/**
 * Copyright 2015 DuraSpace, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.fcrepo.auth.common;

import org.modeshape.jcr.value.Path;

import javax.jcr.Session;

/**
 * Contract for a component that decides whether access to a specific
 * resource within a repository is authorized.
 * <p>
 * An implementation may inspect nodes and the session. The session can carry
 * extra information as session attributes, for example the associated servlet
 * request; the Fedora-specific attribute names are declared here.
 * </p>
 * <p>
 * The decision is based on whatever these attributes contain, so they should
 * be populated only by the authentication provider.
 * </p>
 *
 * @author Gregory Jansen
 */
public interface FedoraAuthorizationDelegate {

    // Fields declared in an interface are implicitly public, static and
    // final, so the modifiers are not repeated on the constants below.

    /**
     * Session attribute name under which the servlet request is stored (an
     * instance of {@code javax.servlet.http.HttpServletRequest}).
     */
    String FEDORA_SERVLET_REQUEST = "fedora-servlet-request";

    /**
     * Session attribute name under which the {@code Principal} for the
     * current authenticated user is stored.
     */
    String FEDORA_USER_PRINCIPAL = "fedora-user-principal";

    /**
     * Session attribute name under which a set of {@code Principal}
     * instances is stored. The set represents the current user's credentials
     * and includes the value of the {@link #FEDORA_USER_PRINCIPAL} attribute.
     */
    String FEDORA_ALL_PRINCIPALS = "fedora-all-principals";

    /**
     * Decides whether the supplied session is permitted to perform every one
     * of the given actions at {@code absPath}. Permission for only some of
     * the actions is not enough for a {@code true} result.
     * <p>
     * The authentication provider may have added session attributes;
     * implementations read them through {@code session.getAttribute(...)}.
     * When an attribute that would be needed to establish permission is
     * missing, an implementation should usually return {@code false}, so
     * that absent identity information results in denial rather than access.
     * </p>
     * <p>
     * Do not access nodes through the provided session: doing so triggers
     * further calls to this method and therefore an infinite loop. If the
     * implementation needs to read nodes, obtain a new session instance
     * instead. See {@code AbstractRolesAuthorizationDelegate} for an example.
     * NOTE(review): such a session is presumably not checked by this
     * delegate, so it should be used only to read what the decision needs;
     * confirm against that class.
     * </p>
     * <p>
     * NOTE(review): this contract does not say how a {@code null} or empty
     * {@code actions} array is to be treated; implementations should handle
     * that case explicitly.
     * </p>
     *
     * @param session the session whose access is being checked
     * @param absPath the absolute path of the resource being accessed
     * @param actions the actions being requested at {@code absPath}
     * @return {@code true} if the session has permission at {@code absPath}
     *         for all of the given actions, {@code false} otherwise
     */
    boolean hasPermission(Session session, Path absPath, String[] actions);

}