Class DirAclAuthz
- All Implemented Interfaces:
IExtendedPluginInfo
-
Nested Class Summary
Nested classes/interfaces inherited from class com.netscape.cms.authorization.AAclAuthz
AAclAuthz.EvaluationOrder
-
Field Summary
Fields
logger, PROP_SEARCHBASE
Fields inherited from class com.netscape.cms.authorization.AAclAuthz
ACLS_ATTR, mConfigParams, mExtendedPluginInfo, PROP_CLASS, PROP_EVAL, PROP_IMPL
Fields inherited from class org.dogtagpki.server.authorization.AuthzManager
config, engine, implName, name
Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
HELP_TEXT, HELP_TOKEN
-
Constructor Summary
Constructors
DirAclAuthz() Default constructor
Method Summary
Modifier and Type | Method | Description
void | accessInit(String accessInfo) | accessInit is for servlets that want to initialize their own authorization information before full operation.
void | addACLs (overload; parameters not shown on this page) |
void | addACLs(String resACLs) | Parse ACL resource attributes, then update the in-memory ACL store. Intended for deployments that do not store ACLs in LDAP; the caller adds resource and ACL information to the memory store through this method.
protected boolean | checkACLs(String name, String perm) | Checks whether the permission is granted or denied in the current execution context.
protected void | flushResourceACLs() | Writes resourceACLs to LDAP.
 | getACL(target) | Get the individual ACL entry for the given entry name.
 | getACLs() | Get ACL entries.
protected netscape.ldap.LDAPConnection | getConn() |
protected Iterable<ACLEntry> | getEntries(ACLEntry.Type entryType, Iterable<String> nodes, String operation) |
 | getTargetNames() |
void | init(String name, String implName, AuthzManagerConfig config) | Initializes.
boolean | isTypeUnique(String type) | Is this resource name unique?
void | loadACLs() | Load ACLs from LDAP.
protected void | returnConn(netscape.ldap.LDAPConnection conn) |
void | shutdown() | Graceful shutdown.
void | updateACLs(String id, String rights, String strACLs, String desc) | Update ACLs.
Methods inherited from class com.netscape.cms.authorization.AAclAuthz
aclEvaluatorElements, authorize, authorize, checkAllowEntries, checkDenyEntries, checkPermission, checkPermission, evaluateACLs, getAccessEvaluators, getConfigParams, getExtendedPluginInfo, getNodes, getOrder, registerEvaluator
Methods inherited from class org.dogtagpki.server.authorization.AuthzManager
getCMSEngine, getConfigStore, getImplName, getName, setCMSEngine
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
getExtendedPluginInfo
-
Field Details
-
logger
public static org.slf4j.Logger logger
-
PROP_SEARCHBASE
-
-
Constructor Details
-
DirAclAuthz
public DirAclAuthz()
Default constructor
-
-
Method Details
-
init
Description copied from class: AAclAuthz
Initializes.
- Overrides: init in class AAclAuthz
- Parameters:
name - The name of this authorization manager instance.
implName - The name of the authorization manager plugin.
config - The configuration store for this authorization manager.
- Throws:
EBaseException - If an initialization error occurred.
-
loadACLs
Load ACLs from LDAP. The method is synchronized so that two loads cannot run concurrently and interleave their updates to the in-memory store.
- Throws:
EACLsException
-
addACLs
Description copied from class: AAclAuthz
Parse ACL resource attributes, then update the in-memory ACL store. This is intended for deployments where storing ACLs in LDAP is not desired; the caller is expected to call this method to add resource and ACL information to the in-memory store. The resACLs string must use the resourceACLs format, resource:rights:aclEntries:description, for example:
resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties
- Overrides: addACLs in class AAclAuthz
- Parameters:
resACLs - same format as the resourceACLs attribute
- Throws:
EACLsException - parsing error from parseACL
-
addACLs
- Overrides: addACLs in class AAclAuthz
- Throws:
EACLsException
-
accessInit
Description copied from class: AuthzManager
accessInit is for servlets that want to initialize their own authorization information before full operation. It is supposed to be called from the authzMgrAccessInit() method of the AuthzSubsystem. The accessInfo format is determined by each individual authorization manager. For BasicAclAuthz, for example, the accessInfo is the resACLs string, which must use the resourceACLs format:
resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties
- Overrides: accessInit in class AAclAuthz
- Parameters:
accessInfo - the access info string, in the format specified by the authorization manager
- Throws:
EBaseException - error parsing the accessInfo
-
getACL
Description copied from class: AuthzManager
Get the individual ACL entry for the given entry name.
- Overrides: getACL in class AAclAuthz
- Parameters:
target - The name of the ACL entry
- Returns:
The ACL entry.
- Throws:
EACLsException
-
getTargetNames
- Overrides: getTargetNames in class AAclAuthz
- Throws:
EACLsException
-
getACLs
Description copied from class: AuthzManager
Get ACL entries.
- Overrides: getACLs in class AAclAuthz
- Returns:
collection of ACL entries.
- Throws:
EACLsException
-
checkACLs
Description copied from class: AAclAuthz
Checks if the permission is granted or denied in the current execution context. An ACL may contain one or more ACLEntry objects; when there are several, a subject must pass ALL of them for permission to be granted. Negative ("deny") entries are treated differently from positive ("allow") entries: if the subject matches a deny entry, the permission check fails right away; if the subject does not match an allow entry, evaluation simply moves on to the next entry. A matching deny entry therefore blocks access even when an allow entry would also have matched.
- Overrides: checkACLs in class AAclAuthz
- Parameters:
name - resource name
perm - permission requested
- Returns:
true if access is allowed; false if the decision should be passed down to the next node
- Throws:
EACLsException - if access is disallowed
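The resourceACLs format from the addACLs description and the deny-first evaluation described under checkACLs, as an added stand-alone example (not Dogtag PKI project code and not the class's own parser). It assumes, beyond what the page states, that several entries may be separated by ';', that an entry expression is group="..." or user="..." terms joined by '||', and that deny entries are consulted before allow entries (the order the inherited checkDenyEntries/checkAllowEntries names suggest). The Decision enum stands in for the real contract: DENIED corresponds to checkACLs throwing EACLsException, NOT_MATCHED to it returning false so the caller tries the next node.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Dogtag PKI project code. Parses resource:rights:aclEntries:description
// strings and evaluates them deny-first. The ';' entry separator, the '||' operator and the
// group=/user= terms are assumptions about the format, not taken from this page.
public class ResourceAclDemo {

    enum Decision { GRANTED, DENIED, NOT_MATCHED }

    static final class Subject {
        final String user;
        final Set<String> groups;
        Subject(String user, String... groups) {
            this.user = user;
            this.groups = new LinkedHashSet<>(Arrays.asList(groups));
        }
    }

    static final class Entry {
        final boolean allow;            // allow(...) or deny(...)
        final Set<String> operations;   // operations listed inside the parentheses
        final String expression;        // e.g. group="lefties" || user="bob"
        Entry(boolean allow, Set<String> operations, String expression) {
            this.allow = allow; this.operations = operations; this.expression = expression;
        }
    }

    static final class ResourceAcl {
        final String resource; final Set<String> rights; final List<Entry> entries; final String description;
        ResourceAcl(String resource, Set<String> rights, List<Entry> entries, String description) {
            this.resource = resource; this.rights = rights; this.entries = entries; this.description = description;
        }
    }

    private static final Pattern ENTRY = Pattern.compile("^(allow|deny)\\s*\\(([^)]*)\\)\\s*(.*)$");
    private static final Pattern TERM  = Pattern.compile("^(group|user)\\s*=\\s*\"([^\"]*)\"$");

    static Set<String> csv(String s) {
        Set<String> out = new LinkedHashSet<>();
        for (String p : s.split(",")) if (!p.trim().isEmpty()) out.add(p.trim());
        return out;
    }

    /** Parse resource:rights:aclEntries:description; the description keeps any further ':'. */
    static ResourceAcl parse(String resACLs) {
        String[] f = resACLs.split(":", 4);
        if (f.length != 4) throw new IllegalArgumentException("expected 4 ':'-separated fields: " + resACLs);
        Set<String> rights = csv(f[1]);
        List<Entry> entries = new ArrayList<>();
        for (String raw : f[2].split(";")) {
            Matcher m = ENTRY.matcher(raw.trim());
            if (!m.matches()) throw new IllegalArgumentException("bad ACL entry: " + raw);
            Set<String> ops = csv(m.group(2));
            // This example's own sanity check: an entry may only name operations the resource declares.
            for (String op : ops)
                if (!rights.contains(op)) throw new IllegalArgumentException("operation '" + op + "' not among rights " + rights);
            entries.add(new Entry(m.group(1).equals("allow"), ops, m.group(3).trim()));
        }
        return new ResourceAcl(f[0].trim(), rights, entries, f[3].trim());
    }

    /** True when the subject satisfies at least one '||'-separated term of the expression. */
    static boolean matches(String expression, Subject s) {
        for (String term : expression.split("\\|\\|")) {
            Matcher m = TERM.matcher(term.trim());
            if (!m.matches()) throw new IllegalArgumentException("unsupported term: " + term);
            String v = m.group(2);
            if (m.group(1).equals("group") ? s.groups.contains(v) : s.user.equals(v)) return true;
        }
        return false;
    }

    static Decision evaluate(ResourceAcl acl, Subject s, String operation) {
        // Deny entries first: a single matching deny ends the check immediately.
        for (Entry e : acl.entries)
            if (!e.allow && e.operations.contains(operation) && matches(e.expression, s))
                return Decision.DENIED;
        // Allow entries: an entry the subject does not match just moves on to the next one.
        for (Entry e : acl.entries)
            if (e.allow && e.operations.contains(operation) && matches(e.expression, s))
                return Decision.GRANTED;
        return Decision.NOT_MATCHED;    // nothing here decided; the caller tries the next node
    }

    public static void main(String[] args) {
        // Constructed sample, extended from the page's resTurnKnob example with a deny entry.
        ResourceAcl acl = parse("resTurnKnob:left,right:"
            + "allow(left,right) group=\"lefties\" || group=\"righties\";"
            + "deny(right) group=\"lefties\":door knobs for lefties");
        Subject lefty = new Subject("alice", "lefties");
        Subject visitor = new Subject("carol", "visitors");
        System.out.println("lefty/left:    " + evaluate(acl, lefty, "left"));
        System.out.println("lefty/right:   " + evaluate(acl, lefty, "right"));
        System.out.println("visitor/left:  " + evaluate(acl, visitor, "left"));
    }
}
```

Run with `javac ResourceAclDemo.java && java ResourceAclDemo`. The lefty subject is GRANTED "left", but DENIED "right" even though the allow entry also matches, because the deny entry is consulted first; the visitor gets NOT_MATCHED, which is the case in which the real checkACLs returns false and authorization falls through to the parent resource node.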
-
getEntries
protected Iterable<ACLEntry> getEntries(ACLEntry.Type entryType, Iterable<String> nodes, String operation) throws EACLsException
- Overrides: getEntries in class AAclAuthz
- Throws:
EACLsException
-
isTypeUnique
Description copied from class: AAclAuthz
Is this resource name unique?
- Overrides: isTypeUnique in class AAclAuthz
- Returns:
true if unique; false otherwise
- Throws:
EACLsException
-
updateACLs
Update ACLs: the in-memory store is updated first, then flushed to LDAP. Currently the two can diverge: if the memory update succeeds but the LDAP write fails, the change lingers only in memory. It reaches LDAP at the next update, or when another flush is attempted at shutdown; until then, a restart (which reloads ACLs from LDAP) or any other instance reading the same LDAP entry sees the old ACLs.
- Overrides: updateACLs in class AAclAuthz
- Parameters:
id - the resource id
rights - the allowable rights for this resource
strACLs - has the same format as a resourceACLs entry (the acis on the LDAP server)
desc - the description for this resource
- Throws:
EACLsException - when the update fails.
-
flushResourceACLs
Writes resourceACLs to LDAP.
- Throws:
EACLsException
-
getConn
- Throws:
DBException
-
returnConn
protected void returnConn(netscape.ldap.LDAPConnection conn)
shutdown
public void shutdown()
Graceful shutdown.
- Specified by: shutdown in class AuthzManager
-