001/*
002 * Licensed to DuraSpace under one or more contributor license agreements.
003 * See the NOTICE file distributed with this work for additional information
004 * regarding copyright ownership.
005 *
006 * DuraSpace licenses this file to you under the Apache License,
007 * Version 2.0 (the "License"); you may not use this file except in
008 * compliance with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.fcrepo.auth.common;
019
020import java.security.Principal;
021
022import javax.jcr.Session;
023
024import org.modeshape.jcr.value.Path;
025
/**
 * Contract for components that decide whether a session may act on a
 * particular resource in a repository.
 * <p>
 * Implementations are free to look at nodes and at the session itself. The
 * session may carry extra information as session attributes (the servlet
 * request, for instance); the attribute names specific to Fedora are declared
 * here as constants.
 * </p>
 *
 * @author Gregory Jansen
 */
public interface FedoraAuthorizationDelegate {

    /**
     * Session attribute name under which the servlet request is stored. The
     * value is an instance of {@code javax.servlet.http.HttpServletRequest}.
     */
    // NOTE(review): values read from the request itself (headers, parameters)
    // originate with the client; prefer the principal attributes below for the
    // actual decision unless the deployment vouches for the request data.
    String FEDORA_SERVLET_REQUEST = "fedora-servlet-request";

    /**
     * Session attribute name under which the {@link Principal} for the
     * currently authenticated user is stored.
     */
    String FEDORA_USER_PRINCIPAL = "fedora-user-principal";

    /**
     * Session attribute name under which a set of {@link Principal} instances
     * is stored. The set represents the current user's credentials and
     * includes the value held under {@link #FEDORA_USER_PRINCIPAL}.
     */
    String FEDORA_ALL_PRINCIPALS = "fedora-all-principals";

    /**
     * Decides whether the given session is allowed to perform every one of
     * the requested actions at {@code absPath}.
     * <p>
     * Session attributes set by the authentication provider can be read in
     * an implementation with {@code session.getAttribute(...)}. When an
     * attribute that would be needed to establish permission for a requested
     * action is missing, an implementation should usually answer
     * {@code false}, i.e. deny rather than allow.
     * </p>
     * <p>
     * Do not read nodes through the supplied session: each such access calls
     * back into this method and the calls never terminate. An implementation
     * that has to inspect nodes should obtain a new session instance instead;
     * AbstractRolesAuthorizationDelegate shows one way to do so.
     * </p>
     *
     * @param session the session whose permission is being checked
     * @param absPath the absolute path the actions are requested on
     * @param actions the actions, all of which must be permitted
     * @return {@code true} only when the session has permission at
     *         {@code absPath} for all of the given actions; {@code false}
     *         otherwise
     */
    // NOTE(review): the contract does not say what a null or empty actions
    // array means. Implementations should handle it explicitly so that "all of
    // zero actions" does not become an unintended grant.
    // NOTE(review): the separate session used for node lookups presumably has
    // its own privileges; keep its use limited to reaching the decision.
    // Confirm against AbstractRolesAuthorizationDelegate.
    boolean hasPermission(Session session, Path absPath, String[] actions);

    /**
     * Returns the principal this delegate uses to stand for the public
     * "EVERYONE" user.
     *
     * @return principal
     */
    // NOTE(review): anything granted to this principal presumably applies to
    // all requesters; verify how implementations match it before relying on it.
    Principal getEveryonePrincipal();

}