issrg.pba.rbac.x509
Class RoleBasedACParser

java.lang.Object
  |
  +--issrg.pba.rbac.x509.RoleBasedACParser

public class RoleBasedACParser
This is the implementation of AuthzTokenParser that extracts roles from Attribute Certificates as defined by the policy.
It is the default AuthzTokenParser used by PERMIS when the X.509 flavour is configured using the issrg.pba.rbac.CustomisePERMIS.configureX509Flavour method.
Constructor Summary

RoleBasedACParser()
          This is the default constructor.

RoleBasedACParser(java.util.Map m, SignatureVerifier signatureVerifier)
          The constructor takes the Map of Assignment Rules, as returned by the PolicyParser, and the Signature Verifier, which can be null.

RoleBasedACParser(RoleHierarchyPolicy rhpn, SignatureVerifier signatureVerifier)
          The constructor uses the Role Hierarchy policy and the Signature Verifier to subsequently decode the Attribute Certificates.
Method Summary

ParsedToken decode(java.lang.Object acB)
          This method decodes the Authorisation Token into its internal representation.

protected ParsedToken decodeX509AC(java.lang.Object acB)
          This method decodes a given Attribute Certificate.

java.util.Map getAuthzTokenParsingRules()
          This method returns the Authorisation Token Parsing Rules, as a Map with a single entry whose key is issrg.pba.rbac.RoleHierarchyPolicy.class and whose value is the RoleHierarchyPolicy used by this RoleBasedACParser.

SignatureVerifier getSignatureVerifier()
          This method returns the SignatureVerifier used by this RoleBasedACParser.

void setAuthzTokenParsingRules(java.util.Map m)
          This method sets the Authorisation Token Parsing Rules.

void setRoleHierarchy(RoleHierarchyPolicy rhpn)
          This method sets the Authorisation Token Parsing Rules by directly specifying the Role Hierarchy to be used.

void setSignatureVerifier(SignatureVerifier signatureVerifier)
          This method sets the SignatureVerifier to be used to validate the X.509 Attribute Certificates.
Methods inherited from class java.lang.Object
          clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public RoleBasedACParser()

public RoleBasedACParser(RoleHierarchyPolicy rhpn, SignatureVerifier signatureVerifier)
    Parameters:
        rhpn - is the RoleHierarchyPolicy used to decode the role values in the Attribute Certificates; can't be null
        signatureVerifier - will be used to validate digital signatures; if null, no signature verification will be performed (NOT RECOMMENDED FOR REAL DEPLOYMENT AS INSECURE!)

public RoleBasedACParser(java.util.Map m, SignatureVerifier signatureVerifier)
    Parameters:
        m - is the map of assignment rules to use
        signatureVerifier - will be used to validate digital signatures; if null, no signature verification will be performed (NOT RECOMMENDED FOR REAL DEPLOYMENT AS INSECURE!)

Method Detail
public java.util.Map getAuthzTokenParsingRules()
    Specified by:
        getAuthzTokenParsingRules in interface AuthzTokenParser

public void setSignatureVerifier(SignatureVerifier signatureVerifier)
    Specified by:
        setSignatureVerifier in interface AuthzTokenParser
    Parameters:
        signatureVerifier - is the SignatureVerifier used to validate the ACs; if null, no signature verification will be performed (SHOULD NOT BE USED IN PRODUCTION SCENARIOS!)

public SignatureVerifier getSignatureVerifier()
    Specified by:
        getSignatureVerifier in interface AuthzTokenParser

public void setAuthzTokenParsingRules(java.util.Map m)
    Specified by:
        setAuthzTokenParsingRules in interface AuthzTokenParser
    Parameters:
        m - the Map of rules with a RoleHierarchyPolicy inside

public void setRoleHierarchy(RoleHierarchyPolicy rhpn)
    Specified by:
        setRoleHierarchy in interface RoleBasedAuthzTokenParser
    Parameters:
        rhpn - the RoleHierarchyPolicy to be used; if null, decoding the ACs will always fail

protected ParsedToken decodeX509AC(java.lang.Object acB) throws PbaException
    First, the parser checks whether the Authorisation Token is an X.509 Attribute Certificate. If no SignatureVerifier has been provided, the next stage is skipped; otherwise the digital signature on the certificate is verified using the SignatureVerifier supplied at construction time or via setSignatureVerifier. If verification fails, a SignatureVerificationFailedException is thrown carrying the would-be-valid ParsedToken and the original object.

    If the X.509 Attribute Certificate contains an attribute whose OID matches one of the role types defined in the RoleHierarchyPolicy, all of its values are assumed to be Printable Strings. Values not mentioned in the RoleHierarchyPolicy are ignored; the known values are mapped into the role hierarchy, so that the resulting Credentials in the ParsedToken can be compared.

    Attributes whose OID is not mentioned in the RoleHierarchyPolicy are ignored.

    If an unknown critical extension is encountered, parsing of the AC fails.

    If the AC contains a noAssertion extension, the ParsedToken's Credentials will be an empty set (though the delegatable Credentials may be non-empty).

    If the AC contains a basicAttributeConstraints extension, the result is a DelegatableToken whose delegatable Credentials are the set of Credentials contained in the AC; this is the same as the assertable Credentials when no noAssertion extension is present. The delegation depth in the DelegatableToken is the value of basicAttributeConstraints cast to a 32-bit non-negative number (enough to express any delegation tree in the world), with the same semantics as in basicAttributeConstraints, or -1 if the extension allows unconstrained delegation (no delegation depth was specified in the AC).
    Parameters:
        acB - a byte array of the BER-encoded X.509 AttributeCertificate
    Throws:
        PbaException - if no Role Hierarchy Policy has been specified through the constructor or either of the methods, or if there was a problem when decoding the Authorisation Token
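The decoding rules above, together with the constructors' null-SignatureVerifier behaviour, can be followed step by step in the stand-alone model below. It is an added example, not PERMIS code and not the project's Java API: the Attribute Certificate is a constructed dict rather than a BER-encoded certificate, the extension labels, role type OID, role values and the verifier callback are all made up for the example, and "cast to a 32-bit non-negative number" is modelled as clamping into range.

```python
"""Model of the decodeX509AC rules (added example, not PERMIS code).

An AC is a constructed dict, not a BER-encoded certificate:
  {"kind": "x509ac",
   "attributes": [(role_type_oid, [printable string values]), ...],
   "extensions": [{"oid": ..., "critical": bool, "value": ...}, ...],
   "signature_ok": bool}   # stands in for a real signature check
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Labels for the two extensions the page names (hypothetical, not real OIDs).
NO_ASSERTION = "noAssertion"
BASIC_ATTRIBUTE_CONSTRAINTS = "basicAttributeConstraints"
KNOWN_EXTENSIONS = {NO_ASSERTION, BASIC_ATTRIBUTE_CONSTRAINTS}
UNCONSTRAINED_DEPTH = -1      # "-1" when the AC gives no delegation depth
MAX_DEPTH = 2**31 - 1         # largest 32-bit non-negative depth


class PbaException(Exception):
    """Any decoding failure."""


class SignatureVerificationFailedException(PbaException):
    """Carries the would-be-valid token and the original object."""
    def __init__(self, token: "ParsedToken", original: object) -> None:
        super().__init__("signature verification failed")
        self.token = token
        self.original = original


Credential = Tuple[str, str]   # (role type OID, role value)


@dataclass
class ParsedToken:
    credentials: Set[Credential]                 # assertable credentials


@dataclass
class DelegatableToken(ParsedToken):
    delegatable: Set[Credential] = field(default_factory=set)
    depth: int = UNCONSTRAINED_DEPTH


RoleHierarchy = Dict[str, Set[str]]   # stand-in for RoleHierarchyPolicy
Verifier = Callable[[dict], bool]     # stand-in for SignatureVerifier


def decode_x509_ac(ac: object, rhp: Optional[RoleHierarchy],
                   verifier: Optional[Verifier]) -> ParsedToken:
    if rhp is None:
        raise PbaException("no RoleHierarchyPolicy specified")
    if not isinstance(ac, dict) or ac.get("kind") != "x509ac":
        raise PbaException("not an X.509 Attribute Certificate")

    # Role attributes: unknown OIDs and unknown values are ignored.
    creds: Set[Credential] = set()
    for oid, values in ac.get("attributes", []):
        known = rhp.get(oid)
        if known is not None:
            creds.update((oid, v) for v in values if v in known)

    no_assertion = False
    constraints = None
    for ext in ac.get("extensions", []):
        if ext["oid"] not in KNOWN_EXTENSIONS:
            if ext.get("critical"):
                raise PbaException("unknown critical extension " + ext["oid"])
            continue                      # unknown non-critical: ignored
        if ext["oid"] == NO_ASSERTION:
            no_assertion = True
        else:
            constraints = ext

    assertable = set() if no_assertion else set(creds)
    if constraints is None:
        token: ParsedToken = ParsedToken(assertable)
    else:
        raw = constraints.get("value")
        # Model of "cast to a 32-bit non-negative number": clamp into range.
        depth = UNCONSTRAINED_DEPTH if raw is None else max(0, min(int(raw), MAX_DEPTH))
        token = DelegatableToken(assertable, delegatable=set(creds), depth=depth)

    # The token is built first so a failed signature check can carry it.
    # A None verifier skips the check entirely (the page calls this insecure).
    if verifier is not None and not verifier(ac):
        raise SignatureVerificationFailedException(token, ac)
    return token


def decode_outcome(ac, rhp, verifier) -> str:
    """Summarise decode_x509_ac's result as 'ok', 'sigfail' or 'error'."""
    try:
        decode_x509_ac(ac, rhp, verifier)
        return "ok"
    except SignatureVerificationFailedException:
        return "sigfail"
    except PbaException:
        return "error"


# Constructed sample data: one known role type with a known and an unknown
# value, plus an attribute whose OID the policy does not mention.
SAMPLE_RHP: RoleHierarchy = {"1.2.3.4.role": {"Student", "Staff", "Professor"}}


def sample_ac(extensions=None, signature_ok=True) -> dict:
    return {"kind": "x509ac",
            "attributes": [("1.2.3.4.role", ["Staff", "Janitor"]),
                           ("9.9.9.other", ["ignored"])],
            "extensions": extensions or [],
            "signature_ok": signature_ok}


def sample_verifier(ac: dict) -> bool:
    return bool(ac.get("signature_ok"))


if __name__ == "__main__":
    print(decode_x509_ac(sample_ac(), SAMPLE_RHP, sample_verifier))
```

The model builds the token before checking the signature so that the failure exception can carry the would-be-valid ParsedToken, as the description requires. Running it with `verifier=None` shows why the constructors warn against a null SignatureVerifier: an AC whose signature would not verify still yields a token with its role credentials intact.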
public ParsedToken decode(java.lang.Object acB) throws PbaException
    Description copied from interface: AuthzTokenParser
    Specified by:
        decode in interface AuthzTokenParser
    Parameters:
        acB - implementation-specific object returned by the Repository; it is the authorisation token to be decoded
    Throws:
        PbaException - if any error occurs; for example, the given object is not a proper Authorisation Token that the implementation can handle