Following up to the recent outline of object permissions, I'd like to continue with a description of the permission management API.

At the centre of this API is the PermissionManager bean. This bean provides all of the operations required to grant, deny and query object permissions. Here's a description of the methods:

List<Permission> listPermissions(Object resource, String operation)

Returns a List of all the Permissions that have been granted for the specified resource and operation.

List<Permission> listPermissions(Object resource)

Returns a List of all the Permissions that have been granted for the specified resource.

boolean grantPermission(Permission permission)

Grants the specified permission, returns true if successful.

boolean grantPermissions(List<Permission> permissions)

Grants all the permissions contained in the specified List, returns true if successful.

boolean revokePermission(Permission permission)

Revokes the specified permission, returns true if successful.

boolean revokePermissions(List<Permission> permissions)

Revokes the specified permissions, returns true if successful.

List<String> listAvailableOperations(Object resource)

Returns a list containing all the known allowed operations for the specified resource.

Each of these methods in turn will invoke a permission check to ensure that the current user has permission to invoke that particular permission management operation.

Behind the scenes, the PermissionManager uses a PermissionStore to do the actual work. The PermissionStore interface is practically identical to the PermissionManager interface; in fact, we can possibly just have it extend it. DeltaSpike should provide one PermissionStore implementation out of the box, JpaPermissionStore, which allows the user to store their permissions in a database table. We can use annotations to configure the entity that is used to store permissions:


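import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

// The @Permission* annotations mark which field holds each part of a stored permission.
@Entity
public class ObjectPermission
{
    @Id @GeneratedValue private Long permissionId; // primary key, required by JPA
    @PermissionRecipient private String recipient;
    @PermissionResourceIdentifier private String resourceId;
    @PermissionOperation private String operation;
    @PermissionDiscriminator private String discriminator;
}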

It should also be possible to use multiple tables to store permissions. Take for example the use case where a user might wish to query a table based on assigned permissions:

-- Customers that have a permission row whose operation list includes READ
SELECT
  C.*
FROM
  CUSTOMER C,
  CUSTOMER_PERMISSION CP
WHERE
  C.CUSTOMER_ID = CP.CUSTOMER_ID
  AND CP.OPERATION LIKE '%READ%';
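
The check-before-delegate behaviour described above (each PermissionManager method verifies the caller before the PermissionStore does the work), as an added example that is not part of the original post or of DeltaSpike's code. The Permission record, the in-memory store, the string resource ids and the MANAGE_PERMISSIONS operation name are assumptions made for illustration.

```java
import java.util.*;

public class PermissionManagerSketch {
    // Hypothetical permission shape; fields mirror the entity annotations in the post.
    record Permission(String resourceId, String operation, String recipient) {}

    // Hypothetical stand-in for a PermissionStore (the post proposes a JPA-backed one).
    static class InMemoryPermissionStore {
        private final Set<Permission> granted = new HashSet<>();
        boolean grantPermission(Permission p) { return granted.add(p); }
        boolean revokePermission(Permission p) { return granted.remove(p); }
        boolean isGranted(Permission p) { return granted.contains(p); }
    }

    static class PermissionManager {
        static final String MANAGE = "MANAGE_PERMISSIONS"; // assumed operation name
        private final InMemoryPermissionStore store;
        private final String currentUser;

        PermissionManager(InMemoryPermissionStore store, String currentUser) {
            this.store = store;
            this.currentUser = currentUser;
        }

        // Fail closed: nothing reaches the store unless the caller may manage this resource.
        private void checkMayManage(String resourceId) {
            if (!store.isGranted(new Permission(resourceId, MANAGE, currentUser)))
                throw new SecurityException(currentUser + " may not manage permissions on " + resourceId);
        }

        boolean grantPermission(Permission p) { checkMayManage(p.resourceId()); return store.grantPermission(p); }
        boolean revokePermission(Permission p) { checkMayManage(p.resourceId()); return store.revokePermission(p); }
    }

    public static void main(String[] args) {
        InMemoryPermissionStore store = new InMemoryPermissionStore();
        // Constructed sample data: alice is bootstrapped as the manager of customer:42.
        store.grantPermission(new Permission("customer:42", PermissionManager.MANAGE, "alice"));
        PermissionManager asAlice = new PermissionManager(store, "alice");
        System.out.println("alice grants READ to bob: "
            + asAlice.grantPermission(new Permission("customer:42", "READ", "bob")));
        // Holding READ does not let bob grant himself further operations.
        PermissionManager asBob = new PermissionManager(store, "bob");
        try {
            asBob.grantPermission(new Permission("customer:42", "UPDATE", "bob"));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```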
