com.ibm.wsspi.container.security
Interface AccessManager
- public interface AccessManager
Method Summary
Modifier and Type | Method and Description |
---|---|
void | checkAccess(java.lang.String appName, java.lang.String resourceName, java.lang.String methodName, java.lang.String resourceType, java.lang.String[] rolesAllowed, boolean isDenyAll, boolean isPermitAll, javax.security.auth.Subject subject) The checkAccess method determines if a given subject has access to any of a given set of roles within the context of a given application. |
void | popApplicationContext(java.lang.String appName) The popApplicationContext method signals a return of control from the specified application. |
boolean | pushApplicationContext(java.lang.String appName) The pushApplicationContext method signals a flow of control into the specified application. |
java.lang.Object | runAs(java.lang.String appName, java.lang.String resourceName, java.lang.String methodName, java.lang.String runAsRole, java.security.PrivilegedExceptionAction action) The runAs method performs the given PrivilegedExceptionAction with the Java thread identity set to the user associated with a given runAs role. |
Method Detail
pushApplicationContext
- boolean pushApplicationContext( java.lang.String appName)
The pushApplicationContext method signals a flow of control into the
specified application. This provides context for security-related processing
on the current thread of execution. A subsequent call to popApplicationContext
is required when the application returns control.
Parameters:
appName - name of the application
Returns:
boolean true if push was completed
popApplicationContext
- void popApplicationContext(java.lang.String appName)
The popApplicationContext method signals a return of control from the
specified application. This provides context for security-related processing
on the current thread of execution.
Parameters:
appName - name of the application
Throws:
java.lang.IllegalArgumentException - if the application name does not match the one used on the preceding pushApplicationContext call
EmptyStackException - if there is no active application context on the thread
checkAccess
- void checkAccess(java.lang.String appName, java.lang.String resourceName, java.lang.String methodName, java.lang.String resourceType, java.lang.String[] rolesAllowed, boolean isDenyAll, boolean isPermitAll, javax.security.auth.Subject subject) throws AccessException
The checkAccess method determines if a given subject has access to any of
a given set of roles within the context of a given application.
The caller passes an array of role names to be checked (rolesAllowed).
These roles must be a subset of the roles defined in the named application.
The caller also can pass flags indicating to deny or permit access to all
users (isDenyAll, isPermitAll). If either flag is true, rolesAllowed is
ignored and the flags are used to determine access. If both flags are
true, then isDenyAll takes precedence.
The resourceName, methodName, and resourceType arguments are used when
auditing is active to audit the check that was performed and its outcome.
Parameters:
appName - name of the application
resourceName - name of the target object, for example a bean name
methodName - name of the method invoked on the target object
resourceType - identifier that describes the type of resource
rolesAllowed - array of role names to be checked for permission
isDenyAll - indicates whether to always deny access
isPermitAll - indicates whether to always permit access
subject - holds the credentials of the principal to be verified
Throws:
AccessException - Thrown if access is denied
runAs
- java.lang.Object runAs(java.lang.String appName, java.lang.String resourceName, java.lang.String methodName, java.lang.String runAsRole, java.security.PrivilegedExceptionAction action) throws java.security.PrivilegedActionException, DelegationException
The runAs method performs the given PrivilegedExceptionAction with the
Java thread identity set to the user associated with a given runAs role.
The caller passes an application name and a role name. The role name
must be defined as a runAs role in the application.
The resourceName and methodName arguments are used when auditing is
active to audit the use of the runAs role.
Parameters:
appName - name of the application
resourceName - name of the target object, for example a bean name
methodName - name of the method invoked on the target object
runAsRole - name of RunAs role
action - the action to perform
Returns:
the value returned by the action's run method
Throws:
java.security.PrivilegedActionException - if the action's run method threw a checked exception
DelegationException - if there is an error setting the thread identity from the runAs role
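The documented contract for pushApplicationContext/popApplicationContext pairing and for the checkAccess flag precedence (isDenyAll over isPermitAll over rolesAllowed), modeled as an added Java example. It is not IBM's implementation and not part of the original page; ModelAccessManager, the stand-in AccessException, the principal-to-role map and every sample name and argument value are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// In-memory model of the documented contract; not the product's code.
public class AccessManagerContractDemo {
    // Stand-in for the AccessException named on the page (assumption).
    static class AccessException extends Exception { AccessException(String m) { super(m); } }

    static class ModelAccessManager {
        // One application-context stack per thread, as the contract is per thread of execution.
        private final ThreadLocal<Deque<String>> apps = ThreadLocal.withInitial(ArrayDeque::new);
        private final Map<String, Set<String>> rolesByPrincipal; // assumed role source
        ModelAccessManager(Map<String, Set<String>> rolesByPrincipal) { this.rolesByPrincipal = rolesByPrincipal; }

        boolean pushApplicationContext(String appName) { apps.get().push(appName); return true; }

        void popApplicationContext(String appName) {
            Deque<String> stack = apps.get();
            if (stack.isEmpty()) throw new EmptyStackException();   // no active context on this thread
            if (!stack.peek().equals(appName))                      // must match the preceding push
                throw new IllegalArgumentException("expected " + stack.peek() + ", got " + appName);
            stack.pop();
        }

        void checkAccess(String appName, String resourceName, String methodName, String resourceType,
                String[] rolesAllowed, boolean isDenyAll, boolean isPermitAll, Subject subject)
                throws AccessException {
            if (isDenyAll) throw new AccessException("denyAll on " + resourceName + "." + methodName);
            if (isPermitAll) return;                                // rolesAllowed is ignored
            for (Principal p : subject.getPrincipals())
                for (String role : rolesAllowed)
                    if (rolesByPrincipal.getOrDefault(p.getName(), Set.of()).contains(role)) return;
            throw new AccessException("no allowed role for " + resourceName + "." + methodName);
        }
    }

    public static void main(String[] args) {
        ModelAccessManager am = new ModelAccessManager(Map.of("alice", Set.of("teller")));
        Subject alice = new Subject();
        alice.getPrincipals().add(() -> "alice");                   // constructed principal
        am.pushApplicationContext("BankApp");
        try {
            am.checkAccess("BankApp", "AccountBean", "withdraw", "ejb", new String[] {"teller"}, false, false, alice);
            System.out.println("role check: permitted");
            am.checkAccess("BankApp", "AccountBean", "withdraw", "ejb", new String[] {"teller"}, true, true, alice);
        } catch (AccessException e) {
            System.out.println("both flags set: denied (" + e.getMessage() + ")");
        } finally {
            am.popApplicationContext("BankApp");                    // always pair push with pop
        }
    }
}
```

Placing the pop in a finally block keeps the thread's application context balanced even when checkAccess denies access.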