Class JaccWebAuthorizationManager
- java.lang.Object
-
- com.sun.enterprise.security.jacc.JaccWebAuthorizationManager
-
public class JaccWebAuthorizationManager extends Object
This class is the entry point for authorization decisions in the web container. It implements JACC, the JSR 115 - JavaTM Authorization Contract for Containers. This class is a companion class of EJBSecurityManager.All the authorization decisions required to allow access to a resource in the web container should happen via this class.
Note that according to the JACC specification, for the actual authorization decision we delegate our queries to a JACC aware
Policy
, which is pluggable (can be replaced by the user).- Author:
- Jean-Francois Arcand, Harpreet Singh., Ondro Mihalyi
-
-
Field Summary
Fields Modifier and Type Field Description protected CodeSource
codesource
static String
CONSTRAINT_URI
Request path.protected Policy
policy
protected jakarta.security.jacc.PolicyConfiguration
policyConfiguration
protected jakarta.security.jacc.PolicyConfigurationFactory
policyConfigurationFactory
-
Constructor Summary
Constructors Constructor Description JaccWebAuthorizationManager(WebBundleDescriptor webBundleDescriptor, ServerContext serverContext, WebSecurityManagerFactory webSecurityManagerFactory, boolean register)
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description void
destroy()
static String
getContextID(WebBundleDescriptor webBundleDescriptor)
boolean
hasNoConstrainedResources()
This method returns true to indicate that a policy check was made and there were no constrained resources.boolean
hasResourcePermission(jakarta.servlet.http.HttpServletRequest servletRequest)
Perform access control based on theHttpServletRequest
.boolean
hasRoleRefPermission(String servletName, String role, Principal principal)
Returntrue
if the specified servletName has the specified security role, within the context of theWebRoleRefPermission
; otherwise returnfalse
.int
hasUserDataPermission(jakarta.servlet.http.HttpServletRequest servletRequest, String uri, String httpMethod)
Checks if for the given request and the given request URI and method are the target of any user-data-constraint with a and whether any such constraint is already satisfied.boolean
isPermitAll(jakarta.servlet.http.HttpServletRequest request)
void
release()
Analogous to destroy, except does not remove links from Policy Context, and does not remove context_id from role mapper factory.
-
-
-
Field Detail
-
CONSTRAINT_URI
public static final String CONSTRAINT_URI
Request path. Copied from org.apache.catalina.Globals; Required to break dependence on WebTier of Security Module- See Also:
- Constant Field Values
-
policy
protected Policy policy
-
policyConfigurationFactory
protected jakarta.security.jacc.PolicyConfigurationFactory policyConfigurationFactory
-
policyConfiguration
protected jakarta.security.jacc.PolicyConfiguration policyConfiguration
-
codesource
protected CodeSource codesource
-
-
Constructor Detail
-
JaccWebAuthorizationManager
public JaccWebAuthorizationManager(WebBundleDescriptor webBundleDescriptor, ServerContext serverContext, WebSecurityManagerFactory webSecurityManagerFactory, boolean register) throws jakarta.security.jacc.PolicyContextException
- Throws:
jakarta.security.jacc.PolicyContextException
-
-
Method Detail
-
getContextID
public static String getContextID(WebBundleDescriptor webBundleDescriptor)
-
hasNoConstrainedResources
public boolean hasNoConstrainedResources()
This method returns true to indicate that a policy check was made and there were no constrained resources.When caching is disabled must always return false, which will ensure that policy is consulted to authorize each request.
- Returns:
- true when there are no constrained resources, false otherwise
-
hasUserDataPermission
public int hasUserDataPermission(jakarta.servlet.http.HttpServletRequest servletRequest, String uri, String httpMethod)
Checks if for the given request and the given request URI and method are the target of any user-data-constraint with a and whether any such constraint is already satisfied.if uri == null, determine if the connection characteristics of the request satisfy the applicable policy. If the uri is not null, determine if the uri and Http method require a CONFIDENTIAL transport. The uri value does not include the context path, and any colons occurring in the uri must be escaped.
Note: this method is not intended to be called if the request is secure. It checks whether the resource can be accessed over the current connection type (which is presumed to be insecure), and if an insecure connection type is not permitted it checks if the resource can be accessed via a confidential transport.
If the request is secure, the second check is skipped, and the proper result is returned (but that is not the intended use model).
- Parameters:
servletRequest
- the request that may be redirecteduri
- the request URI (minus the context path) to checkmethod
- the request method to check- Returns:
- 1 if access is permitted (as is or without SSL). -1 if the the access will be permitted after a redirect to SSL. return 0 if access will be denied independent of whether a redirect to SSL is done.
-
isPermitAll
public boolean isPermitAll(jakarta.servlet.http.HttpServletRequest request)
-
hasResourcePermission
public boolean hasResourcePermission(jakarta.servlet.http.HttpServletRequest servletRequest)
Perform access control based on theHttpServletRequest
. Returntrue
if this constraint is satisfied and processing should continue, orfalse
otherwise.- Returns:
- true is the resource is granted, false if denied
-
hasRoleRefPermission
public boolean hasRoleRefPermission(String servletName, String role, Principal principal)
Returntrue
if the specified servletName has the specified security role, within the context of theWebRoleRefPermission
; otherwise returnfalse
.- Parameters:
servletName
- the resource's namerole
- Security role to be checkedprincipal
- Principal for whom the role is to be checked- Returns:
- true is the resource is granted, false if denied
-
release
public void release() throws jakarta.security.jacc.PolicyContextException
Analogous to destroy, except does not remove links from Policy Context, and does not remove context_id from role mapper factory. Used to support Policy Changes that occur via ServletContextListener.- Throws:
jakarta.security.jacc.PolicyContextException
-
destroy
public void destroy() throws jakarta.security.jacc.PolicyContextException
- Throws:
jakarta.security.jacc.PolicyContextException
-
-