Java Doc for AuthorizationManager.java (JSPWiki, package com.ecyrd.jspwiki.auth)

java.lang.Object
   com.ecyrd.jspwiki.auth.AuthorizationManager

AuthorizationManager
final public class AuthorizationManager

Manages all access control and authorization; determines what authenticated users are allowed to do.

Privileges in JSPWiki are expressed as Java-standard java.security.Permission classes. There are two types of permissions: WikiPermission and PagePermission.

Calling classes determine whether they are entitled to perform a particular action by constructing the appropriate permission first, then passing it and the current com.ecyrd.jspwiki.WikiSession to the AuthorizationManager.checkPermission(WikiSession,Permission) method. If the session's Subject possesses the permission, the action is allowed.

For WikiPermissions, the decision criterion is relatively simple: the caller either possesses the permission, as granted by the wiki security policy, or not.

For PagePermissions, the logic is exactly the same if the page being checked does not have an access control list. However, if the page does have an ACL, the authorization decision is made based on the union of the permissions granted in the ACL and in the security policy. In other words, the user must be named in the ACL (or belong to a group or role that is named in the ACL) and be granted (at least) the same permission in the security policy. We do this to prevent a user from gaining more permissions than they already have, based on the security policy.

See the AuthorizationManager.checkPermission(WikiSession,Permission) and AuthorizationManager.hasRoleOrPrincipal(WikiSession,Principal) methods for more information on the authorization logic.


author:
   Andrew Jaquith
since:
   2.3
See Also:   AuthenticationManager


Field Summary
final public static String DEFAULT_AUTHORIZER
     The default external Authorizer is the com.ecyrd.jspwiki.auth.authorize.WebContainerAuthorizer.
final protected static String DEFAULT_POLICY
     Name of the default security policy file, in WEB-INF.
final public static String PROP_AUTHORIZER
     The property name in jspwiki.properties for specifying the external Authorizer.

Constructor Summary
public AuthorizationManager()
     Constructs a new AuthorizationManager instance.

Method Summary
final public synchronized void addWikiEventListener(WikiEventListener listener)
     Registers a WikiEventListener with this instance.
protected boolean allowedByLocalPolicy(Principal[] principals, Permission permission)
     Checks to see if the local security policy allows a particular static Permission.
final public boolean checkPermission(WikiSession session, Permission permission)
     Returns true or false, depending on whether a Permission is allowed for the Subject associated with a supplied WikiSession.
final protected boolean checkStaticPermission(WikiSession session, Permission permission)
     Determines whether a Subject possesses a given "static" Permission as defined in the security policy file.
final protected void fireEvent(int type, Principal user, Object permission)
     Fires a WikiSecurityEvent of the provided type, user, and permission to all registered listeners.
final public Authorizer getAuthorizer()
     Returns the current external Authorizer in use.
protected boolean hasRoleOrPrincipal(WikiSession session, Principal principal)
     Determines if the Subject associated with a supplied WikiSession contains a desired user Principal or built-in Role principal, OR is a member of a Group or external Role.
final public void initialize(WikiEngine engine, Properties properties)
     Initializes AuthorizationManager with an engine and set of properties.
protected boolean isJAASAuthorized()
     Returns true if JSPWiki's JAAS authorization system is used for authorization in addition to container controls.
final public boolean isUserInRole(WikiSession session, Principal principal)
     Determines if the Subject associated with a supplied WikiSession contains a desired Role or GroupPrincipal. The algorithm simply checks to see if the Subject possesses the Role or GroupPrincipal in its Principal set.
final public synchronized void removeWikiEventListener(WikiEventListener listener)
     Un-registers a WikiEventListener with this instance.
final public Principal resolvePrincipal(String name)
     Given a supplied string representing a Principal's name from an Acl, this method resolves the correct type of Principal (role, group, or user). This method is guaranteed to always return a Principal. The algorithm is straightforward:
       1. If the name matches one of the built-in com.ecyrd.jspwiki.auth.authorize.Role names, return that built-in Role
       2. If the name matches one supplied by the current com.ecyrd.jspwiki.auth.Authorizer, return that Role
       3. If the name matches a group managed by the current com.ecyrd.jspwiki.auth.authorize.GroupManager, return that Group
       4. Otherwise, assume that the name represents a user principal.

Field Detail
DEFAULT_AUTHORIZER
final public static String DEFAULT_AUTHORIZER
The default external Authorizer is the com.ecyrd.jspwiki.auth.authorize.WebContainerAuthorizer.

DEFAULT_POLICY
final protected static String DEFAULT_POLICY
Name of the default security policy file, in WEB-INF.

PROP_AUTHORIZER
final public static String PROP_AUTHORIZER
The property name in jspwiki.properties for specifying the external Authorizer.

Constructor Detail
AuthorizationManager
public AuthorizationManager()
Constructs a new AuthorizationManager instance.




Method Detail
addWikiEventListener
final public synchronized void addWikiEventListener(WikiEventListener listener)
Registers a WikiEventListener with this instance.
Parameters:
  listener - the event listener



allowedByLocalPolicy
protected boolean allowedByLocalPolicy(Principal[] principals, Permission permission)
Checks to see if the local security policy allows a particular static Permission. Do not use this method for normal permission checks; use AuthorizationManager.checkPermission(WikiSession,Permission) instead.
Parameters:
  principals - the Principals to check
Parameters:
  permission - the Permission
Returns:
  the result



checkPermission
final public boolean checkPermission(WikiSession session, Permission permission)
Returns true or false, depending on whether a Permission is allowed for the Subject associated with a supplied WikiSession. The access control algorithm works this way:
  1. The com.ecyrd.jspwiki.auth.acl.Acl for the page is obtained
  2. The Subject associated with the current com.ecyrd.jspwiki.WikiSession is obtained
  3. If the Subject's Principal set includes the Role Principal that is the administrator group, always allow the Permission
  4. For all permissions, check to see if the Permission is allowed according to the default security policy. If it isn't, deny the permission and halt further processing.
  5. If there is an Acl, get the list of Principals assigned this Permission in the Acl: these will be role, group or user Principals, or com.ecyrd.jspwiki.auth.acl.UnresolvedPrincipals (see below). Then iterate through the Subject's Principal set and determine whether the user (Subject) possesses any one of these specified Roles or Principals. The matching process delegates to AuthorizationManager.hasRoleOrPrincipal(WikiSession,Principal).

Note that when iterating through the Acl's list of authorized Principals, it is possible that one or more of the Acl's Principal entries are of type UnresolvedPrincipal. This means that the last time the ACL was read, the Principal (user, built-in Role, authorizer Role, or wiki Group) could not be resolved: the Role was not valid, the user wasn't found in the UserDatabase, or the Group wasn't known to (e.g., cached in) the GroupManager. If an UnresolvedPrincipal is encountered, this method will attempt to resolve it first, by calling AuthorizationManager.resolvePrincipal(String), before checking to see if the Subject possesses this principal. If the (re-)resolution does not succeed, the access check for the principal will fail by definition (the Subject should never contain UnresolvedPrincipals).

If security is not set to JAAS, this method returns true.


Parameters:
  session - the current wiki session
Parameters:
  permission - the Permission being checked
Returns:
  the result of the Permission check
See Also:   AuthorizationManager.hasRoleOrPrincipal(WikiSession,Principal)



checkStaticPermission
final protected boolean checkStaticPermission(WikiSession session, Permission permission)
Determines whether a Subject possesses a given "static" Permission as defined in the security policy file. This method uses standard Java 2 security calls to do its work. Note that the current access control context's codeBase is effectively this class, not that of the caller. Therefore, this method will work best when what matters in the policy is who makes the permission check, not what the caller's code source is. Internally, this method works by executing Subject.doAsPrivileged with a privileged action that simply calls java.security.AccessController.checkPermission(Permission). A caught exception (or lack thereof) determines whether the privilege is absent (or present).
Parameters:
  session - the WikiSession whose permission status is being queried
Parameters:
  permission - the Permission the Subject must possess
Returns:
  true if the Subject possesses the permission, false otherwise



fireEvent
final protected void fireEvent(int type, Principal user, Object permission)
Fires a WikiSecurityEvent of the provided type, user, and permission to all registered listeners.
See Also:   com.ecyrd.jspwiki.event.WikiSecurityEvent
Parameters:
  type - the event type to be fired
Parameters:
  user - the user associated with the event
Parameters:
  permission - the permission the subject must possess



getAuthorizer
final public Authorizer getAuthorizer() throws WikiSecurityException
Returns the current external Authorizer in use. This method is guaranteed to return a properly-initialized Authorizer, unless it could not be initialized. In that case, this method throws a com.ecyrd.jspwiki.auth.WikiSecurityException.
throws:
  com.ecyrd.jspwiki.auth.WikiSecurityException - if the Authorizer could not be initialized
Returns:
  the current Authorizer



hasRoleOrPrincipal
protected boolean hasRoleOrPrincipal(WikiSession session, Principal principal)

Determines if the Subject associated with a supplied WikiSession contains a desired user Principal or built-in Role principal, OR is a member of a Group or external Role. The rules are as follows:

  1. First, if the desired Principal is a Role or GroupPrincipal, delegate to AuthorizationManager.isUserInRole(WikiSession,Principal) and return the result.
  2. Otherwise, we're looking for a user Principal, so iterate through the Principal set and see if any share the same name as the one we are looking for.

Note: if the Principal parameter is a user principal, the session must be authenticated in order for the user to "possess it". Anonymous or asserted sessions will never possess a named user principal.


Parameters:
  session - the current wiki session, which must be non-null. If null, the result of this method always returns false
Parameters:
  principal - the Principal (role, group, or user principal) to look for, which must be non-null. If null, the result of this method always returns false
Returns:
  true if the Subject supplied with the WikiContext possesses the Role, GroupPrincipal or desired user Principal, false otherwise



initialize
final public void initialize(WikiEngine engine, Properties properties) throws WikiException
Initializes AuthorizationManager with an engine and set of properties. Expects to find property 'jspwiki.authorizer' with a valid Authorizer implementation name to take care of group lookup operations.
Parameters:
  engine - the wiki engine
Parameters:
  properties - the set of properties used to initialize the wiki engine
throws:
  WikiException - if the AuthorizationManager cannot be initialized



isJAASAuthorized
protected boolean isJAASAuthorized()
Returns true if JSPWiki's JAAS authorization system is used for authorization in addition to container controls.
Returns:
  the result



isUserInRole
final public boolean isUserInRole(WikiSession session, Principal principal)

Determines if the Subject associated with a supplied WikiSession contains a desired Role or GroupPrincipal. The algorithm simply checks to see if the Subject possesses the Role or GroupPrincipal in its Principal set. Note that any user (anonymous, asserted, authenticated) can possess a built-in role. But a user must be authenticated to possess a role other than one of the built-in ones. We do this to prevent privilege escalation.

For all other cases, this method returns false.

Note that this method does not consult the external Authorizer or GroupManager; it relies on the Principals that have been injected into the user's Subject at login time, or after group creation/modification/deletion.


Parameters:
  session - the current wiki session, which must be non-null. If null, the result of this method always returns false
Parameters:
  principal - the Principal (role or group principal) to look for, which must be non-null. If null, the result of this method always returns false
Returns:
  true if the Subject supplied with the WikiContext possesses the Role or GroupPrincipal, false otherwise
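The decision logic described for checkPermission, hasRoleOrPrincipal and isUserInRole above, modelled end to end in Python. This is an added illustration, not JSPWiki's own code: the principal classes, the policy representation (principal to set of granted actions), the ACL representation (page to action to principal entries), the "Admin" group name and the sample users are all assumptions made for the demonstration. It shows the ordering that matters for security: the administrator bypass, the policy gate that halts processing on a deny, the ACL match that must additionally succeed when a page has an ACL, the re-resolution of UnresolvedPrincipal entries, and the rule that anonymous or asserted sessions can hold only built-in roles.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified stand-ins for JSPWiki's principal classes (assumed shapes, not the real ones).
@dataclass(frozen=True)
class Role:
    name: str
    builtin: bool = False   # True for the built-in roles that any session may hold

@dataclass(frozen=True)
class GroupPrincipal:
    name: str

@dataclass(frozen=True)
class UserPrincipal:
    name: str

@dataclass(frozen=True)
class UnresolvedPrincipal:   # ACL entry that could not be resolved when the ACL was read
    name: str

ADMIN_GROUP = GroupPrincipal("Admin")   # assumption: how the administrator group is named

@dataclass(frozen=True)
class WikiSession:
    authenticated: bool
    principals: frozenset    # the Subject's Principal set

@dataclass(frozen=True)
class PagePermission:
    page: Optional[str]      # None stands for a WikiPermission, which has no page ACL
    action: str

def allowed_by_local_policy(principals, permission, policy):
    """allowedByLocalPolicy: policy is modelled as principal -> set of granted actions."""
    return any(permission.action in policy.get(p, set()) for p in principals)

def has_role_or_principal(session, principal):
    """hasRoleOrPrincipal / isUserInRole: who may possess which kind of principal."""
    if session is None or principal is None:
        return False
    if isinstance(principal, (Role, GroupPrincipal)):
        # Any session may hold a built-in Role; other roles and groups need authentication.
        if not session.authenticated and not (isinstance(principal, Role) and principal.builtin):
            return False
        return principal in session.principals
    if isinstance(principal, UserPrincipal):
        if not session.authenticated:   # anonymous/asserted sessions never hold a user principal
            return False
        return any(isinstance(p, UserPrincipal) and p.name == principal.name
                   for p in session.principals)
    return False   # an UnresolvedPrincipal is never possessed by a Subject

def check_permission(session, permission, policy, acls, resolve, jaas_authorized=True):
    """checkPermission: admin bypass, then the policy gate, then the page ACL if one exists.
    acls is modelled as page -> action -> list of principal entries; resolve(name) returns a
    Principal or None and stands in for resolvePrincipal."""
    if not jaas_authorized:
        return True                                   # container controls only
    if ADMIN_GROUP in session.principals:
        return True                                   # step 3: administrators always pass
    if not allowed_by_local_policy(session.principals, permission, policy):
        return False                                  # step 4: policy denies, stop here
    entries = acls.get(permission.page, {}).get(permission.action) if permission.page else None
    if entries is None:
        return True                                   # no ACL: the policy alone decides
    for entry in entries:                             # step 5: the ACL must also name the user
        if isinstance(entry, UnresolvedPrincipal):
            entry = resolve(entry.name)               # try to (re-)resolve it first
            if entry is None:
                continue                              # still unresolved: cannot match
        if has_role_or_principal(session, entry):
            return True
    return False

# Constructed sample data (not from any real wiki).
ALL = Role("All", builtin=True)
AUTHENTICATED = Role("Authenticated", builtin=True)
EDITORS = GroupPrincipal("Editors")
SAMPLE_POLICY = {ALL: {"view"}, AUTHENTICATED: {"view", "edit"}}
SAMPLE_ACLS = {"Secret": {"view": [EDITORS],
                          "edit": [EDITORS, UnresolvedPrincipal("carol")]}}
SAMPLE_USERS = {"carol": UserPrincipal("carol")}   # what re-resolution can find now

def sample_resolve(name):
    return SAMPLE_USERS.get(name)

def demo():
    """Runs constructed sessions against the sample data; returns {(user, page, action): bool}."""
    sessions = {
        "alice": WikiSession(True, frozenset({ALL, AUTHENTICATED, UserPrincipal("alice"), EDITORS})),
        "bob": WikiSession(True, frozenset({ALL, AUTHENTICATED, UserPrincipal("bob")})),
        "carol": WikiSession(True, frozenset({ALL, AUTHENTICATED, UserPrincipal("carol")})),
        "admin": WikiSession(True, frozenset({ALL, AUTHENTICATED, UserPrincipal("root"), ADMIN_GROUP})),
        "anon": WikiSession(False, frozenset({ALL, Role("Anonymous", builtin=True)})),
    }
    return {(who, page, action): check_permission(s, PagePermission(page, action),
                                                  SAMPLE_POLICY, SAMPLE_ACLS, sample_resolve)
            for who, s in sessions.items() for page in ("Secret", "Main") for action in ("view", "edit")}
```

In the sample run, "Main" has no ACL, so the policy alone decides: every session may view it and every authenticated session may edit it. "Secret" has an ACL, so bob, who is granted "edit" by the policy but is not named in the ACL, is denied, while carol is allowed only because the stale UnresolvedPrincipal("carol") entry re-resolves to her user principal. The anonymous session cannot match the Editors group even for "view", which the policy would otherwise allow, and the admin session passes every check before the policy is consulted.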



removeWikiEventListener
final public synchronized void removeWikiEventListener(WikiEventListener listener)
Un-registers a WikiEventListener with this instance.
Parameters:
  listener - the event listener



resolvePrincipal
final public Principal resolvePrincipal(String name)

Given a supplied string representing a Principal's name from an Acl, this method resolves the correct type of Principal (role, group, or user). This method is guaranteed to always return a Principal. The algorithm is straightforward:

  1. If the name matches one of the built-in com.ecyrd.jspwiki.auth.authorize.Role names, return that built-in Role
  2. If the name matches one supplied by the current com.ecyrd.jspwiki.auth.Authorizer, return that Role
  3. If the name matches a group managed by the current com.ecyrd.jspwiki.auth.authorize.GroupManager, return that Group
  4. Otherwise, assume that the name represents a user principal. Using the current com.ecyrd.jspwiki.auth.user.UserDatabase, find the first user who matches the supplied name by calling com.ecyrd.jspwiki.auth.user.UserDatabase.find(String).
  5. Finally, if a user cannot be found, manufacture and return a generic com.ecyrd.jspwiki.auth.acl.UnresolvedPrincipal

Parameters:
  name - the name of the Principal to resolve
Returns:
  the fully-resolved Principal
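The five-step resolution order above, modelled in Python as an added example (not JSPWiki's code). The built-in role names, the three lookup sources and the sample user directory are assumptions; the Authorizer, GroupManager and UserDatabase are replaced by a set of role names, a set of group names and a find_user callable. The point the model makes visible is that the first match wins: a name that exists both as a group and as a user resolves to the group, and only a name that matches nothing becomes an UnresolvedPrincipal.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set

@dataclass(frozen=True)
class Role:
    name: str

@dataclass(frozen=True)
class GroupPrincipal:
    name: str

@dataclass(frozen=True)
class UserPrincipal:
    name: str

@dataclass(frozen=True)
class UnresolvedPrincipal:
    name: str

# Assumption: the built-in roles are modelled by these four names.
BUILTIN_ROLE_NAMES = {"All", "Anonymous", "Asserted", "Authenticated"}

@dataclass
class PrincipalResolver:
    """Models the resolvePrincipal lookup order; the three sources are assumed interfaces,
    not the real Authorizer, GroupManager or UserDatabase."""
    authorizer_roles: Set[str]                   # role names the external Authorizer knows
    groups: Set[str]                             # group names the GroupManager manages
    find_user: Callable[[str], Optional[str]]    # UserDatabase.find stand-in: login name or None

    def resolve(self, name):
        if name in BUILTIN_ROLE_NAMES:             # 1. built-in Role
            return Role(name)
        if name in self.authorizer_roles:          # 2. Role supplied by the Authorizer
            return Role(name)
        if name in self.groups:                    # 3. Group from the GroupManager
            return GroupPrincipal(name)
        login = self.find_user(name)               # 4. first matching user in the UserDatabase
        if login is not None:
            return UserPrincipal(login)
        return UnresolvedPrincipal(name)           # 5. nothing matched: manufacture a placeholder

    def resolve_acl_entries(self, names):
        """Resolves every name taken from an ACL and lists the ones that stayed unresolved."""
        resolved = [self.resolve(n) for n in names]
        unresolved = [p.name for p in resolved if isinstance(p, UnresolvedPrincipal)]
        return resolved, unresolved

# Constructed sample directory: login name -> full name (assumption: find matches either).
SAMPLE_USERS = {"alice": "Alice Smith", "bob": "Bob Jones", "admin": "Site Admin"}

def sample_find_user(name):
    for login, full in SAMPLE_USERS.items():
        if name in (login, full):
            return login
    return None

SAMPLE_RESOLVER = PrincipalResolver(authorizer_roles={"Editor"},
                                    groups={"Admin", "Editors"},
                                    find_user=sample_find_user)
```

With the sample sources, "Admin" resolves to the group even though a user with login "admin" exists, because step 3 runs before step 4 (and the lookup here is case-sensitive, so "admin" still reaches the user database). resolve_acl_entries is the check an operator would run over an ACL after renaming or deleting users and groups: every name it reports as unresolved will never grant access until it resolves again.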



Methods inherited from java.lang.Object
native protected Object clone() throws CloneNotSupportedException
public boolean equals(Object obj)
protected void finalize() throws Throwable
final native public Class getClass()
native public int hashCode()
final native public void notify()
final native public void notifyAll()
public String toString()
final native public void wait(long timeout) throws InterruptedException
final public void wait(long timeout, int nanos) throws InterruptedException
final public void wait() throws InterruptedException
