Provides classes necessary to control policy, permissions and roles. The authorization model in WASP is built upon JAAS and the Java Security API; it uses standard Java security classes such as {@link java.security.Principal Principal}, {@link java.security.Permission Permission} and {@link javax.security.auth.Subject Subject}. The functionality of standard Java security is extended to provide better control of {@link javax.security.auth.Policy Policy}, including runtime management and roles.
The UpdateablePolicy and WASPAccessController classes enable access control for WASP Server.
The UpdateablePolicy class extends java.security.Policy and provides methods for managing roles and for modifying permission assignments (both to roles and to users) during runtime. Not all the methods of the updatable policy must be implemented; only the methods inherited from the JAAS Policy and the metadata methods (canManageRoles and isUpdateable) are required.
The WASPAccessController class checks the permissions of the invoking client. More specifically, its static checkPermission method checks whether the subject contained in the received credentials is granted the desired permission.
WASP enables the creation and management of roles. Role management is available through the role-oriented methods of the updatable policy. Each role must have a unique name and can contain any Java permission except the WASPRole permission, which is the permission used to assign a role to a principal. A permission query for a subject's collection of principals (UpdateablePolicy.getPermissions) always returns the union of the permissions of those principals.
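
The role rules described above (unique role names, no role-assigning permission inside a role, and a per-subject result that is the union over all principals), sketched with standard Java security classes only. This is an added example, not WASP code: RolePermission, the in-memory maps and all method names are hypothetical stand-ins and do not reproduce the UpdateablePolicy or WASPAccessController signatures.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class RoleUnionSketch {
    // Hypothetical stand-in for the WASPRole permission: its name is the role it assigns.
    static final class RolePermission extends BasicPermission {
        RolePermission(String role) { super(role); }
    }

    // Constructed in-memory store: role name -> permissions, principal name -> grants.
    static final Map<String, List<Permission>> roles = new HashMap<>();
    static final Map<String, List<Permission>> grants = new HashMap<>();

    static void defineRole(String name, Permission... perms) {
        if (roles.containsKey(name))
            throw new IllegalArgumentException("role name must be unique: " + name);
        for (Permission p : perms)
            if (p instanceof RolePermission)
                throw new IllegalArgumentException("a role cannot contain a role permission");
        roles.put(name, Arrays.asList(perms));
    }

    // Union over every principal of the subject, with role grants expanded.
    static PermissionCollection permissionsOf(Subject subject) {
        Permissions union = new Permissions();
        for (Principal principal : subject.getPrincipals())
            for (Permission g : grants.getOrDefault(principal.getName(), List.of()))
                if (g instanceof RolePermission)
                    roles.getOrDefault(g.getName(), List.of()).forEach(union::add);
                else
                    union.add(g);
        return union;
    }

    static boolean isGranted(Subject subject, Permission wanted) {
        return permissionsOf(subject).implies(wanted);
    }

    public static void main(String[] args) {
        defineRole("operator", new RuntimePermission("service.restart"));
        grants.put("CN=alice", List.of(new RuntimePermission("service.status")));
        grants.put("CN=ops-team", List.of(new RolePermission("operator")));
        Subject s = new Subject();
        s.getPrincipals().add(new X500Principal("CN=alice"));
        s.getPrincipals().add(new X500Principal("CN=ops-team"));
        // Granted only through the role held by the second principal.
        System.out.println(isGranted(s, new RuntimePermission("service.restart")));
        // Granted to no principal and contained in no role.
        System.out.println(isGranted(s, new RuntimePermission("service.stop")));
    }
}
```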