/**
 * Copyright 2015 DuraSpace, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
016package org.fcrepo.auth.common;
017
018import org.modeshape.jcr.value.Path;
019
020import javax.jcr.Session;
021
/**
 * Contract for components that decide whether a session may act on a
 * particular resource inside a repository.
 * <p>
 * Implementations may look at nodes and at the session. The session can carry
 * extra information as session attributes (for example the servlet request
 * that triggered the call); the Fedora-specific attribute names are declared
 * here as constants.
 * </p>
 * <p>
 * Security note: the attributes are described as being added by the
 * authentication provider, so a decision based on them is only as reliable as
 * that provider. The servlet request in particular also carries
 * client-supplied values; this interface does not state which of them have
 * been verified.
 * </p>
 *
 * @author Gregory Jansen
 */
public interface FedoraAuthorizationDelegate {

    /**
     * Key of the session attribute that holds the servlet request, an
     * instance of {@code javax.servlet.http.HttpServletRequest}.
     */
    String FEDORA_SERVLET_REQUEST = "fedora-servlet-request";

    /**
     * Key of the session attribute that holds the {@code Principal} for the
     * currently authenticated user.
     */
    String FEDORA_USER_PRINCIPAL = "fedora-user-principal";

    /**
     * Key of the session attribute that holds a set of {@code Principal}
     * instances representing the current user's credentials. The set includes
     * the value stored under {@link #FEDORA_USER_PRINCIPAL}.
     */
    String FEDORA_ALL_PRINCIPALS = "fedora-all-principals";

    /**
     * Decides whether the given session is permitted to perform every one of
     * the requested actions at {@code absPath}.
     * <p>
     * Session attributes added by the authentication provider can be read
     * with {@code session#getAttribute}. Deny by default: when an attribute
     * that would be needed to establish permission for any of the given
     * actions is missing from the session, an implementation should usually
     * return {@code false} rather than grant access.
     * </p>
     * <p>
     * Re-entrancy hazard: reading nodes through the supplied session causes
     * further calls to this method and therefore an infinite loop. An
     * implementation that needs node access should obtain a new session
     * instance instead; {@code AbstractRolesAuthorizationDelegate} shows one
     * way to do that.
     * </p>
     * <p>
     * NOTE(review): the contract does not say how a {@code null} or empty
     * {@code actions} array is to be treated; implementers should settle and
     * document that case.
     * </p>
     *
     * @param session the session whose permission is being checked
     * @param absPath the absolute path of the resource
     * @param actions the actions that must all be permitted
     * @return {@code true} only if the session has permission at
     *         {@code absPath} for all of the given actions; {@code false}
     *         otherwise
     */
    boolean hasPermission(Session session, Path absPath, String[] actions);

}