Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.apache.shiro.authz; import java.io.Serializable; import java.util.Collection; /** * <code>AuthorizationInfo</code> represents a single Subject's stored authorization data (roles, permissions, etc) * used during authorization (access control) checks only. * <p/> * Roles are represented as a <code>Collection</code> of Strings * ({@link java.util.Collection Collection}<{@link String String}>), typically each element being the Role name. * <p/> * {@link Permission Permission}s are provided in two ways: * <ul> * <li>A <code>Collection</code> of Strings, where each String can usually be converted into <code>Permission</code> * objects by a <code>Realm</code>'s * {@link org.apache.shiro.authz.permission.PermissionResolver PermissionResolver}</li> * <li>A <code>Collection</code> of {@link Permission Permission} objects</li> * </ul> * Both permission collections together represent the total aggregate collection of permissions. You may use one * or both depending on your preference and needs. * <p/> * Because the act of authorization (access control) is orthogonal to authentication (log-in), this interface is * intended to represent only the account data needed by Shiro during an access control check * (role, permission, etc). Shiro also has a parallel * {@link org.apache.shiro.authc.AuthenticationInfo AuthenticationInfo} interface for use during the authentication * process that represents identity data such as principals and credentials. * <p/> * Because many if not most {@link org.apache.shiro.realm.Realm Realm}s store both sets of data for a Subject, it might be * convenient for a <code>Realm</code> implementation to utilize an implementation of the * {@link org.apache.shiro.authc.Account Account} interface instead, which is a convenience interface that combines both * <code>AuthenticationInfo</code> and <code>AuthorizationInfo</code>. Whether you choose to implement these two * interfaces separately or implement the one <code>Account</code> interface for a given <code>Realm</code> is * entirely based on your application's needs or your preferences. * * @see org.apache.shiro.authc.AuthenticationInfo AuthenticationInfo * @see org.apache.shiro.authc.Account * @since 0.9 */ public interface AuthorizationInfo extends Serializable { /** * Returns the names of all roles assigned to a corresponding Subject. * * @return the names of all roles assigned to a corresponding Subject. */ Collection<String> getRoles(); /** * Returns all string-based permissions assigned to the corresponding Subject. The permissions here plus those * returned from {@link #getObjectPermissions() getObjectPermissions()} represent the total set of permissions * assigned. The aggregate set is used to perform a permission authorization check. * <p/> * This method is a convenience mechanism that allows Realms to represent permissions as Strings if they choose. * When performing a security check, a <code>Realm</code> usually converts these strings to object * {@link Permission Permission}s via an internal * {@link org.apache.shiro.authz.permission.PermissionResolver PermissionResolver} * in order to perform the actual permission check. This is not a requirement of course, since <code>Realm</code>s * can perform security checks in whatever manner deemed necessary, but this explains the conversion mechanism that * most Shiro Realms execute for string-based permission checks. * * @return all string-based permissions assigned to the corresponding Subject. */ Collection<String> getStringPermissions(); /** * Returns all type-safe {@link Permission Permission}s assigned to the corresponding Subject. The permissions * returned from this method plus any returned from {@link #getStringPermissions() getStringPermissions()} * represent the total set of permissions. The aggregate set is used to perform a permission authorization check. * * @return all type-safe {@link Permission Permission}s assigned to the corresponding Subject. */ Collection<Permission> getObjectPermissions(); }