WebSecurityManager (Payara Project 4.1.2.174 API)

java.lang.Object
- com.sun.enterprise.security.web.integration.WebSecurityManager

```
public class WebSecurityManager
extends Object
```
The class implements the JSR 115 - JavaTM Authorization Contract for Containers. This class is a companion class of EJBSecurityManager. All the security decisions required to allow access to a resource are defined in that class.

Author:

Jean-Francois Arcand, Harpreet Singh.

Field Summary

Fields
Modifier and Type	Field and Description
`protected CodeSource`	`codesource`
`static String`	`CONSTRAINT_URI` Request path.
`protected javax.security.jacc.PolicyConfiguration`	`pc`
`protected javax.security.jacc.PolicyConfigurationFactory`	`pcf`
`protected Policy`	`policy`

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`protected boolean`	`checkPermission(Permission perm, Set principalSet)`
`void`	`destroy()`
`static String`	`getContextID(WebBundleDescriptor wbd)`
`boolean`	`hasNoConstrainedResources()` returns true to indicate that a policy check was made and there were no constrained resources.
`boolean`	`hasResourcePermission(javax.servlet.http.HttpServletRequest httpsr)` Perform access control based on the `HttpServletRequest`.
`boolean`	`hasRoleRefPermission(String servletName, String role, Principal p)`
`int`	`hasUserDataPermission(javax.servlet.http.HttpServletRequest httpsr, String uri, String httpMethod)` if uri == null, determine if the connection characteristics of the request satisfy the applicable policy.
`void`	`loadPolicyConfiguration()`
`boolean`	`permitAll(javax.servlet.http.HttpServletRequest req)`
`void`	`release()` Analogous to destroy, except does not remove links from Policy Context, and does not remove context_id from role mapper factory.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - CONSTRAINT_URI
```
public static final String CONSTRAINT_URI
```
    Request path. Copied from org.apache.catalina.Globals; Required to break dependence on WebTier of Security Module
    
    See Also:
    
    Constant Field Values
  - policy
```
protected Policy policy
```
  - pc
```
protected javax.security.jacc.PolicyConfiguration pc
```
  - pcf
```
protected javax.security.jacc.PolicyConfigurationFactory pcf
```
  - codesource
```
protected CodeSource codesource
```
- Method Detail
  - getContextID
```
public static String getContextID(WebBundleDescriptor wbd)
```
  - loadPolicyConfiguration
```
public void loadPolicyConfiguration()
                             throws javax.security.jacc.PolicyContextException
```
    Throws:
    
    javax.security.jacc.PolicyContextException
  - permitAll
```
public boolean permitAll(javax.servlet.http.HttpServletRequest req)
```
  - checkPermission
```
protected boolean checkPermission(Permission perm,
                                  Set principalSet)
```
  - hasResourcePermission
```
public boolean hasResourcePermission(javax.servlet.http.HttpServletRequest httpsr)
```
    Perform access control based on the HttpServletRequest. Return true if this constraint is satisfied and processing should continue, or false otherwise.
    
    Returns:
    
    true is the resource is granted, false if denied
  - hasRoleRefPermission
```
public boolean hasRoleRefPermission(String servletName,
                                    String role,
                                    Principal p)
```
  - hasUserDataPermission
```
public int hasUserDataPermission(javax.servlet.http.HttpServletRequest httpsr,
                                 String uri,
                                 String httpMethod)
```
    if uri == null, determine if the connection characteristics of the request satisfy the applicable policy. If the uri is not null, determine if the uri and Http method require a CONFIDENTIAL transport. The uri value does not include the context path, and any colons occurring in the uri must be escaped.
    
    Returns:
    
    1 if access is permitted (as is or without SSL). -1 if the the access will be permitted after a redirect to SSL. return 0 if access will be denied independent of whether a redirect to SSL is done. Note: this method is not intended to be called if the request is secure. it checks whether the resource can be accessed over the current connection type (which is presumed to be insecure), and if an insecure connection type is not permitted it checks if the resource can be accessed via a confidential transport. If the request is secure, the second check is skipped, and the proper result is returned (but that is not the intended use model).
  - destroy
```
public void destroy()
             throws javax.security.jacc.PolicyContextException
```
    Throws:
    
    javax.security.jacc.PolicyContextException
  - release
```
public void release()
             throws javax.security.jacc.PolicyContextException
```
    Analogous to destroy, except does not remove links from Policy Context, and does not remove context_id from role mapper factory. Used to support Policy Changes that occur via ServletContextListener.
    
    Throws:
    
    javax.security.jacc.PolicyContextException
  - hasNoConstrainedResources
```
public boolean hasNoConstrainedResources()
```
    returns true to indicate that a policy check was made and there were no constrained resources. when caching is disabled must always return false, which will ensure that policy is consulted to authorize each request.

Class WebSecurityManager

Field Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

CONSTRAINT_URI

policy

pc

pcf

codesource

Method Detail

getContextID

loadPolicyConfiguration

permitAll

checkPermission

hasResourcePermission

hasRoleRefPermission

hasUserDataPermission

destroy

release

hasNoConstrainedResources