org.glite.security.authz
Interface ServicePDP

- All Superinterfaces:
  - ServiceInterceptor
- All Known Implementing Classes:
  - BlackListServicePDP, GridMapServicePDP, ServiceAuthorizationChain, SimpleServicePDP, VomsServicePDP

public interface ServicePDP
extends ServiceInterceptor
Interface that must be implemented by all PDPs in an interceptor chain.

A PDP is responsible for making decisions whether a subject is
allowed to invoke a certain operation. The subject may contain public
or private credentials holding attributes collected and verified by PIPs.
A PDP is also responsible for managing a policy associated with a service.
The service is associated with the PDP in the initialize call in
ServiceInterceptor through the id parameter.

- See Also:
  - ServiceAuthorizationChain, ServicePIP
Method Summary

boolean isPermitted(javax.security.auth.Subject peerSubject,
                    javax.xml.rpc.handler.MessageContext context,
                    javax.xml.namespace.QName operation)
    This operation is called by the PDP Framework whenever the application
    needs to call secured operations.
isPermitted

public boolean isPermitted(javax.security.auth.Subject peerSubject,
                           javax.xml.rpc.handler.MessageContext context,
                           javax.xml.namespace.QName operation)
    throws AuthorizationException

- This operation is called by the PDP Framework whenever the application
  needs to call secured operations. The PDP should return true if the
  local policy allows the subject to invoke the operation. If the PDP
  has no local knowledge about whether the operation is allowed or not,
  it should return false to allow other PDPs and PIPs in the chain to
  continue the evaluation. Obligations to be read by other PIPs or PDPs
  may be set as attributes in the Subject credentials.
- Parameters:
  - peerSubject - authenticated client subject with credentials and attributes
  - context - holds properties of this XML message exchange
  - operation - operation that the subject wants to invoke
- Returns:
  - true if the operation is permitted, false if the outcome cannot
    be decided
- Throws:
  - AuthorizationException - if a serious error occurred that should
    stop further evaluation
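The three-valued contract above (true = permit, false = no local knowledge so the chain continues, exception = stop evaluation) is easy to get wrong in a custom PDP, so here is an added, self-contained illustration that is not part of gLite. It assumes local stand-ins for the gLite types: the isPermitted signature matches the page, except that the JAX-RPC MessageContext (not in the JDK) is replaced by Object, and the chain's fail-closed default when every PDP returns false is an assumption, not something the page states.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.xml.namespace.QName;

// Stand-ins for the gLite types (assumed, for a stand-alone demo).
class AuthorizationException extends Exception {
    AuthorizationException(String msg) { super(msg); }
}
interface DemoServicePDP {
    boolean isPermitted(Subject peerSubject, Object context, QName operation)
        throws AuthorizationException;
}

// Allow-list PDP: true when the peer DN is listed for the operation, false
// ("no local knowledge") otherwise so later PDPs in the chain keep evaluating.
// A subject with no authenticated DN is a serious error: abort the chain.
class AllowListPDP implements DemoServicePDP {
    private final Map<QName, Set<String>> policy;   // operation -> permitted DNs
    AllowListPDP(Map<QName, Set<String>> policy) { this.policy = policy; }
    public boolean isPermitted(Subject peer, Object ctx, QName op) throws AuthorizationException {
        Set<X500Principal> dns = peer.getPrincipals(X500Principal.class);
        if (dns.isEmpty()) throw new AuthorizationException("no authenticated DN in subject");
        for (X500Principal dn : dns)
            if (policy.getOrDefault(op, Set.of()).contains(dn.getName())) return true;
        return false;
    }
}

// Chain semantics from the page: the first true permits; an exception stops
// evaluation; if every PDP returns false the request is refused (assumed default).
class DemoChain {
    static boolean evaluate(List<DemoServicePDP> pdps, Subject peer, QName op) {
        try {
            for (DemoServicePDP pdp : pdps) if (pdp.isPermitted(peer, null, op)) return true;
            return false;
        } catch (AuthorizationException e) {
            return false;   // fail closed: a serious error never grants access
        }
    }
    public static void main(String[] args) {
        QName submit = new QName("urn:example:jobservice", "submitJob");   // constructed sample
        Subject alice = new Subject();
        alice.getPrincipals().add(new X500Principal("CN=alice,O=Example"));
        AllowListPDP pdp = new AllowListPDP(Map.of(submit, Set.of("CN=alice,O=Example")));
        System.out.println(DemoChain.evaluate(List.of(pdp), alice, submit));            // listed DN
        System.out.println(DemoChain.evaluate(List.of(pdp), alice,
            new QName("urn:example:jobservice", "cancelJob")));                        // undecided
        System.out.println(DemoChain.evaluate(List.of(pdp), new Subject(), submit));    // no DN: exception
    }
}
```

Compile with javac and run `java DemoChain`; the three calls exercise the permit, undecided and abort paths respectively.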