Package org.apache.shiro.authz

Class ModularRealmAuthorizer

java.lang.Object

org.apache.shiro.authz.ModularRealmAuthorizer

All Implemented Interfaces:

Authorizer, PermissionResolverAware, RolePermissionResolverAware

public class ModularRealmAuthorizer
extends Object
implements Authorizer, PermissionResolverAware, RolePermissionResolverAware

A ModularRealmAuthorizer is an Authorizer implementation that consults one or more configured Realms during an authorization operation.

Since:

0.2

Field Summary

Fields

Modifier and Type	Field	Description
protected PermissionResolver	permissionResolver	A PermissionResolver to be used by all configured realms.
protected Collection<Realm>	realms	The realms to consult during any authorization check.
protected RolePermissionResolver	rolePermissionResolver	A RolePermissionResolver to be used by all configured realms.

Constructor Summary

Constructors

Constructor	Description
ModularRealmAuthorizer()	Default no-argument constructor, does nothing.
ModularRealmAuthorizer(Collection<Realm> realms)	Constructor that accepts the Realms to consult during an authorization check.

Method Summary

Modifier and Type	Method	Description
protected void	applyPermissionResolverToRealms()	Sets the internal getPermissionResolver() on any internal configured Realms that implement the PermissionResolverAware interface.
protected void	applyRolePermissionResolverToRealms()	Sets the internal getRolePermissionResolver() on any internal configured Realms that implement the RolePermissionResolverAware interface.
protected void	assertRealmsConfigured()	Used by the Authorizer implementation methods to ensure that the realms has been set.
void	checkPermission(PrincipalCollection principals, String permission)	If !isPermitted(permission), throws an UnauthorizedException otherwise returns quietly.
void	checkPermission(PrincipalCollection principals, Permission permission)	If !isPermitted(permission), throws an UnauthorizedException otherwise returns quietly.
void	checkPermissions(PrincipalCollection principals, String... permissions)	If !isPermitted(permission), throws an UnauthorizedException otherwise returns quietly.
void	checkPermissions(PrincipalCollection principals, Collection<Permission> permissions)	If !isPermitted(permission) for all the given Permissions, throws an UnauthorizedException otherwise returns quietly.
void	checkRole(PrincipalCollection principals, String role)	If !hasRole(role), throws an UnauthorizedException otherwise returns quietly.
void	checkRoles(PrincipalCollection principals, String... roles)	Calls checkRole for each role specified.
void	checkRoles(PrincipalCollection principals, Collection<String> roles)	Calls checkRoles(PrincipalCollection principals, String... roles) .
PermissionResolver	getPermissionResolver()	Returns the PermissionResolver to be used on all configured realms, or null
Collection<Realm>	getRealms()	Returns the realms wrapped by this Authorizer which are consulted during an authorization check.
RolePermissionResolver	getRolePermissionResolver()	Returns the RolePermissionResolver to be used on all configured realms, or null
boolean	hasAllRoles(PrincipalCollection principals, Collection<String> roleIdentifiers)	Returns true iff any of the configured realms' hasRole(org.apache.shiro.subject.PrincipalCollection, String) call returns true for all roles specified, false otherwise.
boolean	hasRole(PrincipalCollection principals, String roleIdentifier)	Returns true if any of the configured realms' hasRole(org.apache.shiro.subject.PrincipalCollection, String) call returns true, false otherwise.
boolean[]	hasRoles(PrincipalCollection principals, List<String> roleIdentifiers)	Calls hasRole(org.apache.shiro.subject.PrincipalCollection, String) for each role name in the specified collection and places the return value from each call at the respective location in the returned array.
boolean	isPermitted(PrincipalCollection principals, String permission)	Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, String) returns true, false otherwise.
boolean[]	isPermitted(PrincipalCollection principals, String... permissions)	Returns true if any of the configured realms' isPermittedAll(org.apache.shiro.subject.PrincipalCollection, String...) call returns true, false otherwise.
boolean[]	isPermitted(PrincipalCollection principals, List<Permission> permissions)	Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, List) call returns true, false otherwise.
boolean	isPermitted(PrincipalCollection principals, Permission permission)	Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission) call returns true, false otherwise.
boolean	isPermittedAll(PrincipalCollection principals, String... permissions)	Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, String) call returns true for all of the specified string permissions, false otherwise.
boolean	isPermittedAll(PrincipalCollection principals, Collection<Permission> permissions)	Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission) call returns true for all of the specified Permissions, false otherwise.
void	setPermissionResolver(PermissionResolver permissionResolver)	Sets the specified PermissionResolver on all of the wrapped realms that implement the PermissionResolverAware interface.
void	setRealms(Collection<Realm> realms)	Sets the realms wrapped by this Authorizer which are consulted during an authorization check.
void	setRolePermissionResolver(RolePermissionResolver rolePermissionResolver)	Sets the specified RolePermissionResolver on all of the wrapped realms that implement the PermissionResolverAware interface.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

realms

protected Collection<Realm> realms

The realms to consult during any authorization check.

permissionResolver

protected PermissionResolver permissionResolver

A PermissionResolver to be used by all configured realms. Leave null if you wish to configure different resolvers for different realms.

rolePermissionResolver

protected RolePermissionResolver rolePermissionResolver

A RolePermissionResolver to be used by all configured realms. Leave null if you wish to configure different resolvers for different realms.

Constructor Detail

ModularRealmAuthorizer

public ModularRealmAuthorizer()

Default no-argument constructor, does nothing.

ModularRealmAuthorizer

public ModularRealmAuthorizer(Collection<Realm> realms)

Constructor that accepts the Realms to consult during an authorization check. Immediately calls setRealms(realms).

Parameters:

realms - the realms to consult during an authorization check.

Method Detail

getRealms

public Collection<Realm> getRealms()

Returns the realms wrapped by this Authorizer which are consulted during an authorization check.

Returns:

the realms wrapped by this Authorizer which are consulted during an authorization check.

setRealms

public void setRealms(Collection<Realm> realms)

Sets the realms wrapped by this Authorizer which are consulted during an authorization check.

Parameters:

realms - the realms wrapped by this Authorizer which are consulted during an authorization check.

getPermissionResolver

public PermissionResolver getPermissionResolver()

Returns the PermissionResolver to be used on all configured realms, or null

Returns:

the PermissionResolver to be used on all configured realms, or null

Since:

1.0

setPermissionResolver

public void setPermissionResolver(PermissionResolver permissionResolver)

Sets the specified PermissionResolver on all of the wrapped realms that implement the PermissionResolverAware interface.

Only call this method if you want the permission resolver to be passed to all realms that implement the PermissionResolver interface. If you do not want this to occur, the realms must configure themselves individually (or be configured individually).

Specified by:

setPermissionResolver in interface PermissionResolverAware

Parameters:

permissionResolver - the permissionResolver to set on all of the wrapped realms that implement the PermissionResolverAware interface.

applyPermissionResolverToRealms

protected void applyPermissionResolverToRealms()

Sets the internal getPermissionResolver() on any internal configured Realms that implement the PermissionResolverAware interface.

This method is called after setting a permissionResolver on this ModularRealmAuthorizer via the setPermissionResolver method.

It is also called after setting one or more realms via the setRealms method to allow these newly available realms to be given the PermissionResolver already in use.

Since:

1.0

getRolePermissionResolver

public RolePermissionResolver getRolePermissionResolver()

Returns the RolePermissionResolver to be used on all configured realms, or null

Returns:

the RolePermissionResolver to be used on all configured realms, or null

Since:

1.0

setRolePermissionResolver

public void setRolePermissionResolver(RolePermissionResolver rolePermissionResolver)

Sets the specified RolePermissionResolver on all of the wrapped realms that implement the PermissionResolverAware interface.

Only call this method if you want the permission resolver to be passed to all realms that implement the RolePermissionResolver interface. If you do not want this to occur, the realms must configure themselves individually (or be configured individually).

Specified by:

setRolePermissionResolver in interface RolePermissionResolverAware

Parameters:

rolePermissionResolver - the rolePermissionResolver to set on all of the wrapped realms that implement the RolePermissionResolverAware interface.

applyRolePermissionResolverToRealms

protected void applyRolePermissionResolverToRealms()

Sets the internal getRolePermissionResolver() on any internal configured Realms that implement the RolePermissionResolverAware interface.

This method is called after setting a rolePermissionResolver on this ModularRealmAuthorizer via the setRolePermissionResolver method.

It is also called after setting one or more realms via the setRealms method to allow these newly available realms to be given the RolePermissionResolver already in use.

Since:

1.0

assertRealmsConfigured

protected void assertRealmsConfigured()
                               throws IllegalStateException

Used by the Authorizer implementation methods to ensure that the realms has been set. The default implementation ensures the property is not null and not empty.

Throws:

IllegalStateException - if the realms property is configured incorrectly.

isPermitted

public boolean isPermitted(PrincipalCollection principals,
                           String permission)

Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, String) returns true, false otherwise.

Specified by:

isPermitted in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permission - the String representation of a Permission that is being checked.

Returns:

true if the corresponding Subject/user is permitted, false otherwise.

See Also:

Authorizer.isPermitted(PrincipalCollection principals,Permission permission)

isPermitted

public boolean isPermitted(PrincipalCollection principals,
                           Permission permission)

Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission) call returns true, false otherwise.

Specified by:

isPermitted in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permission - the permission that is being checked.

Returns:

true if the corresponding Subject/user is permitted, false otherwise.

isPermitted

public boolean[] isPermitted(PrincipalCollection principals,
                             String... permissions)

Returns true if any of the configured realms' isPermittedAll(org.apache.shiro.subject.PrincipalCollection, String...) call returns true, false otherwise.

Specified by:

isPermitted in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permissions - the String representations of the Permissions that are being checked.

Returns:

an array of booleans whose indices correspond to the index of the permissions in the given list. A true value at an index indicates the user is permitted for for the associated Permission string in the list. A false value at an index indicates otherwise.

isPermitted

public boolean[] isPermitted(PrincipalCollection principals,
                             List<Permission> permissions)

Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, List) call returns true, false otherwise.

Specified by:

isPermitted in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permissions - the permissions that are being checked.

Returns:

an array of booleans whose indices correspond to the index of the permissions in the given list. A true value at an index indicates the user is permitted for for the associated Permission object in the list. A false value at an index indicates otherwise.

isPermittedAll

public boolean isPermittedAll(PrincipalCollection principals,
                              String... permissions)

Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, String) call returns true for all of the specified string permissions, false otherwise.

Specified by:

isPermittedAll in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permissions - the String representations of the Permissions that are being checked.

Returns:

true if the user has all of the specified permissions, false otherwise.

See Also:

Authorizer.isPermittedAll(PrincipalCollection,Collection)

isPermittedAll

public boolean isPermittedAll(PrincipalCollection principals,
                              Collection<Permission> permissions)

Returns true if any of the configured realms' isPermitted(org.apache.shiro.subject.PrincipalCollection, Permission) call returns true for all of the specified Permissions, false otherwise.

Specified by:

isPermittedAll in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permissions - the permissions to check.

Returns:

true if the user has all of the specified permissions, false otherwise.

checkPermission

public void checkPermission(PrincipalCollection principals,
                            String permission)
                     throws AuthorizationException

If !isPermitted(permission), throws an UnauthorizedException otherwise returns quietly.

Specified by:

checkPermission in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permission - the String representation of the Permission to check.

Throws:

AuthorizationException - if the user does not have the permission.

checkPermission

public void checkPermission(PrincipalCollection principals,
                            Permission permission)
                     throws AuthorizationException

If !isPermitted(permission), throws an UnauthorizedException otherwise returns quietly.

Specified by:

checkPermission in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permission - the Permission to check.

Throws:

AuthorizationException - if the user does not have the permission.

checkPermissions

public void checkPermissions(PrincipalCollection principals,
                             String... permissions)
                      throws AuthorizationException

If !isPermitted(permission), throws an UnauthorizedException otherwise returns quietly.

Specified by:

checkPermissions in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permissions - the string representations of Permissions to check.

Throws:

AuthorizationException - if the user does not have all of the given permissions.

checkPermissions

public void checkPermissions(PrincipalCollection principals,
                             Collection<Permission> permissions)
                      throws AuthorizationException

If !isPermitted(permission) for all the given Permissions, throws an UnauthorizedException otherwise returns quietly.

Specified by:

checkPermissions in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

permissions - the Permissions to check.

Throws:

AuthorizationException - if the user does not have all of the given permissions.

hasRole

public boolean hasRole(PrincipalCollection principals,
                       String roleIdentifier)

Returns true if any of the configured realms' hasRole(org.apache.shiro.subject.PrincipalCollection, String) call returns true, false otherwise.

Specified by:

hasRole in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

roleIdentifier - the application-specific role identifier (usually a role id or role name).

Returns:

true if the corresponding subject has the specified role, false otherwise.

hasRoles

public boolean[] hasRoles(PrincipalCollection principals,
                          List<String> roleIdentifiers)

Calls hasRole(org.apache.shiro.subject.PrincipalCollection, String) for each role name in the specified collection and places the return value from each call at the respective location in the returned array.

Specified by:

hasRoles in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

roleIdentifiers - the application-specific role identifiers to check (usually role ids or role names).

Returns:

an array of booleans whose indices correspond to the index of the roles in the given identifiers. A true value indicates the user has the role at that index. False indicates the user does not have the role at that index.

hasAllRoles

public boolean hasAllRoles(PrincipalCollection principals,
                           Collection<String> roleIdentifiers)

Returns true iff any of the configured realms' hasRole(org.apache.shiro.subject.PrincipalCollection, String) call returns true for all roles specified, false otherwise.

Specified by:

hasAllRoles in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

roleIdentifiers - the application-specific role identifiers to check (usually role ids or role names).

Returns:

true if the user has all the roles, false otherwise.

checkRole

public void checkRole(PrincipalCollection principals,
                      String role)
               throws AuthorizationException

If !hasRole(role), throws an UnauthorizedException otherwise returns quietly.

Specified by:

checkRole in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

role - the application-specific role identifier (usually a role id or role name ).

Throws:

AuthorizationException - if the user does not have the role.

checkRoles

public void checkRoles(PrincipalCollection principals,
                       Collection<String> roles)
                throws AuthorizationException

Calls checkRoles(PrincipalCollection principals, String... roles) .

Specified by:

checkRoles in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

roles - the application-specific role identifiers to check (usually role ids or role names).

Throws:

AuthorizationException - if the user does not have all of the specified roles.

checkRoles

public void checkRoles(PrincipalCollection principals,
                       String... roles)
                throws AuthorizationException

Calls checkRole for each role specified.

Specified by:

checkRoles in interface Authorizer

Parameters:

principals - the application-specific subject/user identifier.

roles - the application-specific role identifiers to check (usually role ids or role names).

Throws:

AuthorizationException - if the user does not have all of the specified roles.