Interface ACLRegistry


public interface ACLRegistry
Registry for defining Access Control Lists (ACLs) programmatically. The ACLRegistryVetoer and ACLRegistryAllower authorizers use this registry to manage request permissions: the ACLRegistryVetoer denies requests based on veto predicates, while the ACLRegistryAllower grants permission to proceed with requests based on allow predicates. A request is permitted to proceed if it is not denied by any ACLRegistryVetoer and at least one ACLRegistryAllower approves it.

Example usage:
 
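 @Inject("acl-registry")
 ACLRegistry registry;

 @OnInit
 public void init() {
     // veto predicate: returning true denies the request
     registry.registerVeto(request -> request.getPath().equals("/deny"));
     // allow predicate: returning true authorizes the request, unless it is vetoed
     registry.registerAllow(request -> request.getPath().equals("/allow"));
 }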
 
 
Author:
Andrea Di Cesare <andrea@softinstigate.com>
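  • Method Summary

    Modifier and Type | Method | Description
    void | registerAllow(Predicate<Request<?>> allow) | Registers an allow predicate that determines if a request should be authorized.
    void | registerAuthenticationRequirement(Predicate<Request<?>> authenticationRequired) | Registers a predicate that determines whether requests handled by the ACLRegistryAllower require authentication.
    void | registerVeto(Predicate<Request<?>> veto) | Registers a veto predicate that determines if a request should be denied.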
  • Method Details

    • registerVeto

      void registerVeto(Predicate<Request<?>> veto)
      Registers a veto predicate that determines if a request should be denied. When the predicate evaluates to true, the request is immediately forbidden (vetoed). A request that is not vetoed is still denied if it is not explicitly authorized by any allow predicate or by any other active allowing authorizer.
      Parameters:
      veto - The veto predicate to register. This predicate should return true to veto (deny) the request, and false to let the decision be further evaluated by allow predicates or other authorizers.
    • registerAllow

      void registerAllow(Predicate<Request<?>> allow)
      Registers an allow predicate that determines if a request should be authorized. The request is authorized if this predicate evaluates to true, provided that no veto predicates or other active vetoer authorizers subsequently deny the request. This method helps in setting up conditions under which requests can proceed unless explicitly vetoed.
      Parameters:
      allow - The allow predicate to register. This predicate should return true to authorize the request, unless it is vetoed by any veto predicates or other vetoing conditions.
    • registerAuthenticationRequirement

      void registerAuthenticationRequirement(Predicate<Request<?>> authenticationRequired)
      Registers a predicate that determines whether requests handled by the ACLRegistryAllower require authentication. This method is used to specify conditions under which authentication is mandatory. Typically, authentication is required unless there are allow predicates explicitly authorizing requests that are not authenticated.
      Parameters:
      authenticationRequired - The predicate to determine if authentication is necessary. It should return true if the request must be authenticated, otherwise false if unauthenticated requests might be allowed.
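
The rule stated in the interface description (no veto matches and at least one allow matches) can be exercised with a stand-alone model. This is an added example, not RESTHeart code: Req and ModelRegistry are hypothetical stand-ins for Request<?> and ACLRegistry, and the sample requests are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

// Stand-alone model of the decision rule described above; NOT RESTHeart code.
// Req and ModelRegistry are hypothetical stand-ins for Request<?> and ACLRegistry.
public class AclDecisionModel {
    // Constructed request type: only the fields the sample predicates need.
    record Req(String path, String method) {}

    static class ModelRegistry {
        private final List<Predicate<Req>> vetoes = new ArrayList<>();
        private final List<Predicate<Req>> allows = new ArrayList<>();

        void registerVeto(Predicate<Req> veto) { vetoes.add(veto); }
        void registerAllow(Predicate<Req> allow) { allows.add(allow); }

        // Permitted only if no veto matches AND at least one allow matches.
        boolean permits(Req r) {
            boolean vetoed = vetoes.stream().anyMatch(p -> p.test(r));
            boolean allowed = allows.stream().anyMatch(p -> p.test(r));
            return !vetoed && allowed;
        }
    }

    public static void main(String[] args) {
        ModelRegistry registry = new ModelRegistry();
        // Allow /api and everything below it; veto every DELETE and the exact path /api/admin.
        registry.registerAllow(r -> r.path().equals("/api") || r.path().startsWith("/api/"));
        registry.registerVeto(r -> r.method().equals("DELETE"));
        registry.registerVeto(r -> r.path().equals("/api/admin"));

        // Constructed sample requests, one per rule interaction.
        List<Req> samples = List.of(
            new Req("/api/items", "GET"),       // matches the allow, no veto
            new Req("/api/items", "DELETE"),    // matches the allow and the method veto
            new Req("/api/admin", "GET"),       // matches the allow and the exact-path veto
            new Req("/api/admin/users", "GET"), // sub-path: the equals() veto does not match
            new Req("/other", "GET"));          // matches no allow predicate at all

        for (Req r : samples) {
            System.out.printf("%-7s %-18s -> %s%n", r.method(), r.path(),
                registry.permits(r) ? "PERMIT" : "DENY");
        }
    }
}
```

In this model the request for /api/admin/users is permitted, because an exact-match veto on /api/admin does not cover sub-paths, while /other is denied without any veto because no allow predicate matches it.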