public abstract class AAclAuthz
extends java.lang.Object

The checkPermission methods are for code that needs to verify access before performing actions.

Here is a sample resourceACLs entry for a resource:

certServer.UsrGrpAdminServlet:execute:deny (execute) user="tempAdmin";allow (execute) group="Administrators";

To perform permission checking, code calls the authz manager's authorize() method to verify access. See AuthzMgr for a calling example.

Default "evaluators" are used to evaluate the "group=.." and "user=.." rules. See evaluator for more info.
Modifier and Type | Field and Description
---|---
protected static java.lang.String | ACLS_ATTR
protected static java.lang.String[] | mConfigParams
protected static java.util.Vector | mExtendedPluginInfo
protected static java.lang.String | PROP_CLASS
protected static java.lang.String | PROP_EVAL
protected static java.lang.String | PROP_IMPL
Constructor and Description
---
AAclAuthz(): constructor.
Modifier and Type | Method and Description
---|---
void | accessInit(java.lang.String accessInfo)
java.util.Enumeration | aclEvaluatorElements(): gets an enumeration of access evaluators.
java.util.Enumeration | aclResElements(): gets an enumeration of resources.
void | addACLs(java.lang.String resACLs): parses ACL resource attributes, then updates the ACLs memory store. This is intended to be used if storing ACLs on LDAP is not desired; the caller is expected to call this method to add resource and ACL info into the ACLs memory store.
abstract AuthzToken | authorize(IAuthToken authToken, java.lang.String resource, java.lang.String operation): abstract method that subclasses must implement to authorize an operation on a particular resource.
void | checkPermission(IAuthToken authToken, java.lang.String name, java.lang.String perm): checks if the permission is granted or denied for the id in the authToken obtained from the authentication that precedes authorization.
protected void | checkPermission(java.lang.String name, java.lang.String perm): checks if the permission is granted or denied in the current execution context.
boolean | evaluateACLs(IAuthToken authToken, java.lang.String exp)
protected abstract void | flushResourceACLs(): updates ACLs.
java.util.Hashtable | getAccessEvaluators(): gets the access evaluators.
IACL | getACL(java.lang.String target)
java.util.Enumeration | getACLs()
protected java.util.Enumeration | getAllowEntries(java.util.Enumeration nodes, java.lang.String operation)
java.lang.String[] | getConfigParams(): returns a list of configuration parameter names.
IConfigStore | getConfigStore(): returns the configuration store used by this authz manager.
protected java.util.Enumeration | getDenyEntries(java.util.Enumeration nodes, java.lang.String operation)
java.lang.String[] | getExtendedPluginInfo(java.util.Locale locale)
java.util.Vector | getNodes(java.lang.String resourceID)
java.lang.String | getOrder()
protected java.util.Enumeration | getTargetNames()
protected void | init(IConfigStore config): initializes the manager.
boolean | isTypeUnique(java.lang.String type): is this resource name unique?
void | registerEvaluator(java.lang.String type, IAccessEvaluator evaluator): registers a new handler for the given attribute type in the expressions.
abstract void | shutdown(): graceful shutdown.
void | updateACLs(java.lang.String id, java.lang.String rights, java.lang.String strACLs, java.lang.String desc): this one only updates the memory store.
protected static final java.lang.String PROP_CLASS
protected static final java.lang.String PROP_IMPL
protected static final java.lang.String PROP_EVAL
protected static final java.lang.String ACLS_ATTR
protected static java.util.Vector mExtendedPluginInfo
protected static java.lang.String[] mConfigParams
protected void init(IConfigStore config) throws EBaseException
Throws: EBaseException

public void addACLs(java.lang.String resACLs) throws EBaseException
Parameters:
resACLs - same format as the resourceACLs attribute
Throws:
EBaseException - parsing error from parseACL

public void accessInit(java.lang.String accessInfo) throws EBaseException
Throws: EBaseException

public IACL getACL(java.lang.String target)
protected java.util.Enumeration getTargetNames()
public java.util.Enumeration getACLs()
public IConfigStore getConfigStore()
public java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)
public java.lang.String[] getConfigParams()
public abstract void shutdown()
public void registerEvaluator(java.lang.String type, IAccessEvaluator evaluator)
protected void checkPermission(java.lang.String name, java.lang.String perm) throws EACLsException
Note that if a resource does not exist in the aclResources entry but a higher-level node exists, it will still be evaluated. The highest-level node's ACL determines the permission. If the higher-level node doesn't contain any ACL information, the check is passed down to the lower node. If a node has no ACI in its resourceACLs, it's considered passed.
Example: for certServer.common.users, if the permission check for "certServer" fails, the check is considered failed and there is no need to continue. If the permission check for "certServer" passes, it's considered passed and there is no need to continue. If certServer contains no ACI, then "certServer.common" is checked for permission instead. If, down to the leaf level, the node still contains no ACI, it's considered passed. If at the leaf level no such resource exists, or there are no ACIs, it's considered passed.
If there are multiple ACIs for a resource, ALL ACIs will be checked, and only if all of them pass the permission check will access eventually be granted.
Parameters:
name - resource name
perm - permission requested
Throws:
EACLsException - access permission denied

public void checkPermission(IAuthToken authToken, java.lang.String name, java.lang.String perm) throws EACLsException
Same evaluation rules as checkPermission(name, perm) above: a higher-level node's ACL decides when it has one, the check is passed down to the lower node when it does not, a resource with no ACI at any level is considered passed, and when a resource has multiple ACIs all of them must pass before access is granted.
Parameters:
authToken - authentication token gotten from authentication
name - resource name
perm - permission requested
Throws:
EACLsException - access permission denied

protected java.util.Enumeration getAllowEntries(java.util.Enumeration nodes, java.lang.String operation)
protected java.util.Enumeration getDenyEntries(java.util.Enumeration nodes, java.lang.String operation)
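The node walk and deny/allow evaluation documented for checkPermission, getDenyEntries and getAllowEntries above, as an added stand-alone model in Python (not Dogtag's own AAclAuthz code): it parses resourceACLs strings in the form shown on this page into a store, walks certServer -> certServer.common -> certServer.common.users, and lets the first node carrying an ACI for the requested operation decide. The token shape, the evaluate() stand-in for the default user=/group= evaluators, and the reading that a deny ACI passes when its expression does not match while an allow ACI passes when it does are assumptions.

```python
import re

# Constructed sample store in the resourceACLs form shown on this page:
# <resource>:<rights>:<aci>;<aci>...  with each aci = allow|deny (<ops>) <attr>="<value>"
SAMPLE_ACLS = [
    'certServer.UsrGrpAdminServlet:execute:deny (execute) user="tempAdmin";allow (execute) group="Administrators";',
    'certServer.common:read,modify:allow (read) group="Administrators";allow (modify) user="caadmin"',
]

ACI_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(\w+)="([^"]*)"$')


def parse_acls(lines):
    """Map resource name -> list of (kind, ops, attr, value) parsed from each line."""
    store = {}
    for line in lines:
        resource, _rights, acis = line.split(':', 2)
        entries = []
        for aci in (a.strip() for a in acis.split(';')):
            if not aci:
                continue  # trailing ';' as in the page's sample entry
            m = ACI_RE.match(aci)
            if m is None:
                raise ValueError("cannot parse aci: " + aci)
            kind, ops, attr, value = m.groups()
            entries.append((kind, {o.strip() for o in ops.split(',')}, attr, value))
        store[resource] = entries
    return store


def evaluate(attr, value, token):
    """Hypothetical stand-in for the default user=/group= access evaluators."""
    if attr == 'user':
        return token['user'] == value
    if attr == 'group':
        return value in token['groups']
    raise ValueError("no evaluator registered for " + attr)


def check_permission(store, token, name, perm):
    """Walk certServer -> certServer.common -> ...; the first node with an ACI for perm decides."""
    parts = name.split('.')
    for depth in range(1, len(parts) + 1):
        node = '.'.join(parts[:depth])
        acis = [a for a in store.get(node, []) if perm in a[1]]
        if not acis:
            continue  # no ACI at this level: pass the check down to the next node
        # every ACI must pass (deny entries first): a deny passes only when it does
        # NOT match the token, an allow passes only when it does match
        for kind, _ops, attr, value in sorted(acis, key=lambda a: a[0] != 'deny'):
            if evaluate(attr, value, token) == (kind == 'deny'):
                return False
        return True
    return True  # no ACI anywhere on the path: the page says this is considered passed
```

The final return True is the documented fail-open case: a resource with no ACI at any level of its path is considered passed, so an entry missing from the store grants access rather than denying it.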
public java.util.Vector getNodes(java.lang.String resourceID)

public void updateACLs(java.lang.String id, java.lang.String rights, java.lang.String strACLs, java.lang.String desc) throws EACLsException
Throws: EACLsException

public java.util.Enumeration aclResElements()
public java.util.Enumeration aclEvaluatorElements()
public java.util.Hashtable getAccessEvaluators()
public boolean isTypeUnique(java.lang.String type)

protected abstract void flushResourceACLs() throws EACLsException
Throws: EACLsException

public abstract AuthzToken authorize(IAuthToken authToken, java.lang.String resource, java.lang.String operation) throws EBaseException
Parameters:
authToken - the authToken associated with a user
resource - the protected resource name
operation - the protected resource operation name
Throws:
EBaseException - if an internal error occurred.

public java.lang.String getOrder()
public boolean evaluateACLs(IAuthToken authToken, java.lang.String exp)