Interface Authorizer
- All Known Implementing Classes:
GrantAuthorizer
public interface Authorizer
Authorizer
s authorize operations
on channels
.
Authorizers can be added to
and
ConfigurableServerChannel.removeAuthorizer(Authorizer)
removed from} channels, even wildcard
channels.
Authorizer
s work together with the SecurityPolicy
to determine if a
channel creation
, a channel subscribe
or a
publish operation
may succeed.
For an operation on a channel, the authorizers on the wildcard channels that match the channel and the authorizers on the channel itself (together known at the authorizers set for that channel) will be consulted to check if the the operation is granted, denied or ignored.
The list of wildcard channels that match the channel is obtained from ChannelId.getWilds()
.
The following is the authorization algorithm:
- If there is a security policy, and the security policy denies the request, then the request is denied.
- Otherwise, if the authorizers set is empty, the request is granted.
- Otherwise, if no authorizer explicitly grants the operation, the request is denied.
- Otherwise, if at least one authorizer explicitly grants the operation, and no authorizer explicitly denies the operation, the request is granted.
- Otherwise, if one authorizer explicitly denies the operation, remaining authorizers are not consulted, and the request is denied.
The order in which the authorizers are checked is not important.
Typically, authorizers are setup during the configuration of a channel:
BayeuxServer bayeuxServer = ...; bayeuxServer.createIfAbsent("/television/cnn", new ConfigurableServerChannel.Initializer() { public void configureChannel(ConfigurableServerChannel channel) { // Grant subscribe to all channel.addAuthorizer(GrantAuthorizer.GRANT_SUBSCRIBE); // Grant publishes only to CNN employees channel.addAuthorizer(new Authorizer() { public Result authorize(Operation operation, ChannelId channel, ServerSession session, ServerMessage message) { if (operation == Operation.PUBLISH && session.getAttribute("isCNNEmployee") == Boolean.TRUE) return Result.grant(); else return Result.ignore(); } }); } });
A typical usage of authorizers is as follows:
- Create a wildcard authorizer that matches all channels and neither grants or
denies (e.g. use
org.cometd.server.authorizer.GrantAuthorizer.GRANT_NONE
). This authorizer can be added to channel /** or to a more specific channel for your application such as /game/**. This ensures that authorizers set is not empty and that another authorizer must explicitly grant access. - For public channels, that all users can access, add authorizers that will simply grant publish and/or subscribe permissions to the specific or wildcard channels.
- For access controlled channels (e.g. only nominated players can publish to a game channel), then specific implementation of authorizers need to be created that will check identities and possibly other state before granting permission. Typically there is no need for such authorizers to explicitly deny access, unless that attempted access represents a specific error condition that needs to be passed to the client in the message associated with a deny.
- For cross cutting concerns, such as checking a users credit or implementing user bans, authorizers can be created to explicitly deny access, without the need to modify all authorizers already in place that may grant.
- See Also:
SecurityPolicy
-
Nested Class Summary
Nested Classes Modifier and Type Interface Description static class
Authorizer.Operation
Operations that are to be authorized on a channelstatic class
Authorizer.Result
The result of an authentication request. -
Method Summary
Modifier and Type Method Description Authorizer.Result
authorize(Authorizer.Operation operation, ChannelId channel, ServerSession session, ServerMessage message)
Callback invoked to authorize the givenoperation
on the givenchannel
.
-
Method Details
-
authorize
Authorizer.Result authorize(Authorizer.Operation operation, ChannelId channel, ServerSession session, ServerMessage message)Callback invoked to authorize the given
operation
on the givenchannel
.Additional parameters are passed to this method as context parameters, so that it is possible to implement complex logic based on the
ServerSession
andServerMessage
that are requesting the authorization.Note that the message channel is not the same as the
channelId
parameter. For example, for subscription requests, the message channel isChannel.META_SUBSCRIBE
, while thechannelId
parameter is the channel for which the subscription is requested.Note that for
create operation
, the channel instance does not yet exist: it will be created only after the authorization is granted.- Parameters:
operation
- the operation to authorizechannel
- the channel for which the authorization has been requestedsession
- the session that is requesting the authorizationmessage
- the message that triggered the authorization request- Returns:
- the result of the authorization
-