com.netscape.cms.authorization

Class AAclAuthz

java.lang.Object

com.netscape.cms.authorization.AAclAuthz

Direct Known Subclasses:

BasicAclAuthz, DirAclAuthz

public abstract class AAclAuthz
extends java.lang.Object

An abstract class represents an authorization manager that governs the access of internal resources such as servlets. It parses in the ACLs associated with each protected resources, and provides protected method checkPermission for code that needs to verify access before performing actions.

Here is a sample resourceACLS for a resource

   certServer.UsrGrpAdminServlet:
       execute:
           deny (execute) user="tempAdmin";
           allow (execute) group="Administrators";
 

To perform permission checking, code call authz mgr authorize() method to verify access. See AuthzMgr for calling example.

default "evaluators" are used to evaluate the "group=.." or "user=.." rules. See evaluator for more info

Version:

$Revision$, $Date$

See Also:

ACL Files

Field Summary

Fields

Modifier and Type	Field and Description
protected static java.lang.String	ACLS_ATTR
protected static java.lang.String[]	mConfigParams
protected static java.util.Vector	mExtendedPluginInfo
protected static java.lang.String	PROP_CLASS
protected static java.lang.String	PROP_EVAL
protected static java.lang.String	PROP_IMPL

Constructor Summary

Constructors

Constructor and Description
AAclAuthz() Constructor

Method Summary

Methods

Modifier and Type	Method and Description
void	accessInit(java.lang.String accessInfo)
java.util.Enumeration	aclEvaluatorElements() gets an enumeration of access evaluators
java.util.Enumeration	aclResElements() gets an enumeration of resources
void	addACLs(java.lang.String resACLs) Parse ACL resource attributes, then update the ACLs memory store This is intended to be used if storing ACLs on ldap is not desired, and the caller is expected to call this method to add resource and acl info into acls memory store.
abstract AuthzToken	authorize(IAuthToken authToken, java.lang.String resource, java.lang.String operation) an abstract class that enforces implementation of the authorize() method that will authorize an operation on a particular resource
void	checkPermission(IAuthToken authToken, java.lang.String name, java.lang.String perm) Checks if the permission is granted or denied with id from authtoken gotten from authentication that precedes authorization.
protected void	checkPermission(java.lang.String name, java.lang.String perm) Checks if the permission is granted or denied in the current execution context.
boolean	evaluateACLs(IAuthToken authToken, java.lang.String exp)
protected abstract void	flushResourceACLs() update acls.
java.util.Hashtable	getAccessEvaluators() gets the access evaluators
IACL	getACL(java.lang.String target)
java.util.Enumeration	getACLs()
protected java.util.Enumeration	getAllowEntries(java.util.Enumeration nodes, java.lang.String operation)
java.lang.String[]	getConfigParams() Returns a list of configuration parameter names.
IConfigStore	getConfigStore() Returns the configuration store used by this Authz mgr
protected java.util.Enumeration	getDenyEntries(java.util.Enumeration nodes, java.lang.String operation)
java.lang.String[]	getExtendedPluginInfo(java.util.Locale locale)
java.util.Vector	getNodes(java.lang.String resourceID)
java.lang.String	getOrder()
protected java.util.Enumeration	getTargetNames()
protected void	init(IConfigStore config) Initializes
boolean	isTypeUnique(java.lang.String type) is this resource name unique
void	registerEvaluator(java.lang.String type, IAccessEvaluator evaluator) Registers new handler for the given attribute type in the expressions.
abstract void	shutdown() graceful shutdown
void	updateACLs(java.lang.String id, java.lang.String rights, java.lang.String strACLs, java.lang.String desc) This one only updates the memory.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PROP_CLASS

protected static final java.lang.String PROP_CLASS

See Also:

Constant Field Values

PROP_IMPL

protected static final java.lang.String PROP_IMPL

See Also:

Constant Field Values

PROP_EVAL

protected static final java.lang.String PROP_EVAL

See Also:

Constant Field Values

ACLS_ATTR

protected static final java.lang.String ACLS_ATTR

See Also:

Constant Field Values

mExtendedPluginInfo

protected static java.util.Vector mExtendedPluginInfo

mConfigParams

protected static java.lang.String[] mConfigParams

Constructor Detail

AAclAuthz

public AAclAuthz()

Constructor

Method Detail

init

protected void init(IConfigStore config)
             throws EBaseException

Initializes

Throws:

EBaseException

addACLs

public void addACLs(java.lang.String resACLs)
             throws EBaseException

Parse ACL resource attributes, then update the ACLs memory store This is intended to be used if storing ACLs on ldap is not desired, and the caller is expected to call this method to add resource and acl info into acls memory store. The resACLs format should conform to the following: :right-1[,right-n]:[allow,deny](right(s))=: Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

Parameters:

resACLs - same format as the resourceACLs attribute

Throws:

EBaseException - parsing error from parseACL

accessInit

public void accessInit(java.lang.String accessInfo)
                throws EBaseException

Throws:

EBaseException

getACL

public IACL getACL(java.lang.String target)

getTargetNames

protected java.util.Enumeration getTargetNames()

getACLs

public java.util.Enumeration getACLs()

getConfigStore

public IConfigStore getConfigStore()

Returns the configuration store used by this Authz mgr

getExtendedPluginInfo

public java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)

getConfigParams

public java.lang.String[] getConfigParams()

Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.

Returns:

String array of configuration parameter names.

shutdown

public abstract void shutdown()

graceful shutdown

registerEvaluator

public void registerEvaluator(java.lang.String type,
                     IAccessEvaluator evaluator)

Registers new handler for the given attribute type in the expressions.

checkPermission

protected void checkPermission(java.lang.String name,
                   java.lang.String perm)
                        throws EACLsException

Checks if the permission is granted or denied in the current execution context. If the code is marked as privileged, this methods will simply return.

note that if a resource does not exist in the aclResources entry, but a higher level node exist, it will still be evaluated. The highest level node's acl determines the permission. If the higher level node doesn't contain any acl information, then it's passed down to the lower node. If a node has no aci in its resourceACLs, then it's considered passed.

example: certServer.common.users, if failed permission check for "certServer", then it's considered failed, and there is no need to continue the check. If passed permission check for "certServer", then it's considered passed, and no need to continue the check. If certServer contains no aci then "certServer.common" will be checked for permission instead. If down to the leaf level, the node still contains no aci, then it's considered passed. If at the leaf level, no such resource exist, or no acis, it's considered passed.

If there are multiple aci's for a resource, ALL aci's will be checked, and only if all passed permission checks, will the eventual access be granted.

Parameters:

name - resource name

perm - permission requested

Throws:

EACLsException - access permission denied

checkPermission

public void checkPermission(IAuthToken authToken,
                   java.lang.String name,
                   java.lang.String perm)
                     throws EACLsException

Checks if the permission is granted or denied with id from authtoken gotten from authentication that precedes authorization. If the code is marked as privileged, this methods will simply return.

note that if a resource does not exist in the aclResources entry, but a higher level node exist, it will still be evaluated. The highest level node's acl determines the permission. If the higher level node doesn't contain any acl information, then it's passed down to the lower node. If a node has no aci in its resourceACLs, then it's considered passed.

example: certServer.common.users, if failed permission check for "certServer", then it's considered failed, and there is no need to continue the check. If passed permission check for "certServer", then it's considered passed, and no need to continue the check. If certServer contains no aci then "certServer.common" will be checked for permission instead. If down to the leaf level, the node still contains no aci, then it's considered passed. If at the leaf level, no such resource exist, or no acis, it's considered passed.

If there are multiple aci's for a resource, ALL aci's will be checked, and only if all passed permission checks, will the eventual access be granted.

Parameters:

authToken - authentication token gotten from authentication

name - resource name

perm - permission requested

Throws:

EACLsException - access permission denied

getAllowEntries

protected java.util.Enumeration getAllowEntries(java.util.Enumeration nodes,
                                    java.lang.String operation)

getDenyEntries

protected java.util.Enumeration getDenyEntries(java.util.Enumeration nodes,
                                   java.lang.String operation)

getNodes

public java.util.Vector getNodes(java.lang.String resourceID)

updateACLs

public void updateACLs(java.lang.String id,
              java.lang.String rights,
              java.lang.String strACLs,
              java.lang.String desc)
                throws EACLsException

This one only updates the memory. Classes extend this class should also update to a permanent storage

Throws:

EACLsException

aclResElements

public java.util.Enumeration aclResElements()

gets an enumeration of resources

Returns:

an enumeration of resources contained in the ACL table

aclEvaluatorElements

public java.util.Enumeration aclEvaluatorElements()

gets an enumeration of access evaluators

Returns:

an enumeraton of access evaluators

getAccessEvaluators

public java.util.Hashtable getAccessEvaluators()

gets the access evaluators

Returns:

handle to the access evaluators table

isTypeUnique

public boolean isTypeUnique(java.lang.String type)

is this resource name unique

Returns:

true if unique; false otherwise

flushResourceACLs

protected abstract void flushResourceACLs()
                                   throws EACLsException

update acls. called after memory upate is done to flush to permanent storage.

Throws:

EACLsException

authorize

public abstract AuthzToken authorize(IAuthToken authToken,
                   java.lang.String resource,
                   java.lang.String operation)
                              throws EBaseException

an abstract class that enforces implementation of the authorize() method that will authorize an operation on a particular resource

Parameters:

authToken - the authToken associated with a user

resource - - the protected resource name

operation - - the protected resource operation name

Returns:

authzToken

Throws:

EBaseException - If an internal error occurred.

getOrder

public java.lang.String getOrder()

evaluateACLs

public boolean evaluateACLs(IAuthToken authToken,
                   java.lang.String exp)