
Chapter 10. Identity Management - Permissions API and Permission Management

10.1. Overview

The Permissions API is a set of extensible authorization features that provide capabilities for determining access privileges for application resources. This chapter describes the ACL (Access Control List) features and the management of persistent resource permissions via the PermissionManager. It also explains how the PermissionResolver SPI can be used in conjunction with a custom PermissionVoter implementation, allowing you to plug in your own authorization logic.
The Permission interface is used in a number of places throughout the Permissions API, and defines the following methods:
import java.io.Serializable;

import org.picketlink.idm.model.IdentityType;

public interface Permission {

    // Direct reference to the resource, when the object itself is known (may be null)
    Object getResource();

    // Type of the resource; together with the identifier it describes the resource
    // when only a class and an identifier (for example a JPA entity id) are known
    Class<?> getResourceClass();

    Serializable getResourceIdentifier();

    // The identity (user, role, group or any other IdentityType) that holds the permission
    IdentityType getAssignee();

    // The action the assignee is allowed to perform, e.g. "read"
    String getOperation();
}
Each permission instance represents a specific resource permission, and contains three important pieces of state:
  • The assignee, which is the identity to which the permission is assigned.
  • The operation, which is a string value that represents the exact action that the assigned identity is allowed to perform.
  • Either a direct reference to the resource (if known), or a combination of a resource class and resource identifier. This value represents the resource to which the permission applies.
To understand better what a permission is for, here are some examples:
  • John is allowed to read FileA.txt
  • John is allowed to load/read entity Confidential with identifier 123.
  • John is allowed to view the /myapp/page page.
  • John is allowed to access Mary's profile
  • John is allowed to view button 'Delete' on page /myapp/page.
Permissions are therefore either string-based (the resource is identified by a name, such as a file name or page path) or type-based (the resource is identified by its class and identifier). In the type-based case, if you are using JPA entities, you can also manage permissions for one specific entity instance given its identifier.
Permissions can also be assigned to roles or groups, or to any other IdentityType. For example, suppose a role grants read access to a file. Users granted that role inherit all of its privileges/permissions. The role can even be granted to an entire group, in which case every member of the group inherits the privileges as well. Whatever performs the permission check therefore has to consider not only the user itself but every role and group the user effectively holds.
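To make the three pieces of state concrete, here is an added example (it is not PicketLink code and not the resolver PicketLink ships) that implements the Permission interface shown above in memory and evaluates grants for a user. It assumes the picketlink-idm-api types (IdentityType, User, Role, Group, Permission) are on the classpath; the SimplePermission class, the Confidential entity, the isAllowed/heldBy helpers and the identities john, mary, file-reader and staff are all constructed for the example. Resolving which roles and groups a user actually holds is left to the caller, since that is a relationship lookup rather than part of the permission model itself.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.picketlink.idm.model.IdentityType;
import org.picketlink.idm.model.basic.Group;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.permission.Permission;

// Added example, not PicketLink code: an in-memory Permission plus a checker that applies
// assignee, operation and resource (direct reference or class + identifier) to a request.
public class PermissionModelExample {

    // Hypothetical implementation of the Permission interface documented above.
    static final class SimplePermission implements Permission {
        private final IdentityType assignee;
        private final String operation;
        private final Object resource;            // null when only class + identifier are known
        private final Class<?> resourceClass;
        private final Serializable resourceIdentifier;

        // Direct-reference form: "John is allowed to read FileA.txt"
        SimplePermission(IdentityType assignee, Object resource, String operation) {
            this(assignee, resource, resource.getClass(), null, operation);
        }

        // Class + identifier form: "John is allowed to read entity Confidential with identifier 123"
        SimplePermission(IdentityType assignee, Class<?> resourceClass, Serializable id, String operation) {
            this(assignee, null, resourceClass, id, operation);
        }

        private SimplePermission(IdentityType assignee, Object resource, Class<?> resourceClass,
                                 Serializable id, String operation) {
            this.assignee = assignee;
            this.resource = resource;
            this.resourceClass = resourceClass;
            this.resourceIdentifier = id;
            this.operation = operation;
        }

        public Object getResource() { return resource; }
        public Class<?> getResourceClass() { return resourceClass; }
        public Serializable getResourceIdentifier() { return resourceIdentifier; }
        public IdentityType getAssignee() { return assignee; }
        public String getOperation() { return operation; }
    }

    // Hypothetical JPA-style entity; type-based permissions name it by class and identifier.
    static final class Confidential {
        final long id;
        Confidential(long id) { this.id = id; }
    }

    // Is 'operation' granted on the resource to any identity in 'requester'? The caller passes
    // the user together with every role and group it holds, which is how role/group grants
    // are inherited; for a string resource pass 'resource', for a type-based one pass class + id.
    static boolean isAllowed(Collection<Permission> grants, Collection<? extends IdentityType> requester,
                             Object resource, Class<?> resourceClass, Serializable identifier,
                             String operation) {
        for (Permission p : grants) {
            if (!operation.equals(p.getOperation())) continue;
            if (!heldBy(p.getAssignee(), requester)) continue;
            boolean sameResource;
            if (p.getResource() != null) {
                sameResource = p.getResource().equals(resource);                 // string / direct form
            } else {
                sameResource = p.getResourceClass().equals(resourceClass)          // type-based form
                        && p.getResourceIdentifier().equals(identifier);
            }
            if (sameResource) return true;
        }
        return false;
    }

    // IdentityType.getId() is only assigned once the identity has been stored, so fall back to
    // reference identity for the unstored objects this example builds.
    private static boolean heldBy(IdentityType assignee, Collection<? extends IdentityType> requester) {
        for (IdentityType i : requester) {
            if (i == assignee) return true;
            if (i.getId() != null && i.getId().equals(assignee.getId())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        User john = new User("john");
        Role fileReader = new Role("file-reader");   // constructed role granted to John
        Group staff = new Group("staff");            // constructed group John belongs to

        List<Permission> grants = new ArrayList<>();
        grants.add(new SimplePermission(john, "/myapp/page", "view"));              // string-based, direct
        grants.add(new SimplePermission(john, Confidential.class, 123L, "read"));  // type-based
        grants.add(new SimplePermission(fileReader, "FileA.txt", "read"));         // inherited via role
        grants.add(new SimplePermission(staff, "FileB.txt", "read"));              // inherited via group

        List<IdentityType> johnsIdentities = Arrays.asList(john, fileReader, staff);
        Confidential doc = new Confidential(123L);

        System.out.println(isAllowed(grants, johnsIdentities, "/myapp/page", null, null, "view"));
        System.out.println(isAllowed(grants, johnsIdentities, null, Confidential.class, doc.id, "read"));
        System.out.println(isAllowed(grants, johnsIdentities, "FileA.txt", null, null, "read"));
        System.out.println(isAllowed(grants, johnsIdentities, "FileB.txt", null, null, "read"));
        System.out.println(isAllowed(grants, johnsIdentities, "FileA.txt", null, null, "delete"));
        System.out.println(isAllowed(grants, Arrays.asList(new User("mary")), "FileA.txt", null, null, "read"));
    }
}
```

The first four checks in main succeed (two direct grants to John, one reached through his role and one through his group); the last two are refused because no grant carries the "delete" operation and Mary holds none of the assignee identities. Note that the check matches the operation string exactly, so an operation vocabulary ("read", "view", "delete", ...) needs to be agreed application-wide, and that the type-based branch compares both class and identifier: a grant on Confidential 123 says nothing about Confidential 124.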