issrg.pba.rbac.policies
Class AccessPolicy

java.lang.Object
  issrg.pba.rbac.policies.AccessPolicy

public class AccessPolicy
extends java.lang.Object

This is the class representing the Target Access Policy. It delivers the decision on whether a user with a certain set of credentials is allowed to access a target.

It knows the rules for accessing targets, and can make a decision based on those rules, when passed the set of credentials, the action and the target parameters.

It is aware of the Target domains and all Target Access Policy statements, including the IF statement.

Version:

1.0

Author:

A Otenko

See Also:

AccessRule

Field Summary

protected XMLPolicyParser.ActionPolicyNode	actionPolicy This is where the action policy is stored for internal purposes
protected java.util.Map	rules This is where the Access Rules are stored
protected XMLPolicyParser.DomainPolicyNode	targetPolicy This is where the target domain policy is stored for internal purposes

Constructor Summary

protected	AccessPolicy()
	AccessPolicy(java.util.Map accessRules) This constructor creates the object out of a set of the access Rules.
	AccessPolicy(java.util.Map accessRules, MSoDPolicySet msodPS) This constructor is for MSoD.

Method Summary

boolean	decision(Credentials creds, Action a, Target t, java.util.Map environment) This method performs the actual access control.
Response	response(Credentials creds, Action a, Target t, java.util.Map environment) This method makes a decision, and returns a response regarding to the request represented by a set of Credentials, an Action, the Target and the Environment.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

actionPolicy

protected XMLPolicyParser.ActionPolicyNode actionPolicy

This is where the action policy is stored for internal purposes

targetPolicy

protected XMLPolicyParser.DomainPolicyNode targetPolicy

This is where the target domain policy is stored for internal purposes

rules

protected java.util.Map rules

This is where the Access Rules are stored

Constructor Detail

AccessPolicy

protected AccessPolicy()

AccessPolicy

public AccessPolicy(java.util.Map accessRules)

This constructor creates the object out of a set of the access Rules. There are two special kinds of rules. One of the rules is the Action Policy that defines the methods. To find it among the rules, the XMLPolicyParser.ActionPolicyNode.class is used as the key, and the value is assumed to be an XMLPolicyParser.ActionPolicyNode object containing the action definitions accessible by the action name.

The other special rule is the Target Policy, specifying the domains of targets. To find it among the rules, XMLPolicyParser.DomainPolicyNode.class is used as the key and the value is assumed to be a XMLPolicyParser.DomainPolicyNode

All the other rules are indexed by Action name and constitute Vectors of AccessRule objects. There is a special action with an empty name (""). The entry for this action contains the rules that allow any action to be executed, without explicitly naming them. So to make a decision, the AccessPolicy finds all the rules that belong to the named action (i.e. the TargetAccess names the action explicitly) and all the rules that do not name any action (i.e. the TargetAccess allows any action to be executed, if the condition is met). If there is a rule that can be satisfied (the Subject has the required Credentials and the IF-condition evaluates to true, if present), then access can be granted.

Parameters:

accessRules - is a map of rules, created by the PolicyParser; the map is indexed by Action name, and contains Vectors of Target access rules for each of them, including the specification of what targets can execute this action, and what is the minimal set of credentials for gaining that access;

AccessPolicy

public AccessPolicy(java.util.Map accessRules,
                    MSoDPolicySet msodPS)

This constructor is for MSoD. DONT YOU EVER COPY PASTE IN YOUR LIFE! IT IS A SIN!

Method Detail

decision

public boolean decision(Credentials creds,
                        Action a,
                        Target t,
                        java.util.Map environment)
                 throws PbaException

This method performs the actual access control. Given a set of credentials, it checks whether there is any statement in the TargetAccessPolicy that allows to perform the given Action on the given Target. After matching the set of credentials and the Target domain, the IF statement is evaluated, involving the Environment and the arguments to the Action.

Note that the IF statement is the interpretation tree, which is built by the PolicyParser, and it can evaluate itself.

To find the rules, the rule set provided to the constructor is searched for rules mentioning the Action explicitly, and for the rules implying the Action (i.e. the rules allowing "any" action).

Parameters:

creds - is the set of credentials the user possesses

a - is the action the user wants to perform (name + action ADI)

t - is the target the user wants to perform (name + target ADI); Target must return TargetADI implementing Entry interface

environment - is the collection of environmental parameters to the action; contextual ADI

Returns:

true, if the requested access can be granted; false, if the access is denied by the policy

Throws:

PbaException - in any case of error; for example, malformed parameters to the method, or an error in decision evaluation, thrown by an Access Rule

DecisionWithObligationException, - if the policy requires some Obligations to be enforced along with the decision; either handle this case specially to enforce the obligations, or use response method

See Also:

response(issrg.pba.Credentials, issrg.pba.Action, issrg.pba.Target, java.util.Map)

response

public Response response(Credentials creds,
                         Action a,
                         Target t,
                         java.util.Map environment)
                  throws PbaException

This method makes a decision, and returns a response regarding to the request represented by a set of Credentials, an Action, the Target and the Environment. The response may contain obligations.

Parameters:

creds - is the set of credentials the user possesses

a - is the action the user wants to perform (name + action ADI)

t - is the target the user wants to perform (name + target ADI); Target must return TargetADI implementing Entry interface

environment - is the collection of environmental parameters to the action; contextual ADI

Returns:

a Response that contains the authorisation decision and the obligations that must be enforced along with it.

Throws:

PbaException