Group


1   /*
2    * $Header: /cvshome/build/org.osgi.service.useradmin/src/org/osgi/service/useradmin/Group.java,v 1.8 2006/06/16 16:31:41 hargrave Exp $
3    *
4    * Copyright (c) OSGi Alliance (2001, 2006). All Rights Reserved.
5    *
6    * Licensed under the Apache License, Version 2.0 (the "License");
7    * you may not use this file except in compliance with the License.
8    * You may obtain a copy of the License at
9    *
10   *      http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.osgi.service.useradmin;
19  
20  /**
21   * A named grouping of roles (<code>Role</code> objects).
22   * <p>
23   * Whether or not a given <code>Authorization</code> context implies a
24   * <code>Group</code> object depends on the members of that <code>Group</code>
25   * object.
26   * <p>
27   * A <code>Group</code> object can have two kinds of members: <i>basic </i> and
28   * <i>required </i>. A <code>Group</code> object is implied by an
29   * <code>Authorization</code> context if all of its required members are implied
30   * and at least one of its basic members is implied.
31   * <p>
32   * A <code>Group</code> object must contain at least one basic member in order to
33   * be implied. In other words, a <code>Group</code> object without any basic
34   * member roles is never implied by any <code>Authorization</code> context.
35   * <p>
36   * A <code>User</code> object always implies itself.
37   * <p>
38   * No loop detection is performed when adding members to <code>Group</code>
39   * objects, which means that it is possible to create circular implications.
40   * Loop detection is instead done when roles are checked. The semantics is that
41   * if a role depends on itself (i.e., there is an implication loop), the role is
42   * not implied.
43   * <p>
44   * The rule that a <code>Group</code> object must have at least one basic member
45   * to be implied is motivated by the following example:
46   * 
47   * <pre>
48   * 
49   *  group foo
50   *    required members: marketing
51   *    basic members: alice, bob
52   *  
53   * </pre>
54   * 
55   * Privileged operations that require membership in "foo" can be performed only
56   * by "alice" and "bob", who are in marketing.
57   * <p>
58   * If "alice" and "bob" ever transfer to a different department, anybody in
59   * marketing will be able to assume the "foo" role, which certainly must be
60   * prevented. Requiring that "foo" (or any <code>Group</code> object for that
61   * matter) must have at least one basic member accomplishes that.
62   * <p>
63   * However, this would make it impossible for a <code>Group</code> object to be
64   * implied by just its required members. An example where this implication might
65   * be useful is the following declaration: "Any citizen who is an adult is
66   * allowed to vote." An intuitive configuration of "voter" would be:
67   * 
68   * <pre>
69   * 
70   *  group voter
71   *    required members: citizen, adult
72   *       basic members:
73   *  
74   * </pre>
75   * 
76   * However, according to the above rule, the "voter" role could never be assumed
77   * by anybody, since it lacks any basic members. In order to address this issue
78   * a predefined role named "user.anyone" can be specified, which is always
79   * implied. The desired implication of the "voter" group can then be achieved by
80   * specifying "user.anyone" as its basic member, as follows:
81   * 
82   * <pre>
83   * 
84   *  group voter
85   *    required members: citizen, adult
86   *       basic members: user.anyone
87   *  
88   * </pre>
89   * 
90   * @version $Revision: 1.8 $
91   */
92  public interface Group extends User {
93      /**
94       * Adds the specified <code>Role</code> object as a basic member to this
95       * <code>Group</code> object.
96       * 
97       * @param role The role to add as a basic member.
98       * 
99       * @return <code>true</code> if the given role could be added as a basic
100      *         member, and <code>false</code> if this <code>Group</code> object
101      *         already contains a <code>Role</code> object whose name matches that
102      *         of the specified role.
103      * 
104      * @throws SecurityException If a security manager exists and the caller
105      *         does not have the <code>UserAdminPermission</code> with name
106      *         <code>admin</code>.
107      */
108     public boolean addMember(Role role);
109 
110     /**
111      * Adds the specified <code>Role</code> object as a required member to this
112      * <code>Group</code> object.
113      * 
114      * @param role The <code>Role</code> object to add as a required member.
115      * 
116      * @return <code>true</code> if the given <code>Role</code> object could be
117      *         added as a required member, and <code>false</code> if this
118      *         <code>Group</code> object already contains a <code>Role</code> object
119      *         whose name matches that of the specified role.
120      * 
121      * @throws SecurityException If a security manager exists and the caller
122      *         does not have the <code>UserAdminPermission</code> with name
123      *         <code>admin</code>.
124      */
125     public boolean addRequiredMember(Role role);
126 
127     /**
128      * Removes the specified <code>Role</code> object from this <code>Group</code>
129      * object.
130      * 
131      * @param role The <code>Role</code> object to remove from this <code>Group</code>
132      *        object.
133      * 
134      * @return <code>true</code> if the <code>Role</code> object could be removed,
135      *         otherwise <code>false</code>.
136      * 
137      * @throws SecurityException If a security manager exists and the caller
138      *         does not have the <code>UserAdminPermission</code> with name
139      *         <code>admin</code>.
140      */
141     public boolean removeMember(Role role);
142 
143     /**
144      * Gets the basic members of this <code>Group</code> object.
145      * 
146      * @return The basic members of this <code>Group</code> object, or
147      *         <code>null</code> if this <code>Group</code> object does not contain
148      *         any basic members.
149      */
150     public Role[] getMembers();
151 
152     /**
153      * Gets the required members of this <code>Group</code> object.
154      * 
155      * @return The required members of this <code>Group</code> object, or
156      *         <code>null</code> if this <code>Group</code> object does not contain
157      *         any required members.
158      */
159     public Role[] getRequiredMembers();
160 }
161
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags