Class DirAclAuthz

All Implemented Interfaces:
IExtendedPluginInfo

public class DirAclAuthz extends AAclAuthz implements IExtendedPluginInfo
An authorization manager whose ACLs are stored in LDAP. The LDAP server used for the ACLs is the CMS internal LDAP database.
  • Field Details

    • logger

      public static org.slf4j.Logger logger
    • PROP_SEARCHBASE

      protected static final String PROP_SEARCHBASE
  • Constructor Details

    • DirAclAuthz

      public DirAclAuthz()
      Default constructor
  • Method Details

    • init

      public void init(String name, String implName, AuthzManagerConfig config) throws EBaseException
      Description copied from class: AAclAuthz
      Initializes
      Overrides:
      init in class AAclAuthz
      Parameters:
      name - The name of this authorization manager instance.
      implName - The name of the authorization manager plugin.
      config - The configuration store for this authorization manager.
      Throws:
      EBaseException - If an initialization error occurred.
    • loadACLs

      public void loadACLs() throws EACLsException
      Load ACLs from LDAP. The method is synchronized to prevent race conditions.
      Throws:
      EACLsException
    • addACLs

      public void addACLs(String resACLs) throws EACLsException
      Description copied from class: AAclAuthz
      Parse the ACL resource attributes, then update the in-memory ACL store. This is intended for deployments that do not want ACLs stored in LDAP: the caller adds resource and ACL information to the in-memory store by calling this method. The resACLs string must conform to the following format, for example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties
      Overrides:
      addACLs in class AAclAuthz
      Parameters:
      resACLs - same format as the resourceACLs attribute
      Throws:
      EACLsException - parsing error from parseACL
    • addACLs

      public void addACLs(ACL acl) throws EACLsException
      Overrides:
      addACLs in class AAclAuthz
      Throws:
      EACLsException
    • accessInit

      public void accessInit(String accessInfo) throws EBaseException
      Description copied from class: AuthzManager
      accessInit is for servlets that want to initialize their own authorization information before full operation. It is expected to be called from the authzMgrAccessInit() method of the AuthzSubsystem.

      The accessInfo format is determined by each individual authorization manager. For example, for BasicAclAuthz the accessInfo is the resACLs string, which must conform to the following format, for example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

      Overrides:
      accessInit in class AAclAuthz
      Parameters:
      accessInfo - the access info string in the format specified in the authorization manager
      Throws:
      EBaseException - error parsing the accessInfo
    • getACL

      public ACL getACL(String target) throws EACLsException
      Description copied from class: AuthzManager
      Get individual ACL entry for the given name of entry.
      Overrides:
      getACL in class AAclAuthz
      Parameters:
      target - The name of the ACL entry
      Returns:
      The ACL entry.
      Throws:
      EACLsException
    • getTargetNames

      protected Set<String> getTargetNames() throws EACLsException
      Overrides:
      getTargetNames in class AAclAuthz
      Throws:
      EACLsException
    • getACLs

      public Collection<ACL> getACLs() throws EACLsException
      Description copied from class: AuthzManager
      Get ACL entries
      Overrides:
      getACLs in class AAclAuthz
      Returns:
      collection of ACL entries.
      Throws:
      EACLsException
    • checkACLs

      protected boolean checkACLs(String name, String perm) throws EACLsException
      Description copied from class: AAclAuthz
      Checks if the permission is granted or denied in the current execution context.

      An ACL may contain one or more ACLEntry objects. When there are several entries, the subject must clear every one of them for the permission to be granted.

      Negative ("deny") entries are treated differently from positive ("allow") entries. If a deny entry fails the check for the subject, the permission check is rejected right away (EACLsException, see below); if an allow entry fails the check, evaluation simply moves on to the next entry.

      Overrides:
      checkACLs in class AAclAuthz
      Parameters:
      name - resource name
      perm - permission requested
      Returns:
      true if access is allowed; false if the decision should be passed down to the next node
      Throws:
      EACLsException - if access disallowed
    • getEntries

      protected Iterable<ACLEntry> getEntries(ACLEntry.Type entryType, Iterable<String> nodes, String operation) throws EACLsException
      Overrides:
      getEntries in class AAclAuthz
      Throws:
      EACLsException
    • isTypeUnique

      public boolean isTypeUnique(String type) throws EACLsException
      Description copied from class: AAclAuthz
      Returns whether the given resource name is unique.
      Overrides:
      isTypeUnique in class AAclAuthz
      Returns:
      true if unique; false otherwise
      Throws:
      EACLsException
    • updateACLs

      public void updateACLs(String id, String rights, String strACLs, String desc) throws EACLsException
      Update ACLs. When the in-memory update is done, flush to LDAP.

      Currently it is possible for the in-memory update to succeed while the LDAP update fails; the in-memory change then lingers, and until it is flushed the in-memory store and the LDAP copy disagree. The change reaches LDAP only at the next update, or at system shutdown, when another flush is attempted.

      Overrides:
      updateACLs in class AAclAuthz
      Parameters:
      id - is the resource id
      rights - The allowable rights for this resource
      strACLs - has the same format as a resourceACLs entry acis on the ldap server
      desc - The description for this resource
      Throws:
      EACLsException - when update fails.
    • flushResourceACLs

      protected void flushResourceACLs() throws EACLsException
      Updates the resourceACLs in LDAP.
      Throws:
      EACLsException
    • getConn

      protected netscape.ldap.LDAPConnection getConn() throws DBException
      Throws:
      DBException
    • returnConn

      protected void returnConn(netscape.ldap.LDAPConnection conn)
    • shutdown

      public void shutdown()
      Graceful shutdown.
      Specified by:
      shutdown in class AuthzManager
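
The resourceACLs string format given for addACLs and the deny-before-allow evaluation order described for checkACLs, modelled as an added standalone example in Python. This is not Dogtag/CMS code and does not call the Java API above; it is a self-contained model for reading and reasoning about such strings. The field layout (resource:rights:entries:description), the ";" separator between entries, the two-pass evaluation (deny entries first, then allow entries), the reporting of a matching deny as an exception, and the restricted expression grammar (user="..." and group="..." atoms joined by || and &&) are assumptions of this model; the sample string, users and groups are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Assumed layout of one resourceACLs value (illustrative model, not the real parser):
#   <resource>:<right>[,<right>...]:<entry>[;<entry>...]:<description>
# where each entry is  allow|deny (<op>[,<op>...]) <expression>
# and <expression> is limited here to user="..." / group="..." atoms joined by
# "||" and "&&" (an OR of AND-terms). Real deployments may use a richer grammar.
ENTRY_RE = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*$', re.IGNORECASE)
ATOM_RE = re.compile(r'^\s*(user|group)\s*=\s*"([^"]*)"\s*$')


class ACLParseError(ValueError):
    """Malformed resourceACLs string (plays the role of EACLsException here)."""


@dataclass
class ACLEntry:
    kind: str        # "allow" or "deny"
    ops: Set[str]    # operations this entry applies to
    expr: str        # subject expression


@dataclass
class ACL:
    resource: str
    rights: Set[str]
    entries: List[ACLEntry]
    description: str


def parse_resource_acl(res_acls: str) -> ACL:
    # The description may itself contain ':', so split into at most four fields.
    parts = res_acls.split(":", 3)
    if len(parts) != 4:
        raise ACLParseError(f"expected 4 colon-separated fields: {res_acls!r}")
    resource, rights_s, entries_s, description = parts
    rights = {r.strip() for r in rights_s.split(",") if r.strip()}
    entries: List[ACLEntry] = []
    for raw in entries_s.split(";"):
        if not raw.strip():
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            raise ACLParseError(f"bad ACL entry: {raw!r}")
        kind, ops_s, expr = m.group(1).lower(), m.group(2), m.group(3)
        ops = {o.strip() for o in ops_s.split(",") if o.strip()}
        unknown = ops - rights
        if unknown:
            # An entry naming an operation outside the declared rights is rejected,
            # so a typo cannot silently create an unreachable (or over-broad) rule.
            raise ACLParseError(f"entry uses ops not in rights list: {sorted(unknown)}")
        entries.append(ACLEntry(kind, ops, expr))
    return ACL(resource.strip(), rights, entries, description)


def eval_expr(expr: str, user: str, groups: Set[str]) -> bool:
    # OR of AND-terms over user="x" / group="y" atoms (assumed subset of the grammar).
    for term in expr.split("||"):
        ok = True
        for atom in term.split("&&"):
            m = ATOM_RE.match(atom)
            if not m:
                raise ACLParseError(f"unsupported atom: {atom!r}")
            key, val = m.groups()
            ok = ok and ((user == val) if key == "user" else (val in groups))
        if ok:
            return True
    return False


def check_acl(acl: ACL, op: str, user: str, groups: Set[str]) -> bool:
    """Deny-before-allow evaluation in the spirit of checkACLs.

    Returns True if an allow entry for op matches the subject, False if nothing
    matched (the caller would pass the decision down to the next node), and
    raises PermissionError if a deny entry for op matches the subject.
    """
    # Pass 1: any matching deny entry rejects immediately, regardless of allows.
    for e in acl.entries:
        if e.kind == "deny" and op in e.ops and eval_expr(e.expr, user, groups):
            raise PermissionError(f"{user} denied {op} on {acl.resource}")
    # Pass 2: an allow entry that does not match just moves on to the next one.
    for e in acl.entries:
        if e.kind == "allow" and op in e.ops and eval_expr(e.expr, user, groups):
            return True
    return False


def decide(acl: ACL, op: str, user: str, groups: Set[str]) -> str:
    """Collapse the three outcomes into a string for convenient inspection."""
    try:
        return "allow" if check_acl(acl, op, user, groups) else "fallthrough"
    except PermissionError:
        return "deny"


def is_valid(res_acls: str) -> bool:
    try:
        parse_resource_acl(res_acls)
        return True
    except ACLParseError:
        return False


# Constructed sample: a deny for one user sits beside an allow for the group the
# user belongs to, which is exactly the case where evaluation order matters.
SAMPLE = ('resTurnKnob:left,right:'
          'allow (left) group="lefties" || user="admin";deny (left) user="mallory"'
          ':door knobs: lefties only')

if __name__ == "__main__":
    acl = parse_resource_acl(SAMPLE)
    for who, grp in (("alice", {"lefties"}), ("mallory", {"lefties"}), ("carol", set())):
        print(who, "left ->", decide(acl, "left", who, grp))
```

The point of the two passes is that group membership cannot override a deny: mallory is in lefties, and the allow entry would match her, but the deny entry for her user name is evaluated first and wins. A subject that matches neither kind of entry falls through rather than being denied, so the final answer depends on what the next node in the resource hierarchy says.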