Package com.broadleafcommerce.data.tracking.core.policy.trackable.marketplace.vendor

Class VendorAwareTrackablePolicyUtils

java.lang.Object

com.broadleafcommerce.data.tracking.core.policy.trackable.DefaultTrackablePolicyUtils

com.broadleafcommerce.data.tracking.core.policy.trackable.marketplace.vendor.VendorAwareTrackablePolicyUtils

All Implemented Interfaces:

PolicyUtils, TrackablePolicyUtils

public class VendorAwareTrackablePolicyUtils
extends DefaultTrackablePolicyUtils

An extension of DefaultTrackablePolicyUtils that understands what vendor(s) the current authentication is restricted to (including consideration for the current policy requirements) and can enforce access control accordingly.

See Also:

• AuthenticationVendorPrivilegesSummary

Field Summary

Fields inherited from class com.broadleafcommerce.data.tracking.core.policy.trackable.DefaultTrackablePolicyUtils

ADMIN_CLAIM, AUTHORITIES, USER_TYPE_ATTR

Fields inherited from interface com.broadleafcommerce.data.tracking.core.policy.PolicyUtils

DEFAULT_AUTH_DETAILS_OWNER_ID, ROLE_ANONYMOUS

Fields inherited from interface com.broadleafcommerce.data.tracking.core.policy.trackable.TrackablePolicyUtils

AUTH_DETAILS_ACCOUNT_KEY, AUTH_DETAILS_ADMIN_USER_ID_KEY, AUTH_DETAILS_APPLICATION_ACCESS_KEY, AUTH_DETAILS_APPLICATIONS_KEY, AUTH_DETAILS_CUSTOMER_CONTEXT_IDS, AUTH_DETAILS_GLOBAL_KEY, AUTH_DETAILS_TENANT_ACCESS_KEY, AUTH_DETAILS_TENANT_KEY

Constructor Summary

Constructors

Constructor	Description
VendorAwareTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder, TrackableBehaviorUtil trackableBehaviorUtil, AuthenticationVendorPrivilegesUtility authenticationVendorPrivilegesUtility)
VendorAwareTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder, TrackableBehaviorUtil trackableBehaviorUtil, String ownerIdentifier, AuthenticationVendorPrivilegesUtility authenticationVendorPrivilegesUtility)

Method Summary

Modifier and Type	Method	Description
protected OperationType	determineRequiredOperationType(PolicyInformation policy, ContextInfo contextInfo)	This is copied from DefaultPolicyAspectProcessor.narrowType(PolicyInformation, ContextInfo).
Set<String>	filterToVendorRestrictionsMatchingPolicyRequirements(@NonNull Set<String> restrictedVendorRefs, @NonNull Map<String,Set<String>> vendorRefsByRestrictedAuthority, @NonNull PolicyInformation policyRequirements, ContextInfo contextInfo)	An authentication may have restrictions, but it's possible not all of them have the authorities required by a resource.
protected Set<String>	filterToVendorRestrictionsMatchingPolicyRequirements(@NonNull Set<String> restrictedVendorRefs, @NonNull Map<String,Set<String>> vendorRefsByRestrictedAuthority, OperationType requiredOperationType, @NonNull String[] permissionRoots, PermissionMatchingStrategy permissionMatchingStrategy)	See javadocs of filterToVendorRestrictionsMatchingPolicyRequirements(Set, Map, PolicyInformation, ContextInfo).
Set<String>	filterToVendorRestrictionsMatchingRequiredPermissions(@NonNull Set<String> restrictedVendorRefs, @NonNull Map<String,Set<String>> vendorRefsByRestrictedAuthority, @NonNull List<String> fullyExpandedRequiredPermissions, PermissionMatchingStrategy permissionMatchingStrategy)	See javadocs of filterToVendorRestrictionsMatchingPolicyRequirements(Set, Map, PolicyInformation, ContextInfo).
protected AuthenticationVendorPrivilegesUtility	getAuthenticationVendorPrivilegesUtility()
AuthenticationVendorPrivilegesSummary	getVendorPrivileges(@NonNull org.springframework.security.core.Authentication authentication)	Delegates to getVendorPrivileges(Authentication, ContextInfo).
AuthenticationVendorPrivilegesSummary	getVendorPrivileges(@NonNull org.springframework.security.core.Authentication authentication, ContextInfo contextInfo)	Obtains the summary of vendor privileges from the given authentication and context.
protected VendorVisibilityManager	getVendorVisibilityManager()
protected boolean	isCatalogVisibleByVendorRestrictions(@NonNull ContextInfo contextInfo, String[] requiredPermissionRoots, PermissionMatchingStrategy permissionMatchingStrategy, OperationType requiredOperationType)	Reports whether the catalog referenced in the contextInfo is visible by the vendor restrictions in the current authentication.
void	setVendorVisibilityManager(VendorVisibilityManager vendorVisibilityManager)	Lazily inject the VendorVisibilityManager, since the handlers it injects may require service dependencies that themselves require policy utils.
PolicyResponse	validateContext(ContextInfo contextInfo)	Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.
PolicyResponse	validateContext(ContextInfo contextInfo, String[] requiredPermissionRoots, PermissionMatchingStrategy permissionMatchingStrategy, OperationType operationType)	Performs similar validation to DefaultTrackablePolicyUtils.validateContext(ContextInfo, String[], PermissionMatchingStrategy, OperationType), but also considers whether the catalog in the contextInfo is visible by the current authentication's vendor restrictions.
protected PolicyResponse	validateEntityMutableByCurrentVendorRestrictions(Trackable entity, ContextInfo contextInfo, String[] requiredPermissionRoots, PermissionMatchingStrategy permissionMatchingStrategy, OperationType operationType)	Checks whether the given entity being mutated is actually mutable given the current authentication's vendor privileges and provided policy requirements.
protected PolicyResponse	validateEntityOperation(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy, OperationType operationType)	This is the method used by DefaultTrackablePolicyUtils.validateUpdate(Trackable, ContextInfo, String[], PermissionMatchingStrategy) and DefaultTrackablePolicyUtils.validateDelete(Trackable, ContextInfo, String[], PermissionMatchingStrategy) to validate an entity can be updated/deleted by the current authentication, so it is overridden here to add consideration for vendor restrictions.
PolicyResponse	validateInsert(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy)	Overrides DefaultTrackablePolicyUtils.validateInsert(Trackable, ContextInfo, String[], PermissionMatchingStrategy) to add behavior that checks whether the entity can be inserted by the current authentication's vendor restrictions.
PolicyResponse	validatePermission(String[] permissionRoots, PermissionMatchingStrategy strategy, OperationType operationType, ContextInfo contextInfo)	Overrides DefaultTrackablePolicyUtils.validatePermission(String[], PermissionMatchingStrategy, OperationType, ContextInfo) to give special consideration to vendor restrictions and vendor-restricted authorities.
PolicyResponse	validatePermissions(String[] permissions, ContextInfo contextInfo)	Overridden from PolicyUtils.validatePermissions(String[], ContextInfo) to give special consideration to vendor restrictions and vendor-restricted authorities.

Methods inherited from class com.broadleafcommerce.data.tracking.core.policy.trackable.DefaultTrackablePolicyUtils

expandPermissionRootsToPermissions, getAttributesConverter, getAuthDetailsOwnerIdentifier, getAuthenticationAttributes, getCurrentUserAccountId, getCustomerContextIdsForUser, getImplicitApplicationCatalog, invalidPolicyResponse, invalidPolicyResponse, isAccountVisible, isAdminScopedServiceClient, isAdminUser, isAnonymous, isApplicationCatalogAddAllowed, isApplicationVisible, isCatalogMutable, isCatalogVisible, isCatalogVisible, isContextVisible, isGlobalApplication, isGlobalChangeInHiddenCatalog, isGlobalTenant, isGlobalTenantUser, isGlobalTenantUser, isMutationPossibleForContext, isNotUser, isOwnerUser, isSandboxVisible, isTenantVisible, isUserApplicationLevelAccess, isUserApplicationLevelAccess, isUserApplicationRestricted, isUserApplicationRestricted, isUserTenantLevelAccess, isUserTenantLevelAccess, isValidApplicationUser, isValidApplicationUser, isValidApplicationUser, isValidApplicationUser, isValidCustomerContext, isValidSandboxUser, isValidTenantUser, matchInheritanceLine, rateMember, setAttributesConverter, streamApplications, validateApplicationCatalogUpdate, validateApplicationUpdate, validateCatalogInsert, validateDelete, validateEntityUpdate, validateEntityUpdateForTenantFactors, validateGlobalMutateToInheritedCatalog, validateGlobalUpdateToHiddenCatalog, validateOperation, validateOperation, validateOther, validateOwner, validatePermission, validateRead, validateTenantTrackableUpdate, validateTenantUpdate, validateUpdate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.broadleafcommerce.data.tracking.core.policy.PolicyUtils

getAuthentication

Constructor Details

VendorAwareTrackablePolicyUtils

public VendorAwareTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder,
 TrackableBehaviorUtil trackableBehaviorUtil,
 String ownerIdentifier,
 AuthenticationVendorPrivilegesUtility authenticationVendorPrivilegesUtility)

VendorAwareTrackablePolicyUtils

public VendorAwareTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder,
 TrackableBehaviorUtil trackableBehaviorUtil,
 AuthenticationVendorPrivilegesUtility authenticationVendorPrivilegesUtility)

Method Details

setVendorVisibilityManager

@Autowired
@Lazy
public void setVendorVisibilityManager(VendorVisibilityManager vendorVisibilityManager)

Lazily inject the VendorVisibilityManager, since the handlers it injects may require service dependencies that themselves require policy utils. Lazy injection avoids a circular reference.

Additionally, this bean disables policy validation before invoking any methods of VendorVisibilityManager to prevent recursive policy validation.

Parameters:

vendorVisibilityManager - the vendor visibility manager

getVendorPrivileges

public AuthenticationVendorPrivilegesSummary getVendorPrivileges(@NonNull
 @NonNull org.springframework.security.core.Authentication authentication)

Delegates to getVendorPrivileges(Authentication, ContextInfo).

Parameters:

authentication - the Authentication from which to extract vendor privilege information

Returns:

details about the given authentication's vendor restrictions and authorities

Throws:

IllegalArgumentException - if the authentication details didn't match the expected structure

See Also:

• AuthenticationVendorPrivilegesSummary
• AuthenticationVendorPrivilegesUtility

getVendorPrivileges

public AuthenticationVendorPrivilegesSummary getVendorPrivileges(@NonNull
 @NonNull org.springframework.security.core.Authentication authentication,
 @Nullable
 ContextInfo contextInfo)

Obtains the summary of vendor privileges from the given authentication and context.

Parameters:

authentication - the Authentication from which to extract vendor privilege information

contextInfo - context information surrounding sandboxing and multitenant state

Returns:

details about the given authentication's vendor restrictions and authorities

Throws:

IllegalArgumentException - if the authentication details didn't match the expected structure

See Also:

• AuthenticationVendorPrivilegesSummary
• AuthenticationVendorPrivilegesUtility
• VendorAuthenticationPrivilegeProperties

validateContext

public PolicyResponse validateContext(@Nullable
 ContextInfo contextInfo)

Description copied from interface: TrackablePolicyUtils

Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.

Specified by:

validateContext in interface TrackablePolicyUtils

Overrides:

validateContext in class DefaultTrackablePolicyUtils

Parameters:

contextInfo - the context containing multitenant application, tenant and catalog information

Returns:

Whether or not the contextInfo contains valid tenant information

validateContext

public PolicyResponse validateContext(@Nullable
 ContextInfo contextInfo,
 @Nullable
 String[] requiredPermissionRoots,
 @Nullable
 PermissionMatchingStrategy permissionMatchingStrategy,
 @Nullable
 OperationType operationType)

Performs similar validation to DefaultTrackablePolicyUtils.validateContext(ContextInfo, String[], PermissionMatchingStrategy, OperationType), but also considers whether the catalog in the contextInfo is visible by the current authentication's vendor restrictions.

Specified by:

validateContext in interface TrackablePolicyUtils

Overrides:

validateContext in class DefaultTrackablePolicyUtils

Parameters:

contextInfo - the context containing multitenant application, tenant and catalog information

requiredPermissionRoots - the permission roots required by the policy

permissionMatchingStrategy - how to validate multiple permissions

operationType - the operation type required by the policy

Returns:

Whether or not the contextInfo is valid with consideration to the current authentication and provided policy requirements

isCatalogVisibleByVendorRestrictions

protected boolean isCatalogVisibleByVendorRestrictions(@NonNull
 @NonNull ContextInfo contextInfo,
 @Nullable
 String[] requiredPermissionRoots,
 @Nullable
 PermissionMatchingStrategy permissionMatchingStrategy,
 @Nullable
 OperationType requiredOperationType)

Reports whether the catalog referenced in the contextInfo is visible by the vendor restrictions in the current authentication.

Ultimately, the expectation is that if the current authentication is restricted (see AuthenticationVendorPrivilegesSummary.isUnrestricted()), its context requests should only be able to supply the ID of a catalog which is directly associated to one of its vendor restrictions via Catalog.getVendorRef().

Note that this is critical since visibility and mutability of catalog-discriminated entities are purely determined by this behavior. The pure permission validation simply checks if the authentication has the requisite permission(s) in at least one of their vendor restrictions, but this will go further to confirm the requisite permissions are found for the vendor ref associated to the requested catalog.

Parameters:

contextInfo - the context info whose catalog should be checked for accessibility

requiredPermissionRoots - the permission roots required by the policy

permissionMatchingStrategy - how to validate multiple permissions

requiredOperationType - the operation type required by the policy

Returns:

true if the catalog is visible by the current vendor restrictions, false otherwise

validateInsert

public PolicyResponse validateInsert(@Nullable
 Trackable entity,
 @Nullable
 ContextInfo contextInfo,
 @Nullable
 String[] permissionRoots,
 @Nullable
 PermissionMatchingStrategy strategy)

Overrides DefaultTrackablePolicyUtils.validateInsert(Trackable, ContextInfo, String[], PermissionMatchingStrategy) to add behavior that checks whether the entity can be inserted by the current authentication's vendor restrictions.

Specified by:

validateInsert in interface TrackablePolicyUtils

Overrides:

validateInsert in class DefaultTrackablePolicyUtils

Parameters:

entity - The item being inserted

contextInfo - the context containing multitenant application and catalog information

permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.

strategy - how to treat multiple permissions

Returns:

Whether or not the update request on the entity should be allowed, including consideration for vendor restrictions

validateEntityOperation

protected PolicyResponse validateEntityOperation(@Nullable
 Trackable entity,
 @Nullable
 ContextInfo contextInfo,
 @Nullable
 String[] permissionRoots,
 @Nullable
 PermissionMatchingStrategy strategy,
 @Nullable
 OperationType operationType)

This is the method used by DefaultTrackablePolicyUtils.validateUpdate(Trackable, ContextInfo, String[], PermissionMatchingStrategy) and DefaultTrackablePolicyUtils.validateDelete(Trackable, ContextInfo, String[], PermissionMatchingStrategy) to validate an entity can be updated/deleted by the current authentication, so it is overridden here to add consideration for vendor restrictions.

Overrides:

validateEntityOperation in class DefaultTrackablePolicyUtils

Parameters:

entity - the entity being updated/deleted

contextInfo - the context containing multitenant application and catalog information

permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.

strategy - how to treat multiple permissions

operationType - the explicit type of operation to validate

Returns:

whether or not the operation should be allowed on the entity

validateEntityMutableByCurrentVendorRestrictions

protected PolicyResponse validateEntityMutableByCurrentVendorRestrictions(@Nullable
 Trackable entity,
 @Nullable
 ContextInfo contextInfo,
 @Nullable
 String[] requiredPermissionRoots,
 @Nullable
 PermissionMatchingStrategy permissionMatchingStrategy,
 @Nullable
 OperationType operationType)

Checks whether the given entity being mutated is actually mutable given the current authentication's vendor privileges and provided policy requirements.

If the entity is null, if the entity type does not have vendor-discrimination support, if there is no current authentication, if there are no required permission roots, or if the current authentication is unrestricted, the validation will automatically pass.

If the authentication is restricted, then this will first determine which vendors the current authentication can access within the provided policy requirements. Those vendors and the entity itself are both provided to VendorVisibilityManager.isEntityMutableByVendorRestrictions(Object, Set, ContextInfo) such that the appropriate VendorVisibilityHandler (if any) for that entity can make an appropriate determination about whether the entity is within the constraints of the vendor restrictions.

Parameters:

entity - the entity being updated/deleted. If not specified, then validation will automatically pass.

contextInfo - the context containing multitenant application and catalog information

requiredPermissionRoots - The permission roots to validate. If not specified, then validation will automatically pass.

permissionMatchingStrategy - how to treat multiple permission roots

operationType - the explicit type of operation to validate

Returns:

whether or not the operation should be allowed on the entity

filterToVendorRestrictionsMatchingPolicyRequirements

public Set<String> filterToVendorRestrictionsMatchingPolicyRequirements(@NonNull
 @NonNull Set<String> restrictedVendorRefs,
 @NonNull
 @NonNull Map<String,Set<String>> vendorRefsByRestrictedAuthority,
 @NonNull
 @NonNull PolicyInformation policyRequirements,
 @Nullable
 ContextInfo contextInfo)

An authentication may have restrictions, but it's possible not all of them have the authorities required by a resource. For example, an authentication could be restricted to ['vendorA', 'vendorB'], and only have the 'READ_PRODUCT' authority in 'vendorA'. If accessing a resource that requires 'READ_PRODUCT', the authentication effectively only has access to 'vendorA' and will not have access to 'vendorB'.

To support such validation, this method accepts a set of restrictedVendorRefs and returns a filtered set of vendor refs which satisfy the provided policy requirements of a resource.

Parameters:

restrictedVendorRefs - the set of vendor refs to filter by. An empty provided here means no accessible vendors, and will automatically result in this method returning an empty set. See AuthenticationVendorPrivilegesSummary.getRestrictedVendorRefs().

vendorRefsByRestrictedAuthority - A map from "restricted authorities" (ex: READ_PRODUCT) to all "vendor refs" (ex: a vendor ID or vendor code) that the authority has been granted to. This is used as the source of truth for determining what authorities are available. See AuthenticationVendorPrivilegesSummary.getVendorRefsByRestrictedAuthority().

policyRequirements - the policy requirements to validate against

contextInfo - context information about sandboxing/multitenant state. Useful for determining the required operation type in conjunction with PolicyInformation.

Returns:

a filtered set of vendor refs which satisfy the provided policy requirements of a resource. An empty result means no vendors are accessible.

See Also:

• filterToVendorRestrictionsMatchingRequiredPermissions(Set, Map, List, PermissionMatchingStrategy)

filterToVendorRestrictionsMatchingPolicyRequirements

protected Set<String> filterToVendorRestrictionsMatchingPolicyRequirements(@NonNull
 @NonNull Set<String> restrictedVendorRefs,
 @NonNull
 @NonNull Map<String,Set<String>> vendorRefsByRestrictedAuthority,
 @Nullable
 OperationType requiredOperationType,
 @NonNull
 @NonNull String[] permissionRoots,
 @Nullable
 PermissionMatchingStrategy permissionMatchingStrategy)

See javadocs of filterToVendorRestrictionsMatchingPolicyRequirements(Set, Map, PolicyInformation, ContextInfo).

Parameters:

restrictedVendorRefs - the set of vendor refs to filter by. An empty provided here means no accessible vendors, and will automatically result in this method returning an empty set. See AuthenticationVendorPrivilegesSummary.getRestrictedVendorRefs().

vendorRefsByRestrictedAuthority - A map from "restricted authorities" (ex: READ_PRODUCT) to all "vendor refs" (ex: a vendor ID or vendor code) that the authority has been granted to. This is used as the source of truth for determining what authorities are available. See AuthenticationVendorPrivilegesSummary.getVendorRefsByRestrictedAuthority().

requiredOperationType - the operation type that should be used as the required operation type for policy validation. This is typically determined by looking at PolicyInformation and ContextInfo.

permissionRoots - the required permission roots. See PolicyInformation.getPermissionRoots().

permissionMatchingStrategy - the matching strategy to use for evaluating permissions. See PermissionMatchingStrategy.

Returns:

a filtered set of vendor refs which satisfy the provided policy requirements of a resource. An empty result means no vendors are accessible.

determineRequiredOperationType

protected OperationType determineRequiredOperationType(PolicyInformation policy,
 @Nullable
 ContextInfo contextInfo)

This is copied from DefaultPolicyAspectProcessor.narrowType(PolicyInformation, ContextInfo).

Figure out the OperationType to use, given the policy and contextInfo.

• If there is only one operationType described in Policy:
• If it's not UNKNOWN, use it
• If there's not contextInfo, return UNKNOWN
• Otherwise, return the operation type on the contextInfo
• Otherwise, find and use the first match of contextInfo operationType in those defined by Policy, or the first OperationType in the policy defined list if no match is found

Parameters:

policy - The policy annotation on the method that optionally defines one or more OperationTypes

contextInfo - The optional contextInfo that describes an overall operationType for the context of the request

Returns:

The final OperationType to use for the policy validation

filterToVendorRestrictionsMatchingRequiredPermissions

public Set<String> filterToVendorRestrictionsMatchingRequiredPermissions(@NonNull
 @NonNull Set<String> restrictedVendorRefs,
 @NonNull
 @NonNull Map<String,Set<String>> vendorRefsByRestrictedAuthority,
 @NonNull
 @NonNull List<String> fullyExpandedRequiredPermissions,
 @Nullable
 PermissionMatchingStrategy permissionMatchingStrategy)

See javadocs of filterToVendorRestrictionsMatchingPolicyRequirements(Set, Map, PolicyInformation, ContextInfo).

Parameters:

restrictedVendorRefs - the set of vendor refs to filter by. An empty provided here means no accessible vendors, and will automatically result in this method returning an empty set. See AuthenticationVendorPrivilegesSummary.getRestrictedVendorRefs().

vendorRefsByRestrictedAuthority - A map from "restricted authorities" (ex: READ_PRODUCT) to all "vendor refs" (ex: a vendor ID or vendor code) that the authority has been granted to. This is used as the source of truth for determining what authorities are available. See AuthenticationVendorPrivilegesSummary.getVendorRefsByRestrictedAuthority().

fullyExpandedRequiredPermissions - the required permissions. This should be the fully expanded permissions (ex: READ_PRODUCT), not just their roots (PRODUCT).

permissionMatchingStrategy - the matching strategy to use for evaluating permissions. See PermissionMatchingStrategy.

Returns:

a filtered set of vendor refs which satisfy the provided permission requirements. An empty result means no vendors are accessible.

validatePermission

public PolicyResponse validatePermission(@Nullable
 String[] permissionRoots,
 @Nullable
 PermissionMatchingStrategy strategy,
 @Nullable
 OperationType operationType,
 @Nullable
 ContextInfo contextInfo)

Overrides DefaultTrackablePolicyUtils.validatePermission(String[], PermissionMatchingStrategy, OperationType, ContextInfo) to give special consideration to vendor restrictions and vendor-restricted authorities.

If there are no policy requirements or if there is no current authentication, the result will automatically be PolicyResponse.VALID.

If the current authentication is unrestricted, the authentication's full authority set will be validated for the presence of the required permissions as dictated by the PermissionMatchingStrategy.

If the current authentication is not unrestricted, the authentication must have at least one vendor-type restriction for which it has the required permissions as dictated by the PermissionMatchingStrategy.

The expectation is that if an authentication could conceivably access this resource with even one of its vendor restrictions, the policy validation here will allow it, and then rely on VendorNarrowingContextInfoCustomizer to prevent data from unauthorized vendors from appearing in the results.

Specified by:

validatePermission in interface TrackablePolicyUtils

Overrides:

validatePermission in class DefaultTrackablePolicyUtils

Parameters:

permissionRoots - the permission roots requested

strategy - the permission matching strategy to use for validation

operationType - the explicit type of operation to validate

contextInfo - the context containing multitenant application, tenant and catalog information. Not used in the default implementation, though custom implementations may use this for validation purposes.

Returns:

Whether or not the discovered permission is in scope for the current user

validatePermissions

public PolicyResponse validatePermissions(@Nullable
 String[] permissions,
 @Nullable
 ContextInfo contextInfo)

Overridden from PolicyUtils.validatePermissions(String[], ContextInfo) to give special consideration to vendor restrictions and vendor-restricted authorities.

The semantics of validation are similar to what is described in validatePermission(String[], PermissionMatchingStrategy, OperationType, ContextInfo).

Parameters:

permissions - the permissions to check. A single permission in the current PolicyUtils.getAuthentication() must match to pass the policy

contextInfo - the context containing multitenant application, tenant and catalog information. Not used in the default implementation, though custom implementations may use this for validation purposes.

Returns:

the result of the validation

See Also:

• validatePermission(String[], PermissionMatchingStrategy, OperationType, ContextInfo)

getVendorVisibilityManager

protected VendorVisibilityManager getVendorVisibilityManager()

See Also:

• setVendorVisibilityManager(VendorVisibilityManager)

getAuthenticationVendorPrivilegesUtility

protected AuthenticationVendorPrivilegesUtility getAuthenticationVendorPrivilegesUtility()