issrg.shibboleth
Class ShibPermisRBAC

java.lang.Object
  extended by issrg.shibboleth.ShibPermisRBAC

public class ShibPermisRBAC
extends java.lang.Object

ShibPermisRBAC is used in connection with Shibboleth: the mod_permis Apache module collects the attributes that Shibboleth makes available, then uses PERMIS to make access control decisions on them.

This class uses the standard PermisRBAC, but uses ShibbolethAuthTokenParser to parse Shibboleth attributes and push them into the getCreds method of PermisRBAC. The Role Assignment Policy must therefore specify which IdPs may assign which attributes to the whole world, because the identity of the holder of the attributes is not known: the holder is taken to be "the whole world", denoted by a null LDAP DN.

Shibboleth attributes are encoded by mod_permis as Shibboleth URLs, the format of which is described in ShibbolethPrincipal. Each attribute is parsed to extract the attribute type (which must match one of the role types defined in the PERMIS policy; the OID is not significant in this case) and the attribute value; the scope of the attribute is used as the issuer identifier. The only exception is an attribute named attributeCertificateAttribute;binary, which is not decoded but is pushed as is into the PermisRBAC getCreds method, where the usual X.509 AC parsing semantics apply. Because the scope is taken as the issuer, the IdP trust expressed in the Role Assignment Policy only holds if the Shibboleth SP has already verified, before the attributes reach mod_permis, that each scoped attribute carries a scope the sending IdP is permitted to assert.

This class maintains a hashtable of PermisRBAC objects keyed by the OID of the policy. This makes it possible to serve multiple policies in different circumstances while loading and initialising each of them only once.

See Also:
ShibbolethPrincipal

Field Summary
static int debugLevel
           
static int DECLINED
           
static int DENY
           
static int OK
           
 
Constructor Summary
ShibPermisRBAC(java.lang.String[] pConf, java.lang.String[] pACLoS)
          The constructor of the class
 
Method Summary
 int authorise(java.lang.String[] creds, java.lang.String originURL, java.lang.String userDN, java.lang.String action, java.lang.String targetDN, java.lang.String[] pConf, java.lang.String[] pACLoS, int debugLevel)
          This method performs Permis Authorisation and returns OK, DENY or DECLINED, depending on the decision.
 PermisRBAC getPbaApi()
          Get the pbaApi reference of the specified ShibPermisRBAC object
static ShibPermisRBAC getShibPermisRBAC(java.lang.String[] pConf, java.lang.String[] pACLoS)
          Get a ShibPermisRBAC object.
static void loadAC(VirtualRepository vr, java.lang.String filename)
          This is a utility method that loads an X.509 Attribute Certificate from a file and puts it in a VirtualRepository for later use.
static int permisAuth(java.lang.String[] creds, java.lang.String originURL, java.lang.String userDN, java.lang.String action, java.lang.String targetDN, java.lang.String[] pConf, java.lang.String[] pACLoS)
          This method performs Permis Authorisation and returns OK, DENY or DECLINED, depending on the decision.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

OK

public static final int OK
See Also:
Constant Field Values

DENY

public static final int DENY
See Also:
Constant Field Values

DECLINED

public static final int DECLINED
See Also:
Constant Field Values

debugLevel

public static final int debugLevel
See Also:
Constant Field Values
Constructor Detail

ShibPermisRBAC

public ShibPermisRBAC(java.lang.String[] pConf,
                      java.lang.String[] pACLoS)
The constructor of the class

Parameters:
pConf - the specified Permis configuration: {policy OID, SOA DN, Policy LDAP URL, AC Attribute, Root CA PKC file name, PKC attribute}
pACLoS - the locations where to pull ACs from in pull mode; can be null in push mode
Method Detail

getShibPermisRBAC

public static ShibPermisRBAC getShibPermisRBAC(java.lang.String[] pConf,
                                               java.lang.String[] pACLoS)
Get a ShibPermisRBAC object. If a ShibPermisRBAC object corresponding to the policy OID given in pConf already exists, return that object. Otherwise, create a new ShibPermisRBAC object.

Parameters:
pConf - the specified Permis configuration: {policy OID, SOA DN, URL of the Repository with the Policy, AC Attribute, Root CA PKC file name, PKC attribute}
pACLoS - the locations where to pull ACs from in pull mode; can be null in push mode
Returns:
a ShibPermisRBAC object

getPbaApi

public PermisRBAC getPbaApi()
Get the pbaApi reference of the specified ShibPermisRBAC object

Returns:
a pbaApi reference

permisAuth

public static int permisAuth(java.lang.String[] creds,
                             java.lang.String originURL,
                             java.lang.String userDN,
                             java.lang.String action,
                             java.lang.String targetDN,
                             java.lang.String[] pConf,
                             java.lang.String[] pACLoS)
This method performs Permis Authorisation and returns OK, DENY or DECLINED, depending on the decision.

The method finds the ShibPermisRBAC instance corresponding to the policy OID, or constructs a new one, then invokes its authorise method to obtain the authorisation decision.

Parameters:
creds - the ACs or Shibboleth attributes; use null if Pull mode should be used
originURL - the URL of the Origin; the hostname from the URL is appended to the unscoped attributes
userDN - the user DN; normally an empty string in the Shibboleth-Apache integration, but can be a real DN (the "dn" attribute provided by the IdP, or the DN of the authenticated user in integration scenarios without Shibboleth)
action - the action of accessing the Permis protected resource; normally one of the HTTP methods: "GET", "PUT", "POST", etc.
targetDN - the URL of the target
pConf - the specified Permis configuration
pACLoS - the locations where to pull ACs from in pull mode; can be null in push mode
Returns:
OK (0) if access is granted, DENY (1) if it is refused, or DECLINED (2) if the policy is not applicable; the latter is returned when the target lies outside the policy's Target Domain
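The following caller is an added example, not code from the PERMIS distribution or from the mod_permis module. It ties together the class description (one cached ShibPermisRBAC per policy OID, selected through pConf) and the permisAuth contract above: a single static call per request, pull mode selected by passing null creds so that ACs are fetched from pACLoS, and every decision code other than OK refused. Push mode with Shibboleth URL attributes is not shown because their format is defined in ShibbolethPrincipal rather than on this page. The policy OID, DNs, repository URL, file path, origin and target URLs, and the class name ShibPermisCaller are placeholders assumed for illustration; only issrg.shibboleth.ShibPermisRBAC and its documented members are taken from the page.

```java
// Added example (not part of PERMIS): calls ShibPermisRBAC.permisAuth in
// pull mode and maps the decision code to an HTTP status, failing closed.
import issrg.shibboleth.ShibPermisRBAC;

public class ShibPermisCaller {

    // Assumed configuration, in the order pConf expects:
    // {policy OID, SOA DN, URL of the repository holding the policy,
    //  AC attribute, Root CA PKC file name, PKC attribute}.
    // Every value is a placeholder; replace with the real deployment's.
    private static final String[] P_CONF = {
        "1.2.3.4.5.6",                               // policy OID (placeholder)
        "cn=SOA,o=Example,c=GB",                     // SOA DN (placeholder)
        "ldap://ldap.example.org/o=Example,c=GB",    // policy repository (placeholder)
        "attributeCertificateAttribute",             // AC attribute type
        "/etc/permis/rootca.cer",                    // Root CA PKC file (placeholder)
        "userCertificate"                            // PKC attribute type
    };

    // Repositories searched for the holder's ACs in pull mode (placeholder).
    private static final String[] P_ACLOS = {
        "ldap://ldap.example.org/o=Example,c=GB"
    };

    /**
     * Map a PERMIS decision code to the HTTP status a front end would send.
     * Only OK grants access. DENY is forbidden. DECLINED means the target
     * is outside the policy's Target Domain; it is refused here too, because
     * this caller assumes no other authoriser covers such targets (Apache
     * would instead pass a DECLINED on to the next module). Anything else
     * is unexpected and fails closed.
     */
    static int toHttpStatus(int decision) {
        if (decision == ShibPermisRBAC.OK) {
            return 200;
        }
        if (decision == ShibPermisRBAC.DENY || decision == ShibPermisRBAC.DECLINED) {
            return 403;
        }
        return 500;
    }

    /**
     * One authorisation request. permisAuth looks up (or creates and caches)
     * the ShibPermisRBAC for P_CONF[0], the policy OID, and invokes authorise.
     * creds == null selects pull mode, so userDN must name the AC holder.
     */
    static int decide(String userDN, String action, String targetURL) {
        int decision = ShibPermisRBAC.permisAuth(
                null,                                    // creds: null => pull mode
                "https://idp.example.org/shibboleth",    // originURL (placeholder)
                userDN,
                action,
                targetURL,
                P_CONF,
                P_ACLOS);
        return toHttpStatus(decision);
    }

    public static void main(String[] args) {
        int status = decide("cn=Alice,o=Example,c=GB", "GET",
                "https://sp.example.org/protected/report.html");   // placeholder target
        System.out.println("HTTP " + status);
    }
}
```

Keeping the mapping in toHttpStatus separate from the call makes the fail-closed behaviour easy to audit: a new decision code, or a DECLINED that nobody else handles, can never turn into a 200.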

authorise

public int authorise(java.lang.String[] creds,
                     java.lang.String originURL,
                     java.lang.String userDN,
                     java.lang.String action,
                     java.lang.String targetDN,
                     java.lang.String[] pConf,
                     java.lang.String[] pACLoS,
                     int debugLevel)
              throws PbaException,
                     RFC2253ParsingException
This method performs Permis Authorisation and returns OK, DENY or DECLINED, depending on the decision.

Parameters:
creds - the ACs or Shibboleth attributes; use null if Pull mode should be used
originURL - the URL of the Origin; the hostname from the URL is appended to the unscoped attributes
userDN - the user DN; normally an empty string in the Shibboleth-Apache integration, but can be a real DN (the "dn" attribute provided by the IdP, or the DN of the authenticated user in integration scenarios without Shibboleth)
action - the action of accessing the Permis protected resource; normally one of the HTTP methods: "GET", "PUT", "POST", etc.
targetDN - the URL of the target
pConf - the specified Permis configuration
pACLoS - the locations where to pull ACs from in pull mode; can be null in push mode
debugLevel - the debug level to use for this call
Returns:
OK (0) if access is granted, DENY (1) if it is refused, or DECLINED (2) if the policy is not applicable; the latter is returned when the target lies outside the policy's Target Domain
Throws:
PbaException
RFC2253ParsingException

loadAC

public static void loadAC(VirtualRepository vr,
                          java.lang.String filename)
This is a utility method that loads an X.509 Attribute Certificate from a file and puts it in a VirtualRepository for later use (for example, as a pull-mode source listed in pACLoS).

Parameters:
vr - the VirtualRepository to place the AC in
filename - the name of the file containing the AC