Package com.sun.enterprise.security.jacc

Class JaccWebAuthorizationManager

  • public class JaccWebAuthorizationManager
extends Object
    This class is the entry point for authorization decisions in the web container. It implements JACC, the JSR 115 - JavaTM Authorization Contract for Containers. This class is a companion class of EJBSecurityManager.

    All the authorization decisions required to allow access to a resource in the web container should happen via this class.

    Note that according to the JACC specification, for the actual authorization decision we delegate our queries to a JACC aware Policy, which is pluggable (can be replaced by the user).

    Author:
    Jean-Francois Arcand, Harpreet Singh., Ondro Mihalyi

    • Field Detail

      • CONSTRAINT_URI

        public static final String CONSTRAINT_URI
        Request path. Copied from org.apache.catalina.Globals; Required to break dependence on WebTier of Security Module
        See Also:
        Constant Field Values

      • policy

        protected Policy policy

      • policyConfigurationFactory

        protected jakarta.security.jacc.PolicyConfigurationFactory policyConfigurationFactory

      • policyConfiguration

        protected jakarta.security.jacc.PolicyConfiguration policyConfiguration

    • Constructor Detail

      • JaccWebAuthorizationManager

        public JaccWebAuthorizationManager​(WebBundleDescriptor webBundleDescriptor,
                                   ServerContext serverContext,
                                   WebSecurityManagerFactory webSecurityManagerFactory,
                                   boolean register)
                            throws jakarta.security.jacc.PolicyContextException
        Throws:
        jakarta.security.jacc.PolicyContextException

    • Method Detail

      • hasNoConstrainedResources

        public boolean hasNoConstrainedResources()
        This method returns true to indicate that a policy check was made and there were no constrained resources.

        When caching is disabled must always return false, which will ensure that policy is consulted to authorize each request.

        Returns:
        true when there are no constrained resources, false otherwise

      • hasUserDataPermission

        public int hasUserDataPermission​(jakarta.servlet.http.HttpServletRequest servletRequest,
                                 String uri,
                                 String httpMethod)
        Checks if for the given request and the given request URI and method are the target of any user-data-constraint with a and whether any such constraint is already satisfied.

        if uri == null, determine if the connection characteristics of the request satisfy the applicable policy. If the uri is not null, determine if the uri and Http method require a CONFIDENTIAL transport. The uri value does not include the context path, and any colons occurring in the uri must be escaped.

        Note: this method is not intended to be called if the request is secure. It checks whether the resource can be accessed over the current connection type (which is presumed to be insecure), and if an insecure connection type is not permitted it checks if the resource can be accessed via a confidential transport.

        If the request is secure, the second check is skipped, and the proper result is returned (but that is not the intended use model).

        Parameters:
        servletRequest - the request that may be redirected
        uri - the request URI (minus the context path) to check
        method - the request method to check
        Returns:
        1 if access is permitted (as is or without SSL). -1 if the the access will be permitted after a redirect to SSL. return 0 if access will be denied independent of whether a redirect to SSL is done.

      • isPermitAll

        public boolean isPermitAll​(jakarta.servlet.http.HttpServletRequest request)

      • hasResourcePermission

        public boolean hasResourcePermission​(jakarta.servlet.http.HttpServletRequest servletRequest)
        Perform access control based on the HttpServletRequest. Return true if this constraint is satisfied and processing should continue, or false otherwise.
        Returns:
        true is the resource is granted, false if denied

      • hasRoleRefPermission

        public boolean hasRoleRefPermission​(String servletName,
                                    String role,
                                    Principal principal)
        Return true if the specified servletName has the specified security role, within the context of the WebRoleRefPermission; otherwise return false.
        Parameters:
        servletName - the resource's name
        role - Security role to be checked
        principal - Principal for whom the role is to be checked
        Returns:
        true is the resource is granted, false if denied

      • release

        public void release()
             throws jakarta.security.jacc.PolicyContextException
        Analogous to destroy, except does not remove links from Policy Context, and does not remove context_id from role mapper factory. Used to support Policy Changes that occur via ServletContextListener.
        Throws:
        jakarta.security.jacc.PolicyContextException

      • destroy

        public void destroy()
             throws jakarta.security.jacc.PolicyContextException
        Throws:
        jakarta.security.jacc.PolicyContextException