public interface AccessController
The implementing class is declared by the "security-config/access-controller" element in the tangosol-coherence.xml configuration descriptor and used to control access to protected clustered resources.
DefaultController
, Security
Modifier and Type | Method and Description |
---|---|
void |
checkPermission(ClusterPermission permission, Subject subject)
Determine whether the cluster access request indicated by the specified permission should be allowed or denied for a given Subject (requestor).
|
Object |
decrypt(SignedObject so, Subject subjEncryptor, Subject subjDecryptor)
Decrypt the specified SignedObject using the public credentials for a given encryptor Subject in a context represented by the decryptor Subject which is usually associated with the current thread.
|
SignedObject |
encrypt(Object o, Subject subjEncryptor)
Encrypt the specified object using the private credentials for the given Subject (encryptor), which is usually associated with the current thread.
|
void checkPermission(ClusterPermission permission, Subject subject)
This method quietly returns if the access request is permitted, or throws a suitable AccessControlException if the specified authentication is invalid or insufficient.
permission
- the permission object that represents access to a clustered resourcesubject
- the Subject object representing the requestorAccessControlException
- if the specified permission is not permitted, based on the current security policySignedObject encrypt(Object o, Subject subjEncryptor) throws IOException, GeneralSecurityException
o
- the Object to encryptsubjEncryptor
- the Subject object whose credentials are being used to do the encryptionIOException
- if an error occurs during serializationGeneralSecurityException
- if the signing failsObject decrypt(SignedObject so, Subject subjEncryptor, Subject subjDecryptor) throws ClassNotFoundException, IOException, GeneralSecurityException
Note: the encryptor Subject usually represents a remote called and comes without any private credentials. Moreover, even the public credentials it provides may not be fully trusted and have to be verified as matching to the set of the encryptor's principals.
so
- the SignedObject to decryptsubjEncryptor
- the Subject object whose credentials were used to do the encryptionsubjDecryptor
- the Subject object whose credentials might be used to do the decryption; for example, in a request/response model, the decryptor for a response is the encryptor for the original requestClassNotFoundException
- if a necessary class cannot be found during deserializationIOException
- if an error occurs during deserializationGeneralSecurityException
- if the verification fails