com.netscape.cms.authorization
Class AAclAuthz

java.lang.Object
  extended by com.netscape.cms.authorization.AAclAuthz
Direct Known Subclasses:
BasicAclAuthz, DirAclAuthz

public abstract class AAclAuthz
extends java.lang.Object

An abstract class represents an authorization manager that governs the access of internal resources such as servlets. It parses in the ACLs associated with each protected resources, and provides protected method checkPermission for code that needs to verify access before performing actions.

Here is a sample resourceACLS for a resource

   certServer.UsrGrpAdminServlet:
       execute:
           deny (execute) user="tempAdmin";
           allow (execute) group="Administrators";
 
To perform permission checking, code call authz mgr authorize() method to verify access. See AuthzMgr for calling example.

default "evaluators" are used to evaluate the "group=.." or "user=.." rules. See evaluator for more info

Version:
$Revision: 1211 $, $Date: 2010-08-18 10:15:37 -0700 (Wed, 18 Aug 2010) $
See Also:
ACL Files

Field Summary
protected static java.lang.String ACLS_ATTR
           
protected static java.lang.String[] mConfigParams
           
protected static java.util.Vector mExtendedPluginInfo
           
protected static java.lang.String PROP_CLASS
           
protected static java.lang.String PROP_EVAL
           
protected static java.lang.String PROP_IMPL
           
 
Constructor Summary
AAclAuthz()
          Constructor
 
Method Summary
 void accessInit(java.lang.String accessInfo)
           
 java.util.Enumeration aclEvaluatorElements()
          gets an enumeration of access evaluators
 java.util.Enumeration aclResElements()
          gets an enumeration of resources
 void addACLs(java.lang.String resACLs)
          Parse ACL resource attributes, then update the ACLs memory store This is intended to be used if storing ACLs on ldap is not desired, and the caller is expected to call this method to add resource and acl info into acls memory store.
abstract  AuthzToken authorize(IAuthToken authToken, java.lang.String resource, java.lang.String operation)
          an abstract class that enforces implementation of the authorize() method that will authorize an operation on a particular resource
 void checkPermission(IAuthToken authToken, java.lang.String name, java.lang.String perm)
          Checks if the permission is granted or denied with id from authtoken gotten from authentication that precedes authorization.
protected  void checkPermission(java.lang.String name, java.lang.String perm)
          Checks if the permission is granted or denied in the current execution context.
 boolean evaluateACLs(IAuthToken authToken, java.lang.String exp)
           
protected abstract  void flushResourceACLs()
          update acls.
 java.util.Hashtable getAccessEvaluators()
          gets the access evaluators
 IACL getACL(java.lang.String target)
           
 java.util.Enumeration getACLs()
           
protected  java.util.Enumeration getAllowEntries(java.util.Enumeration nodes, java.lang.String operation)
           
 java.lang.String[] getConfigParams()
          Returns a list of configuration parameter names.
 IConfigStore getConfigStore()
          Returns the configuration store used by this Authz mgr
protected  java.util.Enumeration getDenyEntries(java.util.Enumeration nodes, java.lang.String operation)
           
 java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)
           
 java.util.Vector getNodes(java.lang.String resourceID)
           
 java.lang.String getOrder()
           
protected  java.util.Enumeration getTargetNames()
           
protected  void init(IConfigStore config)
          Initializes
 boolean isTypeUnique(java.lang.String type)
          is this resource name unique
 void registerEvaluator(java.lang.String type, IAccessEvaluator evaluator)
          Registers new handler for the given attribute type in the expressions.
abstract  void shutdown()
          graceful shutdown
 void updateACLs(java.lang.String id, java.lang.String rights, java.lang.String strACLs, java.lang.String desc)
          This one only updates the memory.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

PROP_CLASS

protected static final java.lang.String PROP_CLASS
See Also:
Constant Field Values

PROP_IMPL

protected static final java.lang.String PROP_IMPL
See Also:
Constant Field Values

PROP_EVAL

protected static final java.lang.String PROP_EVAL
See Also:
Constant Field Values

ACLS_ATTR

protected static final java.lang.String ACLS_ATTR
See Also:
Constant Field Values

mExtendedPluginInfo

protected static java.util.Vector mExtendedPluginInfo

mConfigParams

protected static java.lang.String[] mConfigParams
Constructor Detail

AAclAuthz

public AAclAuthz()
Constructor

Method Detail

init

protected void init(IConfigStore config)
             throws EBaseException
Initializes

Throws:
EBaseException

addACLs

public void addACLs(java.lang.String resACLs)
             throws EBaseException
Parse ACL resource attributes, then update the ACLs memory store This is intended to be used if storing ACLs on ldap is not desired, and the caller is expected to call this method to add resource and acl info into acls memory store. The resACLs format should conform to the following: :right-1[,right-n]:[allow,deny](right(s))=: Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

Parameters:
resACLs - same format as the resourceACLs attribute
Throws:
EBaseException - parsing error from parseACL

accessInit

public void accessInit(java.lang.String accessInfo)
                throws EBaseException
Throws:
EBaseException

getACL

public IACL getACL(java.lang.String target)

getTargetNames

protected java.util.Enumeration getTargetNames()

getACLs

public java.util.Enumeration getACLs()

getConfigStore

public IConfigStore getConfigStore()
Returns the configuration store used by this Authz mgr


getExtendedPluginInfo

public java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)

getConfigParams

public java.lang.String[] getConfigParams()
Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.

Returns:
String array of configuration parameter names.

shutdown

public abstract void shutdown()
graceful shutdown


registerEvaluator

public void registerEvaluator(java.lang.String type,
                              IAccessEvaluator evaluator)
Registers new handler for the given attribute type in the expressions.


checkPermission

protected void checkPermission(java.lang.String name,
                               java.lang.String perm)
                        throws EACLsException
Checks if the permission is granted or denied in the current execution context. If the code is marked as privileged, this methods will simply return.

note that if a resource does not exist in the aclResources entry, but a higher level node exist, it will still be evaluated. The highest level node's acl determines the permission. If the higher level node doesn't contain any acl information, then it's passed down to the lower node. If a node has no aci in its resourceACLs, then it's considered passed.

example: certServer.common.users, if failed permission check for "certServer", then it's considered failed, and there is no need to continue the check. If passed permission check for "certServer", then it's considered passed, and no need to continue the check. If certServer contains no aci then "certServer.common" will be checked for permission instead. If down to the leaf level, the node still contains no aci, then it's considered passed. If at the leaf level, no such resource exist, or no acis, it's considered passed.

If there are multiple aci's for a resource, ALL aci's will be checked, and only if all passed permission checks, will the eventual access be granted.

Parameters:
name - resource name
perm - permission requested
Throws:
EACLsException - access permission denied

checkPermission

public void checkPermission(IAuthToken authToken,
                            java.lang.String name,
                            java.lang.String perm)
                     throws EACLsException
Checks if the permission is granted or denied with id from authtoken gotten from authentication that precedes authorization. If the code is marked as privileged, this methods will simply return.

note that if a resource does not exist in the aclResources entry, but a higher level node exist, it will still be evaluated. The highest level node's acl determines the permission. If the higher level node doesn't contain any acl information, then it's passed down to the lower node. If a node has no aci in its resourceACLs, then it's considered passed.

example: certServer.common.users, if failed permission check for "certServer", then it's considered failed, and there is no need to continue the check. If passed permission check for "certServer", then it's considered passed, and no need to continue the check. If certServer contains no aci then "certServer.common" will be checked for permission instead. If down to the leaf level, the node still contains no aci, then it's considered passed. If at the leaf level, no such resource exist, or no acis, it's considered passed.

If there are multiple aci's for a resource, ALL aci's will be checked, and only if all passed permission checks, will the eventual access be granted.

Parameters:
authToken - authentication token gotten from authentication
name - resource name
perm - permission requested
Throws:
EACLsException - access permission denied

getAllowEntries

protected java.util.Enumeration getAllowEntries(java.util.Enumeration nodes,
                                                java.lang.String operation)

getDenyEntries

protected java.util.Enumeration getDenyEntries(java.util.Enumeration nodes,
                                               java.lang.String operation)

getNodes

public java.util.Vector getNodes(java.lang.String resourceID)

updateACLs

public void updateACLs(java.lang.String id,
                       java.lang.String rights,
                       java.lang.String strACLs,
                       java.lang.String desc)
                throws EACLsException
This one only updates the memory. Classes extend this class should also update to a permanent storage

Throws:
EACLsException

aclResElements

public java.util.Enumeration aclResElements()
gets an enumeration of resources

Returns:
an enumeration of resources contained in the ACL table

aclEvaluatorElements

public java.util.Enumeration aclEvaluatorElements()
gets an enumeration of access evaluators

Returns:
an enumeraton of access evaluators

getAccessEvaluators

public java.util.Hashtable getAccessEvaluators()
gets the access evaluators

Returns:
handle to the access evaluators table

isTypeUnique

public boolean isTypeUnique(java.lang.String type)
is this resource name unique

Returns:
true if unique; false otherwise

flushResourceACLs

protected abstract void flushResourceACLs()
                                   throws EACLsException
update acls. called after memory upate is done to flush to permanent storage.

Throws:
EACLsException

authorize

public abstract AuthzToken authorize(IAuthToken authToken,
                                     java.lang.String resource,
                                     java.lang.String operation)
                              throws EBaseException
an abstract class that enforces implementation of the authorize() method that will authorize an operation on a particular resource

Parameters:
authToken - the authToken associated with a user
resource - - the protected resource name
operation - - the protected resource operation name
Returns:
authzToken
Throws:
EBaseException - If an internal error occurred.

getOrder

public java.lang.String getOrder()

evaluateACLs

public boolean evaluateACLs(IAuthToken authToken,
                            java.lang.String exp)