Package org.cometd.bayeux.server

Interface Authorizer

All Known Implementing Classes:
GrantAuthorizer
public interface Authorizer

Authorizers authorize operations on channels.

Authorizers can be added to and ConfigurableServerChannel.removeAuthorizer(Authorizer) removed from} channels, even wildcard channels.

Authorizers work together with the SecurityPolicy to determine if a channel creation, a channel subscribe or a publish operation may succeed.

For an operation on a channel, the authorizers on the wildcard channels that match the channel and the authorizers on the channel itself (together known at the authorizers set for that channel) will be consulted to check if the the operation is granted, denied or ignored.

The list of wildcard channels that match the channel is obtained from ChannelId.getWildIds().

The following is the authorization algorithm:

  • If there is a security policy, and the security policy denies the request, then the request is denied.
  • Otherwise, if the authorizers set is empty, the request is granted.
  • Otherwise, if no authorizer explicitly grants the operation, the request is denied.
  • Otherwise, if at least one authorizer explicitly grants the operation, and no authorizer explicitly denies the operation, the request is granted.
  • Otherwise, if one authorizer explicitly denies the operation, remaining authorizers are not consulted, and the request is denied.

The order in which the authorizers are checked is not important.

Typically, authorizers are setup during the configuration of a channel:

 BayeuxServer bayeuxServer = ...;
 bayeuxServer.createIfAbsent("/television/cnn", new ConfigurableServerChannel.Initializer()
 {
     public void configureChannel(ConfigurableServerChannel channel)
     {
         // Grant subscribe to all
         channel.addAuthorizer(GrantAuthorizer.GRANT_SUBSCRIBE);

         // Grant publishes only to CNN employees
         channel.addAuthorizer(new Authorizer()
         {
             public Result authorize(Operation operation, ChannelId channel,
                                     ServerSession session, ServerMessage message)
             {
                 if (operation == Operation.PUBLISH &&
                         session.getAttribute("isCNNEmployee") == Boolean.TRUE)
                     return Result.grant();
                 else
                     return Result.ignore();
             }
         });
     }
 });

A typical usage of authorizers is as follows:

  • Create a wildcard authorizer that matches all channels and neither grants or denies (e.g. use org.cometd.server.authorizer.GrantAuthorizer.GRANT_NONE). This authorizer can be added to channel /** or to a more specific channel for your application such as /game/**. This ensures that authorizers set is not empty and that another authorizer must explicitly grant access.
  • For public channels, that all users can access, add authorizers that will simply grant publish and/or subscribe permissions to the specific or wildcard channels.
  • For access controlled channels (e.g. only nominated players can publish to a game channel), then specific implementation of authorizers need to be created that will check identities and possibly other state before granting permission. Typically there is no need for such authorizers to explicitly deny access, unless that attempted access represents a specific error condition that needs to be passed to the client in the message associated with a deny.
  • For cross cutting concerns, such as checking a users credit or implementing user bans, authorizers can be created to explicitly deny access, without the need to modify all authorizers already in place that may grant.
See Also: