Class StandardRBACAuthorizer
- java.lang.Object
  - org.jboss.as.controller.access.permission.ManagementPermissionAuthorizer
    - org.jboss.as.controller.access.rbac.StandardRBACAuthorizer
- All Implemented Interfaces: Authorizer
public final class StandardRBACAuthorizer extends ManagementPermissionAuthorizer
Standard Authorizer implementation that uses a provided RoleMapper to construct a DefaultPermissionFactory, with that permission factory used for the permissions used by the superclass implementation.
Also supports the allowed roles being specified via a roles operation-header in the top level operation whose value is the name of a role or a DMR list of strings each of which is the name of a role.
This operation-header based approach is only secure to the extent the clients using it are secure. To use this approach the client must authenticate, and the underlying. So, by adding the roles operation-header to the request the client can only reduce its privileges, not increase them.
- Author: Brian Stansberry (c) 2013 Red Hat Inc.
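The two value forms of the roles operation-header described above (a single role name, or a DMR list of role names), as an added example that is not part of the WildFly sources. It assumes the jboss-dmr library is on the classpath and that headers live under the "operation-headers" key of the operation; the class RolesHeaderExample, its methods, and the sample role names are hypothetical, and returning null for an absent header is this example's own choice, made to match the nullable runAsRoles parameter.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;

/** Added example: writes and reads the "roles" operation-header in both documented forms. */
public class RolesHeaderExample {

    /** Attaches the header: one role as a plain string, several as a DMR list of strings. */
    static ModelNode withRoles(ModelNode op, String... roles) {
        // Assumption: "operation-headers" is the container key for headers on the top level operation.
        ModelNode header = op.get("operation-headers", "roles");
        if (roles.length == 1) {
            header.set(roles[0]);
        } else {
            header.setEmptyList();
            for (String role : roles) {
                header.add(role);
            }
        }
        return op;
    }

    /** Returns the requested role names, or null when no roles header is present. */
    static Set<String> requestedRoles(ModelNode op) {
        if (!op.hasDefined("operation-headers", "roles")) {
            return null;
        }
        ModelNode header = op.get("operation-headers", "roles");
        Set<String> result = new LinkedHashSet<>();
        if (header.getType() == ModelType.LIST) {
            for (ModelNode role : header.asList()) {
                result.add(role.asString());
            }
        } else {
            result.add(header.asString()); // single role name
        }
        return result;
    }

    public static void main(String[] args) {
        ModelNode op = new ModelNode();
        op.get("operation").set("read-resource");
        op.get("address").setEmptyList();
        System.out.println("no header:   " + requestedRoles(op));
        // Constructed sample role names.
        System.out.println("single role: " + requestedRoles(withRoles(op.clone(), "Monitor")));
        System.out.println("role list:   " + requestedRoles(withRoles(op.clone(), "Monitor", "Operator")));
    }
}
```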

Nested Class Summary
Nested classes/interfaces inherited from interface org.jboss.as.controller.access.Authorizer
Authorizer.AuthorizerDescription

Field Summary
Fields
Modifier and Type | Field | Description
static Authorizer.AuthorizerDescription | AUTHORIZER_DESCRIPTION |

Method Summary
Modifier and Type | Method | Description
static StandardRBACAuthorizer | create(AuthorizerConfiguration configuration, RoleMapper roleMapper) |
Set<String> | getCallerRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Set<String> runAsRoles) | Gets the set of roles the caller can run as taking into account any requested 'run as' roles.
Authorizer.AuthorizerDescription | getDescription() | Gets a description of the characteristics of this authorizer
void | shutdown() |

Methods inherited from class org.jboss.as.controller.access.permission.ManagementPermissionAuthorizer
authorize, authorize, authorizeJmxOperation

Field Detail
AUTHORIZER_DESCRIPTION
public static final Authorizer.AuthorizerDescription AUTHORIZER_DESCRIPTION

Method Detail
create
public static StandardRBACAuthorizer create(AuthorizerConfiguration configuration, RoleMapper roleMapper)

getCallerRoles
public Set<String> getCallerRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Set<String> runAsRoles)
Description copied from interface: Authorizer
Gets the set of roles the caller can run as taking into account any requested 'run as' roles.
- Specified by: getCallerRoles in interface Authorizer
- Overrides: getCallerRoles in class ManagementPermissionAuthorizer
- Parameters:
  identity - the caller identity. Cannot be null
  callEnvironment - the call environment. Cannot be null
  runAsRoles - any requested 'run as' roles. May be null
- Returns: The set of roles assigned to the caller; an empty set will be returned if no roles are assigned or null will be returned if the access control provider does not support role mapping.

getDescription
public Authorizer.AuthorizerDescription getDescription()
Description copied from interface: Authorizer
Gets a description of the characteristics of this authorizer
- Specified by: getDescription in interface Authorizer
- Overrides: getDescription in class ManagementPermissionAuthorizer
- Returns: the description. Cannot be null

shutdown
public void shutdown()