org.apache.wicket.authorization.IAuthorizationStrategy.java Source code

Java tutorial

  1. HOME
  2. Java
  3. org.apache.wicket.authorization.IAuthorizationStrategy.java

Introduction

Here is the source code for org.apache.wicket.authorization.IAuthorizationStrategy.java

Source

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.wicket.authorization;

import org.apache.wicket.Component;
import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.request.resource.IResource;

/**
 * Authorization strategies specify aspect-like constraints on significant actions taken by the
 * framework in a given application. These constraints are guaranteed by the framework to be applied
 * consistently throughout. Violations will result in a security action directed by the strategy,
 * such as the throwing of an AuthorizationException or the filtering out of security-sensitive
 * information.
 * 
 * @author Eelco Hillenius
 * @author Jonathan Locke
 * @since Wicket 1.2
 */
public interface IAuthorizationStrategy {
    class AllowAllAuthorizationStrategy implements IAuthorizationStrategy {
        /**
         * @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
         */
        @Override
        public <T extends IRequestableComponent> boolean isInstantiationAuthorized(final Class<T> c) {
            return true;
        }

        /**
         * @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
         *      org.apache.wicket.authorization.Action)
         */
        @Override
        public boolean isActionAuthorized(Component c, Action action) {
            return true;
        }

        @Override
        public boolean isResourceAuthorized(IResource resource, PageParameters pageParameters) {
            return true;
        }
    }

    /**
     * Implementation of {@link IAuthorizationStrategy} that allows everything.
     */
    IAuthorizationStrategy ALLOW_ALL = new AllowAllAuthorizationStrategy();

    /**
     * Checks whether an instance of the given component class may be created. If this method
     * returns false, the {@link IUnauthorizedComponentInstantiationListener} that is configured in
     * the {@link org.apache.wicket.settings.SecuritySettings security settings} will be called. The default implementation of
     * that listener throws a {@link UnauthorizedInstantiationException}.
     * <p>
     * If you wish to implement a strategy that authenticates users which cannot access a given Page
     * (or other Component), you can simply throw a
     * {@link org.apache.wicket.RestartResponseAtInterceptPageException} in your implementation of
     * this method.
     * 
     * @param <T>
     * 
     * @param componentClass
     *            The component class to check
     * @return Whether the given component may be created
     */
    <T extends IRequestableComponent> boolean isInstantiationAuthorized(Class<T> componentClass);

    /**
     * Gets whether the given action is permitted. If it is, this method should return true. If it
     * isn't, this method should either return false or - in case of a serious breach - throw a
     * security exception. Returning is generally preferable over throwing an exception as that
     * doesn't break the normal flow.
     * 
     * @param component
     *            The component to be acted upon
     * @param action
     *            The action to authorize on the component
     * @return Whether the given action may be taken on the given component
     * @throws AuthorizationException
     *             Can be thrown by implementation if action is unauthorized
     * @see Component#ENABLE
     * @see Component#RENDER
     */
    boolean isActionAuthorized(Component component, Action action);

    /**
     * Checks whether a request with some parameters is allowed to a resource.
     *
     * @param resource
     *            The resource that should be processed
     * @param parameters
     *            The request parameters
     * @return {@code true} if the request to this resource is allowed.
     */
    boolean isResourceAuthorized(IResource resource, PageParameters parameters);
}