15.7. Permission Management
Just as Seam Security provides an Identity Management API to let you manage users and roles, it also provides a Permissions Management API to let you manage persistent user permissions: the PermissionManager component.
15.7.1. PermissionManager
The PermissionManager component is an application-scoped Seam component that provides a number of permission-management methods. It must be configured with a permission store before use. By default, it will attempt to use JpaPermissionStore. To configure a custom permission store, specify the permission-store property in components.xml:
<security:permission-manager permission-store="#{ldapPermissionStore}"/>
The following table describes each of the methods provided by PermissionManager:
Table 15.11. PermissionManager API methods
| Return type | Method | Description |
|---|---|---|
| List<Permission> | listPermissions(Object target, String action) | Returns a list of Permission objects representing all of the permissions that have been granted for the specified target and action. |
| List<Permission> | listPermissions(Object target) | Returns a list of Permission objects representing all of the permissions that have been granted for the specified target, regardless of action. |
| boolean | grantPermission(Permission permission) | Persists (grants) the specified Permission to the back-end permission store. Returns true if the operation succeeds. |
| boolean | grantPermissions(List<Permission> permissions) | Persists (grants) the specified list of Permissions to the back-end permission store. Returns true if the operation succeeds. |
| boolean | revokePermission(Permission permission) | Removes (revokes) the specified Permission from the back-end permission store. Returns true if the operation succeeds. |
| boolean | revokePermissions(List<Permission> permissions) | Removes (revokes) the specified list of Permissions from the back-end permission store. Returns true if the operation succeeds. |
| List<String> | listAvailableActions(Object target) | Returns a list of the available actions for the specified target object. The actions that this method returns depend on the @Permission annotations configured on the target object's class. |
15.7.2. Permission checks for PermissionManager operations
To invoke PermissionManager methods, the currently authenticated user must be authorized to perform that management operation. The following table lists the permissions required to invoke a particular method.
Table 15.12. Permission Management Security Permissions
| Method | Permission Target | Permission Action |
|---|---|---|
| listPermissions() | The specified target. | seam.read-permissions |
| grantPermission() | The target of the specified Permission, or each of the targets for the specified list of Permissions (depending on the method called). | seam.grant-permission |
| grantPermission() | The target of the specified Permission. | seam.grant-permission |
| grantPermissions() | Each of the targets of the specified list of Permissions. | seam.grant-permission |
| revokePermission() | The target of the specified Permission. | seam.revoke-permission |
| revokePermissions() | Each of the targets of the specified list of Permissions. | seam.revoke-permission |
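As an added example that is not part of the Seam reference guide, the following Seam component ties Tables 15.11 and 15.12 together: it grants a role an action on an entity only if the entity's @Permission annotations declare that action, and revokes a role's permissions on it. The Report entity, the reportPermissions component name and the role names are assumptions; every PermissionManager call it makes is subject to the checks in Table 15.12.

```java
import java.util.ArrayList;
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.permission.Permissions;
import org.jboss.seam.security.permission.Permission;
import org.jboss.seam.security.permission.PermissionManager;
import org.jboss.seam.security.permission.Role;

// Assumed target entity. The @Permission annotations on the class are what
// listAvailableActions(report) reports; the annotation is written fully
// qualified because it shares its simple name with the Permission class.
@Entity
@Permissions({
    @org.jboss.seam.annotations.security.permission.Permission(action = "view"),
    @org.jboss.seam.annotations.security.permission.Permission(action = "edit")
})
class Report {
    @Id private Long id;
}

@Name("reportPermissions")
public class ReportPermissions {
    // Grant a role one action on a report. PermissionManager first checks that
    // the caller holds seam.grant-permission on the report (Table 15.12).
    public boolean grantToRole(Report report, String roleName, String action) {
        PermissionManager pm = PermissionManager.instance();
        // Reject actions the target class does not declare, so a typo cannot
        // persist a permission that no permission check will ever consult.
        if (!pm.listAvailableActions(report).contains(action)) {
            throw new IllegalArgumentException("Report has no action: " + action);
        }
        return pm.grantPermission(new Permission(report, action, new Role(roleName)));
    }

    // Revoke everything a role holds on a report. listPermissions needs
    // seam.read-permissions and revokePermissions needs seam.revoke-permission
    // on the report. Returns how many permissions were revoked.
    public int revokeAllForRole(Report report, String roleName) {
        PermissionManager pm = PermissionManager.instance();
        List<Permission> toRevoke = new ArrayList<Permission>();
        for (Permission p : pm.listPermissions(report)) {
            if (p.getRecipient() instanceof Role
                    && roleName.equals(p.getRecipient().getName())) {
                toRevoke.add(p);
            }
        }
        if (!toRevoke.isEmpty() && !pm.revokePermissions(toRevoke)) return 0;
        return toRevoke.size();
    }
}
```

Because the caller's own seam.grant-permission and seam.revoke-permission rights are checked per target, an administrator can be confined to managing permissions on the reports they are responsible for rather than on every entity in the store.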