org.glite.security.authz
Class SimpleServicePDP

java.lang.Object
  extended by org.glite.security.authz.SimpleServicePDP
All Implemented Interfaces:
ServiceInterceptor, ServicePAP, ServicePDP

public class SimpleServicePDP
extends java.lang.Object
implements ServicePDP, ServicePAP

Simple ServicePDP implementation allowing role permissions and blacklists to be set.

See Also:
ServicePDP

Field Summary
static java.lang.String BLACK_LIST
          This configuration property should point to a Map of blacklisted Subject DNs.
static java.lang.String ROLE_PERMISSION
          This configuration property should point to an operation (QName) keyed Map of Maps with allowed users (Subject DNs).
 
Constructor Summary
SimpleServicePDP()
           
 
Method Summary
 void close()
          this method is called by the PDP framework to indicate that the interceptor now should remove all state that was allocated in the initialize call.
 java.util.Collection getPolicy(org.w3c.dom.Node query)
          gets the current policy of the PDP.
 java.lang.String[] getPolicyNames()
          gets the names (typically uris) of all the policies that the PDP supports.
 void initialize(ChainConfig config, java.lang.String name, java.lang.String id)
          initializes the interceptor with configuration information that is valid up until the point when close is called.
 boolean isPermitted(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context, javax.xml.namespace.QName operation)
          this operation is called by the PDP Framework whenever the application needs to call secured operations.
 java.util.Collection setPolicy(org.w3c.dom.Node policy)
          sets the current policy of the PDP.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

BLACK_LIST

public static final java.lang.String BLACK_LIST
This configuration property should point to a Map of blacklisted Subject DNs.

See Also:
Constant Field Values

ROLE_PERMISSION

public static final java.lang.String ROLE_PERMISSION
This configuration property should point to an operation (QName) keyed Map of Maps with allowed users (Subject DNs).

See Also:
Constant Field Values
Constructor Detail

SimpleServicePDP

public SimpleServicePDP()
Method Detail

initialize

public void initialize(ChainConfig config,
                       java.lang.String name,
                       java.lang.String id)
                throws InitializeException
initializes the interceptor with configuration information that is valid up until the point when close is called.

Specified by:
initialize in interface ServiceInterceptor
Parameters:
config - holds interceptor-specific configuration values, which may be obtained using the name parameter
name - the name that should be used to access all the interceptor local configuration
id - the id in common for all interceptors in a chain (it is valid up until close is called); if close is not called, the interceptor may assume that the id still exists after a process restart
Throws:
InitializeException - if role permission map was not set

getPolicyNames

public java.lang.String[] getPolicyNames()
gets the names (typically uris) of all the policies that the PDP supports.

Specified by:
getPolicyNames in interface ServicePAP
Returns:
array of policy names

getPolicy

public java.util.Collection getPolicy(org.w3c.dom.Node query)
                               throws InvalidPolicyException
gets the current policy of the PDP.

Specified by:
getPolicy in interface ServicePAP
Parameters:
query - may be used to query for a subset of a policy
Returns:
the policy
Throws:
InvalidPolicyException - if an invalid policy was detected

setPolicy

public java.util.Collection setPolicy(org.w3c.dom.Node policy)
                               throws InvalidPolicyException
sets the current policy of the PDP.

Specified by:
setPolicy in interface ServicePAP
Parameters:
policy - new policy
Returns:
optional set policy result
Throws:
InvalidPolicyException - if an invalid policy was passed in

isPermitted

public boolean isPermitted(javax.security.auth.Subject peerSubject,
                           javax.xml.rpc.handler.MessageContext context,
                           javax.xml.namespace.QName operation)
                    throws AuthorizationException
this operation is called by the PDP Framework whenever the application needs to call secured operations. The PDP should return true if the local policy allows the subject to invoke the operation. If the PDP has no local knowledge about whether the operation is allowed, it should return false to allow other PDPs and PIPs in the chain to continue the evaluation. Obligations to be read by other PIPs or PDPs may be set as attributes in the Subject credentials.

Specified by:
isPermitted in interface ServicePDP
Parameters:
peerSubject - authenticated client subject with credentials and attributes
context - holds properties of this XML message exchange
operation - operation that the subject wants to invoke
Returns:
true if user role was found and permitted, otherwise false
Throws:
AuthorizationException - if user was found on blacklist
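
The decision contract described for isPermitted, as an added example built only on JDK classes (it is not the gLite implementation): a blacklisted DN raises an exception that ends evaluation, an explicit entry for the operation returns true, and anything else returns false so that later PDPs in the chain still decide. PdpDecisionSketch, Denied, the DN-keyed map layout, the RFC 2253 DN form and the sample DNs and operation name are assumptions made for the illustration.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.xml.namespace.QName;

// Added illustration, not gLite code: models the decision order documented for isPermitted.
public class PdpDecisionSketch {
    // Assumption: both maps are keyed by subject DN strings; the values are never inspected.
    private final Map<String, ?> blackList;
    private final Map<QName, ? extends Map<String, ?>> rolePermission;
    PdpDecisionSketch(Map<String, ?> blackList, Map<QName, ? extends Map<String, ?>> rolePermission) {
        this.blackList = blackList;
        this.rolePermission = rolePermission;
    }
    // Stand-in for AuthorizationException: ends evaluation instead of abstaining.
    static class Denied extends Exception { Denied(String msg) { super(msg); } }
    boolean isPermitted(Subject peer, QName operation) throws Denied {
        Set<X500Principal> ids = peer.getPrincipals(X500Principal.class);
        // Pass 1: check every identity against the blacklist before any permit is possible.
        for (X500Principal p : ids) {
            if (blackList.containsKey(p.getName())) throw new Denied("blacklisted: " + p.getName());
        }
        // Pass 2: permit only on an explicit entry for this exact operation.
        Map<String, ?> allowed = rolePermission.get(operation);
        for (X500Principal p : ids) {
            if (allowed != null && allowed.containsKey(p.getName())) return true;
        }
        return false; // no local knowledge: a later PDP in the chain may still permit
    }

    static Subject subject(String dn) {
        Subject s = new Subject();
        s.getPrincipals().add(new X500Principal(dn)); // getName() yields the RFC 2253 form
        return s;
    }

    public static void main(String[] args) throws Exception {
        QName op = new QName("urn:example:service", "submitJob"); // constructed sample values
        PdpDecisionSketch pdp = new PdpDecisionSketch(
            Collections.singletonMap("CN=Mallory,O=Example", true),
            Collections.singletonMap(op, Collections.singletonMap("CN=Alice,O=Example", true)));
        System.out.println("alice: " + pdp.isPermitted(subject("CN=Alice,O=Example"), op));
        System.out.println("bob:   " + pdp.isPermitted(subject("CN=Bob,O=Example"), op));
        try { pdp.isPermitted(subject("CN=Mallory,O=Example"), op); }
        catch (Denied e) { System.out.println("mallory: " + e.getMessage()); }
    }
}
```

Matching here is an exact string comparison, so the DNs stored in the maps must be written in the same form the lookup produces, or a blacklist entry will silently fail to match.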

close

public void close()
           throws CloseException
this method is called by the PDP framework to indicate that the interceptor now should remove all state that was allocated in the initialize call.

Specified by:
close in interface ServiceInterceptor
Throws:
CloseException - if an exception occurred when closing this PDP