Annotation Type Policy
PolicyEvaluator
to make policy
determinations.
In Trackable
implementations, TrackableEntityPolicyEvaluator
is used in concert
with TrackablePolicyUtils
used to perform the actual policy validation business logic.
Implementations can disable policy validation altogether by setting the
'broadleaf.common.policy.validation.enforce' property to false. Implementations can also
customize, or replace, the out-of-the-box PolicyEvaluator behavior by providing their own
instances of the PolicyEvaluator
and/or PolicyUtils
interfaces.
See PolicyOverride
for more customization options regarding altering policy configuration
declared in Broadleaf from the codebase of an extending platform.
- Author:
- Jeff Fischer
-
Optional Element Summary
Modifier and TypeOptional ElementDescriptionOne of more possible user identity types.One or more possible valid operation types.int
The position (0 based) of the method parameter that represents the owner's identifier.int
The position (0 based) of the object parameter for which policies are checked.When multiplepermissionRoots()
are specified this controls how the final built authorities are validated for this annotation.String[]
The permission roots to check.
-
Element Details
-
param
int paramThe position (0 based) of the object parameter for which policies are checked. This is generally an entity object parameter. This can be ignored for uses of Policy that are not concerned with validating a method parameter. Policy validation generally includes checking theGrantedAuthority
instances on the currentAuthentication
againstpermissionRoots()
for applicability, as well as validation of any other information available in the current context. Additional contextual information is often included in a method parameter, as is the case with theContextInfo
method parameter inTrackable
implementations.A value of -1 (the default) indicates that object validation should be ignored.
- Returns:
- The position of the object parameter for which policies are checked
- Default:
- -1
-
permissionRoots
String[] permissionRootsThe permission roots to check. Can be left blank if the backing
PolicyEvaluator
implementation uses another approach to determine the current permission requirements. Permissions are generally constructed by combination of these roots withoperationTypes()
and compared against current user granted authorities.If multiple roots are specified, this delegates to the final
permissionMatchingStrategy()
to determine how they are handled.- Returns:
- One or more permission names to check
- Default:
- {""}
-
operationTypes
OperationType[] operationTypesOne or more possible valid operation types.For
Trackable
implementations, usually used in combination withpermissionRoots()
to create a full permission to validate. This can be left at the default value, in which case, theContextInfo.getOperationType()
is used. In the case where multiple operation types are declared here, theContextInfo.getOperationType()
is queried in order to choose which value to use. If there is no contextInfo available, or if there is no match with the value in the contextInfo, the first operation type in the array is used.In the case where there is no active
ContextInfo
and the default ofOperationType.UNKNOWN
is used, an ALL_ is prepended against the givenpermissionRoots()
and used to validate that permission.- Returns:
- One or more possible valid operation types
- Default:
- {UNKNOWN}
-
permissionMatchingStrategy
PermissionMatchingStrategy permissionMatchingStrategyWhen multiplepermissionRoots()
are specified this controls how the final built authorities are validated for this annotation. The default is for only a single permission to have to match in order for the policy to evaluate successfully- Returns:
- the matching strategy that is used for multiple
permissionRoots()
- Default:
- ANY
-
identityTypes
IdentityType[] identityTypesOne of more possible user identity types. Identity types represent the type of user requesting access. Different identity type receive different validation treatment. For example,IdentityType.ADMIN
types represent standard admin requests for accessing data and checks for visibility and mutability based on multitenant concerns, etc... are enforced.IdentityType.OWNER
on the other hand represents a standard user that is accessing a record they own (e.g. a cart). OWNER users are detected via aPolicyUtils.getAuthDetailsOwnerIdentifier()
parameter} present in theAuthentication.getDetails()
and the identifier harvested from there must match the identifier provided viaOwned.getOwnerIdentifier()
on the data object being accessed. The data object to test must implement theOwned
interface to enforce the OWNED identity type.Using one or multiple identity types, a common endpoint can be used for multiple users and be protected appropriately based on that user's viewing context.
- Returns:
- One of more possible user identity types
- Default:
- {UNKNOWN}
-
ownerIdentifier
String ownerIdentifierFor use with theOWNER
IdentityType and a business domain that implements theOwned
interface, this overrides the global owner identifier key at the method level. For default implementations, this can be thought of as a JWT claim.This is an optional value, and should only be used in cases where the owner id of this domain does not match the global default.
If multiple owner identifiers are supported, a comma separated string may be used. In the case of multiple owner identifiers, if any of these identifiers matches the owner, the ownership check will pass. A case where there may be multiple owners is with an account hierarchy where a parent account might define some payment or address to be shared with sub- accounts. In such a case, the owner identifier is either the requester's current account or one of its parents,
"acct_id,parent_accts"
.- Returns:
- The owner identifier.
- See Also:
- Default:
- ""
-
ownerIdentifierParam
int ownerIdentifierParamThe position (0 based) of the method parameter that represents the owner's identifier.For use with the
OWNER
IdentityType when you prefer to validate the authenticated user's ownership against a specific method param value, instead of searching for a method param that implements theOwned
interface.This is primarily intended to be used in endpoint methods where the owner's identifier is provided via a path variable.
A value of -1 (the default) indicates that validation should instead gather the owner's identifier from a method param that implements the
Owned
interface.- Returns:
- The position of the method parameter that represents the owner's identifier
- Default:
- -1
-