001/** 002 * Copyright 2005-2016 The Kuali Foundation 003 * 004 * Licensed under the Educational Community License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.opensource.org/licenses/ecl2.php 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016package org.kuali.rice.kim.api.permission; 017 018import org.kuali.rice.core.api.criteria.QueryByCriteria; 019import org.kuali.rice.core.api.exception.RiceIllegalArgumentException; 020import org.kuali.rice.core.api.exception.RiceIllegalStateException; 021import org.kuali.rice.core.api.util.jaxb.MapStringStringAdapter; 022import org.kuali.rice.kim.api.KimConstants; 023import org.kuali.rice.kim.api.common.assignee.Assignee; 024import org.kuali.rice.kim.api.common.template.Template; 025import org.kuali.rice.kim.api.common.template.TemplateQueryResults; 026import org.springframework.cache.annotation.CacheEvict; 027import org.springframework.cache.annotation.Cacheable; 028 029import javax.jws.WebMethod; 030import javax.jws.WebParam; 031import javax.jws.WebResult; 032import javax.jws.WebService; 033import javax.jws.soap.SOAPBinding; 034import javax.xml.bind.annotation.XmlElement; 035import javax.xml.bind.annotation.XmlElementWrapper; 036import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; 037import java.util.List; 038import java.util.Map; 039 040/** 041 * This service provides operations for evaluating permissions and querying for permission data. 042 * 043 * <p>A permission is the ability to perform an action. All permissions have a permission template. 044 * Both permissions and permission templates are uniquely identified by a namespace code plus a name. 045 * The permission template defines the course-grained permission and specifies what additional 046 * permission details need to be collected on permissions that use that template. For example, a 047 * permission template might have a name of "Initiate Document" which requires a permission detail 048 * specifying the document type that can be initiated. A permission created from the "Initiate Document" 049 * template would define the name of the specific Document Type that can be initiated as a permission 050 * detail. 051 * 052 * <p>The isAuthorized and isAuthorizedByTemplate operations 053 * on this service are used to execute authorization checks for a principal against a 054 * permission. Permissions are always assigned to roles (never directly to a principal or 055 * group). A particular principal will be authorized for a given permission if the permission 056 * evaluates to true (according to the permission evaluation logic and based on any supplied 057 * permission details) and that principal is assigned to a role which has been granted the permission. 058 * 059 * <p>The actual logic for how permission evaluation logic is defined and executed is dependent upon 060 * the permission service implementation. However, it will typically be associated with the permission 061 * template used on the permission. 062 * 063 * @author Kuali Rice Team (rice.collab@kuali.org) 064 */ 065@WebService(name = "permissionService", targetNamespace = KimConstants.Namespaces.KIM_NAMESPACE_2_0) 066@SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = SOAPBinding.Use.LITERAL, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED) 067public interface PermissionService { 068 069 /** 070 * This will create a {@link org.kuali.rice.kim.api.permission.Permission} exactly like the permission passed in. 071 * 072 * @param permission the permission to create 073 * @return the newly created object. will never be null. 074 * @throws RiceIllegalArgumentException if the permission is null 075 * @throws RiceIllegalStateException if the permission is already existing in the system 076 */ 077 @WebMethod(operationName="createPermission") 078 @WebResult(name = "permission") 079 @CacheEvict(value={Permission.Cache.NAME, Template.Cache.NAME + "{Permission}"}, allEntries = true) 080 Permission createPermission(@WebParam(name = "permission") Permission permission) 081 throws RiceIllegalArgumentException, RiceIllegalStateException; 082 083 /** 084 * This will update a {@link Permission}. 085 * 086 * @param permission the permission to update 087 * @return the updated object. will never be null 088 * @throws RiceIllegalArgumentException if the permission is null 089 * @throws RiceIllegalStateException if the permission does not exist in the system 090 */ 091 @WebMethod(operationName="updatePermission") 092 @WebResult(name = "permission") 093 @CacheEvict(value={Permission.Cache.NAME, Template.Cache.NAME + "{Permission}"}, allEntries = true) 094 Permission updatePermission(@WebParam(name = "permission") Permission permission) 095 throws RiceIllegalArgumentException, RiceIllegalStateException; 096 097 // -------------------- 098 // Authorization Checks 099 // -------------------- 100 101 /** 102 * Checks in a given principal id has a permission using the passed in permission information. 103 * This method should not be used for true authorization checks since a principal 104 * may only have this permission within a given context. It could be used to 105 * identify that the user would have some permissions within a certain area. 106 * Later checks would identify exactly what permissions were granted. 107 * 108 * It can also be used when the client application KNOWS that this is a role which 109 * is never qualified. 110 * 111 * @param principalId the principal id to check. cannot be null or blank. 112 * @param namespaceCode the namespace code. cannot be null or blank. 113 * @param permissionName the permission name. cannot be null or blank. 114 * @return true is principal has permission 115 * @throws RiceIllegalArgumentException if the principalId, namespaceCode, permissionName is null or blank 116 */ 117 @WebMethod(operationName = "hasPermission") 118 @WebResult(name = "hasPermission") 119 boolean hasPermission( @WebParam(name="principalId") String principalId, 120 @WebParam(name="namespaceCode") String namespaceCode, 121 @WebParam(name="permissionName") String permissionName) throws RiceIllegalArgumentException; 122 123 124 125 /** 126 * Checks whether the given qualified permission is granted to the principal given 127 * the passed roleQualification. If no roleQualification is passed (null or empty) 128 * then this method behaves the same as {@link #hasPermission(String, String, String)}. 129 * 130 * Each role assigned to the principal is checked for qualifications. If a qualifier 131 * exists on the principal's membership in that role, that is checked first through 132 * the role's type service. Once it is determined that the principal has the role 133 * in the given context (qualification), the permissions are examined. 134 * 135 * 136 * @param principalId the principal id to check. cannot be null or blank. 137 * @param namespaceCode the namespace code. cannot be null or blank. 138 * @param permissionName the permission name. cannot be null or blank. 139 * @param qualification the qualifications to test against. 140 * @return true is principal has permission 141 * @throws RiceIllegalArgumentException if the principalId, namespaceCode, permissionName is null or blank 142 */ 143 @WebMethod(operationName = "isAuthorized") 144 @WebResult(name = "isAuthorized") 145 boolean isAuthorized( @WebParam(name="principalId") String principalId, 146 @WebParam(name="namespaceCode") String namespaceCode, 147 @WebParam(name="permissionName") String permissionName, 148 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) 149 @WebParam(name="qualification") Map<String, String> qualification ) throws RiceIllegalArgumentException; 150 151 /** 152 * Checks whether the principal has been granted a permission matching the given details 153 * without taking role qualifiers into account. 154 * 155 * This method should not be used for true authorization checks since a principal 156 * may only have this permission within a given context. It could be used to 157 * identify that the user would have some permissions within a certain area. 158 * Later checks would identify exactly what permissions were granted. 159 * 160 * It can also be used when the client application KNOWS that this is a role which 161 * is never qualified. 162 * 163 * @param principalId the principal id to check. cannot be null or blank. 164 * @param namespaceCode the namespace code. cannot be null or blank. 165 * @param permissionTemplateName the permission name. cannot be null or blank. 166 * @param permissionDetails the permission details 167 * @return true is principal has permission 168 * @throws RiceIllegalArgumentException if the principalId, namespaceCode, permissionName is null or blank 169 */ 170 @WebMethod(operationName = "hasPermissionByTemplate") 171 @WebResult(name = "hasPermission") 172 boolean hasPermissionByTemplate(@WebParam(name = "principalId") String principalId, 173 @WebParam(name = "namespaceCode") String namespaceCode, 174 @WebParam(name = "permissionTemplateName") String permissionTemplateName, 175 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) @WebParam( 176 name = "permissionDetails") Map<String, String> permissionDetails) throws RiceIllegalArgumentException; 177 178 179 /** 180 * Checks whether the given qualified permission is granted to the principal given 181 * the passed roleQualification. If no roleQualification is passed (null or empty) 182 * then this method behaves the same as {@link #hasPermission(String, String, String)}. 183 * 184 * Each role assigned to the principal is checked for qualifications. If a qualifier 185 * exists on the principal's membership in that role, that is checked first through 186 * the role's type service. Once it is determined that the principal has the role 187 * in the given context (qualification), the permissions are examined. 188 * 189 * Each permission is checked against the permissionDetails. The PermissionTypeService 190 * is called for each permission with the given permissionName to see if the 191 * permissionDetails matches its details. 192 * 193 * @param principalId the principal id to check. cannot be null or blank. 194 * @param namespaceCode the namespace code. cannot be null or blank. 195 * @param permissionTemplateName the permission name. cannot be null or blank. 196 * @param permissionDetails the permission details 197 * @param qualification the permission qualifications 198 * @return true is principal has permission 199 * @throws RiceIllegalArgumentException if the principalId, namespaceCode, permissionName is null or blank 200 */ 201 @WebMethod(operationName = "isAuthorizedByTemplate") 202 @WebResult(name = "isAuthorized") 203 boolean isAuthorizedByTemplate(@WebParam(name = "principalId") String principalId, 204 @WebParam(name = "namespaceCode") String namespaceCode, 205 @WebParam(name = "permissionTemplateName") String permissionTemplateName, 206 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) 207 @WebParam(name = "permissionDetails") Map<String, String> permissionDetails, 208 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) 209 @WebParam(name = "qualification") Map<String, String> qualification) 210 throws RiceIllegalArgumentException; 211 212 213 /** 214 * Get the list of principals/groups who have a given permission. This also returns delegates 215 * for the given principals/groups who also have this permission given the context in the 216 * qualification parameter. 217 * 218 * Each role assigned to the principal is checked for qualifications. If a qualifier 219 * exists on the principal's membership in that role, that is checked first through 220 * the role's type service. Once it is determined that the principal has the role 221 * in the given context (qualification), the permissions are examined. 222 * 223 * @param namespaceCode the namespace code. cannot be null or blank. 224 * @param permissionName the permission name. cannot be null or blank. 225 * @param qualification the permission qualifications 226 * @return list of assignees that have been assigned the permissions 227 * @throws RiceIllegalArgumentException if the principalId, namespaceCode, permissionName is null or blank 228 */ 229 @WebMethod(operationName = "getPermissionAssignees") 230 @XmlElementWrapper(name = "assignees", required = true) 231 @XmlElement(name = "assignee", required = false) 232 @WebResult(name = "assignees") 233 List<Assignee> getPermissionAssignees( @WebParam(name="namespaceCode") String namespaceCode, 234 @WebParam(name="permissionName") String permissionName, 235 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) 236 @WebParam(name="qualification") Map<String, String> qualification ) 237 throws RiceIllegalArgumentException; 238 239 /** 240 * Get the list of principals/groups who have a given permission that match the given 241 * permission template and permission details. This also returns delegates 242 * for the given principals/groups who also have this permission given the context in the 243 * qualification parameter. 244 * 245 * Each role assigned to the principal is checked for qualifications. If a qualifier 246 * exists on the principal's membership in that role, that is checked first through 247 * the role's type service. Once it is determined that the principal has the role 248 * in the given context (qualification), the permissions are examined. 249 * 250 * @param namespaceCode the namespace code. cannot be null or blank. 251 * @param permissionTemplateName the permission name. cannot be null or blank. 252 * @param permissionDetails the permission details. 253 * @param qualification the permission qualifications 254 * @return list of assignees that have been assigned the permissions by template 255 * @throws RiceIllegalArgumentException if the principalId, namespaceCode, permissionName is null or blank 256 */ 257 @WebMethod(operationName = "getPermissionAssigneesByTemplate") 258 @XmlElementWrapper(name = "assignees", required = true) 259 @XmlElement(name = "assignee", required = false) 260 @WebResult(name = "assignees") 261 List<Assignee> getPermissionAssigneesByTemplate(@WebParam(name = "namespaceCode") String namespaceCode, 262 @WebParam(name = "permissionTemplateName") String permissionTemplateName, 263 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) @WebParam( 264 name = "permissionDetails") Map<String, String> permissionDetails, 265 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) @WebParam( 266 name = "qualification") Map<String, String> qualification) throws RiceIllegalArgumentException; 267 268 /** 269 * Returns true if the given permission is defined on any Roles. 270 * 271 * @param namespaceCode the namespace code. cannot be null or blank. 272 * @param permissionName the permission name. cannot be null or blank. 273 * @return true if given permission is defined on any Roles 274 * @throws RiceIllegalArgumentException if the namespaceCode or permissionName is null or blank 275 */ 276 @WebMethod(operationName = "isPermissionDefined") 277 @WebResult(name = "isPermissionDefined") 278 @Cacheable(value= Permission.Cache.NAME, key="'{isPermissionDefined}' + 'namespaceCode=' + #p0 + '|' + 'permissionName=' + #p1") 279 boolean isPermissionDefined( @WebParam(name="namespaceCode") String namespaceCode, 280 @WebParam(name="permissionName") String permissionName) 281 throws RiceIllegalArgumentException; 282 283 /** 284 * Returns true if the given permission template is defined on any Roles. 285 * 286 * @param namespaceCode the namespace code. cannot be null or blank. 287 * @param permissionTemplateName the permission name. cannot be null or blank. 288 * @param permissionDetails the permission template details 289 * @return true if given permission template is defined on any Roles 290 * @throws RiceIllegalArgumentException if the namespaceCode or permissionName is null or blank 291 */ 292 @WebMethod(operationName = "isPermissionDefinedByTemplate") 293 @WebResult(name = "isPermissionDefinedByTemplate") 294 @Cacheable(value= Permission.Cache.NAME, key="'{isPermissionDefinedByTemplate}' + 'namespaceCode=' + #p0 + '|' + 'permissionTemplateName=' + #p1 + '|' + 'permissionDetails=' + T(org.kuali.rice.core.api.cache.CacheKeyUtils).mapKey(#p2)") 295 boolean isPermissionDefinedByTemplate(@WebParam(name = "namespaceCode") 296 String namespaceCode, 297 @WebParam(name = "permissionTemplateName") 298 String permissionTemplateName, 299 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) 300 @WebParam(name = "permissionDetails") 301 Map<String, String> permissionDetails) 302 throws RiceIllegalArgumentException; 303 304 /** 305 * Returns permissions (with their details) that are granted to the principal given 306 * the passed qualification. If no qualification is passed (null or empty) 307 * then this method does not check any qualifications on the roles. 308 * 309 * After the permissions are determined, the roles that hold those permissions are determined. 310 * Each role that matches between the principal and the permission objects is checked for 311 * qualifications. If a qualifier 312 * exists on the principal's membership in that role, that is checked through 313 * the role's type service. 314 * 315 * @param principalId the principal Id. cannot be null or blank. 316 * @param namespaceCode the namespace code. cannot be null or blank. 317 * @param permissionName the permission name. cannot be null or blank. 318 * @param qualification the permission qualifications 319 * @return list of permissions that are authorized with the given parameters 320 * @throws RiceIllegalArgumentException if the principalId, namespaceCode or permissionName is null or blank 321 */ 322 @WebMethod(operationName = "getAuthorizedPermissions") 323 @XmlElementWrapper(name = "permissions", required = true) 324 @XmlElement(name = "permission", required = false) 325 @WebResult(name = "permissions") 326 List<Permission> getAuthorizedPermissions( @WebParam(name="principalId") String principalId, 327 @WebParam(name="namespaceCode") String namespaceCode, 328 @WebParam(name="permissionName") String permissionName, 329 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) 330 @WebParam(name="qualification") Map<String, String> qualification ) 331 throws RiceIllegalArgumentException; 332 333 /** 334 * Returns permissions (with their details) that are granted to the principal given 335 * the passed qualification. If no qualification is passed (null or empty) 336 * then this method does not check any qualifications on the roles. 337 * 338 * All permissions with the given name are checked against the permissionDetails. 339 * The PermissionTypeService is called for each permission to see if the 340 * permissionDetails matches its details. 341 * 342 * An asterisk (*) as a value in any permissionDetails key-value pair will match any value. 343 * This forms a way to provide a wildcard to obtain multiple permissions in one call. 344 * 345 * After the permissions are determined, the roles that hold those permissions are determined. 346 * Each role that matches between the principal and the permission objects is checked for 347 * qualifications. If a qualifier 348 * exists on the principal's membership in that role, that is checked through 349 * the role's type service. 350 * 351 * @param principalId the principal Id. cannot be null or blank. 352 * @param namespaceCode the namespace code. cannot be null or blank. 353 * @param permissionTemplateName the permission name. cannot be null or blank. 354 * @param permissionDetails the permission template details. 355 * @param qualification the permission qualifications 356 * @return list of permissions that are authorized with the given parameters 357 * @throws RiceIllegalArgumentException if the principalId, namespaceCode or permissionTemplateName is null or blank 358 */ 359 @WebMethod(operationName = "getAuthorizedPermissionsByTemplate") 360 @XmlElementWrapper(name = "permissions", required = true) 361 @XmlElement(name = "permission", required = false) 362 @WebResult(name = "permissions") 363 List<Permission> getAuthorizedPermissionsByTemplate(@WebParam(name = "principalId") String principalId, 364 @WebParam(name = "namespaceCode") String namespaceCode, 365 @WebParam(name = "permissionTemplateName") String permissionTemplateName, 366 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) @WebParam( 367 name = "permissionDetails") Map<String, String> permissionDetails, 368 @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) @WebParam( 369 name = "qualification") Map<String, String> qualification) throws RiceIllegalArgumentException; 370 371 // -------------------- 372 // Permission Data 373 // -------------------- 374 375 /** 376 * Gets a {@link org.kuali.rice.kim.api.permission.Permission} from an id. 377 * 378 * <p> 379 * This method will return null if the permission does not exist. 380 * </p> 381 * 382 * @param id the unique id to retrieve the permission by. cannot be null or blank. 383 * @return a {@link org.kuali.rice.kim.api.permission.Permission} or null 384 * @throws RiceIllegalArgumentException if the id is null or blank 385 */ 386 @WebMethod(operationName = "getPermission") 387 @WebResult(name = "permission") 388 @Cacheable(value=Permission.Cache.NAME, key="'id=' + #p0") 389 Permission getPermission( @WebParam(name="id") String id ); 390 391 /** 392 * Gets a {@link org.kuali.rice.kim.api.permission.Permission} with the unique combination of namespace and name. 393 * 394 * <p> 395 * This method will return null if the permission does not exist. 396 * </p> 397 * 398 * @param namespaceCode namespace code for permission. cannot be null or blank. 399 * @param name name of permission. cannot be null or blank. 400 * @return a {@link org.kuali.rice.kim.api.permission.Permission} or null 401 * @throws RiceIllegalArgumentException if the namespaceCode or name is null or blank 402 */ 403 @WebMethod(operationName = "findPermByNamespaceCodeAndName") 404 @WebResult(name = "permission") 405 @Cacheable(value=Permission.Cache.NAME, key="'namespaceCode=' + #p0 + '|' + 'name=' + #p1") 406 Permission findPermByNamespaceCodeAndName( 407 @WebParam(name = "namespaceCode") String namespaceCode, 408 @WebParam(name = "name") String name) 409 throws RiceIllegalArgumentException; 410 411 /** 412 * Return the permissions for the given unique combination of namespace, 413 * component and permission template name. 414 * 415 * @param namespaceCode namespace code for permission. cannot be null or blank. 416 * @param templateName name of permission template. cannot be null or blank. 417 * @return a list of {@link org.kuali.rice.kim.api.permission.Permission} or null 418 * @throws RiceIllegalArgumentException if the namespaceCode or name is null or blank 419 */ 420 @WebMethod(operationName = "findPermissionsByTemplate") 421 @XmlElementWrapper(name = "permissions", required = true) 422 @XmlElement(name = "permission", required = false) 423 @WebResult(name = "permissions") 424 @Cacheable(value=Permission.Cache.NAME, key="'namespaceCode=' + #p1 + '|' + 'templateName=' + #p2") 425 List<Permission> findPermissionsByTemplate( 426 @WebParam(name = "namespaceCode") String namespaceCode, 427 @WebParam(name = "templateName") String templateName) 428 throws RiceIllegalArgumentException; 429 430 /** 431 * Gets a {@link Template} from an id. 432 * 433 * <p> 434 * This method will return null if the template does not exist. 435 * </p> 436 * 437 * @param id the unique id to retrieve the template by. cannot be null or blank. 438 * @return a {@link Template} or null 439 * @throws RiceIllegalArgumentException if the id is null or blank 440 */ 441 @WebMethod(operationName = "getPermissionTemplate") 442 @WebResult(name = "id") 443 @Cacheable(value=Template.Cache.NAME + "{Permission}", key="'id=' + #p0") 444 Template getPermissionTemplate( @WebParam(name="id") String id ) throws RiceIllegalArgumentException; 445 446 /** 447 * Finds a {@link Template} for namespaceCode and name. 448 * 449 * @param namespaceCode the namespace code. cannot be null or blank. 450 * @param name the template name. cannot be null or blank. 451 * @return a {@link Template} or null 452 * @throws RiceIllegalArgumentException if the id or namespaceCode is null or blank 453 */ 454 @WebMethod(operationName = "findPermTemplateByNamespaceCodeAndName") 455 @WebResult(name = "permissionTemplate") 456 @Cacheable(value=Template.Cache.NAME + "{Permission}", key="'namespaceCode=' + #p0 + '|' + 'name=' + #p1") 457 Template findPermTemplateByNamespaceCodeAndName( 458 @WebParam(name = "namespaceCode") String namespaceCode, 459 @WebParam(name = "name") String name) throws RiceIllegalArgumentException; 460 461 462 /** 463 * Finds a {@link Template} for namespaceCode and name. 464 * 465 * @return a list of {@link Template} or an empty list if none found 466 */ 467 @WebMethod(operationName = "getAllTemplates") 468 @XmlElementWrapper(name = "templates", required = true) 469 @XmlElement(name = "template", required = false) 470 @WebResult(name = "templates") 471 @Cacheable(value=Template.Cache.NAME + "{Permission}", key="'all'") 472 List<Template> getAllTemplates(); 473 474 /** 475 * Get the role IDs for the given permission. 476 * 477 * @param namespaceCode the permission namespace code. cannot be null or blank. 478 * @param permissionName the permission name. cannot be null or blank. 479 * @return a list of role Ids, or an empty list if none found 480 * @throws RiceIllegalArgumentException if the namespaceCode or permissionName is null or blank 481 */ 482 @WebMethod(operationName = "getRoleIdsForPermission") 483 @XmlElementWrapper(name = "roleIds", required = true) 484 @XmlElement(name = "roleId", required = false) 485 @WebResult(name = "roleIds") 486 @Cacheable(value=Permission.Cache.NAME, key="'{RoleIds}namespaceCode=' + #p0 + '|' + 'name=' + #p1") 487 List<String> getRoleIdsForPermission( @WebParam(name="namespaceCode") String namespaceCode, 488 @WebParam(name="permissionName") String permissionName) throws RiceIllegalArgumentException; 489 490 /** 491 * This method find Permissions based on a query criteria. The criteria cannot be null. 492 * 493 * @param queryByCriteria the criteria. Cannot be null. 494 * @return query results. will never return null. 495 * @throws RiceIllegalArgumentException if the queryByCriteria is null 496 */ 497 @WebMethod(operationName = "findPermissions") 498 @WebResult(name = "results") 499 PermissionQueryResults findPermissions(@WebParam(name = "query") QueryByCriteria queryByCriteria) throws RiceIllegalArgumentException; 500 501 502 /** 503 * This method find Permission Templates based on a query criteria. The criteria cannot be null. 504 * 505 * @param queryByCriteria the criteria. Cannot be null. 506 * @return query results. will never return null. 507 * @throws RiceIllegalArgumentException if the queryByCriteria is null 508 */ 509 @WebMethod(operationName = "findPermissionTemplates") 510 @WebResult(name = "results") 511 TemplateQueryResults findPermissionTemplates(@WebParam(name = "query") QueryByCriteria queryByCriteria) throws RiceIllegalArgumentException; 512}