• Home
• org.osgi
• org.osgi.compendium
• 4.2.0
• source code
• Group.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.osgi.service.useradmin.Group Maven / Gradle / Ivy

/*
 * Copyright (c) OSGi Alliance (2001, 2008). All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.osgi.service.useradmin;

/**
 * A named grouping of roles (Role objects).
 * 

 * Whether or not a given Authorization context implies a
 * Group object depends on the members of that Group
 * object.
 * 

 * A Group object can have two kinds of members: basic  and
 * required . A Group object is implied by an
 * Authorization context if all of its required members are implied
 * and at least one of its basic members is implied.
 * 

 * A Group object must contain at least one basic member in order to
 * be implied. In other words, a Group object without any basic
 * member roles is never implied by any Authorization context.
 * 

 * A User object always implies itself.
 * 

 * No loop detection is performed when adding members to Group
 * objects, which means that it is possible to create circular implications.
 * Loop detection is instead done when roles are checked. The semantics is that
 * if a role depends on itself (i.e., there is an implication loop), the role is
 * not implied.
 * 

 * The rule that a Group object must have at least one basic member
 * to be implied is motivated by the following example:
 * 
 * 
 * 
 *  group foo
 *    required members: marketing
 *    basic members: alice, bob
 *  
 * 
 * 
 * Privileged operations that require membership in "foo" can be performed only
 * by "alice" and "bob", who are in marketing.
 * 

 * If "alice" and "bob" ever transfer to a different department, anybody in
 * marketing will be able to assume the "foo" role, which certainly must be
 * prevented. Requiring that "foo" (or any Group object for that
 * matter) must have at least one basic member accomplishes that.
 * 

 * However, this would make it impossible for a Group object to be
 * implied by just its required members. An example where this implication might
 * be useful is the following declaration: "Any citizen who is an adult is
 * allowed to vote." An intuitive configuration of "voter" would be:
 * 
 * 
 * 
 *  group voter
 *    required members: citizen, adult
 *       basic members:
 *  
 * 
 * 
 * However, according to the above rule, the "voter" role could never be assumed
 * by anybody, since it lacks any basic members. In order to address this issue
 * a predefined role named "user.anyone" can be specified, which is always
 * implied. The desired implication of the "voter" group can then be achieved by
 * specifying "user.anyone" as its basic member, as follows:
 * 
 * 
 * 
 *  group voter
 *    required members: citizen, adult
 *       basic members: user.anyone
 *  
 * 
 * 
 * @version $Revision: 5673 $
 */
public interface Group extends User {
	/**
	 * Adds the specified Role object as a basic member to this
	 * Group object.
	 * 
	 * @param role The role to add as a basic member.
	 * 
	 * @return true if the given role could be added as a basic
	 *         member, and false if this Group object
	 *         already contains a Role object whose name matches that
	 *         of the specified role.
	 * 
	 * @throws SecurityException If a security manager exists and the caller
	 *         does not have the UserAdminPermission with name
	 *         admin.
	 */
	public boolean addMember(Role role);

	/**
	 * Adds the specified Role object as a required member to this
	 * Group object.
	 * 
	 * @param role The Role object to add as a required member.
	 * 
	 * @return true if the given Role object could be
	 *         added as a required member, and false if this
	 *         Group object already contains a Role object
	 *         whose name matches that of the specified role.
	 * 
	 * @throws SecurityException If a security manager exists and the caller
	 *         does not have the UserAdminPermission with name
	 *         admin.
	 */
	public boolean addRequiredMember(Role role);

	/**
	 * Removes the specified Role object from this Group
	 * object.
	 * 
	 * @param role The Role object to remove from this Group
	 *        object.
	 * 
	 * @return true if the Role object could be removed,
	 *         otherwise false.
	 * 
	 * @throws SecurityException If a security manager exists and the caller
	 *         does not have the UserAdminPermission with name
	 *         admin.
	 */
	public boolean removeMember(Role role);

	/**
	 * Gets the basic members of this Group object.
	 * 
	 * @return The basic members of this Group object, or
	 *         null if this Group object does not contain
	 *         any basic members.
	 */
	public Role[] getMembers();

	/**
	 * Gets the required members of this Group object.
	 * 
	 * @return The required members of this Group object, or
	 *         null if this Group object does not contain
	 *         any required members.
	 */
	public Role[] getRequiredMembers();
}