1 /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2 *
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 package org.acegisecurity.acls;
16
17 import org.acegisecurity.acls.objectidentity.ObjectIdentity;
18 import org.acegisecurity.acls.sid.Sid;
19
20 import java.io.Serializable;
21
22
23 /**
24 * Represents an access control list (ACL) for a domain object.
25 *
26 * <p>
27 * An <code>Acl</code> represents all ACL entries for a given domain object. In
28 * order to avoid needing references to the domain object itself, this
29 * interface handles indirection between a domain object and an ACL object
30 * identity via the {@link
31 * org.acegisecurity.acls.objectidentity.ObjectIdentity} interface.
32 * </p>
33 *
34 * <p>
35 * An implementation represents the {@link org.acegisecurity.acls.Permission}
36 * list applicable for some or all {@link org.acegisecurity.acls.sid.Sid}
37 * instances.
38 * </p>
39 *
40 * @author Ben Alex
41 * @version $Id: Acl.java 1784 2007-02-24 21:00:24Z luke_t $
42 */
43 public interface Acl extends Serializable {
44 //~ Methods ========================================================================================================
45
46 /**
47 * Returns all of the entries represented by the present <code>Acl</code> (not parents).<p>This method is
48 * typically used for administrative purposes.</p>
49 * <p>The order that entries appear in the array is unspecified. However, if implementations use
50 * particular ordering logic in authorization decisions, the entries returned by this method <em>MUST</em> be
51 * ordered in that manner.</p>
52 * <p>Do <em>NOT</em> use this method for making authorization decisions. Instead use {@link
53 * #isGranted(Permission[], Sid[], boolean)}.</p>
54 * <p>This method must operate correctly even if the <code>Acl</code> only represents a subset of
55 * <code>Sid</code>s. The caller is responsible for correctly handling the result if only a subset of
56 * <code>Sid</code>s is represented.</p>
57 *
58 * @return the list of entries represented by the <code>Acl</code>
59 */
60 AccessControlEntry[] getEntries();
61
62 /**
63 * Obtains the domain object this <code>Acl</code> provides entries for. This is immutable once an
64 * <code>Acl</code> is created.
65 *
66 * @return the object identity
67 */
68 ObjectIdentity getObjectIdentity();
69
70 /**
71 * Determines the owner of the <code>Acl</code>. The meaning of ownership varies by implementation and is
72 * unspecified.
73 *
74 * @return the owner (may be null if the implementation does not use ownership concepts)
75 */
76 Sid getOwner();
77
78 /**
79 * A domain object may have a parent for the purpose of ACL inheritance. If there is a parent, its ACL can
80 * be accessed via this method. In turn, the parent's parent (grandparent) can be accessed and so on.<p>This
81 * method solely represents the presence of a navigation hierarchy between the parent <code>Acl</code> and this
82 * <code>Acl</code>. For actual inheritance to take place, the {@link #isEntriesInheriting()} must also be
83 * <code>true</code>.</p>
84 * <p>This method must operate correctly even if the <code>Acl</code> only represents a subset of
85 * <code>Sid</code>s. The caller is responsible for correctly handling the result if only a subset of
86 * <code>Sid</code>s is represented.</p>
87 *
88 * @return the parent <code>Acl</code>
89 */
90 Acl getParentAcl();
91
92 /**
93 * Indicates whether the ACL entries from the {@link #getParentAcl()} should flow down into the current
94 * <code>Acl</code>.<p>The mere link between an <code>Acl</code> and a parent <code>Acl</code> on its own
95 * is insufficient to cause ACL entries to inherit down. This is because a domain object may wish to have entirely
96 * independent entries, but maintain the link with the parent for navigation purposes. Thus, this method denotes
97 * whether or not the navigation relationship also extends to the actual inheritence of entries.</p>
98 *
99 * @return <code>true</code> if parent ACL entries inherit into the current <code>Acl</code>
100 */
101 boolean isEntriesInheriting();
102
103 /**
104 * This is the actual authorization logic method, and must be used whenever ACL authorization decisions are
105 * required.<p>An array of <code>Sid</code>s are presented, representing security identifies of the current
106 * principal. In addition, an array of <code>Permission</code>s is presented which will have one or more bits set
107 * in order to indicate the permissions needed for an affirmative authorization decision. An array is presented
108 * because holding <em>any</em> of the <code>Permission</code>s inside the array will be sufficient for an
109 * affirmative authorization.</p>
110 * <p>The actual approach used to make authorization decisions is left to the implementation and is not
111 * specified by this interface. For example, an implementation <em>MAY</em> search the current ACL in the order
112 * the ACL entries have been stored. If a single entry is found that has the same active bits as are shown in a
113 * passed <code>Permission</code>, that entry's grant or deny state may determine the authorization decision. If
114 * the case of a deny state, the deny decision will only be relevant if all other <code>Permission</code>s passed
115 * in the array have also been unsuccessfully searched. If no entry is found that match the bits in the current
116 * ACL, provided that {@link #isEntriesInheriting()} is <code>true</code>, the authorization decision may be
117 * passed to the parent ACL. If there is no matching entry, the implementation MAY throw an exception, or make a
118 * predefined authorization decision.</p>
119 * <p>This method must operate correctly even if the <code>Acl</code> only represents a subset of
120 * <code>Sid</code>s.</p>
121 *
122 * @param permission the permission or permissions required
123 * @param sids the security identities held by the principal
124 * @param administrativeMode if <code>true</code> denotes the query is for administrative purposes and no logging
125 * or auditing (if supported by the implementation) should be undertaken
126 *
127 * @return <code>true</code> is authorization is granted
128 *
129 * @throws NotFoundException MUST be thrown if an implementation cannot make an authoritative authorization
130 * decision, usually because there is no ACL information for this particular permission and/or SID
131 * @throws UnloadedSidException thrown if the <code>Acl</code> does not have details for one or more of the
132 * <code>Sid</code>s passed as arguments
133 */
134 boolean isGranted(Permission[] permission, Sid[] sids, boolean administrativeMode)
135 throws NotFoundException, UnloadedSidException;
136
137 /**
138 * For efficiency reasons an <code>Acl</code> may be loaded and <em>not</em> contain entries for every
139 * <code>Sid</code> in the system. If an <code>Acl</code> has been loaded and does not represent every
140 * <code>Sid</code>, all methods of the <code>Sid</code> can only be used within the limited scope of the
141 * <code>Sid</code> instances it actually represents.
142 * <p>
143 * It is normal to load an <code>Acl</code> for only particular <code>Sid</code>s if read-only authorization
144 * decisions are being made. However, if user interface reporting or modification of <code>Acl</code>s are
145 * desired, an <code>Acl</code> should be loaded with all <code>Sid</code>s. This method denotes whether or
146 * not the specified <code>Sid</code>s have been loaded or not.
147 * </p>
148 *
149 * @param sids one or more security identities the caller is interest in knowing whether this <code>Sid</code>
150 * supports
151 *
152 * @return <code>true</code> if every passed <code>Sid</code> is represented by this <code>Acl</code> instance
153 */
154 boolean isSidLoaded(Sid[] sids);
155 }