Class WritableAuthorizerConfiguration
- java.lang.Object
-
- org.jboss.as.controller.access.management.WritableAuthorizerConfiguration
-
- All Implemented Interfaces:
AuthorizerConfiguration, AccessConstraintUtilizationRegistry
public class WritableAuthorizerConfiguration extends Object implements AuthorizerConfiguration, AccessConstraintUtilizationRegistry
Standard AuthorizerConfiguration implementation that also exposes mutator APIs for use by the WildFly management layer.
- Author:
Brian Stansberry (c) 2013 Red Hat Inc.
-
-
Nested Class Summary
static class WritableAuthorizerConfiguration.MatchType
Types of matching strategies used in org.jboss.as.controller.access.Caller to AuthorizerConfiguration.RoleMapping mapping.
Nested classes/interfaces inherited from interface org.jboss.as.controller.access.AuthorizerConfiguration
AuthorizerConfiguration.MappingPrincipal, AuthorizerConfiguration.PrincipalType, AuthorizerConfiguration.RoleMapping, AuthorizerConfiguration.ScopedRole, AuthorizerConfiguration.ScopedRoleListener
-
-
Constructor Summary
WritableAuthorizerConfiguration(Authorizer.AuthorizerDescription authorizerDescription)
-
Method Summary
void addRoleMapping(String roleName)
Adds a new role to the list of defined roles.
void addRoleMappingImmediate(String roleName)
boolean addRoleMappingPrincipal(String roleName, AuthorizerConfiguration.PrincipalType principalType, WritableAuthorizerConfiguration.MatchType matchType, String name, String realm, boolean immediate)
void addScopedRole(AuthorizerConfiguration.ScopedRole toAdd)
AuthorizerConfiguration.MappingPrincipal createPrincipal(AuthorizerConfiguration.PrincipalType principalType, String name, String realm)
Map<PathAddress,AccessConstraintUtilization> getAccessConstraintUtilizations(AccessConstraintKey accessConstraintKey)
Set<String> getAllRoles()
Gets the names of all the roles used by the authorizer, including both built-in roles and roles added via end user configuration.
CombinationPolicy getPermissionCombinationPolicy()
Gets the policy for combining access control permissions when the configuration grants the user more than one type of permission for a given action.
Map<String,AuthorizerConfiguration.RoleMapping> getRoleMappings()
Gets the configured role mappings, keyed by the name of the role.
Map<String,AuthorizerConfiguration.ScopedRole> getScopedRoles()
Gets the configured scoped roles, keyed by the name of the role.
Set<String> getStandardRoles()
Gets the names of the "standard" "built-in" roles used by the authorizer.
boolean hasRole(String roleName)
Gets whether the current set of roles contains the given role, with the check performed using a case-insensitive algorithm.
boolean isMapUsingIdentityRoles()
Gets whether role mapping should use roles obtained from the SecurityIdentity.
boolean isNonFacadeMBeansSensitive()
Gets whether JMX calls to non-facade mbeans (i.e.
boolean isRoleBased()
Gets whether the authorizer uses a role-based authorization mechanism.
void registerAccessConstraintAttributeUtilization(AccessConstraintKey key, PathAddress address, String attribute)
void registerAccessConstraintOperationUtilization(AccessConstraintKey key, PathAddress address, String operation)
void registerAccessConstraintResourceUtilization(AccessConstraintKey key, PathAddress address)
void registerScopedRoleListener(AuthorizerConfiguration.ScopedRoleListener listener)
Register a listener for changes in the configured scoped roles.
Object removeRoleMapping(String roleName)
Remove a role from the list of defined roles.
boolean removeRoleMappingPrincipal(String roleName, AuthorizerConfiguration.PrincipalType principalType, WritableAuthorizerConfiguration.MatchType matchType, String name, String realm)
void removeScopedRole(String toRemove)
void reset()
Reset the internal state of this object back to what it originally was.
void setPermissionCombinationPolicy(CombinationPolicy combinationPolicy)
void setRoleMappingIncludeAll(String roleName, boolean includeAll)
void setUseIdentityRoles(boolean useIdentityRoles)
boolean undoRoleMappingRemove(Object removalKey)
Undo a prior removal using the supplied undo key.
void unregisterAccessConstraintUtilizations(PathAddress address)
void unregisterScopedRoleListener(AuthorizerConfiguration.ScopedRoleListener listener)
Unregister a listener for changes in the configured scoped roles.
-
-
-
Constructor Detail
-
WritableAuthorizerConfiguration
public WritableAuthorizerConfiguration(Authorizer.AuthorizerDescription authorizerDescription)
-
-
Method Detail
-
reset
public void reset()
Reset the internal state of this object back to what it originally was. Used when reloading a server or in a slave host controller following a post-boot reconnect to the master.
-
registerScopedRoleListener
public void registerScopedRoleListener(AuthorizerConfiguration.ScopedRoleListener listener)
Description copied from interface: AuthorizerConfiguration
Register a listener for changes in the configured scoped roles.
- Specified by:
registerScopedRoleListener in interface AuthorizerConfiguration
- Parameters:
listener - the listener. Cannot be null
-
unregisterScopedRoleListener
public void unregisterScopedRoleListener(AuthorizerConfiguration.ScopedRoleListener listener)
Description copied from interface: AuthorizerConfiguration
Unregister a listener for changes in the configured scoped roles.
- Specified by:
unregisterScopedRoleListener in interface AuthorizerConfiguration
- Parameters:
listener - the listener. Cannot be null
-
getPermissionCombinationPolicy
public CombinationPolicy getPermissionCombinationPolicy()
Description copied from interface: AuthorizerConfiguration
Gets the policy for combining access control permissions when the configuration grants the user more than one type of permission for a given action. For example, in the standard WildFly access control system, a user may map to more than one role. This property would control how the permissions associated with those roles should be combined to make access control decisions.
- Specified by:
getPermissionCombinationPolicy in interface AuthorizerConfiguration
- Returns:
the combination policy. Will not be null.
-
isRoleBased
public boolean isRoleBased()
Description copied from interface: AuthorizerConfiguration
Gets whether the authorizer uses a role-based authorization mechanism.
- Specified by:
isRoleBased in interface AuthorizerConfiguration
- Returns:
true if a role-based mechanism is used; false if not
-
isMapUsingIdentityRoles
public boolean isMapUsingIdentityRoles()
Description copied from interface: AuthorizerConfiguration
Gets whether role mapping should use roles obtained from the SecurityIdentity. Any configured exclusions are still checked. The configured inclusions will also be checked meaning additional roles may also be granted.
- Specified by:
isMapUsingIdentityRoles in interface AuthorizerConfiguration
- Returns:
true if role
-
getStandardRoles
public Set<String> getStandardRoles()
Description copied from interface: AuthorizerConfiguration
Gets the names of the "standard" "built-in" roles used by the authorizer. A built-in role requires no end user configuration.
- Specified by:
getStandardRoles in interface AuthorizerConfiguration
- Returns:
the standard role names. Will not be null, but may be an empty set if roles are not used or no built-in roles are used.
-
getScopedRoles
public Map<String,AuthorizerConfiguration.ScopedRole> getScopedRoles()
Description copied from interface: AuthorizerConfiguration
Gets the configured scoped roles, keyed by the name of the role.
- Specified by:
getScopedRoles in interface AuthorizerConfiguration
- Returns:
the scoped roles. Will not be null
-
getAllRoles
public Set<String> getAllRoles()
Description copied from interface: AuthorizerConfiguration
Gets the names of all the roles used by the authorizer, including both built-in roles and roles added via end user configuration.
- Specified by:
getAllRoles in interface AuthorizerConfiguration
- Returns:
the role names. Will not be null, but may be an empty set if roles are not used or no built-in roles are used and no end user configured roles exist.
-
hasRole
public boolean hasRole(String roleName)
Description copied from interface: AuthorizerConfiguration
Gets whether the current set of roles contains the given role, with the check performed using a case-insensitive algorithm.
- Specified by:
hasRole in interface AuthorizerConfiguration
- Parameters:
roleName - the name of the role
- Returns:
true if the current role set includes an item that equals ignoring case the given roleName
-
getRoleMappings
public Map<String,AuthorizerConfiguration.RoleMapping> getRoleMappings()
Description copied from interface: AuthorizerConfiguration
Gets the configured role mappings, keyed by the name of the role.
- Specified by:
getRoleMappings in interface AuthorizerConfiguration
- Returns:
the role mappings. Will not be null
-
setUseIdentityRoles
public void setUseIdentityRoles(boolean useIdentityRoles)
-
addScopedRole
public void addScopedRole(AuthorizerConfiguration.ScopedRole toAdd)
-
removeScopedRole
public void removeScopedRole(String toRemove)
-
isNonFacadeMBeansSensitive
public boolean isNonFacadeMBeansSensitive()
Description copied from interface: AuthorizerConfiguration
Gets whether JMX calls to non-facade mbeans (i.e. those that result in invocations to Authorizer#authorizeJmxOperation(Caller, Environment, JmxAction)) should be treated as 'sensitive'.
- Specified by:
isNonFacadeMBeansSensitive in interface AuthorizerConfiguration
- Returns:
true if non-facade mbean calls are sensitive; false otherwise
-
addRoleMappingImmediate
public void addRoleMappingImmediate(String roleName)
-
addRoleMapping
public void addRoleMapping(String roleName)
Adds a new role to the list of defined roles.
- Parameters:
roleName - The name of the role being added.
-
removeRoleMapping
public Object removeRoleMapping(String roleName)
Remove a role from the list of defined roles.
- Parameters:
roleName - The name of the role to be removed.
- Returns:
A key that can be used to undo the removal.
-
undoRoleMappingRemove
public boolean undoRoleMappingRemove(Object removalKey)
Undo a prior removal using the supplied undo key.
- Parameters:
removalKey - The key returned from the call to removeRoleMapping.
- Returns:
true if the undo was successful, false otherwise.
-
setRoleMappingIncludeAll
public void setRoleMappingIncludeAll(String roleName, boolean includeAll)
-
addRoleMappingPrincipal
public boolean addRoleMappingPrincipal(String roleName, AuthorizerConfiguration.PrincipalType principalType, WritableAuthorizerConfiguration.MatchType matchType, String name, String realm, boolean immediate)
-
removeRoleMappingPrincipal
public boolean removeRoleMappingPrincipal(String roleName, AuthorizerConfiguration.PrincipalType principalType, WritableAuthorizerConfiguration.MatchType matchType, String name, String realm)
-
createPrincipal
public AuthorizerConfiguration.MappingPrincipal createPrincipal(AuthorizerConfiguration.PrincipalType principalType, String name, String realm)
-
setPermissionCombinationPolicy
public void setPermissionCombinationPolicy(CombinationPolicy combinationPolicy)
-
getAccessConstraintUtilizations
public Map<PathAddress,AccessConstraintUtilization> getAccessConstraintUtilizations(AccessConstraintKey accessConstraintKey)
- Specified by:
getAccessConstraintUtilizations in interface AccessConstraintUtilizationRegistry
-
registerAccessConstraintResourceUtilization
public void registerAccessConstraintResourceUtilization(AccessConstraintKey key, PathAddress address)
- Specified by:
registerAccessConstraintResourceUtilization in interface AccessConstraintUtilizationRegistry
-
registerAccessConstraintAttributeUtilization
public void registerAccessConstraintAttributeUtilization(AccessConstraintKey key, PathAddress address, String attribute)
- Specified by:
registerAccessConstraintAttributeUtilization in interface AccessConstraintUtilizationRegistry
-
registerAccessConstraintOperationUtilization
public void registerAccessConstraintOperationUtilization(AccessConstraintKey key, PathAddress address, String operation)
- Specified by:
registerAccessConstraintOperationUtilization in interface AccessConstraintUtilizationRegistry
-
unregisterAccessConstraintUtilizations
public void unregisterAccessConstraintUtilizations(PathAddress address)
- Specified by:
unregisterAccessConstraintUtilizations in interface AccessConstraintUtilizationRegistry
-
-