Class AuthorizationServiceImpl

- java.lang.Object
  - org.glassfish.security.services.impl.authorization.AuthorizationServiceImpl

All Implemented Interfaces:
org.glassfish.hk2.api.PostConstruct, AuthorizationService, SecurityService

@Service @Singleton public final class AuthorizationServiceImpl extends Object implements AuthorizationService, org.glassfish.hk2.api.PostConstruct

AuthorizationServiceImpl implements AuthorizationService by delegating authorization decisions to configured org.glassfish.security.services.spi.AuthorizationProvider instances.
Nested Class Summary

Nested classes/interfaces inherited from interface org.glassfish.security.services.api.authorization.AuthorizationService:
- AuthorizationService.PolicyDeploymentContext

Constructor Summary

- AuthorizationServiceImpl()
Method Summary

All methods are concrete instance methods.

- boolean appendAttributeResolver(AzAttributeResolver resolver)
  Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on AzAttributeResolver#equals.
- AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext(String appContext)
  Find an existing PolicyDeploymentContext, or create a new one if one does not already exist for the specified appContext.
- List<AzAttributeResolver> getAttributeResolvers()
  Determines the current list of AttributeResolver instances, in execution order.
- AzResult getAuthorizationDecision(AzSubject subject, AzResource resource, AzAction action)
  The primary authorization method.
- void initialize(SecurityConfiguration securityServiceConfiguration)
  Initialize the security service instance with the specific security service configuration.
- boolean isAuthorized(Subject subject, URI resource)
  Determine whether the given Subject is authorized to access the given resource, specified by a URI.
- boolean isAuthorized(Subject subject, URI resource, String action)
  Determine whether the given Subject is authorized to access the given resource, specified by a URI.
- boolean isPermissionGranted(Subject subject, Permission permission)
  Determine whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object.
- AzAction makeAzAction(String action)
  Convert an action, expressed as a String, into a typed attributes collection.
- AzResource makeAzResource(URI resource)
  Convert a resource, expressed as a URI, into a typed attributes collection.
- AzSubject makeAzSubject(Subject subject)
  Convert a Java Subject into a typed attributes collection.
- void postConstruct()
  Called when the instance has been created and the component is about to be placed into commission.
- boolean removeAllAttributeResolvers()
  Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.
- void setAttributeResolvers(List<AzAttributeResolver> resolverList)
  Replaces the internal list of AttributeResolver instances with the given list.
Method Detail

initialize
public void initialize(SecurityConfiguration securityServiceConfiguration)
Initialize the security service instance with the specific security service configuration.
- Specified by: initialize in interface SecurityService
- Parameters:
  securityServiceConfiguration
- See Also: SecurityService.initialize(org.glassfish.security.services.config.SecurityConfiguration)

isPermissionGranted
public boolean isPermissionGranted(Subject subject, Permission permission)
Determine whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object. This method is a high-level convenience method that tests for a Subject-based permission grant without reference to the AccessControlContext of the caller. In addition, this method isolates the query from the underlying Policy configuration model. It could, for example, multiplex queries across multiple instances of Policy configured in an implementation-specific way such that different threads, or different applications, query different Policy objects. The initial implementation simply delegates to the configured Policy as defined by Java SE.
- Specified by: isPermissionGranted in interface AuthorizationService
- Parameters:
  subject - The Subject for which permission is being tested.
  permission - The Permission being queried.
- Returns: True or false, depending on whether the specified Permission is granted to the Subject by the configured Policy.
- Throws: IllegalArgumentException - Given null or illegal subject or permission
- See Also: AuthorizationService.isPermissionGranted(javax.security.auth.Subject, java.security.Permission)

isAuthorized
public boolean isAuthorized(Subject subject, URI resource)
Determine whether the given Subject is authorized to access the given resource, specified by a URI.
- Specified by: isAuthorized in interface AuthorizationService
- Parameters:
  subject - The Subject being tested.
  resource - URI of the resource being tested.
- Returns: True or false, depending on whether the access is authorized.
- Throws:
  IllegalArgumentException - Given null or illegal subject or resource
  IllegalStateException - Service was not initialized.
- See Also: AuthorizationService.isAuthorized(javax.security.auth.Subject, java.net.URI)

isAuthorized
public boolean isAuthorized(Subject subject, URI resource, String action)
Determine whether the given Subject is authorized to access the given resource, specified by a URI.
- Specified by: isAuthorized in interface AuthorizationService
- Parameters:
  subject - The Subject being tested.
  resource - URI of the resource being tested.
  action - The action, with respect to the resource parameter, for which authorization is desired. To check authorization for all actions, action is represented by null or "*".
- Returns: True or false, depending on whether the access is authorized.
- Throws:
  IllegalArgumentException - Given null or illegal subject or resource
  IllegalStateException - Service was not initialized.
- See Also: AuthorizationService.isAuthorized(javax.security.auth.Subject, java.net.URI, String)

getAuthorizationDecision
public AzResult getAuthorizationDecision(AzSubject subject, AzResource resource, AzAction action)
The primary authorization method. The isAuthorized() methods call this method after converting their arguments into the appropriate attribute collection type. It returns a full AzResult, including authorization status, decision, and obligations. This method performs two steps prior to invoking the configured AuthorizationProvider to evaluate the request: First, it acquires the current AzEnvironment attributes by calling the Security Context service. Second, it calls the Role Mapping service to determine which roles the subject has, and adds the resulting role attributes into the AzSubject.
- Specified by: getAuthorizationDecision in interface AuthorizationService
- Parameters:
  subject - The attributes collection representing the Subject for which an authorization decision is requested.
  resource - The attributes collection representing the resource for which access is being requested.
  action - The attributes collection representing the action, with respect to the resource, for which access is being requested. A null action is interpreted as all actions, however all actions may also be represented by the AzAction instance. See AzAction.
- Returns: The AzResult indicating the result of the access decision.
- Throws:
  IllegalArgumentException - Given null or illegal subject or resource
  IllegalStateException - Service was not initialized.
- See Also: AuthorizationService.getAuthorizationDecision(org.glassfish.security.services.api.authorization.AzSubject, org.glassfish.security.services.api.authorization.AzResource, org.glassfish.security.services.api.authorization.AzAction)

makeAzSubject
public AzSubject makeAzSubject(Subject subject)
Convert a Java Subject into a typed attributes collection.
- Specified by: makeAzSubject in interface AuthorizationService
- Parameters:
  subject - The Subject to convert.
- Returns: The resulting AzSubject.
- Throws: IllegalArgumentException - Given null or illegal subject
- See Also: AuthorizationService.makeAzSubject(javax.security.auth.Subject)

makeAzResource
public AzResource makeAzResource(URI resource)
Convert a resource, expressed as a URI, into a typed attributes collection. Query parameters in the given URI are appended to this AzResource instance's attributes collection.
- Specified by: makeAzResource in interface AuthorizationService
- Parameters:
  resource - The URI to convert.
- Returns: The resulting AzResource.
- Throws: IllegalArgumentException - Given null or illegal resource
- See Also: AuthorizationService.makeAzResource(java.net.URI)

makeAzAction
public AzAction makeAzAction(String action)
Convert an action, expressed as a String, into a typed attributes collection.
- Specified by: makeAzAction in interface AuthorizationService
- Parameters:
  action - The action to convert. null or "*" represents all actions.
- Returns: The resulting AzAction.
- See Also: AuthorizationService.makeAzAction(String)
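The following is an added example, not code from GlassFish: a caller-side guard that consumes this service the way the isPermissionGranted, isAuthorized, getAuthorizationDecision and make* entries above describe. The class name ResourceGuard, the constructed principal and URI, and the enum constant names AzResult.Status.OK and AzResult.Decision.PERMIT are assumptions; the service instance itself is injected or looked up from HK2 by the caller.

```java
import java.net.URI;
import java.security.Permission;
import java.security.Principal;
import java.util.logging.Logger;

import javax.security.auth.Subject;

import org.glassfish.security.services.api.authorization.AuthorizationService;
import org.glassfish.security.services.api.authorization.AzAction;
import org.glassfish.security.services.api.authorization.AzResource;
import org.glassfish.security.services.api.authorization.AzResult;
import org.glassfish.security.services.api.authorization.AzSubject;

/**
 * Added example (not GlassFish code): a guard around the AuthorizationService.
 * The service is obtained by the caller (HK2 injection or lookup); this class
 * only shows how to consume it so that every failure path denies access.
 */
public final class ResourceGuard {

    private static final Logger LOG = Logger.getLogger(ResourceGuard.class.getName());

    private final AuthorizationService authz;

    public ResourceGuard(AuthorizationService authz) {
        if (authz == null) {
            throw new IllegalArgumentException("authz must not be null");
        }
        this.authz = authz;
    }

    /**
     * Coarse yes/no check for one action. The service throws
     * IllegalArgumentException for bad input and IllegalStateException when it
     * was never initialized; both are mapped to "deny" so the caller fails
     * closed instead of leaking an exception into business logic.
     */
    public boolean canPerform(Subject subject, URI resource, String action) {
        try {
            return authz.isAuthorized(subject, resource, action);
        } catch (IllegalArgumentException | IllegalStateException e) {
            LOG.warning("authorization check failed, denying: " + e);
            return false;
        }
    }

    /**
     * Full decision via the primary method. The make* calls are the same
     * conversions isAuthorized() performs internally; makeAzResource() also
     * turns the URI's query parameters into resource attributes.
     */
    public AzResult decide(Subject subject, URI resource, String action) {
        AzSubject azSubject = authz.makeAzSubject(subject);
        AzResource azResource = authz.makeAzResource(resource);
        AzAction azAction = authz.makeAzAction(action); // null or "*" means all actions
        return authz.getAuthorizationDecision(azSubject, azResource, azAction);
    }

    /**
     * Conservative reading of an AzResult: only status OK combined with a
     * PERMIT decision grants access. The constant names OK and PERMIT
     * (AzResult.Status / AzResult.Decision) are assumed here; anything else,
     * including a null result, is treated as deny.
     */
    public static boolean isPermit(AzResult result) {
        return result != null
                && result.getStatus() == AzResult.Status.OK
                && result.getDecision() == AzResult.Decision.PERMIT;
    }

    /** Subject-based Permission check that ignores the caller's AccessControlContext. */
    public boolean hasPermission(Subject subject, Permission permission) {
        try {
            return authz.isPermissionGranted(subject, permission);
        } catch (IllegalArgumentException e) {
            LOG.warning("permission check rejected its input, denying: " + e);
            return false;
        }
    }

    /** Constructed sample call: principal "alice" asking to read a tenant-scoped resource. */
    public static boolean sampleCheck(ResourceGuard guard) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new Principal() {        // constructed principal
            @Override public String getName() { return "alice"; }
        });
        // Constructed URI; "tenant=acme" becomes an attribute of the AzResource.
        URI resource = URI.create("resource:///orders/42?tenant=acme");
        AzResult result = guard.decide(subject, resource, "read");
        return isPermit(result);
    }
}
```

The point of isPermit() is that a status other than OK (for example a missing attribute or a processing error in the provider) never becomes a grant; callers that only read getDecision() can be fooled by an INDETERMINATE or NOT_APPLICABLE result if their branch logic defaults to allow.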

findOrCreateDeploymentContext
public AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext(String appContext)
Find an existing PolicyDeploymentContext, or create a new one if one does not already exist for the specified appContext. The context will be returned in an "open" state, and will stay that way until commit() or delete() is called.
- Specified by: findOrCreateDeploymentContext in interface AuthorizationService
- Parameters:
  appContext - The application context for which the PolicyDeploymentContext is desired.
- Returns: The resulting PolicyDeploymentContext, null if the configured providers do not support this feature.
- Throws: IllegalStateException - Service was not initialized.
- See Also: AuthorizationService.findOrCreateDeploymentContext(String)

postConstruct
public void postConstruct()
Called when the instance has been created and the component is about to be placed into commission. The component has been injected with any dependency and will be placed into commission by the subsystem.
Hk2 will catch all unchecked exceptions, and will consequently cause the backing inhabitant to be released.
- Specified by: postConstruct in interface org.glassfish.hk2.api.PostConstruct
- See Also: PostConstruct.postConstruct()

appendAttributeResolver
public boolean appendAttributeResolver(AzAttributeResolver resolver)
Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on AzAttributeResolver#equals.
- Specified by: appendAttributeResolver in interface AuthorizationService
- Parameters:
  resolver - The AzAttributeResolver instance to append.
- Returns: true if the AzAttributeResolver was added, false if the AzAttributeResolver was already in the list.
- Throws: IllegalArgumentException - Given AzAttributeResolver was null.
- See Also: AuthorizationService.appendAttributeResolver(org.glassfish.security.services.api.authorization.AzAttributeResolver)

setAttributeResolvers
public void setAttributeResolvers(List<AzAttributeResolver> resolverList)
Replaces the internal list of AttributeResolver instances with the given list. If multiple equivalent instances exist in the given list, only the first such instance will be inserted.
- Specified by: setAttributeResolvers in interface AuthorizationService
- Parameters:
  resolverList - Replacement list of AzAttributeResolver instances
- Throws: IllegalArgumentException - Given AzAttributeResolver list was null.
- See Also: AuthorizationService.setAttributeResolvers(java.util.List<org.glassfish.security.services.api.authorization.AzAttributeResolver>)

getAttributeResolvers
public List<AzAttributeResolver> getAttributeResolvers()
Determines the current list of AttributeResolver instances, in execution order.
- Specified by: getAttributeResolvers in interface AuthorizationService
- Returns: The current list of AttributeResolver instances, in execution order.
- See Also: AuthorizationService.getAttributeResolvers()

removeAllAttributeResolvers
public boolean removeAllAttributeResolvers()
Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.
- Specified by: removeAllAttributeResolvers in interface AuthorizationService
- Returns: true if any AttributeResolver instances were removed, false if the list was empty.
- See Also: AuthorizationService.removeAllAttributeResolvers()
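The following is an added example, not GlassFish code, covering the appendAttributeResolver, setAttributeResolvers, getAttributeResolvers and removeAllAttributeResolvers entries above: a resolver that supplies a "department" attribute for the subject from a constructed in-memory directory, together with the registration sequence whose return values those entries document. Assumed, because they are not on this page: the AzAttributeResolver SPI method `boolean resolve(String attributeName, AzAttributes collection, AzEnvironment environment)`, `AzAttributes.addAttribute(name, value, replace)`, and `AzSubject.getSubject()` returning the wrapped javax.security.auth.Subject; the class name DepartmentResolver and the directory contents are constructed.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;

import org.glassfish.security.services.api.authorization.AuthorizationService;
import org.glassfish.security.services.api.authorization.AzAttributeResolver;
import org.glassfish.security.services.api.authorization.AzAttributes;
import org.glassfish.security.services.api.authorization.AzEnvironment;
import org.glassfish.security.services.api.authorization.AzSubject;

/**
 * Added example (not GlassFish code). Resolves a "department" attribute for
 * the subject. The resolve() signature, addAttribute(name, value, replace)
 * and AzSubject.getSubject() are assumed from the SPI, not taken from this page.
 */
public final class DepartmentResolver implements AzAttributeResolver {

    // Constructed sample data; a real resolver would consult LDAP or a database.
    private static final Map<String, String> DIRECTORY = new HashMap<String, String>();
    static {
        DIRECTORY.put("alice", "finance");
        DIRECTORY.put("bob", "engineering");
    }

    /** Identity used by equals(); the service de-duplicates resolvers on it. */
    private final String id;

    public DepartmentResolver(String id) {
        if (id == null) {
            throw new IllegalArgumentException("id must not be null");
        }
        this.id = id;
    }

    @Override
    public boolean resolve(String attributeName, AzAttributes collection, AzEnvironment environment) {
        // Only answer for the attribute this resolver owns, and only on subject collections.
        if (!"department".equals(attributeName) || !(collection instanceof AzSubject)) {
            return false;
        }
        Subject subject = ((AzSubject) collection).getSubject();
        if (subject == null) {
            return false;
        }
        for (Principal p : subject.getPrincipals()) {
            String dept = DIRECTORY.get(p.getName());
            if (dept != null) {
                // replace=true so a stale value left by an earlier resolver cannot linger
                collection.addAttribute("department", dept, true);
                return true;
            }
        }
        // Unknown principal: report "not resolved" instead of guessing, so the
        // provider sees a missing attribute rather than a fabricated department.
        return false;
    }

    @Override
    public boolean equals(Object o) {
        return o instanceof DepartmentResolver && id.equals(((DepartmentResolver) o).id);
    }

    @Override
    public int hashCode() {
        return id.hashCode();
    }

    /** Registration sequence; the comments give the return values the page documents. */
    public static List<AzAttributeResolver> register(AuthorizationService authz) {
        AzAttributeResolver dept = new DepartmentResolver("department");
        boolean added = authz.appendAttributeResolver(dept);                          // true: newly added
        boolean dup = authz.appendAttributeResolver(new DepartmentResolver("department")); // false: equals() matches
        // setAttributeResolvers keeps only the first of equivalent instances.
        authz.setAttributeResolvers(Arrays.asList(dept, dept));
        List<AzAttributeResolver> current = authz.getAttributeResolvers();            // one entry, execution order
        if (!added || dup || current.size() != 1) {
            throw new IllegalStateException("unexpected resolver list state");
        }
        return current;
    }

    /** Clears the chain; true if anything was removed, false if it was already empty. */
    public static boolean reset(AuthorizationService authz) {
        return authz.removeAllAttributeResolvers();
    }
}
```

Because the resolver list is consulted in execution order and de-duplicated by equals(), a resolver that defines equals() on a stable identity (as above) can be re-registered idempotently at startup; one that inherits Object.equals() would be appended again on every call and run more than once per decision.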