com.neurosys.security.auth.service

Class AuthorizationService

java.lang.Object

com.neurosys.security.auth.service.AuthorizationService

All Implemented Interfaces:

IAuthorizationService, Serializable

public class AuthorizationService
extends Object
implements IAuthorizationService, Serializable

Default implementation for IAuthorizationService.
[1] Conflict Resolution : In case of multiple Auth outcomes, be Non-Tursting. DENY > DISABLE > ALLOW
[2] Conflict Resolution Exception : If a Authorizable component has multiple Authorizations; then it will check if the User is able to satisfy any of them.

Author:

Arjun Dhar

See Also:

Serialized Form

Nested Class Summary

Nested classes/interfaces inherited from interface com.neurosys.security.auth.service.IAuthorizationService

IAuthorizationService.AuthState

Constructor Summary

Constructors

Constructor and Description
AuthorizationService()

Method Summary

Modifier and Type	Method and Description
protected IAuthorizationService.AuthState	eval(IAuthorizationService.AuthState currentAuthState, Authorization reqAuth, Authorization userAuth) Evaluate Authorizations to determine the final outcome as an AuthState Note that while evaluation Role are an extension of Authorization.
Comparator<Authorization>	getAuthComparator()
Collection<Authorization>	getAuthorizationsForUser(String authorizableId, User user) Get the Authorizations granted to a user.
List<Authorization>	getInOrderOfRestriction(Collection<Authorization> userAuthsForFeature, boolean leastRestrictiveToMost) When confronted with multiple Authorizations return a new List of Authorization. Max weight, i.e.
Authorization	getLeastRestrictive(Collection<Authorization> userAuthsForFeature) When confronted with multiple Authorizations return the least restrictive Authorization
Authorization	getMostRestrictive(Collection<Authorization> userAuthsForFeature) When confronted with multiple Authorizations return the most restrictive Authorization
RoleService	getRoleService() RoleService
IAuthorizationService.AuthState	isAuthorized(Authorization reqAuth, Collection<Authorization> userAuthsForFeature) featureRequiredAuth is the Minimum required Authorization from the Collection of user auths
IAuthorizationService.AuthState	isAuthorized(Collection<Authorization> featureRequiredAuths, Collection<Authorization> userAuthsForFeature) Check if userAuthsForFeature satisfies any one of the featureRequiredAuths
protected boolean	isEqual(Authorization a1, Authorization a2) Authorization.equals(Object) is not expected to be commutative.
void	setAuthComparator(Comparator<Authorization> authComparator)
void	setRoleService(RoleService roleService)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AuthorizationService

public AuthorizationService()

Method Detail

isEqual

protected boolean isEqual(Authorization a1,
                          Authorization a2)

Authorization.equals(Object) is not expected to be commutative. i.e. (a1 equals a2) may not imply (a2 equals a1) hence we must provide a equals function that ensures Two Authorizations are truly equal.

Two nulls are also not considered equal; this is to prevent any security creeps where 2 nulls may exist causing a faulty match.

Parameters:

a1 - as Authorization

a2 - as Authorization

Returns:

boolean

eval

protected IAuthorizationService.AuthState eval(IAuthorizationService.AuthState currentAuthState,
                                               Authorization reqAuth,
                                               Authorization userAuth)
                                        throws Continue

Evaluate Authorizations to determine the final outcome as an AuthState
Note that while evaluation Role are an extension of Authorization.

Throws:

Continue

isAuthorized

public IAuthorizationService.AuthState isAuthorized(Collection<Authorization> featureRequiredAuths,
                                                    Collection<Authorization> userAuthsForFeature)

Check if userAuthsForFeature satisfies any one of the featureRequiredAuths

Specified by:

isAuthorized in interface IAuthorizationService

Parameters:

featureRequiredAuths - as Collection of Authorization @nullable true

userAuthsForFeature - as Collection of Authorization @nullable true

Returns:

IAuthorizationService.AuthState

isAuthorized

public IAuthorizationService.AuthState isAuthorized(Authorization reqAuth,
                                                    Collection<Authorization> userAuthsForFeature)

featureRequiredAuth is the Minimum required Authorization from the Collection of user auths

Specified by:

isAuthorized in interface IAuthorizationService

Parameters:

reqAuth - @nullable true

userAuthsForFeature - as Collection of Authorization @nullable true

Returns:

IAuthorizationService.AuthState

getMostRestrictive

public Authorization getMostRestrictive(Collection<Authorization> userAuthsForFeature)

When confronted with multiple Authorizations return the most restrictive Authorization

Specified by:

getMostRestrictive in interface IAuthorizationService

Parameters:

userAuthsForFeature - as Collection of Authorization @nullable true

Returns:

Authorization @nullable true if none found

getLeastRestrictive

public Authorization getLeastRestrictive(Collection<Authorization> userAuthsForFeature)

When confronted with multiple Authorizations return the least restrictive Authorization

Specified by:

getLeastRestrictive in interface IAuthorizationService

Parameters:

userAuthsForFeature - as Collection of Authorization @nullable true

Returns:

Authorization @nullable true if none found

getInOrderOfRestriction

public List<Authorization> getInOrderOfRestriction(Collection<Authorization> userAuthsForFeature,
                                                   boolean leastRestrictiveToMost)

When confronted with multiple Authorizations return a new List of Authorization.
Max weight, i.e. Lest restrictive first element.

Specified by:

getInOrderOfRestriction in interface IAuthorizationService

Parameters:

userAuthsForFeature - as Collection of Authorization @nullable true

leastRestrictiveToMost - as boolean. If true Least restrictive element will be first and most restrictive, the last.

getAuthComparator

public Comparator<Authorization> getAuthComparator()

setAuthComparator

public void setAuthComparator(Comparator<Authorization> authComparator)

getAuthorizationsForUser

public Collection<Authorization> getAuthorizationsForUser(String authorizableId,
                                                          User user)

Description copied from interface: IAuthorizationService

Get the Authorizations granted to a user. If User.getRoleNames() is not empty then append them.

Role based Authorizations are determined at runtime, while direct auths are setup from the User object directly. This implis that if we change a Role, then those changes will impact the user @ runtime and will be dynamic.

Specified by:

getAuthorizationsForUser in interface IAuthorizationService

Parameters:

authorizableId - as String , which can be derived from any Authorizable.getAuthorizableId(). Example(s): IModuleAware or MountModuleUI or a simple Authorizable entity.

user - as User

Returns:

Collection of Authorization

getRoleService

public RoleService getRoleService()

Description copied from interface: IAuthorizationService

RoleService

Specified by:

getRoleService in interface IAuthorizationService

setRoleService

public void setRoleService(RoleService roleService)