com.ibm.wsspi.container.security

Interface AccessManager



  • public interface AccessManager
    The AccessManager provides application security role functions.
    • Method Summary

      Methods 
      Modifier and Type Method and Description
      void checkAccess(java.lang.String appName, java.lang.String resourceName, java.lang.String methodName, java.lang.String resourceType, java.lang.String[] rolesAllowed, boolean isDenyAll, boolean isPermitAll, javax.security.auth.Subject subject)
      The checkAccess method determines if a given subject has access to any of a given set of roles within the context of a given application.
      void popApplicationContext(java.lang.String appName)
      The popApplicationContext method signals a return of control from the specified application.
      boolean pushApplicationContext(java.lang.String appName)
      The pushApplicationContext method signals a flow of control into the specified application.
      java.lang.Object runAs(java.lang.String appName, java.lang.String resourceName, java.lang.String methodName, java.lang.String runAsRole, java.security.PrivilegedExceptionAction action)
      The runAs method performs the given PrivilegedExceptionAction with the Java thread identity set to the user associated with a given runAs role.
    • Method Detail

      • pushApplicationContext

        boolean pushApplicationContext(java.lang.String appName)
        The pushApplicationContext method signals a flow of control into the specified application. This provides context for security-related processing on the current thread of execution. A subsequent call to popApplicationContext is required when the application returns control.
        Parameters:
        appName - name of the application
        Returns:
        boolean true if push was completed
      • popApplicationContext

        void popApplicationContext(java.lang.String appName)
        The popApplicationContext method signals a return of control from the specified application. This provides context for security-related processing on the current thread of execution.
        Parameters:
        appName - name of the application
        Throws:
        java.lang.IllegalArgumentException - if the application name does not match the one used on the preceding pushApplicationContext call
        EmptyStackException - if there is no active application context on the thread
      • checkAccess

        void checkAccess(java.lang.String appName,
                       java.lang.String resourceName,
                       java.lang.String methodName,
                       java.lang.String resourceType,
                       java.lang.String[] rolesAllowed,
                       boolean isDenyAll,
                       boolean isPermitAll,
                       javax.security.auth.Subject subject)
                         throws AccessException
        The checkAccess method determines if a given subject has access to any of a given set of roles within the context of a given application. The caller passes an array of role names to be checked (rolesAllowed). These roles must be a subset of the roles defined in the named application. The caller also can pass flags indicating to deny or permit access to all users (isDenyAll, isPermitAll). If either flag is true, rolesAllowed is ignored and the flags are used to determine access. If both flags are true, then isDenyAll takes precedence. The resourceName, methodName, and resourceType arguments are used when auditing is active to audit the check that was performed and its outcome.
        Parameters:
        appName - name of the application
        resourceName - name of the target object, for example a bean name
        methodName - name of the method invoked on the target object
        resourceType - identifier that describes the type of resource
        rolesAllowed - array of role names to be checked for permission
        isDenyAll - indicates whether to always deny access
        isPermitAll - indicates whether to always permit access
        subject - holds the credentials of the principal to be verified
        Throws:
        AccessException - Thrown if access is denied
      • runAs

        java.lang.Object runAs(java.lang.String appName,
                             java.lang.String resourceName,
                             java.lang.String methodName,
                             java.lang.String runAsRole,
                             java.security.PrivilegedExceptionAction action)
                               throws java.security.PrivilegedActionException,
                                      DelegationException
        The runAs method performs the given PrivilegedExceptionAction with the Java thread identity set to the user associated with a given runAs role. The caller passes an application name and a role name. The role name must be defined as a runAs role in the application. The resourceName and methodName arguments are used when auditing is active to audit the use of the runAs role.
        Parameters:
        appName - name of the application
        resourceName - name of the target object, for example a bean name
        methodName - name of the method invoked on the target object
        runAsRole - name of RunAs role
        action - the action to perform
        Returns:
        the value returned by the action's run method
        Throws:
        java.security.PrivilegedActionException - if the action's run method threw a checked exception
        DelegationException - if there is an error setting the thread identity from the runAs role
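
Added example (not part of the IBM documentation): one way a caller could combine the four methods so that every successful pushApplicationContext is matched by a popApplicationContext, and runAs is reached only after checkAccess passes. The class name GuardedInvoker, the "EJB" resource type value, and the way the AccessManager instance is obtained are assumptions.

```java
import com.ibm.wsspi.container.security.AccessManager;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;

// Hypothetical helper for illustration; not part of the WebSphere API.
public final class GuardedInvoker {
    // Supplied by the caller; how it is looked up is not covered on this page.
    private final AccessManager accessManager;

    public GuardedInvoker(AccessManager accessManager) {
        this.accessManager = accessManager;
    }

    /**
     * Checks the caller's roles, then runs the action under runAsRole.
     * Declared "throws Exception" so that AccessException, DelegationException
     * and PrivilegedActionException propagate without naming their packages.
     */
    public Object invoke(String appName, String resourceName, String methodName,
                         String[] rolesAllowed, String runAsRole, Subject caller,
                         PrivilegedExceptionAction<Object> action) throws Exception {
        // Fail closed: if the context was not pushed, do no security processing
        // and do not pop, since there is nothing of ours on the stack.
        if (!accessManager.pushApplicationContext(appName)) {
            throw new IllegalStateException("application context not pushed: " + appName);
        }
        try {
            // Both flags are false, so the decision rests on rolesAllowed alone.
            // rolesAllowed must be a subset of the roles defined in appName.
            // A denial surfaces as AccessException and skips runAs entirely.
            accessManager.checkAccess(appName, resourceName, methodName,
                    "EJB" /* assumed resourceType value */, rolesAllowed,
                    false, false, caller);
            return accessManager.runAs(appName, resourceName, methodName,
                    runAsRole, action);
        } finally {
            // Pop with the same name that was pushed, even when access is denied
            // or the action fails; a mismatched name is an IllegalArgumentException.
            accessManager.popApplicationContext(appName);
        }
    }
}
```
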
IBM WebSphere Application Server™
Release 8.5