Class AAclAuthz
- All Implemented Interfaces: IAuthzManager
- Direct Known Subclasses: BasicAclAuthz, DirAclAuthz
Use checkPermission in code that needs to verify access before performing actions.

Here is a sample resourceACLs value for a resource:

    certServer.UsrGrpAdminServlet: execute: deny (execute) user="tempAdmin"; allow (execute) group="Administrators"

To perform permission checking, code calls the authz manager's authorize() method to verify access. See AuthzMgr for a calling example.

Default "evaluators" are used to evaluate the "group=.." or "user=.." rules. See evaluator for more information.
- Version: $Revision$, $Date$
Method Summary
- void accessInit(String accessInfo): accessInit is for servlets that want to initialize their own authorization information before full operation.
- aclEvaluatorElements: gets an enumeration of access evaluators.
- aclResElements: gets an enumeration of resources.
- void addACLs: parses ACL resource attributes, then updates the ACLs memory store. This is intended to be used if storing ACLs on LDAP is not desired; the caller is expected to call this method to add resource and ACL info into the ACLs memory store.
- authorize(IAuthToken authToken, String expression)
- authorize(IAuthToken authToken, String resource, String operation): checks the authorization permission for the user associated with authToken on operation.
- protected boolean checkAllowEntries(IAuthToken authToken, Iterable<String> nodes, String perm)
- protected void checkDenyEntries(IAuthToken authToken, Iterable<String> nodes, String perm): throws EACLsException if a deny entry is matched.
- void checkPermission(IAuthToken authToken, String name, String perm): checks if the permission is granted or denied with the id from the authToken obtained from the authentication that precedes authorization.
- protected void checkPermission(String name, String perm): checks if the permission is granted or denied in the current execution context.
- boolean evaluateACLs(IAuthToken authToken, String exp)
- getAccessEvaluators: gets the access evaluators.
- getACL: gets an individual ACL entry for the given entry name.
- getACLs(): gets the ACL entries.
- String[] getConfigParams: returns a list of configuration parameter names.
- getConfigStore: returns the configuration store used by this authz manager.
- getEntries(ACLEntry.Type entryType, Iterable<String> nodes, String operation)
- getExtendedPluginInfo
- getImplName: gets the plugin name of this authorization manager.
- getName(): gets the name of this authorization manager instance.
- getNodes
- static AAclAuthz.EvaluationOrder getOrder()
- getTargetNames
- void init(String name, String implName, AuthzManagerConfig config): initializes the manager.
- boolean isTypeUnique(String type): is this resource name unique?
- void registerEvaluator(String type, IAccessEvaluator evaluator): registers a new handler for the given attribute type in the expressions.
- void updateACLs(String id, String rights, String strACLs, String desc): this one only updates the memory.
- Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
- Methods inherited from interface org.dogtagpki.server.authorization.IAuthzManager: shutdown
Field Details
- logger: public static final org.slf4j.Logger logger
- PROP_CLASS
- PROP_IMPL
- PROP_EVAL
- ACLS_ATTR
- mExtendedPluginInfo
- mConfigParams
Constructor Details
- AAclAuthz: protected AAclAuthz(), the constructor
Method Details

init
Initializes the manager.
- Specified by: init in interface IAuthzManager
- Parameters:
  - name: the name of this authorization manager instance.
  - implName: the name of the authorization manager plugin.
  - config: the configuration store for this authorization manager.
- Throws: EBaseException if an initialization error occurred.

getName
Gets the name of this authorization manager instance.
- Specified by: getName in interface IAuthzManager
- Returns: String, the name of this authorization manager.

getImplName
Gets the plugin name of this authorization manager.
- Specified by: getImplName in interface IAuthzManager
- Returns: the name of the authorization manager plugin.
addACLs
Parses ACL resource attributes, then updates the ACLs memory store. This is intended to be used if storing ACLs on LDAP is not desired; the caller is expected to call this method to add resource and ACL info into the ACLs memory store. The resACLs value should conform to the following format, for example:

    resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

- Parameters:
  - resACLs: same format as the resourceACLs attribute
- Throws: EBaseException on a parsing error from parseACL
accessInit
Description copied from interface: IAuthzManager
accessInit is for servlets that want to initialize their own authorization information before full operation. It is supposed to be called from the authzMgrAccessInit() method of the AuthzSubsystem. The accessInfo format is determined by each individual authz manager. For example, for BasicAclAuthz the accessInfo is the resACLs, whose format should conform to the following, for example:

    resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

- Specified by: accessInit in interface IAuthzManager
- Parameters:
  - accessInfo: the access info string in the format specified by the authorization manager
- Throws: EBaseException on an error parsing the accessInfo
getACL
Description copied from interface: IAuthzManager
Gets an individual ACL entry for the given entry name.
- Specified by: getACL in interface IAuthzManager
- Parameters:
  - target: the name of the ACL entry
- Returns: the ACL entry.

getTargetNames

getACLs
Description copied from interface: IAuthzManager
Gets the ACL entries.
- Specified by: getACLs in interface IAuthzManager
- Returns: an enumeration of ACL entries.

getConfigStore
Returns the configuration store used by this authz manager.
- Specified by: getConfigStore in interface IAuthzManager
- Returns: the configuration store of this authorization manager.
getExtendedPluginInfo

getConfigParams
Returns a list of configuration parameter names. The list is passed to the configuration console so that instances of this implementation can be configured through the console.
- Specified by: getConfigParams in interface IAuthzManager
- Returns: String array of configuration parameter names.

registerEvaluator
Registers a new handler for the given attribute type in the expressions.
- Specified by: registerEvaluator in interface IAuthzManager
- Parameters:
  - type: type of evaluator
  - evaluator: value of evaluator
checkPermission
Checks if the permission is granted or denied in the current execution context. If the code is marked as privileged, this method simply returns.

Note that if a resource does not exist in the aclResources entry but a higher-level node exists, the higher-level node is still evaluated. The highest-level node's ACL determines the permission. If the higher-level node contains no ACL information, the decision is passed down to the lower node. If a node has no ACI in its resourceACLs, it is considered passed.

Example: for certServer.common.users, if the permission check for "certServer" fails, the check is considered failed and there is no need to continue. If the permission check for "certServer" passes, the check is considered passed and there is no need to continue. If certServer contains no ACI, then "certServer.common" is checked for permission instead. If, down to the leaf level, no node contains an ACI, the check is considered passed. If at the leaf level no such resource exists, or it has no ACIs, the check is considered passed.

If there are multiple ACIs for a resource, ALL ACIs are checked, and only if all of them pass is access eventually granted.
- Parameters:
  - name: resource name
  - perm: permission requested
- Throws: EACLsException if access permission is denied

checkPermission
Checks if the permission is granted or denied with the id from the authToken obtained from the authentication that precedes authorization. If the code is marked as privileged, this method simply returns. The hierarchical evaluation of nodes and ACIs is the same as for checkPermission(String name, String perm) above.
- Parameters:
  - authToken: authentication token obtained from authentication
  - name: resource name
  - perm: permission requested
- Throws: EACLsException if access permission is denied
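The node walk described for checkPermission and the resourceACLs format used by addACLs, modelled in Python as an added example (this is not AAclAuthz's own code). The token shape ({"uid", "groups"}) and the rule that a matched deny fails while otherwise at least one allow must match are assumptions of the model.

```python
import re
from typing import Callable, Dict, List, Tuple

# One ACI as written in resourceACLs: allow|deny (op1,op2) attr="value"
ACI_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(\w+)\s*=\s*"([^"]*)"$')
Aci = Tuple[str, set, str, str]  # (allow|deny, operations, attr type, value)

def parse_resource_acls(res_acls: str) -> Tuple[str, List[str], List[Aci]]:
    """Parse one resourceACLs value: resource:rights:aci;aci[:description]."""
    parts = [p.strip() for p in res_acls.split(":", 3)]
    if len(parts) < 3:
        raise ValueError("expected resource:rights:acis[:description]")
    acis: List[Aci] = []
    for raw in filter(None, (a.strip() for a in parts[2].split(";"))):
        m = ACI_RE.match(raw)
        if not m:
            raise ValueError("malformed ACI: " + raw)  # reject, never skip silently
        kind, ops, attr, value = m.groups()
        acis.append((kind, {o.strip() for o in ops.split(",")}, attr, value))
    return parts[0], [r.strip() for r in parts[1].split(",")], acis

# Evaluators for the page's user=".." and group=".." rules; the token shape is assumed.
EVALUATORS: Dict[str, Callable[[dict, str], bool]] = {
    "user": lambda tok, v: tok.get("uid") == v,
    "group": lambda tok, v: v in tok.get("groups", ()),
}

def check_permission(store: Dict[str, List[Aci]], token: dict, name: str, perm: str) -> bool:
    """Walk certServer -> certServer.common -> ...; the first node carrying ACIs for `perm`
    decides. Assumed: a matched deny fails, otherwise at least one allow must match."""
    labels = name.split(".")
    for depth in range(1, len(labels) + 1):
        entries = [e for e in store.get(".".join(labels[:depth]), []) if perm in e[1]]
        if not entries:
            continue  # no ACI at this level: the decision passes down to the next node
        for kind, _ops, attr, value in entries:
            # An unregistered evaluator type raises KeyError here: fail closed.
            if kind == "deny" and EVALUATORS[attr](token, value):
                return False
        return any(EVALUATORS[a](token, v) for k, _o, a, v in entries if k == "allow")
    return True  # no ACI down to the leaf: "considered passed", i.e. an implicit allow

# Model of addACLs(): a constructed store built from the two resourceACLs values on this page.
STORE: Dict[str, List[Aci]] = {}
for _line in (
    'certServer.UsrGrpAdminServlet: execute: deny (execute) user="tempAdmin"; allow (execute) group="Administrators"',
    'resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties',
):
    _res, _rights, _acis = parse_resource_acls(_line)
    STORE.setdefault(_res, []).extend(_acis)
```

Note that a resource with no ACI on any node of its path, or a permission no ACI mentions, passes; when auditing a deployment, the absence of an entry is therefore as significant as a permissive one.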

checkAllowEntries

checkDenyEntries
protected void checkDenyEntries(IAuthToken authToken, Iterable<String> nodes, String perm) throws EACLsException
Throws EACLsException if a deny entry is matched.
- Throws: EACLsException

getEntries

getNodes

updateACLs
This one only updates the memory. Classes extending this class should also update a permanent storage.
- Specified by: updateACLs in interface IAuthzManager
- Parameters:
  - id: the name of the ACL entry (i.e., the resource id)
  - rights: the allowable rights for this resource
  - strACLs: the value of the ACL entry
  - desc: the description for this resource
- Throws: EACLsException when the update fails.

aclResElements
Gets an enumeration of resources.
- Returns: an enumeration of resources contained in the ACL table

aclEvaluatorElements
Gets an enumeration of access evaluators.
- Specified by: aclEvaluatorElements in interface IAuthzManager
- Returns: an enumeration of access evaluators

getAccessEvaluators
Gets the access evaluators.
- Specified by: getAccessEvaluators in interface IAuthzManager
- Returns: handle to the access evaluators table

isTypeUnique
Is this resource name unique?
- Returns: true if unique; false otherwise
authorize
public AuthzToken authorize(IAuthToken authToken, String resource, String operation) throws EAuthzInternalError, EAuthzAccessDenied
Checks the authorization permission for the user associated with authToken on operation. For example, if UsrGrpAdminServlet needs to authorize the caller, it would be done in the following fashion:

    try {
        authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
    } catch (EBaseException e) {
        logger.warn("authorize call: " + e.getMessage(), e);
    }

- Specified by: authorize in interface IAuthzManager
- Parameters:
  - authToken: the authToken associated with a user
  - resource: the protected resource name
  - operation: the protected resource operation name
- Returns: authzToken
- Throws:
  - EAuthzAccessDenied if access was denied
  - EAuthzInternalError if an internal error occurred.

authorize
- Specified by: authorize in interface IAuthzManager
- Throws: EAuthzAccessDenied

getOrder

evaluateACLs