Package org.apache.shiro.authz

Interface Authorizer

All Known Subinterfaces:

SecurityManager

All Known Implementing Classes:

AbstractLdapRealm, ActiveDirectoryRealm, AuthenticatingSecurityManager, AuthorizingRealm, AuthorizingSecurityManager, CachingSecurityManager, DefaultLdapRealm, DefaultSecurityManager, IniRealm, JdbcRealm, JndiLdapRealm, ModularRealmAuthorizer, PropertiesRealm, RealmSecurityManager, SessionsSecurityManager, SimpleAccountRealm, TextConfigurationRealm

public interface Authorizer

An Authorizer performs authorization (access control) operations for any given Subject (aka 'application user').

Each method requires a subject principal to perform the action for the corresponding Subject/user.

This principal argument is usually an object representing a user database primary key or a String username or something similar that uniquely identifies an application user. The runtime value of the this principal is application-specific and provided by the application's configured Realms.

Note that there are many *Permission methods in this interface overloaded to accept String arguments instead of Permission instances. They are a convenience allowing the caller to use a String representation of a Permission if desired. Most implementations of this interface will simply convert these String values to Permission instances and then just call the corresponding type-safe method. (Shiro's default implementations do String-to-Permission conversion for these methods using PermissionResolvers.)

These overloaded *Permission methods do forego type-safety for the benefit of convenience and simplicity, so you should choose which ones to use based on your preferences and needs.

Since:

0.1

Method Summary

Modifier and Type	Method	Description
void	checkPermission(PrincipalCollection subjectPrincipal, permission)	Ensures the corresponding Subject/user implies the specified permission String.
void	checkPermission(PrincipalCollection subjectPrincipal, Permission permission)	Ensures a subject/user Permission.implies(Permission) implies} the specified Permission.
void	checkPermissions(PrincipalCollection subjectPrincipal, ... permissions)	Ensures the corresponding Subject/user implies all of the specified permission strings.
void	checkPermissions(PrincipalCollection subjectPrincipal, <Permission> permissions)	Ensures the corresponding Subject/user implies all of the specified permission strings.
void	checkRole(PrincipalCollection subjectPrincipal, roleIdentifier)	Asserts the corresponding Subject/user has the specified role by returning quietly if they do or throwing an AuthorizationException if they do not.
void	checkRoles(PrincipalCollection subjectPrincipal, ... roleIdentifiers)	Same as checkRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers) but doesn't require a collection as an argument.
void	checkRoles(PrincipalCollection subjectPrincipal, <> roleIdentifiers)	Asserts the corresponding Subject/user has all of the specified roles by returning quietly if they do or throwing an AuthorizationException if they do not.
boolean	hasAllRoles(PrincipalCollection subjectPrincipal, <> roleIdentifiers)	Returns true if the corresponding Subject/user has all of the specified roles, false otherwise.
boolean	hasRole(PrincipalCollection subjectPrincipal, roleIdentifier)	Returns true if the corresponding Subject/user has the specified role, false otherwise.
boolean[]	hasRoles(PrincipalCollection subjectPrincipal, <> roleIdentifiers)	Checks if the corresponding Subject/user has the specified roles, returning a boolean array indicating which roles are associated with the given subject.
boolean	isPermitted(PrincipalCollection principals, permission)	Returns true if the corresponding subject/user is permitted to perform an action or access a resource summarized by the specified permission string.
boolean[]	isPermitted(PrincipalCollection subjectPrincipal, ... permissions)	Checks if the corresponding Subject implies the given permission strings and returns a boolean array indicating which permissions are implied.
boolean[]	isPermitted(PrincipalCollection subjectPrincipal, <Permission> permissions)	Checks if the corresponding Subject/user implies the given Permissions and returns a boolean array indicating which permissions are implied.
boolean	isPermitted(PrincipalCollection subjectPrincipal, Permission permission)	Returns true if the corresponding subject/user is permitted to perform an action or access a resource summarized by the specified permission.
boolean	isPermittedAll(PrincipalCollection subjectPrincipal, ... permissions)	Returns true if the corresponding Subject/user implies all of the specified permission strings, false otherwise.
boolean	isPermittedAll(PrincipalCollection subjectPrincipal, <Permission> permissions)	Returns true if the corresponding Subject/user implies all of the specified permissions, false otherwise.

Method Detail

isPermitted

boolean isPermitted(PrincipalCollection principals,
                     permission)

Returns true if the corresponding subject/user is permitted to perform an action or access a resource summarized by the specified permission string.

This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

Parameters:

principals - the application-specific subject/user identifier.

permission - the String representation of a Permission that is being checked.

Returns:

true if the corresponding Subject/user is permitted, false otherwise.

Since:

0.9

See Also:

isPermitted(PrincipalCollection principals,Permission permission)

isPermitted

boolean isPermitted(PrincipalCollection subjectPrincipal,
                    Permission permission)

Returns true if the corresponding subject/user is permitted to perform an action or access a resource summarized by the specified permission.

More specifically, this method determines if any Permissions associated with the subject imply the specified permission.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permission - the permission that is being checked.

Returns:

true if the corresponding Subject/user is permitted, false otherwise.

isPermitted

boolean[] isPermitted(PrincipalCollection subjectPrincipal,
                      ... permissions)

Checks if the corresponding Subject implies the given permission strings and returns a boolean array indicating which permissions are implied.

This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permissions - the String representations of the Permissions that are being checked.

Returns:

an array of booleans whose indices correspond to the index of the permissions in the given list. A true value at an index indicates the user is permitted for for the associated Permission string in the list. A false value at an index indicates otherwise.

Since:

0.9

isPermitted

boolean[] isPermitted(PrincipalCollection subjectPrincipal,
                      <Permission> permissions)

Checks if the corresponding Subject/user implies the given Permissions and returns a boolean array indicating which permissions are implied.

More specifically, this method should determine if each Permission in the array is implied by permissions already associated with the subject.

This is primarily a performance-enhancing method to help reduce the number of isPermitted(org.apache.shiro.subject.PrincipalCollection, java.lang.String) invocations over the wire in client/server systems.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permissions - the permissions that are being checked.

Returns:

an array of booleans whose indices correspond to the index of the permissions in the given list. A true value at an index indicates the user is permitted for for the associated Permission object in the list. A false value at an index indicates otherwise.

isPermittedAll

boolean isPermittedAll(PrincipalCollection subjectPrincipal,
                       ... permissions)

Returns true if the corresponding Subject/user implies all of the specified permission strings, false otherwise.

This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permissions - the String representations of the Permissions that are being checked.

Returns:

true if the user has all of the specified permissions, false otherwise.

Since:

0.9

See Also:

isPermittedAll(PrincipalCollection,Collection)

isPermittedAll

boolean isPermittedAll(PrincipalCollection subjectPrincipal,
                       <Permission> permissions)

Returns true if the corresponding Subject/user implies all of the specified permissions, false otherwise.

More specifically, this method determines if all of the given Permissions are implied by permissions already associated with the subject.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permissions - the permissions to check.

Returns:

true if the user has all of the specified permissions, false otherwise.

checkPermission

void checkPermission(PrincipalCollection subjectPrincipal,
                      permission)
              throws AuthorizationException

Ensures the corresponding Subject/user implies the specified permission String.

If the subject's existing associated permissions do not Permission.implies(Permission) imply} the given permission, an AuthorizationException will be thrown.

This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permission - the String representation of the Permission to check.

Throws:

AuthorizationException - if the user does not have the permission.

Since:

0.9

checkPermission

void checkPermission(PrincipalCollection subjectPrincipal,
                     Permission permission)
              throws AuthorizationException

Ensures a subject/user Permission.implies(Permission) implies} the specified Permission. If the subject's existing associated permissions do not Permission.implies(Permission) imply} the given permission, an AuthorizationException will be thrown.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permission - the Permission to check.

Throws:

AuthorizationException - if the user does not have the permission.

checkPermissions

void checkPermissions(PrincipalCollection subjectPrincipal,
                      ... permissions)
               throws AuthorizationException

Ensures the corresponding Subject/user implies all of the specified permission strings. If the subject's existing associated permissions do not imply all of the given permissions, an AuthorizationException will be thrown.

This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permissions - the string representations of Permissions to check.

Throws:

AuthorizationException - if the user does not have all of the given permissions.

Since:

0.9

checkPermissions

void checkPermissions(PrincipalCollection subjectPrincipal,
                      <Permission> permissions)
               throws AuthorizationException

Ensures the corresponding Subject/user implies all of the specified permission strings. If the subject's existing associated permissions do not imply all of the given permissions, an AuthorizationException will be thrown.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

permissions - the Permissions to check.

Throws:

AuthorizationException - if the user does not have all of the given permissions.

hasRole

boolean hasRole(PrincipalCollection subjectPrincipal,
                 roleIdentifier)

Returns true if the corresponding Subject/user has the specified role, false otherwise.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

roleIdentifier - the application-specific role identifier (usually a role id or role name).

Returns:

true if the corresponding subject has the specified role, false otherwise.

hasRoles

boolean[] hasRoles(PrincipalCollection subjectPrincipal,
                   <> roleIdentifiers)

Checks if the corresponding Subject/user has the specified roles, returning a boolean array indicating which roles are associated with the given subject.

This is primarily a performance-enhancing method to help reduce the number of hasRole(org.apache.shiro.subject.PrincipalCollection, java.lang.String) invocations over the wire in client/server systems.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

roleIdentifiers - the application-specific role identifiers to check (usually role ids or role names).

Returns:

an array of booleans whose indices correspond to the index of the roles in the given identifiers. A true value indicates the user has the role at that index. False indicates the user does not have the role at that index.

hasAllRoles

boolean hasAllRoles(PrincipalCollection subjectPrincipal,
                    <> roleIdentifiers)

Returns true if the corresponding Subject/user has all of the specified roles, false otherwise.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

roleIdentifiers - the application-specific role identifiers to check (usually role ids or role names).

Returns:

true if the user has all the roles, false otherwise.

checkRole

void checkRole(PrincipalCollection subjectPrincipal,
                roleIdentifier)
        throws AuthorizationException

Asserts the corresponding Subject/user has the specified role by returning quietly if they do or throwing an AuthorizationException if they do not.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

roleIdentifier - the application-specific role identifier (usually a role id or role name ).

Throws:

AuthorizationException - if the user does not have the role.

checkRoles

void checkRoles(PrincipalCollection subjectPrincipal,
                <> roleIdentifiers)
         throws AuthorizationException

Asserts the corresponding Subject/user has all of the specified roles by returning quietly if they do or throwing an AuthorizationException if they do not.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

roleIdentifiers - the application-specific role identifiers to check (usually role ids or role names).

Throws:

AuthorizationException - if the user does not have all of the specified roles.

checkRoles

void checkRoles(PrincipalCollection subjectPrincipal,
                ... roleIdentifiers)
         throws AuthorizationException

Same as checkRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers) but doesn't require a collection as an argument. Asserts the corresponding Subject/user has all of the specified roles by returning quietly if they do or throwing an AuthorizationException if they do not.

Parameters:

subjectPrincipal - the application-specific subject/user identifier.

roleIdentifiers - the application-specific role identifiers to check (usually role ids or role names).

Throws:

AuthorizationException - if the user does not have all of the specified roles.

Since:

1.1.0