org.glite.security.authz
Interface ServiceAuthorizationChainSpi

All Known Implementing Classes:
AbstractChain

public interface ServiceAuthorizationChainSpi

The ServiceAuthorizationChainSpi is the interface that should be implemented by ServiceAuthorizationChain providers.

See Also:
ServiceAuthorizationChain

Method Summary
 boolean engineAuthorize(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context)
          called by the framework if an authorization decision must be made for an authenticated subject.
 void engineClose()
          called by the framework when the chain should be closed.
 java.util.Collection engineGetPolicy(org.w3c.dom.Node policy)
          gets the policies of all the PDPs in this chain.
 java.lang.String[] engineGetPolicyNames()
          gets the names of the policies implemented by this engine.
 void engineInitialize(ChainConfig config, java.lang.String name, java.lang.String id)
          initializes the chain with a given configuration of PIPs and PDPs.
 boolean engineIsPermitted(javax.security.auth.Subject peerSubject, javax.xml.rpc.handler.MessageContext context, javax.xml.namespace.QName operation)
          called by the framework if an authorization decision must be made for an authenticated subject.
 void engineSetParent(ServiceAuthorizationChain parentChain)
          sets the parent chain, which will be evaluated before the current chain. All authorization, get- and setPolicy, and getPolicyNames requests are propagated to the parent, whereas initialize and close are always done only on the local chain.
 java.util.Collection engineSetPolicy(org.w3c.dom.Node policy)
          sets the policies of all the PDPs in this chain.
 

Method Detail

engineSetParent

public void engineSetParent(ServiceAuthorizationChain parentChain)
sets the parent chain, which will be evaluated before the current chain. All authorization, get- and setPolicy, and getPolicyNames requests are propagated to the parent, whereas initialize and close are always done only on the local chain.

Parameters:
parentChain - parent chain to connect to this chain.

engineInitialize

public void engineInitialize(ChainConfig config,
                             java.lang.String name,
                             java.lang.String id)
                      throws InitializeException
initializes the chain with a given configuration of PIPs and PDPs.

Parameters:
config - configuration holding the names and classes of the ServicePDP and ServicePIP interceptors
name - name of this chain
id - service id associated with this chain
Throws:
InitializeException - if the chain was not initialized correctly.

engineGetPolicyNames

public java.lang.String[] engineGetPolicyNames()
gets the names of the policies implemented by this engine.

Returns:
array of policy names

engineGetPolicy

public java.util.Collection engineGetPolicy(org.w3c.dom.Node policy)
                                     throws InvalidPolicyException
gets the policies of all the PDPs in this chain.

Parameters:
policy - possible filter restricting the result of query
Returns:
a Collection of Node objects returned by the PDPs
Throws:
InvalidPolicyException - if an invalid policy filter was specified

engineSetPolicy

public java.util.Collection engineSetPolicy(org.w3c.dom.Node policy)
                                     throws InvalidPolicyException
sets the policies of all the PDPs in this chain.

Parameters:
policy - the new policy or an update request
Returns:
a Collection of Node values returned by the PDPs
Throws:
InvalidPolicyException - if an invalid policy was specified

engineAuthorize

public boolean engineAuthorize(javax.security.auth.Subject peerSubject,
                               javax.xml.rpc.handler.MessageContext context)
                        throws AuthorizationException
called by the framework if an authorization decision must be made for an authenticated subject.

Parameters:
peerSubject - subject to be authorized
context - JAX-RPC runtime context
Returns:
true if peerSubject was successfully authorized, false if no PDP in the chain could make a decision
Throws:
AuthorizationException - if the authorization must be denied without further processing

engineIsPermitted

public boolean engineIsPermitted(javax.security.auth.Subject peerSubject,
                                 javax.xml.rpc.handler.MessageContext context,
                                 javax.xml.namespace.QName operation)
                          throws AuthorizationException
called by the framework if an authorization decision must be made for an authenticated subject.

Parameters:
peerSubject - subject to be authorized
context - JAX-RPC runtime context
operation - operation requested to be performed
Returns:
true if peerSubject was successfully authorized, false if no PDP in the chain could make a decision
Throws:
AuthorizationException - if the authorization must be denied without further processing
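The two decision methods above (engineAuthorize and engineIsPermitted) and engineSetParent together define a three-way outcome that a caller must handle correctly: an explicit true grants access, a false means no PDP in the parent or local chain could decide, and an AuthorizationException is an explicit deny that stops further processing. The following is an added illustrative model of those semantics, not gLite's own AbstractChain code; the types Decision, Pdp, DemoChain, DeniedException and ChainDemo, the sample subject DNs, and the choice that a parent chain's permit is final are all assumptions made for the example. It also shows the caller treating false (no decision) exactly like an exception (deny), so that an incomplete chain fails closed rather than open.

```java
import java.util.ArrayList;
import java.util.List;

// Illustrative model of the ServiceAuthorizationChainSpi decision semantics.
// All types below are hypothetical and are not part of org.glite.security.authz.

/** Hypothetical PDP outcome: a PDP may permit, deny, or abstain. */
enum Decision { PERMIT, DENY, NOT_APPLICABLE }

/** Hypothetical minimal PDP deciding on a (subject, operation) pair. */
interface Pdp {
    Decision decide(String subject, String operation);
}

/** Plays the role of AuthorizationException on this page:
 *  authorization must be denied without further processing. */
class DeniedException extends Exception {
    DeniedException(String msg) { super(msg); }
}

/** Hypothetical chain modelling engineIsPermitted and engineSetParent. */
class DemoChain {
    private final String name;
    private final List<Pdp> pdps = new ArrayList<>();
    private DemoChain parent;

    DemoChain(String name, Pdp... pdps) {
        this.name = name;
        for (Pdp p : pdps) this.pdps.add(p);
    }

    /** Mirrors engineSetParent: the parent is evaluated before this chain. */
    void setParent(DemoChain parent) { this.parent = parent; }

    /** Mirrors engineIsPermitted:
     *  true  -> a PDP (parent first, then local) permitted the request;
     *  false -> no PDP in the parent or local chain could make a decision;
     *  DeniedException -> a PDP denied; evaluation stops immediately.
     *  Assumption for this model: a permit from the parent chain is final. */
    boolean isPermitted(String subject, String operation) throws DeniedException {
        if (parent != null && parent.isPermitted(subject, operation)) {
            return true; // a parent deny has already propagated as an exception
        }
        for (Pdp pdp : pdps) {
            switch (pdp.decide(subject, operation)) {
                case PERMIT:
                    return true;
                case DENY:
                    throw new DeniedException(name + " denied " + subject + " for " + operation);
                case NOT_APPLICABLE:
                    break; // this PDP abstains; consult the next one
            }
        }
        return false; // no decision at all; the caller must not treat this as a grant
    }
}

public class ChainDemo {
    /** Caller's view: only an explicit true grants access. Both "no decision"
     *  (false) and an explicit deny (exception) result in refusal. */
    static boolean allow(DemoChain chain, String subject, String operation) {
        try {
            return chain.isPermitted(subject, operation);
        } catch (DeniedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample PDPs and subject names (not real policies or DNs).
        Pdp blacklist = (s, o) ->
            s.equals("/C=XX/CN=revoked") ? Decision.DENY : Decision.NOT_APPLICABLE;
        Pdp adminOps = (s, o) ->
            o.equals("shutdown")
                ? (s.equals("/C=XX/CN=admin") ? Decision.PERMIT : Decision.DENY)
                : Decision.NOT_APPLICABLE;
        Pdp readers = (s, o) ->
            o.equals("query") ? Decision.PERMIT : Decision.NOT_APPLICABLE;

        DemoChain site = new DemoChain("site", blacklist);
        DemoChain service = new DemoChain("service", adminOps, readers);
        service.setParent(site); // site-wide chain is consulted before the service chain

        // Permitted by the local "readers" PDP.
        System.out.println("alice/query: " + allow(service, "/C=XX/CN=alice", "query"));
        // Parent chain's blacklist PDP denies before the service chain runs.
        System.out.println("revoked/query: " + allow(service, "/C=XX/CN=revoked", "query"));
        // Local "adminOps" PDP explicitly denies a non-admin shutdown.
        System.out.println("alice/shutdown: " + allow(service, "/C=XX/CN=alice", "shutdown"));
        // No PDP in either chain has an opinion on "upload": no decision, refused.
        System.out.println("alice/upload: " + allow(service, "/C=XX/CN=alice", "upload"));
    }
}
```

The point a reviewer of a real provider would check is the last case: engineIsPermitted documents false as "no PDP in the chain could make a decision", not as a grant, so the framework or caller must refuse on false, and a chain configured with no applicable PDP must never fall through to access.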

engineClose

public void engineClose()
                 throws CloseException
called by the framework when the chain should be closed. That is, the information sent in the init call is out of scope after this operation has been invoked.

Throws:
CloseException - if there was a problem closing this chain