Module io.inverno.mod.security
Package io.inverno.mod.security.accesscontrol

Class ConfigurationSourcePermissionBasedAccessController

java.lang.Object
io.inverno.mod.security.accesscontrol.ConfigurationSourcePermissionBasedAccessController
All Implemented Interfaces:
AccessController, PermissionBasedAccessController
public class ConfigurationSourcePermissionBasedAccessController extends Object implements PermissionBasedAccessController

Permission based access controller implementation using a ConfigurationSource to resolve permissions.

Configuration source allows accessing parameterized properties with or without defaulting support which is particularly suited to defined access permissions and fits the PermissionBasedAccessController contract. In the configuration source permissions must be defined in a comma separated list of strings as property value using the username as property name and permissions parameters as configuration parameters.

A permission is defined as a string using the following rules:

  • [permission] to indicates that permission is granted
  • ![permission] to indicates that permission is not granted
  • * to indicate that all permissions are granted

A permission is then granted when it is present in a set of granted permission or when all permissions have been granted using a wildcard and if it hasn't been explicitly taken out using the !... notation (e.g. *,!admin grants all permissions but admin).

Permissions can be parameterized by defining multiple values with different combinations of configuration parameters. The defaulting strategy specified on the configuration source specifies parameters prioritization and the defaulting behaviour when no property was defined for a particular combination of parameters.

This implementation can also uses user roles when applicable. In that context a role is used to group permissions by role which are then assigned to users in order to facilitate access control management. When evaluating a permission the controller first tries to evaluate it in the context of the user which basically overrides permissions defined by role, in case the evalutation was unsuccessful it then tries in the context of each role, using the role instead of the username as configuration key, the process stops when the evaluated permission is found or when all roles have been scanned without success.

Since:
1.5
Author:
Jeremy Kuhn
See Also:

  • Field Details

    • DEFAULT_ROLE_PREFIX

      public static final String DEFAULT_ROLE_PREFIX
      The default prefix prepended to role when resolving role permissions.
      See Also:

  • Constructor Details

    • ConfigurationSourcePermissionBasedAccessController

      public ConfigurationSourcePermissionBasedAccessController(ConfigurationSource<?,?,?> configurationSource, String username)

      Creates a permission based access controller backed by a configuration source for the specified username.

      Parameters:
      configurationSource - a configuration source
      username - the username

    • ConfigurationSourcePermissionBasedAccessController

      public ConfigurationSourcePermissionBasedAccessController(ConfigurationSource<?,?,?> configurationSource, String username, Set<String> roles)

      Creates a permission based access controller backed by a configuration source for the specified username and set of roles.

      Parameters:
      configurationSource - a configuration source
      username - a username
      roles - a set of roles

    • ConfigurationSourcePermissionBasedAccessController

      public ConfigurationSourcePermissionBasedAccessController(ConfigurationSource<?,?,?> configurationSource, String username, Set<String> roles, String rolePrefix)

      Creates a permission based access controller backed by a configuration source for the specified username and set of roles.

      Parameters:
      configurationSource - a configuration source
      username - a username
      roles - a set of roles
      rolePrefix - the prefix to prepend to a role when resolving role permissions

  • Method Details