Chapter 3. Authorization Manager
AuthorizationManager is an interface that provides the fine-grained aspects of authorization to a security-conscious subsystem. It is obtained from the SecurityContext.
package org.jboss.security;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;
import java.util.Set;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.Resource;
/**
* Generalized Authorization Manager Interface.
*/
public interface AuthorizationManager
{
/**
* Authorize a resource
* @param resource
* @return
* @throws AuthorizationException
*/
public int authorize(Resource resource) throws AuthorizationException;
/** Validates the application domain roles to which the operational
environment Principal belongs.
@param principal - the caller principal as known in the operation environment.
@param roles - the Set<Principal> for the application domain roles that the
principal will be validated against.
@return true if the principal has at least one of the roles in the roles set,
otherwise false.
*/
public boolean doesUserHaveRole(Principal principal, Set roles);
/** Returns the set of domain roles assigned to the principal.
@return The Set<Principal> for the application domain roles that the
principal has been assigned.
*/
public Set getUserRoles(Principal principal);
/**
* Trust-based use-cases may need to determine the roles of the target
* principal, which are derived by the Authentication Manager via a principal
* from another domain.
* An implementation of this interface may need to contact a trust provider
* for additional information about the principal
* @param targetPrincipal - the principal applicable in current domain
* @param contextMap - read-only contextual information that can assist the
* implementation when determining roles
* @return roles from the target domain
*/
public Group getTargetRoles(Principal targetPrincipal, Map contextMap);
}
The Resource interface looks like this:
package org.jboss.security.authorization;
import java.util.Map;
/**
* Resource that is subject to Authorization Decisions
*/
public interface Resource
{
//Get the Layer (Web/EJB etc)
public ResourceType getLayer();
//Return the contextual map
public Map getMap();
}
An authorization module interface looks like this:
package org.jboss.security.authorization;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
/**
* Represents a Policy Decision Module that is used by the
* Authorization Context
*/
public interface AuthorizationModule
{
/**
* Abort the Authorization Process
* @return true - abort passed, false-otherwise
*/
boolean abort() throws AuthorizationException;
/**
* Overall authorization process has succeeded.
* The module can commit any decisions it has made, with
* third party systems like a database.
* @return
*/
boolean commit() throws AuthorizationException;
/**
* Initialize the module
*
* @param subject the authenticated subject
* @param handler CallbackHandler
* @param sharedState state shared with other configured modules
* @param options options specified in the Configuration
* for this particular module
*/
void initialize(Subject subject, CallbackHandler handler,
Map sharedState, Map options);
/**
* Authorize the resource
* @param resource
* @return AuthorizationContext.PERMIT or AuthorizationContext.DENY
*/
int authorize(Resource resource);
/**
* A final cleanup opportunity offered
* @return cleanup by the module passed or not
*/
boolean destroy();
}
There is a
PolicyRegistration interface that can provide a mechanism for registering policies (such as the XACML Policy), which looks like this:
package org.jboss.security.authorization;
/**
* Interface to register policies
*/
public interface PolicyRegistration
{
/**
* Registers a policy given the location and a context ID
* @param contextID
* @param location - location of the Policy File
*/
void registerPolicy(String contextID, URL location);
/**
*
* Registers a policy given an XML-based stream and a context ID
*
* @param contextID
* @param stream - InputStream that is an XML stream
*/
void registerPolicy(String contextID, InputStream stream);
/**
* Unregister a policy
* @param contextID Context ID
*/
void deRegisterPolicy(String contextID);
/**
* Obtain the registered policy for the context ID
* @param contextID - Context ID
* @param contextMap - A map that can be used by the implementation
* to determine the policy choice (typically null)
*/
Object getPolicy(String contextID, Map contextMap);
}
The Resource interface identifies resources that require authorization:
* JBoss, Home of Professional Open Source
* Copyright 2005, JBoss Inc., and individual contributors as indicated
* by the @authors tag. See the copyright.txt in the distribution for a
* full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.security.authorization;
import java.util.Map;
/**
* Resource that is subject to Authorization Decisions
* @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
* @version $Revision$
*/
public interface Resource
{
//Get the Layer (Web/EJB etc)
public ResourceType getLayer();
//Return the contextual map
public Map getMap();
}
For example, the EJB Container authorization uses a resource called
EJBResource, and the Web Container uses the WebResource.
