java.lang.Object
  issrg.pba.rbac.PermisRBAC
    issrg.pba.management.agent.managed.ManagedPermisRBAC
public class ManagedPermisRBAC
This is a managed PERMIS engine.

As a managed PERMIS engine it must implement ManagedPermis, which is the functionality provided to the PERMIS Agent, and it must implement an MBean interface, which provides the instrumentation to the PERMIS Manager.

One purpose of this class is to encapsulate the initialisation parameters, so that they can be used to re-fetch the policy should the PERMIS Manager instruct it to. At the moment no initialisation parameters are required for the current management information.

Implementing the read lock on PEP access to PermisRBAC methods only required overriding two methods; each takes the lock and then calls the corresponding method in PermisRBAC. The only problem may arise if the methods in PermisRBAC are ever changed in the future.
Field Summary

Fields inherited from class issrg.pba.rbac.PermisRBAC
    TIME_VARIABLE, TIMEOUT
Constructor Summary

ManagedPermisRBAC(PolicyFinder pf, AttributeRepository ar, AuthzTokenParser authParser, PAConfiguration configuration)
    Managed PERMIS engine.
Method Summary

Response authzDecision(Subject subject, Action action, Target target, java.util.Map contextualParams)
    This overridden method adds a PEP read lock on the making of a decision.

protected void finalize()
    Ensures that the PERMIS agent stops listening for connections.

protected Subject getCreds(UserEntry subjectDN, java.lang.Object[] creds, AuthzTokenRepository repository, CredentialsService service)
    This overridden method adds a PEP read lock to the getting of subject credentials.

java.security.Principal getPrincipalSOA()
    The Source of Authority.

protected PermisSubject newPermisSubject(java.security.Principal dN, CredentialsService service, java.lang.String policyOID, Credentials creds)
    This method is used by getCreds to return a PermisSubject.

void stopAgent()
    Stops the agent.

void stoppedAgent()
    The agent has stopped.

java.lang.String updatePolicy(java.lang.String xmlPolicy)
    Updates the policy with the given one.

java.lang.String updatePolicy(java.lang.String policyName, byte[] policyACbyteArray)
    engine.updatePolicy instrumentation.

java.lang.String updatePolicyFromLDAP(java.lang.String policyName, java.lang.String host, java.lang.Integer port, java.lang.String aCName, java.lang.String version)
    engine.updatePolicyInLDAP instrumentation.

java.lang.String updatePolicyFromWebDAV(java.lang.String policyName, java.lang.String host, java.lang.Integer port)
    engine.updatePolicyFromWebDAV instrumentation.
Methods inherited from class issrg.pba.rbac.PermisRBAC
    decision, getCreds, getCreds, getCreds, getCreds, getCreds, getPolicyFinder, getRepositories, getRepositories, getTimeOut, initEnv, SAWSCloseLog

Methods inherited from class java.lang.Object
    clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public ManagedPermisRBAC(PolicyFinder pf, AttributeRepository ar, AuthzTokenParser authParser, PAConfiguration configuration) throws PbaException

Parameters:
    pf - the PolicyFinder that locates the policy; it must implement the "ManagedPolicyFinder" interface.
    ar - the AttributeRepository used to retrieve Authorisation Tokens.
    authParser - the AuthTokenParser used to decode the Authorisation Tokens.
    configuration - the configuration used to set up the PERMIS agent as a server and listen for PERMIS managers to connect.
Throws:
    PbaException - if something goes wrong.

Method Detail
protected Subject getCreds(UserEntry subjectDN, java.lang.Object[] creds, AuthzTokenRepository repository, CredentialsService service) throws PbaException

Overrides:
    getCreds in class PermisRBAC
Parameters:
    subjectDN - the identifier of the subject; when the X.509 flavour is configured it must contain either the PKC subject DN, or the PKC SerialNumber and Issuer DN, or both.
    creds - an array of Authorisation Tokens (e.g. AttributeCertificates) to use (push model); can be null (pull model).
    repository - the AuthTokenRepository from which the missing Authorisation Tokens will be obtained; if null, the AuthTokenRepository provided at construction time will be used; if creds is not null, this parameter is ignored.
    service - attached to the Subject object, and called each time a decision is made; this way it is possible, for example, to expire the Subject object by throwing an exception.
Throws:
    PbaException - if creating the subject fails.

protected PermisSubject newPermisSubject(java.security.Principal dN, CredentialsService service, java.lang.String policyOID, Credentials creds)

The default PermisSubject is replaced with a ManagedPermisSubject, so that the subject can keep track of the policy version it was created against.

Overrides:
    newPermisSubject in class PermisRBAC
Parameters:
    dN - ??
    service - ??
    policyOID - ??
    creds - ??
See Also:
    the overridden newPermisSubject(java.security.Principal, issrg.pba.CredentialsService, java.lang.String, issrg.pba.Credentials) in PermisRBAC
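The class description explains that the PEP-facing methods (getCreds and authzDecision) run under a read lock so that a manager-driven policy update cannot interleave with a decision, and the newPermisSubject note above explains why the subject records the policy version it was created against. The following sketch, added here and not part of the PERMIS code base, shows both ideas together in a self-contained Java class: a ReentrantReadWriteLock serialises policy replacement against in-flight decisions, and a subject whose recorded version no longer matches the installed policy is refused rather than evaluated against rules it was never validated under. The Policy, Subject and ManagedEngineSketch types, the role/action policy model and the sample roles are all constructed for the example; they are not the real PERMIS, PermisSubject or ManagedPermisSubject APIs.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.ReentrantReadWriteLock;

// Hypothetical sketch (not PERMIS code): a decision engine whose policy can be
// replaced at run time by a management interface without a decision ever
// observing a half-installed policy or a subject built under an old one.
public class ManagedEngineSketch {

    /** Constructed stand-in for a policy: role -> set of permitted actions. */
    public static final class Policy {
        private final Map<String, Set<String>> permits;
        public Policy(Map<String, Set<String>> permits) { this.permits = permits; }
        boolean allows(String role, String action) {
            Set<String> actions = permits.get(role);
            return actions != null && actions.contains(action);
        }
    }

    /** Stand-in for a version-aware subject: remembers the policy version it was built under. */
    public static final class Subject {
        final String role;
        final long policyVersion;
        Subject(String role, long policyVersion) {
            this.role = role;
            this.policyVersion = policyVersion;
        }
    }

    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
    private Policy policy;        // guarded by lock
    private long policyVersion;   // guarded by lock; incremented on every update

    public ManagedEngineSketch(Policy initial) {
        this.policy = initial;
        this.policyVersion = 1;
    }

    /** getCreds counterpart: the subject is created under the read lock so the
     *  version it records is the version its credentials were checked against. */
    public Subject getCreds(String role) {
        lock.readLock().lock();
        try {
            // credential validation against the current policy would go here
            return new Subject(role, policyVersion);
        } finally {
            lock.readLock().unlock();
        }
    }

    /** authzDecision counterpart: evaluated entirely under the read lock. */
    public boolean authzDecision(Subject subject, String action) {
        lock.readLock().lock();
        try {
            if (subject.policyVersion != policyVersion) {
                // Subject was built against a policy that has since been replaced:
                // fail closed and make the caller obtain credentials again.
                return false;
            }
            return policy.allows(subject.role, action);
        } finally {
            lock.readLock().unlock();
        }
    }

    /** updatePolicy counterpart: the write lock waits for in-flight decisions to
     *  finish and blocks new ones until the swap and version bump are complete. */
    public long updatePolicy(Policy replacement) {
        lock.writeLock().lock();
        try {
            policy = replacement;
            policyVersion++;
            return policyVersion;
        } finally {
            lock.writeLock().unlock();
        }
    }

    public static void main(String[] args) {
        ManagedEngineSketch engine = new ManagedEngineSketch(
                new Policy(Map.of("doctor", Set.of("read", "write"))));
        Subject s = engine.getCreds("doctor");
        System.out.println("write before update: " + engine.authzDecision(s, "write"));

        // A manager pushes a tightened policy: doctors may now only read.
        engine.updatePolicy(new Policy(Map.of("doctor", Set.of("read"))));
        System.out.println("read with stale subject: " + engine.authzDecision(s, "read"));

        Subject fresh = engine.getCreds("doctor");
        System.out.println("write with fresh subject: " + engine.authzDecision(fresh, "write"));
        System.out.println("read with fresh subject: " + engine.authzDecision(fresh, "read"));
    }
}
```

Two design points carry over to the real engine. First, the subject is stamped under the same read lock that validated its credentials, so there is no window in which it could be stamped with a newer version than the policy actually used. Second, a stale subject is refused outright rather than re-evaluated, which is the conservative choice: a policy update may have removed the role assignment or the attribute certificate that made the subject valid in the first place, so the only safe path is to run getCreds again under the new policy.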
public Response authzDecision(Subject subject, Action action, Target target, java.util.Map contextualParams) throws PbaException

Specified by:
    authzDecision in interface PBAAPI
Overrides:
    authzDecision in class PermisRBAC
Parameters:
    subject - the subject wishing to carry out the action on the target.
    action - the action that the subject wishes to carry out.
    target - the object on which the action is carried out.
    contextualParams - Application_Context, a list of application contextual parameters.
Throws:
    PbaException - if something goes wrong whilst making a decision.
See Also:
    the overridden authzDecision(issrg.pba.Subject, issrg.pba.Action, issrg.pba.Target, java.util.Map) in PermisRBAC
public java.security.Principal getPrincipalSOA()

The Source of Authority.

protected void finalize()

Overrides:
    finalize in class PermisRBAC

public void stopAgent()

Stops the agent.

public void stoppedAgent()

This is a PERMIS agent callback method, informing this managed PERMIS that the agent has stopped listening to, and communicating with, any PERMIS managers.
public java.lang.String updatePolicy(java.lang.String policyName, byte[] policyACbyteArray) throws PbaException

Places the byte array containing the AC (with policy) into a Virtual Repository and passes it into the Policy Finder's updatePolicy method.

Specified by:
    updatePolicy in interface ManagedPermisRBACMBean
Parameters:
    policyName - unique policy name (normally an object identifier).
    policyACbyteArray - the Attribute Certificate containing the policy.
Throws:
    PbaException - if one is thrown during the update process.

public java.lang.String updatePolicyFromWebDAV(java.lang.String policyName, java.lang.String host, java.lang.Integer port) throws PbaException

Places the location of the policy, which is in a WebDAV directory, into a WebDAV Repository and passes that into the Policy Finder's updatePolicy method.

Specified by:
    updatePolicyFromWebDAV in interface ManagedPermisRBACMBean
Parameters:
    policyName - unique policy name (normally an object identifier).
    host - location of the WebDAV directory.
    port - port number of the WebDAV directory.
Throws:
    PbaException - if one is thrown during the update process.

public java.lang.String updatePolicyFromLDAP(java.lang.String policyName, java.lang.String host, java.lang.Integer port, java.lang.String aCName, java.lang.String version) throws PbaException

Places the location of the policy, which is in an LDAP directory, into an LDAP Repository and passes that into the Policy Finder's updatePolicy method.

Specified by:
    updatePolicyFromLDAP in interface ManagedPermisRBACMBean
Parameters:
    policyName - unique policy name (normally an object identifier).
    host - location of the LDAP directory.
    port - port number of the LDAP directory.
    aCName - LDAP attribute name used to identify Attribute Certificate entries.
    version - version of the LDAP installation.
Throws:
    PbaException - if one is thrown during the update process.

public java.lang.String updatePolicy(java.lang.String xmlPolicy) throws PbaException

Specified by:
    updatePolicy in interface ManagedPermisRBACMBean
Parameters:
    xmlPolicy - a string containing the new policy.
Throws:
    PbaException - when something goes wrong while updating the policy.