Interface Authorizer

All Known Implementing Classes:
GrantAuthorizer
public interface Authorizer

Authorizers authorize operations on channels.

Authorizers can be added to and ConfigurableServerChannel.removeAuthorizer(Authorizer) removed from} channels, even wildcard channels.

Authorizers work together with the SecurityPolicy to determine if a channel creation, a channel subscribe or a publish operation may succeed.

For an operation on a channel, the authorizers on the wildcard channels that match the channel and the authorizers on the channel itself (together known at the authorizers set for that channel) will be consulted to check if the the operation is granted, denied or ignored.

The list of wildcard channels that match the channel is obtained from ChannelId.getWildIds().

The following is the authorization algorithm:

  • If there is a security policy, and the security policy denies the request, then the request is denied.
  • Otherwise, if the authorizers set is empty, the request is granted.
  • Otherwise, if no authorizer explicitly grants the operation, the request is denied.
  • Otherwise, if at least one authorizer explicitly grants the operation, and no authorizer explicitly denies the operation, the request is granted.
  • Otherwise, if one authorizer explicitly denies the operation, remaining authorizers are not consulted, and the request is denied.

The order in which the authorizers are checked is not important.

Typically, authorizers are setup during the configuration of a channel:

 BayeuxServer bayeuxServer = ...;
 bayeuxServer.createIfAbsent("/television/cnn", new ConfigurableServerChannel.Initializer()
 {
     public void configureChannel(ConfigurableServerChannel channel)
     {
         // Grant subscribe to all
         channel.addAuthorizer(GrantAuthorizer.GRANT_SUBSCRIBE);

         // Grant publishes only to CNN employees
         channel.addAuthorizer(new Authorizer()
         {
             public Result authorize(Operation operation, ChannelId channel,
                                     ServerSession session, ServerMessage message)
             {
                 if (operation == Operation.PUBLISH &&
                         session.getAttribute("isCNNEmployee") == Boolean.TRUE)
                     return Result.grant();
                 else
                     return Result.ignore();
             }
         });
     }
 });

A typical usage of authorizers is as follows:

  • Create a wildcard authorizer that matches all channels and neither grants or denies (e.g. use org.cometd.server.authorizer.GrantAuthorizer.GRANT_NONE). This authorizer can be added to channel /** or to a more specific channel for your application such as /game/**. This ensures that authorizers set is not empty and that another authorizer must explicitly grant access.
  • For public channels, that all users can access, add authorizers that will simply grant publish and/or subscribe permissions to the specific or wildcard channels.
  • For access controlled channels (e.g. only nominated players can publish to a game channel), then specific implementation of authorizers need to be created that will check identities and possibly other state before granting permission. Typically there is no need for such authorizers to explicitly deny access, unless that attempted access represents a specific error condition that needs to be passed to the client in the message associated with a deny.
  • For cross cutting concerns, such as checking a users credit or implementing user bans, authorizers can be created to explicitly deny access, without the need to modify all authorizers already in place that may grant.
See Also:

  • Method Details

    • authorize

      default void authorize(Authorizer.Operation operation, ChannelId channel, ServerSession session, ServerMessage message, Promise<Authorizer.Result> promise)

      Callback invoked to authorize the given operation on the given channel.

      Additional parameters are passed to this method as context parameters, so that it is possible to implement complex logic based on the ServerSession and ServerMessage that are requesting the authorization.

      Note that the message channel is not the same as the channelId parameter. For example, for subscription requests, the message channel is Channel.META_SUBSCRIBE, while the channelId parameter is the channel for which the subscription is requested.

      Note that for create operation, the channel instance does not yet exist: it will be created only after the authorization is granted.

      Parameters:
      operation - the operation to authorize
      channel - the channel for which the authorization has been requested
      session - the session that is requesting the authorization
      message - the message that triggered the authorization request
      promise - the promise to notify of the authorization result

    • authorize

      Authorizer.Result authorize(Authorizer.Operation operation, ChannelId channel, ServerSession session, ServerMessage message)

      Blocking version of authorize(Operation, ChannelId, ServerSession, ServerMessage, Promise).

      Parameters:
      operation - the operation to authorize
      channel - the channel for which the authorization has been requested
      session - the session that is requesting the authorization
      message - the message that triggered the authorization request
      Returns:
      the authorization result