Authorizers authorize an Operation on a ServerChannel.
Authorizers can be added to (ConfigurableServerChannel#addAuthorizer(Authorizer)) and
removed from (ConfigurableServerChannel#removeAuthorizer(Authorizer)) channels, even wildcard
channels.
Authorizers work together with the SecurityPolicy to determine if an Operation#CREATE,
an Operation#SUBSCRIBE or an Operation#PUBLISH may succeed.
For an operation on a channel, the authorizers on the wildcard channels that match the channel and the
authorizers on the channel itself (together known as the authorizers set for that channel) will be
consulted to check if the operation is granted, denied or ignored.
The list of wildcard channels that match the channel is obtained from ChannelId#getWilds().
The following is the authorization algorithm:
- If there is a security policy, and the security policy denies the request, then the request is denied.
- Otherwise, if the authorizers set is empty, the request is granted.
- Otherwise, if no authorizer explicitly grants the operation, the request is denied.
- Otherwise, if at least one authorizer explicitly grants the operation, and no authorizer explicitly denies the
operation, the request is granted.
- Otherwise, if one authorizer explicitly denies the operation, remaining authorizers are not consulted, and the
request is denied.
The order in which the authorizers are checked is not important.
Typically, authorizers are set up during the configuration of a channel:
    import org.cometd.bayeux.ChannelId;
    import org.cometd.bayeux.server.Authorizer;
    import org.cometd.bayeux.server.BayeuxServer;
    import org.cometd.bayeux.server.ConfigurableServerChannel;
    import org.cometd.bayeux.server.ServerMessage;
    import org.cometd.bayeux.server.ServerSession;
    import org.cometd.server.authorizer.GrantAuthorizer;

    BayeuxServer bayeuxServer = ...;
    bayeuxServer.createIfAbsent("/television/cnn", new ConfigurableServerChannel.Initializer()
    {
        public void configureChannel(ConfigurableServerChannel channel)
        {
            // Grant subscribe to all
            channel.addAuthorizer(GrantAuthorizer.GRANT_SUBSCRIBE);
            // Grant publishes only to CNN employees
            channel.addAuthorizer(new Authorizer()
            {
                public Result authorize(Operation operation, ChannelId channel,
                                        ServerSession session, ServerMessage message)
                {
                    if (operation == Operation.PUBLISH &&
                        session.getAttribute("isCNNEmployee") == Boolean.TRUE)
                        return Result.grant();
                    else
                        // No opinion: other authorizers in the set decide
                        return Result.ignore();
                }
            });
        }
    });
A typical usage of authorizers is as follows:
- Create a wildcard authorizer that matches all channels and neither grants nor denies
(e.g. use org.cometd.server.authorizer.GrantAuthorizer.GRANT_NONE).
This authorizer can be added to channel /** or to a more specific channel for your application such as
/game/**.
This ensures that the authorizers set is not empty and that another authorizer must explicitly grant access.
- For public channels, that all users can access, add authorizers that will simply grant
publish and/or subscribe permissions to the specific or wildcard channels.
- For access-controlled channels (e.g. only nominated players can publish to a game channel),
specific authorizer implementations need to be created that will check identities and possibly other
state before granting permission.
Typically there is no need for such authorizers to explicitly deny access, unless the attempted access
represents a specific error condition that needs to be passed to the client in the message associated
with a deny.
- For cross-cutting concerns, such as checking a user's credit or implementing user bans, authorizers
can be created to explicitly deny access, without the need to modify all authorizers already in place
that may grant.
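The usage pattern above wired together with the API shown earlier, as an added example that is not CometD's own code: GRANT_NONE on /** keeps the authorizers set non-empty, a ban check on /** denies regardless of other grants, and /game/** grants subscribe to everyone but publish only to identified players. The session attribute names playerId and banned are assumptions of this example.

```java
import org.cometd.bayeux.ChannelId;
import org.cometd.bayeux.server.Authorizer;
import org.cometd.bayeux.server.BayeuxServer;
import org.cometd.bayeux.server.ConfigurableServerChannel;
import org.cometd.bayeux.server.ServerMessage;
import org.cometd.bayeux.server.ServerSession;
import org.cometd.server.authorizer.GrantAuthorizer;

public class GameAuthorizers {
    // Session attribute names are assumptions made for this example.
    static final String ATTR_PLAYER_ID = "playerId";
    static final String ATTR_BANNED = "banned";

    public static void configure(BayeuxServer bayeuxServer) {
        // 1. Catch-all that neither grants nor denies: the authorizers set is never
        //    empty, so every operation needs an explicit grant from another authorizer.
        bayeuxServer.createIfAbsent("/**", new ConfigurableServerChannel.Initializer() {
            public void configureChannel(ConfigurableServerChannel channel) {
                channel.addAuthorizer(GrantAuthorizer.GRANT_NONE);
                // Cross-cutting concern: one explicit deny wins over any grant, so a
                // banned session is refused everywhere without touching other authorizers.
                channel.addAuthorizer(new Authorizer() {
                    public Result authorize(Operation operation, ChannelId channel,
                                            ServerSession session, ServerMessage message) {
                        return Boolean.TRUE.equals(session.getAttribute(ATTR_BANNED))
                                ? Result.deny("banned")
                                : Result.ignore();
                    }
                });
            }
        });
        // 2. Game channels: public to read, publish restricted to identified players.
        bayeuxServer.createIfAbsent("/game/**", new ConfigurableServerChannel.Initializer() {
            public void configureChannel(ConfigurableServerChannel channel) {
                channel.addAuthorizer(GrantAuthorizer.GRANT_SUBSCRIBE);
                channel.addAuthorizer(new Authorizer() {
                    public Result authorize(Operation operation, ChannelId channel,
                                            ServerSession session, ServerMessage message) {
                        if (operation == Operation.PUBLISH
                                && session.getAttribute(ATTR_PLAYER_ID) != null)
                            return Result.grant();
                        // No opinion on other operations or unidentified sessions;
                        // with GRANT_NONE in the set, "ignore" from everyone means deny.
                        return Result.ignore();
                    }
                });
            }
        });
    }
}
```

Because the set for /game/lobby includes the /** authorizers, an unidentified session that tries to publish collects only ignores and is denied, while a banned player's publish is denied even though the player authorizer granted it.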