public interface PBAAPI
This is a generic Privilege Based Access Control interface. It can be used for making decisions based on authorisation tokens.
The interface defines a two-stage decision mechanism. At the first stage the credentials for the user are retrieved; at the second stage a decision is made on the basis of the set of credentials retrieved at the first stage. The caller decides how many times to reuse a credential set for decisions; when the credentials can no longer be used, the caller must call getCreds again to retrieve the up-to-date set of credentials for the user. The caller may place an additional restriction on the use of the credentials by supplying an appropriate credentials service object. If the credentials service does not allow the credentials to be used, the decision fails with a dedicated exception that signals this condition to the caller.
Note that Subject objects returned in the first stage for different users can be used simultaneously. Note also that they know their parent - the PBAAPI object that created them, and if the caller tried to reuse them with a different parent PBAAPI object the operation would fail.
The interface defines both push and pull modes of operation. When pushing, a sufficient set of authorisation tokens must be provided, including the delegation chain if delegation is supported. When pulling, the repository containing all the needed authorisation tokens must be configured by implementation-specific means. The format of the authorisation tokens is not defined by this interface and is implementation-specific.
Implementation objects have their own implementation-specific constructors for proper initialisation of the object, and they should implement the finalize method so that the object is properly destroyed by the garbage collector.
Method Summary
---
Response authzDecision(Subject creds, Action action, Target target, java.util.Map contextualParams)
    Generates a Response regarding the request of the user with the given set of credentials to perform the specified action on the specified target.
boolean decision(Subject creds, Action action, Target target, java.util.Map contextualParams)
    Decides whether the user with the given set of credentials is allowed to perform the specified action on the specified target. Deprecated in favour of authzDecision().
Subject getCreds(java.security.Principal user, CredentialsService service)
    Pull mode for retrieving the user's credentials.
Subject getCreds(java.security.Principal user, java.lang.Object[] pushedCreds, CredentialsService service)
    Push mode for retrieving the user's credentials.
Method Detail
---
Subject getCreds(java.security.Principal user, CredentialsService service) throws PbaException
Pull mode for retrieving the user's credentials: the authorisation tokens are read from the repository configured by implementation-specific means.
Parameters:
user - the name of the user
service - an object that will perform additional checks on the returned set of credentials each time a decision is made (for example, a session-time check); if null, no additional service is attached to the resulting Subject object
Throws:
PbaException

Subject getCreds(java.security.Principal user, java.lang.Object[] pushedCreds, CredentialsService service) throws PbaException
Push mode for retrieving the user's credentials: the caller supplies the authorisation tokens.
Parameters:
user - the name of the user
pushedCreds - the array of authorisation tokens containing all the credentials allocated to the user and to its delegators
service - an object that will perform additional checks on the returned set of credentials each time a decision is made (for example, a session-time check); if null, no additional service is attached to the resulting Subject object
Throws:
PbaException

boolean decision(Subject creds, Action action, Target target, java.util.Map contextualParams) throws PbaException
Deprecated. This method is deprecated in favour of authzDecision(), because authzDecision() returns obligations and decision() cannot.
Decides whether the user with the given set of credentials is allowed to perform the specified action on the specified target.
Parameters:
creds - a Subject object containing the credentials and other parameters about the user (including the CredentialsService object)
action - the action the user is going to perform
target - the target on which the action is being performed
contextualParams - a collection of contextual ADI parameters
Throws:
PbaException - if there was a problem during evaluation of the decision
DecisionWithObligationException - if the decision requires a set of obligations to be fulfilled together with the enforcement of the decision; either handle this exception to retrieve the Obligations, or use authzDecision() to obtain an authorisation Response that carries the Obligations

Response authzDecision(Subject creds, Action action, Target target, java.util.Map contextualParams) throws PbaException
Generates a Response regarding the request of the user with the given set of credentials to perform the specified action on the specified target.
Parameters:
creds - a Subject object containing the credentials and other parameters about the user (including the CredentialsService object)
action - the action the user is going to perform
target - the target on which the action is being performed
contextualParams - a collection of contextual ADI parameters
Throws:
PbaException
The method name has been changed from response() to authzDecision().
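The following caller-side code is an added example and is not part of the PBAAPI documentation or of any implementation of it. It shows the two-stage flow described above (getCreds in pull or push mode, then repeated authzDecision calls on the cached Subject), a bounded refresh of the credentials when the CredentialsService rejects the cached Subject, and the obligation failure mode of the deprecated decision() method. It assumes an already-constructed PBAAPI instance (constructors are implementation-specific) and the Subject, Action, Target, Response, CredentialsService, PbaException and DecisionWithObligationException types named on this page; the page does not name the exception subclass raised when the credentials service rejects the Subject, so PbaException is caught, and the contextual parameter key "time" is hypothetical.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Added example, not PBAAPI code. Assumes the interface exactly as
// documented on this page; see the comments for further assumptions.
public class PbaCaller {
    private final PBAAPI pba;
    private final CredentialsService service; // may be null: no extra checks
    private final Principal user;
    private final Object[] pushedTokens;      // null selects pull mode
    private Subject creds;                    // stage-1 result, cached

    public PbaCaller(PBAAPI pba, CredentialsService service,
                     Principal user, Object[] pushedTokens) {
        this.pba = pba;
        this.service = service;
        this.user = user;
        this.pushedTokens = pushedTokens;
    }

    /** Stage 1: obtain the up-to-date credential set for the user. */
    private Subject fetchCreds() throws PbaException {
        if (pushedTokens == null) {
            // Pull mode: the tokens come from the repository configured in
            // the implementation; the caller supplies only the user name.
            return pba.getCreds(user, service);
        }
        // Push mode: the caller supplies every token, including the
        // delegation chain if delegation is supported.
        return pba.getCreds(user, pushedTokens, service);
    }

    /**
     * Stage 2: decision with obligations. The cached Subject is reused
     * across calls. If the CredentialsService no longer permits it (the
     * page says a dedicated exception signals this; PbaException is caught
     * here because no subclass is documented), the credentials are fetched
     * again and the decision retried exactly once, so that a genuine
     * evaluation error is not retried for ever.
     */
    public Response authorise(Action action, Target target,
                              Map<String, Object> context) throws PbaException {
        if (creds == null) {
            creds = fetchCreds();
        }
        try {
            // The Subject must go back to the PBAAPI that created it;
            // passing it to a different PBAAPI instance fails.
            return pba.authzDecision(creds, action, target, context);
        } catch (PbaException rejected) {
            creds = fetchCreds();
            return pba.authzDecision(creds, action, target, context);
        }
    }

    /**
     * Deprecated path. decision() can only return a boolean, so a decision
     * that carries obligations surfaces as DecisionWithObligationException.
     * Enforcing the boolean while ignoring the obligations would grant
     * access without the conditions the policy attached to it, so this
     * path denies and leaves the caller to use authorise() instead.
     */
    public boolean plainDecision(Action action, Target target,
                                 Map<String, Object> context) throws PbaException {
        if (creds == null) {
            creds = fetchCreds();
        }
        try {
            return pba.decision(creds, action, target, context);
        } catch (DecisionWithObligationException withObligations) {
            return false; // fail closed: obligations cannot be honoured here
        }
    }

    /** Builds the contextual ADI map; the key "time" is hypothetical. */
    public static Map<String, Object> contextFor(String timeOfDay) {
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("time", timeOfDay);
        return ctx;
    }
}
```

In a real deployment the catch in authorise() should name the implementation's specific exception for a rejected Subject rather than PbaException, so that a policy evaluation error is reported to the caller instead of being masked by one silent refresh of the credentials.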