public interface PolicyMgmt
Modifier and Type | Method and Description |
---|---|
java.util.List<GrantEntry> |
getGrantEntries()
Get all the grants defined in this scope (system or application).
|
void |
grant(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, java.util.List<PermissionEntry> permissionEntries)
Grant a set of permissions to this group of principals and code source, or otherwise collectively known as the grantee.
|
void |
grant(java.security.Principal[] principals, java.security.CodeSource cs, java.security.Permission[] perms)
Grant a set of permissions to this group of principals and code source, or otherwise collectively known as the grantee.
|
void |
modifyGrant(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, PermissionEntry oldpermissionEntry, PermissionEntry newPermissionEntry)
Modifies a grant by replacing the permission in an existing grant with a given permission if not already present.
|
void |
revoke(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, java.util.List<PermissionEntry> permissionEntries)
Revoke a grant of permissions from this set of principals and codesource combination
|
void |
revoke(java.security.Principal[] principals, java.security.CodeSource cs, java.security.Permission[] perms)
Revoke a grant of permissions from this set of principals and codesource combination.
|
void grant(java.security.Principal[] principals, java.security.CodeSource cs, java.security.Permission[] perms) throws PolicyObjectAlreadyExistsException, PolicyStoreException, InvalidArgumentException
Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.
Based on the algorithm in JpsAuth
this checks for PolicyStoreAccessPermission( "context=APPLICATION,name=application stripe" , "grant"). OR for PolicyStoreAccessPermission
("context=SYSTEM", "grant" This may result in an AccessControlException or SecurityException
principals
- the set of principals to grant the permission(s) forcs
- the code sourceperms
- the set of permissionsPolicyObjectAlreadyExistsException
- if the grantee is already granted all the requested permissions. If any one permission was not granted previously, then this permission is now granted.InvalidArgumentException
- if the supplied perms
array is null
or empty, or any entry in the principals
or perms
arrays is null
, or the name of a Principal
is null
or empty; if duplicate Principal
objects are found in the principals
array or if duplicate Permission
objects are found in the perms
array; if a given Principal
is an AdminRole
principal; if a given Permission
is not an instanceof
oracle.security.jps.ResourcePermission
or oracle.security.jps.AbstractTypedPermission
when the oracle.security.jps.policystore.resourcetypeenforcementmode property is set to Strict.PolicyStoreException
- if an error occurred during this grant operation.
Cause | Explanation |
Permission Class validation fails (if resource type is defined in the policy store) | Permission class of Permission differs from the matcher class of the resource type. (see ResourceTypeEntry.getResourceMatcherClassName() ) |
Action validation fails (if resource type is defined in the policy store) | Action of the Permission is not a subset of actions for the given Resource Type. (see ResourceTypeEntry.getActions() ) |
void grant(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, java.util.List<PermissionEntry> permissionEntries) throws PolicyObjectAlreadyExistsException, PolicyStoreException, InvalidArgumentException
Use this method only the if the grantee or PermissionEntries cannot be instantiated. Sometimes, the class
that implements the principal, or the permission
may not be available in the classloader. In such situations, this method can be used to perform a grant
.
This method searches for an existing grantee by comparing the corresponding string values of the grantee, which are the principal classname, principal name and the code source URL. Therefore, the grantee search is not exact and may not be entirely accurate since the Principal
objects are not compared.
Similarly, when the permissions
are granted, the check for duplicate permissions is performed by string comparisons of the permission attributes - namely the permission classname, permissions name and the permission action. Also since the Permission
object is not created, it is not possible to verify if the PermissionEntry
is valid or not.
Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.
The caller is responsible for the grantee and permissions values supplied as parameters in this method.Based on the algorithm in JpsAuth
this checks for PolicyStoreAccessPermission( "context=APPLICATION,name=application stripe" , "grant"). OR for PolicyStoreAccessPermission
("context=SYSTEM", "grant" This may result in an AccessControlException or SecurityException
principalEntries
- principal entries that constitute the granteecsEntry
- codesource entry that constitute the granteepermissionEntries
- permissions to grant.PolicyObjectAlreadyExistsException
- if the grantee is already granted all the requested permissions. If any one permission was not granted previously, then the permission is now granted.InvalidArgumentException
- if the supplied permissionEntries
list is null
or empty, or any entry in the principalEntries
or permissionEntries
lists is null
or has a null
or empty classname, or the principal name of a PrincipalEntry
is null
or empty; if duplicate PrincipalEntry
objects are found in the principalEntries
list or if duplicate PermissionEntry
objects are found in the permissionEntries
list; if a given PrincipalEntry
corresponds to an AdminRole
principal; if a given PrincipalEntry
is not associated with a Resource Type when the oracle.security.jps.policystore.resourcetypeenforcementmode property is set to Strict.PolicyStoreException
- if an error occurred during this grant operation.
Cause | Explanation |
Permission Class validation fails (if resource type exists in policy store) | Permission class of Permission differs from the matcher class of the Resource type. (see ResourceTypeEntry.getResourceMatcherClassName() ) |
Action validation fails (if resource type exists in policy store) | Action of the Permission is not a subset of actions for the given Resource Type. (see ResourceTypeEntry.getActions() ) |
void revoke(java.security.Principal[] principals, java.security.CodeSource cs, java.security.Permission[] perms) throws PolicyObjectNotFoundException, PolicyStoreException, InvalidArgumentException
Based on the algorithm in JpsAuth
this checks for PolicyStoreAccessPermission( "context=APPLICATION,name=application stripe" , "revoke"). OR for PolicyStoreAccessPermission
("context=SYSTEM", "revoke" This may result in an AccessControlException or SecurityException
Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.
principals
- the set of principals to revoke the permission(s) fromcs
- the code sourceperms
- the set of permissionsPolicyObjectNotFoundException
- if this object is not found.InvalidArgumentException
- if the supplied perms
array is null
or empty, or any entry in the principals
or perms
arrays is null
, or the name of a Principal
is null
or empty; if duplicate Principal
objects are found in the principals
array; if a given Principal
is an AdminRole
principal.PolicyStoreException
- if an error occurred during this revoke operation.
Cause | Explanation |
Permission Class validation fails (if resource type is defined in the policy store) | Permission class of Permission differs from the matcher class of the Resource type. (see ResourceTypeEntry.getResourceMatcherClassName() ) |
Action validation fails (if resource type is defined in the policy store) | Action of the Permission is not a subset of actions for the given Resource Type (see ResourceTypeEntry.getActions() ) |
void revoke(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, java.util.List<PermissionEntry> permissionEntries) throws PolicyObjectNotFoundException, PolicyStoreException, InvalidArgumentException
Use this method only the if the grantee or PermissionEntries cannot be instantiated. Sometimes, the class
that implements the principal, or the permission
may not be available in the classloader. In such situations, this method can be used to perform a grant
.
This method searches for an existing grantee by comparing the corresponding string values of the grantee, which are the principal classname, principal name and the code source URL. Therefore, the grantee search is not exact and may not be entirely accurate since the Principal
objects are not compared.
Similarly, when the permissions
are revoked, the check for an existing permissions is performed by string comparisons of the permission attributes - namely the permission classname, permissions name and the permission action. Also since the Permission
object is not created, it is not possible to verify if the PermissionEntry
is valid or not.
Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.
The caller is responsible for the grantee and permissions values supplied as parameters in this method.Based on the algorithm in JpsAuth
this checks for PolicyStoreAccessPermission( "context=APPLICATION,name=application stripe" , "revoke"). OR for PolicyStoreAccessPermission
("context=SYSTEM", "revoke" This may result in an AccessControlException or SecurityException
principalEntries
- principal entries that constitute the granteecsEntry
- codesource entry that constitute the granteepermissionEntries
- permissions to grant.PolicyObjectNotFoundException
- if the grantee or permissions are not found.InvalidArgumentException
- if the supplied permissionEntries
list is null
or empty, or any entry in the principalEntries
or permissionEntries
lists is null
or has a null
or empty classname, or the principal name of a PrincipalEntry
object is null
or empty; if duplicate PrincipalEntry
objects are found in the principalEntries
list; if a given PrincipalEntry
corresponds to an AdminRole
principal.PolicyStoreException
- if an error occurred during this revoke operation.
Cause | Explanation |
Permission Class validation fails (if resource type is defined in the policy store) | Permission class of Permission differs from the matcher class of the Resource type. (see ResourceTypeEntry.getResourceMatcherClassName() ) |
Action validation fails (if resource type is defined in the policy store) | Action of the Permission is not a subset of actions for the given Resource Type (see ResourceTypeEntry.getActions() ) |
java.util.List<GrantEntry> getGrantEntries() throws PolicyStoreException
PolicyStoreException
- if an error occurred during this operationvoid modifyGrant(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, PermissionEntry oldpermissionEntry, PermissionEntry newPermissionEntry) throws PolicyObjectNotFoundException, PolicyStoreException, InvalidArgumentException
PolicyStoreAccessPermission
("context=SYSTEM", "revoke" AND for PolicyStoreAccessPermission( "context=APPLICATION,name=application stripe" , "grant"). OR for PolicyStoreAccessPermission
("context=SYSTEM", "grant" This may result in an AccessControlException or SecurityExceptionprincipalEntries
- List of principal entries that defines the grantcsEntry
- codesource entry that defines the grantoldpermissionEntry
- old permission entry to be replacednewPermissionEntry
- new permission entry to be put inPolicyObjectNotFoundException
- thrown if the grant or old permission is not found.InvalidArgumentException
- if the supplied oldpermissionEntry
or newPermissionEntry
objects or any entries in the principalEntries
list are null
, or the principal name of a PrincipalEntry
object is null
or empty; if duplicate PrincipalEntry
objects are found in the principalEntries
list; if a given PrincipalEntry
corresponds to an AdminRole
principal.PolicyStoreException
- internal policy store error.