Interface AuthorizationService
- All Superinterfaces:
  SecurityService
- All Known Implementing Classes:
  AuthorizationServiceImpl

The AuthorizationService interface provides methods that allow the server and container to determine whether access should be allowed to a particular resource. It is intended for internal use, not for use by applications.

Nested Class Summary
Nested Classes (Modifier and Type, Interface, Description):
- static interface
  This interface represents a PolicyDeploymentContext as returned by the Authorization Service's findOrCreateDeploymentContext() method.

Method Summary
Modifier and Type, Method, Description:
- boolean appendAttributeResolver(AzAttributeResolver resolver)
  Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.
- findOrCreateDeploymentContext(String appContext)
  Finds an existing PolicyDeploymentContext, or creates a new one if one does not already exist for the specified appContext.
- List<AzAttributeResolver> getAttributeResolvers()
  Determines the current list of AttributeResolver instances, in execution order.
- getAuthorizationDecision(AzSubject subject, AzResource resource, AzAction action)
  The primary authorization method.
- boolean isAuthorized(Subject subject, URI resource)
  Determines whether the given Subject is authorized to access the given resource, specified by a URI.
- boolean isAuthorized(Subject subject, URI resource, String action)
  Determines whether the given Subject is authorized to access the given resource, specified by a URI.
- boolean isPermissionGranted(Subject subject, Permission permission)
  Determines whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object.
- makeAzAction(String action)
  Converts an action, expressed as a String, into a typed attributes collection.
- makeAzResource(URI resource)
  Converts a resource, expressed as a URI, into a typed attributes collection.
- makeAzSubject(Subject subject)
  Converts a Java Subject into a typed attributes collection.
- boolean removeAllAttributeResolvers()
  Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.
- void setAttributeResolvers(List<AzAttributeResolver> resolverList)
  Replaces the internal list of AttributeResolver instances with the given list.

Methods inherited from interface org.glassfish.security.services.api.SecurityService
initialize

Method Details

isPermissionGranted
Determines whether the given Subject has been granted the specified Permission by delegating to the configured java.security.Policy object. This method is a high-level convenience method that tests for a Subject-based permission grant without reference to the AccessControlContext of the caller. In addition, this method isolates the query from the underlying Policy configuration model. It could, for example, multiplex queries across multiple instances of Policy configured in an implementation-specific way such that different threads, or different applications, query different Policy objects. The initial implementation simply delegates to the configured Policy as defined by Java SE.
- Parameters:
  subject - The Subject for which permission is being tested.
  permission - The Permission being queried.
- Returns:
  True or false, depending on whether the specified Permission is granted to the Subject by the configured Policy.
- Throws:
  IllegalArgumentException - Given null or illegal subject or permission

isAuthorized
Determines whether the given Subject is authorized to access the given resource, specified by a URI.
- Parameters:
  subject - The Subject being tested.
  resource - URI of the resource being tested.
- Returns:
  True or false, depending on whether the access is authorized.
- Throws:
  IllegalArgumentException - Given null or illegal subject or resource
  IllegalStateException - Service was not initialized.

isAuthorized
Determines whether the given Subject is authorized to access the given resource, specified by a URI.
- Parameters:
  subject - The Subject being tested.
  resource - URI of the resource being tested.
  action - The action, with respect to the resource parameter, for which authorization is desired. To check authorization for all actions, action is represented by null or "*".
- Returns:
  True or false, depending on whether the access is authorized.
- Throws:
  IllegalArgumentException - Given null or illegal subject or resource
  IllegalStateException - Service was not initialized.
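
A fail-closed wrapper that container-side code could place in front of the three-argument isAuthorized(), added here as an illustration and not taken from the GlassFish code base. AuthzCheck is a hypothetical stand-in that mirrors only the documented signature so the block runs with the JDK alone; the subject, URI and stub services are constructed samples.

```java
import java.net.URI;
import javax.security.auth.Subject;

public class FailClosedAuthz {

    /** Hypothetical stand-in mirroring isAuthorized(Subject, URI, String). */
    interface AuthzCheck {
        boolean isAuthorized(Subject subject, URI resource, String action);
    }

    /** The two spellings documented above as meaning "all actions". */
    static boolean isAllActions(String action) {
        return action == null || "*".equals(action);
    }

    /**
     * Returns true only on an explicit grant for one named action.
     * A null or "*" action is refused up front, so a missing request field
     * is never forwarded as an all-actions query. The documented exceptions
     * (illegal argument, service not initialized) are mapped to deny.
     */
    static boolean allowSingleAction(AuthzCheck svc, Subject subject,
                                     URI resource, String action) {
        if (subject == null || resource == null || isAllActions(action)) {
            return false;
        }
        try {
            return svc.isAuthorized(subject, resource, action);
        } catch (IllegalArgumentException | IllegalStateException e) {
            return false; // fail closed; log e in real container code
        }
    }

    public static void main(String[] args) {
        Subject user = new Subject();                        // constructed sample
        URI res = URI.create("admin://domain/applications"); // constructed sample
        // Constructed stubs: one grants only "read", one is uninitialized.
        AuthzCheck grantsRead = (s, r, a) -> "read".equals(a);
        AuthzCheck notReady = (s, r, a) -> {
            throw new IllegalStateException("Service was not initialized");
        };
        System.out.println("read:    " + allowSingleAction(grantsRead, user, res, "read"));
        System.out.println("update:  " + allowSingleAction(grantsRead, user, res, "update"));
        System.out.println("null:    " + allowSingleAction(grantsRead, user, res, null));
        System.out.println("wildcard:" + allowSingleAction(grantsRead, user, res, "*"));
        System.out.println("notReady:" + allowSingleAction(notReady, user, res, "read"));
    }
}
```

Code that genuinely needs the all-actions query should call isAuthorized() with the wildcard deliberately, through a separate path, rather than reaching it through an unset parameter.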

getAuthorizationDecision
The primary authorization method. The isAuthorized() methods call this method after converting their arguments into the appropriate attribute collection type. It returns a full AzResult, including authorization status, decision, and obligations. This method performs two steps prior to invoking the configured AuthorizationProvider to evaluate the request: First, it acquires the current AzEnvironment attributes by calling the Security Context service. Second, it calls the Role Mapping service to determine which roles the subject has, and adds the resulting role attributes into the AzSubject.
- Parameters:
  subject - The attributes collection representing the Subject for which an authorization decision is requested.
  resource - The attributes collection representing the resource for which access is being requested.
  action - The attributes collection representing the action, with respect to the resource, for which access is being requested. A null action is interpreted as all actions; however, all actions may also be represented by the AzAction instance. See AzAction.
- Returns:
  The AzResult indicating the result of the access decision.
- Throws:
  IllegalArgumentException - Given null or illegal subject or resource
  IllegalStateException - Service was not initialized.

makeAzSubject
Converts a Java Subject into a typed attributes collection.
- Parameters:
  subject - The Subject to convert.
- Returns:
  The resulting AzSubject.
- Throws:
  IllegalArgumentException - Given null or illegal subject

makeAzResource
Converts a resource, expressed as a URI, into a typed attributes collection. Query parameters in the given URI are appended to this AzResource instance attributes collection.
- Parameters:
  resource - The URI to convert.
- Returns:
  The resulting AzResource.
- Throws:
  IllegalArgumentException - Given null or illegal resource

makeAzAction
Converts an action, expressed as a String, into a typed attributes collection.
- Parameters:
  action - The action to convert. null or "*" represents all actions.
- Returns:
  The resulting AzAction.

findOrCreateDeploymentContext
Finds an existing PolicyDeploymentContext, or creates a new one if one does not already exist for the specified appContext. The context will be returned in an "open" state, and will stay that way until commit() or delete() is called.
- Parameters:
  appContext - The application context for which the PolicyDeploymentContext is desired.
- Returns:
  The resulting PolicyDeploymentContext, null if the configured providers do not support this feature.
- Throws:
  IllegalStateException - Service was not initialized.

appendAttributeResolver
Appends the given AzAttributeResolver instance to the internal ordered list of AzAttributeResolver instances, if not currently in the list based on org.glassfish.security.services.api.authorization.AzAttributeResolver#equals.
- Parameters:
  resolver - The AzAttributeResolver instance to append.
- Returns:
  true if the AzAttributeResolver was added, false if the AzAttributeResolver was already in the list.
- Throws:
  IllegalArgumentException - Given AzAttributeResolver was null.

setAttributeResolvers
Replaces the internal list of AttributeResolver instances with the given list. If multiple equivalent instances exist in the given list, only the first such instance will be inserted.
- Parameters:
  resolverList - Replacement list of AzAttributeResolver instances
- Throws:
  IllegalArgumentException - Given AzAttributeResolver list was null.

getAttributeResolvers
List<AzAttributeResolver> getAttributeResolvers()
Determines the current list of AttributeResolver instances, in execution order.
- Returns:
  The current list of AttributeResolver instances, in execution order.

removeAllAttributeResolvers
boolean removeAllAttributeResolvers()
Removes all AttributeResolver instances from the current internal list of AttributeResolver instances.
- Returns:
  true if any AttributeResolver instances were removed, false if the list was empty.