|
Oracle Fusion Middleware Java API Reference for Oracle WebLogic Server 12c (12.2.1) Part Number E55141-01 P4 Change 1723563 on 2015/10/09 |
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
public interface AccessDecision
The AccessDecision
interface defines the security service provider interface (SSPI) for policy enforcement points (PEP) that can be plugged into WebLogic Server.
An implementation of the AccessDecision
interface is the part of an Authorization provider that indicates whether to allow (permit) or deny the processing of the requested method. As such, it must return a Result
. If the Access Decision does not understand the type of resource being requested, the Access Decision is responsible for indicating that it will abstain from making a decision.
An Access Decision based on this interface may be called both prior to a request and after a request has been processed. Thus, the implementation must be stateless and not assume that any authorization check performed prior to allowing a request to be processed will have a corresponding authorization check after the request has been processed.
The Access Decision based on this interface must implement the two built-in groups: "users" and "everyone". All subjects are members of the "everyone" group and all non-anonymous subjects (that is, subjects with one or more principals) are members of the "users" group.
Method Summary | |
---|---|
abstract Result |
isAccessAllowed(Subject subject, Map roles, Resource resource, ContextHandler handler, Direction direction) Indicates whether the authorization policies defined for the resource allow the requested method to be performed, by utilizing the information contained in the subject. |
abstract boolean |
isProtectedResource(Subject subject, Resource resource) Determines if the specified resource is protected against access by unauthenticated principals. |
Method Detail |
---|
Result isAccessAllowed(Subject subject, Map roles, Resource resource, ContextHandler handler, Direction direction) throws InvalidPrincipalException
The isAccessAllowed
method may be called both prior to a request and after a request has been processed. An indication of whether the method is being called 1) to determine if the request should be allowed to be dispatched or 2) to determine if the result of request should be allowed to be returned is represented by the value of the direction
parameter.
subject
- a Subject
object containing the identity of the principals that are attempting to perform a request on the specified resource.roles
- a Map
of roles (indexed by their names) that are associated with the subject and should be taken into consideration when making the authorization decision.resource
- a Resource
object indicating the type of resource on which the subject is attempting to perform a request.handler
- a ContextHandler
object that can optionally be used by an Access Decision to obtain additional information that may be used in making the authorization decision. If the caller is unable to provide additional information, a null
value should be specified.direction
- a Direction
object representing whether the authorization check is being performed prior to processing the request or after the request has been processed but before the results have been returned. A value of PRIOR
indicates that the authorization check is being requested prior to processing the request. A value of POST
indicates that the authorization check is being requested after the request has been processed but before the results have been returned. A value of ONCE
indicates that the authorization check is being done once. isAccessAllowed
uses the direction to give it some indication as to which parameters to request (in or out) in the ContextHandler
.PERMIT
indicates that the specified subject has permission to perform the operation. A return value of DENY
indicates that the specified subject should not be allowed to perform the operation on the resource. A value of ABSTAIN
indicates that an explicit decision to either permit or deny the requested method could not be determined.InvalidPrincipalException
- if the principal has become invalid (possibly because the principal has been deleted from the system while there was an active subject with that principal).boolean isProtectedResource(Subject subject, Resource resource) throws InvalidPrincipalException
The isProtectedResource
method does not compute the set of roles that may be granted to the caller's subject. As a result, it provides a light-weight mechanism to determine if the resource is protected.
subject
- a Subject
object containing the identity of the principals that are attempting to perform a request on the specified resource.resource
- a Resource
object indicating the type of resource on which the subject is attempting to perform a request.TRUE
indicates the resource is protected; a value of FALSE
indicates that the resource is not protected.InvalidPrincipalException
- if the principal has become invalid (possibly because the principal has been deleted from the system while there was an active subject with that principal).
|
Copyright 1996, 2015, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Fusion Middleware Java API Reference for Oracle WebLogic Server 12c (12.2.1) Part Number E55141-01 P4 Change 1723563 on 2015/10/09 |
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |