Field Detail

• logger

  public static org.slf4j.Logger logger

• PROP_CLASS

  protected static final java.lang.String PROP_CLASS

  See Also:

  Constant Field Values

• PROP_IMPL

  protected static final java.lang.String PROP_IMPL

  See Also:

  Constant Field Values

• PROP_EVAL

  protected static final java.lang.String PROP_EVAL

  See Also:

  Constant Field Values

• ACLS_ATTR

  protected static final java.lang.String ACLS_ATTR

  See Also:

  Constant Field Values

• mExtendedPluginInfo

  protected static java.util.Vector<java.lang.String> mExtendedPluginInfo

• mConfigParams

  protected static java.lang.String[] mConfigParams

Constructor Detail

• AAclAuthz

  public AAclAuthz()

  Constructor

Method Detail

• init

  public void init(java.lang.String name,
                   java.lang.String implName,
                   AuthzManagerConfig config)
            throws EBaseException

  Initializes

  Specified by:

  init in interface IAuthzManager

  Parameters:

  name - The name of this authorization manager instance.

  implName - The name of the authorization manager plugin.

  config - The configuration store for this authorization manager.

  Throws:

  EBaseException - If an initialization error occurred.

• getName

  public java.lang.String getName()

  gets the name of this authorization manager instance

  Specified by:

  getName in interface IAuthzManager

  Returns:

  String the name of this authorization manager.

• getImplName

  public java.lang.String getImplName()

  gets the plugin name of this authorization manager.

  Specified by:

  getImplName in interface IAuthzManager

  Returns:

  The name of the authorization manager plugin.

• addACLs

  public void addACLs(java.lang.String resACLs)
               throws EBaseException

  Parse ACL resource attributes, then update the ACLs memory store This is intended to be used if storing ACLs on ldap is not desired, and the caller is expected to call this method to add resource and acl info into acls memory store. The resACLs format should conform to the following: :right-1[,right-n]:[allow,deny](right(s))=: Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

  Parameters:

  resACLs - same format as the resourceACLs attribute

  Throws:

  EBaseException - parsing error from parseACL

• accessInit

  public void accessInit(java.lang.String accessInfo)
                  throws EBaseException

  Description copied from interface: IAuthzManager
  accessInit is for servlets who want to initialize their own authorization information before full operation. It is supposed to be called from the authzMgrAccessInit() method of the AuthzSubsystem.

  The accessInfo format is determined by each individual authzmgr. For example, for BasicAclAuthz, The accessInfo is the resACLs, whose format should conform to the following:

      :right-1[,right-n]:[allow,deny](right(s))=:
   
  
   Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

  Specified by:

  accessInit in interface IAuthzManager

  Parameters:

  accessInfo - the access info string in the format specified in the authorization manager

  Throws:

  EBaseException - error parsing the accessInfo

• getACL

  public IACL getACL(java.lang.String target)

  Description copied from interface: IAuthzManager
  Get individual ACL entry for the given name of entry.

  Specified by:

  getACL in interface IAuthzManager

  Parameters:

  target - The name of the ACL entry

  Returns:

  The ACL entry.

• getTargetNames

  protected java.util.Enumeration<java.lang.String> getTargetNames()

• getACLs

  public java.util.Enumeration<IACL> getACLs()

  Description copied from interface: IAuthzManager
  Get ACL entries

  Specified by:

  getACLs in interface IAuthzManager

  Returns:

  enumeration of ACL entries.

• getConfigStore

  public AuthzManagerConfig getConfigStore()

  Returns the configuration store used by this Authz mgr

  Specified by:

  getConfigStore in interface IAuthzManager

  Returns:

  The configuration store of this authorization manager.

• getExtendedPluginInfo

  public java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)

• getConfigParams

  public java.lang.String[] getConfigParams()

  Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.

  Specified by:

  getConfigParams in interface IAuthzManager

  Returns:

  String array of configuration parameter names.

• shutdown

  public abstract void shutdown()

  graceful shutdown

  Specified by:

  shutdown in interface IAuthzManager

• registerEvaluator

  public void registerEvaluator(java.lang.String type,
                                IAccessEvaluator evaluator)

  Registers new handler for the given attribute type in the expressions.

  Specified by:

  registerEvaluator in interface IAuthzManager

  Parameters:

  type - Type of evaluator

  evaluator - Value of evaluator

• checkPermission

  protected void checkPermission(java.lang.String name,
                                 java.lang.String perm)
                          throws EACLsException

  Checks if the permission is granted or denied in the current execution context. If the code is marked as privileged, this methods will simply return.

  note that if a resource does not exist in the aclResources entry, but a higher level node exist, it will still be evaluated. The highest level node's acl determines the permission. If the higher level node doesn't contain any acl information, then it's passed down to the lower node. If a node has no aci in its resourceACLs, then it's considered passed.

  example: certServer.common.users, if failed permission check for "certServer", then it's considered failed, and there is no need to continue the check. If passed permission check for "certServer", then it's considered passed, and no need to continue the check. If certServer contains no aci then "certServer.common" will be checked for permission instead. If down to the leaf level, the node still contains no aci, then it's considered passed. If at the leaf level, no such resource exist, or no acis, it's considered passed.

  If there are multiple aci's for a resource, ALL aci's will be checked, and only if all passed permission checks, will the eventual access be granted.

  Parameters:

  name - resource name

  perm - permission requested

  Throws:

  EACLsException - access permission denied

• checkPermission

  public void checkPermission(IAuthToken authToken,
                              java.lang.String name,
                              java.lang.String perm)
                       throws EACLsException

  Checks if the permission is granted or denied with id from authtoken gotten from authentication that precedes authorization. If the code is marked as privileged, this methods will simply return.

  note that if a resource does not exist in the aclResources entry, but a higher level node exist, it will still be evaluated. The highest level node's acl determines the permission. If the higher level node doesn't contain any acl information, then it's passed down to the lower node. If a node has no aci in its resourceACLs, then it's considered passed.

  example: certServer.common.users, if failed permission check for "certServer", then it's considered failed, and there is no need to continue the check. If passed permission check for "certServer", then it's considered passed, and no need to continue the check. If certServer contains no aci then "certServer.common" will be checked for permission instead. If down to the leaf level, the node still contains no aci, then it's considered passed. If at the leaf level, no such resource exist, or no acis, it's considered passed.

  If there are multiple aci's for a resource, ALL aci's will be checked, and only if all passed permission checks, will the eventual access be granted.

  Parameters:

  authToken - authentication token gotten from authentication

  name - resource name

  perm - permission requested

  Throws:

  EACLsException - access permission denied

• checkAllowEntries

  protected boolean checkAllowEntries(IAuthToken authToken,
                                      java.lang.Iterable<java.lang.String> nodes,
                                      java.lang.String perm)

• checkDenyEntries

  protected void checkDenyEntries(IAuthToken authToken,
                                  java.lang.Iterable<java.lang.String> nodes,
                                  java.lang.String perm)
                           throws EACLsException

  throw EACLsException if a deny entry is matched

  Throws:

  EACLsException

• getEntries

  protected java.lang.Iterable<ACLEntry> getEntries(ACLEntry.Type entryType,
                                                    java.lang.Iterable<java.lang.String> nodes,
                                                    java.lang.String operation)

• getNodes

  public java.util.Vector<java.lang.String> getNodes(java.lang.String resourceID)

• updateACLs

  public void updateACLs(java.lang.String id,
                         java.lang.String rights,
                         java.lang.String strACLs,
                         java.lang.String desc)
                  throws EACLsException

  This one only updates the memory. Classes extend this class should also update to a permanent storage

  Specified by:

  updateACLs in interface IAuthzManager

  Parameters:

  id - The name of the ACL entry (ie, resource id)

  rights - The allowable rights for this resource

  strACLs - The value of the ACL entry

  desc - The description for this resource

  Throws:

  EACLsException - when update fails.

• aclResElements

  public java.util.Enumeration<IACL> aclResElements()

  gets an enumeration of resources

  Returns:

  an enumeration of resources contained in the ACL table

• aclEvaluatorElements

  public java.util.Enumeration<IAccessEvaluator> aclEvaluatorElements()

  gets an enumeration of access evaluators

  Specified by:

  aclEvaluatorElements in interface IAuthzManager

  Returns:

  an enumeraton of access evaluators

• getAccessEvaluators

  public java.util.Hashtable<java.lang.String,IAccessEvaluator> getAccessEvaluators()

  gets the access evaluators

  Specified by:

  getAccessEvaluators in interface IAuthzManager

  Returns:

  handle to the access evaluators table

• isTypeUnique

  public boolean isTypeUnique(java.lang.String type)

  is this resource name unique

  Returns:

  true if unique; false otherwise

• authorize

  public AuthzToken authorize(IAuthToken authToken,
                              java.lang.String resource,
                              java.lang.String operation)
                       throws EAuthzInternalError,
                              EAuthzAccessDenied

  check the authorization permission for the user associated with authToken on operation Example: For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: try { authzTok = mAuthz.authorize( "DirAclAuthz", authToken, RES_GROUP, "read"); } catch (EBaseException e) { logger.warn("authorize call: " + e.getMessage(), e); }

  Specified by:

  authorize in interface IAuthzManager

  Parameters:

  authToken - the authToken associated with a user

  resource - - the protected resource name

  operation - - the protected resource operation name

  Returns:

  authzToken

  Throws:

  EAuthzAccessDenied - If access was denied

  EAuthzInternalError - If an internal error occurred.

• authorize

  public AuthzToken authorize(IAuthToken authToken,
                              java.lang.String expression)
                       throws EAuthzAccessDenied

  Specified by:

  authorize in interface IAuthzManager

  Throws:

  EAuthzAccessDenied

• getOrder

  public static AAclAuthz.EvaluationOrder getOrder()

• evaluateACLs

  public boolean evaluateACLs(IAuthToken authToken,
                              java.lang.String exp)