Package org.apache.shiro.authz

Interface AuthorizationInfo

  • All Superinterfaces:
    All Known Subinterfaces:
    Account
    All Known Implementing Classes:
    SimpleAccount, SimpleAuthorizationInfo
    public interface AuthorizationInfo
extends
    AuthorizationInfo represents a single Subject's stored authorization data (roles, permissions, etc) used during authorization (access control) checks only.

    Roles are represented as a Collection of Strings (<>), typically each element being the Role name.

    Permissions are provided in two ways:

    • A Collection of Strings, where each String can usually be converted into Permission objects by a Realm's PermissionResolver
    • A Collection of Permission objects
    Both permission collections together represent the total aggregate collection of permissions. You may use one or both depending on your preference and needs.

    Because the act of authorization (access control) is orthogonal to authentication (log-in), this interface is intended to represent only the account data needed by Shiro during an access control check (role, permission, etc). Shiro also has a parallel AuthenticationInfo interface for use during the authentication process that represents identity data such as principals and credentials.

    Because many if not most Realms store both sets of data for a Subject, it might be convenient for a Realm implementation to utilize an implementation of the Account interface instead, which is a convenience interface that combines both AuthenticationInfo and AuthorizationInfo. Whether you choose to implement these two interfaces separately or implement the one Account interface for a given Realm is entirely based on your application's needs or your preferences.

    Since:
    0.9
    See Also:
    AuthenticationInfo, Account

    • Method Detail

      • getRoles

        <> getRoles()
        Returns the names of all roles assigned to a corresponding Subject.
        Returns:
        the names of all roles assigned to a corresponding Subject.

      • getStringPermissions

        <> getStringPermissions()
        Returns all string-based permissions assigned to the corresponding Subject. The permissions here plus those returned from getObjectPermissions() represent the total set of permissions assigned. The aggregate set is used to perform a permission authorization check.

        This method is a convenience mechanism that allows Realms to represent permissions as Strings if they choose. When performing a security check, a Realm usually converts these strings to object Permissions via an internal PermissionResolver in order to perform the actual permission check. This is not a requirement of course, since Realms can perform security checks in whatever manner deemed necessary, but this explains the conversion mechanism that most Shiro Realms execute for string-based permission checks.

        Returns:
        all string-based permissions assigned to the corresponding Subject.

      • getObjectPermissions

        <Permission> getObjectPermissions()
        Returns all type-safe Permissions assigned to the corresponding Subject. The permissions returned from this method plus any returned from getStringPermissions() represent the total set of permissions. The aggregate set is used to perform a permission authorization check.
        Returns:
        all type-safe Permissions assigned to the corresponding Subject.