org.jboss.as.controller.access.rbac

Class StandardRBACAuthorizer

java.lang.Object

org.jboss.as.controller.access.permission.ManagementPermissionAuthorizer

org.jboss.as.controller.access.rbac.StandardRBACAuthorizer

All Implemented Interfaces:

Authorizer

public final class StandardRBACAuthorizer
extends ManagementPermissionAuthorizer

Standard Authorizer implementation that uses a provided RoleMapper to construct a DefaultPermissionFactory, with that permission factory used for the permissions used by the superclass implementation.

Also supports the allowed roles being specified via a roles operation-header in the top level operation whose value is the name of a role or a DMR list of strings each of which is the name of a role.

This operation-header based approach is only secure to the extent the clients using it are secure. To use this approach the client must authenticate, and the underlying. So, by adding the roles operation-header to the request the client can only reduce its privileges, not increase them.

Author:

Brian Stansberry (c) 2013 Red Hat Inc.

Nested Class Summary

Nested classes/interfaces inherited from interface org.jboss.as.controller.access.Authorizer

Authorizer.AuthorizerDescription

Field Summary

Fields

Modifier and Type	Field and Description
static Authorizer.AuthorizerDescription	AUTHORIZER_DESCRIPTION

Method Summary

Modifier and Type	Method and Description
static StandardRBACAuthorizer	create(AuthorizerConfiguration configuration, RoleMapper roleMapper)
Set<String>	getCallerRoles(Caller caller, Environment callEnvironment, Set<String> runAsRoles) Gets the set of roles the caller can run as taking into account any requested 'run as' roles.
Authorizer.AuthorizerDescription	getDescription() Gets a description of the characteristics of this authorizer
void	shutdown()

Methods inherited from class org.jboss.as.controller.access.permission.ManagementPermissionAuthorizer

authorize, authorize, authorizeJmxOperation

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

AUTHORIZER_DESCRIPTION

public static final Authorizer.AuthorizerDescription AUTHORIZER_DESCRIPTION

Method Detail

create

public static StandardRBACAuthorizer create(AuthorizerConfiguration configuration,
                                            RoleMapper roleMapper)

getCallerRoles

public Set<String> getCallerRoles(Caller caller,
                                  Environment callEnvironment,
                                  Set<String> runAsRoles)

Description copied from interface: Authorizer

Gets the set of roles the caller can run as taking into account any requested 'run as' roles.

Specified by:

getCallerRoles in interface Authorizer

Overrides:

getCallerRoles in class ManagementPermissionAuthorizer

Parameters:

caller - the caller. Cannot be null

callEnvironment - the call environment. Cannot be null

runAsRoles - any requested 'run as' roles. May be null

Returns:

The set of roles assigned to the caller; an empty set will be returned if no roles are assigned or null will be returned if the access control provider does not support role mapping.

getDescription

public Authorizer.AuthorizerDescription getDescription()

Description copied from interface: Authorizer

Gets a description of the characteristics of this authorizer

Specified by:

getDescription in interface Authorizer

Overrides:

getDescription in class ManagementPermissionAuthorizer

Returns:

the description. Cannot be null

shutdown

public void shutdown()