wt.access
Interface AccessControlManager

All Known Implementing Classes:
StandardAccessControlManager

public interface AccessControlManager

The AccessControlManager interface declares the signatures of the methods supported by managers of the access control package. These methods fall into three classes: (1) access control enforcement methods (checkAccess, for example); (2) specialized query methods; and (3) maintenance of access control rules and lists.

Supported API: true

Extendable: false


Method Summary
 boolean checkAccess(Object object, AccessPermission permission)
          Determines whether the current principal has a given permission on a given object.
 void checkAccess(WTCollection objects, AccessPermission permission)
          Determines whether the current principal has a given permission on a collection of objects.
 ObjectVectorIfc filterObjects(ObjectVectorIfc objects, AccessPermission permission)
          Given a set of objects, this method constructs and returns a new set containing only those objects on which the current principal is granted the given permission.
 QueryResult filterObjects(QueryResult objects, AccessPermission permission)
          Given a set of objects (stored as a QueryResult), this method constructs and returns a new set containing only those objects on which the current principal is granted the given permission.
 boolean hasAccess(Object object, AccessPermission permission)
          Determines whether the current principal has the given access permission over the object passed as argument.
 boolean hasAccess(WTCollection objects, AccessPermission permission)
          Determines whether the current principal has the given access permission over the collection of objects passed as argument.
 boolean hasAccess(WTPrincipal user, Object object, AccessPermission permission)
          Determines whether the given principal has the given access permission over the object passed as argument.
 boolean hasAccess(WTPrincipal user, String type_id, AdminDomainRef domain_ref, State state, AccessPermission permission)
          Determines whether the given principal has the given access permission over a given type in a given domain and state.
 boolean hasAccess(WTPrincipal principal, WTCollection objects, AccessPermission permission)
          Determines whether the given principal has the given access permission over the collection of objects passed as argument.
 

Method Detail

checkAccess

boolean checkAccess(Object object,
                    AccessPermission permission)
                    throws WTException
Determines whether the current principal has a given permission on a given object. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled.

If the NotAuthorizedException thrown by this method is caught and the user's action does not fail because of the missing access rights, auditing of the exception should be disabled.

Supported API: true

Parameters:
object - object for which permissions are to be evaluated
permission - access control permission
Returns:
boolean
Throws:
WTException
See Also:
AccessControlServerHelper.disableNotAuthorizedAudit(), AccessControlServerHelper.reenableNotAuthorizedAudit()

checkAccess

void checkAccess(WTCollection objects,
                 AccessPermission permission)
                 throws WTException
Determines whether the current principal has a given permission on a collection of objects. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed.

If the NotAuthorizedException thrown by this method is caught and the user's action does not fail because of the missing access rights, auditing of the exception should be disabled.

Supported API: true

Parameters:
objects - objects for which permissions are to be evaluated
permission - access control permission
Throws:
WTException
See Also:
AccessControlServerHelper.disableNotAuthorizedAudit(), AccessControlServerHelper.reenableNotAuthorizedAudit()

hasAccess

boolean hasAccess(Object object,
                  AccessPermission permission)
                  throws WTException
Determines whether the current principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled.

Supported API: true

Parameters:
object - object for which permissions are to be evaluated
permission - access control permission
Returns:
boolean
Throws:
WTException

hasAccess

boolean hasAccess(WTCollection objects,
                  AccessPermission permission)
                  throws WTException
Determines whether the current principal has the given access permission over the collection of objects passed as argument. Returns true if this is the case, false otherwise.

If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed.

Supported API: true

Parameters:
objects - objects for which permissions are to be evaluated
permission - access control permission
Returns:
boolean
Throws:
WTException

hasAccess

boolean hasAccess(WTPrincipal user,
                  Object object,
                  AccessPermission permission)
                  throws WTException
Determines whether the given principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled.

Supported API: true

Parameters:
user - principal whose access rights are to be evaluated
object - object for which permissions are to be evaluated
permission - access control permission
Returns:
boolean
Throws:
WTException

hasAccess

boolean hasAccess(WTPrincipal principal,
                  WTCollection objects,
                  AccessPermission permission)
                  throws WTException
Determines whether the given principal has the given access permission over the collection of objects passed as argument. Returns true if this is the case, false otherwise.

If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed.

Supported API: true

Parameters:
principal - principal whose access rights are to be evaluated
objects - objects for which permissions are to be evaluated
permission - access control permission
Returns:
boolean
Throws:
WTException

hasAccess

boolean hasAccess(WTPrincipal user,
                  String type_id,
                  AdminDomainRef domain_ref,
                  State state,
                  AccessPermission permission)
                  throws WTException
Determines whether the given principal has the given access permission over a given type in a given domain and state. Returns true if this is the case, false otherwise. Access is evaluated taking only access policies into account. For a specific object this is only part of the answer, because the object may be ad hoc controlled and have an ad hoc ACL that provides additional access rights.

Supported API: true

Parameters:
user - principal whose access rights are to be evaluated
type_id - persisted type identifier
domain_ref - reference to the domain for which policy rules are to be evaluated
state - lifecycle state
permission - access control permission
Returns:
boolean
Throws:
WTException

filterObjects

ObjectVectorIfc filterObjects(ObjectVectorIfc objects,
                              AccessPermission permission)
                              throws WTException
Given a set of objects, this method constructs and returns a new set containing only those objects on which the current principal is granted the given permission.

This method can be used to filter out objects for which the user has no read access after a query is performed.

Supported API: true

Parameters:
objects - set of objects
permission - access control permission
Returns:
ObjectVectorIfc
Throws:
WTException

filterObjects

QueryResult filterObjects(QueryResult objects,
                          AccessPermission permission)
                          throws WTException
Given a set of objects (stored as a QueryResult), this method constructs and returns a new set containing only those objects on which the current principal is granted the given permission.

This method can be used to filter out objects for which the user has no read access after a database query is performed.

Supported API: true

Parameters:
objects - set of objects
permission - access control permission
Returns:
QueryResult
Throws:
WTException
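
Usage sketch (an added example, not part of the original API documentation): it contrasts enforcement with checkAccess, a non-throwing probe with hasAccess, a caught denial with NOT_AUTHORIZED auditing disabled, and post-query filtering. The class and method names are hypothetical, the manager instance is passed in by the caller, and the import packages outside wt.access and the static no-argument form of the two AccessControlServerHelper calls are assumptions based on the See Also entries above.

```java
import wt.access.AccessControlManager;
import wt.access.AccessControlServerHelper;
import wt.access.AccessPermission;
import wt.access.NotAuthorizedException;
import wt.fc.QueryResult;      // assumed package
import wt.util.WTException;    // assumed package

// Hypothetical helper class; server-side code only.
public final class AccessCheckPatterns {

    // Enforcement: a denial must end the user's action, so the
    // NotAuthorizedException propagates and the audit event is kept.
    static void enforceModify(AccessControlManager acm, Object target)
            throws WTException {
        acm.checkAccess(target, AccessPermission.MODIFY);
        // ... perform the modification only after the check has passed ...
    }

    // Probe: the caller only adapts its behaviour (for example, hides a
    // menu entry). hasAccess returns false on denial instead of throwing.
    static boolean canRead(AccessControlManager acm, Object target)
            throws WTException {
        return acm.hasAccess(target, AccessPermission.READ);
    }

    // Caught denial: checkAccess is called, but a denial is handled and the
    // user's action does not fail, so auditing of the exception is disabled
    // around the call and re-enabled in finally on every path.
    static boolean checkWithoutAudit(AccessControlManager acm, Object target,
                                     AccessPermission permission)
            throws WTException {
        AccessControlServerHelper.disableNotAuthorizedAudit();
        try {
            acm.checkAccess(target, permission);
            return true;
        } catch (NotAuthorizedException denied) {
            return false; // handled denial, intentionally not audited
        } finally {
            AccessControlServerHelper.reenableNotAuthorizedAudit();
        }
    }

    // Post-query filtering: keep only the objects the current principal
    // may read before the result is returned to the caller.
    static QueryResult readableOnly(AccessControlManager acm, QueryResult raw)
            throws WTException {
        return acm.filterObjects(raw, AccessPermission.READ);
    }
}
```

For a decision about one specific object, use the object overloads shown here rather than the type/domain/state overload of hasAccess, which evaluates access policies only and does not see ad hoc ACLs.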