Package org.apache.wicket.authorization

Interface IAuthorizationStrategy

All Known Implementing Classes:

AbstractPageAuthorizationStrategy, ActionAuthorizationStrategy, CompoundAuthorizationStrategy, IAuthorizationStrategy.AllowAllAuthorizationStrategy, SimplePageAuthorizationStrategy

public interface IAuthorizationStrategy

Authorization strategies specify aspect-like constraints on significant actions taken by the framework in a given application. These constraints are guaranteed by the framework to be applied consistently throughout. Violations will result in a security action directed by the strategy, such as the throwing of an AuthorizationException or the filtering out of security-sensitive information.

Since:

Wicket 1.2

Author:

Eelco Hillenius, Jonathan Locke

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static class	IAuthorizationStrategy.AllowAllAuthorizationStrategy

Field Summary

Fields

Modifier and Type	Field	Description
static IAuthorizationStrategy	ALLOW_ALL	Implementation of IAuthorizationStrategy that allows everything.

Method Summary

Modifier and Type	Method	Description
boolean	isActionAuthorized(Component component, Action action)	Gets whether the given action is permitted.
<T extends IRequestableComponent> boolean	isInstantiationAuthorized(java.lang.Class<T> componentClass)	Checks whether an instance of the given component class may be created.
boolean	isResourceAuthorized(IResource resource, org.apache.wicket.request.mapper.parameter.PageParameters parameters)	Checks whether a request with some parameters is allowed to a resource.

Field Detail

ALLOW_ALL

static final IAuthorizationStrategy ALLOW_ALL

Implementation of IAuthorizationStrategy that allows everything.

Method Detail

isInstantiationAuthorized

<T extends IRequestableComponent> boolean isInstantiationAuthorized(java.lang.Class<T> componentClass)

Checks whether an instance of the given component class may be created. If this method returns false, the IUnauthorizedComponentInstantiationListener that is configured in the security settings will be called. The default implementation of that listener throws a UnauthorizedInstantiationException.

If you wish to implement a strategy that authenticates users which cannot access a given Page (or other Component), you can simply throw a RestartResponseAtInterceptPageException in your implementation of this method.

Type Parameters:

T -

Parameters:

componentClass - The component class to check

Returns:

Whether the given component may be created

isActionAuthorized

boolean isActionAuthorized(Component component,
                           Action action)

Gets whether the given action is permitted. If it is, this method should return true. If it isn't, this method should either return false or - in case of a serious breach - throw a security exception. Returning is generally preferable over throwing an exception as that doesn't break the normal flow.

Parameters:

component - The component to be acted upon

action - The action to authorize on the component

Returns:

Whether the given action may be taken on the given component

Throws:

AuthorizationException - Can be thrown by implementation if action is unauthorized

See Also:

Component.ENABLE, Component.RENDER

isResourceAuthorized

boolean isResourceAuthorized(IResource resource,
                             org.apache.wicket.request.mapper.parameter.PageParameters parameters)

Checks whether a request with some parameters is allowed to a resource.

Parameters:

resource - The resource that should be processed

parameters - The request parameters

Returns:

true if the request to this resource is allowed.