Welcome to the jGuard's wiki » jGuard Documentation » How to create its own Permission

How to create its own Permission

Last modified by RaffaelloPelagalli on 2007/01/24 14:45

How to create its own Permission

what is a permission?

a Permission is a class which represents an access to one or multiple ressources. this class is used by access Control mechanism to protect your ressources. Access control can be done in multiple points. but you should control access homogeneously.

do i need to create a custom permission?

jGuard can handle in its authorization system, any Permission subclasses.

it provides also a convenient Permission to represents access to URL:

so, if your ressources can only be accessed by http(through a navigator for example), you should use the jGuard URLPermission. otherwise,you have to create your own Permission implementation, or use some permissions implementations provided by the java j2se platform like :

Permissions available on java 1.4.2 and higher

Permissions available on java 1.5.0 and higher

Permissions available on java 1.6.0 and higher


Ressources and Permissions relationships

In most cases,Access/use of ressources, are "translated" in java by instantiation of objects, or execution of methods : indirectly,it's these constructors/methods that you want to protect.

In java (i.e in the java platform or in custom code),Ressource protect "themselves" against misuse: the corresponding method involved, create the related permission which will decide if access should be granted.

if your ressource is designed by the Class Ressource, and like no provided permissions are suitable to protect your ressource, you will have too create a RessourcePermission. here is an example of the Ressource class:

public class Ressource{
  private String ressourceName = null;
 public Ressource(String name)throws SecurityException{
   this.ressourceName = name;
   AccessController.checkPermission(new RessourcePermission(this.ressourceName,"create"));
 public void inactivateRessource(Collection coll)throws SecurityException{
   AccessController.checkPermission(new RessourcePermission(this.ressourceName,"inactivate"));
   //inactivation code executed only if the user which calls this code has got the rights permissions
public void updateRessource(Collection coll)throws SecurityException{
   AccessController.checkPermission(new RessourcePermission(this.ressourceName,"update"));
   //update code executed only if the user which calls this code has got the rights permissions

the 'magic' code

AccessController.checkPermission(new RessourcePermission(...));
will invoke a JAAS mechanism to automatically check if the user has got the right permission; otherwise, it will throw a SecurityException. access Control is delegated to the RessourcePermission. A protected ressource can be any kind of ressource, like a physical ressource (a file), but although a LOGICAL ressource like a Debt, a pizzaService(??)....

note that AccessController.checkPermission(....) will always check access, also when the securityManager is not set.When the default securityManager is set, it delegates all the permission checks to AccessController. but if a custom SecurityManager is set, if you call the checkPermission from the SecurityManager, you are not sure that the AccessController class will be called(it's the choice of the SecurityManager custom implementation).

so,for backward compatibility, and to enable access control only when the securityManager is set, you can replace

SecurityManager sManager= Security.getSecurityManager();
if(sManager != null)
 sManager.checkPermission(new Ressourcepermission(...));

implement your own permission:some rules to follow

if you need to protect a ressource( not mapped by any Permission implementations described on top of this page), you have to create your own permission. to do it, you have to extends Permission.

Permissions are often created by the ressources to protect. So, this ressource will give to the Permission the needed informations to 'qualify' the permission, to know what's the caller thread want to do. Permission qualifies actions needed on the Ressource, and decides if the needed permission is compatible with the Permissions owned by the calling thread.

Permission abstract class

here are the methods you need to implements.

  • Permission(String name)
Permission abstract class to extend,implies a Constructor with a name to identify the Permission.

  • boolean equals(Object obj)
this method must be implemented in your subclass.its goal is to test equality of Permissions of the same type, and NOT implies another permission; a dedicated implies method do that.

  • String getActions()
this method must be implemented in your subclass. if you use an additional 'actions' parameter, you will return it; otherwise, return an empty string("").

in our example, the class Ressource give to the RessourcePermission a name and one action String which can be "create","inactivate" or "update".

  • int hashCode()
this method must be implemented in your subclass.

  • boolean implies(Permission permission)
this method is used when JAAS checks that the calling thread (in most cases the user),has got one permission or more which implies this one. so, all your custom code to know if the permission of the caller implies this one should be placed here. This method is the main difference between multiple Permission implementations.


it exists a subclass of Permission called BasicPermission, which provides a convenient mechanism to guards some simple Ressources. it provides also one more constructor with two String(name and actions).

Created by diabolo512 on 2006/02/09 14:36

jGuard team copyright 2004-2009