Google Git
Sign in
apache / shiro-site / 01016f43374d9b054f3ea1e568b015d5d69428f9 / . / src / site / assets / static / 1.8.0 / xref / org / apache / shiro / authz / Permission.html
blob: 345b50e60efb22d72dc2cd5ee07d364692e82287 [file] [log] [blame]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Permission xref</title>
<link type="text/css" rel="stylesheet" href="../../../../stylesheet.css" />
</head>
<body>
<div id="overview"><a href="../../../../../apidocs/org/apache/shiro/authz/Permission.html">View Javadoc</a></div><pre>
<a class="jxr_linenumber" name="L1" href="#L1">1</a> <em class="jxr_comment">/*</em>
<a class="jxr_linenumber" name="L2" href="#L2">2</a> <em class="jxr_comment"> * Licensed to the Apache Software Foundation (ASF) under one</em>
<a class="jxr_linenumber" name="L3" href="#L3">3</a> <em class="jxr_comment"> * or more contributor license agreements. See the NOTICE file</em>
<a class="jxr_linenumber" name="L4" href="#L4">4</a> <em class="jxr_comment"> * distributed with this work for additional information</em>
<a class="jxr_linenumber" name="L5" href="#L5">5</a> <em class="jxr_comment"> * regarding copyright ownership. The ASF licenses this file</em>
<a class="jxr_linenumber" name="L6" href="#L6">6</a> <em class="jxr_comment"> * to you under the Apache License, Version 2.0 (the</em>
<a class="jxr_linenumber" name="L7" href="#L7">7</a> <em class="jxr_comment"> * "License"); you may not use this file except in compliance</em>
<a class="jxr_linenumber" name="L8" href="#L8">8</a> <em class="jxr_comment"> * with the License. You may obtain a copy of the License at</em>
<a class="jxr_linenumber" name="L9" href="#L9">9</a> <em class="jxr_comment"> *</em>
<a class="jxr_linenumber" name="L10" href="#L10">10</a> <em class="jxr_comment"> * <a href="http://www.apache.org/licenses/LICENSE-2.0" target="alexandria_uri">http://www.apache.org/licenses/LICENSE-2.0</a></em>
<a class="jxr_linenumber" name="L11" href="#L11">11</a> <em class="jxr_comment"> *</em>
<a class="jxr_linenumber" name="L12" href="#L12">12</a> <em class="jxr_comment"> * Unless required by applicable law or agreed to in writing,</em>
<a class="jxr_linenumber" name="L13" href="#L13">13</a> <em class="jxr_comment"> * software distributed under the License is distributed on an</em>
<a class="jxr_linenumber" name="L14" href="#L14">14</a> <em class="jxr_comment"> * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY</em>
<a class="jxr_linenumber" name="L15" href="#L15">15</a> <em class="jxr_comment"> * KIND, either express or implied. See the License for the</em>
<a class="jxr_linenumber" name="L16" href="#L16">16</a> <em class="jxr_comment"> * specific language governing permissions and limitations</em>
<a class="jxr_linenumber" name="L17" href="#L17">17</a> <em class="jxr_comment"> * under the License.</em>
<a class="jxr_linenumber" name="L18" href="#L18">18</a> <em class="jxr_comment"> */</em>
<a class="jxr_linenumber" name="L19" href="#L19">19</a> <strong class="jxr_keyword">package</strong> org.apache.shiro.authz;
<a class="jxr_linenumber" name="L20" href="#L20">20</a>
<a class="jxr_linenumber" name="L21" href="#L21">21</a> <em class="jxr_javadoccomment">/**</em>
<a class="jxr_linenumber" name="L22" href="#L22">22</a> <em class="jxr_javadoccomment"> * A Permission represents the ability to perform an action or access a resource. A Permission is the most</em>
<a class="jxr_linenumber" name="L23" href="#L23">23</a> <em class="jxr_javadoccomment"> * granular, or atomic, unit in a system's security policy and is the cornerstone upon which fine-grained security</em>
<a class="jxr_linenumber" name="L24" href="#L24">24</a> <em class="jxr_javadoccomment"> * models are built.</em>
<a class="jxr_linenumber" name="L25" href="#L25">25</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L26" href="#L26">26</a> <em class="jxr_javadoccomment"> * It is important to understand a Permission instance only represents functionality or access - it does not grant it.</em>
<a class="jxr_linenumber" name="L27" href="#L27">27</a> <em class="jxr_javadoccomment"> * Granting access to an application functionality or a particular resource is done by the application's security</em>
<a class="jxr_linenumber" name="L28" href="#L28">28</a> <em class="jxr_javadoccomment"> * configuration, typically by assigning Permissions to users, roles and/or groups.</em>
<a class="jxr_linenumber" name="L29" href="#L29">29</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L30" href="#L30">30</a> <em class="jxr_javadoccomment"> * Most typical systems are what the Shiro team calls &lt;em&gt;role-based&lt;/em&gt; in nature, where a role represents</em>
<a class="jxr_linenumber" name="L31" href="#L31">31</a> <em class="jxr_javadoccomment"> * common behavior for certain user types. For example, a system might have an &lt;em&gt;Administrator&lt;/em&gt; role, a</em>
<a class="jxr_linenumber" name="L32" href="#L32">32</a> <em class="jxr_javadoccomment"> * &lt;em&gt;User&lt;/em&gt; or &lt;em&gt;Guest&lt;/em&gt; roles, etc.</em>
<a class="jxr_linenumber" name="L33" href="#L33">33</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L34" href="#L34">34</a> <em class="jxr_javadoccomment"> * But if you have a dynamic security model, where roles can be created and deleted at runtime, you can't hard-code</em>
<a class="jxr_linenumber" name="L35" href="#L35">35</a> <em class="jxr_javadoccomment"> * role names in your code. In this environment, roles themselves aren't very useful. What matters is what</em>
<a class="jxr_linenumber" name="L36" href="#L36">36</a> <em class="jxr_javadoccomment"> * &lt;em&gt;permissions&lt;/em&gt; are assigned to these roles.</em>
<a class="jxr_linenumber" name="L37" href="#L37">37</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L38" href="#L38">38</a> <em class="jxr_javadoccomment"> * Under this paradigm, permissions are immutable and reflect an application's raw functionality</em>
<a class="jxr_linenumber" name="L39" href="#L39">39</a> <em class="jxr_javadoccomment"> * (opening files, accessing a web URL, creating users, etc). This is what allows a system's security policy</em>
<a class="jxr_linenumber" name="L40" href="#L40">40</a> <em class="jxr_javadoccomment"> * to be dynamic: because Permissions represent raw functionality and only change when the application's</em>
<a class="jxr_linenumber" name="L41" href="#L41">41</a> <em class="jxr_javadoccomment"> * source code changes, they are immutable at runtime - they represent 'what' the system can do. Roles, users, and</em>
<a class="jxr_linenumber" name="L42" href="#L42">42</a> <em class="jxr_javadoccomment"> * groups are the 'who' of the application. Determining 'who' can do 'what' then becomes a simple exercise of</em>
<a class="jxr_linenumber" name="L43" href="#L43">43</a> <em class="jxr_javadoccomment"> * associating Permissions to roles, users, and groups in some way.</em>
<a class="jxr_linenumber" name="L44" href="#L44">44</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L45" href="#L45">45</a> <em class="jxr_javadoccomment"> * Most applications do this by associating a named role with permissions (i.e. a role 'has a' collection of</em>
<a class="jxr_linenumber" name="L46" href="#L46">46</a> <em class="jxr_javadoccomment"> * Permissions) and then associate users with roles (i.e. a user 'has a' collection of roles) so that by transitive</em>
<a class="jxr_linenumber" name="L47" href="#L47">47</a> <em class="jxr_javadoccomment"> * association, the user 'has' the permissions in their roles. There are numerous variations on this theme</em>
<a class="jxr_linenumber" name="L48" href="#L48">48</a> <em class="jxr_javadoccomment"> * (permissions assigned directly to users, or assigned to groups, and users added to groups and these groups in turn</em>
<a class="jxr_linenumber" name="L49" href="#L49">49</a> <em class="jxr_javadoccomment"> * have roles, etc, etc). When employing a permission-based security model instead of a role-based one, users, roles,</em>
<a class="jxr_linenumber" name="L50" href="#L50">50</a> <em class="jxr_javadoccomment"> * and groups can all be created, configured and/or deleted at runtime. This enables an extremely powerful security</em>
<a class="jxr_linenumber" name="L51" href="#L51">51</a> <em class="jxr_javadoccomment"> * model.</em>
<a class="jxr_linenumber" name="L52" href="#L52">52</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L53" href="#L53">53</a> <em class="jxr_javadoccomment"> * A benefit to Shiro is that, although it assumes most systems are based on these types of static role or</em>
<a class="jxr_linenumber" name="L54" href="#L54">54</a> <em class="jxr_javadoccomment"> * dynamic role w/ permission schemes, it does not require a system to model their security data this way - all</em>
<a class="jxr_linenumber" name="L55" href="#L55">55</a> <em class="jxr_javadoccomment"> * Permission checks are relegated to {@link org.apache.shiro.realm.Realm} implementations, and only those</em>
<a class="jxr_linenumber" name="L56" href="#L56">56</a> <em class="jxr_javadoccomment"> * implementations really determine how a user 'has' a permission or not. The Realm could use the semantics described</em>
<a class="jxr_linenumber" name="L57" href="#L57">57</a> <em class="jxr_javadoccomment"> * here, or it could utilize some other mechanism entirely - it is always up to the application developer.</em>
<a class="jxr_linenumber" name="L58" href="#L58">58</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L59" href="#L59">59</a> <em class="jxr_javadoccomment"> * Shiro provides a very powerful default implementation of this interface in the form of the</em>
<a class="jxr_linenumber" name="L60" href="#L60">60</a> <em class="jxr_javadoccomment"> * {@link org.apache.shiro.authz.permission.WildcardPermission WildcardPermission}. We highly recommend that you</em>
<a class="jxr_linenumber" name="L61" href="#L61">61</a> <em class="jxr_javadoccomment"> * investigate this class before trying to implement your own &lt;code&gt;Permission&lt;/code&gt;s.</em>
<a class="jxr_linenumber" name="L62" href="#L62">62</a> <em class="jxr_javadoccomment"> *</em>
<a class="jxr_linenumber" name="L63" href="#L63">63</a> <em class="jxr_javadoccomment"> * @see org.apache.shiro.authz.permission.WildcardPermission WildcardPermission</em>
<a class="jxr_linenumber" name="L64" href="#L64">64</a> <em class="jxr_javadoccomment"> * @since 0.2</em>
<a class="jxr_linenumber" name="L65" href="#L65">65</a> <em class="jxr_javadoccomment"> */</em>
<a class="jxr_linenumber" name="L66" href="#L66">66</a> <strong class="jxr_keyword">public</strong> <strong class="jxr_keyword">interface</strong> <a name="Permission" href="../../../../org/apache/shiro/authz/Permission.html#Permission">Permission</a> {
<a class="jxr_linenumber" name="L67" href="#L67">67</a>
<a class="jxr_linenumber" name="L68" href="#L68">68</a> <em class="jxr_javadoccomment">/**</em>
<a class="jxr_linenumber" name="L69" href="#L69">69</a> <em class="jxr_javadoccomment"> * Returns {@code true} if this current instance &lt;em&gt;implies&lt;/em&gt; all the functionality and/or resource access</em>
<a class="jxr_linenumber" name="L70" href="#L70">70</a> <em class="jxr_javadoccomment"> * described by the specified {@code Permission} argument, {@code false} otherwise.</em>
<a class="jxr_linenumber" name="L71" href="#L71">71</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L72" href="#L72">72</a> <em class="jxr_javadoccomment"> * &lt;p&gt;That is, this current instance must be exactly equal to or a &lt;em&gt;superset&lt;/em&gt; of the functionality</em>
<a class="jxr_linenumber" name="L73" href="#L73">73</a> <em class="jxr_javadoccomment"> * and/or resource access described by the given {@code Permission} argument. Yet another way of saying this</em>
<a class="jxr_linenumber" name="L74" href="#L74">74</a> <em class="jxr_javadoccomment"> * would be:</em>
<a class="jxr_linenumber" name="L75" href="#L75">75</a> <em class="jxr_javadoccomment"> * &lt;p/&gt;</em>
<a class="jxr_linenumber" name="L76" href="#L76">76</a> <em class="jxr_javadoccomment"> * &lt;p&gt;If &amp;quot;permission1 implies permission2&amp;quot;, i.e. &lt;code&gt;permission1.implies(permission2)&lt;/code&gt; ,</em>
<a class="jxr_linenumber" name="L77" href="#L77">77</a> <em class="jxr_javadoccomment"> * then any Subject granted {@code permission1} would have ability greater than or equal to that defined by</em>
<a class="jxr_linenumber" name="L78" href="#L78">78</a> <em class="jxr_javadoccomment"> * {@code permission2}.</em>
<a class="jxr_linenumber" name="L79" href="#L79">79</a> <em class="jxr_javadoccomment"> *</em>
<a class="jxr_linenumber" name="L80" href="#L80">80</a> <em class="jxr_javadoccomment"> * @param p the permission to check for behavior/functionality comparison.</em>
<a class="jxr_linenumber" name="L81" href="#L81">81</a> <em class="jxr_javadoccomment"> * @return {@code true} if this current instance &lt;em&gt;implies&lt;/em&gt; all the functionality and/or resource access</em>
<a class="jxr_linenumber" name="L82" href="#L82">82</a> <em class="jxr_javadoccomment"> * described by the specified {@code Permission} argument, {@code false} otherwise.</em>
<a class="jxr_linenumber" name="L83" href="#L83">83</a> <em class="jxr_javadoccomment"> */</em>
<a class="jxr_linenumber" name="L84" href="#L84">84</a> <strong class="jxr_keyword">boolean</strong> implies(<a name="Permission" href="../../../../org/apache/shiro/authz/Permission.html#Permission">Permission</a> p);
<a class="jxr_linenumber" name="L85" href="#L85">85</a> }
</pre>
<hr/>
<div id="footer">Copyright &#169; 2004&#x2013;2021 <a href="https://www.apache.org/">The Apache Software Foundation</a>. All rights reserved.</div>
</body>
</html>