Interface AuthorizationService
All Superinterfaces: SecurityService
All Known Implementing Classes: AuthorizationServiceImpl
@Contract public interface AuthorizationService extends SecurityService
The AuthorizationService interface provides methods that allow server and container to determine whether access should be allowed to a particular resource. It is intended for internal use, not for use by applications.
-
Nested Class Summary
static interface AuthorizationService.PolicyDeploymentContext
This interface represents a PolicyDeploymentContext as returned by the Authorization Service's findOrCreateDeploymentContext() method.
-
Method Summary
boolean appendAttributeResolver(AzAttributeResolver resolver)
Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.

AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext(String appContext)
Finds an existing PolicyDeploymentContext, or creates a new one if one does not already exist for the specified appContext.

List<AzAttributeResolver> getAttributeResolvers()
Determines the current list of AttributeResolver instances, in execution order.

AzResult getAuthorizationDecision(AzSubject subject, AzResource resource, AzAction action)
The primary authorization method.

boolean isAuthorized(Subject subject, URI resource)
Determines whether the given Subject is authorized to access the given resource, specified by a URI.

boolean isAuthorized(Subject subject, URI resource, String action)
Determines whether the given Subject is authorized to access the given resource, specified by a URI.

boolean isPermissionGranted(Subject subject, Permission permission)
Determines whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object.

AzAction makeAzAction(String action)
Converts an action, expressed as a String, into a typed attributes collection.

AzResource makeAzResource(URI resource)
Converts a resource, expressed as a URI, into a typed attributes collection.

AzSubject makeAzSubject(Subject subject)
Converts a Java Subject into a typed attributes collection.

boolean removeAllAttributeResolvers()
Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.

void setAttributeResolvers(List<AzAttributeResolver> resolverList)
Replaces the internal list of AttributeResolver instances with the given list.

Methods inherited from interface org.glassfish.security.services.api.SecurityService: initialize
Method Detail
-
isPermissionGranted
boolean isPermissionGranted(Subject subject, Permission permission)
Determines whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object. This method is a high-level convenience method that tests for a Subject-based permission grant without reference to the AccessControlContext of the caller. In addition, this method isolates the query from the underlying Policy configuration model. It could, for example, multiplex queries across multiple instances of Policy configured in an implementation-specific way such that different threads, or different applications, query different Policy objects. The initial implementation simply delegates to the configured Policy as defined by Java SE.
Parameters:
subject - The Subject for which permission is being tested.
permission - The Permission being queried.
Returns:
True or false, depending on whether the specified Permission is granted to the Subject by the configured Policy.
Throws:
IllegalArgumentException - Given null or illegal subject or permission
-
isAuthorized
boolean isAuthorized(Subject subject, URI resource)
Determines whether the given Subject is authorized to access the given resource, specified by a URI.
Parameters:
subject - The Subject being tested.
resource - URI of the resource being tested.
Returns:
True or false, depending on whether the access is authorized.
Throws:
IllegalArgumentException - Given null or illegal subject or resource
IllegalStateException - Service was not initialized.
-
isAuthorized
boolean isAuthorized(Subject subject, URI resource, String action)
Determines whether the given Subject is authorized to access the given resource, specified by a URI.
Parameters:
subject - The Subject being tested.
resource - URI of the resource being tested.
action - The action, with respect to the resource parameter, for which authorization is desired. To check authorization for all actions, action is represented by null or "*".
Returns:
True or false, depending on whether the access is authorized.
Throws:
IllegalArgumentException - Given null or illegal subject or resource
IllegalStateException - Service was not initialized.
-
getAuthorizationDecision
AzResult getAuthorizationDecision(AzSubject subject, AzResource resource, AzAction action)
The primary authorization method. The isAuthorized() methods call this method after converting their arguments into the appropriate attribute collection type. It returns a full AzResult, including authorization status, decision, and obligations. This method performs two steps prior to invoking the configured AuthorizationProvider to evaluate the request: First, it acquires the current AzEnvironment attributes by calling the Security Context service. Second, it calls the Role Mapping service to determine which roles the subject has, and adds the resulting role attributes into the AzSubject.
Parameters:
subject - The attributes collection representing the Subject for which an authorization decision is requested.
resource - The attributes collection representing the resource for which access is being requested.
action - The attributes collection representing the action, with respect to the resource, for which access is being requested. A null action is interpreted as all actions; however, all actions may also be represented by the AzAction instance. See AzAction.
Returns:
The AzResult indicating the result of the access decision.
Throws:
IllegalArgumentException - Given null or illegal subject or resource
IllegalStateException - Service was not initialized.
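The flow described above, as an added example (not GlassFish's own code): a hypothetical FailClosedAccessCheck helper performs the same conversions as isAuthorized() and grants access only on an explicit permit, denying on any exception or non-OK status. The AuthorizationService package name and the AzResult accessors getStatus() and getDecision(), with their Status.OK and Decision.PERMIT values, are assumptions that this page does not show.

```java
import java.net.URI;
import javax.security.auth.Subject;
// Package assumed from the AzAttributeResolver package named on this page.
import org.glassfish.security.services.api.authorization.AuthorizationService;
import org.glassfish.security.services.api.authorization.AzAction;
import org.glassfish.security.services.api.authorization.AzResource;
import org.glassfish.security.services.api.authorization.AzResult;
import org.glassfish.security.services.api.authorization.AzSubject;

/** Hypothetical helper: a fail-closed access check over AuthorizationService. */
public final class FailClosedAccessCheck {

    // Assumption: an initialized service instance is supplied by the container.
    private final AuthorizationService authz;

    public FailClosedAccessCheck(AuthorizationService authz) {
        this.authz = authz;
    }

    /**
     * Returns true only for an explicit PERMIT with status OK.
     * A null action is rejected here so that a missing value is never
     * silently turned into the documented "all actions" request; callers
     * that really mean all actions must pass "*".
     */
    public boolean isAllowed(Subject subject, URI resource, String action) {
        if (subject == null || resource == null || action == null) {
            return false;
        }
        try {
            // The conversions that isAuthorized() performs before delegating.
            AzSubject azSubject = authz.makeAzSubject(subject);
            // Query parameters in the URI become attributes of the AzResource.
            AzResource azResource = authz.makeAzResource(resource);
            AzAction azAction = authz.makeAzAction(action);

            AzResult result =
                    authz.getAuthorizationDecision(azSubject, azResource, azAction);

            // Assumed AzResult accessors and enum values (not listed on this page).
            return result != null
                    && result.getStatus() == AzResult.Status.OK
                    && result.getDecision() == AzResult.Decision.PERMIT;
        } catch (IllegalArgumentException | IllegalStateException e) {
            // Illegal input or an uninitialized service: deny, do not propagate.
            return false;
        }
    }
}
```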
-
makeAzSubject
AzSubject makeAzSubject(Subject subject)
Converts a Java Subject into a typed attributes collection.
Parameters:
subject - The Subject to convert.
Returns:
The resulting AzSubject.
Throws:
IllegalArgumentException - Given null or illegal subject
-
makeAzResource
AzResource makeAzResource(URI resource)
Converts a resource, expressed as a URI, into a typed attributes collection. Query parameters in the given URI are appended to this AzResource instance attributes collection.
Parameters:
resource - The URI to convert.
Returns:
The resulting AzResource.
Throws:
IllegalArgumentException - Given null or illegal resource
-
makeAzAction
AzAction makeAzAction(String action)
Converts an action, expressed as a String, into a typed attributes collection.
Parameters:
action - The action to convert. null or "*" represents all actions.
Returns:
The resulting AzAction.
-
findOrCreateDeploymentContext
AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext(String appContext)
Finds an existing PolicyDeploymentContext, or creates a new one if one does not already exist for the specified appContext. The context will be returned in an "open" state, and will stay that way until commit() or delete() is called.
Parameters:
appContext - The application context for which the PolicyDeploymentContext is desired.
Returns:
The resulting PolicyDeploymentContext, null if the configured providers do not support this feature.
Throws:
IllegalStateException - Service was not initialized.
-
appendAttributeResolver
boolean appendAttributeResolver(AzAttributeResolver resolver)
Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.
Parameters:
resolver - The AzAttributeResolver instance to append.
Returns:
true if the AzAttributeResolver was added, false if the AzAttributeResolver was already in the list.
Throws:
IllegalArgumentException - Given AzAttributeResolver was null.
-
setAttributeResolvers
void setAttributeResolvers(List<AzAttributeResolver> resolverList)
Replaces the internal list of AttributeResolver instances with the given list. If multiple equivalent instances exist in the given list, only the first such instance will be inserted.
Parameters:
resolverList - Replacement list of AzAttributeResolver instances
Throws:
IllegalArgumentException - Given AzAttributeResolver list was null.
-
getAttributeResolvers
List<AzAttributeResolver> getAttributeResolvers()
Determines the current list of AttributeResolver instances, in execution order.
Returns:
The current list of AttributeResolver instances, in execution order.
-
removeAllAttributeResolvers
boolean removeAllAttributeResolvers()
Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.
Returns:
true if any AttributeResolver instances were removed, false if the list was empty.
-