issrg.pba.management.agent.managed
Class ManagedPermisRBAC

java.lang.Object
  extended by issrg.pba.rbac.PermisRBAC
      extended by issrg.pba.management.agent.managed.ManagedPermisRBAC
All Implemented Interfaces:
ManagedPermisRBACMBean, PBAAPI

public class ManagedPermisRBAC
extends PermisRBAC
implements ManagedPermisRBACMBean

This is a Managed PERMIS engine.

As a Managed PERMIS engine it must implement ManagedPermis, which is the functionality provided to the PERMIS Agent, and it must implement an MBean interface, which provides the instrumentation to the PERMIS Manager.

One purpose of this class is to encapsulate the initialisation parameters, so that they can be used to retrieve the policy again should the PERMIS Manager instruct it to.

At the moment no initialisation parameters are required for the current management information.

Implementing the read lock on PEP access to PermisRBAC methods only required overriding two methods, each taking the lock and then calling the corresponding method in PermisRBAC.

The only risk is that if the methods in PermisRBAC are ever changed in the future (for example, if a new PEP-facing method is added without being overridden here), the lock may no longer cover every PEP entry point.
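The following is an added illustration of the locking and versioning scheme this page describes: the two PEP entry points (getCreds and authzDecision) run under a read lock, the manager-driven policy update runs under the write lock, and each subject remembers the policy version it was created against. It is not PERMIS code and uses hypothetical stand-in types (Policy, ManagedSubject, ManagedEngine) rather than the issrg.pba classes; what a real engine does with a subject created against an older policy is an assumption here (it is simply refused).

```java
import java.util.Map;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;

// Added example (not PERMIS code): read lock on PEP access, write lock on policy update,
// subjects carrying the version of the policy they were created against.
public class ManagedEngineDemo {

    // Hypothetical stand-in for a PERMIS policy: a version number and a map of action -> role allowed to perform it.
    static final class Policy {
        final long version;
        final Map<String, String> allowedRoleForAction;
        Policy(long version, Map<String, String> allowedRoleForAction) {
            this.version = version;
            this.allowedRoleForAction = allowedRoleForAction;
        }
    }

    // Hypothetical stand-in for ManagedPermisSubject: records the policy version it was created against.
    static final class ManagedSubject {
        final String dn;
        final String role;
        final long policyVersion;
        ManagedSubject(String dn, String role, long policyVersion) {
            this.dn = dn;
            this.role = role;
            this.policyVersion = policyVersion;
        }
    }

    // Hypothetical stand-in for the managed engine.
    static final class ManagedEngine {
        private final ReadWriteLock pepLock = new ReentrantReadWriteLock();
        private volatile Policy policy;

        ManagedEngine(Policy initial) { this.policy = initial; }

        // PEP entry point 1: credentials are fetched under the read lock, so a policy update
        // cannot swap the policy half-way through building the subject.
        ManagedSubject getCreds(String dn, String role) {
            pepLock.readLock().lock();
            try {
                return new ManagedSubject(dn, role, policy.version);
            } finally {
                pepLock.readLock().unlock();
            }
        }

        // PEP entry point 2: the decision is made under the read lock. Many PEP threads may hold
        // the read lock at once; a manager update must wait for all of them to finish.
        boolean authzDecision(ManagedSubject subject, String action, String target) {
            pepLock.readLock().lock();
            try {
                // Assumption for this example: a subject built against a different policy version
                // is stale and is refused, so the PEP has to fetch fresh credentials.
                if (subject.policyVersion != policy.version) {
                    return false;
                }
                return subject.role.equals(policy.allowedRoleForAction.get(action));
            } finally {
                pepLock.readLock().unlock();
            }
        }

        // Manager entry point: replaces the policy under the write lock and returns a status
        // message for the manager, as the updatePolicy methods on this page return a String.
        String updatePolicy(Map<String, String> newRules) {
            pepLock.writeLock().lock();
            try {
                policy = new Policy(policy.version + 1, Map.copyOf(newRules));
                return "policy updated to version " + policy.version;
            } finally {
                pepLock.writeLock().unlock();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample policy: only the "auditor" role may "read".
        ManagedEngine engine = new ManagedEngine(new Policy(1, Map.of("read", "auditor")));

        ManagedSubject alice = engine.getCreds("cn=alice", "auditor");
        System.out.println("v1, auditor reads ledger: " + engine.authzDecision(alice, "read", "ledger"));

        // Manager pushes a new policy: now only "admin" may "read".
        System.out.println(engine.updatePolicy(Map.of("read", "admin")));

        // The subject built against version 1 is now stale and is refused regardless of its role.
        System.out.println("v2, stale subject: " + engine.authzDecision(alice, "read", "ledger"));

        // Re-fetching credentials yields a subject bound to version 2, which the new rules then govern.
        ManagedSubject aliceAgain = engine.getCreds("cn=alice", "auditor");
        System.out.println("v2, fresh auditor subject: " + engine.authzDecision(aliceAgain, "read", "ledger"));
    }
}
```

The write lock is what makes the update atomic from the PEP's point of view: decisions already in progress complete against the old policy, and every decision that starts after updatePolicy returns sees the new one. Tracking the version on the subject, as the page says ManagedPermisSubject does, is what lets the engine tell that cached credentials predate the current policy.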

Version:
0.3.2008.03.20
Author:
mfb4@kent.ac.uk

Field Summary
 
Fields inherited from class issrg.pba.rbac.PermisRBAC
TIME_VARIABLE, TIMEOUT
 
Constructor Summary
ManagedPermisRBAC(PolicyFinder pf, AttributeRepository ar, AuthzTokenParser authParser, PAConfiguration configuration)
          Creates a managed PERMIS engine.
 
Method Summary
 Response authzDecision(Subject subject, Action action, Target target, java.util.Map contextualParams)
          This overridden method adds a PEP read lock on the making of a decision.
protected  void finalize()
          Ensures that the PERMIS agent stops listening for connections.
protected  Subject getCreds(UserEntry subjectDN, java.lang.Object[] creds, AuthzTokenRepository repository, CredentialsService service)
          This overridden method adds a PEP read lock to the getting of subject credentials.
 java.security.Principal getPrincipalSOA()
          The Source of Authority.
protected  PermisSubject newPermisSubject(java.security.Principal dN, CredentialsService service, java.lang.String policyOID, Credentials creds)
          This method is used by getCreds to return a PermisSubject.
 void stopAgent()
          Stops the agent.
 void stoppedAgent()
          Callback: the agent has stopped.
 java.lang.String updatePolicy(java.lang.String xmlPolicy)
          Updates the policy with the given one.
 java.lang.String updatePolicy(java.lang.String policyName, byte[] policyACbyteArray)
          engine.updatePolicy instrumentation.
 java.lang.String updatePolicyFromLDAP(java.lang.String policyName, java.lang.String host, java.lang.Integer port, java.lang.String aCName, java.lang.String version)
          engine.updatePolicyInLDAP instrumentation.
 java.lang.String updatePolicyFromWebDAV(java.lang.String policyName, java.lang.String host, java.lang.Integer port)
          engine.updatePolicyFromWebDAV instrumentation.
 
Methods inherited from class issrg.pba.rbac.PermisRBAC
decision, getCreds, getCreds, getCreds, getCreds, getCreds, getPolicyFinder, getRepositories, getRepositories, getTimeOut, initEnv, SAWSCloseLog
 
Methods inherited from class java.lang.Object
clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ManagedPermisRBAC

public ManagedPermisRBAC(PolicyFinder pf,
                         AttributeRepository ar,
                         AuthzTokenParser authParser,
                         PAConfiguration configuration)
                  throws PbaException
Creates a managed PERMIS engine. If the configuration is not null then a PERMIS agent is created and used to allow PERMIS managers to connect.

Parameters:
pf - the PolicyFinder that locates the policy; it must implement the ManagedPolicyFinder interface.
ar - the AttributeRepository used to retrieve Authorisation Tokens
authParser - the AuthTokenParser used to decode the Authorisation Tokens
configuration - the configuration used to set up the PERMIS agent as a server and listen for PERMIS managers to connect.
Throws:
PbaException - if something goes wrong
Since:
0.2.2008.02.20
Method Detail

getCreds

protected Subject getCreds(UserEntry subjectDN,
                           java.lang.Object[] creds,
                           AuthzTokenRepository repository,
                           CredentialsService service)
                    throws PbaException
This overridden method adds a PEP read lock to the getting of subject credentials. Parameter descriptions are taken from the super method.

Overrides:
getCreds in class PermisRBAC
Parameters:
subjectDN - is the identifier of the subject; when X.509 flavour is configured it must contain either the PKC subject DN, or the PKC SerialNumber and Issuer DN, or both
creds - is an array of Authorisation Tokens (e.g. AttributeCertificates) to use (push model); can be null (pull model)
repository - the AuthTokenRepository from which the missing Authorisation Tokens will be obtained; if null, the AuthTokenRepository provided at construction time will be used; if creds is not null, this parameter is ignored
service - is attached to the Subject object, and will be called each time a decision is made; this way, for example, it is possible to expire the Subject object by throwing an exception
Returns:
a Subject that implements ManagedSubject
Throws:
PbaException - if creating the subject fails.
Since:
0.2.2008.02.20

newPermisSubject

protected PermisSubject newPermisSubject(java.security.Principal dN,
                                         CredentialsService service,
                                         java.lang.String policyOID,
                                         Credentials creds)
This method is used by getCreds to return a PermisSubject.

The default PermisSubject is replaced with a ManagedPermisSubject, so that the subject can keep track of the policy version it was created against.

Overrides:
newPermisSubject in class PermisRBAC
Parameters:
dN - ??
service - ??
policyOID - ??
creds - ??
Returns:
a ManagedPermisSubject
Since:
0.2.2008.02.20
See Also:
(java.security.Principal, issrg.pba.CredentialsService, java.lang.String, issrg.pba.Credentials)

authzDecision

public Response authzDecision(Subject subject,
                              Action action,
                              Target target,
                              java.util.Map contextualParams)
                       throws PbaException
This overridden method adds a PEP read lock on the making of a decision.

Specified by:
authzDecision in interface PBAAPI
Overrides:
authzDecision in class PermisRBAC
Parameters:
subject - wishing to carry out the action on the target
action - that the subject wishes to carry out
target - object on which the action is carried out
contextualParams - Application_Context a list of application contextual parameters
Returns:
a Response object with the decision
Throws:
PbaException - if something goes wrong whilst making a decision
Since:
0.2.2008.02.20
See Also:
(issrg.pba.Subject, issrg.pba.Action, issrg.pba.Target, java.util.Map)

getPrincipalSOA

public java.security.Principal getPrincipalSOA()
The Source of Authority, i.e. who owns the policy.

Returns:
the principal object representing the SOA.
Since:
0.2.2008.02.20

finalize

protected void finalize()
Ensures that the PERMIS agent stops listening for connections.

Overrides:
finalize in class PermisRBAC
Since:
0.3.2008.03.21

stopAgent

public void stopAgent()
Stops the agent, i.e. stops the MBean server from listening on the port and from communicating with any PERMIS managers.

Since:
0.3.2008.03.21

stoppedAgent

public void stoppedAgent()
The agent has stopped.

This is a PERMIS agent callback method, informing this managed PERMIS engine that the agent has stopped listening to, and communicating with, any PERMIS managers.

Since:
0.3.2008.03.21

updatePolicy

public java.lang.String updatePolicy(java.lang.String policyName,
                                     byte[] policyACbyteArray)
                              throws PbaException
engine.updatePolicy instrumentation. Replaces the current policy with the policy contained in the AC.

Places the byte array containing the AC (with the policy) into a Virtual Repository and passes it to the PolicyFinder's updatePolicy method.

Specified by:
updatePolicy in interface ManagedPermisRBACMBean
Parameters:
policyName - unique policy name (normally an object identifier)
policyACbyteArray - the Attribute Certificate containing the policy
Returns:
A String value response (Message) to report back to the PERMIS Manager
Throws:
PbaException - if one is thrown during the update process
Since:
0.3.2008.03.20

updatePolicyFromWebDAV

public java.lang.String updatePolicyFromWebDAV(java.lang.String policyName,
                                               java.lang.String host,
                                               java.lang.Integer port)
                                        throws PbaException
engine.updatePolicyFromWebDAV instrumentation. Replaces the current policy with the one held in the specified WebDAV directory.

Places the location of the policy, which is in a WebDAV directory, into a WebDAV Repository and passes that to the PolicyFinder's updatePolicy method.

Specified by:
updatePolicyFromWebDAV in interface ManagedPermisRBACMBean
Parameters:
policyName - unique policy name (normally an object identifier)
host - host of the WebDAV directory
port - port number of the WebDAV directory
Returns:
A String value response (Message) to report back to the PERMIS Manager
Throws:
PbaException - if one is thrown during the update process
Since:
0.3.2008.03.20

updatePolicyFromLDAP

public java.lang.String updatePolicyFromLDAP(java.lang.String policyName,
                                             java.lang.String host,
                                             java.lang.Integer port,
                                             java.lang.String aCName,
                                             java.lang.String version)
                                      throws PbaException
engine.updatePolicyInLDAP instrumentation. Replaces the current policy with the one held in the specified LDAP directory.

Places the location of the policy, which is in an LDAP directory, into an LDAP Repository and passes that to the PolicyFinder's updatePolicy method.

Specified by:
updatePolicyFromLDAP in interface ManagedPermisRBACMBean
Parameters:
policyName - unique policy name (normally an object identifier)
host - host of the LDAP directory
port - port number of the LDAP directory
aCName - LDAP attribute name used to identify Attribute Certificate entries
version - of the LDAP installation
Returns:
A String value response (Message) to report back to the PERMIS Manager
Throws:
PbaException - if one is thrown during the update process
Since:
0.3.2008.03.20

updatePolicy

public java.lang.String updatePolicy(java.lang.String xmlPolicy)
                              throws PbaException
Updates the policy with the given one.

Specified by:
updatePolicy in interface ManagedPermisRBACMBean
Parameters:
xmlPolicy - a string containing the new policy
Returns:
a String containing the status
Throws:
PbaException - when something goes wrong while updating the policy