public final class JpsAuth
extends java.lang.Object
Modifier and Type | Class and Description |
---|---|
static interface |
JpsAuth.Authorizer |
Constructor and Description |
---|
JpsAuth() |
Modifier and Type | Method and Description |
---|---|
static java.util.Set<ResourceActionsEntry> |
checkBulkAuthorization(javax.security.auth.Subject subject, java.util.Set<ResourceActionsEntry> requestedResources)
Determines whether the subject has access one or more Resource Actions.
|
static void |
checkPermission(java.security.Permission perm)
Utility method to perform checkPermission.
|
static java.util.Set<JpsApplicationRole> |
getAllGrantedAppRoles(javax.security.auth.Subject subject, java.util.Set<java.lang.String> applications)
Returns a set of application roles that have been granted to a subject, directly or indirectly, for the specified application stripes.
|
static java.util.Set<ResourceActionsEntry> |
getGrantedResources(javax.security.auth.Subject subject, boolean isAuthorized)
Returns resource-actions that have been granted to a Subject.
|
static JpsAuth.Authorizer |
getSystemAuthorizer()
Returns the system-level Authorizer
|
static boolean |
hasPermission(javax.security.auth.Subject subject, java.security.Permission perm) |
public static JpsAuth.Authorizer getSystemAuthorizer()
public static void checkPermission(java.security.Permission perm) throws java.security.AccessControlException
The check proceeds as follows:
SecurityManager
is set, call SecurityManager.checkPermission
AccessController.checkPermission
perm
- permission to be checkedjava.security.AccessControlException
- if the specified permission is not permitted, based on the current security policy.public static boolean hasPermission(javax.security.auth.Subject subject, java.security.Permission perm)
public static java.util.Set<ResourceActionsEntry> getGrantedResources(javax.security.auth.Subject subject, boolean isAuthorized) throws JpsRuntimeException
This utility method is to provide a runtime authorization query to fetch all granted resources on a given Subject instance. The return type is a Set
of ResourceActionsEntry
.
Please note that only permissions associated with resource types (directly or indirectly through permission sets) will be returned by this method.
If the subject is given java.security.AllPermission permission, then the returned resource actions entry will contain "<all actions>" action and "<all permissions>" resource where the resource type is "AllPermission".subject
- The Subject instance. This Subject instance can contain user identity, enterprise roles, or application roles. This method will compute application roles for the given subject. The subject must be read-only.isAuthorized
- A boolean flag to indicate if it also needs to perform checkPermission
for the subject on all the granted resources. Set to true to perform a checkPermission for the subject on the resource actions entries. If set to false, no checkPermission is performed. Please note that in certain cases, a subject is granted for a permission does not necessary mean that the subject is authorized.
An example would be, say, we have a custom permission which implements its own implies
method, and it adds one more condition to return imply true only if the access time is between 9 AM and 5 PM. In this case, a subject is granted the permission, but will only be authorized during 9 AM and 5 PM. If authorize is set to false, we will not evaluate the permissions and just return the entire set of permissions in ResourceActionsEntry.
JpsRuntimeException
- If the policy provider does not implement getGrantedResources
.public static java.util.Set<ResourceActionsEntry> checkBulkAuthorization(javax.security.auth.Subject subject, java.util.Set<ResourceActionsEntry> requestedResources) throws PolicyStoreException
Following example illustrates how to invoke this method
import oracle.security.jps.*; import oracle.security.jps.util.*; import oracle.security.jps.service.policystore.*; import oracle.security.jps.service.policystore.info.*; import oracle.security.jps.service.policystore.info.common.*; import oracle.security.jps.service.policystore.info.resource.*; import oracle.security.jps.service.policystore.search.*; import java.util.*; import java.security.*; import javax.security.auth.*; ... PolicyStore ps; // the current PolicyStore // Construct the requested Resource-Actions Set<ResourceActionsEntry> requestedResources = new HashSet<ResourceActionsEntry>(); ResourceActionsEntry aResourceActionsEntry; Set<String> allowedActions; // actions for this resource allowedActions = new HashSet<String>(); allowedActions.add("read"); allowedActions.add("write"); // Build one resource-actions // Assuming FILE is a pre-existing resource type defined in the application 'application_1' aResourceActionsEntry = InfoFactory.newResourceActionsEntry("FILE", "/tmp", allowedActions, "application_1"); // and add it to the request requestedResources.add ( aResourceActionsEntry ); // build one more resource-actions allowedActions = new HashSet<String>(); allowedActions.add("connect"); // Assuming SOCKET is a pre-existing resource type defined in the application 'application2' aResourceActionsEntry = InfoFactory.newResourceActionsEntry("SOCKET", "somehost:9999", allowedActions, "application_2"); requestedResources.add ( aResourceActionsEntry ); // Create a Subject (not shown here) Subject jdoe; Set<ResourceActionsEntry> allowedResources; // Return result has the allowed resource-actions allowedResources = JpsAuth.checkBulkAuthorization(jdoe, requestedResources);
subject
- the Subject to authorizerequestedResources
- a Set of resource actions the caller is requesting access to.ResourceActionsEntry
correspond to action1 AND action2 ... AND action_n.requestedResources
. Resource Actions the caller cannot access are not included in the return result.
If the Subject is not authorized to all the resoure-actions, an empty Set is returned.
PolicyStoreException
- if an error occurs while evaluating the request.InfoFactory.newResourceActionsEntry(String,String,Set,String)
public static java.util.Set<JpsApplicationRole> getAllGrantedAppRoles(javax.security.auth.Subject subject, java.util.Set<java.lang.String> applications) throws PolicyStoreException
The method queries all the granted application roles on a given subject instance for multiple application policies.
subject
- The Subject instance. This Subject instance can contain user identity, enterprise roles, or application roles. The subject must be read-only. If there are application roles in the incoming subject, and the application name associated with the application roles is not null, then the application role computation for that particular application will be skipped.
To ensure all the application roles granted to the Subject are computed by this method, do not include any application role in the Subject.
applications
- names to compute the granted application roles in for the given Subject.oracle.security.jps.principals.JpsApplicationRole
. This set will contain all application roles (including direct or indirect application roles) in flat structure across all specified applications.PolicyStoreException
- if an error occurs while evaluating the request.