Interface AuthorizationManager
-
- All Superinterfaces:
Initializable
- All Known Implementing Classes:
DefaultAuthorizationManager
public interface AuthorizationManager extends Initializable
Manages all access control and authorization; determines what authenticated users are allowed to do.
Privileges in JSPWiki are expressed as Java-standard
Permission
classes. There are two types of permissions:WikiPermission
- privileges that apply to an entire wiki instance: e.g., editing user profiles, creating pages, creating groupsPagePermission
- privileges that apply to a single wiki page or range of pages: e.g., reading, editing, renaming
Calling classes determine whether they are entitled to perform a particular action by constructing the appropriate permission first, then passing it and the current
Session
to thecheckPermission(Session, Permission)
method. If the session's Subject possesses the permission, the action is allowed.For WikiPermissions, the decision criteria is relatively simple: the caller either possesses the permission, as granted by the wiki security policy -- or not.
For PagePermissions, the logic is exactly the same if the page being checked does not have an access control list. However, if the page does have an ACL, the authorization decision is made based the union of the permissions granted in the ACL and in the security policy. In other words, the user must be named in the ACL (or belong to a group or role that is named in the ACL) and be granted (at least) the same permission in the security policy. We do this to prevent a user from gaining more permissions than they already have, based on the security policy.
See the implementation on
checkPermission(Session, Permission)
method for more information on the authorization logic.- Since:
- 2.3
- See Also:
AuthenticationManager
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
DEFAULT_AUTHORIZER
The default external Authorizer is theWebContainerAuthorizer
static java.lang.String
DEFAULT_POLICY
Name of the default security policy file, in WEB-INF.static java.lang.String
POLICY
Property that supplies the security policy file name, in WEB-INF.static java.lang.String
PROP_AUTHORIZER
The property name in jspwiki.properties for specifying the externalAuthorizer
.
-
Method Summary
All Methods Instance Methods Abstract Methods Default Methods Modifier and Type Method Description void
addWikiEventListener(WikiEventListener listener)
Registers a WikiEventListener with this instance.boolean
allowedByLocalPolicy(java.security.Principal[] principals, java.security.Permission permission)
Checks to see if the local security policy allows a particular static Permission.boolean
checkPermission(Session session, java.security.Permission permission)
Returnstrue
orfalse
, depending on whether a Permission is allowed for the Subject associated with a supplied Session.boolean
checkStaticPermission(Session session, java.security.Permission permission)
Determines whether a Subject possesses a given "static" Permission as defined in the security policy file.default void
fireEvent(int type, java.security.Principal user, java.lang.Object permission)
Fires a WikiSecurityEvent of the provided type, user, and permission to all registered listeners.Authorizer
getAuthorizer()
Returns the current externalAuthorizer
in use.default boolean
hasAccess(Context context, javax.servlet.http.HttpServletResponse response)
Checks whether the current user has access to the wiki context, by obtaining the required Permission (Command.requiredPermission()
) and delegating the access check tocheckPermission(Session, Permission)
.boolean
hasAccess(Context context, javax.servlet.http.HttpServletResponse response, boolean redirect)
Checks whether the current user has access to the wiki context (and optionally redirects if not), by obtaining the required Permission (Command.requiredPermission()
) and delegating the access check tocheckPermission(Session, Permission)
.boolean
hasRoleOrPrincipal(Session session, java.security.Principal principal)
Determines if the Subject associated with a supplied Session contains a desired user Principal or built-in Role principal, OR is a member a Group or external Role.default boolean
isUserInRole(Session session, java.security.Principal principal)
Determines if the Subject associated with a supplied Session contains a desired Role or GroupPrincipal.void
removeWikiEventListener(WikiEventListener listener)
Un-registers a WikiEventListener with this instance.java.security.Principal
resolvePrincipal(java.lang.String name)
Given a supplied string representing a Principal's name from an Acl, this method resolves the correct type of Principal (role, group, or user).-
Methods inherited from interface org.apache.wiki.api.engine.Initializable
initialize
-
-
-
-
Field Detail
-
DEFAULT_AUTHORIZER
static final java.lang.String DEFAULT_AUTHORIZER
The default external Authorizer is theWebContainerAuthorizer
- See Also:
- Constant Field Values
-
POLICY
static final java.lang.String POLICY
Property that supplies the security policy file name, in WEB-INF.- See Also:
- Constant Field Values
-
DEFAULT_POLICY
static final java.lang.String DEFAULT_POLICY
Name of the default security policy file, in WEB-INF.- See Also:
- Constant Field Values
-
PROP_AUTHORIZER
static final java.lang.String PROP_AUTHORIZER
The property name in jspwiki.properties for specifying the externalAuthorizer
.- See Also:
- Constant Field Values
-
-
Method Detail
-
checkPermission
boolean checkPermission(Session session, java.security.Permission permission)
Returnstrue
orfalse
, depending on whether a Permission is allowed for the Subject associated with a supplied Session. The access control algorithm works this way:- The
Acl
for the page is obtained - The Subject associated with the current
Session
is obtained - If the Subject's Principal set includes the Role Principal that is the administrator group, always allow the Permission
- For all permissions, check to see if the Permission is allowed according to the default security policy. If it isn't, deny the permission and halt further processing.
- If there is an Acl, get the list of Principals assigned this Permission in the Acl: these will be role, group or user Principals,
or
UnresolvedPrincipal
s (see below). Then iterate through the Subject's Principal set and determine whether the user (Subject) possesses any one of these specified Roles or Principals.
Note that when iterating through the Acl's list of authorized Principals, it is possible that one or more of the Acl's Principal entries are of type
UnresolvedPrincipal
. This means that the last time the ACL was read, the Principal (user, built-in Role, authorizer Role, or wiki Group) could not be resolved: the Role was not valid, the user wasn't found in the UserDatabase, or the Group wasn't known to (e.g., cached) in the GroupManager. If anUnresolvedPrincipal
is encountered, this method will attempt to resolve it first before checking to see if the Subject possesses this principal, by callingresolvePrincipal(String)
. If the (re-)resolution does not succeed, the access check for the principal will fail by definition (the Subject should never contain UnresolvedPrincipals).If security not set to JAAS, will return true.
- Parameters:
session
- the current wiki sessionpermission
- the Permission being checked- Returns:
- the result of the Permission check
- The
-
isUserInRole
default boolean isUserInRole(Session session, java.security.Principal principal)
Determines if the Subject associated with a supplied Session contains a desired Role or GroupPrincipal. The algorithm simply checks to see if the Subject possesses the Role or GroupPrincipal it in its Principal set. Note that any user (anonymous, asserted, authenticated) can possess a built-in role. But a user must be authenticated to possess a role other than one of the built-in ones. We do this to prevent privilege escalation.
For all other cases, this method returns
false
.Note that this method does not consult the external Authorizer or GroupManager; it relies on the Principals that have been injected into the user's Subject at login time, or after group creation/modification/deletion.
- Parameters:
session
- the current wiki session, which must be non-null. If null, the result of this method always returnsfalse
principal
- the Principal (role or group principal) to look for, which must be non-null
. Ifnull
, the result of this method always returnsfalse
- Returns:
true
if the Subject supplied with the WikiContext posesses the Role or GroupPrincipal,false
otherwise
-
getAuthorizer
Authorizer getAuthorizer() throws WikiSecurityException
Returns the current externalAuthorizer
in use. This method is guaranteed to return a properly-initialized Authorizer, unless it could not be initialized. In that case, this method throws aWikiSecurityException
.- Returns:
- the current Authorizer
- Throws:
WikiSecurityException
- if the Authorizer could not be initialized
-
hasRoleOrPrincipal
boolean hasRoleOrPrincipal(Session session, java.security.Principal principal)
Determines if the Subject associated with a supplied Session contains a desired user Principal or built-in Role principal, OR is a member a Group or external Role. The rules are as follows:
- First, if desired Principal is a Role or GroupPrincipal, delegate to
isUserInRole(Session, Principal)
and return the result. - Otherwise, we're looking for a user Principal, so iterate through the Principal set and see if any share the same name as the one we are looking for.
Note: if the Principal parameter is a user principal, the session must be authenticated in order for the user to "possess it". Anonymous or asserted sessions will never posseess a named user principal.
- Parameters:
session
- the current wiki session, which must be non-null. If null, the result of this method always returnsfalse
principal
- the Principal (role, group, or user principal) to look for, which must be non-null. If null, the result of this method always returnsfalse
- Returns:
true
if the Subject supplied with the WikiContext posesses the Role, GroupPrincipal or desired user Principal,false
otherwise
- First, if desired Principal is a Role or GroupPrincipal, delegate to
-
hasAccess
default boolean hasAccess(Context context, javax.servlet.http.HttpServletResponse response) throws java.io.IOException
Checks whether the current user has access to the wiki context, by obtaining the required Permission (Command.requiredPermission()
) and delegating the access check tocheckPermission(Session, Permission)
. If the user is allowed, this method returnstrue
;false
otherwise. If access is allowed, the wiki context will be added to the request as an attribute with the key nameContext.ATTR_CONTEXT
. Note that this method will automatically redirect the user to a login or error page, as appropriate, if access fails. This is NOT guaranteed to be default behavior in the future.- Parameters:
context
- wiki context to check if it is accesibleresponse
- the http response- Returns:
- the result of the access check
- Throws:
java.io.IOException
- In case something goes wrong
-
hasAccess
boolean hasAccess(Context context, javax.servlet.http.HttpServletResponse response, boolean redirect) throws java.io.IOException
Checks whether the current user has access to the wiki context (and optionally redirects if not), by obtaining the required Permission (Command.requiredPermission()
) and delegating the access check tocheckPermission(Session, Permission)
. If the user is allowed, this method returnstrue
;false
otherwise. Also, the wiki context will be added to the request as attribute with the key nameContext.ATTR_CONTEXT
.- Parameters:
context
- wiki context to check if it is accesibleresponse
- The servlet response objectredirect
- If true, makes an automatic redirect to the response- Returns:
- the result of the access check
- Throws:
java.io.IOException
- If something goes wrong
-
allowedByLocalPolicy
boolean allowedByLocalPolicy(java.security.Principal[] principals, java.security.Permission permission)
Checks to see if the local security policy allows a particular static Permission. Do not use this method for normal permission checks; usecheckPermission(Session, Permission)
instead.- Parameters:
principals
- the Principals to checkpermission
- the Permission- Returns:
- the result
-
checkStaticPermission
boolean checkStaticPermission(Session session, java.security.Permission permission)
Determines whether a Subject possesses a given "static" Permission as defined in the security policy file. This method uses standard Java 2 security calls to do its work. Note that the current access control context'scodeBase
is effectively this class, not that of the caller. Therefore, this method will work best when what matters in the policy is who makes the permission check, not what the caller's code source is. Internally, this method works by executingSubject.doAsPrivileged
with a privileged action that simply callsAccessController.checkPermission(Permission)
.- Parameters:
session
- the Session whose permission status is being queriedpermission
- the Permission the Subject must possess- Returns:
true
if the Subject possesses the permission,false
otherwise- See Also:
. A caught exception (or lack thereof) determines whether the privilege is absent (or present).
-
resolvePrincipal
java.security.Principal resolvePrincipal(java.lang.String name)
Given a supplied string representing a Principal's name from an Acl, this method resolves the correct type of Principal (role, group, or user). This method is guaranteed to always return a Principal. The algorithm is straightforward:
- If the name matches one of the built-in
Role
names, return that built-in Role - If the name matches one supplied by the current
Authorizer
, return that Role - If the name matches a group managed by the current
GroupManager
, return that Group - Otherwise, assume that the name represents a user principal. Using the current
UserDatabase
, find the first user who matches the supplied name by callingUserDatabase.find(String)
. - Finally, if a user cannot be found, manufacture and return a generic
UnresolvedPrincipal
- Parameters:
name
- the name of the Principal to resolve- Returns:
- the fully-resolved Principal
- If the name matches one of the built-in
-
addWikiEventListener
void addWikiEventListener(WikiEventListener listener)
Registers a WikiEventListener with this instance.- Parameters:
listener
- the event listener
-
removeWikiEventListener
void removeWikiEventListener(WikiEventListener listener)
Un-registers a WikiEventListener with this instance.- Parameters:
listener
- the event listener
-
fireEvent
default void fireEvent(int type, java.security.Principal user, java.lang.Object permission)
Fires a WikiSecurityEvent of the provided type, user, and permission to all registered listeners.- Parameters:
type
- the event type to be fireduser
- the user associated with the eventpermission
- the permission the subject must possess- See Also:
WikiSecurityEvent
-
-