Class AAclAuthz

java.lang.Object
com.netscape.cms.authorization.AAclAuthz
All Implemented Interfaces:
IAuthzManager
Direct Known Subclasses:
BasicAclAuthz, DirAclAuthz

public abstract class AAclAuthz extends Object implements IAuthzManager
An abstract class that represents an authorization manager governing access to internal resources such as servlets. It parses the ACLs associated with each protected resource and provides the protected method checkPermission for code that needs to verify access before performing actions.

Here is a sample resourceACLs value for a resource:

   certServer.UsrGrpAdminServlet:
       execute:
           deny (execute) user="tempAdmin";
           allow (execute) group="Administrators";
 
To perform permission checking, code calls the authorization manager's authorize() method to verify access. See AuthzMgr for a calling example.

Default "evaluators" are used to evaluate the "group=.." or "user=.." rules. See the evaluator classes for more information.

  • Constructor Details

    • AAclAuthz

      protected AAclAuthz()
      Constructor
  • Method Details

    • init

      public void init(String name, String implName, AuthzManagerConfig config) throws EBaseException
      Initializes this authorization manager instance.
      Specified by:
      init in interface IAuthzManager
      Parameters:
      name - The name of this authorization manager instance.
      implName - The name of the authorization manager plugin.
      config - The configuration store for this authorization manager.
      Throws:
      EBaseException - If an initialization error occurred.
    • getName

      public String getName()
      Gets the name of this authorization manager instance.
      Specified by:
      getName in interface IAuthzManager
      Returns:
      String the name of this authorization manager.
    • getImplName

      public String getImplName()
      Gets the plugin name of this authorization manager.
      Specified by:
      getImplName in interface IAuthzManager
      Returns:
      The name of the authorization manager plugin.
    • addACLs

      public void addACLs(String resACLs) throws EBaseException
      Parses ACL resource attributes, then updates the in-memory ACL store. This is intended for use when storing ACLs in LDAP is not desired; the caller is expected to call this method to add resource and ACL information into the in-memory store. The resACLs value should conform to the following format, for example:

         resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties
      Parameters:
      resACLs - same format as the resourceACLs attribute
      Throws:
      EBaseException - parsing error from parseACL
    • accessInit

      public void accessInit(String accessInfo) throws EBaseException
      Description copied from interface: IAuthzManager
      accessInit is for servlets that want to initialize their own authorization information before full operation. It is expected to be called from the authzMgrAccessInit() method of the AuthzSubsystem.

      The accessInfo format is determined by each individual authorization manager. For example, for BasicAclAuthz the accessInfo is the resACLs value, which should conform to the following format:

         resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

      Specified by:
      accessInit in interface IAuthzManager
      Parameters:
      accessInfo - the access info string in the format specified in the authorization manager
      Throws:
      EBaseException - error parsing the accessInfo
    • getACL

      public IACL getACL(String target)
      Description copied from interface: IAuthzManager
      Get individual ACL entry for the given name of entry.
      Specified by:
      getACL in interface IAuthzManager
      Parameters:
      target - The name of the ACL entry
      Returns:
      The ACL entry.
    • getTargetNames

      protected Enumeration<String> getTargetNames()
    • getACLs

      public Enumeration<IACL> getACLs()
      Description copied from interface: IAuthzManager
      Get ACL entries
      Specified by:
      getACLs in interface IAuthzManager
      Returns:
      enumeration of ACL entries.
    • getConfigStore

      public AuthzManagerConfig getConfigStore()
      Returns the configuration store used by this authorization manager.
      Specified by:
      getConfigStore in interface IAuthzManager
      Returns:
      The configuration store of this authorization manager.
    • getExtendedPluginInfo

      public String[] getExtendedPluginInfo()
    • getConfigParams

      public String[] getConfigParams()
      Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.
      Specified by:
      getConfigParams in interface IAuthzManager
      Returns:
      String array of configuration parameter names.
    • registerEvaluator

      public void registerEvaluator(String type, IAccessEvaluator evaluator)
      Registers new handler for the given attribute type in the expressions.
      Specified by:
      registerEvaluator in interface IAuthzManager
      Parameters:
      type - Type of evaluator
      evaluator - Value of evaluator
    • checkPermission

      protected void checkPermission(String name, String perm) throws EACLsException
      Checks if the permission is granted or denied in the current execution context. If the code is marked as privileged, this method simply returns.

      Note that if a resource does not exist in the aclResources entry but a higher-level node exists, that node is still evaluated. The highest-level node's ACL determines the permission. If the higher-level node does not contain any ACL information, the decision is passed down to the lower node. If a node has no ACI in its resourceACLs, it is considered passed.

      Example: for certServer.common.users, if the permission check for "certServer" fails, the whole check fails and there is no need to continue. If the permission check for "certServer" passes, it is considered passed and there is no need to continue. If certServer contains no ACI, then "certServer.common" is checked for permission instead. If the leaf level is reached and the node still contains no ACI, it is considered passed. If at the leaf level no such resource exists, or it has no ACIs, it is considered passed.

      If there are multiple ACIs for a resource, all of them are checked, and access is granted only if every one of them passes.

      Parameters:
      name - resource name
      perm - permission requested
      Throws:
      EACLsException - access permission denied
    • checkPermission

      public void checkPermission(IAuthToken authToken, String name, String perm) throws EACLsException
      Checks if the permission is granted or denied for the identity in the authToken obtained from the authentication that precedes authorization. If the code is marked as privileged, this method simply returns.

      Note that if a resource does not exist in the aclResources entry but a higher-level node exists, that node is still evaluated. The highest-level node's ACL determines the permission. If the higher-level node does not contain any ACL information, the decision is passed down to the lower node. If a node has no ACI in its resourceACLs, it is considered passed.

      Example: for certServer.common.users, if the permission check for "certServer" fails, the whole check fails and there is no need to continue. If the permission check for "certServer" passes, it is considered passed and there is no need to continue. If certServer contains no ACI, then "certServer.common" is checked for permission instead. If the leaf level is reached and the node still contains no ACI, it is considered passed. If at the leaf level no such resource exists, or it has no ACIs, it is considered passed.

      If there are multiple ACIs for a resource, all of them are checked, and access is granted only if every one of them passes.

      Parameters:
      authToken - authentication token obtained from authentication
      name - resource name
      perm - permission requested
      Throws:
      EACLsException - access permission denied
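The hierarchical evaluation that both checkPermission entries describe, together with the resourceACLs format shown for addACLs, modelled in a standalone Python example added here (not the project's code): it parses constructed resourceACLs values, expands a resource id into its node chain the way getNodes does, and lets the highest node that carries an ACI for the requested operation decide. EVALUATORS and the dict-shaped token are assumptions standing in for IAccessEvaluator and IAuthToken.

```python
import re

# Constructed sample values in the resourceACLs format: resource:rights:acl;acl:description
SAMPLE_ACLS = [
    'certServer:read:allow (read) group="Auditors":top-level read rule',
    'certServer.common.users:read,execute:deny (execute) user="tempAdmin";'
    'allow (execute) group="Administrators":user/group admin servlet',
]
ENTRY_RE = re.compile(r'\s*(allow|deny)\s*\(([^)]*)\)\s*(\w+)="([^"]*)"')
# Hypothetical evaluators keyed by attribute type, the role registerEvaluator("user"/"group", ...) fills
EVALUATORS = {
    "user": lambda token, value: token.get("uid") == value,
    "group": lambda token, value: value in token.get("groups", ()),
}

def parse_resource_acls(res_acls):
    """One resourceACLs value -> (resource id, [(allow|deny, {ops}, attr type, attr value)])."""
    resource, _rights, acls, _desc = res_acls.split(":", 3)
    entries = []
    for raw in acls.split(";"):
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        kind, ops, attr, value = m.groups()
        entries.append((kind, {o.strip() for o in ops.split(",")}, attr, value))
    return resource, entries

def get_nodes(resource_id):
    """certServer.common.users -> [certServer, certServer.common, certServer.common.users]."""
    parts = resource_id.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]

def check_permission(table, token, resource_id, perm):
    """Walk the hierarchy top-down; the highest node with entries for perm decides.
    Every entry at that node must pass: a deny passes when it does NOT match the
    token, an allow passes when it does. No applicable entry on any node -> passed."""
    for node in get_nodes(resource_id):
        applicable = [e for e in table.get(node, []) if perm in e[1]]
        if not applicable:
            continue  # no ACI at this node: the decision passes down to the next one
        for kind, _ops, attr, value in applicable:
            matched = EVALUATORS[attr](token, value)
            if (kind == "deny" and matched) or (kind == "allow" and not matched):
                return False
        return True
    return True

# In-memory store as addACLs() would build it (one resource id per sample value here)
TABLE = dict(parse_resource_acls(line) for line in SAMPLE_ACLS)
```

Note that with these rules a rule on "certServer" decides "read" for every resource beneath it, so the leaf entries for certServer.common.users are only consulted for "execute".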
    • checkAllowEntries

      protected boolean checkAllowEntries(IAuthToken authToken, Iterable<String> nodes, String perm)
    • checkDenyEntries

      protected void checkDenyEntries(IAuthToken authToken, Iterable<String> nodes, String perm) throws EACLsException
      Throws EACLsException if a deny entry is matched.
      Throws:
      EACLsException
    • getEntries

      protected Iterable<ACLEntry> getEntries(ACLEntry.Type entryType, Iterable<String> nodes, String operation)
    • getNodes

      public Vector<String> getNodes(String resourceID)
    • updateACLs

      public void updateACLs(String id, String rights, String strACLs, String desc) throws EACLsException
      This method only updates the in-memory store. Classes that extend this class should also update permanent storage.
      Specified by:
      updateACLs in interface IAuthzManager
      Parameters:
      id - The name of the ACL entry (i.e., the resource id)
      rights - The allowable rights for this resource
      strACLs - The value of the ACL entry
      desc - The description for this resource
      Throws:
      EACLsException - when update fails.
    • aclResElements

      public Enumeration<IACL> aclResElements()
      Gets an enumeration of resources.
      Returns:
      an enumeration of resources contained in the ACL table
    • aclEvaluatorElements

      public Enumeration<IAccessEvaluator> aclEvaluatorElements()
      Gets an enumeration of access evaluators.
      Specified by:
      aclEvaluatorElements in interface IAuthzManager
      Returns:
      an enumeration of access evaluators
    • getAccessEvaluators

      public Hashtable<String,IAccessEvaluator> getAccessEvaluators()
      Gets the access evaluators.
      Specified by:
      getAccessEvaluators in interface IAuthzManager
      Returns:
      handle to the access evaluators table
    • isTypeUnique

      public boolean isTypeUnique(String type)
      Is this resource name unique?
      Returns:
      true if unique; false otherwise
    • authorize

      public AuthzToken authorize(IAuthToken authToken, String resource, String operation) throws EAuthzInternalError, EAuthzAccessDenied
      Checks the authorization permission for the user associated with authToken on the given operation. For example, if UsrGrpAdminServlet needs to authorize the caller, it would be done in the following fashion:

         try {
             authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
         } catch (EBaseException e) {
             logger.warn("authorize call: " + e.getMessage(), e);
         }
      Specified by:
      authorize in interface IAuthzManager
      Parameters:
      authToken - the authToken associated with a user
      resource - the protected resource name
      operation - the protected resource operation name
      Returns:
      authzToken
      Throws:
      EAuthzAccessDenied - If access was denied
      EAuthzInternalError - If an internal error occurred.
    • authorize

      public AuthzToken authorize(IAuthToken authToken, String expression) throws EAuthzAccessDenied
      Specified by:
      authorize in interface IAuthzManager
      Throws:
      EAuthzAccessDenied
    • getOrder

      public static AAclAuthz.EvaluationOrder getOrder()
    • evaluateACLs

      public boolean evaluateACLs(IAuthToken authToken, String exp)