java.lang.Object
    org.glite.security.authz.ServiceAuthorizationChain

All Implemented Interfaces:
    ServiceInterceptor

The ServiceAuthorizationChain class ties together and evaluates chains of ServicePDP and ServicePIP implementations.

The chain is evaluated in a strict, configuration-determined order. If any PIP or PDP throws an Exception, the evaluation is stopped and the Exception is propagated back to the client. If a PDP returns true, the evaluation is stopped and the operation is let through. If a PDP returns false, or a PIP returns normally, the next interceptor in the chain is evaluated.

Chains can also be linked, in which case the parent chain is typically evaluated before the child chain.

The ServiceAuthorizationChainSpi interface should be implemented by providers who want to implement their own policy combining algorithms. The default algorithm is permit overrides.
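The evaluation rules described above (interceptors run in configured order, an exception from any PIP or PDP aborts the whole evaluation, a PDP result may stop the chain early) together with the three combining algorithms named by the DENY_OVERRIDES_ALGORITHM, PERMIT_OVERRIDES_ALGORITHM and FIRST_APPLICABLE_ALGORITHM fields, modelled in an added Java example. This is not gLite code: PIP, PDP, Combiner, ChainModel and its AuthorizationException are stand-ins defined here, Subject, MessageContext and QName are replaced by plain strings and a string list, and the way a linked parent's answer is folded into the child's decision is an assumption, since the page only states that the parent is evaluated first.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not gLite project code. PIP, PDP, Combiner and
// AuthorizationException are stand-ins for the real gLite types; Subject,
// MessageContext and QName are replaced by plain Strings and a String list.
public class ChainModel {

    /** Stand-in for AuthorizationException: thrown by a PIP or PDP, it aborts evaluation. */
    public static class AuthorizationException extends Exception {
        public AuthorizationException(String msg) { super(msg); }
    }

    /** Stand-in for ServicePIP: may enrich the context; returning normally means "continue". */
    public interface PIP {
        void collect(String subject, List<String> context) throws AuthorizationException;
    }

    /** Stand-in for ServicePDP: true = permit, false = deny (the boolean contract on the page). */
    public interface PDP {
        boolean isPermitted(String subject, List<String> context, String operation)
                throws AuthorizationException;
    }

    /** The three algorithms named by the *_ALGORITHM fields. */
    public enum Algorithm { PERMIT_OVERRIDES, DENY_OVERRIDES, FIRST_APPLICABLE }

    /** Folds boolean PDP results together according to one algorithm. */
    private static final class Combiner {
        private final Algorithm alg;
        private boolean sawPermit, sawDeny;
        Combiner(Algorithm alg) { this.alg = alg; }

        /** Records one PDP result; returns true when the algorithm says to stop evaluating. */
        boolean accept(boolean permitted) {
            if (permitted) sawPermit = true; else sawDeny = true;
            switch (alg) {
                case PERMIT_OVERRIDES: return permitted;   // stop at the first permit
                case DENY_OVERRIDES:   return !permitted;  // stop at the first deny
                default:               return true;        // FIRST_APPLICABLE: first answer wins
            }
        }

        /** Final decision. Assumption: a chain that produced no PDP result at all denies. */
        boolean result() {
            switch (alg) {
                case DENY_OVERRIDES: return sawPermit && !sawDeny;
                default:             return sawPermit;  // PERMIT_OVERRIDES and FIRST_APPLICABLE
            }
        }
    }

    private final Algorithm algorithm;
    private final List<Object> interceptors = new ArrayList<>(); // PIPs and PDPs, configured order
    private ChainModel parent;

    public ChainModel(Algorithm algorithm) { this.algorithm = algorithm; }
    public ChainModel add(Object pipOrPdp) { interceptors.add(pipOrPdp); return this; }
    public void setParent(ChainModel parent) { this.parent = parent; }

    /** Evaluates the linked parent first, then this chain's interceptors in strict order. */
    public boolean isPermitted(String subject, List<String> context, String operation)
            throws AuthorizationException {
        Combiner c = new Combiner(algorithm);
        // Assumption: the parent's decision is folded in like a PDP result of this chain.
        if (parent != null && c.accept(parent.isPermitted(subject, context, operation))) {
            return c.result();
        }
        for (Object i : interceptors) {
            if (i instanceof PIP) {
                ((PIP) i).collect(subject, context);   // nothing is caught: exceptions propagate
            } else if (c.accept(((PDP) i).isPermitted(subject, context, operation))) {
                break;                                 // the algorithm decided: stop here
            }
        }
        return c.result();
    }

    public static void main(String[] args) throws AuthorizationException {
        // Constructed sample interceptors; the subject DNs are made up.
        PIP roleLookup = (subj, ctx) -> { if (subj.endsWith("CN=alice")) ctx.add("role:admin"); };
        PDP adminPdp = (subj, ctx, op) -> ctx.contains("role:admin");
        PDP readOnlyPdp = (subj, ctx, op) -> op.equals("getStatus");
        PDP denyList = (subj, ctx, op) -> {
            if (subj.contains("mallory")) throw new AuthorizationException("subject is deny-listed");
            return true;
        };

        // Permit overrides: adminPdp answers first for alice, so readOnlyPdp is never consulted.
        ChainModel permitOverrides = new ChainModel(Algorithm.PERMIT_OVERRIDES)
                .add(roleLookup).add(adminPdp).add(readOnlyPdp);
        System.out.println(permitOverrides.isPermitted("/O=Grid/CN=alice", new ArrayList<>(), "shutdown"));
        System.out.println(permitOverrides.isPermitted("/O=Grid/CN=bob", new ArrayList<>(), "shutdown"));

        // Deny overrides: readOnlyPdp's deny of "shutdown" wins over adminPdp's permit.
        ChainModel denyOverrides = new ChainModel(Algorithm.DENY_OVERRIDES)
                .add(roleLookup).add(adminPdp).add(readOnlyPdp);
        System.out.println(denyOverrides.isPermitted("/O=Grid/CN=alice", new ArrayList<>(), "shutdown"));

        // Linked chains: the parent (holding the deny-list PDP) runs before the child; its
        // exception aborts everything, so the child's readOnlyPdp is never reached.
        ChainModel child = new ChainModel(Algorithm.PERMIT_OVERRIDES).add(readOnlyPdp);
        child.setParent(new ChainModel(Algorithm.PERMIT_OVERRIDES).add(denyList));
        try {
            child.isPermitted("/O=Grid/CN=mallory", new ArrayList<>(), "getStatus");
        } catch (AuthorizationException e) {
            System.out.println("aborted: " + e.getMessage());
        }
    }
}
```

The Combiner is the part a provider implementing ServiceAuthorizationChainSpi would replace: the loop in isPermitted stays the same for every algorithm, and only the stop condition in accept and the fold in result differ. Note that deny overrides never short-circuits on a permit, so every PDP after a permitting one still runs, while permit overrides and first applicable can return before later PDPs (and any PIPs after them) are consulted.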
Field Summary

static java.lang.String DENY_OVERRIDES_ALGORITHM
    Algorithm that stops evaluation if a deny result is detected (default).

static java.lang.String FIRST_APPLICABLE_ALGORITHM
    Algorithm that stops evaluation if a permit or deny result is detected.

static java.lang.String PERMIT_OVERRIDES_ALGORITHM
    Algorithm that stops evaluation if a permit result is detected.
Method Summary

boolean authorize(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context)
    Should be called if an authorization decision must be made for an authenticated subject.

void close()
    Should be called when the chain should be closed.

static ServiceAuthorizationChain getInstance()
    Gets an instance of a chain from a provider implementing the default algorithm.

static ServiceAuthorizationChain getInstance(java.security.Provider provider)
    Gets an instance of a chain from the specified provider implementing the default algorithm.

static ServiceAuthorizationChain getInstance(java.lang.String algorithm)
    Gets an instance of a chain from a provider implementing the specified algorithm.

static ServiceAuthorizationChain getInstance(java.lang.String algorithm, java.security.Provider provider)
    Gets an instance of a chain from the specified provider implementing the specified algorithm.

java.util.Collection getPolicy(org.w3c.dom.Node policy)
    Gets the policies of all the PDPs in this chain.

java.lang.String[] getPolicyNames()
    Gets the names of the policies implemented by this engine.

void initialize(ChainConfig config, java.lang.String name, java.lang.String id)
    Initializes the chain with a given configuration of PIPs and PDPs.

boolean isPermitted(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context, javax.xml.namespace.QName operation)
    Should be called if an authorization decision must be made for an authenticated subject.

void setParent(ServiceAuthorizationChain parentChain)
    Sets the parent chain, which typically will be evaluated before the current chain. All authorization, getPolicy, setPolicy and getPolicyNames requests are propagated to the parent, whereas initialize and close are always only done on the local chain.

java.util.Collection setPolicy(org.w3c.dom.Node policy)
    Sets the policies of all the PDPs in this chain.

Methods inherited from class java.lang.Object
    equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

DENY_OVERRIDES_ALGORITHM
    public static final java.lang.String DENY_OVERRIDES_ALGORITHM

PERMIT_OVERRIDES_ALGORITHM
    public static final java.lang.String PERMIT_OVERRIDES_ALGORITHM

FIRST_APPLICABLE_ALGORITHM
    public static final java.lang.String FIRST_APPLICABLE_ALGORITHM
Method Detail

getInstance
    public static ServiceAuthorizationChain getInstance()
        throws java.lang.ClassNotFoundException,
               java.lang.InstantiationException,
               java.lang.IllegalAccessException

    Throws:
        java.lang.ClassNotFoundException - if provider class was not found
        java.lang.InstantiationException - if provider could not be created
        java.lang.IllegalAccessException - if caller is not allowed to create provider

getInstance
    public static ServiceAuthorizationChain getInstance(java.lang.String algorithm)
        throws java.lang.ClassNotFoundException,
               java.lang.InstantiationException,
               java.lang.IllegalAccessException

    Parameters:
        algorithm - algorithm that the provider should implement
    Throws:
        java.lang.ClassNotFoundException - if provider class was not found
        java.lang.InstantiationException - if provider could not be created
        java.lang.IllegalAccessException - if caller is not allowed to create provider

getInstance
    public static ServiceAuthorizationChain getInstance(java.security.Provider provider)
        throws java.lang.ClassNotFoundException,
               java.lang.InstantiationException,
               java.lang.IllegalAccessException

    Parameters:
        provider - provider instance that should provide the algorithm
    Throws:
        java.lang.ClassNotFoundException - if provider class was not found
        java.lang.InstantiationException - if provider could not be created
        java.lang.IllegalAccessException - if caller is not allowed to create provider

getInstance
    public static ServiceAuthorizationChain getInstance(java.lang.String algorithm, java.security.Provider provider)
        throws java.lang.ClassNotFoundException,
               java.lang.InstantiationException,
               java.lang.IllegalAccessException

    Parameters:
        algorithm - algorithm that the provider should implement
        provider - provider instance that should provide the algorithm
    Throws:
        java.lang.ClassNotFoundException - if provider class was not found
        java.lang.InstantiationException - if provider could not be created
        java.lang.IllegalAccessException - if caller is not allowed to create provider

setParent
    public void setParent(ServiceAuthorizationChain parentChain)

    Parameters:
        parentChain - parent chain to connect to this chain.

initialize
    public void initialize(ChainConfig config, java.lang.String name, java.lang.String id)
        throws InitializeException

    Specified by:
        initialize in interface ServiceInterceptor
    Parameters:
        config - configuration holding the names and classes of the ServicePDP and ServicePIP interceptors
        name - name of this chain
        id - service id associated with this chain
    Throws:
        InitializeException - if an exception occurred during initialization

getPolicyNames
    public java.lang.String[] getPolicyNames()

    Specified by:
        getPolicyNames in interface ServicePAP

getPolicy
    public java.util.Collection getPolicy(org.w3c.dom.Node policy)
        throws InvalidPolicyException

    Specified by:
        getPolicy in interface ServicePAP
    Parameters:
        policy - possible filter restricting the result of the query
    Throws:
        InvalidPolicyException - if an invalid policy filter was specified

setPolicy
    public java.util.Collection setPolicy(org.w3c.dom.Node policy)
        throws InvalidPolicyException

    Specified by:
        setPolicy in interface ServicePAP
    Parameters:
        policy - the new policy or an update request
    Throws:
        InvalidPolicyException - if an invalid policy was specified

authorize
    public boolean authorize(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context)
        throws AuthorizationException

    Parameters:
        peerSubject - subject to be authorized
        context - JAX-RPC runtime context
    Throws:
        AuthorizationException - if the authorization must be denied without further processing

isPermitted
    public boolean isPermitted(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context, javax.xml.namespace.QName operation)
        throws AuthorizationException

    Specified by:
        isPermitted in interface ServicePDP
    Parameters:
        peerSubject - subject to be authorized
        context - JAX-RPC runtime context
        operation - operation requested to be performed
    Throws:
        AuthorizationException - if the authorization must be denied without further processing

close
    public void close()
        throws CloseException

    Specified by:
        close in interface ServiceInterceptor
    Throws:
        CloseException - if there was a problem closing this chain