org.jboss.security.plugins

Class JBossAuthorizationManager

java.lang.Object

org.jboss.security.plugins.JBossAuthorizationManager

All Implemented Interfaces:

AuthorizationManager, BaseSecurityManager

public class JBossAuthorizationManager
extends Object
implements AuthorizationManager

Authorization Manager implementation

Since:

Jan 3, 2006

Version:

$Revision$

Author:

Anil Saldhana

Constructor Summary

Constructors

Constructor and Description
JBossAuthorizationManager(String securityDomainName)

Method Summary

Modifier and Type	Method and Description
int	authorize(Resource resource) Authorize a resource Note: The implementation will try to derive the authenticated subject by some means
int	authorize(Resource resource, Subject subject) Authorize a resource for an authenticated subject
int	authorize(Resource resource, Subject subject, Group roleGroup) Authorize a resource given a Group of Principals representing roles
int	authorize(Resource resource, Subject subject, RoleGroup role) Authorize a resource given a role
protected boolean	doesRoleGroupHaveRole(Principal role, RoleGroup userRoles) Check that the indicated application domain role is a member of the user's assigned roles.
boolean	doesUserHaveRole(Principal principal, Principal role) Does the current Subject have a role(a Principal) that equates to one of the role names.
boolean	doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals) Does the current Subject have a role(a Principal) that equates to one of the role names.
String	getSecurityDomain() Get the security domain from which the security manager is from.
RoleGroup	getSubjectRoles(Subject authenticatedSubject, CallbackHandler cbh) Get the Current Roles for the authenticated Subject The AuthorizationManager will apply role generation and role mapping logic configured for the security domain
Group	getTargetRoles(Principal targetPrincipal, Map<String,Object> contextMap) Trust usecases may have a need to determine the roles of the target principal which has been derived via a principal from another domain by the Authentication Manager An implementation of this interface may have to contact a trust provider for additional information about the principal
Set<Principal>	getUserRoles(Principal principal) Return the set of domain roles the current active Subject 'Roles' group found in the subject Principals set.
void	setAuthorizationContext(AuthorizationContext authorizationContext) Set the AuthorizationContext
String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

JBossAuthorizationManager

public JBossAuthorizationManager(String securityDomainName)

Method Detail

authorize

public int authorize(Resource resource)
              throws AuthorizationException

Description copied from interface: AuthorizationManager

Authorize a resource Note: The implementation will try to derive the authenticated subject by some means

Specified by:

authorize in interface AuthorizationManager

Parameters:

resource - Resource to be authorized

Returns:

AuthorizationContext.PERMIT or AuthorizationContext.DENY

Throws:

AuthorizationException

See Also:

AuthorizationManager.authorize(Resource)

authorize

public int authorize(Resource resource,
                     Subject subject)
              throws AuthorizationException

Description copied from interface: AuthorizationManager

Authorize a resource for an authenticated subject

Specified by:

authorize in interface AuthorizationManager

Parameters:

resource - Resource to be authorized

subject - Authenticated Subject

Returns:

AuthorizationContext.PERMIT or AuthorizationContext.DENY

Throws:

AuthorizationException

See Also:

AuthorizationManager.authorize(Resource, Subject)

authorize

public int authorize(Resource resource,
                     Subject subject,
                     RoleGroup role)
              throws AuthorizationException

Description copied from interface: AuthorizationManager

Authorize a resource given a role

Specified by:

authorize in interface AuthorizationManager

subject - the authenticated subject

role - a role (which can be a nested role)

Returns:

AuthorizationContext.PERMIT or AuthorizationContext.DENY

Throws:

AuthorizationException

See Also:

AuthorizationManager.authorize(Resource, Subject, RoleGroup)

authorize

public int authorize(Resource resource,
                     Subject subject,
                     Group roleGroup)
              throws AuthorizationException

Description copied from interface: AuthorizationManager

Authorize a resource given a Group of Principals representing roles

Specified by:

authorize in interface AuthorizationManager

subject - the authenticated subject

Returns:

Throws:

AuthorizationException

See Also:

AuthorizationManager.authorize(Resource, Subject, Group)

doesUserHaveRole

public boolean doesUserHaveRole(Principal principal,
                                Set<Principal> rolePrincipals)

Does the current Subject have a role(a Principal) that equates to one of the role names. This method obtains the Group named 'Roles' from the principal set of the currently authenticated Subject as determined by the SecurityAssociation.getSubject() method and then creates a SimplePrincipal for each name in roleNames. If the role is a member of the Roles group, then the user has the role. This requires that the caller establish the correct SecurityAssociation subject prior to calling this method. In the past this was done as a side-effect of an isValid() call, but this is no longer the case.

Specified by:

doesUserHaveRole in interface AuthorizationManager

Parameters:

principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.

rolePrincipals - - a Set of Principals for the roles to check.

Returns:

true if the principal has at least one of the roles in the roles set, false otherwise.

See Also:

Group;, Subject.getPrincipals()

doesUserHaveRole

public boolean doesUserHaveRole(Principal principal,
                                Principal role)

Does the current Subject have a role(a Principal) that equates to one of the role names.

Parameters:

principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.

role - - the application domain role that the principal is to be validated against.

Returns:

true if the active principal has the role, false otherwise.

See Also:

doesUserHaveRole(Principal, Set)

getUserRoles

public Set<Principal> getUserRoles(Principal principal)

Return the set of domain roles the current active Subject 'Roles' group found in the subject Principals set.

Specified by:

getUserRoles in interface AuthorizationManager

Parameters:

principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.

Returns:

The Set for the application domain roles that the principal has been assigned.

doesRoleGroupHaveRole

protected boolean doesRoleGroupHaveRole(Principal role,
                                        RoleGroup userRoles)

Check that the indicated application domain role is a member of the user's assigned roles. This handles the special AnybodyPrincipal and NobodyPrincipal independent of the Group implementation.

Parameters:

role - , the application domain role required for access

userRoles - , the set of roles assigned to the user

Returns:

true if role is in userRoles or an AnybodyPrincipal instance, false if role is a NobodyPrincipal or no a member of userRoles

toString

public String toString()

Overrides:

toString in class Object

setAuthorizationContext

public void setAuthorizationContext(AuthorizationContext authorizationContext)

Set the AuthorizationContext

getSecurityDomain

public String getSecurityDomain()

Description copied from interface: BaseSecurityManager

Get the security domain from which the security manager is from. Every security manager belongs to a named domain. The meaning of the security domain name depends on the implementation. Examples range from as fine grained as the name of EJBs to J2EE application names to DNS domain names.

Specified by:

getSecurityDomain in interface BaseSecurityManager

Returns:

the security domain name. May be null in which case the security manager belongs to the logical default domain.

getTargetRoles

public Group getTargetRoles(Principal targetPrincipal,
                            Map<String,Object> contextMap)

Description copied from interface: AuthorizationManager

Trust usecases may have a need to determine the roles of the target principal which has been derived via a principal from another domain by the Authentication Manager An implementation of this interface may have to contact a trust provider for additional information about the principal

Specified by:

getTargetRoles in interface AuthorizationManager

Parameters:

targetPrincipal - Principal applicable in current domain

contextMap - Read-Only Contextual Information that may be useful for the implementation in determining the roles.

Returns:

roles from the target domain

See Also:

AuthorizationManager.getTargetRoles(Principal, Map)

getSubjectRoles

public RoleGroup getSubjectRoles(Subject authenticatedSubject,
                                 CallbackHandler cbh)

Description copied from interface: AuthorizationManager

Get the Current Roles for the authenticated Subject The AuthorizationManager will apply role generation and role mapping logic configured for the security domain

Specified by:

getSubjectRoles in interface AuthorizationManager

cbh - a CallbackHandler that can be used by the AuthorizationManager to obtain essentials such as SecurityContext etc

Returns:

See Also:

AuthorizationManager.getSubjectRoles(Subject, CallbackHandler)