Class SimpleAuthorizationProviderImpl.Decider

java.lang.Object
org.glassfish.security.services.provider.authorization.SimpleAuthorizationProviderImpl.Decider
Enclosing class:
SimpleAuthorizationProviderImpl

protected class SimpleAuthorizationProviderImpl.Decider extends Object
Chooses what authorization decision to render.

We always require that the user be an administrator, established (for open-source) by having a Principal with name asadmin.

Beyond that, there are historical requirements for authenticated admin access:

- "External" users (CLI, browser, JMX)
  - can perform all actions locally on the DAS
  - can perform all actions remotely on the DAS if secure admin has been enabled [1]
  - JMX users can perform read-only actions on a non-DAS instance, remotely if secure admin has been enabled and always locally
- Selected local commands can act locally on the local DAS or local instance using the local password mechanism (stop-local-instance, for example)
- A server in the same domain can perform all actions in a local or remote server
- A client (typically run in a shell created by the DAS) can perform all actions on a local or remote DAS if it uses the admin token mechanism to authenticate

[1] Note that any attempted remote access that is not permitted has already been rejected during authentication.

For enforcing read-only access we assume that any action other than the literal "read" makes some change in the system.
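The rules above can be modelled as a small fail-closed decision function. This is an added sketch, not GlassFish's own code: `DeciderSketch`, the `Caller` enum and every method name are hypothetical, only three of the listed caller kinds are covered, and denying CLI or browser callers on a non-DAS target is an assumption drawn from that case not appearing in the list.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class DeciderSketch {
    // Hypothetical caller kinds, a subset of the list in the class description.
    enum Caller { CLI_OR_BROWSER, JMX, SERVER_IN_DOMAIN }

    static final String ADMIN_PRINCIPAL = "asadmin"; // name stated in the class description
    static final String READ_ACTION = "read";        // the only action treated as read-only

    static boolean isAdmin(Subject subject) {
        return subject != null && subject.getPrincipals().stream()
                .anyMatch(p -> ADMIN_PRINCIPAL.equals(p.getName()));
    }

    // Exact, case-sensitive match: "Read", "read " and null all count as modifying.
    static boolean isReadOnly(String action) { return READ_ACTION.equals(action); }

    static boolean permit(Subject subject, Caller caller, boolean targetIsDas, String action) {
        if (!isAdmin(subject)) return false;    // an administrator is always required
        switch (caller) {
            case SERVER_IN_DOMAIN:
                return true;                    // all actions, on any server
            case JMX:
                return targetIsDas || isReadOnly(action);
            case CLI_OR_BROWSER:
                return targetIsDas;             // assumption: nothing listed for non-DAS targets
            default:
                return false;                   // fail closed on unknown caller kinds
        }
    }

    static Subject subjectNamed(String name) {  // constructed sample subject
        Subject s = new Subject();
        Principal p = () -> name;
        s.getPrincipals().add(p);
        return s;
    }

    public static void main(String[] args) {
        Subject admin = subjectNamed("asadmin");
        System.out.println(permit(admin, Caller.JMX, false, "read"));
        System.out.println(permit(admin, Caller.JMX, false, "Read"));
        System.out.println(permit(admin, Caller.JMX, true, "update"));
        System.out.println(permit(subjectNamed("alice"), Caller.CLI_OR_BROWSER, true, "read"));
    }
}
```

Matching the action against the literal string rather than normalising it means a misspelled or unexpected action name is treated as a write and refused to read-only callers, which is the safe direction for this check to fail.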