001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.wicket.authorization;
018
019import org.apache.wicket.Component;
020import org.apache.wicket.request.component.IRequestableComponent;
021import org.apache.wicket.request.mapper.parameter.PageParameters;
022import org.apache.wicket.request.resource.IResource;
023
024/**
025 * Authorization strategies specify aspect-like constraints on significant actions taken by the
026 * framework in a given application. These constraints are guaranteed by the framework to be applied
027 * consistently throughout. Violations will result in a security action directed by the strategy,
028 * such as the throwing of an AuthorizationException or the filtering out of security-sensitive
029 * information.
030 * 
031 * @author Eelco Hillenius
032 * @author Jonathan Locke
033 * @since Wicket 1.2
034 */
035public interface IAuthorizationStrategy
036{
037        class AllowAllAuthorizationStrategy implements IAuthorizationStrategy
038        {
039                /**
040                 * @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
041                 */
042                @Override
043                public <T extends IRequestableComponent> boolean isInstantiationAuthorized(final Class<T> c)
044                {
045                        return true;
046                }
047
048                /**
049                 * @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
050                 *      org.apache.wicket.authorization.Action)
051                 */
052                @Override
053                public boolean isActionAuthorized(Component c, Action action)
054                {
055                        return true;
056                }
057
058                @Override
059                public boolean isResourceAuthorized(IResource resource, PageParameters pageParameters)
060                {
061                        return true;
062                }
063        }
064
065        /**
066         * Implementation of {@link IAuthorizationStrategy} that allows everything.
067         */
068        IAuthorizationStrategy ALLOW_ALL = new AllowAllAuthorizationStrategy();
069
070        /**
071         * Checks whether an instance of the given component class may be created. If this method
072         * returns false, the {@link IUnauthorizedComponentInstantiationListener} that is configured in
073         * the {@link org.apache.wicket.settings.SecuritySettings security settings} will be called. The default implementation of
074         * that listener throws a {@link UnauthorizedInstantiationException}.
075         * <p>
076         * If you wish to implement a strategy that authenticates users which cannot access a given Page
077         * (or other Component), you can simply throw a
078         * {@link org.apache.wicket.RestartResponseAtInterceptPageException} in your implementation of
079         * this method.
080         * 
081         * @param <T>
082         * 
083         * @param componentClass
084         *            The component class to check
085         * @return Whether the given component may be created
086         */
087        <T extends IRequestableComponent> boolean isInstantiationAuthorized(Class<T> componentClass);
088
089        /**
090         * Gets whether the given action is permitted. If it is, this method should return true. If it
091         * isn't, this method should either return false or - in case of a serious breach - throw a
092         * security exception. Returning is generally preferable over throwing an exception as that
093         * doesn't break the normal flow.
094         * 
095         * @param component
096         *            The component to be acted upon
097         * @param action
098         *            The action to authorize on the component
099         * @return Whether the given action may be taken on the given component
100         * @throws AuthorizationException
101         *             Can be thrown by implementation if action is unauthorized
102         * @see Component#ENABLE
103         * @see Component#RENDER
104         */
105        boolean isActionAuthorized(Component component, Action action);
106
107        /**
108         * Checks whether a request with some parameters is allowed to a resource.
109         *
110         * @param resource
111         *            The resource that should be processed
112         * @param parameters
113         *            The request parameters
114         * @return {@code true} if the request to this resource is allowed.
115         */
116        boolean isResourceAuthorized(IResource resource, PageParameters parameters);
117}