole, AuthorizerConfiguration.ScopedRoleListener

Constructor Summary

Constructors

Constructor and Description
WritableAuthorizerConfiguration(Authorizer.AuthorizerDescription authorizerDescription)

Method Summary

Modifier and Type	Method and Description
void	addRoleMapping(String roleName) Adds a new role to the list of defined roles.
void	addRoleMappingImmediate(String roleName)
boolean	addRoleMappingPrincipal(String roleName, AuthorizerConfiguration.PrincipalType principalType, WritableAuthorizerConfiguration.MatchType matchType, String name, String realm, boolean immediate)
void	addScopedRole(AuthorizerConfiguration.ScopedRole toAdd)
AuthorizerConfiguration.MappingPrincipal	createPrincipal(AuthorizerConfiguration.PrincipalType principalType, String name, String realm)
Map<PathAddress,AccessConstraintUtilization>	getAccessConstraintUtilizations(AccessConstraintKey accessConstraintKey)
Set<String>	getAllRoles() Gets the names of the all roles used by the authorizer, including both built-in roles and roles added via end user configuration.
CombinationPolicy	getPermissionCombinationPolicy() Gets the policy for combining access control permissions when the configuration grants the user more than one type of permission for a given action.
Map<String,AuthorizerConfiguration.RoleMapping>	getRoleMappings() Gets the configured role mappings, keyed by the name of the role.
Map<String,AuthorizerConfiguration.ScopedRole>	getScopedRoles() Gets the configured scoped roles, keyed by the name of the role.
Set<String>	getStandardRoles() Gets the names of the "standard" "built-in" roles used by the authorizer.
boolean	hasRole(String roleName) Gets whether the current set of roles contains the given role, with the check performed using a case-insensitive algorithm.
boolean	isMapUsingIdentityRoles() Gets whether role mapping should use roles obtained from the SecurityIdentity.
boolean	isNonFacadeMBeansSensitive() Gets whether JMX calls to non-facade mbeans (i.e.
boolean	isRoleBased() Gets whether the authorizer uses a role-based authorization mechanism.
void	registerAccessConstraintAttributeUtilization(AccessConstraintKey key, PathAddress address, String attribute)
void	registerAccessConstraintOperationUtilization(AccessConstraintKey key, PathAddress address, String operation)
void	registerAccessConstraintResourceUtilization(AccessConstraintKey key, PathAddress address)
void	registerScopedRoleListener(AuthorizerConfiguration.ScopedRoleListener listener) Register a listener for changes in the configured scoped roles.
Object	removeRoleMapping(String roleName) Remove a role from the list of defined roles.
boolean	removeRoleMappingPrincipal(String roleName, AuthorizerConfiguration.PrincipalType principalType, WritableAuthorizerConfiguration.MatchType matchType, String name, String realm)
void	removeScopedRole(String toRemove)
void	reset() Reset the internal state of this object back to what it originally was.
void	setPermissionCombinationPolicy(CombinationPolicy combinationPolicy)
void	setRoleMappingIncludeAll(String roleName, boolean includeAll)
void	setUseIdentityRoles(boolean useIdentityRoles)
boolean	undoRoleMappingRemove(Object removalKey) Undo a prior removal using the supplied undo key.
void	unregisterAccessConstraintUtilizations(PathAddress address)
void	unregisterScopedRoleListener(AuthorizerConfiguration.ScopedRoleListener listener) Unregister a listener for changes in the configured scoped roles.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

WritableAuthorizerConfiguration

public WritableAuthorizerConfiguration(Authorizer.AuthorizerDescription authorizerDescription)

Method Detail

reset

public void reset()

Reset the internal state of this object back to what it originally was. Used then reloading a server or in a slave host controller following a post-boot reconnect to the master.

registerScopedRoleListener

public void registerScopedRoleListener(AuthorizerConfiguration.ScopedRoleListener listener)

Description copied from interface: AuthorizerConfiguration

Register a listener for changes in the configured scoped roles.

Specified by:

registerScopedRoleListener in interface AuthorizerConfiguration

Parameters:

listener - the listener. Cannot be null

unregisterScopedRoleListener

public void unregisterScopedRoleListener(AuthorizerConfiguration.ScopedRoleListener listener)

Description copied from interface: AuthorizerConfiguration

Unregister a listener for changes in the configured scoped roles.

Specified by:

unregisterScopedRoleListener in interface AuthorizerConfiguration

Parameters:

listener - the listener. Cannot be null

getPermissionCombinationPolicy

public CombinationPolicy getPermissionCombinationPolicy()

Description copied from interface: AuthorizerConfiguration

Gets the policy for combining access control permissions when the configuration grants the user more than one type of permission for a given action. For example, in the standard WildFly access control system, a user may map to more than one role. This property would control how the permissions associated with those roles should be combined to make access control decisions.

Specified by:

getPermissionCombinationPolicy in interface AuthorizerConfiguration

Returns:

the combination policy. Will not be null.

isRoleBased

public boolean isRoleBased()

Description copied from interface: AuthorizerConfiguration

Gets whether the authorizer uses a role-based authorization mechanism.

Specified by:

isRoleBased in interface AuthorizerConfiguration

Returns:

true if a role-based mechanism is used; false if not

isMapUsingIdentityRoles

public boolean isMapUsingIdentityRoles()

Description copied from interface: AuthorizerConfiguration

Gets whether role mapping should use roles obtained from the SecurityIdentity. Any configured exclusions are still checked. The configured inclusions will also be checked meaning additional roles may also be granted.

Specified by:

isMapUsingIdentityRoles in interface AuthorizerConfiguration

Returns:

true if role

getStandardRoles

public Set<String> getStandardRoles()

Description copied from interface: AuthorizerConfiguration

Gets the names of the "standard" "built-in" roles used by the authorizer. A built-in role requires no end user configuration.

Specified by:

getStandardRoles in interface AuthorizerConfiguration

Returns:

the standard role names. Will not be null, but may be an empty set if roles are not used or no built-in roles are used.

getScopedRoles

public Map<String,AuthorizerConfiguration.ScopedRole> getScopedRoles()

Description copied from interface: AuthorizerConfiguration

Gets the configured scoped roles, keyed by the name of the role.

Specified by:

getScopedRoles in interface AuthorizerConfiguration

Returns:

the scoped roles. Will not be null

getAllRoles

public Set<String> getAllRoles()

Description copied from interface: AuthorizerConfiguration

Gets the names of the all roles used by the authorizer, including both built-in roles and roles added via end user configuration.

Specified by:

getAllRoles in interface AuthorizerConfiguration

Returns:

the role names. Will not be null, but may be an empty set if roles are not used or no built-in roles are used and no end user configured roles exist.

hasRole

public boolean hasRole(String roleName)

Description copied from interface: AuthorizerConfiguration

Gets whether the current set of roles contains the given role, with the check performed using a case-insensitive algorithm.

Specified by:

hasRole in interface AuthorizerConfiguration

Parameters:

roleName - the name of the role

Returns:

true if the current role set includes an item that equals ignoring case the given roleName

getRoleMappings

public Map<String,AuthorizerConfiguration.RoleMapping> getRoleMappings()

Description copied from interface: AuthorizerConfiguration

Gets the configured role mappings, keyed by the name of the role.

Specified by:

getRoleMappings in interface AuthorizerConfiguration

Returns:

the role mappings. Will not be null

setUseIdentityRoles

public void setUseIdentityRoles(boolean useIdentityRoles)

addScopedRole

public void addScopedRole(AuthorizerConfiguration.ScopedRole toAdd)

removeScopedRole

public void removeScopedRole(String toRemove)

isNonFacadeMBeansSensitive

public boolean isNonFacadeMBeansSensitive()

Description copied from interface: AuthorizerConfiguration

Gets whether JMX calls to non-facade mbeans (i.e. those that result in invocations to Authorizer#authorizeJmxOperation(Caller, Environment, JmxAction)) should be treated as 'sensitive'.

Specified by:

isNonFacadeMBeansSensitive in interface AuthorizerConfiguration

Returns:

true if non-facade mbean calls are sensitive; false otherwise

addRoleMappingImmediate

public void addRoleMappingImmediate(String roleName)

addRoleMapping

public void addRoleMapping(String roleName)

Adds a new role to the list of defined roles.

Parameters:

roleName - - The name of the role being added.

removeRoleMapping

public Object removeRoleMapping(String roleName)

Remove a role from the list of defined roles.

Parameters:

roleName - - The name of the role to be removed.

Returns:

A key that can be used to undo the removal.

undoRoleMappingRemove

public boolean undoRoleMappingRemove(Object removalKey)

Undo a prior removal using the supplied undo key.

Parameters:

removalKey - - The key returned from the call to removeRoleMapping.

Returns:

true if the undo was successful, false otherwise.

setRoleMappingIncludeAll

public void setRoleMappingIncludeAll(String roleName,
                                     boolean includeAll)

addRoleMappingPrincipal

public boolean addRoleMappingPrincipal(String roleName,
                                       AuthorizerConfiguration.PrincipalType principalType,
                                       WritableAuthorizerConfiguration.MatchType matchType,
                                       String name,
                                       String realm,
                                       boolean immediate)

removeRoleMappingPrincipal

public boolean removeRoleMappingPrincipal(String roleName,
                                          AuthorizerConfiguration.PrincipalType principalType,
                                          WritableAuthorizerConfiguration.MatchType matchType,
                                          String name,
                                          String realm)

createPrincipal

public AuthorizerConfiguration.MappingPrincipal createPrincipal(AuthorizerConfiguration.PrincipalType principalType,
                                                                String name,
                                                                String realm)

setPermissionCombinationPolicy

public void setPermissionCombinationPolicy(CombinationPolicy combinationPolicy)

getAccessConstraintUtilizations

public Map<PathAddress,AccessConstraintUtilization> getAccessConstraintUtilizations(AccessConstraintKey accessConstraintKey)

Specified by:

getAccessConstraintUtilizations in interface AccessConstraintUtilizationRegistry

registerAccessConstraintResourceUtilization

public void registerAccessConstraintResourceUtilization(AccessConstraintKey key,
                                                        PathAddress address)

Specified by:

registerAccessConstraintResourceUtilization in interface AccessConstraintUtilizationRegistry

registerAccessConstraintAttributeUtilization

public void registerAccessConstraintAttributeUtilization(AccessConstraintKey key,
                                                         PathAddress address,
                                                         String attribute)

Specified by:

registerAccessConstraintAttributeUtilization in interface AccessConstraintUtilizationRegistry

registerAccessConstraintOperationUtilization

public void registerAccessConstraintOperationUtilization(AccessConstraintKey key,
                                                         PathAddress address,
                                                         String operation)

Specified by:

registerAccessConstraintOperationUtilization in interface AccessConstraintUtilizationRegistry

unregisterAccessConstraintUtilizations

public void unregisterAccessConstraintUtilizations(PathAddress address)

Specified by:

unregisterAccessConstraintUtilizations in interface AccessConstraintUtilizationRegistry