Chapter 14. JBoss Authorization Manager
The default implementation includes an authorization manager interface,
JBossAuthorizationManager
, which obtains fine-grained and pluggable authorization via authorization modules. This interface also provides support for the PolicyRegistration
interface.
The interface resembles the following:
package org.jboss.security.plugins; ... import static org.jboss.security.SecurityConstants.ROLES_IDENTIFIER; /** * Authorization Manager implementation */ public class JBossAuthorizationManager implements AuthorizationManager,PolicyRegistration { private String securityDomain; private Map contextIdToPolicy = new HashMap(); protected boolean trace = log.isTraceEnabled(); private CallbackHandler callbackHandler = null; public JBossAuthorizationManager(String securityDomainName) { } public JBossAuthorizationManager(String securityDomainName, CallbackHandler cbh) { } /** * @see AuthorizationManager#authorize(Resource) */ public int authorize(Resource resource) throws AuthorizationException { String SUBJECT_CONTEXT_KEY = SecurityConstants.SUBJECT_CONTEXT_KEY; Subject subject = null; try { subject = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY); } catch (PolicyContextException e) { log.error("Error obtaining AuthenticatedSubject:",e); } AuthorizationContext ac = new JBossAuthorizationContext(this.securityDomain,subject, this.callbackHandler ); return ac.authorize(resource); } /** Determines whether the Subject has a role (Principal) that matches * a defined role name. This method obtains the "Roles" Group from the * principal set of the currently-authenticated Subject (as determined * by the SecurityAssociation.getSubject() method). It then creates a * SimplePrincipal for each name in roleNames. If the Subject's role * can be matched to a role in the "Roles" Group, then the user has that * role. The caller must therefore establish the correct * SecurityAssociation Subject before this method is called. * (This is no longer a side-effect of the isValid() call.) * * @param principal - ignored. The current authenticated Subject determines * the active user and assigned user roles. * * @param rolePrincipals - a Set of Principals for the roles to check. * * @see java.security.acl.Group; * @see Subject#getPrincipals() */ public boolean doesUserHaveRole(Principal principal, Set rolePrincipals) { } /** Determines whether the current Subject has a role (Principal) that * matches one of the role names. * * @see #doesUserHaveRole(Principal, Set) * * @param principal - ignored. The currently-authenticated Subject * determines the active user and assigned user roles. * @param role - the application domain role that the principal is * validated against. * @return true if the active principal has the role, false otherwise. */ public boolean doesUserHaveRole(Principal principal, Principal role) { } /** Returns the set of domain roles that were found by the current active * Subject "Roles" Group, in the Subject Principals Set. * * @param principal - ignored. The current authenticated Subject determines * the active user and assigned user roles. * @return The Set<Principal> for the application domain roles that the * principal has been assigned. */ public Set getUserRoles(Principal principal) { } /** Checks that the indicated application domain role belongs to the * group of roles assigned to the user. This handles the special * AnybodyPrincipal and NobodyPrincipal independent of the Group * implementation. * * @param role - the application domain role required for access * @param userRoles - the set of roles assigned to the user * @return true - if role is in userRoles or an AnybodyPrincipal instance, false * if role is a NobodyPrincipal or no a member of userRoles */ protected boolean doesRoleGroupHaveRole(Principal role, Group userRoles) { } /** * @see PolicyRegistration#registerPolicy(String, URL) */ public void registerPolicy(String contextID, URL location) { } /** * @see PolicyRegistration#registerPolicy(String, InputStream) */ public void registerPolicy(String contextID, InputStream stream) { } /** * @see PolicyRegistration#deRegisterPolicy(String) */ public void deRegisterPolicy(String contextID) { } /** * @see PolicyRegistration#getPolicy(String, Map) */ public Object getPolicy(String contextID, Map contextMap) { } /** * @see AuthorizationManager#getTargetRoles(Principal, Map) */ public Group getTargetRoles(Principal targetPrincipal, Map contextMap) { throw new RuntimeException("Not implemented"); } }