10.3.3. Restricting resource operations
For many resource types it makes sense to restrict the set of resource operations for which permissions might be assigned. For example, an application might have an entity bean containing lookup values for countries. This Country bean is likely to require only the bare minimum in terms of data management, so you might like to restrict the available operations for it to the typical CREATE, READ, UPDATE, DELETE operations. To do this we use the @AllowedOperations annotation. It takes a child array of @AllowedOperation values that specify exactly which operation values permissions can be assigned for:
import java.io.Serializable;
import javax.persistence.Entity;
import org.picketlink.idm.permission.annotations.AllowedOperation;
import org.picketlink.idm.permission.annotations.AllowedOperations;

@Entity
@AllowedOperations({
    @AllowedOperation(value = "CREATE", mask = 1, classOperation = true),
    @AllowedOperation(value = "READ", mask = 2),
    @AllowedOperation(value = "UPDATE", mask = 4),
    @AllowedOperation(value = "DELETE", mask = 8)
})
public class Country implements Serializable {
    // fields and accessors omitted
}
The optional mask value can be used to specify a bitmask value to allow for more efficient storage of permission values. If the mask values are set, the operation values for that object's permissions will be stored as a numerical value with the corresponding bit values turned on. For example, if a single user was assigned permission for both the READ and UPDATE operations for one of our Country beans, then this operation value would be stored as 6 (READ (2) + UPDATE (4)).
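The bitmask storage described above, as a stand-alone sketch added here for illustration; it is not PicketLink code. The class OperationMaskDemo and its methods are hypothetical, and the requirement that every mask is a distinct single bit is this example's own assumption, included because overlapping masks would make one granted operation imply another.

```java
import java.util.*;
// Added illustration, not PicketLink code. Mirrors the Country mask table above.
public class OperationMaskDemo {
    private final Map<String, Integer> masks = new LinkedHashMap<>();

    // Register an allowed operation. Each mask must be one bit not already in use
    // (an assumption of this sketch), so that no grant can imply another operation.
    void allow(String op, int mask) {
        if (mask <= 0 || Integer.bitCount(mask) != 1)
            throw new IllegalArgumentException(op + ": mask must be a single bit");
        if (masks.containsKey(op) || masks.containsValue(mask))
            throw new IllegalArgumentException(op + ": duplicate operation or mask");
        masks.put(op, mask);
    }

    // Operations outside the allowed set cannot be assigned or checked at all.
    private int maskOf(String op) {
        Integer m = masks.get(op);
        if (m == null) throw new IllegalArgumentException("operation not allowed: " + op);
        return m;
    }

    int grant(int stored, String op)   { return stored | maskOf(op); }
    int revoke(int stored, String op)  { return stored & ~maskOf(op); }
    boolean has(int stored, String op) { return (stored & maskOf(op)) != 0; }

    // Turn a stored numerical value back into the operation names it represents.
    List<String> decode(int stored) {
        List<String> ops = new ArrayList<>();
        for (Map.Entry<String, Integer> e : masks.entrySet())
            if ((stored & e.getValue()) != 0) ops.add(e.getKey());
        return ops;
    }

    public static void main(String[] args) {
        OperationMaskDemo country = new OperationMaskDemo();
        country.allow("CREATE", 1);
        country.allow("READ", 2);
        country.allow("UPDATE", 4);
        country.allow("DELETE", 8);
        // READ and UPDATE granted to one user are stored as a single number.
        int stored = country.grant(country.grant(0, "READ"), "UPDATE");
        System.out.println(stored + " " + country.decode(stored));
        System.out.println("DELETE granted: " + country.has(stored, "DELETE"));
        stored = country.revoke(stored, "UPDATE");
        System.out.println(stored + " " + country.decode(stored));
        try { country.grant(stored, "PUBLISH"); }  // constructed name, not in the allowed set
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```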
The other optional value, classOperation, can be set to true if the permission applies to the class itself, and not an instance of a class. For example, you might wish to check that the current user has permission to actually create a new Country bean. In this case, the permission check would look something like this:
@Inject Identity identity;

public void createCountry() {
    if (!identity.hasPermission(Country.class, "CREATE")) {
        throw new SecurityException(
            "Current user has insufficient privileges for this operation.");
    }
    // snip
}
This functionality is provided by the ClassPermissionHandler permission handler.