|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object issrg.pba.rbac.policies.AllocationPolicy
public class AllocationPolicy
This class represents an Allocation and Delegation Policy. Its responsibility is to return a set of Credentials (Roles in Permis) that have been assigned to the subject in accordance with the (Role) Assignment policy and delegation rules.
This class is quite abstract and can be used for many other projects, even non-role based, and non-AC based, because it operates on abstract authorisation tokens and credentials.
The delegation model assumed is: the policy states a number of trusted Sources of Authority, along with the specification of what they can delegate and to whom; these entities can delegate their powers or subset of it (i.e. the Credentials specified in the policy or the subset of it) to the other entities that must be from their Subject Domain. This way a delegation chain is established from one of the Sources of Authority (SOAs) to the end users.
AllocationPolicy can recursively trace the delegation chains by looking up the Authorisation Tokens of the Issuer of each Authorisation Token available to it, until one of the SOAs is reached. To validate the chain, the same rule is applied on each iteration: the subordinate authority can have the same or less power as the superior authority; so a subordinate authority has the intersection of the Credentials that it has in the Authorisation Tokens with the Credentials of the superior authority, the Subject Domain is an intersection of the superior's Subject Domain and the subordinate's Subject Domain excluding the subordinate himself, the delegation depth is at most one less than the delegation depth of the superior authority.
Allocation Policy checks that the Holder principal is the same as the Subject principal and does not consider the ones that do not belong to the Subject.
Allocation Policy conceptually intersects the credentials from the Parsed Token with the credentials of the Issuer of that token, and then builds a union of all such intersections for every token, and that's what goes into the Subject object.
In reality Allocation Policy uses a RuleComparator to order the Parsed Tokens by validation priority and depending on RuleComparator logic may return a subset of all available credentials without validating all of the Parsed Tokens.
Field Summary | |
---|---|
protected Logger |
log
|
protected Clock |
theClock
|
Constructor Summary | |
---|---|
protected |
AllocationPolicy()
|
|
AllocationPolicy(java.util.Map assignmentRules)
This constructor builds an AllocationPolicy with the default RuleComparator; this is a shortcut to AllocationPolicy(assignmentRules, null) See that constructor for details of the meaning. |
|
AllocationPolicy(java.util.Map assignmentRules,
RuleComparator comparator)
The constructor builds a policy out of assignment Rules and the reference to the AuthTokenParser. |
Method Summary | |
---|---|
Credentials |
getCredentials(TokenLocator who,
AuthzTokenRepository acR)
This method does the allocation. |
java.util.Vector |
validate(Entry holder,
TokenLocator issuerTokenLocator,
AssignmentRule rule,
AuthzTokenRepository acR,
java.util.Vector holders)
This function validates a requested RAR. |
Credentials |
validate(Entry holder,
TokenLocator issuerTokenLocator,
Credentials credentials,
AuthzTokenRepository acR,
java.util.Vector holders)
This method validates a requested set of Credentials. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected Clock theClock
protected Logger log
Constructor Detail |
---|
protected AllocationPolicy()
public AllocationPolicy(java.util.Map assignmentRules, RuleComparator comparator)
The rule set contains a special rule, which is the coverage domain of the whole AllocationPolicy. This rule is found by using Subtree.class as the key, and the value is assumed to be a Subtree.
assignmentRules
- is a Map of Vectors of AssignmentRule objects; the
key for each AssignmentRule collection is the SOA's DNcomparator
- defines the preference in validation of Authorisation
Tokens, so that the most relevant ones are validated first, and the
less relevant or irrelevant ones are not validated at all; if it is
null, the default RuleComparator will be used as defined in
CustomisePERMIS.getComparator()CustomisePERMIS.getComparator()
public AllocationPolicy(java.util.Map assignmentRules)
AllocationPolicy(java.util.Map,RuleComparator)
Method Detail |
---|
public Credentials getCredentials(TokenLocator who, AuthzTokenRepository acR) throws PbaException
This method does the allocation. It picks the Authorisation Tokens from the given Authorisation Token Repository (assuming it returns only valid tokens), and uses AuthTokenParser to retrieve the credentials. After that it applies each Assignment Rule to ensure that the credentials have been assigned according to the policy; all credentials that do not comply to the policy are discarded and a credentials object containing only complying credentials is returned.
Note that if the User does not match any Subject Domain, an exception will be thrown.
X.509 semantics: It picks all recognisable Roles from the given set of Attribute Certificates, then it exercises the actual Role assignment: looks what roles from the given set of ACs could have been delegated by the AC issuer. The latter step involves RoleAssignmentPolicy interpretation, with SubjectDomain matching, Role matching, SOA matching and the delegation depth matching. The resulting Role will contain validity, as calculated by combining the AC Validity time and Validity restrictions in the RoleAssignmentPolicy.
The issuer name is case insensitive.
End of recursion:
0. All the roles have been granted by the SOA (which should have been
defined in the SOAPolicy)
1. The delegator is already being calculated in this recursion (somewhere
down the stack). (Thus eliminating delegation loops; such delegations are
invalidated; depending on the role caching mechanism, a flag can be set
the role assignment to be calculated later)
2. No ACs obtained for the delegator.
who
- is the user identifier; it contains either user DN, or the
PKC
Issuer DN+Serial Number; it is used when performing SubjectDomain
match and to retrieve the Authorisation Tokens of the SubjectacR
- is the repository with the Authorisation Tokens the user has
got;
it is assumed the signature has already been verified, when the
Authorisation Tokens
are retrieved; if null, no AuthorisationTokens can be obtained for
the Subject, so only public access can be granted at decision time
(an empty set of Credentials will be returned)
PbaException
public Credentials validate(Entry holder, TokenLocator issuerTokenLocator, Credentials credentials, AuthzTokenRepository acR, java.util.Vector holders) throws PbaException
holder
- is the holder Entry. It is matched against the Subject
Domain of the issuer's RARissuerTokenLocator
- specifies the location of the issuer's
Authorisation Tokenscredentials
- is the credentials asserted by the holder and issued
by the issuer identified by issuerTokenLocatoracR
- is the default repository for the Authorisation Tokens; if
null, the Authorisation Token Repository mentioned in the
issuerTokenLocator will be used; if neither is specified, the issuer's
Authorisation Tokens cannot be found and the assignment will only be
validated using the RARs available in the policyholders
- is the vector that stores list of holders on the
delegation path; it is used for detecting loops in assignment
PbaException
public java.util.Vector validate(Entry holder, TokenLocator issuerTokenLocator, AssignmentRule rule, AuthzTokenRepository acR, java.util.Vector holders) throws PbaException
holder
- is the Entry of the holder of the asserted RARissuerTokenLocator
- specifies the location of the issuer's
Authorisation Tokensrule
- is the RAR asserted by the holder and issued by the issuer
identified by issuerTokenLocatoracR
- is the default repository for the Authorisation Tokens; if
null, the Authorisation Token Repository mentioned in the
issuerTokenLocator will be used; if neither is specified, the issuer's
Authorisation Tokens cannot be found and the assignment will only be
validated using the RARs available in the policyholders
- is the vector that stores list of holders on the
delegation path; it is used for detecting loops in assignment
PbaException
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |