org.glite.security.authz.providers
Class AbstractChain

java.lang.Object
  extended by org.glite.security.authz.providers.AbstractChain
All Implemented Interfaces:
ServiceAuthorizationChainSpi
Direct Known Subclasses:
DenyOverridesChain, FirstApplicableChain, PermitOverridesChain

public abstract class AbstractChain
extends java.lang.Object
implements ServiceAuthorizationChainSpi

The AbstractChain class ties together and evaluates chains of ServicePDP and ServicePIP implementations. The chains are evaluated in a strict configuration determined order. Chains can also be linked, in which case the parent chain is evaluated before the child chain. See the ServiceAuthorizationChainSpi documentation for information about the individual operations.


Constructor Summary
AbstractChain()
           
 
Method Summary
 boolean engineAuthorize(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context)
          called by the framework if an authorization decision must be made for an authenticated subject.
 void engineClose()
          called by the framework when the chain should be closed.
 java.util.Collection engineGetPolicy(org.w3c.dom.Node policy)
          gets the policies of all the PDPs in this chain.
 java.lang.String[] engineGetPolicyNames()
          gets the names of the policies implemented by this engine.
 void engineInitialize(ChainConfig config, java.lang.String name, java.lang.String id)
          initializes the chain with a given configuration of PIPs and PDPs.
 boolean engineIsPermitted(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context, javax.xml.namespace.QName operation)
          called by the framework if an authorization decision must be made for an authenticated subject.
 void engineSetParent(ServiceAuthorizationChain chain)
          sets the parent chain, which will be evaluated before the current chain. All authorization, get- and setPolicy, and getPolicyNames requests are propagated to the parent, whereas initialize and close are always only done on the local chain.
 java.util.Collection engineSetPolicy(org.w3c.dom.Node policy)
          sets the policies of all the PDPs in this chain.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AbstractChain

public AbstractChain()
Method Detail

engineSetParent

public void engineSetParent(ServiceAuthorizationChain chain)
sets the parent chain, which will be evaluated before the current chain. All authorization, get- and setPolicy, and getPolicyNames requests are propagated to the parent, whereas initialize and close are always only done on the local chain.

Specified by:
engineSetParent in interface ServiceAuthorizationChainSpi
Parameters:
chain - parent chain to connect to this chain.

engineInitialize

public void engineInitialize(ChainConfig config,
                             java.lang.String name,
                             java.lang.String id)
                      throws InitializeException
initializes the chain with a given configuration of PIPs and PDPs.

Specified by:
engineInitialize in interface ServiceAuthorizationChainSpi
Parameters:
config - configuration holding the names and classes of the ServicePDP and ServicePIP interceptors
name - name of this chain
id - service id associated with this chain
Throws:
InitializeException - if the chain was not initialized correctly.

engineGetPolicyNames

public java.lang.String[] engineGetPolicyNames()
gets the names of the policies implemented by this engine.

Specified by:
engineGetPolicyNames in interface ServiceAuthorizationChainSpi
Returns:
array of policy names

engineGetPolicy

public java.util.Collection engineGetPolicy(org.w3c.dom.Node policy)
                                     throws InvalidPolicyException
gets the policies of all the PDPs in this chain.

Specified by:
engineGetPolicy in interface ServiceAuthorizationChainSpi
Parameters:
policy - possible filter restricting the result of query
Returns:
a Collection of Node objects returned by the PAPs
Throws:
InvalidPolicyException - if an invalid policy filter was specified

engineSetPolicy

public java.util.Collection engineSetPolicy(org.w3c.dom.Node policy)
                                     throws InvalidPolicyException
sets the policies of all the PDPs in this chain.

Specified by:
engineSetPolicy in interface ServiceAuthorizationChainSpi
Parameters:
policy - the new policy or an update request
Returns:
a Collection of Node values returned by the PDPs
Throws:
InvalidPolicyException - if an invalid policy was specified

engineAuthorize

public boolean engineAuthorize(javax.security.auth.Subject peerSubject,
                               javax.xml.rpc.handler.MessageContext context)
                        throws AuthorizationException
called by the framework if an authorization decision must be made for an authenticated subject.

Specified by:
engineAuthorize in interface ServiceAuthorizationChainSpi
Parameters:
peerSubject - subject to be authorized
context - JAX-RPC runtime context
Returns:
true if peerSubject was successfully authorized, false if no PDP in the chain could make a decision
Throws:
AuthorizationException - if the authorization must be denied without further processing

engineIsPermitted

public boolean engineIsPermitted(javax.security.auth.Subject peerSubject,
                                 javax.xml.rpc.handler.MessageContext context,
                                 javax.xml.namespace.QName operation)
                          throws AuthorizationException
called by the framework if an authorization decision must be made for an authenticated subject.

Specified by:
engineIsPermitted in interface ServiceAuthorizationChainSpi
Parameters:
peerSubject - subject to be authorized
context - JAX-RPC runtime context
operation - operation requested to be performed
Returns:
true if peerSubject was successfully authorized, false if no PDP in the chain could make a decision
Throws:
AuthorizationException - if the authorization must be denied without further processing
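As an added illustration (not gLite's own code), the following self-contained Java model shows the decision contract documented above for engineAuthorize and engineIsPermitted (true = permitted, false = no PDP could decide, AuthorizationException = deny), how chains named like the three subclasses listed at the top of the page would combine such results, and why a caller must treat false as a denial rather than a permit. The Pdp, Chain, Denied and Combining types are hypothetical stand-ins, and the assumptions that the combining modes follow the usual deny-overrides, permit-overrides and first-applicable semantics and that a parent's verdict enters the child's combining order first are mine, not the page's.

```java
import java.util.ArrayList;
import java.util.List;

// Illustrative model of the chain contract; none of these are gLite classes.
public class ChainSemanticsDemo {
    // Stands in for AuthorizationException: a denying PDP throws, it never returns false.
    static class Denied extends Exception { Denied(String why) { super(why); } }

    // Stands in for ServicePDP: true = permit, false = not applicable, throw = deny.
    interface Pdp { boolean decide(String subject, String op) throws Denied; }

    enum Combining { DENY_OVERRIDES, PERMIT_OVERRIDES, FIRST_APPLICABLE }

    static class Chain {
        final Combining mode; final List<Pdp> pdps = new ArrayList<>(); Chain parent;
        Chain(Combining mode) { this.mode = mode; }

        // Mirrors engineIsPermitted: parent first, then local PDPs in configured order.
        boolean isPermitted(String subject, String op) throws Denied {
            boolean permitted = false; Denied pending = null;
            List<Pdp> order = new ArrayList<>();
            if (parent != null) order.add(parent::isPermitted); // assumption: parent verdict combined first
            order.addAll(pdps);
            for (Pdp pdp : order) {
                try {
                    if (pdp.decide(subject, op)) {
                        if (mode != Combining.DENY_OVERRIDES) return true; // permit wins / first applicable
                        permitted = true;                                  // deny-overrides keeps looking for a deny
                    }
                } catch (Denied d) {
                    if (mode != Combining.PERMIT_OVERRIDES) throw d; // deny is final
                    pending = d;                                     // permit-overrides keeps looking for a permit
                }
            }
            if (pending != null) throw pending;
            return permitted; // false here means: no PDP could make a decision
        }
    }

    // What a caller must do with the tri-state result: "no decision" is never a permit.
    static boolean authorizeOrFailClosed(Chain chain, String subject, String op) {
        try { return chain.isPermitted(subject, op); } catch (Denied d) { return false; }
    }

    public static void main(String[] args) {
        Pdp allowRead = (s, o) -> o.equals("read");                                   // not applicable otherwise
        Pdp banGuest  = (s, o) -> { if (s.equals("guest")) throw new Denied("guest"); return false; };
        Chain parent = new Chain(Combining.FIRST_APPLICABLE); parent.pdps.add(banGuest);
        Chain child  = new Chain(Combining.DENY_OVERRIDES);   child.parent = parent; child.pdps.add(allowRead);
        System.out.println("alice read  -> " + authorizeOrFailClosed(child, "alice", "read"));  // permit
        System.out.println("alice write -> " + authorizeOrFailClosed(child, "alice", "write")); // no decision, fail closed
        System.out.println("guest read  -> " + authorizeOrFailClosed(child, "guest", "read"));  // parent deny overrides
    }
}
```

Switching the child to PERMIT_OVERRIDES lets the local permit outrank the parent's deny, which is exactly why the choice of chain subclass is a policy decision, not a detail.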

engineClose

public void engineClose()
                 throws CloseException
called by the framework when the chain should be closed. That is, the information sent in the init call is out of scope after this operation has been invoked.

Specified by:
engineClose in interface ServiceAuthorizationChainSpi
Throws:
CloseException - if there was a problem closing this chain