01: /*
02: * Licensed to the Apache Software Foundation (ASF) under one or more
03: * contributor license agreements. See the NOTICE file distributed with
04: * this work for additional information regarding copyright ownership.
05: * The ASF licenses this file to You under the Apache License, Version 2.0
06: * (the "License"); you may not use this file except in compliance with
07: * the License. You may obtain a copy of the License at
08: *
09: * http://www.apache.org/licenses/LICENSE-2.0
10: *
11: * Unless required by applicable law or agreed to in writing, software
12: * distributed under the License is distributed on an "AS IS" BASIS,
13: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14: * See the License for the specific language governing permissions and
15: * limitations under the License.
16: */
17: package org.apache.wicket.authorization;
18:
19: import org.apache.wicket.Component;
20: import org.apache.wicket.settings.ISecuritySettings;
21:
/**
 * Contract for pluggable authorization decisions that the framework consults
 * before significant actions in an application. Under this contract the
 * framework applies the constraints consistently, and a violation leads to a
 * security action chosen by the strategy, for example an
 * AuthorizationException being thrown or security-sensitive information being
 * filtered out.
 * <p>
 * Security note: the two methods below are the only decision points this
 * interface exposes, so an implementation should answer <code>false</code>
 * (or throw) whenever it cannot positively establish that the request is
 * allowed.
 *
 * @author Eelco Hillenius
 * @author Jonathan Locke
 * @since Wicket 1.2
 */
public interface IAuthorizationStrategy {
    /**
     * Permissive {@link IAuthorizationStrategy}: both checks answer
     * <code>true</code> unconditionally, so no component instantiation and no
     * component action is ever refused through it.
     * <p>
     * Security note: with this instance installed the strategy layer performs
     * no access control at all. Applications that need authorization must
     * configure their own implementation instead.
     * NOTE(review): presumably this is what {@link ISecuritySettings} falls
     * back to when no strategy is configured - confirm, and make sure a
     * deployment does not rely on that fallback by accident.
     */
    // Interface fields are implicitly public, static and final.
    IAuthorizationStrategy ALLOW_ALL = new IAuthorizationStrategy() {
        /**
         * Always grants instantiation; the argument is not inspected.
         *
         * @see IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
         */
        public boolean isInstantiationAuthorized(Class componentClass) {
            return true;
        }

        /**
         * Always grants the action; neither argument is inspected.
         *
         * @see IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
         *      org.apache.wicket.authorization.Action)
         */
        public boolean isActionAuthorized(Component component, Action action) {
            return true;
        }
    };

    /**
     * Decides whether an instance of the given component class may be
     * created. A <code>false</code> result causes the
     * {@link IUnauthorizedComponentInstantiationListener} configured in the
     * {@link ISecuritySettings security settings} to be called; the default
     * implementation of that listener throws an
     * {@link UnauthorizedInstantiationException}.
     * <p>
     * A strategy that wants to authenticate users who cannot access a given
     * Page (or other Component) can throw a
     * {@link org.apache.wicket.RestartResponseAtInterceptPageException} from
     * its implementation of this method.
     * <p>
     * Security note: only the class is passed in, so the decision cannot
     * depend on the state of a component instance.
     * NOTE(review): the refusal appears to be enforced by the configured
     * listener rather than by the return value alone, so a replacement
     * listener should keep throwing or redirecting - confirm against the
     * caller.
     *
     * @param componentClass
     *            The component class to check
     * @return Whether the given component may be created
     */
    boolean isInstantiationAuthorized(Class componentClass);

    /**
     * Decides whether the given action is permitted on the given component.
     * Implementations return <code>true</code> when it is; when it is not,
     * they either return <code>false</code> or - in case of a serious breach -
     * throw a security exception. Returning <code>false</code> is generally
     * preferable to throwing, because it does not break the normal flow.
     * <p>
     * Security note: an implementation should treat an action it does not
     * recognise as not permitted rather than defaulting to
     * <code>true</code>.
     *
     * @param component
     *            The component to be acted upon
     * @param action
     *            The action to authorize on the component
     * @return Whether the given action may be taken on the given component
     * @throws AuthorizationException
     *             Can be thrown by implementation if action is unauthorized
     * @see Component#ENABLE
     * @see Component#RENDER
     */
    boolean isActionAuthorized(Component component, Action action);
}