Type Parameters:
T - type of configuration used by this validator. Each validator must have its own AbacValidatorConfig class, so that the validator to call can be uniquely identified.
All Known Implementing Classes:
PolicyValidator, RoleValidator, ScopeValidator, TimeValidator

public interface AbacValidator<T extends AbacValidatorConfig>
Service interface for attribute based access control (ABAC) validator. The validator provides information about itself:
  • Annotations it expects - should be meta-annotated with AbacAnnotation, so we can check all are processed even if validator is missing
  • Configuration key expected when configured through a file (or other config source)
  • Class of configuration of this attribute validator (also the type parameter of this class)

Method Details

    • supportedAnnotations

      default Collection<Class<? extends Annotation>> supportedAnnotations()
      Provide extension annotations supported by this validator (e.g. RolesAllowed). Annotations will be collected according to framework in use. For JAX-RS, annotations from application class, resource class and resource methods will be collected. The annotations will be transformed to configuration by fromAnnotations(EndpointConfig).
      Returns:
      Collection of annotations this provider expects.
    • configClass

      Class<T> configClass()
      Class of the configuration type.
      Returns:
      class of the type
    • configKey

      String configKey()
      Key of a configuration entry that maps to this validator's configuration.
      Returns:
      key in a config Config
    • fromConfig

      T fromConfig(Config config)
      Load configuration class instance from Config.
      Parameters:
      config - configuration located on the key this validator expects in configKey()
      Returns:
      instance of configuration class
    • fromAnnotations

      T fromAnnotations(EndpointConfig endpointConfig)
      Load configuration class instance from annotations this validator expects.
      Parameters:
      endpointConfig - endpoint config
      Returns:
      instance of configuration class
    • validate

      void validate(T config, Errors.Collector collector, ProviderRequest request)
      Validate that the configuration provided would grant access to the resource. If access should be denied, update the collector with errors using Errors.Collector.fatal(Object, String).
      Parameters:
      config - configuration of this validator
      collector - error collector to gather issues with this request (e.g. "service not in role ABC")
      request - ABAC context containing subject(s), object(s) and environment
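
A custom validator written against this interface, as an added example (not Helidon's own code): it restricts an endpoint to an allow-list of HTTP methods and denies when the list is empty. `MethodValidator`, `AllowedMethods`, `MethodConfig` and the keys `http-methods` and `allowed` are hypothetical; the import packages, `securityLevels()`, `filterAnnotations()` and `request.env().method()` are Helidon security APIs not shown on this page, assumed here as in Helidon 2.x/3.x.

```java
// Added example. Package names and EndpointConfig/ProviderRequest accessors assume Helidon 2.x/3.x.
import java.lang.annotation.*;
import java.util.*;
import io.helidon.common.Errors;
import io.helidon.config.Config;
import io.helidon.security.EndpointConfig;
import io.helidon.security.ProviderRequest;
import io.helidon.security.providers.abac.AbacAnnotation;
import io.helidon.security.providers.abac.AbacValidatorConfig;
import io.helidon.security.providers.abac.spi.AbacValidator;

public final class MethodValidator implements AbacValidator<MethodValidator.MethodConfig> {
    // Hypothetical annotation; meta-annotated with AbacAnnotation so a missing validator is noticed.
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD}) @AbacAnnotation
    public @interface AllowedMethods { String[] value(); }
    // Hypothetical configuration type, unique to this validator as the interface requires.
    public static final class MethodConfig implements AbacValidatorConfig {
        private final Set<String> allowed = new HashSet<>();
        void allow(String method) { allowed.add(method.toUpperCase(Locale.ROOT)); }
    }

    @Override public Collection<Class<? extends Annotation>> supportedAnnotations() {
        return Set.of(AllowedMethods.class);
    }
    @Override public Class<MethodConfig> configClass() { return MethodConfig.class; }
    @Override public String configKey() { return "http-methods"; } // hypothetical key

    @Override public MethodConfig fromConfig(Config config) {
        MethodConfig result = new MethodConfig();
        config.get("allowed").asList(String.class).orElse(List.of()).forEach(result::allow);
        return result;
    }

    @Override public MethodConfig fromAnnotations(EndpointConfig endpointConfig) {
        MethodConfig result = new MethodConfig(); // union of values from every level and scope
        for (var level : endpointConfig.securityLevels())
            for (var scope : EndpointConfig.AnnotationScope.values())
                for (AllowedMethods a : level.filterAnnotations(AllowedMethods.class, scope))
                    Arrays.stream(a.value()).forEach(result::allow);
        return result;
    }

    @Override public void validate(MethodConfig config, Errors.Collector collector, ProviderRequest request) {
        String method = request.env().method().toUpperCase(Locale.ROOT);
        if (!config.allowed.contains(method)) { // an empty allow-list denies every request
            collector.fatal(this, "HTTP method " + method + " is not allowed for this endpoint");
        }
    }
}
```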