001/* 002 * Copyright 2015 DuraSpace, Inc. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016package org.fcrepo.auth.common; 017 018import java.security.Principal; 019 020import javax.jcr.Session; 021 022import org.modeshape.jcr.value.Path; 023 024/** 025 * An interface that can authorize access to specific resources within 026 * repositories. 027 * <p> 028 * An implementation has the opportunity to inspect nodes and the session, which 029 * may have additional information assigned as session attributes, such as the 030 * associated servlet request. This interface defines the Fedora-specific 031 * attributes which may be added. 032 * </p> 033 * 034 * @author Gregory Jansen 035 */ 036public interface FedoraAuthorizationDelegate { 037 038 /** 039 * The name of the session attribute containing the servlet request (an 040 * instance of javax.servlet.http.HttpServletRequest). 041 */ 042 public static final String FEDORA_SERVLET_REQUEST = 043 "fedora-servlet-request"; 044 045 /** 046 * The name of the session attribute containing an instance of Principal 047 * representing the current authenticated user. 048 */ 049 public static final String FEDORA_USER_PRINCIPAL = "fedora-user-principal"; 050 051 /** 052 * The name of the session attribute containing a set of instances of 053 * Principal, representing the current user's credentials, including the 054 * value of the FEDORA_USER_PRINCIPAL session attribute. 055 */ 056 public static final String FEDORA_ALL_PRINCIPALS = "fedora-all-principals"; 057 058 /** 059 * Determine if the supplied session has permission at absPath for all of 060 * the actions. 061 * <p> 062 * The authentication provider may have added session attributes, which can 063 * be accessed in implementations by calling session#getAttribute. If an 064 * attribute is not available in session attributes and would be required to 065 * establish that the session has permission for any action given, an 066 * implementation should usually return false. 067 * </p> 068 * <p> 069 * Note that accessing nodes using the provided session will result in 070 * additional calls to this method and thus an infinite loop. Instead, 071 * obtain a new session instance if your implementation requires access to 072 * nodes. See AbstractRolesAuthorizationDelegate for an example. 073 * </p> 074 * 075 * @param session the session 076 * @param absPath the abspath 077 * @param actions the actions 078 * @return true if the given session has permission at absPath for all of 079 * the given actions, or false otherwise 080 */ 081 boolean hasPermission(Session session, Path absPath, String[] actions); 082 083 /** 084 * The principal that this delegate uses to represent the public "EVERYONE" user. 085 * 086 * @return principal 087 */ 088 public Principal getEveryonePrincipal(); 089 090}