The security package provides facilities for invocation-level ACLs.
Interface Summary | |
Actor | |
ActorFilter | Used to match an Actor |
Rule | Represents a security constraint |
Class Summary | |
InvocationContext | Invocation information used by Rule to determine if an invocation should be allowed by a given actor. |
Rules | Convenience class providing factory methods for typical rules. |
SecurityBroker | SecurityBroker is used to add thread constrained actor information to |
SecurityInterceptor | Interceptor which tests security constraints specified in a SecurityBroker and provides the Actor to the object being intercepted if it provides a setActor(Actor) method. |
Error Summary | |
AccessError |
The security package provides facilities for invocation-level ACLs. The access controls are managed by the SecurityBroker, which can build a list of Rule instances embodying security rules.
Rules are executed in the order they are specified -- there is presently no mechanism for rule chains a la ipchains/iptables, but that may be coming if anyone wants it ;-)
There are two levels of filtering for this interceptor. The first, coarse-grained, is done when the SecurityInterceptor is added to the InterceptionBroker. This is used to filter which method invocations are actually tested. The second level is done at invocation time and handled by the SecurityBroker, where the actual rules are individually tested in order.
Common usage requires that the Actor be set on the SecurityBroker before any interception takes place. The actor is held in a ThreadLocal under the assumption that only one actor is operating per thread. If this requirement doesn't work for you, let us know and we can change it, no problem. This is just the easiest approach, and in constrained environments where thread-local variables cannot be trusted it may fall apart.
A sample usage is to store the actor in a servlet session and set it prior to executing an intercepted Command. I'll try to get a sample app up as soon as someone requests one ;-)
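The thread-local actor pattern described above, as an added example that is not code from this package. It shows why the actor must be cleared after each invocation when worker threads are pooled, as in a servlet container. `ActorScopeDemo`, `ACTOR`, `RULES`, `invoke` and `runAs` are hypothetical stand-ins for the package's classes, and the rule semantics (the first rule that rejects denies the call) are an assumption.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.function.BiPredicate;

// Hypothetical stand-ins, NOT the package's real classes or signatures.
public class ActorScopeDemo {
    // One actor per thread, as the package description assumes.
    static final ThreadLocal<String> ACTOR = new ThreadLocal<>();

    // Assumed semantics: rules are tested in order; the first one that rejects denies the call.
    static final List<BiPredicate<String, String>> RULES = Arrays.asList(
        (actor, method) -> actor != null,  // rule 0: an actor must be bound
        (actor, method) -> !method.startsWith("delete") || "admin".equals(actor)); // rule 1

    // Stand-in for the invocation-time check done before an intercepted call.
    static String invoke(String method) {
        String actor = ACTOR.get();
        for (int i = 0; i < RULES.size(); i++)
            if (!RULES.get(i).test(actor, method))
                return "DENY " + method + " actor=" + actor + " (rule " + i + ")";
        return "ALLOW " + method + " actor=" + actor;
    }

    // Safe pattern: bind the actor (e.g. read from the servlet session), always clear it.
    static String runAs(String actor, String method) {
        ACTOR.set(actor);
        try { return invoke(method); }
        finally { ACTOR.remove(); }
    }

    public static void main(String[] args) throws Exception {
        // A single reused worker thread models a container's thread pool.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        // Unsafe: request 1 binds the actor and never clears it.
        System.out.println(pool.submit(() -> { ACTOR.set("admin"); return invoke("deleteUser"); }).get());
        // Request 2 binds no actor but runs on the same pooled thread.
        System.out.println(pool.submit(() -> invoke("deleteUser")).get());
        pool.submit(() -> ACTOR.remove()).get(); // reset before the safe run
        // Safe: the same two requests, with the actor scoped by runAs.
        System.out.println(pool.submit(() -> runAs("admin", "deleteUser")).get());
        System.out.println(pool.submit(() -> invoke("deleteUser")).get());
        // An actor that rule 1 does not permit to call delete* methods.
        System.out.println(pool.submit(() -> runAs("guest", "deleteUser")).get());
        pool.shutdown();
    }
}
```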
In addition to any rules in the SecurityBroker, the information on the actor is made available via type 2 IoC (setter injection) to intercepted objects.