001/* 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017package org.apache.wicket.authorization; 018 019import org.apache.wicket.Component; 020import org.apache.wicket.request.component.IRequestableComponent; 021import org.apache.wicket.request.mapper.parameter.PageParameters; 022import org.apache.wicket.request.resource.IResource; 023 024/** 025 * Authorization strategies specify aspect-like constraints on significant actions taken by the 026 * framework in a given application. These constraints are guaranteed by the framework to be applied 027 * consistently throughout. Violations will result in a security action directed by the strategy, 028 * such as the throwing of an AuthorizationException or the filtering out of security-sensitive 029 * information. 030 * 031 * @author Eelco Hillenius 032 * @author Jonathan Locke 033 * @since Wicket 1.2 034 */ 035public interface IAuthorizationStrategy 036{ 037 class AllowAllAuthorizationStrategy implements IAuthorizationStrategy 038 { 039 /** 040 * @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class) 041 */ 042 @Override 043 public <T extends IRequestableComponent> boolean isInstantiationAuthorized(final Class<T> c) 044 { 045 return true; 046 } 047 048 /** 049 * @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component, 050 * org.apache.wicket.authorization.Action) 051 */ 052 @Override 053 public boolean isActionAuthorized(Component c, Action action) 054 { 055 return true; 056 } 057 058 @Override 059 public boolean isResourceAuthorized(IResource resource, PageParameters pageParameters) 060 { 061 return true; 062 } 063 } 064 065 /** 066 * Implementation of {@link IAuthorizationStrategy} that allows everything. 067 */ 068 IAuthorizationStrategy ALLOW_ALL = new AllowAllAuthorizationStrategy(); 069 070 /** 071 * Checks whether an instance of the given component class may be created. If this method 072 * returns false, the {@link IUnauthorizedComponentInstantiationListener} that is configured in 073 * the {@link org.apache.wicket.settings.SecuritySettings security settings} will be called. The default implementation of 074 * that listener throws a {@link UnauthorizedInstantiationException}. 075 * <p> 076 * If you wish to implement a strategy that authenticates users which cannot access a given Page 077 * (or other Component), you can simply throw a 078 * {@link org.apache.wicket.RestartResponseAtInterceptPageException} in your implementation of 079 * this method. 080 * 081 * @param <T> 082 * 083 * @param componentClass 084 * The component class to check 085 * @return Whether the given component may be created 086 */ 087 <T extends IRequestableComponent> boolean isInstantiationAuthorized(Class<T> componentClass); 088 089 /** 090 * Gets whether the given action is permitted. If it is, this method should return true. If it 091 * isn't, this method should either return false or - in case of a serious breach - throw a 092 * security exception. Returning is generally preferable over throwing an exception as that 093 * doesn't break the normal flow. 094 * 095 * @param component 096 * The component to be acted upon 097 * @param action 098 * The action to authorize on the component 099 * @return Whether the given action may be taken on the given component 100 * @throws AuthorizationException 101 * Can be thrown by implementation if action is unauthorized 102 * @see Component#ENABLE 103 * @see Component#RENDER 104 */ 105 boolean isActionAuthorized(Component component, Action action); 106 107 /** 108 * Checks whether a request with some parameters is allowed to a resource. 109 * 110 * @param resource 111 * The resource that should be processed 112 * @param parameters 113 * The request parameters 114 * @return {@code true} if the request to this resource is allowed. 115 */ 116 boolean isResourceAuthorized(IResource resource, PageParameters parameters); 117}