Package wt.access

Interface AccessControlManager

All Known Implementing Classes:
StandardAccessControlManager

@RemoteInterface public interface AccessControlManager
The AccessControlManager interface contains the signature of the methods supported by managers of the access control package. These methods fall into three classes: (1) access control enforcement methods (checkAccess, for example); (2) specialized query methods; and (3) maintenance of access control rules, lists and security labels.

Supported API: true

Extendable: false
  • Method Details

    • checkAccess

      boolean checkAccess(Object object, AccessPermission permission) throws WTException
      Determines whether the current principal has a given permission on a given object. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

      If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled.

      If the NotAuthorizedException thrown by this method is caught and does not result in a user's action failing due to the lack of access rights, auditing of the exception should be disabled. The current principal is determined by calling SessionContext.getEffectivePrincipal(). If no effective principal is set, SessionHelper.getPrincipal() is used.

      Supported API: true

      Parameters:
      object - object for which permissions are to be evaluated
      permission - access control permission
      Returns:
      boolean
      Throws:
      WTException
    • checkAccess

      void checkAccess(WTCollection objects, AccessPermission permission) throws WTException
      Determines whether the current principal has a given permission for all of the objects in the specified collection. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

      If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed.

      If the NotAuthorizedException thrown by this method is caught and does not result in a user's action failing due to the lack of access rights, auditing of the exception should be disabled. The current principal is determined by calling SessionContext.getEffectivePrincipal(). If no effective principal is set, SessionHelper.getPrincipal() is used.

      Supported API: true

      Parameters:
      objects - objects for which permissions are to be evaluated
      permission - access control permission
      Throws:
      WTException
    • hasAccess

      boolean hasAccess(Object object, AccessPermission permission) throws WTException
      Determines whether the current principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

      If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled. The current principal is determined by calling SessionContext.getEffectivePrincipal(). If no effective principal is set, SessionHelper.getPrincipal() is used.

      Supported API: true

      Parameters:
      object - object for which permissions are to be evaluated
      permission - access control permission
      Returns:
      boolean
      Throws:
      WTException
    • hasAccess

      boolean hasAccess(WTCollection objects, AccessPermission permission) throws WTException
      Determines whether the current principal has the given access permission for all of the objects in the specified collection. Returns true if this is the case, false otherwise.

      If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed. The current principal is determined by calling SessionContext.getEffectivePrincipal(). If no effective principal is set, SessionHelper.getPrincipal() is used.

      Supported API: true

      Parameters:
      objects - objects for which permissions are to be evaluated
      permission - access control permission
      Returns:
      boolean
      Throws:
      WTException
    • hasAccess

      boolean hasAccess(WTPrincipal user, Object object, AccessPermission permission) throws WTException
      Determines whether the given principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

      If the object parameter specifies an instance of ObjectReference, access rights are checked on the referenced object unless the reference class itself is AccessControlled.

      Supported API: true

      Parameters:
      user - principal whose access rights are to be evaluated
      object - object for which permissions are to be evaluated
      permission - access control permission
      Returns:
      boolean
      Throws:
      WTException
    • hasAccess

      boolean hasAccess(WTPrincipal principal, WTCollection objects, AccessPermission permission) throws WTException
      Determines whether the given principal has the given access permission for all of the objects in the specified collection. Returns true if this is the case, false otherwise.

      If the objects parameter specifies a collection that has not been inflated, access rights are checked on a copy of the collection that has been inflated with access control enforcement bypassed.

      Supported API: true

      Parameters:
      principal - principal whose access rights are to be evaluated
      objects - objects for which permissions are to be evaluated
      permission - access control permission
      Returns:
      boolean
      Throws:
      WTException
    • hasAccess

      boolean hasAccess(WTPrincipal user, String type_id, AdminDomainRef domain_ref, State state, AccessPermission permission) throws WTException
      Determines whether the given principal has the given access permission over a given type in a given domain and state. Returns true if this is the case, false otherwise. If the state parameter is null, access policies which apply to all states are used to evaluate the principal's access rights. This is intended for use with a type that does not have a state (that is, a type that is not LifeCycleManaged).

      The access is evaluated only taking into account access policies. For a specific object this is only part of the answer as the object may be ad hoc controlled and have an ad hoc ACL that provides additional access rights, or the object may be administratively locked, or the object may be security labeled and have labels that deny access rights. In general this method should only be used with a type that is PolicyAccessControlled but not AdHocControlled nor SecurityLabeled.

      Note: If a null state parameter is specified with a type that is LifeCycleManaged, the result does not indicate whether the user has access rights in every state. It only reflects the rights specified by rules that apply to all states. There could be a policy rule defined for a particular state that denies access rights, which would result in denial of access for that state even though a rule that applies to all states grants access.

      Supported API: true

      Parameters:
      user - principal whose access rights are to be evaluated
      type_id - external, logical or persisted type identifier
      domain_ref - reference to the domain for which policy rules are to be evaluated
      state - lifecycle state
      permission - access control permission
      Returns:
      boolean
      Throws:
      WTInvalidParameterException - if a principal, type or domain is not specified, or if the specified type is not a PolicyAccessControlled type or not a valid type
      WTException
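
      The null-state caveat above, as an added example that is not part of the Windchill API or of this page: a hypothetical helper (PolicyStateCheck, statesWithoutAccess) that evaluates the type-level hasAccess once per lifecycle state instead of passing null. It assumes the caller supplies an AccessControlManager and the states to test; the packages imported for AdminDomainRef, State, WTPrincipal and WTException are assumptions, since this page names only wt.access.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import wt.access.AccessControlManager;
import wt.access.AccessPermission;
import wt.admin.AdminDomainRef;   // package is an assumption
import wt.lifecycle.State;        // package is an assumption
import wt.org.WTPrincipal;        // package is an assumption
import wt.util.WTException;       // package is an assumption

/** Hypothetical helper for illustration; not part of wt.access. */
public final class PolicyStateCheck {

    private PolicyStateCheck() {}

    /**
     * Returns the states in which policy rules do not grant the permission.
     * An empty list means policy grants it in every state that was passed in.
     */
    public static List<State> statesWithoutAccess(
            AccessControlManager acm, WTPrincipal user, String typeId,
            AdminDomainRef domainRef, Collection<State> states,
            AccessPermission permission) throws WTException {

        if (states == null || states.isEmpty()) {
            // Do not fall back to state == null: for a LifeCycleManaged type
            // that would consult only the rules that apply to all states.
            throw new IllegalArgumentException(
                    "pass the type's lifecycle states explicitly");
        }
        List<State> denied = new ArrayList<>();
        for (State state : states) {
            // Evaluated per state, so a state-specific deny rule is visible
            // even when an all-states rule grants the permission.
            if (!acm.hasAccess(user, typeId, domainRef, state, permission)) {
                denied.add(state);
            }
        }
        return denied;
    }
}
```

      The result still reflects access policies only; ad hoc ACLs, administrative locks and security labels on a specific object are not taken into account.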
    • filterObjects

      ObjectVectorIfc filterObjects(ObjectVectorIfc objects, AccessPermission permission) throws WTException
      Given a set of objects, this method constructs and returns a new set containing only those objects on which the current principal is granted the permission.

      This method can be used to filter out objects for which the user has no read access after a query is performed.

      Supported API: true

      Parameters:
      objects - set of objects
      permission - access control permission
      Returns:
      ObjectVectorIfc
      Throws:
      WTException
    • filterObjects

      QueryResult filterObjects(QueryResult objects, AccessPermission permission) throws WTException
      Given a set of objects (stored as a QueryResult), this method constructs and returns a new set containing only those objects on which the current principal is granted the permission.

      This method can be used to filter out objects for which the user has no read access after a database query is performed.

      Supported API: true

      Parameters:
      objects - set of objects
      permission - access control permission
      Returns:
      QueryResult
      Throws:
      WTException
    • getSecurityLabel

      @Deprecated String getSecurityLabel(SecurityLabeled object, String label_name) throws WTException
      Returns the value of the specified security label for an object. The external representation of the value will be returned if the specified security label is a custom label.

      Supported API: true
      Parameters:
      object - object for which the security label is to be returned
      label_name - security label name
      Returns:
      String
      Throws:
      WTInvalidParameterException - if an object is not specified or the specified label name is not defined in the security labels configuration file
      WTRuntimeException - if any of the object's label names or values are not defined in the security labels configuration file
      WTException
    • getMultiValuedSecurityLabel

      Set<String> getMultiValuedSecurityLabel(SecurityLabeled object, String label_name) throws WTException
      Returns the value of the specified security label for an object. The external representation of the value will be returned if the specified security label is a custom label.

      Supported API: true
      Parameters:
      object - object for which the security label is to be returned
      label_name - security label name
      Returns:
      Set - Set of SLValues.
      Throws:
      WTInvalidParameterException - if an object is not specified or the specified label name is not defined in the security labels configuration file
      WTRuntimeException - if any of the object's label names or values are not defined in the security labels configuration file
      WTException
    • getSecurityLabels

      @Deprecated Map<String,String> getSecurityLabels(SecurityLabeled object) throws WTException
      Returns a map of all security labels for an object where the label names are the map keys and the label values are the corresponding map values. The external representation of the values will be returned for custom security labels. If no security labels are configured for the system, an empty map is returned.

      Supported API: true
      Parameters:
      object - object for which security labels are to be returned
      Returns:
      Map<String,String>
      Throws:
      WTInvalidParameterException - if an object is not specified
      WTRuntimeException - if any of the object's label names or standard label values are not defined in the security labels configuration file
      WTException
    • getMultiValuedSecurityLabels

      Map<String,Set<String>> getMultiValuedSecurityLabels(SecurityLabeled object) throws WTException
      Returns a map of all security labels for an object where the label names are the map keys and the Set of label values are the corresponding map values. The external representation of the values will be returned for custom security labels. If no security labels are configured for the system, an empty map is returned.

      Supported API: true
      Parameters:
      object - object for which security labels are to be returned
      Returns:
      Map<String,Set>
      Throws:
      WTInvalidParameterException - if an object is not specified
      WTRuntimeException - if any of the object's label names or standard label values are not defined in the security labels configuration file
      WTException
    • getSecurityLabels

      @Deprecated WTKeyedMap getSecurityLabels(WTCollection objects) throws WTException
      Returns the names and values of all security labels for a collection of objects. The specified objects are the key set, and for each map entry key, a Map<String, String> with the names and values of an object's security labels is the map entry's value. The external representation of the values will be returned for custom security labels.

      Supported API: true
      Parameters:
      objects - objects for which security labels are to be returned
      Returns:
      WTKeyedMap
      Throws:
      ClassCastException - if one or more objects in the collection are not SecurityLabeled
      WTInvalidParameterException - if a collection of objects is not specified or empty
      WTRuntimeException - if any of the objects' label names or standard label values are not defined in the security labels configuration file
      WTException
    • getMultiValuedSecurityLabels

      WTKeyedMap getMultiValuedSecurityLabels(WTCollection objects) throws WTException
      Returns the names and list of values of all security labels for a collection of objects. The specified objects are the key set, and for each map entry key, a Map<String, Set<String>> with the names and values of an object's security labels is the map entry's value. The external representation of the values will be returned for custom security labels.

      Supported API: true
      Parameters:
      objects - objects for which security labels are to be returned
      Returns:
      WTKeyedMap of object and Map<String,Set> where Set will hold multiple values on SL
      Throws:
      ClassCastException - if one or more objects in the collection are not SecurityLabeled
      WTInvalidParameterException - if a collection of objects is not specified or empty
      WTRuntimeException - if any of the objects' label names or standard label values are not defined in the security labels configuration file
      WTException
    • showSecurityLabelsGlyph

      boolean showSecurityLabelsGlyph(SecurityLabeled object) throws WTException
      Returns true if the security labels functionality is enabled and one or more of the security label values for the specified object are non-null, even if all of the security labels that have non-null values are informational markings only and do not restrict access to the object. Otherwise returns false.

      Supported API: true
      Parameters:
      object - object for which the security labels status is requested
      Returns:
      boolean
      Throws:
      WTInvalidParameterException - if an object is not specified
      WTException