A
ResolverChain contains an ordered list of PermissionResolvers, to resolve object permissions for a particular object class or permission target.
The default
ResolverChain consists of all permission resolvers discovered during application deployment. The org.jboss.seam.security.defaultResolverChainCreated event is raised (and the ResolverChain instance passed as an event parameter) when the default ResolverChain is created. This allows additional resolvers that were not discovered during deployment to be added, or for resolvers that are in the chain to be re-ordered or removed.
The following sequence diagram shows the interaction between the components of the permission framework during a permission check. A permission check can originate from a number of possible sources: the security interceptor, the
s:hasPermission EL function, or via an API call to Identity.checkPermission:
- 1. A permission check is initiated (either in code or via an EL expression), resulting in a call to
Identity.hasPermission(). - 1.1.
IdentityinvokesPermissionMapper.resolvePermission(), passing in the permission to be resolved. - 1.1.1.
PermissionMappermaintains aMapofResolverChaininstances, keyed by class. It uses this map to locate the correctResolverChainfor the permission's target object. Once it has the correctResolverChain, it retrieves the list ofPermissionResolvers it contains by callingResolverChain.getResolvers(). - 1.1.2. For each
PermissionResolverin theResolverChain, thePermissionMapperinvokes itshasPermission()method, passing in the permission instance to be checked. If thePermissionResolvers returntrue, the permission check has succeeded and thePermissionMapperalso returnstruetoIdentity. If none of thePermissionResolvers returntrue, then the permission check has failed.