weblogic.security.service

Interface AuthorizationManager

public interface AuthorizationManager

Method Summary

Modifier and Type	Method and Description
void	createApplicationVersion(java.lang.String appIdentifier, java.lang.String sourceAppIdentifier) Marks the creation of a new application version and is only called on one server within a WLS domain at the time the version is created.
void	deleteApplication(java.lang.String appName) Marks the deletion of a non-versioned application and is only called on one server within a WLS domain at the time the application is deleted.
void	deleteApplicationPolicies(SecurityApplicationInfo appInfo) Deletes all policy for an application and is only called on one server within a WLS domain at the time an application is deleted.
void	deleteApplicationVersion(java.lang.String appIdentifier) Marks the deletion of an application version and is only called on one server within a WLS domain at the time the version is deleted.
void	deployExcludedPolicy(AuthorizationManagerDeployHandle handle, Resource resource) Deploys a policy which always denies access.
void	deployPolicy(AuthorizationManagerDeployHandle handle, Resource resource, java.lang.String[] roleNames) Deploys a policy (that is, creates a policy on behalf of a deployed Web application or EJB).
void	deployUncheckedPolicy(AuthorizationManagerDeployHandle handle, Resource resource) Deploys a policy which always grants access.
void	endDeployPolicies(AuthorizationManagerDeployHandle handle) Marks the end of an application policy deployment.
AuthorizationPolicyHandler	getAuthorizationPolicyHandler(java.lang.String name, java.lang.String version, java.lang.String timeStamp, Resource[] resources) Obtain a authorization policy handler for a policy set.
boolean	isAccessAllowed(weblogic.security.acl.internal.AuthenticatedSubject aSubject, java.util.Map roles, Resource resource, ContextHandler handler, Direction direction) Provides an indication to whether the authorization policies defined for the resource allow the requested method to be performed by utilizing the information contained in the Subject.
boolean	isAccessAllowed(weblogic.security.acl.internal.AuthenticatedSubject aSubject, Resource resource, ContextHandler handler) Provides a shortcut wrapper to the version of isAccessAllowed that takes SecurityRoles and ContextHandlers.
boolean	isProtectedResource(weblogic.security.acl.internal.AuthenticatedSubject aSubject, Resource resource) Returns an indication of whether the specified resource is protected.
boolean	isProtectedResource(javax.security.auth.Subject subject, Resource resource) Returns an indication of whether the specified resource is protected.
boolean	isResourceProtected(javax.security.auth.Subject subject, Resource resource) Query the policy store to see if the specified resource is protected.
boolean	isVersionableApplicationSupported() Returns true iff all the authorizers support the VersionableApplicationProvider SSPI.
AuthorizationManagerDeployHandle	startDeployPolicies(SecurityApplicationInfo appInfo) Marks the beginning of an application policy deployment and is called on all servers within a WLS domain where an application is targeted.
void	undeployAllPolicies(AuthorizationManagerDeployHandle handle) Undeploys all policy for an deployed application (that is, deletes a set of policy defitions on behalf of an undeployed Web application or EJB).

Method Detail

isAccessAllowed

boolean isAccessAllowed(weblogic.security.acl.internal.AuthenticatedSubject aSubject,
                        java.util.Map roles,
                        Resource resource,
                        ContextHandler handler,
                        Direction direction)

Provides an indication to whether the authorization policies defined for the resource allow the requested method to be performed by utilizing the information contained in the Subject. The method returns a boolean value that indicates whether requested method should be allowed. A return value of TRUE indicates that the specified Subject has permission to perform the operation; else a value of FALSE is returned.

The isAccessAllowed method utilizes the Adjudicator object to determine the outcome of the decision if more than one policy decision point (AccessDecision object) is configured to be used or if a single policy decision point returns a value of ABSTAIN.

The isAccessAllowed method may be called both prior and after a request has been processed. An indication of whether the method is being called to determine if the request should be allowed to be dispatched or to determine if the result of request should be allowed to be returned in represented by the value of the direction parameter.

The Auditor is called after the Adjudicator has rendered a decision and an AuditEvent with a severity of SUCCESS or FAILURE are generated depending upon the Adjudicator's decision.

Parameters:

subject - a Subject that contains the identity of the principals that are attempting to perform a request on the specified resource.

roles - an optional HashMap of SecurityRole objects that are associated with the Subject and should be taken into consideration when making the authorization decision.

resource - a Resource object that indicates that type of resource on which the Subject is attempting to perform a request.

handler - an optional ContextHandler object that can optionally be used by a policy decision point (PDP) to obtain addition information that is used in making the authorization decision.

If the caller is unable to provide additional information, a null value should be specified.

direction - an indication of whether the authorization check is being performed prior to processing the request or after the request has been processed but before the results are attempted to be returned.

A value of PRIOR indicates the authorization check is being requested to prior to processing the request. A value of POST indicates the authorization check is being requested after the request has been processed but before the results have been returned.

A value of ONCE indicates that the authorization check will only be performed prior to the processing of the request and that the AuthorizationManager should perform the task of acquiring the roles that are granted to the requesting Subject prior to delegating the decision to the configured AccessDecision objects.

Returns:

a boolean value indicating whether the requested method on the resource should be allowed to be performed. A value of TRUE indicates the method should be allowed; a value of FALSE indicates that the method should not be allowed to be performed.

Throws:

InvalidParameterException - returned if a required parameter is missing.

NotYetInitializedException - returned if the AuthorizationManager has not yet been initialized.

isAccessAllowed

boolean isAccessAllowed(weblogic.security.acl.internal.AuthenticatedSubject aSubject,
                        Resource resource,
                        ContextHandler handler)

Provides a shortcut wrapper to the version of isAccessAllowed that takes SecurityRoles and ContextHandlers. This method should be used anytime an authorization decision is required that does not need the return values of the compeleted request to be evaluated prior to returning them to the caller. The AuthorizationManager will acquire the roles that are granted to the requesting Subject each time this method is called and prior to delegating the decision to the configured AccessDecision objects. As a result, no list of roles for the Subject are required to be passed as a parameter to this method.

Parameters:

subject - a Subject that contains the identity of the principals that are attempting to perform a request on the specified resource.

resource - a Resource object that indicates that type of resource on which the Subject is attempting to perform a request.

handler - an optional ContextHandler object that can optionally be used by a policy decision point (PDP) to obtain addition information that is used in making the authorization decision.

If the caller is unable to provide additional information, a null value should be specified.

Returns:

a boolean value indicating whether the requested method on the resource should be allowed to be performed. A value of TRUE indicates the method should be allowed; a value of FALSE indicates that the method should not be allowed to be performed.

Throws:

NotYetInitializedException - returned if the AuthorizationManager has not yet been initialized.

InvalidParameterException - returned if a required parameter is missing.

isProtectedResource

boolean isProtectedResource(javax.security.auth.Subject subject,
                            Resource resource)

Returns an indication of whether the specified resource is protected. The method determines if the specified resource is protected against access by unauthenticated principals.

The isProtectedResource method does not compute the set of roles that may be granted to the caller's Subject. As a result, it provides a light-weight mechanism to determine if the resource is protected.

Parameters:

subject - a Subject that contains the identity of the principals that are attempting to perform a request on the specified resource.

resource - a Resource object that indicates that type of resource on which the Subject is attempting to perform a request.

Returns:

a boolean value indicating whether the resource is protected against unauthenticated access. A value of TRUE indicates the resource is protected; a value of FALSE indicates that the resource is not protected. On failure TRUE will be returned.

Throws:

InvalidParameterException - returned if a required parameter is missing.

NotYetInitializedException - returned if the AuthorizationManager has not yet been initialized.

isProtectedResource

boolean isProtectedResource(weblogic.security.acl.internal.AuthenticatedSubject aSubject,
                            Resource resource)

Returns an indication of whether the specified resource is protected. The method determines if the specified resource is protected against access by unauthenticated principals.

The isProtectedResource method does not compute the set of roles that may be granted to the caller's Subject. As a result, it provides a light-weight mechanism to determine if the resource is protected.

Parameters:

aSubject - a Subject that contains the identity of the principals that are attempting to perform a request on the specified resource.

resource - a Resource object that indicates that type of resource on which the Subject is attempting to perform a request.

Returns:

a boolean value indicating whether the resource is protected against unauthenticated access. A value of TRUE indicates the resource is protected; a value of FALSE indicates that the resource is not protected. On failure TRUE will be returned.

Throws:

InvalidParameterException - returned if a required parameter is missing.

NotYetInitializedException - returned if the AuthorizationManager has not yet been initialized.

isResourceProtected

boolean isResourceProtected(javax.security.auth.Subject subject,
                            Resource resource)

Query the policy store to see if the specified resource is protected. Note: for performance concern, this call will not seal the supplied subject before using it to query the store. Callers are recommended to use AuthorizationManager.isProtectedResource(Subject, Resource)

Parameters:

subject -

resource -

Returns:

startDeployPolicies

AuthorizationManagerDeployHandle startDeployPolicies(SecurityApplicationInfo appInfo)
                                              throws DeployHandleCreationException

Marks the beginning of an application policy deployment and is called on all servers within a WLS domain where an application is targeted.

Returns:

a AuthorizationManagerDeployHandle for the application that is used for subsequent calls to deploy policy.

Throws:

DeployHandleCreationException

deployPolicy

void deployPolicy(AuthorizationManagerDeployHandle handle,
                  Resource resource,
                  java.lang.String[] roleNames)
           throws ResourceCreationException

Deploys a policy (that is, creates a policy on behalf of a deployed Web application or EJB). If the policy already exists, it is removed and replaced by this policy.

Throws:

ResourceCreationException

deployUncheckedPolicy

void deployUncheckedPolicy(AuthorizationManagerDeployHandle handle,
                           Resource resource)
                    throws ResourceCreationException

Deploys a policy which always grants access. If a policy already exists, it is removed and replaced by this policy.

Throws:

ResourceCreationException

deployExcludedPolicy

void deployExcludedPolicy(AuthorizationManagerDeployHandle handle,
                          Resource resource)
                   throws ResourceCreationException

Deploys a policy which always denies access. If a policy already exists, it is removed and replaced by this policy.

Throws:

ResourceCreationException

endDeployPolicies

void endDeployPolicies(AuthorizationManagerDeployHandle handle)
                throws ResourceCreationException

Marks the end of an application policy deployment.

Throws:

ResourceCreationException

undeployAllPolicies

void undeployAllPolicies(AuthorizationManagerDeployHandle handle)
                  throws ResourceRemovalException

Undeploys all policy for an deployed application (that is, deletes a set of policy defitions on behalf of an undeployed Web application or EJB).

Throws:

ResourceRemovalException

deleteApplicationPolicies

void deleteApplicationPolicies(SecurityApplicationInfo appInfo)
                        throws ResourceRemovalException

Deletes all policy for an application and is only called on one server within a WLS domain at the time an application is deleted.

Throws:

ResourceRemovalException

isVersionableApplicationSupported

boolean isVersionableApplicationSupported()

Returns true iff all the authorizers support the VersionableApplicationProvider SSPI.

createApplicationVersion

void createApplicationVersion(java.lang.String appIdentifier,
                              java.lang.String sourceAppIdentifier)
                       throws ApplicationVersionCreationException

Marks the creation of a new application version and is only called on one server within a WLS domain at the time the version is created.

Throws:

ApplicationVersionCreationException

deleteApplicationVersion

void deleteApplicationVersion(java.lang.String appIdentifier)
                       throws ApplicationVersionRemovalException

Marks the deletion of an application version and is only called on one server within a WLS domain at the time the version is deleted.

Throws:

ApplicationVersionRemovalException

deleteApplication

void deleteApplication(java.lang.String appName)
                throws ApplicationRemovalException

Marks the deletion of a non-versioned application and is only called on one server within a WLS domain at the time the application is deleted.

Throws:

ApplicationRemovalException

getAuthorizationPolicyHandler

AuthorizationPolicyHandler getAuthorizationPolicyHandler(java.lang.String name,
                                                         java.lang.String version,
                                                         java.lang.String timeStamp,
                                                         Resource[] resources)
                                                  throws ConsumptionException

Obtain a authorization policy handler for a policy set.

Throws:

ConsumptionException