public interface MethodInvocationAuthorizer
Method is allowed to be executed on a specific Object instance. Implementations of this interface should provide a no-arg constructor. There are mainly four security risks when allowing users to execute arbitrary methods in OQL, which should be addressed by implementations of this interface:
String parameters. This method exists to allow user-specified method authorizers to be configured and used at runtime. If this method is not overridden in a user-specified authorizer, then that authorizer will not be configurable.
Executes the authorization logic to determine whether the method is allowed to be executed on the target object instance. Implementation Note: the query engine remembers whether the method invocation has already been authorized for the current query context, so this method is called once in the lifetime of a query for every new method seen while traversing the objects. Nevertheless, the implementation should be lightning fast, as it is called by the OQL engine at runtime during query execution.
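A deny-by-default implementation of the contract described above, as an added example that is not part of the original documentation or the project's own code. It assumes the interface is Apache Geode's org.apache.geode.cache.query.security.MethodInvocationAuthorizer with the methods initialize(Cache, Set<String>) and authorize(Method, Object); the class name AllowListMethodAuthorizer and the "Class#method" parameter format are hypothetical choices made for this example.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.geode.cache.Cache;
import org.apache.geode.cache.query.security.MethodInvocationAuthorizer;

// Added example: authorizer that permits only explicitly listed methods.
public class AllowListMethodAuthorizer implements MethodInvocationAuthorizer {

  // Immutable snapshot swapped in by initialize(); reads need no locking,
  // which keeps authorize() cheap on the query execution path.
  private volatile Set<String> allowed = Collections.emptySet();

  // No-arg constructor, as the interface documentation asks for.
  public AllowListMethodAuthorizer() {}

  // Assumption of this example: each parameter is "<class name>#<method name>".
  @Override
  public void initialize(Cache cache, Set<String> parameters) {
    Set<String> entries = new HashSet<>();
    if (parameters != null) {
      for (String p : parameters) {
        String entry = (p == null) ? "" : p.trim();
        int sep = entry.indexOf('#');
        if (sep <= 0 || sep == entry.length() - 1) {
          // Fail closed at configuration time rather than guessing intent.
          throw new IllegalArgumentException("Expected Class#method, got: " + p);
        }
        entries.add(entry);
      }
    }
    allowed = Collections.unmodifiableSet(entries);
  }

  @Override
  public boolean authorize(Method method, Object target) {
    if (method == null || target == null) {
      return false;
    }
    // Only public instance methods are ever candidates.
    int mods = method.getModifiers();
    if (!Modifier.isPublic(mods) || Modifier.isStatic(mods)) {
      return false;
    }
    // Key on the target's runtime class so an entry for one class does not
    // implicitly authorize the same method name on a different class.
    return allowed.contains(target.getClass().getName() + "#" + method.getName());
  }
}
```

Before initialize is called, or when it is called with no parameters, the allow-list is empty and every invocation is rejected.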