Package org.glassfish.security.services.api.authorization

Interface AuthorizationService

  • All Superinterfaces:
    SecurityService
    All Known Implementing Classes:
    AuthorizationServiceImpl
    @Contract
public interface AuthorizationService
extends SecurityService
    The AuthorizationService interface provides methods that allow server and container to determine whether access should be allowed to a particular resource. It is intended for internal use, not for use by applications.

    • Method Detail

      • isPermissionGranted

        boolean isPermissionGranted​(Subject subject,
                            Permission permission)
        Determines whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object. This method is a high-level convenience method that tests for a Subject-based permission grant without reference to the AccessControlContext of the caller. In addition, this method isolates the query from the underlying Policy configuration model. It could, for example, multiplex queries across multiple instances of Policy configured in an implementation-specific way such that different threads, or different applications, query different Policy objects. The initial implementation simply delegates to the configured Policy as defined by Java SE.
        Parameters:
        subject - The Subject for which permission is being tested.
        permission - The Permission being queried.
        Returns:
        True or false, depending on whether the specified Permission is granted to the Subject by the configured Policy.
        Throws:
        IllegalArgumentException - Given null or illegal subject or permission

      • isAuthorized

        boolean isAuthorized​(Subject subject,
                     URI resource)
        Determines whether the given Subject is authorized to access the given resource, specified by a URI.
        Parameters:
        subject - The Subject being tested.
        resource - URI of the resource being tested.
        Returns:
        True or false, depending on whether the access is authorized.
        Throws:
        IllegalArgumentException - Given null or illegal subject or resource
        IllegalStateException - Service was not initialized.

      • isAuthorized

        boolean isAuthorized​(Subject subject,
                     URI resource,
                     String action)
        Determines whether the given Subject is authorized to access the given resource, specified by a URI.
        Parameters:
        subject - The Subject being tested.
        resource - URI of the resource being tested.
        action - The action, with respect to the resource parameter, for which authorization is desired. To check authorization for all actions, action is represented by null or "*".
        Returns:
        True or false, depending on whether the access is authorized.
        Throws:
        IllegalArgumentException - Given null or illegal subject or resource
        IllegalStateException - Service was not initialized.

      • getAuthorizationDecision

        AzResult getAuthorizationDecision​(AzSubject subject,
                                  AzResource resource,
                                  AzAction action)
        The primary authorization method. The isAuthorized() methods call this method after converting their arguments into the appropriate attribute collection type. It returns a full AzResult, including authorization status, decision, and obligations. This method performs two steps prior to invoking the configured AuthorizationProvider to evaluate the request: First, it acquires the current AzEnvironment attributes by calling the Security Context service. Second, it calls the Role Mapping service to determine which roles the subject has, and adds the resulting role attributes into the AzSubject.
        Parameters:
        subject - The attributes collection representing the Subject for which an authorization decision is requested.
        resource - The attributes collection representing the resource for which access is being requested.
        action - The attributes collection representing the action, with respect to the resource, for which access is being requested. A null action is interpreted as all actions, however all actions may also be represented by the AzAction instance. See AzAction.
        Returns:
        The AzResult indicating the result of the access decision.
        Throws:
        IllegalArgumentException - Given null or illegal subject or resource
        IllegalStateException - Service was not initialized.

      • makeAzSubject

        AzSubject makeAzSubject​(Subject subject)
        Converts a Java Subject into a typed attributes collection.
        Parameters:
        subject - The Subject to convert.
        Returns:
        The resulting AzSubject.
        Throws:
        IllegalArgumentException - Given null or illegal subject

      • makeAzResource

        AzResource makeAzResource​(URI resource)
        Converts a resource, expressed as a URI, into a typed attributes collection.

        Query parameters in the given URI are appended to this AzResource instance attributes collection.

        Parameters:
        resource - The URI to convert.
        Returns:
        The resulting AzResource.
        Throws:
        IllegalArgumentException - Given null or illegal resource

      • makeAzAction

        AzAction makeAzAction​(String action)
        Converts an action, expressed as a String, into a typed attributes collection.
        Parameters:
        action - The action to convert. null or "*" represents all actions.
        Returns:
        The resulting AzAction.

      • findOrCreateDeploymentContext

        AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext​(String appContext)
        Finds an existing PolicyDeploymentContext, or create a new one if one does not already exist for the specified appContext. The context will be returned in an "open" state, and will stay that way until commit() or delete() is called.
        Parameters:
        appContext - The application context for which the PolicyDeploymentContext is desired.
        Returns:
        The resulting PolicyDeploymentContext, null if the configured providers do not support this feature.
        Throws:
        IllegalStateException - Service was not initialized.

      • appendAttributeResolver

        boolean appendAttributeResolver​(AzAttributeResolver resolver)
        Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.
        Parameters:
        resolver - The AzAttributeResolver instance to append.
        Returns:
        true if the AzAttributeResolver was added, false if the AzAttributeResolver was already in the list.
        Throws:
        IllegalArgumentException - Given AzAttributeResolver was null.

      • setAttributeResolvers

        void setAttributeResolvers​(List<AzAttributeResolver> resolverList)
        Replaces the internal list of AttributeResolver instances with the given list. If multiple equivalent instances exist in the given list, only the first such instance will be inserted.
        Parameters:
        resolverList - Replacement list of AzAttributeResolver instances
        Throws:
        IllegalArgumentException - Given AzAttributeResolver list was null.

      • getAttributeResolvers

        List<AzAttributeResolver> getAttributeResolvers()
        Determines the current list of AttributeResolver instances, in execution order.
        Returns:
        The current list of AttributeResolver instances, in execution order.

      • removeAllAttributeResolvers

        boolean removeAllAttributeResolvers()
        Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.
        Returns:
        true if any AttributeResolver instances were removed, false if the list was empty.