org.edg.security.authorization
Class AuthorizationManager

java.lang.Object
  |
  +--org.edg.security.authorization.AuthorizationManager

public class AuthorizationManager
extends java.lang.Object

An Authorization Manager checks whether a subject is entitled to act in a certain role or not. It can act as a singleton, although multiple managers can be instantiated in the same JVM.

The Authorization Manager uses pluggable backend repositories to deduce whether or not a certain subject can be associated with a given attribute or not.

The Authorization Manager may be configured with one or many policies. A policy uses a mapping of an external name to an attribute repository. Only ONE of the policies MAY be configured as the default policy.

Once a user is authorized with a certain attribute, an optional translation phase may take place, where the name of the attribute (whose naming typically is mandated elsewhere) is mapped into something else (specific for the local application).
The Authorization Manager translates the attribute name into something else by using a table supplied by the 'map'. If the lookup returns in a no-hit, it will be treated as a failed authorization.

Configuration example:

     <-- config element -->
         <policy name="name1" default="true">
             <repository>
                 ...AttributeRepository definition
             </repository>
             <translation name="translation1">   <!-- optional -->
                <map name="globalToLocal">
	                  Map definition
                </map>
             </translation>
         </policy>
         <policy name="name2">
         </policy>
     </-- config element -->
 

Author:
Olle Mulmo
See Also:
AttributeRepository, AttributeRepositoryFactory, AttributeMap, AttributeMapFactory

Nested Class Summary
protected  class AuthorizationManager.Policy
          Internal class extending the AttributeRepository with a possible extra transformation.
protected  class AuthorizationManager.RefreshConfigTask
          The reload timer task
 
Field Summary
protected  java.lang.String myConfigElement
           
protected  java.io.File myConfigFile
           
protected  boolean myDoStat
           
protected  long myLastModified
           
protected  int myPeriod
           
protected  java.util.HashMap myPolicies
           
protected  AttributeRepositoryFactory myRepositoryFactory
           
protected  java.util.Timer myTimer
           
protected static AuthorizationManager theAuthorizationManager
          Deprecated. OLLE 030220: Don't use the singleton anymore -- will go away ASAP.
static java.lang.String theDefaultAttribute
           
static java.lang.String theFileRecheck
           
protected static org.apache.log4j.Logger theLogger
           
static java.lang.String theNameAttribute
           
static java.lang.String thePolicyElement
           
static java.lang.String theTranslationElement
           
 
Constructor Summary
AuthorizationManager()
          Default constructor.
AuthorizationManager(java.io.File configFile)
          Creates a new Authorization Manager instance.
AuthorizationManager(java.lang.String configFile, java.lang.String elementTag)
          Creates a new Authorization Manager instance.
 
Method Summary
 java.util.List authorize(SecurityContext secContext, java.lang.String policy)
          A convenience method to authorize(String, String, List)
 java.util.List authorize(java.lang.String subject, java.lang.String policy, java.util.List attributes)
          Authorizes a subject against a mask of attributes with a given policy.
 java.lang.String authorizeSingle(java.lang.String subject, java.lang.String policy, java.util.List attributes)
          Authorizes a subject's association with any attribute in a list using a given policy.
 java.lang.String authorizeSingle(java.lang.String subject, java.lang.String policy, java.lang.String attribute)
          Authorizes a subject's association with an attribute using a given policy.
 java.lang.String authorizeSingle(java.security.cert.X509Certificate subject, java.lang.String policy, java.lang.String attribute)
          A convenience method to authorizeSingle()
protected  void copy(java.io.File newConfigFile)
          Convenience method to copy the content of a source file in the AuthorizationManager configuration file.
 AttributeMap getAttributeMap(java.lang.String mapName)
          Convenience method that returns the AttributeMap corresponding to the given name.
 java.util.List getAttributeMaps()
          Convenience method that returns all AttributeMaps created in this instance of the AuthorizationManager.
static AuthorizationManager getInstance()
          Deprecated. It was a bad idea to have a singleton instance of this object
protected  AuthorizationManager.Policy getPolicy(java.lang.String policy)
          Convenience method that returns a particular policy.
 void init(java.lang.String configFile, java.lang.String elementTag)
           
protected  java.util.HashMap parse(org.w3c.dom.Element config)
          Adds the policy information supplied in the given config to the Authorization Manager.
protected  void reload(java.io.File file, java.lang.String elementTag)
           
 void terminate()
          Terminate all Timers refreshing the configuration of the AuthorizationManager.
 void uploadConfigFile(java.io.File newConfigFile)
          Upload the configuration file with a new file and force the AuthorizationManager to reload its configuration.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

theFileRecheck

public static final java.lang.String theFileRecheck
See Also:
Constant Field Values

thePolicyElement

public static final java.lang.String thePolicyElement
See Also:
Constant Field Values

theTranslationElement

public static final java.lang.String theTranslationElement
See Also:
Constant Field Values

theNameAttribute

public static final java.lang.String theNameAttribute
See Also:
Constant Field Values

theDefaultAttribute

public static final java.lang.String theDefaultAttribute
See Also:
Constant Field Values

theAuthorizationManager

protected static AuthorizationManager theAuthorizationManager
Deprecated. OLLE 030220: Don't use the singleton anymore -- will go away ASAP.


theLogger

protected static org.apache.log4j.Logger theLogger

myPolicies

protected java.util.HashMap myPolicies

myRepositoryFactory

protected AttributeRepositoryFactory myRepositoryFactory

myConfigFile

protected java.io.File myConfigFile

myConfigElement

protected java.lang.String myConfigElement

myPeriod

protected int myPeriod

myDoStat

protected boolean myDoStat

myLastModified

protected long myLastModified

myTimer

protected java.util.Timer myTimer
Constructor Detail

AuthorizationManager

public AuthorizationManager()
Default constructor.


AuthorizationManager

public AuthorizationManager(java.lang.String configFile,
                            java.lang.String elementTag)
                     throws java.lang.Exception
Creates a new Authorization Manager instance. This is equivalent to new AuthorizationManager().init(configFile, elementTag)

Parameters:
configFile - Configuration file with necessary parameters (see above)
elementTag - XML tag that identifies the AM configuration portion of the file. Default is null == the root element.
Throws:
java.lang.Exception - In case of an error
See Also:
init(String, String)

AuthorizationManager

public AuthorizationManager(java.io.File configFile)
                     throws java.lang.Exception
Creates a new Authorization Manager instance. This is equivalent to new AuthorizationManager(configFile.getCanonicalPath(), null)

Parameters:
configFile - Configuration file with necessary parameters (see above)
Throws:
java.lang.Exception - In case of an error
See Also:
AuthorizationManager(String, String)
Method Detail

init

public void init(java.lang.String configFile,
                 java.lang.String elementTag)
          throws java.lang.Exception
java.lang.Exception

reload

protected void reload(java.io.File file,
                      java.lang.String elementTag)
               throws java.lang.Exception
java.lang.Exception

parse

protected java.util.HashMap parse(org.w3c.dom.Element config)
                           throws java.lang.Exception
Adds the policy information supplied in the given config to the Authorization Manager.

Parameters:
config - an XML element with policy configuration as described at the top of this document.
Throws:
java.lang.Exception - in case of an error

getInstance

public static AuthorizationManager getInstance()
Deprecated. It was a bad idea to have a singleton instance of this object

Returns the singleton instance. If the singleton needs to be instanciated, the initialization procedure may be controlled by the following optional system properties:

getPolicy

protected AuthorizationManager.Policy getPolicy(java.lang.String policy)
Convenience method that returns a particular policy.

Parameters:
policy - The name of the requested policy.
Returns:
Policy The Policy corresponding to the given name.

getAttributeMaps

public java.util.List getAttributeMaps()
Convenience method that returns all AttributeMaps created in this instance of the AuthorizationManager.

Returns:
List List of all AttributeMaps used by this instance of the AuthorizationManager.

getAttributeMap

public AttributeMap getAttributeMap(java.lang.String mapName)
Convenience method that returns the AttributeMap corresponding to the given name.

Parameters:
mapName - The name of the requested AttributeMap.
Returns:
AttributeMap The AttributeMap corresponding to the given name, or null if there is no AttributeMap with the given name.

authorizeSingle

public java.lang.String authorizeSingle(java.lang.String subject,
                                        java.lang.String policy,
                                        java.lang.String attribute)
Authorizes a subject's association with an attribute using a given policy.

Parameters:
subject - The subjects name
policy - The policy to apply. May be null (=use default policy)
attribute - The attribute to authorize the subject for. May be null.
Returns:
String The (possibly translated) attribute if authorized, or null otherwise..

authorizeSingle

public java.lang.String authorizeSingle(java.lang.String subject,
                                        java.lang.String policy,
                                        java.util.List attributes)
Authorizes a subject's association with any attribute in a list using a given policy.

Parameters:
subject - The subject name
policy - The policy to use. May be null.
attributes - A list of attributes to try out. May be null.
Returns:
String the first successfully authorized attributes encountered in the attributes list.
See Also:
authorizeSingle(String, String, String), authorize(String, String, List)

authorizeSingle

public java.lang.String authorizeSingle(java.security.cert.X509Certificate subject,
                                        java.lang.String policy,
                                        java.lang.String attribute)
A convenience method to authorizeSingle()

Parameters:
subject - The subject's (proxy) certificate, possibly containing VOMS extensions.
policy - The policy to use (may be null)
attribute - Overriding attribute that the subject wants to be associated with. May be null
See Also:
authorizeSingle(String, String, List)

authorize

public java.util.List authorize(java.lang.String subject,
                                java.lang.String policy,
                                java.util.List attributes)
Authorizes a subject against a mask of attributes with a given policy.

Parameters:
subject - The subject name
policy - The policy to use. May be null.
attributes - A mask of attributes to verify against. If null or empty, all attributes associated with the subject is returned.
Returns:
List the set of authorized attributes (may be empty)

authorize

public java.util.List authorize(SecurityContext secContext,
                                java.lang.String policy)
A convenience method to authorize(String, String, List)

Parameters:
secContext - A SecurityContext containing the subject (mandatory), VOMS information, policy, and list of requested attributes (all optional).
policy - Overriding policy (may be null)
NOTE: The SecurityContext is modified such that the set of authorized attributes and authorization manager is defined.
Returns:
List of all authorized attributes
See Also:
authorize(String, String, List), SecurityContext.setAuthorizationManager(AuthorizationManager), SecurityContext.setAuthorizedAttributes(List)

uploadConfigFile

public void uploadConfigFile(java.io.File newConfigFile)
                      throws java.io.IOException
Upload the configuration file with a new file and force the AuthorizationManager to reload its configuration.

Parameters:
newConfigFile - The new configuration file
Throws:
java.io.IOException

copy

protected void copy(java.io.File newConfigFile)
             throws java.io.IOException
Convenience method to copy the content of a source file in the AuthorizationManager configuration file. The method is synchronized to prevent concurrent access to the configuration file.

Parameters:
newConfigFile - The source file
Throws:
java.io.IOException

terminate

public void terminate()
Terminate all Timers refreshing the configuration of the AuthorizationManager.