IBM WebSphere Application Server™
Release 7

com.ibm.wsspi.container.security
Interface AccessManager


public interface AccessManager

The AccessManager provides application security role functions.


Method Summary
 void checkAccess(java.lang.String appName, java.lang.String resourceName, java.lang.String methodName, java.lang.String resourceType, java.lang.String[] rolesAllowed, boolean isDenyAll, boolean isPermitAll, javax.security.auth.Subject subject)
          The checkAccess method determines if a given subject has access to any of a given set of roles within the context of a given application.
 void popApplicationContext(java.lang.String appName)
          The popApplicationContext method signals a return of control from the specified application.
 boolean pushApplicationContext(java.lang.String appName)
          The pushApplicationContext method signals a flow of control into the specified application.
 java.lang.Object runAs(java.lang.String appName, java.lang.String resourceName, java.lang.String methodName, java.lang.String runAsRole, java.security.PrivilegedExceptionAction action)
          The runAs method performs the given PrivilegedExceptionAction with the Java thread identity set to the user associated with a given runAs role.
 

Method Detail

pushApplicationContext

boolean pushApplicationContext(java.lang.String appName)
The pushApplicationContext method signals a flow of control into the specified application. This provides context for security-related processing on the current thread of execution. A subsequent call to popApplicationContext is required when the application returns control.

Parameters:
appName - name of the application
Returns:
true if the push was completed

popApplicationContext

void popApplicationContext(java.lang.String appName)
The popApplicationContext method signals a return of control from the specified application. This provides context for security-related processing on the current thread of execution.

Parameters:
appName - name of the application
Throws:
java.lang.IllegalArgumentException - if the application name does not match the one used on the preceding pushApplicationContext call
EmptyStackException - if there is no active application context on the thread

checkAccess

void checkAccess(java.lang.String appName,
                 java.lang.String resourceName,
                 java.lang.String methodName,
                 java.lang.String resourceType,
                 java.lang.String[] rolesAllowed,
                 boolean isDenyAll,
                 boolean isPermitAll,
                 javax.security.auth.Subject subject)
                 throws AccessException
The checkAccess method determines if a given subject has access to any of a given set of roles within the context of a given application. The caller passes an array of role names to be checked (rolesAllowed). These roles must be a subset of the roles defined in the named application. The caller can also pass flags indicating to deny or permit access to all users (isDenyAll, isPermitAll). If either flag is true, rolesAllowed is ignored and the flags are used to determine access. If both flags are true, then isDenyAll takes precedence. The resourceName, methodName, and resourceType arguments are used when auditing is active to audit the check that was performed and its outcome.

Parameters:
appName - name of the application
resourceName - name of the target object, for example a bean name
methodName - name of the method invoked on the target object
resourceType - identifier that describes the type of resource
rolesAllowed - array of role names to be checked for permission
isDenyAll - indicates whether to always deny access
isPermitAll - indicates whether to always permit access
subject - holds the credentials of the principal to be verified
Throws:
AccessException - thrown if access is denied

runAs

java.lang.Object runAs(java.lang.String appName,
                       java.lang.String resourceName,
                       java.lang.String methodName,
                       java.lang.String runAsRole,
                       java.security.PrivilegedExceptionAction action)
                       throws java.security.PrivilegedActionException,
                              DelegationException
The runAs method performs the given PrivilegedExceptionAction with the Java thread identity set to the user associated with a given runAs role. The caller passes an application name and a role name. The role name must be defined as a runAs role in the application. The resourceName and methodName arguments are used when auditing is active to audit the use of the runAs role.

Parameters:
appName - name of the application
resourceName - name of the target object, for example a bean name
methodName - name of the method invoked on the target object
runAsRole - name of the RunAs role
action - the action to perform
Returns:
the value returned by the action's run method
Throws:
java.security.PrivilegedActionException - if the action's run method threw a checked exception
DelegationException - if there is an error setting the thread identity from the runAs role
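As an added example, not from the IBM documentation, the following container-side helper shows the push/checkAccess/pop discipline the methods above require (the pop in a finally block so the thread's context stack stays balanced when access is denied) together with the runAs delegation path. It assumes AccessException and DelegationException live in the same com.ibm.wsspi.container.security package, that the AccessManager instance is obtained from the container elsewhere, and uses a made-up resourceType label.

```java
import com.ibm.wsspi.container.security.AccessException;
import com.ibm.wsspi.container.security.AccessManager;
import com.ibm.wsspi.container.security.DelegationException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;

/** Container-side helper that guards one bean method invocation with the AccessManager SPI. */
public final class GuardedInvoker {
    private static final String RESOURCE_TYPE = "bean"; // constructed label, used only in audit records
    private final AccessManager accessManager;          // supplied by the container; how is out of scope here

    public GuardedInvoker(AccessManager accessManager) {
        this.accessManager = accessManager;
    }

    // rolesAllowed, denyAll and permitAll mirror the target bean's security constraints;
    // runAsRole may be null when no delegation applies. Returns the action's result.
    public Object invoke(String appName, String beanName, String methodName,
                         String[] rolesAllowed, boolean denyAll, boolean permitAll,
                         Subject caller, String runAsRole,
                         PrivilegedExceptionAction<Object> action)
            throws AccessException, DelegationException, PrivilegedActionException {
        // Establish the application context first; every successful push must be balanced
        // by a pop on this thread, even when the check fails, or a later pop will throw.
        if (!accessManager.pushApplicationContext(appName)) {
            throw new IllegalStateException("no security context for application " + appName);
        }
        try {
            // Throws AccessException unless the subject holds one of rolesAllowed.
            // If denyAll or permitAll is set, rolesAllowed is ignored; denyAll takes precedence.
            accessManager.checkAccess(appName, beanName, methodName, RESOURCE_TYPE,
                                      rolesAllowed, denyAll, permitAll, caller);
            if (runAsRole != null) {
                // Delegation: the action runs as the user mapped to the bean's RunAs role.
                return accessManager.runAs(appName, beanName, methodName, runAsRole, action);
            }
            try {
                return action.run(); // runs with the caller's own identity
            } catch (RuntimeException e) {
                throw e;
            } catch (Exception e) {
                throw new PrivilegedActionException(e); // same contract as runAs for checked exceptions
            }
        } finally {
            accessManager.popApplicationContext(appName); // must match the preceding push
        }
    }
}
```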
