issrg.pba.rbac.policies
Class AssignmentRule

java.lang.Object
  extended by issrg.pba.rbac.policies.AssignmentRule

public class AssignmentRule
extends java.lang.Object

This class represents an assignment (and delegation) rule. It knows the Subject Domain to which it is applied, the delegation depth and the credentials (as obtained from the Policy) that can be assigned according to this rule.

Version:
1.0
Author:
A Otenko

Field Summary
protected java.util.logging.Logger log

Constructor Summary
protected AssignmentRule()
public AssignmentRule(Subtree subjectDomain, int delegationPathLength, Credentials SOACreds)
          This is the constructor the PolicyParser should use.

Method Summary
java.util.Vector allocate(Entry holder, AssignmentRule ar)
          This method determines the set of RARs that can be delegated to the given user, delegation depth distant from this SOA/AA, out of the set of assumed RARs.
Credentials allocate(Entry him, Credentials assumedCreds)
          This method determines the credential set that can be delegated to the given user, delegation depth distant from this SOA/AA, out of the set of assumed credentials.
SubjectCredsRules assign(ParsedToken token)
          This method validates what Credentials and Assignment rules can be assigned.
Credentials getCredentials()
int getDelegationDepth()
Subtree getSubjectDomain()
java.lang.String toString()

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

log

protected java.util.logging.Logger log
Constructor Detail

AssignmentRule

protected AssignmentRule()

AssignmentRule

public AssignmentRule(Subtree subjectDomain,
                      int delegationPathLength,
                      Credentials SOACreds)
This is the constructor the PolicyParser should use.

Parameters:
subjectDomain - is the domain of subjects that the given set of credentials can be assigned to
delegationPathLength - is an integer number specifying how deep the delegation can be; set to a negative number for unlimited delegation
SOACreds - is the credentials that can be assigned to a subject from the given domain (subjectDomain)
Method Detail

getSubjectDomain

public Subtree getSubjectDomain()
Returns:
the Subtree of Subjects to which this rule applies

getDelegationDepth

public int getDelegationDepth()
Returns:
the delegation depth of the chain that starts at the Subjects. This rule allows some issuer to assign privileges to some Subjects; the delegation depth tells how far those Subjects can delegate their privileges further: "0" - they can't; "1" - they can, but those to whom they delegated can't; and so on; "-1" - no limit on delegation is placed by this rule.

getCredentials

public Credentials getCredentials()
Returns:
the Credentials that can be assigned to the Subjects of this rule

allocate

public Credentials allocate(Entry him,
                            Credentials assumedCreds)
This method determines the credential set that can be delegated to the given user, delegation depth distant from this SOA/AA, out of the set of assumed credentials.

If assignment is not allowed then it returns null, the same result as an empty intersection of credentials.

Parameters:
him - is the user's Entry, which must match one of the allowed Subject Domains
assumedCreds - is the set of assumed credentials, as extracted from an Authorisation Token
Returns:
the Credentials that the holder may legitimately be assigned by the SOA; in fact, it is the intersection of the SOA's credentials and the assumed credentials; can be null, if no Credentials can be assigned

assign

public SubjectCredsRules assign(ParsedToken token)
This method validates what Credentials and Assignment rules can be assigned. First it calls allocate on the Credentials from the token, to find out the set of assertable credentials. Then, if the Token is a DelegatableToken, it calls allocate on the Delegatable Credentials from the token, and computes the constraints on the delegation depth and subject domain.

Parameters:
token - the token with the credentials to be assigned to the holder
Returns:
issrg.pba.rbac.SubjectCredsRules containing the set of assertable credentials and the assignment rules

allocate

public java.util.Vector allocate(Entry holder,
                                 AssignmentRule ar)
This method determines the set of RARs that can be delegated to the given user, delegation depth distant from this SOA/AA, out of the set of assumed RARs.

If assignment is not allowed then it returns an empty set of RARs.

Parameters:
holder - is the user's Entry, which must match one of the allowed Subject Domains
ar - is the assumed RAR, as built from an Authorisation Token
Returns:
the Vector of RARs that the holder may legitimately be assigned by the SOA; in fact, it is the intersection of the SOA's RARs and the assumed RAR; each element in the Vector is an AssignmentRule

toString

public java.lang.String toString()
Overrides:
toString in class java.lang.Object
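The delegation-depth semantics of getDelegationDepth() and the intersection semantics of allocate(Entry, Credentials), worked through as a small model (added example, not PERMIS code; it assumes a Subtree is a base DN matched by suffix, and that the delegatee's rule is the holder's rule one hop shorter):

```python
from dataclasses import dataclass

UNLIMITED = -1   # the "-1" value getDelegationDepth() documents as "no limit"


@dataclass(frozen=True)
class Rule:
    domain: str          # subject subtree, modelled as a base DN (assumption)
    depth: int           # delegation depth as documented: 0, 1, ... or -1
    creds: frozenset     # credentials this rule allows to be assigned


def in_domain(dn: str, base: str) -> bool:
    """A subject is in a Subtree if its DN equals or sits under the base DN."""
    return dn == base or dn.endswith("," + base)


def allocate(rule: Rule, holder_dn: str, assumed: frozenset):
    """Model of allocate(Entry, Credentials): None if the holder is outside the
    subject domain or the intersection with the assumed credentials is empty."""
    if not in_domain(holder_dn, rule.domain):
        return None
    return (rule.creds & assumed) or None


def delegate(rule: Rule, holder_dn: str, delegate_dn: str, assumed: frozenset):
    """Model of the delegation step assign() applies to a DelegatableToken:
    the holder may delegate only if depth != 0; the delegatee receives the
    intersection of credentials under a rule one hop shorter (-1 stays -1)."""
    if rule.depth == 0 or not in_domain(holder_dn, rule.domain):
        return None
    creds = allocate(rule, delegate_dn, assumed)
    if creds is None:
        return None
    next_depth = UNLIMITED if rule.depth == UNLIMITED else rule.depth - 1
    return Rule(rule.domain, next_depth, creds)


# constructed sample data, not taken from any PERMIS policy
SOA_RULE = Rule("ou=staff,o=example", 1, frozenset({"reader", "editor"}))
ALICE = "cn=alice,ou=staff,o=example"
BOB = "cn=bob,ou=staff,o=example"
EVE = "cn=eve,ou=guests,o=example"
```

With depth 1, Alice can delegate to Bob but Bob's resulting rule has depth 0, so a further hop is refused; Eve, outside the subtree, gets nothing.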