Package org.apache.jena.permissions.example

Class ShiroExampleEvaluator

java.lang.Object
org.apache.jena.permissions.example.ShiroExampleEvaluator
All Implemented Interfaces:
SecurityEvaluator
public class ShiroExampleEvaluator extends Object implements SecurityEvaluator
Class to use Shiro to provide credentials. An example evaluator that only provides access to messages in the graph that are from or to the principal.

  • Constructor Details

    • ShiroExampleEvaluator

      public ShiroExampleEvaluator(Model model)
      Parameters:
      model - The graph we are going to evaluate against.

  • Method Details

    • evaluate

      public boolean evaluate(Object principal, SecurityEvaluator.Action action, Node graphIRI)
      We allow any action on the graph itself, so this is always true.
      Specified by:
      evaluate in interface SecurityEvaluator
      Parameters:
      principal - The principal that is attempting the action.
      action - The action to perform
      graphIRI - The IRI of the graph to check
      Returns:
      true if the action is allowed, false otherwise.

    • evaluate

      public boolean evaluate(Object principal, SecurityEvaluator.Action action, Node graphIRI, Triple triple)
      As per our design, users can do anything with triples they have access to, so we just ignore the action parameter. If we were to implement rules restricted access based upon action this method would sort those out appropriately.
      Specified by:
      evaluate in interface SecurityEvaluator
      Parameters:
      principal - The principal that is attempting the action.
      action - The action to perform
      graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
      triple - The triple to check
      Returns:
      true if the action is allowed, false otherwise.

    • evaluate

      public boolean evaluate(Object principal, Set<SecurityEvaluator.Action> actions, Node graphIRI)
      As per our design, users can access any graph. If we were to implement rules that restricted user access to specific graphs, those checks would be here and we would return false if they were not allowed to access the graph. Note that this method is checking to see that the user may perform ALL the actions in the set on the graph.
      Specified by:
      evaluate in interface SecurityEvaluator
      Parameters:
      principal - The principal that is attempting the action.
      actions - The set of actions to perform
      graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
      Returns:
      true if all the actions are allowed, false otherwise.

    • evaluate

      public boolean evaluate(Object principal, Set<SecurityEvaluator.Action> actions, Node graphIRI, Triple triple)
      As per our design, users can access any triple from a message that is from or to them. Since we don't have restrictions on actions this is no different then checking access for a single action.
      Specified by:
      evaluate in interface SecurityEvaluator
      actions - The actions to perform.
      graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
      triple - The triple to check
      Returns:
      true if all the actions are allowed, false otherwise.

    • evaluateAny

      public boolean evaluateAny(Object principal, Set<SecurityEvaluator.Action> actions, Node graphIRI)
      As per our design, users can access any graph. If we were to implement rules that restricted user access to specific graphs, those checks would be here and we would return false if they were not allowed to access the graph. Note that this method is checking to see that the user may perform ANY of the actions in the set on the graph.
      Specified by:
      evaluateAny in interface SecurityEvaluator
      Parameters:
      principal - The principal that is attempting the action.
      actions - The actions to perform
      graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
      Returns:
      true true if any the actions are allowed, false otherwise.

    • evaluateAny

      public boolean evaluateAny(Object principal, Set<SecurityEvaluator.Action> actions, Node graphIRI, Triple triple)
      As per our design, users can access any triple from a message that is from or to them. Since we don't have restrictions on actions this is no different then checking access for a single action.
      Specified by:
      evaluateAny in interface SecurityEvaluator
      Parameters:
      principal - The principal that is attempting the action.
      actions - The actions to check.
      graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
      triple - The triple to check
      Returns:
      true if any the actions are allowed, false otherwise.

    • evaluateUpdate

      public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Triple to)
      As per our design, users can access any triple from a message that is from or to them. So for an update they can only change triples they have access to into other triples they have access to. (e.g. they can not remove themselves from the message).
      Specified by:
      evaluateUpdate in interface SecurityEvaluator
      Parameters:
      principal - The principal that is attempting the action.
      graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
      from - The triple to be changed
      to - The value to change it to.
      Returns:
      true if the user may make the change, false otherwise.

    • getPrincipal

      public Object getPrincipal()
      Return the Shiro subject. This is the subject that Shiro currently has logged in.
      Specified by:
      getPrincipal in interface SecurityEvaluator
      Returns:
      The current principal

    • isPrincipalAuthenticated

      public boolean isPrincipalAuthenticated(Object principal)
      Verify the Shiro subject is authenticated.
      Specified by:
      isPrincipalAuthenticated in interface SecurityEvaluator
      Parameters:
      principal - The principal to check.
      Returns:
      true if authenticated, false if not.