Skip to content

Swapped tabs for spaces. #685

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 30, 2022
Merged

Swapped tabs for spaces. #685

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions src/main/java/org/owasp/esapi/AccessControlRule.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@


public interface AccessControlRule<P, R> {
void setPolicyParameters(P policyParameter);
P getPolicyParameters();
boolean isAuthorized(R runtimeParameter) throws Exception;
void setPolicyParameters(P policyParameter);
P getPolicyParameters();
boolean isAuthorized(R runtimeParameter) throws Exception;
}
184 changes: 92 additions & 92 deletions src/main/java/org/owasp/esapi/AccessController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,70 +66,70 @@
*/
public interface AccessController {

/**
* <code>isAuthorized</code> executes the <code>AccessControlRule</code>
* that is identified by <code>key</code> and listed in the
* <code>resources/ESAPI-AccessControlPolicy.xml</code> file. It returns
* true if the <code>AccessControlRule</code> decides that the operation
* should be allowed. Otherwise, it returns false. Any exception thrown by
* the <code>AccessControlRule</code> must result in false. If
* <code>key</code> does not map to an <code>AccessControlRule</code>, then
* false is returned.
*
* Developers should call isAuthorized to control execution flow. For
* example, if you want to decide whether to display a UI widget in the
* browser using the same logic that you will use to enforce permissions
* on the server, then isAuthorized is the method that you want to use.
*
* Typically, assertAuthorized should be used to enforce permissions on the
* server.
*
* @param key <code>key</code> maps to
* <code>&lt;AccessControlPolicy&gt;&lt;AccessControlRules&gt;
* &lt;AccessControlRule name="key"</code>
* @param runtimeParameter runtimeParameter can contain anything that
* the AccessControlRule needs from the runtime system.
* @return Returns <code>true</code> if and only if the AccessControlRule specified
* by <code>key</code> exists and returned <code>true</code>.
* Otherwise returns <code>false</code>
*/
boolean isAuthorized(Object key, Object runtimeParameter);
/**
* <code>assertAuthorized</code> executes the <code>AccessControlRule</code>
* that is identified by <code>key</code> and listed in the
* <code>resources/ESAPI-AccessControlPolicy.xml</code> file. It does
* nothing if the <code>AccessControlRule</code> decides that the operation
* should be allowed. Otherwise, it throws an
* <code>org.owasp.esapi.errors.AccessControlException</code>. Any exception
* thrown by the <code>AccessControlRule</code> will also result in an
* <code>AccesControlException</code>. If <code>key</code> does not map to
* an <code>AccessControlRule</code>, then an <code>AccessControlException
* </code> is thrown.
*
* Developers should call {@code assertAuthorized} to enforce privileged access to
* the system. It should be used to answer the question: "Should execution
* continue." Ideally, the call to <code>assertAuthorized</code> should
* be integrated into the application framework so that it is called
* automatically.
*
* @param key <code>key</code> maps to
* &lt;AccessControlPolicy&gt;&lt;AccessControlRules&gt;
* &lt;AccessControlRule name="key"
* @param runtimeParameter runtimeParameter can contain anything that
* the AccessControlRule needs from the runtime system.
*/
void assertAuthorized(Object key, Object runtimeParameter)
throws AccessControlException;
/**
* <code>isAuthorized</code> executes the <code>AccessControlRule</code>
* that is identified by <code>key</code> and listed in the
* <code>resources/ESAPI-AccessControlPolicy.xml</code> file. It returns
* true if the <code>AccessControlRule</code> decides that the operation
* should be allowed. Otherwise, it returns false. Any exception thrown by
* the <code>AccessControlRule</code> must result in false. If
* <code>key</code> does not map to an <code>AccessControlRule</code>, then
* false is returned.
*
* Developers should call isAuthorized to control execution flow. For
* example, if you want to decide whether to display a UI widget in the
* browser using the same logic that you will use to enforce permissions
* on the server, then isAuthorized is the method that you want to use.
*
* Typically, assertAuthorized should be used to enforce permissions on the
* server.
*
* @param key <code>key</code> maps to
* <code>&lt;AccessControlPolicy&gt;&lt;AccessControlRules&gt;
* &lt;AccessControlRule name="key"</code>
* @param runtimeParameter runtimeParameter can contain anything that
* the AccessControlRule needs from the runtime system.
* @return Returns <code>true</code> if and only if the AccessControlRule specified
* by <code>key</code> exists and returned <code>true</code>.
* Otherwise returns <code>false</code>
*/
boolean isAuthorized(Object key, Object runtimeParameter);
/**
* <code>assertAuthorized</code> executes the <code>AccessControlRule</code>
* that is identified by <code>key</code> and listed in the
* <code>resources/ESAPI-AccessControlPolicy.xml</code> file. It does
* nothing if the <code>AccessControlRule</code> decides that the operation
* should be allowed. Otherwise, it throws an
* <code>org.owasp.esapi.errors.AccessControlException</code>. Any exception
* thrown by the <code>AccessControlRule</code> will also result in an
* <code>AccesControlException</code>. If <code>key</code> does not map to
* an <code>AccessControlRule</code>, then an <code>AccessControlException
* </code> is thrown.
*
* Developers should call {@code assertAuthorized} to enforce privileged access to
* the system. It should be used to answer the question: "Should execution
* continue." Ideally, the call to <code>assertAuthorized</code> should
* be integrated into the application framework so that it is called
* automatically.
*
* @param key <code>key</code> maps to
* &lt;AccessControlPolicy&gt;&lt;AccessControlRules&gt;
* &lt;AccessControlRule name="key"
* @param runtimeParameter runtimeParameter can contain anything that
* the AccessControlRule needs from the runtime system.
*/
void assertAuthorized(Object key, Object runtimeParameter)
throws AccessControlException;


/*** Below this line has been deprecated as of ESAPI 1.6 ***/
/*** Below this line has been deprecated as of ESAPI 1.6 ***/
/**
* Checks if the current user is authorized to access the referenced URL. Generally, this method should be invoked in the
* application's controller or a filter as follows:
Expand All @@ -140,10 +140,10 @@ void assertAuthorized(Object key, Object runtimeParameter)
* exception would be logged.
*
* @param url
* the URL as returned by request.getRequestURI().toString()
* the URL as returned by request.getRequestURI().toString()
*
* @return
* true, if is authorized for URL
* true, if is authorized for URL
*/
@Deprecated
boolean isAuthorizedForURL(String url);
Expand All @@ -155,10 +155,10 @@ void assertAuthorized(Object key, Object runtimeParameter)
* AccessControlException is not thrown, this method should return true.
*
* @param functionName
* the name of the function
* the name of the function
*
* @return
* true, if is authorized for function
* true, if is authorized for function
*/
@Deprecated
boolean isAuthorizedForFunction(String functionName);
Expand All @@ -175,10 +175,10 @@ void assertAuthorized(Object key, Object runtimeParameter)
* (e.g., Read, Write, etc.), or the name of the function the data is being passed to.
*
* @param data
* The actual object or object identifier being accessed or a reference to the object being accessed.
* The actual object or object identifier being accessed or a reference to the object being accessed.
*
* @return
* true, if is authorized for the data
* true, if is authorized for the data
*/
@Deprecated
boolean isAuthorizedForData(String action, Object data);
Expand All @@ -190,10 +190,10 @@ void assertAuthorized(Object key, Object runtimeParameter)
* is not thrown, this method should return true.
*
* @param filepath
* the path of the file to be checked, including filename
* the path of the file to be checked, including filename
*
* @return
* true, if is authorized for the file
* true, if is authorized for the file
*/
@Deprecated
boolean isAuthorizedForFile(String filepath);
Expand All @@ -206,10 +206,10 @@ void assertAuthorized(Object key, Object runtimeParameter)
* AccessControlException is not thrown, this method should return true.
*
* @param serviceName
* the service name
* the service name
*
* @return
* true, if is authorized for the service
* true, if is authorized for the service
*/
@Deprecated
boolean isAuthorizedForService(String serviceName);
Expand All @@ -229,16 +229,16 @@ void assertAuthorized(Object key, Object runtimeParameter)
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
* @param url
* the URL as returned by request.getRequestURI().toString()
* the URL as returned by request.getRequestURI().toString()
*
* @throws AccessControlException
* if access is not permitted
* if access is not permitted
*/
@Deprecated
void assertAuthorizedForURL(String url) throws AccessControlException;
Expand All @@ -257,17 +257,17 @@ void assertAuthorized(Object key, Object runtimeParameter)
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
*
* @param functionName
* the function name
* the function name
*
* @throws AccessControlException
* if access is not permitted
* if access is not permitted
*/
@Deprecated
void assertAuthorizedForFunction(String functionName) throws AccessControlException;
Expand All @@ -283,8 +283,8 @@ void assertAuthorized(Object key, Object runtimeParameter)
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
Expand All @@ -294,10 +294,10 @@ void assertAuthorized(Object key, Object runtimeParameter)
* (e.g., Read, Write, etc.), or the name of the function the data is being passed to.
*
* @param data
* The actual object or object identifier being accessed or a reference to the object being accessed.
* The actual object or object identifier being accessed or a reference to the object being accessed.
*
* @throws AccessControlException
* if access is not permitted
* if access is not permitted
*/
@Deprecated
void assertAuthorizedForData(String action, Object data) throws AccessControlException;
Expand All @@ -315,14 +315,14 @@ void assertAuthorized(Object key, Object runtimeParameter)
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
*
* @param filepath
* Path to the file to be checked
* Path to the file to be checked
* @throws AccessControlException if access is denied
*/
@Deprecated
Expand All @@ -341,18 +341,18 @@ void assertAuthorized(Object key, Object runtimeParameter)
* <li>Use available information to make an access control decision</li>
* <ol type="a">
* <li>Ideally, this policy would be data driven</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* <li>You can use the current User, roles, data type, data name, time of day, etc.</li>
* <li>Access control decisions must deny by default</li>
* </ol>
* <li>If access is not permitted, throw an AccessControlException with details</li>
* </ol>
*
* @param serviceName
* the service name
* the service name
*
* @throws AccessControlException
* if access is not permitted
*/
* if access is not permitted
*/
@Deprecated
void assertAuthorizedForService(String serviceName) throws AccessControlException;

Expand Down
Loading