Package org.glassfish.api.admin

Class AccessRequired.AccessCheck<T>

  • Enclosing class:
    AccessRequired
    public static class AccessRequired.AccessCheck<T>
extends Object
    Represents an authorization check: a resource and an action to be authorized on that resource.

    Note that the resource can be identified in one of several ways:

    • with the resource name
    • with a resource ConfigBean
    • with a ConfigBean parent and a child type

    Secure admin submits each AccessCheck to the authorization service separately and records the result as isSuccessful which can be retrieved by commands that prepare their own access checks.

    A command which prepares its own access checks can also indicate if a failure of the access check should or should not be fatal to the overall authorization operation. This is useful, for example, in attempting to list all tenants. The command could prepare an AccessCheck for each tenant of interest, marking each as non-fatal. Because secure admin records the success of each access check, the "list tenant execute command can check each of its custom AccessChecks and report on only those accounts whose access checks succeeded.

    Often, commands which prepare their own access checks need to associate an object of some type with the access check. As a convenience such classes can optionally pass the related object to one of the constructors which accepts it and then retrieve it later. This helps avoid having to extend AccessCheck as a private inner class in a command so as to link a given AccessCheck with a given object of interest in the command.

    • Constructor Detail

      • AccessCheck

        public AccessCheck​(T relatedObject,
                   String resourceName,
                   String action,
                   String note,
                   boolean isFailureFinal)
        Creates a new AccessCheck object linked with a given related object that is of interest to the caller (typically a command).
        Parameters:
        relatedObject - the related object to which this AccessCheck is linked
        resourceName - the resource being acted upon
        action - the action performed on the resource
        note - a note related to this resource/action pair
        isFailureFinal - if a failure of this AccessCheck should cause the entire authorization to fail

      • AccessCheck

        public AccessCheck​(String resourceName,
                   String action,
                   String note,
                   boolean isFailureFinal)
        Creates a new AccessCheck.
        Parameters:
        resourceName - the resource to be checked
        action - the action on the resource
        note - descriptive note about the access check; used during logging
        isFailureFinal - whether a failure of this access check should cause the entire authorization to fail

      • AccessCheck

        public AccessCheck​(String resourceName,
                   String action,
                   String note)
        Creates a new AccessCheck.
        Parameters:
        resourceName - the name of the resource to be checked
        action - the action on the resource
        note - descriptive note about the access check; used during logging

      • AccessCheck

        public AccessCheck​(String resourceName,
                   String action,
                   boolean isFailureFinal)
        Creates a new AccessCheck.
        Parameters:
        resourceName - the name of the resource to be checked
        action - the action on the resource
        isFailureFinal - whether a failure of this access check should force a failure of the entire authorization operation

      • AccessCheck

        public AccessCheck​(T relatedObject,
                   String resourceName,
                   String action,
                   boolean isFailureFinal)
        Creates a new AccessCheck with the specified related object.
        Parameters:
        relatedObject - an object the commmand wants to associate with this AccessCheck
        resourceName - the resource to be checked
        action - the action on the resource
        isFailureFinal - whether a failure of this access check should force a failure of the entire authorization

      • AccessCheck

        public AccessCheck​(ConfigBeanProxy resource,
                   String action,
                   boolean isFailureFatal)
        Creates a new AccessCheck.
        Parameters:
        resource - the config bean that is the resource to check
        action - the action on the resource
        isFailureFatal - whether a failure of this access check should force a failure of the entire authorization operation

      • AccessCheck

        public AccessCheck​(String resourceName,
                   String action)
        Creates a new AccessCheck.
        Parameters:
        resourceName - the resource to be checked
        action - the action on the resource

      • AccessCheck

        public AccessCheck​(ConfigBeanProxy parent,
                   Class<? extends ConfigBeanProxy> childType,
                   String action,
                   String note,
                   boolean isFailureFinal)
        Creates a new AccessCheck.
        Parameters:
        parent - the config bean of the parent resource to which a child is to be added
        childType - the type of the child to be added
        action - the action on the resource (typically "create")
        note - descriptive note about the access check; used during logging
        isFailureFinal - whether a failure of this access check should force a failure of the entire authorization operation

      • AccessCheck

        public AccessCheck​(ConfigBeanProxy parent,
                   Class<? extends ConfigBeanProxy> childType,
                   String action,
                   boolean isFailureFinal)
        Creates a new AccessCheck.
        Parameters:
        parent - the config bean of the parent resource to which a child is to be added
        childType - the type of the child to be added
        action - the action on the resource (typically "create")
        isFailureFinal - whether a failure of this access check should force a failure of the entire authorization operation

      • AccessCheck

        public AccessCheck​(ConfigBeanProxy parent,
                   Class<? extends ConfigBeanProxy> childType,
                   String action)
        Creates a new AccessCheck.
        Parameters:
        parent - the config bean of the parent resource to which a child is to be added
        childType - the type of the child to be added
        action - the action on the resource (typically "create")

      • AccessCheck

        public AccessCheck​(ConfigBeanProxy parent,
                   Class<? extends ConfigBeanProxy> childType,
                   String childName,
                   String action)
        Creates a new AccessCheck (typically for an existing target child)
        Parameters:
        parent - the parent of the config bean to be accessed
        childType - the type of the child config bean
        childName - the name of the child config bean
        action - the action on the resource

    • Method Detail

      • relatedObjects

        public static <U> Collection<U> relatedObjects​(Collection<AccessRequired.AccessCheck<U>> accessChecks)
        Returns an immutable collection of the related objects associated with all of the specified access checks provided that the associated access check was successful.
        Type Parameters:
        U -
        Parameters:
        accessChecks - the collection of access checks (with related objects) to process
        Returns:

      • relatedObjects

        public static <U> Collection<U> relatedObjects​(Collection<AccessRequired.AccessCheck<U>> accessChecks,
                                               boolean successfulOnly)
        Returns an immutable collection of the related objects associated with all of the specified access checks, regardless of whether the access was granted for each.
        Type Parameters:
        U -
        Parameters:
        accessChecks - the collection of access checks (with related objects) to process
        successfulOnly - whether to return the related objects for only the successful checks or for all checks
        Returns:

      • relatedObject

        public T relatedObject()

      • resourceName

        public String resourceName()
        Returns the resource name, if any was set when the access check was created.
        Returns:

      • action

        public String action()
        Returns the action for the access check.
        Returns:

      • childType

        public Class<? extends ConfigBeanProxy> childType()
        Returns the type of the child to be added as part of a create-style operation, as set when the access check was created.
        Returns:

      • parent

        public ConfigBeanProxy parent()
        Returns the parent config bean to which a child was to be added.
        Returns:

      • note

        public String note()
        Returns the note associated with the access check.
        Returns:

      • resource

        public ConfigBeanProxy resource()
        Returns the config bean to be acted upon
        Returns:

      • isFailureFinal

        public boolean isFailureFinal()
        Returns whether a failure of this access check would automatically trigger a failure of the entire authorization operation of which it is a part.
        Returns:

      • setSuccessful

        public void setSuccessful​(boolean passed)
        Invoked by secure admin to record the result of performing the access check; command developers should not typically use this method themselves.
        Parameters:
        passed -

      • isSuccessful

        public boolean isSuccessful()
        Returns whether the access check succeeded.
        Returns:

      • toString

        public String toString()
        Formats the access check as a human-friendly string.
        Overrides:
        toString in class Object
        Returns: