wt.access
Class StandardAccessControlManager

java.lang.Object
  wt.services.StandardManager
      wt.access.StandardAccessControlManager

All Implemented Interfaces:

Serializable, AccessControlManager, wt.access.AccessControlManagerSvr, NetFactor, wt.services.Manager

public class StandardAccessControlManager
extends StandardManager
implements AccessControlManager, wt.access.AccessControlManagerSvr, Serializable

The StandardAccessControlManager provides the standard implementation of a manager for access control. In addition to containing implementations for the methods in the AccessControlManager interface, it contains methods for maintenance of the ACL cache and auxiliary methods for ACL creation and maintenance.

Use the newStandardAccessControlManager static factory method(s), not the StandardAccessControlManager constructor, to construct instances of this class. Instances must be constructed using the static factory(s), in order to ensure proper initialization of the instance.

Supported API: true

Extendable: false

See Also:

Serialized Form

Method Summary

boolean	checkAccess(Object object, AccessPermission permission) Determines whether the current principal has a given permission on a given object.
void	checkAccess(WTCollection objects, AccessPermission permission) Determines whether the current principal has a given permission on a collection of objects.
ObjectVectorIfc	filterObjects(ObjectVectorIfc objects, AccessPermission permission) Given a set of objects, this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.
QueryResult	filterObjects(QueryResult objects, AccessPermission permission) Given a set of objects (stored as a QueryResult), this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.
boolean	hasAccess(Object object, AccessPermission permission) Determines whether the current principal has the given access permission over the object passed as argument.
boolean	hasAccess(WTCollection objects, AccessPermission permission) Determines whether the current principal has the given access permission over the collection of objects passed as argument.
boolean	hasAccess(WTPrincipal user, Object object, AccessPermission permission) Determines whether the given principal has the given access permission over the object passed as argument.
boolean	hasAccess(WTPrincipal user, String type_id, AdminDomainRef domain_ref, State state, AccessPermission permission) Determines whether the given principal has the given access permission over a given type in a given domain and state.
boolean	hasAccess(WTPrincipal principal, WTCollection objects, AccessPermission permission) Determines whether the given principal has the given access permission over the collection of objects passed as argument.

Methods inherited from class wt.services.StandardManager

getManagerService, getManagerStatus, getName, getStartupType

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Method Detail

checkAccess

public boolean checkAccess(Object object,
                           AccessPermission permission)
                    throws WTException

Determines whether the current principal has a given permission on a given object. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled.

If the NotAuthorizedException thrown by this method is caught and does not result in a user's action failing due to the lack of access rights, auditing of the exception should be disabled.

Supported API: true

Specified by:

checkAccess in interface AccessControlManager

Parameters:

object - object for which permissions are to be evaluated

permission - access control permission

Returns:

boolean

Throws:

WTException

See Also:

AccessControlServerHelper.disableNotAuthorizedAudit(), AccessControlServerHelper.reenableNotAuthorizedAudit()

checkAccess

public void checkAccess(WTCollection objects,
                        AccessPermission permission)
                 throws WTException

Determines whether the current principal has a given permission on a collection of objects. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed.

If the NotAuthorizedException thrown by this method is caught and does not result in a user's action failing due to the lack of access rights, auditing of the exception should be disabled.

Supported API: true

Specified by:

checkAccess in interface AccessControlManager

Parameters:

objects - objects for which permissions are to be evaluated

permission - access control permission

Throws:

WTException

See Also:

AccessControlServerHelper.disableNotAuthorizedAudit(), AccessControlServerHelper.reenableNotAuthorizedAudit()

hasAccess

public boolean hasAccess(Object object,
                         AccessPermission permission)
                  throws WTException

Determines whether the current principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

object - object for which permissions are to be evaluated

permission - access control permission

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(WTCollection objects,
                         AccessPermission permission)
                  throws WTException

Determines whether the current principal has the given access permission over the collection of objects passed as argument. Returns true if this is the case, false otherwise.

If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

objects - objects for which permissions are to be evaluated

permission - access control permission

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(WTPrincipal user,
                         Object object,
                         AccessPermission permission)
                  throws WTException

Determines whether the given principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

user - principal whose access rights are to be evaluated

object - object for which permissions are to be evaluated

permission - access control permission

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(WTPrincipal principal,
                         WTCollection objects,
                         AccessPermission permission)
                  throws WTException

Determines whether the given principal has the given access permission over the collection of objects passed as argument. Returns true if this is the case, false otherwise.

If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

principal - principal whose access rights are to be evaluated

objects - objects for which permissions are to be evaluated

permission - access control permission

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(WTPrincipal user,
                         String type_id,
                         AdminDomainRef domain_ref,
                         State state,
                         AccessPermission permission)
                  throws WTException

Determines whether the given principal has the given access permission over a given type in a given domain and state. Returns true if this is the case, false otherwise. The access is evaluated only taking into account access policies. For a specific object this is only part of the answer as the object may be ad hoc controlled and have an ad hoc ACL that provides additional access rights.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

user - principal whose access rights are to be evaluated

type_id - persisted type identifier

domain_ref - reference to the domain for which policy rules are to be evaluated

state - lifecycle state

permission - access control permission

Returns:

boolean

Throws:

WTException

filterObjects

public ObjectVectorIfc filterObjects(ObjectVectorIfc objects,
                                     AccessPermission permission)
                              throws WTException

Given a set of objects, this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.

This method can be used to filter out objects for which the user has no read access after a query is performed.

Supported API: true

Specified by:

filterObjects in interface AccessControlManager

Parameters:

objects - set of objects

permission - access control permission

Returns:

ObjectVectorIfc

Throws:

WTException

filterObjects

public QueryResult filterObjects(QueryResult objects,
                                 AccessPermission permission)
                          throws WTException

Given a set of objects (stored as a QueryResult), this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.

This method can be used to filter out objects for which the user has no read access after a database query is performed.

Supported API: true

Specified by:

filterObjects in interface AccessControlManager

Parameters:

objects - set of objects

permission - access control permission

Returns:

QueryResult

Throws:

WTException