org.glite.security.authz
Class ServiceAuthorizationChain

java.lang.Object
  extended byorg.glite.security.authz.ServiceAuthorizationChain
All Implemented Interfaces:
ServiceInterceptor, ServicePAP, ServicePDP

public final class ServiceAuthorizationChain
extends java.lang.Object
implements ServiceInterceptor, ServicePAP, ServicePDP

The ServiceAuthorizationChain class ties together and evaluates chains of ServicePDP and ServicePIP implementations. The chain is evaluated in a strict configuration determined order. If any PIP or PDP throws an Exception the evaluation is stopped, and the Exception is propagated back to the client. If a PDP returns true the evaluation is stopped and the operation is let through. If a PDP returns false or a PIP returns normally the next interceptor in the chain is evaluated. Chains can also be linked, in which case the parent chain is typically evaluated before the child chain. The ServiceAuthorizationChainSpi interface should be implemented by providers who want to implement their own policy combining algorithms. The default algorithm is permit overrides.

See Also:
ServiceInterceptor

Field Summary
static java.lang.String DENY_OVERRIDES_ALGORITHM
          Algorithm that stops evaluation if a deny result is detected (default).
static java.lang.String FIRST_APPLICABLE_ALGORITHM
          Algorithm that stops evaluation if a permit or deny result is detected
static java.lang.String PERMIT_OVERRIDES_ALGORITHM
          Algorithm that stops evaluation if a permit result is detected.
 
Method Summary
 boolean authorize(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context)
          should be called if an authorization decision must be made for an authenticated subject.
 void close()
          should be called when the chain should be closed.
static ServiceAuthorizationChain getInstance()
          gets an instance of a chain from a provider implementing the default algorithm.
static ServiceAuthorizationChain getInstance(java.security.Provider provider)
          gets an instance of a chain from the specified provider implementing the default algorithm.
static ServiceAuthorizationChain getInstance(java.lang.String algorithm)
          gets an instance of a chain from a provider implementing the specified algorithm.
static ServiceAuthorizationChain getInstance(java.lang.String algorithm, java.security.Provider provider)
          gets an instance of a chain from the specified provider implementing the specified algorithm.
 java.util.Collection getPolicy(org.w3c.dom.Node policy)
          gets the policies of all the PDPs in this chain.
 java.lang.String[] getPolicyNames()
          gets the names of the policies implemented by this engine.
 void initialize(ChainConfig config, java.lang.String name, java.lang.String id)
          initializes the chain with a given configuration of PIPs and PDPs.
 boolean isPermitted(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context, javax.xml.namespace.QName operation)
          should be called if an authorization decision must be made for an authenticated subject.
 void setParent(ServiceAuthorizationChain parentChain)
          sets the parent chain, which typically will be evaluated before the current chain all authorization, get- and setPolicy, and getPolicyNames requests are propagated to the parent, wheras initialize and close are always only done on the local chain.
 java.util.Collection setPolicy(org.w3c.dom.Node policy)
          sets the policies of all the PDPs in this chain.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DENY_OVERRIDES_ALGORITHM

public static final java.lang.String DENY_OVERRIDES_ALGORITHM
Algorithm that stops evaluation if a deny result is detected (default).

See Also:
Constant Field Values

PERMIT_OVERRIDES_ALGORITHM

public static final java.lang.String PERMIT_OVERRIDES_ALGORITHM
Algorithm that stops evaluation if a permit result is detected.

See Also:
Constant Field Values

FIRST_APPLICABLE_ALGORITHM

public static final java.lang.String FIRST_APPLICABLE_ALGORITHM
Algorithm that stops evaluation if a permit or deny result is detected

See Also:
Constant Field Values
Method Detail

getInstance

public static ServiceAuthorizationChain getInstance()
                                             throws java.lang.ClassNotFoundException,
                                                    java.lang.InstantiationException,
                                                    java.lang.IllegalAccessException
gets an instance of a chain from a provider implementing the default algorithm.

Returns:
chain instance
Throws:
java.lang.ClassNotFoundException - if provider class was not found
java.lang.InstantiationException - if provider could not be created
java.lang.IllegalAccessException - if caller is not allowed to create provider

getInstance

public static ServiceAuthorizationChain getInstance(java.lang.String algorithm)
                                             throws java.lang.ClassNotFoundException,
                                                    java.lang.InstantiationException,
                                                    java.lang.IllegalAccessException
gets an instance of a chain from a provider implementing the specified algorithm.

Parameters:
algorithm - algorithm that the provider should implement
Returns:
chain instance
Throws:
java.lang.ClassNotFoundException - if provider class was not found
java.lang.InstantiationException - if provider could not be created
java.lang.IllegalAccessException - if caller is not allowed to create provider

getInstance

public static ServiceAuthorizationChain getInstance(java.security.Provider provider)
                                             throws java.lang.ClassNotFoundException,
                                                    java.lang.InstantiationException,
                                                    java.lang.IllegalAccessException
gets an instance of a chain from the specified provider implementing the default algorithm.

Parameters:
provider - provider instance that should provide the algorithm
Returns:
chain instance
Throws:
java.lang.ClassNotFoundException - if provider class was not found
java.lang.InstantiationException - if provider could not be created
java.lang.IllegalAccessException - if caller is not allowed to create provider

getInstance

public static ServiceAuthorizationChain getInstance(java.lang.String algorithm,
                                                    java.security.Provider provider)
                                             throws java.lang.ClassNotFoundException,
                                                    java.lang.InstantiationException,
                                                    java.lang.IllegalAccessException
gets an instance of a chain from the specified provider implementing the specified algorithm.

Parameters:
algorithm - algorithm that the provider should implement
provider - provider instance that should provide the algorithm
Returns:
chain instance
Throws:
java.lang.ClassNotFoundException - if provider class was not found
java.lang.InstantiationException - if provider could not be created
java.lang.IllegalAccessException - if caller is not allowed to create provider

setParent

public void setParent(ServiceAuthorizationChain parentChain)
sets the parent chain, which typically will be evaluated before the current chain all authorization, get- and setPolicy, and getPolicyNames requests are propagated to the parent, wheras initialize and close are always only done on the local chain.

Parameters:
parentChain - parent chain to connect to this chain.

initialize

public void initialize(ChainConfig config,
                       java.lang.String name,
                       java.lang.String id)
                throws InitializeException
initializes the chain with a given configuration of PIPs and PDPs.

Specified by:
initialize in interface ServiceInterceptor
Parameters:
config - configuration holding the names and classes of the ServicePDP and ServicePIP inteceptors
name - name of this chain
id - service id associated with this chain
Throws:
InitializeException - if exception occured during initialization

getPolicyNames

public java.lang.String[] getPolicyNames()
gets the names of the policies implemented by this engine.

Specified by:
getPolicyNames in interface ServicePAP
Returns:
array of policy names

getPolicy

public java.util.Collection getPolicy(org.w3c.dom.Node policy)
                               throws InvalidPolicyException
gets the policies of all the PDPs in this chain.

Specified by:
getPolicy in interface ServicePAP
Parameters:
policy - possible filter restricting the result of query
Returns:
a Collection of Node objects returned by the PDPs
Throws:
InvalidPolicyException - if an invalid policy filter was specified

setPolicy

public java.util.Collection setPolicy(org.w3c.dom.Node policy)
                               throws InvalidPolicyException
sets the policies of all the PDPs in this chain.

Specified by:
setPolicy in interface ServicePAP
Parameters:
policy - the new policy or an update request
Returns:
a Collection of Node values returned by the PDPs
Throws:
InvalidPolicyException - if an invalid policy was specified

authorize

public boolean authorize(javax.security.auth.Subject peerSubject,
                         javax.xml.rpc.handler.MessageContext context)
                  throws AuthorizationException
should be called if an authorization decision must be made for an authenticated subject.

Parameters:
peerSubject - subject to be authorized
context - JAX-RPC runtime context
Returns:
true if peerSubject was successfully authorized, false if no PDP in the chain could make a decision
Throws:
AuthorizationException - if the authorization must be denied without further processing

isPermitted

public boolean isPermitted(javax.security.auth.Subject peerSubject,
                           javax.xml.rpc.handler.MessageContext context,
                           javax.xml.namespace.QName operation)
                    throws AuthorizationException
should be called if an authorization decision must be made for an authenticated subject.

Specified by:
isPermitted in interface ServicePDP
Parameters:
peerSubject - subject to be authorized
context - JAX-RPC runtime context
operation - operation requested to be performed
Returns:
true if peerSubject was successfully authorized, false if no PDP in the chain could make a decision
Throws:
AuthorizationException - if the authorization must be denied without further processing

close

public void close()
           throws CloseException
should be called when the chain should be closed. That is, the information sent in the init call is out of scope after this operation has been invoked.

Specified by:
close in interface ServiceInterceptor
Throws:
CloseException - if there was a problem closing this chain