/*
 * Licensed to DuraSpace under one or more contributor license agreements.
 * See the NOTICE file distributed with this work for additional information
 * regarding copyright ownership.
 *
 * DuraSpace licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except in
 * compliance with the License. You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.fcrepo.auth.common;

import java.security.Principal;

import javax.jcr.Session;

import org.modeshape.jcr.value.Path;

/**
 * Contract for components that decide whether a session may act on a
 * specific resource within a repository.
 * <p>
 * A delegate can inspect nodes and the session. The session may carry extra
 * information as session attributes, such as the associated servlet request;
 * the Fedora-specific attribute names are declared here as constants.
 * </p>
 * <p>
 * Every decision is made by {@link #hasPermission(Session, Path, String[])},
 * which is expected to answer {@code false} whenever the information needed
 * to justify a grant is missing.
 * </p>
 *
 * @author Gregory Jansen
 */
public interface FedoraAuthorizationDelegate {

    // Interface fields are implicitly public, static and final, so the
    // explicit modifiers are omitted below.

    /**
     * Session attribute name under which the servlet request (an instance of
     * {@code javax.servlet.http.HttpServletRequest}) is stored.
     * <p>
     * NOTE(review): anything read from the request itself (headers,
     * parameters) is supplied by the client unless the container or the
     * authentication provider has verified it; prefer the principal
     * attributes for identity decisions.
     * </p>
     */
    String FEDORA_SERVLET_REQUEST = "fedora-servlet-request";

    /**
     * Session attribute name under which the {@link Principal} for the
     * current authenticated user is stored.
     */
    String FEDORA_USER_PRINCIPAL = "fedora-user-principal";

    /**
     * Session attribute name under which the set of {@link Principal}
     * instances representing the current user's credentials is stored. The
     * set includes the value of the {@link #FEDORA_USER_PRINCIPAL} attribute.
     */
    String FEDORA_ALL_PRINCIPALS = "fedora-all-principals";

    /**
     * Decides whether the supplied session is permitted to perform every one
     * of the given actions at {@code absPath}.
     * <p>
     * The authentication provider may have placed attributes on the session;
     * implementations read them with {@code Session#getAttribute}. When an
     * attribute that would be needed to establish permission for any of the
     * given actions is absent, an implementation should usually return
     * {@code false}, i.e. deny rather than guess.
     * </p>
     * <p>
     * Do not read nodes through the {@code session} argument: doing so calls
     * back into this method and never terminates. An implementation that
     * needs node access must obtain a new session instance instead; see
     * {@code AbstractRolesAuthorizationDelegate} for an example.
     * NOTE(review): such a session is presumably not checked by this
     * delegate, so keep its use limited to the lookups the decision needs
     * (confirm against the implementation).
     * </p>
     *
     * @param session the session whose permission is being checked
     * @param absPath the absolute path of the resource
     * @param actions the actions, all of which must be permitted
     * @return {@code true} if the session has permission at {@code absPath}
     *         for all of the given actions, {@code false} otherwise
     */
    boolean hasPermission(Session session, Path absPath, String[] actions);

    /**
     * Returns the principal this delegate uses to represent the public
     * "EVERYONE" user.
     *
     * @return the principal standing for the public "EVERYONE" user
     */
    Principal getEveryonePrincipal();

}