Class AAclAuthz

java.lang.Object
org.dogtagpki.server.authorization.AuthzManager
com.netscape.cms.authorization.AAclAuthz
Direct Known Subclasses:
BasicAclAuthz, DirAclAuthz

public abstract class AAclAuthz extends AuthzManager
An abstract class that represents an authorization manager governing access to internal resources such as servlets. It parses the ACLs associated with each protected resource and provides the protected method checkPermission for code that needs to verify access before performing actions. Here is a sample resourceACLs entry for a resource:
   certServer.UsrGrpAdminServlet:
       execute:
           deny (execute) user="tempAdmin";
           allow (execute) group="Administrators";
 
To perform permission checking, code calls the authz manager's authorize() method to verify access. See AuthzMgr for a calling example. Default "evaluators" are used to evaluate the "group=.." or "user=.." rules. See evaluator for more info.

  • Constructor Details

    • AAclAuthz

      protected AAclAuthz()
      Constructor
  • Method Details

    • init

      public void init(String name, String implName, AuthzManagerConfig config) throws EBaseException
      Initializes this authorization manager instance from its configuration.
      Specified by:
      init in class AuthzManager
      Parameters:
      name - The name of this authorization manager instance.
      implName - The name of the authorization manager plugin.
      config - The configuration store for this authorization manager.
      Throws:
      EBaseException - If an initialization error occurred.
    • addACLs

      public void addACLs(String resACLs) throws EACLsException
      Parses ACL resource attributes and updates the in-memory ACL store. This is intended for use when storing ACLs in LDAP is not desired; the caller is then expected to call this method to add resource and ACL information to the in-memory store. The resACLs string must conform to the following format. Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties
      Parameters:
      resACLs - same format as the resourceACLs attribute
      Throws:
      EACLsException - parsing error from parseACL
    • addACLs

      public void addACLs(ACL acl) throws EACLsException
      Throws:
      EACLsException
    • accessInit

      public void accessInit(String accessInfo) throws EBaseException
      Description copied from class: AuthzManager
      accessInit is for servlets that want to initialize their own authorization information before full operation. It is supposed to be called from the authzMgrAccessInit() method of the AuthzSubsystem.

      The accessInfo format is determined by each individual authzmgr. For example, for BasicAclAuthz, the accessInfo is the resACLs string, whose format must conform to the following. Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

      Specified by:
      accessInit in class AuthzManager
      Parameters:
      accessInfo - the access info string in the format specified in the authorization manager
      Throws:
      EBaseException - error parsing the accessInfo
    • getACL

      public ACL getACL(String target) throws EACLsException
      Description copied from class: AuthzManager
      Gets the individual ACL entry with the given name.
      Specified by:
      getACL in class AuthzManager
      Parameters:
      target - The name of the ACL entry
      Returns:
      The ACL entry.
      Throws:
      EACLsException
    • getTargetNames

      protected Set<String> getTargetNames() throws EACLsException
      Throws:
      EACLsException
    • getACLs

      public Collection<ACL> getACLs() throws EACLsException
      Description copied from class: AuthzManager
      Gets all ACL entries.
      Specified by:
      getACLs in class AuthzManager
      Returns:
      collection of ACL entries.
      Throws:
      EACLsException
    • getExtendedPluginInfo

      public String[] getExtendedPluginInfo()
    • getConfigParams

      public String[] getConfigParams()
      Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.
      Specified by:
      getConfigParams in class AuthzManager
      Returns:
      String array of configuration parameter names.
    • registerEvaluator

      public void registerEvaluator(String type, AccessEvaluator evaluator)
      Registers new handler for the given attribute type in the expressions.
      Specified by:
      registerEvaluator in class AuthzManager
      Parameters:
      type - Type of evaluator
      evaluator - Value of evaluator
    • checkPermission

      protected void checkPermission(String name, String perm) throws EACLsException
      Checks if the permission is granted or denied in the current execution context. If the code is marked as privileged, this method simply returns.

      Note that if a resource does not exist in the aclResources entry but a higher-level node does, the higher-level node is still evaluated. The highest-level node carrying an ACL determines the permission. If the higher-level node contains no ACL information, evaluation is passed down to the lower node. If a node has no aci in its resourceACLs, it is considered passed.

      Example: for certServer.common.users, if the permission check fails for "certServer", the check is considered failed and there is no need to continue. If it passes for "certServer", it is considered passed and there is no need to continue. If "certServer" contains no aci, "certServer.common" is checked instead. If the leaf level is reached and the node still contains no aci, the check is considered passed. If at the leaf level no such resource exists, or it has no acis, the check is considered passed.

      If there are multiple acis for a resource, ALL of them are checked, and access is eventually granted only if all permission checks pass.

      Parameters:
      name - resource name
      perm - permission requested
      Throws:
      EACLsException - access permission denied
    • checkACLs

      protected boolean checkACLs(String name, String perm) throws EACLsException
      Checks if the permission is granted or denied in the current execution context.

      An ACL may contain one or more ACLEntry objects. When there are multiple entries, a subject must pass ALL of the ACLEntry evaluations for permission to be granted.

      Negative ("deny") entries are treated differently from positive ("allow") entries. If a negative entry fails the ACL check, the permission check returns "false" right away; if a positive entry fails the ACL check, the next entry is evaluated.

      Parameters:
      name - resource name
      perm - permission requested
      Returns:
      true if access is allowed; false if the check should be passed down to the next node
      Throws:
      EACLsException - if access disallowed
    • checkPermission

      public void checkPermission(AuthToken authToken, String name, String perm) throws EACLsException
      Checks if the permission is granted or denied for the identity carried in the authToken obtained from the authentication step that precedes authorization. If the code is marked as privileged, this method simply returns.

      Note that if a resource does not exist in the aclResources entry but a higher-level node does, the higher-level node is still evaluated. The highest-level node carrying an ACL determines the permission. If the higher-level node contains no ACL information, evaluation is passed down to the lower node. If a node has no aci in its resourceACLs, it is considered passed.

      Example: for certServer.common.users, if the permission check fails for "certServer", the check is considered failed and there is no need to continue. If it passes for "certServer", it is considered passed and there is no need to continue. If "certServer" contains no aci, "certServer.common" is checked instead. If the leaf level is reached and the node still contains no aci, the check is considered passed. If at the leaf level no such resource exists, or it has no acis, the check is considered passed.

      If there are multiple acis for a resource, ALL of them are checked, and access is eventually granted only if all permission checks pass.

      Parameters:
      authToken - authentication token obtained from authentication
      name - resource name
      perm - permission requested
      Throws:
      EACLsException - access permission denied
    • checkAllowEntries

      protected boolean checkAllowEntries(AuthToken authToken, Iterable<String> nodes, String perm) throws EACLsException
      Throws:
      EACLsException
    • checkDenyEntries

      protected void checkDenyEntries(AuthToken authToken, Iterable<String> nodes, String perm) throws EACLsException
      Throws EACLsException if a deny entry is matched.
      Throws:
      EACLsException
    • getEntries

      protected Iterable<ACLEntry> getEntries(ACLEntry.Type entryType, Iterable<String> nodes, String operation) throws EACLsException
      Throws:
      EACLsException
    • getNodes

      public Vector<String> getNodes(String resourceID)
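      As an added illustration of the node walk and entry ordering described for checkPermission, checkACLs, checkDenyEntries/checkAllowEntries and getNodes, the stand-alone Java class below models those documented rules. It is example code written for this page, not Dogtag's implementation: Subject stands in for AuthToken, the evaluator map stands in for registerEvaluator, a plain List replaces the Vector returned by getNodes, and the ACL strings, user names and group names are constructed. Where the text leaves a case open (a node whose only applicable entries are non-matching deny entries) the model passes the decision down, which is one reading of the checkACLs return contract.

```java
import java.util.*;
import java.util.function.BiPredicate;
import java.util.stream.Collectors;

/** Model of the evaluation rules documented for AAclAuthz (example code, not Dogtag's). */
public class AclModel {

    /** Constructed stand-in for the identity an AuthToken carries after authentication. */
    public record Subject(String user, Set<String> groups) {}
    /** One "allow (ops) attr=value" or "deny (ops) attr=value" statement. */
    public record Entry(boolean deny, Set<String> ops, String attrType, String attrValue) {}
    public static class AccessDeniedException extends Exception {
        public AccessDeniedException(String msg) { super(msg); }
    }

    // evaluators keyed by attribute type, mirroring registerEvaluator(type, evaluator)
    private final Map<String, BiPredicate<Subject, String>> evaluators = new HashMap<>();
    // resource name -> entries, standing in for the in-memory ACL store
    private final Map<String, List<Entry>> acls = new HashMap<>();

    public AclModel() {  // the two default evaluator types named in the class description
        evaluators.put("user", (s, v) -> s.user().equals(v));
        evaluators.put("group", (s, v) -> s.groups().contains(v));
    }

    /** Parses the "resource:rights:entry;entry:description" form accepted by addACLs(String). */
    public void addACLs(String resACLs) {
        String[] parts = resACLs.split(":", 4);
        if (parts.length < 3) throw new IllegalArgumentException("bad resourceACLs: " + resACLs);
        List<Entry> entries = new ArrayList<>();
        for (String stmt : parts[2].split(";")) {
            stmt = stmt.trim();
            if (stmt.isEmpty()) continue;
            int lp = stmt.indexOf('('), rp = stmt.indexOf(')');
            Set<String> ops = Arrays.stream(stmt.substring(lp + 1, rp).split(","))
                    .map(String::trim).collect(Collectors.toSet());
            String[] kv = stmt.substring(rp + 1).trim().split("=", 2);   // e.g. user="tempAdmin"
            entries.add(new Entry(stmt.startsWith("deny"), ops, kv[0].trim(), kv[1].trim().replace("\"", "")));
        }
        acls.put(parts[0].trim(), entries);
    }

    /** "certServer.common.users" -> [certServer, certServer.common, certServer.common.users]. */
    public List<String> getNodes(String resourceID) {
        List<String> nodes = new ArrayList<>();
        for (int i = resourceID.indexOf('.'); i != -1; i = resourceID.indexOf('.', i + 1))
            nodes.add(resourceID.substring(0, i));
        nodes.add(resourceID);
        return nodes;
    }

    /** Root-down walk: the first node whose acis apply to perm decides; no aci anywhere = passed. */
    public void checkPermission(Subject s, String name, String perm) throws AccessDeniedException {
        for (String node : getNodes(name)) {
            if (checkACLs(s, node, perm)) return;   // allowed at this level, no need to continue
            // false: nothing applicable here, the decision passes down to the next node
        }
        // leaf reached without any applicable aci: documented as "considered passed"
    }

    /** true = allowed, false = pass down, exception = denied (the documented checkACLs contract). */
    private boolean checkACLs(Subject s, String node, String perm) throws AccessDeniedException {
        List<Entry> applicable = acls.getOrDefault(node, List.of()).stream()
                .filter(e -> e.ops().contains(perm)).collect(Collectors.toList());
        if (applicable.isEmpty()) return false;
        for (Entry e : applicable)   // deny entries first: any match refuses outright (cf. checkDenyEntries)
            if (e.deny() && evaluate(s, e)) throw new AccessDeniedException(node + ": denied by " + e);
        boolean sawAllow = false;
        for (Entry e : applicable) { // then allow entries: the first match grants (cf. checkAllowEntries)
            if (e.deny()) continue;
            sawAllow = true;
            if (evaluate(s, e)) return true;
        }
        if (sawAllow) throw new AccessDeniedException(node + ": no allow entry matched " + s.user());
        return false;   // only non-matching deny entries here: nothing decided
    }

    private boolean evaluate(Subject s, Entry e) throws AccessDeniedException {
        BiPredicate<Subject, String> ev = evaluators.get(e.attrType());
        if (ev == null) throw new AccessDeniedException("no evaluator for " + e.attrType()); // fail closed
        return ev.test(s, e.attrValue());
    }

    public static void main(String[] args) {
        AclModel authz = new AclModel();
        // constructed ACLs; the first is the resourceACLs sample from the class description
        authz.addACLs("certServer.UsrGrpAdminServlet:execute:deny (execute) user=\"tempAdmin\";"
                + "allow (execute) group=\"Administrators\":user/group admin");
        authz.addACLs("certServer.common:read:allow (read) group=\"Auditors\":common subtree");
        Subject admin = new Subject("caadmin", Set.of("Administrators"));
        Subject temp = new Subject("tempAdmin", Set.of("Administrators")); // user deny beats group allow
        Subject auditor = new Subject("aud1", Set.of("Auditors"));
        Object[][] cases = {
            {admin, "certServer.UsrGrpAdminServlet", "execute"},  // ALLOW
            {temp, "certServer.UsrGrpAdminServlet", "execute"},   // DENY
            {auditor, "certServer.common.users", "read"},         // ALLOW, inherited from certServer.common
            {admin, "certServer.common.users", "read"},           // DENY, no allow matched at certServer.common
            {auditor, "certServer.undeclared", "read"},           // ALLOW: no aci anywhere, "considered passed"
        };
        for (Object[] c : cases) {
            try {
                authz.checkPermission((Subject) c[0], (String) c[1], (String) c[2]);
                System.out.println("ALLOW " + Arrays.toString(c));
            } catch (AccessDeniedException ex) {
                System.out.println("DENY  " + Arrays.toString(c) + " -> " + ex.getMessage());
            }
        }
    }
}
```

      The last case is the one worth keeping in mind when writing resourceACLs: a resource with no aci at any level of its name is considered passed, so every resource that must be protected needs an entry (or an ancestor with one), and an unknown attribute type in an entry is treated here as a refusal rather than a pass.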
    • updateACLs

      public void updateACLs(String id, String rights, String strACLs, String desc) throws EACLsException
      This method only updates the in-memory store. Classes that extend this class should also update permanent storage.
      Specified by:
      updateACLs in class AuthzManager
      Parameters:
      id - The name of the ACL entry (ie, resource id)
      rights - The allowable rights for this resource
      strACLs - The value of the ACL entry
      desc - The description for this resource
      Throws:
      EACLsException - when update fails.
    • aclEvaluatorElements

      public Enumeration<AccessEvaluator> aclEvaluatorElements()
      Gets an enumeration of access evaluators.
      Specified by:
      aclEvaluatorElements in class AuthzManager
      Returns:
      an enumeration of access evaluators
    • getAccessEvaluators

      public Hashtable<String,AccessEvaluator> getAccessEvaluators()
      Gets the access evaluators.
      Specified by:
      getAccessEvaluators in class AuthzManager
      Returns:
      handle to the access evaluators table
    • isTypeUnique

      public boolean isTypeUnique(String type) throws EACLsException
      Checks whether this resource name is unique.
      Returns:
      true if unique; false otherwise
      Throws:
      EACLsException
    • authorize

      public AuthzToken authorize(AuthToken authToken, String resource, String operation) throws EAuthzInternalError, EAuthzAccessDenied
      Checks the authorization permission for the user associated with authToken on the given operation. For example, if UsrGrpAdminServlet needs to authorize the caller, it would be done in the following fashion:
         try {
             authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
         } catch (EBaseException e) {
             logger.warn("authorize call: " + e.getMessage(), e);
         }
      Specified by:
      authorize in class AuthzManager
      Parameters:
      authToken - the authToken associated with a user
      resource - the protected resource name
      operation - the protected resource operation name
      Returns:
      authzToken
      Throws:
      EAuthzAccessDenied - If access was denied
      EAuthzInternalError - If an internal error occurred.
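      An added example of the caller side, not taken from UsrGrpAdminServlet or any Dogtag source: a guard that invokes authorize(AuthToken, String, String) on an AAclAuthz instance and refuses on every outcome except a returned AuthzToken, so that an internal error in the ACL store or an evaluator is never mistaken for a grant. The package names in the imports, the injected authz instance and the resource name RES_GROUP are assumptions made for this example.

```java
// assumed package locations for these Dogtag types; adjust to the version in use
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
import com.netscape.certsrv.authorization.EAuthzInternalError;
import com.netscape.cms.authorization.AAclAuthz;
import org.dogtagpki.server.authentication.AuthToken;
import org.dogtagpki.server.authorization.AuthzToken;

/** Example guard (not Dogtag code) around AAclAuthz.authorize for a single resource/operation. */
public class GroupReadGuard {

    // placeholder resource name; use the resource id registered in your resourceACLs
    private static final String RES_GROUP = "certServer.example.group";

    private final AAclAuthz authz;   // a configured BasicAclAuthz or DirAclAuthz, assumed injected

    public GroupReadGuard(AAclAuthz authz) {
        this.authz = authz;
    }

    /** Returns the AuthzToken on success; every other outcome becomes a refusal. */
    public AuthzToken requireGroupRead(AuthToken authToken) {
        if (authToken == null) {
            // authorize() works on the identity from authentication; without it no check is possible
            throw new SecurityException("authentication must precede authorization");
        }
        try {
            return authz.authorize(authToken, RES_GROUP, "read");
        } catch (EAuthzAccessDenied e) {
            // the expected path for an unprivileged caller: record it for audit, then refuse
            throw new SecurityException("access denied: " + RES_GROUP + ":read", e);
        } catch (EAuthzInternalError e) {
            // evaluator or ACL store failure is not a grant: refuse and surface the fault
            throw new SecurityException("authorization unavailable for " + RES_GROUP, e);
        }
    }
}
```

      The two catch blocks are kept separate on purpose: a denial is a routine, loggable event, while an internal error indicates that the ACL store or an evaluator is misbehaving and should be treated as an operational fault, but both end in a refusal.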
    • authorize

      public AuthzToken authorize(AuthToken authToken, String expression) throws EAuthzAccessDenied
      Specified by:
      authorize in class AuthzManager
      Throws:
      EAuthzAccessDenied
    • getOrder

      public AAclAuthz.EvaluationOrder getOrder()
    • evaluateACLs

      public boolean evaluateACLs(AuthToken authToken, String exp)