Package org.apache.shiro.mgt

Class AuthorizingSecurityManager

  • All Implemented Interfaces:
    Authenticator, Authorizer, org.apache.shiro.cache.CacheManagerAware, org.apache.shiro.event.EventBusAware, SecurityManager, SessionManager, org.apache.shiro.util.Destroyable
    Direct Known Subclasses:
    SessionsSecurityManager
    public abstract class AuthorizingSecurityManager
extends AuthenticatingSecurityManager
    Shiro support of a SecurityManager class hierarchy that delegates all authorization (access control) operations to a wrapped Authorizer instance. That is, this class implements all the Authorizer methods in the SecurityManager interface, but in reality, those methods are merely passthrough calls to the underlying 'real' Authorizer instance.

    All remaining SecurityManager methods not covered by this class or its parents (mostly Session support) are left to be implemented by subclasses.

    In keeping with the other classes in this hierarchy and Shiro's desire to minimize configuration whenever possible, suitable default instances for all dependencies will be created upon instantiation.

    Since:
    0.9

    • Constructor Detail

      • AuthorizingSecurityManager

        public AuthorizingSecurityManager()
        Default no-arg constructor that initializes an internal default ModularRealmAuthorizer.

    • Method Detail

      • getAuthorizer

        public Authorizer getAuthorizer()
        Returns the underlying wrapped Authorizer instance to which this SecurityManager implementation delegates all of its authorization calls.
        Returns:
        the wrapped Authorizer used by this SecurityManager implementation.

      • setAuthorizer

        public void setAuthorizer​(Authorizer authorizer)
        Sets the underlying Authorizer instance to which this SecurityManager implementation will delegate all of its authorization calls.
        Parameters:
        authorizer - the Authorizer this SecurityManager should wrap and delegate all of its authorization calls to.

      • afterRealmsSet

        protected void afterRealmsSet()
        First calls super.afterRealmsSet() and then sets these same Realm objects on this instance's wrapped Authorizer.

        The setting of realms the Authorizer will only occur if it is an instance of ModularRealmAuthorizer, that is: 

         if ( this.authorizer instanceof ModularRealmAuthorizer ) {
     ((ModularRealmAuthorizer)this.authorizer).setRealms(realms);
 }
        Overrides:
        afterRealmsSet in class AuthenticatingSecurityManager

      • isPermitted

        public boolean isPermitted​(PrincipalCollection principals,
                            permissionString)
        Description copied from interface: Authorizer
        Returns true if the corresponding subject/user is permitted to perform an action or access a resource summarized by the specified permission string.

        This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

        Parameters:
        principals - the application-specific subject/user identifier.
        permissionString - the String representation of a Permission that is being checked.
        Returns:
        true if the corresponding Subject/user is permitted, false otherwise.
        See Also:
        Authorizer.isPermitted(PrincipalCollection principals,Permission permission)

      • isPermitted

        public boolean isPermitted​(PrincipalCollection principals,
                           Permission permission)
        Description copied from interface: Authorizer
        Returns true if the corresponding subject/user is permitted to perform an action or access a resource summarized by the specified permission.

        More specifically, this method determines if any Permissions associated with the subject imply the specified permission.

        Parameters:
        principals - the application-specific subject/user identifier.
        permission - the permission that is being checked.
        Returns:
        true if the corresponding Subject/user is permitted, false otherwise.

      • isPermitted

        public boolean[] isPermitted​(PrincipalCollection principals,
                             ... permissions)
        Description copied from interface: Authorizer
        Checks if the corresponding Subject implies the given permission strings and returns a boolean array indicating which permissions are implied.

        This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

        Parameters:
        principals - the application-specific subject/user identifier.
        permissions - the String representations of the Permissions that are being checked.
        Returns:
        an array of booleans whose indices correspond to the index of the permissions in the given list. A true value at an index indicates the user is permitted for for the associated Permission string in the list. A false value at an index indicates otherwise.

      • isPermitted

        public boolean[] isPermitted​(PrincipalCollection principals,
                             <Permission> permissions)
        Description copied from interface: Authorizer
        Checks if the corresponding Subject/user implies the given Permissions and returns a boolean array indicating which permissions are implied.

        More specifically, this method should determine if each Permission in the array is implied by permissions already associated with the subject.

        This is primarily a performance-enhancing method to help reduce the number of Authorizer.isPermitted(org.apache.shiro.subject.PrincipalCollection, java.lang.String) invocations over the wire in client/server systems.

        Parameters:
        principals - the application-specific subject/user identifier.
        permissions - the permissions that are being checked.
        Returns:
        an array of booleans whose indices correspond to the index of the permissions in the given list. A true value at an index indicates the user is permitted for for the associated Permission object in the list. A false value at an index indicates otherwise.

      • isPermittedAll

        public boolean isPermittedAll​(PrincipalCollection principals,
                              ... permissions)
        Description copied from interface: Authorizer
        Returns true if the corresponding Subject/user implies all of the specified permission strings, false otherwise.

        This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

        Parameters:
        principals - the application-specific subject/user identifier.
        permissions - the String representations of the Permissions that are being checked.
        Returns:
        true if the user has all of the specified permissions, false otherwise.
        See Also:
        Authorizer.isPermittedAll(PrincipalCollection,Collection)

      • isPermittedAll

        public boolean isPermittedAll​(PrincipalCollection principals,
                              <Permission> permissions)
        Description copied from interface: Authorizer
        Returns true if the corresponding Subject/user implies all of the specified permissions, false otherwise.

        More specifically, this method determines if all of the given Permissions are implied by permissions already associated with the subject.

        Parameters:
        principals - the application-specific subject/user identifier.
        permissions - the permissions to check.
        Returns:
        true if the user has all of the specified permissions, false otherwise.

      • checkPermission

        public void checkPermission​(PrincipalCollection principals,
                             permission)
                     throws AuthorizationException
        Description copied from interface: Authorizer
        Ensures the corresponding Subject/user implies the specified permission String.

        If the subject's existing associated permissions do not Permission.implies(Permission) imply} the given permission, an AuthorizationException will be thrown.

        This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

        Parameters:
        principals - the application-specific subject/user identifier.
        permission - the String representation of the Permission to check.
        Throws:
        AuthorizationException - if the user does not have the permission.

      • checkPermissions

        public void checkPermissions​(PrincipalCollection principals,
                             ... permissions)
                      throws AuthorizationException
        Description copied from interface: Authorizer
        Ensures the corresponding Subject/user implies all of the specified permission strings. If the subject's existing associated permissions do not imply all of the given permissions, an AuthorizationException will be thrown.

        This is an overloaded method for the corresponding type-safe Permission variant. Please see the class-level JavaDoc for more information on these String-based permission methods.

        Parameters:
        principals - the application-specific subject/user identifier.
        permissions - the string representations of Permissions to check.
        Throws:
        AuthorizationException - if the user does not have all of the given permissions.

      • checkPermissions

        public void checkPermissions​(PrincipalCollection principals,
                             <Permission> permissions)
                      throws AuthorizationException
        Description copied from interface: Authorizer
        Ensures the corresponding Subject/user implies all of the specified permission strings. If the subject's existing associated permissions do not imply all of the given permissions, an AuthorizationException will be thrown.
        Parameters:
        principals - the application-specific subject/user identifier.
        permissions - the Permissions to check.
        Throws:
        AuthorizationException - if the user does not have all of the given permissions.

      • hasRole

        public boolean hasRole​(PrincipalCollection principals,
                        roleIdentifier)
        Description copied from interface: Authorizer
        Returns true if the corresponding Subject/user has the specified role, false otherwise.
        Parameters:
        principals - the application-specific subject/user identifier.
        roleIdentifier - the application-specific role identifier (usually a role id or role name).
        Returns:
        true if the corresponding subject has the specified role, false otherwise.

      • hasRoles

        public boolean[] hasRoles​(PrincipalCollection principals,
                          <> roleIdentifiers)
        Description copied from interface: Authorizer
        Checks if the corresponding Subject/user has the specified roles, returning a boolean array indicating which roles are associated with the given subject.

        This is primarily a performance-enhancing method to help reduce the number of Authorizer.hasRole(org.apache.shiro.subject.PrincipalCollection, java.lang.String) invocations over the wire in client/server systems.

        Parameters:
        principals - the application-specific subject/user identifier.
        roleIdentifiers - the application-specific role identifiers to check (usually role ids or role names).
        Returns:
        an array of booleans whose indices correspond to the index of the roles in the given identifiers. A true value indicates the user has the role at that index. False indicates the user does not have the role at that index.

      • hasAllRoles

        public boolean hasAllRoles​(PrincipalCollection principals,
                           <> roleIdentifiers)
        Description copied from interface: Authorizer
        Returns true if the corresponding Subject/user has all of the specified roles, false otherwise.
        Parameters:
        principals - the application-specific subject/user identifier.
        roleIdentifiers - the application-specific role identifiers to check (usually role ids or role names).
        Returns:
        true if the user has all the roles, false otherwise.

      • checkRole

        public void checkRole​(PrincipalCollection principals,
                       role)
               throws AuthorizationException
        Description copied from interface: Authorizer
        Asserts the corresponding Subject/user has the specified role by returning quietly if they do or throwing an AuthorizationException if they do not.
        Parameters:
        principals - the application-specific subject/user identifier.
        role - the application-specific role identifier (usually a role id or role name ).
        Throws:
        AuthorizationException - if the user does not have the role.

      • checkRoles

        public void checkRoles​(PrincipalCollection principals,
                       <> roles)
                throws AuthorizationException
        Description copied from interface: Authorizer
        Asserts the corresponding Subject/user has all of the specified roles by returning quietly if they do or throwing an AuthorizationException if they do not.
        Parameters:
        principals - the application-specific subject/user identifier.
        roles - the application-specific role identifiers to check (usually role ids or role names).
        Throws:
        AuthorizationException - if the user does not have all of the specified roles.