Package org.jboss.security.plugins
Class JBossAuthorizationManager
- java.lang.Object
  - org.jboss.security.plugins.JBossAuthorizationManager
- All Implemented Interfaces:
  AuthorizationManager, BaseSecurityManager

public class JBossAuthorizationManager extends Object implements AuthorizationManager
Authorization Manager implementation
- Since:
  Jan 3, 2006
- Version:
  $Revision$
- Author:
  Anil Saldhana

Constructor Summary
JBossAuthorizationManager(String securityDomainName)

Method Summary
int authorize(Resource resource)
    Authorize a resource. Note: The implementation will try to derive the authenticated subject by some means.
int authorize(Resource resource, Subject subject)
    Authorize a resource for an authenticated subject.
int authorize(Resource resource, Subject subject, Group roleGroup)
    Authorize a resource given a Group of Principals representing roles.
int authorize(Resource resource, Subject subject, RoleGroup role)
    Authorize a resource given a role.
protected boolean doesRoleGroupHaveRole(Principal role, RoleGroup userRoles)
    Check that the indicated application domain role is a member of the user's assigned roles.
boolean doesUserHaveRole(Principal principal, Principal role)
    Does the current Subject have a role (a Principal) that equates to one of the role names.
boolean doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals)
    Does the current Subject have a role (a Principal) that equates to one of the role names.
String getSecurityDomain()
    Get the security domain that the security manager belongs to.
RoleGroup getSubjectRoles(Subject authenticatedSubject, CallbackHandler cbh)
    Get the current roles for the authenticated Subject. The AuthorizationManager will apply role generation and role mapping logic configured for the security domain.
Group getTargetRoles(Principal targetPrincipal, Map<String,Object> contextMap)
    Trust use cases may need to determine the roles of the target principal, which has been derived via a principal from another domain by the Authentication Manager. An implementation of this interface may have to contact a trust provider for additional information about the principal.
Set<Principal> getUserRoles(Principal principal)
    Return the set of domain roles found in the 'Roles' group of the current active Subject's Principals set.
void setAuthorizationContext(AuthorizationContext authorizationContext)
    Set the AuthorizationContext.
String toString()

Constructor Detail
JBossAuthorizationManager
public JBossAuthorizationManager(String securityDomainName)

Method Detail
authorize
public int authorize(Resource resource) throws AuthorizationException
Description copied from interface: AuthorizationManager
Authorize a resource. Note: The implementation will try to derive the authenticated subject by some means.
- Specified by:
  authorize in interface AuthorizationManager
- Parameters:
  resource - Resource to be authorized
- Returns:
  AuthorizationContext.PERMIT or AuthorizationContext.DENY
- Throws:
  AuthorizationException
- See Also:
  AuthorizationManager.authorize(Resource)

authorize
public int authorize(Resource resource, Subject subject) throws AuthorizationException
Description copied from interface: AuthorizationManager
Authorize a resource for an authenticated subject.
- Specified by:
  authorize in interface AuthorizationManager
- Parameters:
  resource - Resource to be authorized
  subject - Authenticated Subject
- Returns:
  AuthorizationContext.PERMIT or AuthorizationContext.DENY
- Throws:
  AuthorizationException
- See Also:
  AuthorizationManager.authorize(Resource, Subject)

authorize
public int authorize(Resource resource, Subject subject, RoleGroup role) throws AuthorizationException
Description copied from interface: AuthorizationManager
Authorize a resource given a role.
- Specified by:
  authorize in interface AuthorizationManager
- Parameters:
  subject - the authenticated subject
  role - a role (which can be a nested role)
- Returns:
  AuthorizationContext.PERMIT or AuthorizationContext.DENY
- Throws:
  AuthorizationException
- See Also:
  AuthorizationManager.authorize(Resource, Subject, RoleGroup)

authorize
public int authorize(Resource resource, Subject subject, Group roleGroup) throws AuthorizationException
Description copied from interface: AuthorizationManager
Authorize a resource given a Group of Principals representing roles.
- Specified by:
  authorize in interface AuthorizationManager
- Parameters:
  subject - the authenticated subject
- Returns:
- Throws:
  AuthorizationException
- See Also:
  AuthorizationManager.authorize(Resource, Subject, Group)

doesUserHaveRole
public boolean doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals)
Does the current Subject have a role (a Principal) that equates to one of the role names. This method obtains the Group named 'Roles' from the principal set of the currently authenticated Subject as determined by the SecurityAssociation.getSubject() method and then creates a SimplePrincipal for each name in roleNames. If the role is a member of the Roles group, then the user has the role. This requires that the caller establish the correct SecurityAssociation subject prior to calling this method. In the past this was done as a side-effect of an isValid() call, but this is no longer the case.
- Specified by:
  doesUserHaveRole in interface AuthorizationManager
- Parameters:
  principal - ignored. The current authenticated Subject determines the active user and assigned user roles.
  rolePrincipals - a Set of Principals for the roles to check.
- Returns:
  true if the principal has at least one of the roles in the roles set, false otherwise.
- See Also:
  Subject.getPrincipals()

doesUserHaveRole
public boolean doesUserHaveRole(Principal principal, Principal role)
Does the current Subject have a role (a Principal) that equates to one of the role names.
- Parameters:
  principal - ignored. The current authenticated Subject determines the active user and assigned user roles.
  role - the application domain role that the principal is to be validated against.
- Returns:
  true if the active principal has the role, false otherwise.
- See Also:
  doesUserHaveRole(Principal, Set)

getUserRoles
public Set<Principal> getUserRoles(Principal principal)
Return the set of domain roles found in the 'Roles' group of the current active Subject's Principals set.
- Specified by:
  getUserRoles in interface AuthorizationManager
- Parameters:
  principal - ignored. The current authenticated Subject determines the active user and assigned user roles.
- Returns:
  The Set for the application domain roles that the principal has been assigned.

doesRoleGroupHaveRole
protected boolean doesRoleGroupHaveRole(Principal role, RoleGroup userRoles)
Check that the indicated application domain role is a member of the user's assigned roles. This handles the special AnybodyPrincipal and NobodyPrincipal independent of the Group implementation.
- Parameters:
  role - the application domain role required for access
  userRoles - the set of roles assigned to the user
- Returns:
  true if role is in userRoles or an AnybodyPrincipal instance, false if role is a NobodyPrincipal or not a member of userRoles

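The role check documented for doesUserHaveRole and doesRoleGroupHaveRole, modeled as an added example that is not PicketBox code. Named, RolesGroup, CURRENT and the two sentinels are hypothetical stand-ins for SimplePrincipal, the 'Roles' Group, the SecurityAssociation subject and AnybodyPrincipal/NobodyPrincipal; denying when no subject is established is an assumption.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
// Added model of the documented role check; stand-in types, not PicketBox classes.
public class RolesGroupCheckDemo {
    // Stand-in for SimplePrincipal: equality is by name.
    record Named(String name) implements Principal {
        public String getName() { return name; }
    }
    // Stand-in for the Group named 'Roles' kept in the Subject's principal set.
    record RolesGroup(String name, Set<Principal> members) implements Principal {
        public String getName() { return name; }
    }
    // Constructed sentinels standing in for AnybodyPrincipal / NobodyPrincipal.
    static final Principal ANYBODY = new Named("anybody-sentinel");
    static final Principal NOBODY = new Named("nobody-sentinel");
    // Stand-in for the subject the caller must establish before the check.
    static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    static boolean doesRoleGroupHaveRole(Principal role, RolesGroup userRoles) {
        if (ANYBODY.equals(role)) return true;   // matches any user
        if (NOBODY.equals(role)) return false;   // matches no user
        return userRoles.members().contains(role);
    }
    // 'principal' is ignored, as documented: only the current Subject counts.
    static boolean doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals) {
        Subject subject = CURRENT.get();
        if (subject == null) return false;       // assumption: no subject means deny
        for (RolesGroup g : subject.getPrincipals(RolesGroup.class)) {
            if (!"Roles".equals(g.getName())) continue;
            for (Principal role : rolePrincipals)
                if (doesRoleGroupHaveRole(role, g)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Subject alice = new Subject();           // constructed sample subject
        alice.getPrincipals().add(new Named("alice"));
        alice.getPrincipals().add(new RolesGroup("Roles", Set.of(new Named("auditor"))));
        CURRENT.set(alice);
        Principal bob = new Named("bob");        // passed in, but never consulted
        System.out.println(doesUserHaveRole(bob, Set.of(new Named("auditor"))));
        System.out.println(doesUserHaveRole(bob, Set.of(new Named("admin"))));
        System.out.println(doesUserHaveRole(bob, Set.of(NOBODY)));
        System.out.println(doesUserHaveRole(bob, Set.of(ANYBODY)));
        CURRENT.remove();                        // subject not established
        System.out.println(doesUserHaveRole(new Named("alice"), Set.of(new Named("auditor"))));
    }
}
```

Requires Java 16 or later for records. The first call succeeds even though bob is the argument, because the decision is made against the established subject (alice); callers that check roles on behalf of another user must establish that user's subject first.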
setAuthorizationContext
public void setAuthorizationContext(AuthorizationContext authorizationContext)
Set the AuthorizationContext

getSecurityDomain
public String getSecurityDomain()
Description copied from interface: BaseSecurityManager
Get the security domain that the security manager belongs to. Every security manager belongs to a named domain. The meaning of the security domain name depends on the implementation. Examples range from as fine-grained as the name of EJBs to J2EE application names to DNS domain names.
- Specified by:
  getSecurityDomain in interface BaseSecurityManager
- Returns:
  the security domain name. May be null, in which case the security manager belongs to the logical default domain.

getTargetRoles
public Group getTargetRoles(Principal targetPrincipal, Map<String,Object> contextMap)
Description copied from interface: AuthorizationManager
Trust use cases may need to determine the roles of the target principal, which has been derived via a principal from another domain by the Authentication Manager. An implementation of this interface may have to contact a trust provider for additional information about the principal.
- Specified by:
  getTargetRoles in interface AuthorizationManager
- Parameters:
  targetPrincipal - Principal applicable in current domain
  contextMap - Read-only contextual information that may be useful for the implementation in determining the roles.
- Returns:
  roles from the target domain
- See Also:
  AuthorizationManager.getTargetRoles(Principal, Map)

getSubjectRoles
public RoleGroup getSubjectRoles(Subject authenticatedSubject, CallbackHandler cbh)
Description copied from interface: AuthorizationManager
Get the current roles for the authenticated Subject. The AuthorizationManager will apply role generation and role mapping logic configured for the security domain.
- Specified by:
  getSubjectRoles in interface AuthorizationManager
- Parameters:
  cbh - a CallbackHandler that can be used by the AuthorizationManager to obtain essentials such as SecurityContext etc.
- Returns:
- See Also:
  AuthorizationManager.getSubjectRoles(Subject, CallbackHandler)