Search
SupportConsoleDevelopersStart a trialContact

Chapter 14. JBoss Authorization Manager

download PDF
The default implementation includes an authorization manager interface, JBossAuthorizationManager, which obtains fine-grained and pluggable authorization via authorization modules. This interface also provides support for the PolicyRegistration interface.
The interface resembles the following: 
package org.jboss.security.plugins;
...
import static org.jboss.security.SecurityConstants.ROLES_IDENTIFIER; 

/**
 *  Authorization Manager implementation 
 */
public class JBossAuthorizationManager 
implements AuthorizationManager,PolicyRegistration
{  
   private String securityDomain; 
   
   private Map contextIdToPolicy = new HashMap();  
   protected boolean trace = log.isTraceEnabled();

   private CallbackHandler callbackHandler = null;
   
   public JBossAuthorizationManager(String securityDomainName)
   { 
   }
   
   public JBossAuthorizationManager(String securityDomainName, CallbackHandler cbh)
   { 
   }
   
   /**
    * @see AuthorizationManager#authorize(Resource)
    */
   public int authorize(Resource resource) throws AuthorizationException
   {
      String SUBJECT_CONTEXT_KEY = SecurityConstants.SUBJECT_CONTEXT_KEY;
      Subject subject = null;
      try
      {
         subject = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
      }
      catch (PolicyContextException e)
      {
         log.error("Error obtaining AuthenticatedSubject:",e);
      }
      AuthorizationContext ac = new JBossAuthorizationContext(this.securityDomain,subject,
            this.callbackHandler ); 
      return ac.authorize(resource);
   }  
   
   /** Determines whether the Subject has a role (Principal) that matches
    *  a defined role name. This method obtains the "Roles" Group from the
    *  principal set of the currently-authenticated Subject (as determined
    *  by the SecurityAssociation.getSubject() method). It then creates a
    *  SimplePrincipal for each name in roleNames. If the Subject's role
    *  can be matched to a role in the "Roles" Group, then the user has that
    *  role. The caller must therefore establish the correct
    *  SecurityAssociation Subject before this method is called.
    *  (This is no longer a side-effect of the isValid() call.)
    *  
    *  @param principal - ignored. The current authenticated Subject determines
    *  the active user and assigned user roles.
    *  
    *  @param rolePrincipals - a Set of Principals for the roles to check.
    *  
    *  @see java.security.acl.Group;
    *  @see Subject#getPrincipals()
    */
   public boolean doesUserHaveRole(Principal principal, Set rolePrincipals)
   { 
   }
   
   /** Determines whether the current Subject has a role (Principal) that
    *  matches one of the role names.
    *  
    *  @see #doesUserHaveRole(Principal, Set)
    *  
    *  @param principal - ignored. The currently-authenticated Subject
    *  determines the active user and assigned user roles.
    *  @param role - the application domain role that the principal is
    *  validated against.
    *  @return true if the active principal has the role, false otherwise.
    */
   public boolean doesUserHaveRole(Principal principal, Principal role)
   { 
   } 
   
   /** Returns the set of domain roles that were found by the current active
    *  Subject "Roles" Group, in the Subject Principals Set.
    *  
    *  @param principal - ignored. The current authenticated Subject determines
    *  the active user and assigned user roles.
    *  @return The Set<Principal> for the application domain roles that the
    *  principal has been assigned.
    */
   public Set getUserRoles(Principal principal)
   {  
   }  
     
   
   /** Checks that the indicated application domain role belongs to the
    *  group of roles assigned to the user. This handles the special
    *  AnybodyPrincipal and NobodyPrincipal independent of the Group
    *  implementation.
    *  
    *  @param role - the application domain role required for access
    *  @param userRoles - the set of roles assigned to the user
    *  @return true - if role is in userRoles or an AnybodyPrincipal instance, false
    *  if role is a NobodyPrincipal or no a member of userRoles
    */
   protected boolean doesRoleGroupHaveRole(Principal role, Group userRoles)
   { 
   } 

   /**
    * @see PolicyRegistration#registerPolicy(String, URL)
    */
   public void registerPolicy(String contextID, URL location) 
   { 
   }
   
   /**
    * @see PolicyRegistration#registerPolicy(String, InputStream)
    */
   public void registerPolicy(String contextID, InputStream stream) 
   { 
   }

   /**
    * @see PolicyRegistration#deRegisterPolicy(String)
    */
   public void deRegisterPolicy(String contextID)
   {  
   }

   /**
    * @see PolicyRegistration#getPolicy(String, Map)
    */
   public Object getPolicy(String contextID, Map contextMap)
   { 
   } 

   /**
    * @see AuthorizationManager#getTargetRoles(Principal, Map)
    */
   public Group getTargetRoles(Principal targetPrincipal, Map contextMap)
   {
      throw new RuntimeException("Not implemented");
   } 
}
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.