|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object issrg.pba.rbac.policies.AccessPolicy
public class AccessPolicy
This is the class representing the Target Access Policy. It delivers the decision on whether a user with a certain set of credentials is allowed to access a target.
It knows the rules for accessing targets, and can make a decision based on those rules, when passed the set of credentials, the action and the target parameters.
It is aware of the Target domains and all Target Access Policy statements, including the IF statement.
AccessRule
Field Summary | |
---|---|
protected XMLPolicyParser.ActionPolicyNode |
actionPolicy
This is where the action policy is stored for internal purposes |
protected java.util.Map |
rules
This is where the Access Rules are stored |
protected XMLPolicyParser.DomainPolicyNode |
targetPolicy
This is where the target domain policy is stored for internal purposes |
Constructor Summary | |
---|---|
protected |
AccessPolicy()
|
|
AccessPolicy(java.util.Map accessRules)
This constructor creates the object out of a set of the access Rules. |
|
AccessPolicy(java.util.Map accessRules,
MSoDPolicySet msodPS)
This constructor is for MSoD. |
Method Summary | |
---|---|
boolean |
decision(Credentials creds,
Action a,
Target t,
java.util.Map environment)
This method performs the actual access control. |
Response |
response(Credentials creds,
Action a,
Target t,
java.util.Map environment)
This method makes a decision, and returns a response regarding to the request represented by a set of Credentials, an Action, the Target and the Environment. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected XMLPolicyParser.ActionPolicyNode actionPolicy
protected XMLPolicyParser.DomainPolicyNode targetPolicy
protected java.util.Map rules
Constructor Detail |
---|
protected AccessPolicy()
public AccessPolicy(java.util.Map accessRules)
The other special rule is the Target Policy, specifying the domains of targets. To find it among the rules, XMLPolicyParser.DomainPolicyNode.class is used as the key and the value is assumed to be a XMLPolicyParser.DomainPolicyNode
All the other rules are indexed by Action name and constitute Vectors of AccessRule objects. There is a special action with an empty name (""). The entry for this action contains the rules that allow any action to be executed, without explicitly naming them. So to make a decision, the AccessPolicy finds all the rules that belong to the named action (i.e. the TargetAccess names the action explicitly) and all the rules that do not name any action (i.e. the TargetAccess allows any action to be executed, if the condition is met). If there is a rule that can be satisfied (the Subject has the required Credentials and the IF-condition evaluates to true, if present), then access can be granted.
accessRules
- is a map of rules, created by the PolicyParser; the map
is indexed by Action name, and contains
Vectors of Target access rules for each of them, including the
specification of what targets can execute this action, and what is the
minimal set of credentials for gaining that access;public AccessPolicy(java.util.Map accessRules, MSoDPolicySet msodPS)
Method Detail |
---|
public boolean decision(Credentials creds, Action a, Target t, java.util.Map environment) throws PbaException
Note that the IF statement is the interpretation tree, which is built by the PolicyParser, and it can evaluate itself.
To find the rules, the rule set provided to the constructor is searched for rules mentioning the Action explicitly, and for the rules implying the Action (i.e. the rules allowing "any" action).
creds
- is the set of credentials the user possessesa
- is the action the user wants to perform (name + action ADI)t
- is the target the user wants to perform (name + target ADI);
Target must return TargetADI implementing Entry interfaceenvironment
- is the collection of environmental parameters to the
action; contextual ADI
PbaException
- in any case of error; for example, malformed
parameters
to the method, or an error in decision evaluation, thrown by an Access
Rule
DecisionWithObligationException,
- if the policy requires some
Obligations to be enforced along with the decision; either handle this
case specially to enforce the obligations, or use response methodresponse(issrg.pba.Credentials, issrg.pba.Action, issrg.pba.Target, java.util.Map)
public Response response(Credentials creds, Action a, Target t, java.util.Map environment) throws PbaException
creds
- is the set of credentials the user possessesa
- is the action the user wants to perform (name + action ADI)t
- is the target the user wants to perform (name + target ADI);
Target
must return TargetADI implementing Entry interfaceenvironment
- is the collection of environmental parameters to the
action; contextual ADI
PbaException
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |