Package com.illumon.iris.security

Class DeniedPermission

java.lang.Object
java.security.Permission
java.security.BasicPermission
com.illumon.iris.security.MetaPermission
com.illumon.iris.security.DeniedPermission
All Implemented Interfaces:
Serializable, Guard
public final class DeniedPermission
extends MetaPermission
A representation of a "negative" privilege.

A DeniedPermission, when "granted" to some ProtectionDomain, represents a privilege which cannot be exercised, regardless of any positive permissions (AllPermission included) possessed (except for a GuaranteedPermission). In other words, if a set of granted permissions, P, contains a permission of this class, D, then the set of effectively granted permissions is     { Pimplied - Dimplied }.

Each instance of this class encapsulates a target permission, representing the "positive" permission being negated.

Denied permissions employ the following naming scheme:

    <target_class_name>:<target_name>(:<target_actions>)

where:

  • <target_class_name> is the fully qualified name of the target permission's class,
  • <target_name> is the name of the target permission,
  • (<target_actions>) is, optionally, the actions string of the target permission, and
  • the ':' character stands for itself.
A denied permission, having a target permission t, is said to imply another permission p, iff:
  • p is not itself a denied permission, and (t.implies(p) == true), or
  • p is a denied permission, with a target t1, and (t.implies(t1) == true).

It is the responsibility of the policy decision point (e.g., the Policy provider) to take denied permission semantics into account when issuing authorization statements.

See Also:
Serialized Form

  • Method Details

    • create

      @Permissions public static DeniedPermission create​(String targetClassName, @Nullable String targetName, @Nullable String targetActions)
      Instantiates a DeniedPermission that encapsulates a target permission of the indicated class, specified name and, optionally, actions.
      Parameters:
      targetClassName - The name of the class of the Permission to be denied.
      targetName - The target for the Permission to be denied.
      targetActions - The actions (if any) to be specifically denied by the underlying class.
      Throws:
      IllegalArgumentException - if:
      • targetClassName is null, the empty string, does not refer to a concrete Permission descendant, or refers to DeniedPermission.class or UnresolvedPermission.class.
      • targetName is null.
      • targetClassName cannot be instantiated, and it's the caller's fault; e.g., because targetName and/or targetActions do not adhere to the naming constraints of the target class; or due to the target class not exposing a (String name), or (String name, String actions) constructor, depending on whether targetActions is null or not.
      SecurityException - if a SecurityManager, sm, is installed, and the invocation sm.checkPackageAccess(targetClassPackageName) (where targetClassPackageName is the package of the class referred to by targetClassName) denies access.

    • create

      @Permissions public static DeniedPermission create​(Permission target)
      Instantiates a DeniedPermission that encapsulates the given target permission.
      Parameters:
      target - The Permission that is being explicitly denied.
      Throws:
      IllegalArgumentException - if target is null, a DeniedPermission, or an UnresolvedPermission.

    • implies

      public boolean implies​(Permission p)
      Checks whether the given permission is implied by this one, as per the overview.
      Overrides:
      implies in class MetaPermission
      Parameters:
      p - The Permission being checked.