Authorizationinterface encapsulates an authorization context on which bundles can base authorization decisions, where appropriate.
Bundles associate the privilege to access restricted resources or operations
with roles. Before granting access to a restricted resource or operation, a
bundle will check if the
Authorization object passed to it possess
the required role, by calling its
Authorization contexts are instantiated by calling the
Trusting Authorization objects
There are no restrictions regarding the creation of
objects. Hence, a service must only accept
Authorization objects from
bundles that has been authorized to use the service using code based (or Java
In some cases it is useful to use
ServicePermission to do the code
based access control. A service basing user access control on
Authorization objects passed to it, will then require that a calling
bundle has the
ServicePermission to get the service in question. This
is the most convenient way. The OSGi environment will do the code based
permission check when the calling bundle attempts to get the service from the
Example: A servlet using a service on a user's behalf. The bundle with the
servlet must be given the
ServicePermission to get the Http Service.
However, in some cases the code based permission checks need to be more fine-grained. A service might allow all bundles to get it, but require certain code based permissions for some of its methods.
Example: A servlet using a service on a user's behalf, where some service
functionality is open to anyone, and some is restricted by code based
permissions. When a restricted method is called (e.g., one handing over an
Authorization object), the service explicitly checks that the calling
bundle has permission to make the call.
- "Consumers of this API must not implement this interface"
- The name of the
Userobject that this
Authorizationcontext was created for, or
nullif no user was specified when this
Authorizationcontext was created.
(String name)Checks if the role with the specified name is implied by this
Bundles must define globally unique role names that are associated with the privilege of accessing restricted resources or operations. Operators will grant users access to these resources, by creating a
Groupobject for each role and adding
Userobjects to it.
name- The name of the role to check for.
Authorizationcontext implies the specified role, otherwise
getRolesString getRoles()Gets the names of all roles implied by this
- The names of all roles implied by this
nullif no roles are in the context. The predefined role
user.anyonewill not be included in this list.