public abstract class AAclAuthz extends java.lang.Object implements IAuthzManager
checkPermission for code that needs to verify access before performing actions.
Here is a sample resourceACLS for a resource:
certServer.UsrGrpAdminServlet: execute: deny (execute) user="tempAdmin"; allow (execute) group="Administrators";
To perform permission checking, code calls the authz mgr authorize() method to verify access. See AuthzMgr for a calling example.
Default "evaluators" are used to evaluate the "group=.." or "user=.." rules. See evaluator for more info.
Modifier and Type | Class and Description |
---|---|
static class | AAclAuthz.EvaluationOrder |
Modifier and Type | Field and Description |
---|---|
protected static java.lang.String | ACLS_ATTR |
static org.slf4j.Logger | logger |
protected static java.lang.String[] | mConfigParams |
protected static java.util.Vector<java.lang.String> | mExtendedPluginInfo |
protected static java.lang.String | PROP_CLASS |
protected static java.lang.String | PROP_EVAL |
protected static java.lang.String | PROP_IMPL |
Constructor and Description |
---|
AAclAuthz(): Constructor |
Modifier and Type | Method and Description |
---|---|
void | accessInit(java.lang.String accessInfo): accessInit is for servlets that want to initialize their own authorization information before full operation. |
java.util.Enumeration<IAccessEvaluator> | aclEvaluatorElements(): Gets an enumeration of access evaluators. |
java.util.Enumeration<IACL> | aclResElements(): Gets an enumeration of resources. |
void | addACLs(java.lang.String resACLs): Parses ACL resource attributes, then updates the ACLs memory store. This is intended to be used if storing ACLs on LDAP is not desired, and the caller is expected to call this method to add resource and ACL info into the ACLs memory store. |
AuthzToken | authorize(IAuthToken authToken, java.lang.String expression) |
AuthzToken | authorize(IAuthToken authToken, java.lang.String resource, java.lang.String operation): Checks the authorization permission for the user associated with authToken on operation. Example: if UsrGrpAdminServlet needs to authorize the caller, it would be done in the following fashion: `try { authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read"); } catch (EBaseException e) { log(ILogger.LL_FAILURE, "authorize call: " + e.toString()); }` |
protected boolean | checkAllowEntries(IAuthToken authToken, java.lang.Iterable<java.lang.String> nodes, java.lang.String perm) |
protected void | checkDenyEntries(IAuthToken authToken, java.lang.Iterable<java.lang.String> nodes, java.lang.String perm): Throws EACLsException if a deny entry is matched. |
void | checkPermission(IAuthToken authToken, java.lang.String name, java.lang.String perm): Checks if the permission is granted or denied with the id from the authToken obtained from the authentication that precedes authorization. |
protected void | checkPermission(java.lang.String name, java.lang.String perm): Checks if the permission is granted or denied in the current execution context. |
boolean | evaluateACLs(IAuthToken authToken, java.lang.String exp) |
java.util.Hashtable<java.lang.String,IAccessEvaluator> | getAccessEvaluators(): Gets the access evaluators. |
IACL | getACL(java.lang.String target): Get individual ACL entry for the given name of entry. |
java.util.Enumeration<IACL> | getACLs(): Get ACL entries. |
java.lang.String[] | getConfigParams(): Returns a list of configuration parameter names. |
IConfigStore | getConfigStore(): Returns the configuration store used by this Authz mgr. |
protected java.lang.Iterable<ACLEntry> | getEntries(ACLEntry.Type entryType, java.lang.Iterable<java.lang.String> nodes, java.lang.String operation) |
java.lang.String[] | getExtendedPluginInfo(java.util.Locale locale) |
java.lang.String | getImplName(): Gets the plugin name of this authorization manager. |
java.lang.String | getName(): Gets the name of this authorization manager instance. |
java.util.Vector<java.lang.String> | getNodes(java.lang.String resourceID) |
static AAclAuthz.EvaluationOrder | getOrder() |
protected java.util.Enumeration<java.lang.String> | getTargetNames() |
void | init(java.lang.String name, java.lang.String implName, IConfigStore config): Initializes |
boolean | isTypeUnique(java.lang.String type): Is this resource name unique. |
void | registerEvaluator(java.lang.String type, IAccessEvaluator evaluator): Registers new handler for the given attribute type in the expressions. |
abstract void | shutdown(): Graceful shutdown. |
void | updateACLs(java.lang.String id, java.lang.String rights, java.lang.String strACLs, java.lang.String desc): This one only updates the memory. |
public static org.slf4j.Logger logger
protected static final java.lang.String PROP_CLASS
protected static final java.lang.String PROP_IMPL
protected static final java.lang.String PROP_EVAL
protected static final java.lang.String ACLS_ATTR
protected static java.util.Vector<java.lang.String> mExtendedPluginInfo
protected static java.lang.String[] mConfigParams
public void init(java.lang.String name, java.lang.String implName, IConfigStore config) throws EBaseException
Specified by: init in interface IAuthzManager
Parameters:
name - The name of this authorization manager instance.
implName - The name of the authorization manager plugin.
config - The configuration store for this authorization manager.
Throws:
EBaseException - If an initialization error occurred.

public java.lang.String getName()
Specified by: getName in interface IAuthzManager

public java.lang.String getImplName()
Specified by: getImplName in interface IAuthzManager
public void addACLs(java.lang.String resACLs) throws EBaseException
Parameters:
resACLs - same format as the resourceACLs attribute
Throws:
EBaseException - parsing error from parseACL
public void accessInit(java.lang.String accessInfo) throws EBaseException
Description copied from interface: IAuthzManager
accessInit is for servlets that want to initialize their own authorization information before full operation. It is supposed to be called from the authzMgrAccessInit() method of the AuthzSubsystem.
The accessInfo format is determined by each individual authzmgr. For example, for BasicAclAuthz, the accessInfo is the resACLs, whose format should conform to the following:
:right-1[,right-n]:[allow,deny](right(s)) = :
Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties
Specified by: accessInit in interface IAuthzManager
Parameters:
accessInfo - the access info string in the format specified in the authorization manager
Throws:
EBaseException - error parsing the accessInfo

public IACL getACL(java.lang.String target)
Specified by: getACL in interface IAuthzManager
Parameters:
target - The name of the ACL entry

protected java.util.Enumeration<java.lang.String> getTargetNames()
public java.util.Enumeration<IACL> getACLs()
Specified by: getACLs in interface IAuthzManager

public IConfigStore getConfigStore()
Specified by: getConfigStore in interface IAuthzManager

public java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)

public java.lang.String[] getConfigParams()
Specified by: getConfigParams in interface IAuthzManager

public abstract void shutdown()
Specified by: shutdown in interface IAuthzManager
public void registerEvaluator(java.lang.String type, IAccessEvaluator evaluator)
Specified by: registerEvaluator in interface IAuthzManager
Parameters:
type - Type of evaluator
evaluator - Value of evaluator

protected void checkPermission(java.lang.String name, java.lang.String perm) throws EACLsException
Note that if a resource does not exist in the aclResources entry, but a higher-level node exists, it will still be evaluated. The highest-level node's ACL determines the permission. If the higher-level node doesn't contain any ACL information, then it's passed down to the lower node. If a node has no ACI in its resourceACLs, then it's considered passed.
Example: certServer.common.users. If the permission check fails for "certServer", then it's considered failed, and there is no need to continue the check. If the permission check passes for "certServer", then it's considered passed, and there is no need to continue the check. If certServer contains no ACI, then "certServer.common" will be checked for permission instead. If, down to the leaf level, the node still contains no ACI, then it's considered passed. If at the leaf level no such resource exists, or it has no ACIs, it's considered passed.
If there are multiple ACIs for a resource, ALL ACIs will be checked, and only if all pass the permission check will access eventually be granted.
Parameters:
name - resource name
perm - permission requested
Throws:
EACLsException - access permission denied

public void checkPermission(IAuthToken authToken, java.lang.String name, java.lang.String perm) throws EACLsException
Note that if a resource does not exist in the aclResources entry, but a higher-level node exists, it will still be evaluated. The highest-level node's ACL determines the permission. If the higher-level node doesn't contain any ACL information, then it's passed down to the lower node. If a node has no ACI in its resourceACLs, then it's considered passed.
Example: certServer.common.users. If the permission check fails for "certServer", then it's considered failed, and there is no need to continue the check. If the permission check passes for "certServer", then it's considered passed, and there is no need to continue the check. If certServer contains no ACI, then "certServer.common" will be checked for permission instead. If, down to the leaf level, the node still contains no ACI, then it's considered passed. If at the leaf level no such resource exists, or it has no ACIs, it's considered passed.
If there are multiple ACIs for a resource, ALL ACIs will be checked, and only if all pass the permission check will access eventually be granted.
Parameters:
authToken - authentication token gotten from authentication
name - resource name
perm - permission requested
Throws:
EACLsException - access permission denied

protected boolean checkAllowEntries(IAuthToken authToken, java.lang.Iterable<java.lang.String> nodes, java.lang.String perm)

protected void checkDenyEntries(IAuthToken authToken, java.lang.Iterable<java.lang.String> nodes, java.lang.String perm) throws EACLsException
Throws:
EACLsException

protected java.lang.Iterable<ACLEntry> getEntries(ACLEntry.Type entryType, java.lang.Iterable<java.lang.String> nodes, java.lang.String operation)

public java.util.Vector<java.lang.String> getNodes(java.lang.String resourceID)
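
The top-down node walk described for checkPermission above, as an added Java example that is not the project's own code: it models only the rules stated on this page, and the names AclWalkDemo, Aci, Subject, nodesTopDown, matches and isPermitted, the callers and the child resource names are hypothetical. It assumes an allow entry passes when its user/group rule matches the caller and a deny entry passes when it does not.

```java
import java.util.*;

// Added illustration (Java 16+): simplified model of the node walk described for
// checkPermission. Not the project's code; every name here is hypothetical.
public class AclWalkDemo {
    // One ACL entry: allow or deny, the right it covers, and a user= or group= rule.
    record Aci(boolean allow, String right, String type, String value) {}
    record Subject(String user, Set<String> groups) {}

    // "certServer.common.users" -> [certServer, certServer.common, certServer.common.users]
    static List<String> nodesTopDown(String resource) {
        List<String> nodes = new ArrayList<>();
        for (int i = resource.indexOf('.'); i >= 0; i = resource.indexOf('.', i + 1))
            nodes.add(resource.substring(0, i));
        nodes.add(resource);
        return nodes;
    }

    static boolean matches(Aci aci, Subject s) {
        return aci.type().equals("user") ? aci.value().equals(s.user())
                                         : s.groups().contains(aci.value());
    }

    // Assumption: an allow entry passes when its rule matches the subject, a deny
    // entry passes when it does not. Entries for other rights are skipped.
    static boolean isPermitted(Map<String, List<Aci>> acls, Subject s, String resource, String perm) {
        for (String node : nodesTopDown(resource)) {
            List<Aci> acis = acls.getOrDefault(node, List.of());
            if (acis.isEmpty()) continue;      // no ACI here: defer to the next lower node
            for (Aci aci : acis)               // ALL entries on the deciding node must pass
                if (aci.right().equals(perm) && matches(aci, s) != aci.allow()) return false;
            return true;                       // first node that has ACIs decides
        }
        return true;                           // no ACI anywhere on the path: considered passed
    }

    public static void main(String[] args) {
        // Constructed sample: the page's UsrGrpAdminServlet rule, queried through child names.
        Map<String, List<Aci>> acls = Map.of("certServer.UsrGrpAdminServlet", List.of(
                new Aci(false, "execute", "user", "tempAdmin"),
                new Aci(true, "execute", "group", "Administrators")));
        Subject admin = new Subject("alice", Set.of("Administrators"));
        Subject temp = new Subject("tempAdmin", Set.of("Administrators"));
        String child = "certServer.UsrGrpAdminServlet.groups";   // no ACL of its own
        System.out.println("admin on child:    " + isPermitted(acls, admin, child, "execute"));
        System.out.println("tempAdmin on child: " + isPermitted(acls, temp, child, "execute"));
        System.out.println("tempAdmin, no ACL:  " + isPermitted(acls, temp, "certServer.other", "execute"));
    }
}
```

Under these rules a resource path with no ACI on any node is considered passed, so a misspelled resource name in a caller is permitted rather than rejected; comparing the resource strings used by callers against the configured ACL names catches that.
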
public void updateACLs(java.lang.String id, java.lang.String rights, java.lang.String strACLs, java.lang.String desc) throws EACLsException
Specified by: updateACLs in interface IAuthzManager
Parameters:
id - The name of the ACL entry (i.e., resource id)
rights - The allowable rights for this resource
strACLs - The value of the ACL entry
desc - The description for this resource
Throws:
EACLsException - when update fails.

public java.util.Enumeration<IACL> aclResElements()

public java.util.Enumeration<IAccessEvaluator> aclEvaluatorElements()
Specified by: aclEvaluatorElements in interface IAuthzManager

public java.util.Hashtable<java.lang.String,IAccessEvaluator> getAccessEvaluators()
Specified by: getAccessEvaluators in interface IAuthzManager

public boolean isTypeUnique(java.lang.String type)
public AuthzToken authorize(IAuthToken authToken, java.lang.String resource, java.lang.String operation) throws EAuthzInternalError, EAuthzAccessDenied
Specified by: authorize in interface IAuthzManager
Parameters:
authToken - the authToken associated with a user
resource - the protected resource name
operation - the protected resource operation name
Throws:
EAuthzAccessDenied - If access was denied
EAuthzInternalError - If an internal error occurred.

public AuthzToken authorize(IAuthToken authToken, java.lang.String expression) throws EAuthzAccessDenied
Specified by: authorize in interface IAuthzManager
Throws:
EAuthzAccessDenied

public static AAclAuthz.EvaluationOrder getOrder()

public boolean evaluateACLs(IAuthToken authToken, java.lang.String exp)