org.jboss.security
Interface AuthorizationManager

All Superinterfaces:

BaseSecurityManager

public interface AuthorizationManager
extends BaseSecurityManager

Generalized Authorization Manager Interface.

Replaces the legacy RealmMapping interface

Since:

Jan 2, 2006

Version:

$Revision: 69507 $

Author:

Anil Saldhana

See Also:

org.jboss.security.RealmMapping

Method Summary

int	authorize(Resource resource) Authorize a resource
int	authorize(Resource resource, javax.security.auth.Subject subject, java.security.acl.Group roleGroup) Authorize a resource given a Group of Principals representing roles
int	authorize(Resource resource, javax.security.auth.Subject subject, RoleGroup role) Authorize a resource given a role
boolean	doesUserHaveRole(java.security.Principal principal, java.util.Set<java.security.Principal> roles) Validates the application domain roles to which the operational environment Principal belongs.
<T> EntitlementHolder<T>	getEntitlements(java.lang.Class<T> clazz, Resource resource, Identity identity) Instance Based Security Get all the entitlements assigned to the components of a Resource
RoleGroup	getSubjectRoles(javax.security.auth.Subject authenticatedSubject, javax.security.auth.callback.CallbackHandler cbh) Get the Current Roles for the authenticated Subject The AuthorizationManager will apply role generation and role mapping logic configured for the security domain
java.security.acl.Group	getTargetRoles(java.security.Principal targetPrincipal, java.util.Map<java.lang.String,java.lang.Object> contextMap) Trust usecases may have a need to determine the roles of the target principal which has been derived via a principal from another domain by the Authentication Manager An implementation of this interface may have to contact a trust provider for additional information about the principal
java.util.Set<java.security.Principal>	getUserRoles(java.security.Principal principal) Deprecated.

Methods inherited from interface org.jboss.security.BaseSecurityManager

getSecurityDomain

Method Detail

authorize

int authorize(Resource resource)
              throws AuthorizationException

Authorize a resource

Parameters:

resource -

Returns:

AuthorizationContext.PERMIT or AuthorizationContext.DENY

Throws:

AuthorizationException

authorize

int authorize(Resource resource,
              javax.security.auth.Subject subject,
              RoleGroup role)
              throws AuthorizationException

Authorize a resource given a role

Parameters:

resource -

subject - the authenticated subject

role - a role (which can be a nested role)

Returns:

AuthorizationContext.PERMIT or AuthorizationContext.DENY

Throws:

AuthorizationException

authorize

int authorize(Resource resource,
              javax.security.auth.Subject subject,
              java.security.acl.Group roleGroup)
              throws AuthorizationException

Authorize a resource given a Group of Principals representing roles

Parameters:

resource -

subject - the authenticated subject

roleGroup -

Returns:

Throws:

AuthorizationException

getEntitlements

<T> EntitlementHolder<T> getEntitlements(java.lang.Class<T> clazz,
                                         Resource resource,
                                         Identity identity)
                                     throws AuthorizationException

Instance Based Security Get all the entitlements assigned to the components of a Resource

Parameters:

clazz - Defines the class type of the entitlements

resource - A Resource (Can be a Portal Resource, a Rules Resource)

identity - The Identity against whom the entitlements need to be generated

Returns:

a Entitlements Wrapper

Throws:

AuthorizationException

doesUserHaveRole

boolean doesUserHaveRole(java.security.Principal principal,
                         java.util.Set<java.security.Principal> roles)

Validates the application domain roles to which the operational environment Principal belongs.

Parameters:

principal - the caller principal as known in the operation environment.

roles - The Set for the application domain roles that the principal is to be validated against.

Returns:

true if the principal has at least one of the roles in the roles set, false otherwise.

getSubjectRoles

RoleGroup getSubjectRoles(javax.security.auth.Subject authenticatedSubject,
                          javax.security.auth.callback.CallbackHandler cbh)

Get the Current Roles for the authenticated Subject The AuthorizationManager will apply role generation and role mapping logic configured for the security domain

Parameters:

authenticatedSubject -

cbh - a CallbackHandler that can be used by the AuthorizationManager to obtain essentials such as SecurityContext etc

Returns:

getUserRoles

java.util.Set<java.security.Principal> getUserRoles(java.security.Principal principal)

Deprecated.

Return the set of domain roles the principal has been assigned.

Returns:

The Set for the application domain roles that the principal has been assigned.

getTargetRoles

java.security.acl.Group getTargetRoles(java.security.Principal targetPrincipal,
                                       java.util.Map<java.lang.String,java.lang.Object> contextMap)

Trust usecases may have a need to determine the roles of the target principal which has been derived via a principal from another domain by the Authentication Manager An implementation of this interface may have to contact a trust provider for additional information about the principal

Parameters:

targetPrincipal - Principal applicable in current domain

contextMap - Read-Only Contextual Information that may be useful for the implementation in determining the roles.

Returns:

roles from the target domain