public interface BulkAccessDecision
BulkAccessDecisionV2 security service provider (SSPI) interface for policy enforcement points (PEP) allows support for bulk runtime authorization queries.

| Modifier and Type | Method and Description |
|---|---|
| Map<Resource,Result> | isAccessAllowed(Subject subject, Map<Resource,Map<String,SecurityRole>> roles, List<Resource> resources, ContextHandler handler, Direction direction) Indicates whether the authorization policies defined for the list of resources allow the requested method to be performed, by utilizing the information contained in the subject and context. |

Map<Resource,Result> isAccessAllowed(Subject subject, Map<Resource,Map<String,SecurityRole>> roles, List<Resource> resources, ContextHandler handler, Direction direction) throws InvalidPrincipalException
 
 The isAccessAllowed method may be called both prior to a
 request and after a request has been processed. The value of the
 direction parameter indicates whether the method is being called
 1) to determine if the request should be allowed to be dispatched or
 2) to determine if the result of the request should be allowed to be
 returned.
Parameters:
subject - a Subject object containing the identity of the principals that are attempting to perform a request on the specified resource.
roles - a Map of roles (indexed first by resource and then by their names) that are associated with the subject and should be taken into consideration when making the authorization decision.
resources - a list of Resource objects indicating the type of resources on which the subject is attempting to perform a request.
handler - a ContextHandler object that can optionally be used by an Access Decision to obtain additional information that may be used in making the authorization decision. If the caller is unable to provide additional information, a null value should be specified.
direction - a Direction object representing whether the authorization check is being performed prior to processing the requests or after the requests have been processed but before the results have been returned. A value of PRIOR indicates that the authorization check is being requested prior to processing the request. A value of POST indicates that the authorization check is being requested after the request has been processed but before the results have been returned. A value of ONCE indicates that the authorization check is being done once. isAccessAllowed uses the direction to give it some indication as to which parameters to request (in or out) in the ContextHandler.

Returns:
Map of indications (indexed by Resource) of whether the authorization policies defined for the resources allow the requested methods to be performed. For each resource in the input list, a return value of PERMIT indicates that the specified subject has permission to perform the operation. A return value of DENY indicates that the specified subject should not be allowed to perform the operation on the matching resource index in the input list. A value of ABSTAIN indicates that an explicit decision to either permit or deny the requested method could not be determined.

Throws:
InvalidPrincipalException - if the principal has become invalid (possibly because the principal has been deleted from the system while there was an active subject with that principal).
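
The following is an added example, not part of the original API documentation or the product's code. It shows one way to build and consume the per-resource result map so that only an explicit PERMIT grants access. The Result enum, the string resource names, the helper names and the deny-by-default handling of ABSTAIN and missing entries are all assumptions of this example.

```java
import java.util.*;
import java.util.function.Function;

public class BulkDecisionDemo {
    // Stand-in for the Result values named on this page (not the product class).
    enum Result { PERMIT, DENY, ABSTAIN }

    // Provider side (hypothetical helper): answer a bulk query by evaluating each
    // resource once, so the map has exactly one entry per requested resource.
    static <R> Map<R, Result> decideAll(List<R> resources, Function<R, Result> single) {
        Map<R, Result> out = new LinkedHashMap<>();
        for (R r : resources) {
            Result d = single.apply(r);
            out.put(r, d == null ? Result.ABSTAIN : d); // no answer is not a permit
        }
        return out;
    }

    // Caller side (assumed deny-by-default policy): keep only resources that were
    // requested AND carry an explicit PERMIT. DENY, ABSTAIN, a null value or a
    // missing entry all block the resource; unrequested keys are ignored.
    static <R> List<R> permitted(List<R> requested, Map<R, Result> decisions) {
        List<R> allowed = new ArrayList<>();
        for (R r : requested) {
            if (decisions != null && decisions.get(r) == Result.PERMIT) {
                allowed.add(r);
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample data: resource names and policy are illustrative.
        List<String> requested =
            List.of("jms/queueA", "jms/queueB", "jms/queueC", "jms/queueD");
        Map<String, Result> policy = Map.of(
            "jms/queueA", Result.PERMIT,
            "jms/queueB", Result.DENY);            // queueC and queueD have no policy
        Map<String, Result> decisions =
            decideAll(requested, r -> policy.getOrDefault(r, Result.ABSTAIN));
        decisions.remove("jms/queueD");            // simulate an omitted entry
        decisions.put("jms/admin", Result.PERMIT); // simulate an unrequested entry
        System.out.println(permitted(requested, decisions));
    }
}
```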