Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 9. Authorization Modules
The following modules provide authorization services:
| Code | Class |
|---|---|
| DenyAll | org.jboss.security.authorization.modules.AllDenyAuthorizationModule |
| PermitAll | org.jboss.security.authorization.modules.AllPermitAuthorizationModule |
| Delegating | org.jboss.security.authorization.modules.DelegatingAuthorizationModule |
| Web | org.jboss.security.authorization.modules.web.WebAuthorizationModule |
| JACC | org.jboss.security.authorization.modules.JACCAuthorizationModule |
| XACML | org.jboss.security.authorization.modules.XACMLAuthorizationModule |
- AbstractAuthorizationModule
-
This is the base authorization module which has to be overridden and provides a facility for delegating to other authorization modules. This base authorization module also provides a
delegateMapproperty to the overriding class, which allows for delegation modules to be declared for specific components. This enables more specialized classes to handle the authorization for each layer, for exampleweb,ejb, etc, since the information used to authorize a user may vary between the resources being accessed. For instance, an authorization module may be based on permissions, yet have different permission types for thewebandejbresources. By default, the authorization module would be forced to deal with all possible resource and permission types, but configuring thedelegateMapoption allows the module to delegate to specific classes for different resource types. ThedelegateMapoption takes a comma-separated list of modules, each of which is prefixed by the component it relates to, for example<module-option name="delegateMap">web=xxx.yyy.MyWebDelegate,ejb=xxx.yyy.MyEJBDelegate</module-option>.
When configuring the delegateMap option, every delegate must implement the authorize(Resource) method and have it call the invokeDelegate(Resource) method in same way the provided authorization modules do. Failure to do so will result in the delegate not getting called.
- AllDenyAuthorizationModule
- This is a simple authorization module that always denies an authorization request. No configuration options are available.
- AllPermitAuthorizationModule
- This is a simple authorization module that always permits an authorization request. No configuration options are available.
- DelegatingAuthorizationModule
- This is the default authorization module that delegates decision making to the configured delegates. This module also supports the delegateMap option.
- WebAuthorizationModule
- This is the default web authorization module with the default Tomcat authorization logic, permit all.
- JACCAuthorizationModule
-
This module enforces JACC semantics using two delegates,
WebJACCPolicyModuleDelegatefor web container authorization requests andEJBJACCPolicyModuleDelegatefor EJB container requests. This module also supports thedelegateMapoption.
- XACMLAuthorizationModule
-
This module enforces XACML authorization using two delegates for web and EJB containers,
WebXACMLPolicyModuleDelegateandEJBXACMLPolicyModuleDelegate. It creates a PDP object based on registered policies and evaluates web or EJB requests against it. This module also supports thedelegateMapoption.
