com.netscape.cms.authorization
Class DirAclAuthz

java.lang.Object
  extended by com.netscape.cms.authorization.AAclAuthz
      extended by com.netscape.cms.authorization.DirAclAuthz
All Implemented Interfaces:
IAuthzManager, IExtendedPluginInfo

public class DirAclAuthz
extends AAclAuthz
implements IAuthzManager, IExtendedPluginInfo

An authorization manager whose ACLs are stored in LDAP. The LDAP server used for the ACLs is the CMS internal LDAP database. The ACLs are held in memory and enforced from there; changes made through updateACLs are applied in memory first and then flushed to the directory (see updateACLs and flushResourceACLs for the consequences of a failed flush).

Version:
$Revision: 1211 $, $Date: 2010-08-18 10:15:37 -0700 (Wed, 18 Aug 2010) $

Field Summary
protected static java.lang.String PROP_BASEDN
           
 
Fields inherited from class com.netscape.cms.authorization.AAclAuthz
ACLS_ATTR, mConfigParams, mExtendedPluginInfo, PROP_CLASS, PROP_EVAL, PROP_IMPL
 
Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
HELP_TEXT, HELP_TOKEN
 
Constructor Summary
DirAclAuthz()
          Default constructor
 
Method Summary
 AuthzToken authorize(IAuthToken authToken, java.lang.String expression)
           
 AuthzToken authorize(IAuthToken authToken, java.lang.String resource, java.lang.String operation)
          Checks whether the user associated with authToken is permitted to perform operation on resource.
protected  void flushResourceACLs()
          Writes the in-memory resourceACLs to LDAP.
protected  netscape.ldap.LDAPConnection getConn()
           
 java.lang.String getImplName()
          gets the plugin name of this authorization manager.
 java.lang.String getName()
          gets the name of this authorization manager instance
 void init(java.lang.String name, java.lang.String implName, IConfigStore config)
          Initialize this authorization manager.
protected  void log(int level, java.lang.String msg)
          Logs a message for this class in the system log file.
protected  void returnConn(netscape.ldap.LDAPConnection conn)
           
 void shutdown()
          graceful shutdown
 void updateACLs(java.lang.String id, java.lang.String rights, java.lang.String strACLs, java.lang.String desc)
          Updates the ACLs in memory and flushes them to LDAP.
 
Methods inherited from class com.netscape.cms.authorization.AAclAuthz
accessInit, aclEvaluatorElements, aclResElements, addACLs, checkPermission, checkPermission, evaluateACLs, getAccessEvaluators, getACL, getACLs, getAllowEntries, getConfigParams, getConfigStore, getDenyEntries, getExtendedPluginInfo, getNodes, getOrder, getTargetNames, init, isTypeUnique, registerEvaluator
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface com.netscape.certsrv.authorization.IAuthzManager
accessInit, aclEvaluatorElements, getAccessEvaluators, getACL, getACLs, getConfigParams, getConfigStore, registerEvaluator
 
Methods inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
getExtendedPluginInfo
 

Field Detail

PROP_BASEDN

protected static final java.lang.String PROP_BASEDN
See Also:
Constant Field Values
Constructor Detail

DirAclAuthz

public DirAclAuthz()
Default constructor

Method Detail

init

public void init(java.lang.String name,
                 java.lang.String implName,
                 IConfigStore config)
          throws EBaseException
Description copied from interface: IAuthzManager
Initialize this authorization manager.

Specified by:
init in interface IAuthzManager
Parameters:
name - The name of this authorization manager instance.
implName - The name of the authorization manager plugin.
config - The configuration store for this authorization manager.
Throws:
EBaseException - If an initialization error occurred.

getName

public java.lang.String getName()
gets the name of this authorization manager instance

Specified by:
getName in interface IAuthzManager
Returns:
String the name of this authorization manager.

getImplName

public java.lang.String getImplName()
gets the plugin name of this authorization manager.

Specified by:
getImplName in interface IAuthzManager
Returns:
The name of the authorization manager plugin.

authorize

public AuthzToken authorize(IAuthToken authToken,
                            java.lang.String resource,
                            java.lang.String operation)
                     throws EAuthzInternalError,
                            EAuthzAccessDenied
Checks whether the user associated with authToken is permitted to perform operation on resource. On success an AuthzToken is returned; a denial and an internal error are both reported as exceptions, so a caller must treat a missing token as a refusal.

Example:

For example, if UsrGrpAdminServlet needs to authorize the caller, it would be done in the following fashion (the catch of EBaseException covers both EAuthzAccessDenied and EAuthzInternalError, which extend it; the null check afterwards is what makes the servlet fail closed instead of continuing with no token):

   AuthzToken authzTok = null;
   try {
     authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
   } catch (EBaseException e) {  // EAuthzAccessDenied and EAuthzInternalError both land here
     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
   }
   if (authzTok == null) {
     return;  // fail closed: refuse on access denied AND on internal error; never fall through
   }
 

Specified by:
authorize in interface IAuthzManager
Specified by:
authorize in class AAclAuthz
Parameters:
authToken - the authToken associated with a user
resource - the protected resource name
operation - the protected resource operation name
Returns:
authzToken
Throws:
EAuthzInternalError - if an internal error occurred (for example the ACL store could not be consulted)
EAuthzAccessDenied - if access is denied
Both exceptions extend EBaseException, so a single catch of EBaseException handles both.

authorize

public AuthzToken authorize(IAuthToken authToken,
                            java.lang.String expression)
                     throws EAuthzAccessDenied
Specified by:
authorize in interface IAuthzManager
Throws:
EAuthzAccessDenied

updateACLs

public void updateACLs(java.lang.String id,
                       java.lang.String rights,
                       java.lang.String strACLs,
                       java.lang.String desc)
                throws EACLsException
Updates the ACLs: the in-memory ACL table is updated first, then flushed to LDAP.

Currently it is possible for the in-memory update to succeed while the LDAP write fails. The in-memory change then lingers unpersisted: it is enforced immediately by this server instance, but reaches LDAP only when the next update triggers a flush, or when shutdown attempts another flush. Until then the directory and the running server disagree, and a crash (as opposed to a graceful shutdown) before a successful flush loses the change, so a tightening ACL change can silently revert when the server next loads its ACLs from LDAP. A caller that receives EACLsException should therefore not assume the change was rejected; it should re-check the effective ACL and treat the LDAP write as pending.

Specified by:
updateACLs in interface IAuthzManager
Overrides:
updateACLs in class AAclAuthz
Parameters:
id - the resource id
rights - the allowable rights for this resource
strACLs - the ACIs for this resource, in the same format as the acis portion of a resourceACLs entry on the LDAP server
desc - the description for this resource
Throws:
EACLsException - when the update fails (see the note above: the in-memory update may nevertheless have taken effect).
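The two call patterns documented above, authorize (fail closed on denial and on internal error) and updateACLs (distinguish "persisted", "applied in memory but not yet in LDAP" and "rejected"), are put together in the following added example. It is not code from this page or from the CMS code base. Assumptions not stated on the page: the import package names; that a failed LDAP flush surfaces as EACLsException from updateACLs; the hypothetical resource name RES_GROUP; and the aci syntax in ADMIN_ACI, which follows the resourceACLS form <allow|deny> (<ops>) <evaluator>="<value>" used in the CMS internal database.

```java
import com.netscape.certsrv.acls.EACLsException;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
import com.netscape.certsrv.authorization.IAuthzManager;
import com.netscape.certsrv.base.EBaseException;

/**
 * Added example, not part of the CMS code base. Wraps an IAuthzManager (for
 * instance a DirAclAuthz) so that authorization fails closed, and applies an
 * ACL update in a way that reports which of the three outcomes the updateACLs
 * description allows for actually happened.
 */
public final class AclAuthzHelper {

    /** Hypothetical resource id, rights and aci, used for illustration only. */
    static final String RES_GROUP = "certServer.ca.group";
    static final String RES_GROUP_RIGHTS = "read,modify";
    // Assumed aci syntax: "<allow|deny> (<ops>) <evaluator>=\"<value>\""
    static final String ADMIN_ACI = "allow (read,modify) group=\"Administrators\"";

    enum UpdateState { PERSISTED, PENDING, REJECTED }

    private final IAuthzManager authz;

    AclAuthzHelper(IAuthzManager authz) {
        this.authz = authz;
    }

    /**
     * Returns the AuthzToken if authToken may perform operation on resource,
     * null otherwise. A denial and an internal error (for example the ACL store
     * being unreachable) both yield null: an internal error must deny, never
     * fall through as though authorization had succeeded.
     */
    AuthzToken checkOrDeny(IAuthToken authToken, String resource, String operation) {
        if (authToken == null) {
            log("no auth token for " + resource + "/" + operation + ": denied");
            return null;                      // unauthenticated caller
        }
        try {
            return authz.authorize(authToken, resource, operation);
        } catch (EAuthzAccessDenied e) {
            log("access denied on " + resource + "/" + operation + ": " + e);
        } catch (EBaseException e) {          // EAuthzInternalError and anything else
            log("authz internal error on " + resource + "/" + operation
                + " (treated as deny): " + e);
        }
        return null;
    }

    /**
     * Applies an ACL change and reports its state:
     *   PERSISTED  memory and LDAP both updated;
     *   PENDING    memory updated but the LDAP flush failed; the rule is enforced
     *              now and reaches LDAP only at the next update or at shutdown;
     *   REJECTED   nothing changed (for example the aci string did not parse).
     * PENDING and REJECTED are told apart by probing the in-memory ACL with a
     * token whose decision the new rule changes (for ADMIN_ACI: a member of the
     * Administrators group who was not allowed probeOp on id before the update).
     */
    UpdateState updateAndVerify(String id, String rights, String acis, String desc,
                                IAuthToken probeToken, String probeOp) {
        try {
            authz.updateACLs(id, rights, acis, desc);
            return UpdateState.PERSISTED;
        } catch (EACLsException e) {
            // Assumed: a failed LDAP flush surfaces here, as does a parse failure.
            log("updateACLs failed for " + id + ": " + e);
            boolean effectiveInMemory = checkOrDeny(probeToken, id, probeOp) != null;
            if (effectiveInMemory) {
                log("ACL for " + id + " is PENDING: enforced in memory, not yet in LDAP; "
                    + "it is lost if the server crashes before the next successful flush");
                return UpdateState.PENDING;
            }
            return UpdateState.REJECTED;
        }
    }

    private static void log(String msg) {
        // A servlet would use ILogger; System.err keeps this example self-contained.
        System.err.println("[AclAuthzHelper] " + msg);
    }
}
```

From a servlet the helper is used as AclAuthzHelper h = new AclAuthzHelper(dirAclAuthz); followed by refusing the request whenever h.checkOrDeny(authToken, AclAuthzHelper.RES_GROUP, "read") returns null. An administrative path that changes ACLs calls h.updateAndVerify(RES_GROUP, RES_GROUP_RIGHTS, ADMIN_ACI, "admins may read and modify groups", adminProbeToken, "read") and, on PENDING, raises an alert or retries rather than reporting success, since the change is in force only in this instance's memory until a flush succeeds.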

flushResourceACLs

protected void flushResourceACLs()
                          throws EACLsException
Writes the in-memory resourceACLs to LDAP. This is the flush that updateACLs performs after a memory update and that shutdown retries if a previous flush failed.

Specified by:
flushResourceACLs in class AAclAuthz
Throws:
EACLsException

getConn

protected netscape.ldap.LDAPConnection getConn()
                                        throws ELdapException
Throws:
ELdapException

returnConn

protected void returnConn(netscape.ldap.LDAPConnection conn)
                   throws ELdapException
Throws:
ELdapException

shutdown

public void shutdown()
Graceful shutdown; a further flush of any unpersisted ACL changes to LDAP is attempted (see updateACLs).

Specified by:
shutdown in interface IAuthzManager
Specified by:
shutdown in class AAclAuthz

log

protected void log(int level,
                   java.lang.String msg)
Logs a message for this class in the system log file.

Parameters:
level - The log level.
msg - The message to log.
See Also:
ILogger