public class AuthzRealm extends AbstractAuthorizingRealm

AbstractAuthorizingRealm provides the ability to check permissions without making calls out to an external PDP. Permission objects are checked against each other to ensure that the subject permissions imply the resource permissions.

Fields inherited from class AbstractAuthorizingRealm: metacardExpansionServices, userExpansionServices
Constructor and Description |
---|
AuthzRealm(String dirPath, Parser parser) |
Modifier and Type | Method and Description |
---|---|
void | addPolicyExtension(PolicyExtension policyExtension) |
protected org.apache.shiro.authc.AuthenticationInfo | doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken token) |
org.apache.shiro.authz.AuthorizationInfo | getAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection principals) Returns an account's authorization-specific information for the specified principals, or null if no account could be found. |
protected Collection<org.apache.shiro.authz.Permission> | getPermissions(org.apache.shiro.authz.AuthorizationInfo authorizationInfo) Returns a collection of Permission objects that the AuthorizationInfo object of a Subject is asserting. |
boolean[] | isPermitted(org.apache.shiro.subject.PrincipalCollection subjectPrincipal, List<org.apache.shiro.authz.Permission> permissions) Checks if the corresponding Subject/user implies the given Permissions and returns a boolean array indicating which permissions are implied. |
boolean | isPermitted(org.apache.shiro.subject.PrincipalCollection subjectPrincipal, org.apache.shiro.authz.Permission permission) Returns true if the corresponding subject/user is permitted to perform an action or access a resource summarized by the specified permission. |
void | removePolicyExtension(PolicyExtension policyExtension) |
void | setEnvironmentAttributes(List<String> environmentAttributes) |
void | setMatchAllMappings(List<String> list) Sets the mappings used by the "match all" evaluation to determine if this user should be authorized to access requested data. |
void | setMatchOneMappings(List<String> list) Sets the mappings used by the "match one" evaluation to determine if this user should be authorized to access requested data. |
void | setPolicyExtensions(List<PolicyExtension> policyExtensions) Sets the list of policy extension objects. |
Methods inherited from class AbstractAuthorizingRealm: addMetacardExpansion, addMetacardExpansion, addUserExpansion, addUserExpansion, doGetAuthorizationInfo, expandPermissions, removeMetacardExpansion, removeUserExpansion

Methods inherited from class org.apache.shiro.realm.AuthorizingRealm: afterCacheManagerSet, checkPermission, checkPermission, checkPermission, checkPermissions, checkPermissions, checkPermissions, checkRole, checkRole, checkRoles, checkRoles, checkRoles, clearCachedAuthorizationInfo, doClearCache, getAuthorizationCache, getAuthorizationCacheKey, getAuthorizationCacheName, getPermissionResolver, getRolePermissionResolver, hasAllRoles, hasRole, hasRole, hasRoles, hasRoles, isAuthorizationCachingEnabled, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, isPermittedAll, onInit, setAuthorizationCache, setAuthorizationCacheName, setAuthorizationCachingEnabled, setName, setPermissionResolver, setRolePermissionResolver

Methods inherited from class org.apache.shiro.realm.AuthenticatingRealm: assertCredentialsMatch, clearCachedAuthenticationInfo, getAuthenticationCache, getAuthenticationCacheKey, getAuthenticationCacheKey, getAuthenticationCacheName, getAuthenticationInfo, getAuthenticationTokenClass, getCredentialsMatcher, init, isAuthenticationCachingEnabled, isAuthenticationCachingEnabled, setAuthenticationCache, setAuthenticationCacheName, setAuthenticationCachingEnabled, setAuthenticationTokenClass, setCredentialsMatcher, supports

Methods inherited from class org.apache.shiro.realm.CachingRealm: clearCache, getAvailablePrincipal, getCacheManager, getName, isCachingEnabled, onLogout, setCacheManager, setCachingEnabled
public AuthzRealm(String dirPath, Parser parser) throws PdpException

Throws:
PdpException
protected org.apache.shiro.authc.AuthenticationInfo doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken token) throws org.apache.shiro.authc.AuthenticationException

Specified by:
doGetAuthenticationInfo in class org.apache.shiro.realm.AuthenticatingRealm

Throws:
org.apache.shiro.authc.AuthenticationException
public org.apache.shiro.authz.AuthorizationInfo getAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection principals)

Returns an account's authorization-specific information for the specified principals, or null if no account could be found. The resulting AuthorizationInfo object is used by the other method implementations in this class to automatically perform access control checks for the corresponding Subject.

This implementation obtains the actual AuthorizationInfo object from the subclass's implementation of doGetAuthorizationInfo, and then caches it for efficient reuse if caching is enabled (see below).

Invocations of this method should be thought of as completely orthogonal to acquiring authenticationInfo, since either could occur in any order.

For example, in "Remember Me" scenarios, the user identity is remembered (and assumed) for their current session and an authentication attempt during that session might never occur. But because their identity would be remembered, that is sufficient information to call this method to execute any necessary authorization checks. For this reason, authentication and authorization should be loosely coupled and not depend on each other.

AuthorizationInfo values returned from this method are cached for efficient reuse if caching is enabled. Caching is enabled automatically when an authorizationCache instance has been explicitly configured, or if a cacheManager has been configured, which will be used to lazily create the authorizationCache as needed.

If caching is enabled, the authorization cache will be checked first and, if found, will return the cached AuthorizationInfo immediately. If caching is disabled, or there is a cache miss, the authorization info will be looked up from the underlying data store via the AbstractAuthorizingRealm.doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) method, which must be implemented by subclasses.

clearCachedAuthorizationInfo method. This ensures that the next call to getAuthorizationInfo(PrincipalCollection) will acquire the account's fresh authorization data, where it will then be cached for efficient reuse. This ensures that stale authorization data will not be reused.

Overrides:
getAuthorizationInfo in class org.apache.shiro.realm.AuthorizingRealm

Parameters:
principals - the corresponding Subject's identifying principals with which to look up the Subject's AuthorizationInfo.

Returns:
the account's authorization-specific information for the specified principals, or null if no account could be found.

public boolean isPermitted(org.apache.shiro.subject.PrincipalCollection subjectPrincipal, org.apache.shiro.authz.Permission permission)
Returns true if the corresponding subject/user is permitted to perform an action or access a resource summarized by the specified permission.

More specifically, this method determines if any Permissions associated with the subject imply the specified permission.

Specified by:
isPermitted in interface org.apache.shiro.authz.Authorizer

Overrides:
isPermitted in class org.apache.shiro.realm.AuthorizingRealm

Parameters:
subjectPrincipal - the application-specific subject/user identifier.
permission - the permission that is being checked.

public boolean[] isPermitted(org.apache.shiro.subject.PrincipalCollection subjectPrincipal, List<org.apache.shiro.authz.Permission> permissions)
Checks if the corresponding Subject/user implies the given Permissions and returns a boolean array indicating which permissions are implied.

More specifically, this method should determine if each Permission in the array is implied by permissions already associated with the subject.

This is primarily a performance-enhancing method to help reduce the number of isPermitted(org.apache.shiro.subject.PrincipalCollection, org.apache.shiro.authz.Permission) invocations over the wire in client/server systems.

Specified by:
isPermitted in interface org.apache.shiro.authz.Authorizer

Overrides:
isPermitted in class org.apache.shiro.realm.AuthorizingRealm

Parameters:
subjectPrincipal - the application-specific subject/user identifier.
permissions - the permissions that are being checked.

protected Collection<org.apache.shiro.authz.Permission> getPermissions(org.apache.shiro.authz.AuthorizationInfo authorizationInfo)
Returns a collection of Permission objects that the AuthorizationInfo object of a Subject is asserting.

Overrides:
getPermissions in class org.apache.shiro.realm.AuthorizingRealm

Parameters:
authorizationInfo - the application-specific subject/user identifier.

public void setPolicyExtensions(List<PolicyExtension> policyExtensions)
Parameters:
policyExtensions -

public void addPolicyExtension(PolicyExtension policyExtension)

public void removePolicyExtension(PolicyExtension policyExtension)
public void setMatchAllMappings(List<String> list)

Sets the mappings used by the "match all" evaluation to determine if this user should be authorized to access requested data. Each string is of the format subjectAttrName=metacardAttrName, where metacardAttrName is the name of an attribute in the metacard and subjectAttrName is the name of the corresponding attribute in the user credentials. It is the values corresponding to each of these attributes that are evaluated against each other when determining whether authorization should be allowed.

Parameters:
list - List of Strings that define mappings between metadata attributes and user attributes

public void setMatchOneMappings(List<String> list)
Sets the mappings used by the "match one" evaluation to determine if this user should be authorized to access requested data. Each string is of the format subjectAttrName=metacardAttrName, where metacardAttrName is the name of an attribute in the metacard and subjectAttrName is the name of the corresponding attribute in the user credentials. It is the values corresponding to each of these attributes that are evaluated against each other when determining whether authorization should be allowed.

Parameters:
list - List of Strings that define mappings between metadata attributes and user attributes

This work is licensed under a Creative Commons Attribution 4.0 International License.
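The two mapping setters above share one string format and differ only in how the mapped values are compared. The following stand-alone Java class is an added example, not code from AuthzRealm or its project: it parses subjectAttrName=metacardAttrName strings and evaluates them under the assumption that "match all" requires the subject to hold every value of the metacard attribute while "match one" requires at least one; the attribute names and values in main are constructed for the demonstration.

```java
import java.util.*;

// Stand-alone evaluator for "match all" / "match one" mapping strings (constructed example).
// ASSUMPTION: match all = the subject must hold every value of the metacard attribute; match one =
// at least one. An absent metacard attribute imposes no constraint; an absent subject attribute fails.
public class MappingEvaluator {
    private final Map<String, String> matchAll = new LinkedHashMap<>();
    private final Map<String, String> matchOne = new LinkedHashMap<>();

    // Parses "subjectAttrName=metacardAttrName"; malformed entries are rejected rather than skipped,
    // so a typo in the configuration cannot silently drop an access rule.
    static Map<String, String> parse(List<String> mappings) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String m : mappings) {
            String[] parts = m.split("=", -1);
            if (parts.length != 2 || parts[0].isBlank() || parts[1].isBlank()) {
                throw new IllegalArgumentException("bad mapping: " + m);
            }
            out.put(parts[0].trim(), parts[1].trim());
        }
        return out;
    }
    public void setMatchAllMappings(List<String> list) { matchAll.clear(); matchAll.putAll(parse(list)); }
    public void setMatchOneMappings(List<String> list) { matchOne.clear(); matchOne.putAll(parse(list)); }

    // The values behind each mapped pair of attributes are evaluated against each other.
    public boolean isPermitted(Map<String, Set<String>> subject, Map<String, Set<String>> metacard) {
        return check(matchAll, subject, metacard, true) && check(matchOne, subject, metacard, false);
    }
    private static boolean check(Map<String, String> mappings, Map<String, Set<String>> subject,
                                 Map<String, Set<String>> metacard, boolean needAll) {
        for (Map.Entry<String, String> e : mappings.entrySet()) {
            Set<String> required = metacard.get(e.getValue());
            if (required == null || required.isEmpty()) continue;
            Set<String> held = subject.getOrDefault(e.getKey(), Set.of());
            if (needAll ? !held.containsAll(required) : Collections.disjoint(held, required)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        MappingEvaluator realm = new MappingEvaluator();
        realm.setMatchAllMappings(List.of("clearance=classification"));   // constructed attribute names
        realm.setMatchOneMappings(List.of("groups=accessGroups"));
        Map<String, Set<String>> user = Map.of("clearance", Set.of("S"), "groups", Set.of("analysts"));
        System.out.println(realm.isPermitted(user, Map.of("classification", Set.of("S"),
                "accessGroups", Set.of("analysts", "admins"))));   // user holds S and belongs to analysts
        System.out.println(realm.isPermitted(user, Map.of("classification", Set.of("S", "TS"))));
    }   // second check: match all would require the user to hold both S and TS
}
```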