java.lang.Object
  issrg.shibboleth.ShibPermisRBAC
public class ShibPermisRBAC
ShibPermisRBAC can be used in connection with Shibboleth. The mod_permis Apache module collects the attributes that Shibboleth makes available, then uses PERMIS to make access control decisions.
This class uses the standard PermisRBAC, but uses ShibbolethAuthTokenParser to parse the Shibboleth attributes and push them into the getCreds method of PermisRBAC. The Role Assignment Policy should specify which IdPs can assign which attributes to the whole world, since the identity of the holder of the attributes is not known (it is assumed to be "the whole world", denoted by a null LDAP DN).
Shibboleth attributes are encoded by mod_permis as Shibboleth URLs, the format of which is described in ShibbolethPrincipal. The attributes are parsed to extract the attribute type (which must match one of the role types defined in the PERMIS Policy; the OID is insignificant in this case) and the attribute value; the scope of the attribute is used as the issuer identifier. The only exception is an attribute called attributeCertificateAttribute;binary: it is not decoded, but is pushed as is into the PermisRBAC getCreds method, and the usual X.509 AC parsing semantics apply.
This class maintains a hashtable of PermisRBAC objects keyed by the OID of the policy. This way it is possible to serve multiple policies in different circumstances, yet load and initialise each of them only once.
See Also: ShibbolethPrincipal
Field Summary

| Modifier and Type | Field |
|---|---|
| static int | debugLevel |
| static int | DECLINED |
| static int | DENY |
| static int | OK |
Constructor Summary

| Constructor | Description |
|---|---|
| ShibPermisRBAC(java.lang.String[] pConf, java.lang.String[] pACLoS) | The constructor of the class |
Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| int | authorise(java.lang.String[] creds, java.lang.String originURL, java.lang.String userDN, java.lang.String action, java.lang.String targetDN, java.lang.String[] pConf, java.lang.String[] pACLoS, int debugLevel) | This method performs Permis Authorisation and returns OK, DENY or DECLINED, depending on the decision. |
| PermisRBAC | getPbaApi() | Get the pbaApi reference of the specified ShibPermisRBAC object |
| static ShibPermisRBAC | getShibPermisRBAC(java.lang.String[] pConf, java.lang.String[] pACLoS) | Get a ShibPermisRBAC object. |
| static void | loadAC(VirtualRepository vr, java.lang.String filename) | This is a utility method that loads an X.509 Attribute Certificate from a file and puts it in a VirtualRepository for later use. |
| static int | permisAuth(java.lang.String[] creds, java.lang.String originURL, java.lang.String userDN, java.lang.String action, java.lang.String targetDN, java.lang.String[] pConf, java.lang.String[] pACLoS) | This method performs Permis Authorisation and returns OK, DENY or DECLINED, depending on the decision. |
Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail
---

public static final int OK

public static final int DENY

public static final int DECLINED

public static final int debugLevel
Constructor Detail
---

public ShibPermisRBAC(java.lang.String[] pConf, java.lang.String[] pACLoS)

Parameters:
pConf - the specified Permis configuration: {policy OID, SOA DN, Policy LDAP URL, AC Attribute, Root CA PKC file name, PKC attribute}
pACLoS - the locations from which to pull ACs in pull mode; can be null in push mode

Method Detail
---
public static ShibPermisRBAC getShibPermisRBAC(java.lang.String[] pConf, java.lang.String[] pACLoS)

Parameters:
pConf - the specified Permis configuration: {policy OID, SOA DN, URL of the Repository with the Policy, AC Attribute, Root CA PKC file name, PKC attribute}
public PermisRBAC getPbaApi()
public static int permisAuth(java.lang.String[] creds, java.lang.String originURL, java.lang.String userDN, java.lang.String action, java.lang.String targetDN, java.lang.String[] pConf, java.lang.String[] pACLoS)

The method finds the ShibPermisRBAC instance corresponding to the policy OID, or constructs a new one, then invokes the authorise method on it to obtain the authorisation decision.

Parameters:
creds - the ACs or Shibboleth attributes; use null if Pull mode should be used
originURL - the URL of the Origin; the hostname from the URL will be appended to the unscoped attributes
userDN - the user DN; normally an empty string in Shibboleth-Apache integration, but can be a real DN (the "dn" attribute provided by the IdP, or the DN of the authenticated user in integration scenarios without Shibboleth)
action - the action of accessing the Permis protected resource; normally one of the HTTP actions: "GET", "PUT", "POST", etc.
targetDN - the URL of the target
pConf - the specified Permis configuration.
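The following is an added example of a caller wrapping permisAuth in push mode; it is not code from the PERMIS distribution. It assumes issrg.shibboleth.ShibPermisRBAC is on the classpath, and every configuration value, file path and attribute string in it is a placeholder to be replaced with the deployment's own (the mod_permis attribute URL format is documented in ShibbolethPrincipal and is not reproduced here).

```java
// Added example, not part of ShibPermisRBAC or PERMIS itself.
import issrg.shibboleth.ShibPermisRBAC;

public class ShibPermisAuthzExample {

    // pConf layout as documented for the constructor:
    // {policy OID, SOA DN, policy repository URL, AC attribute,
    //  root CA PKC file name, PKC attribute}. All values are placeholders.
    static final String[] P_CONF = {
        "1.2.3.4.5.6",                                        // placeholder policy OID
        "cn=SOA,o=Example Org,c=GB",                          // placeholder SOA DN
        "ldap://ldap.example.org/cn=SOA,o=Example Org,c=GB",  // placeholder policy URL
        "attributeCertificateAttribute",                      // placeholder AC attribute
        "/etc/permis/rootca.cer",                             // placeholder root CA PKC file
        "userCertificate"                                     // placeholder PKC attribute
    };

    /**
     * Returns true only for an explicit OK. DENY and DECLINED both fail
     * closed: this example's own policy, so that "no applicable policy or
     * credentials" is never mistaken for a grant.
     */
    static boolean isPermitted(String[] shibAttrs, String originURL,
                               String action, String targetURL) {
        // Push mode: the attributes collected by mod_permis travel in creds,
        // so pACLoS (pull-mode AC locations) is null. userDN is the empty
        // string, as is normal in the Shibboleth-Apache integration.
        // Instances are cached per policy OID, so repeated calls reuse the
        // already-initialised PermisRBAC for P_CONF[0].
        int decision = ShibPermisRBAC.permisAuth(shibAttrs, originURL, "",
                                                 action, targetURL, P_CONF, null);
        if (decision == ShibPermisRBAC.OK) {
            return true;
        }
        if (decision == ShibPermisRBAC.DECLINED) {
            // Log separately from DENY: usually a policy/role-type mismatch
            // or missing credentials rather than an explicit refusal.
            System.err.println("permisAuth DECLINED for " + action + " " + targetURL);
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed input: one mod_permis-encoded attribute (placeholder).
        String[] creds = { "<shibboleth-attribute-url-placeholder>" };
        boolean ok = isPermitted(creds, "https://idp.example.org/shibboleth",
                                 "GET", "https://sp.example.org/protected/");
        System.out.println(ok ? "OK" : "not authorised");
    }
}
```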
public int authorise(java.lang.String[] creds, java.lang.String originURL, java.lang.String userDN, java.lang.String action, java.lang.String targetDN, java.lang.String[] pConf, java.lang.String[] pACLoS, int debugLevel) throws PbaException, RFC2253ParsingException

Parameters:
creds - the ACs or Shibboleth attributes; use null if Pull mode should be used
originURL - the URL of the Origin; the hostname from the URL will be appended to the unscoped attributes
userDN - the user DN; normally an empty string in Shibboleth-Apache integration, but can be a real DN (the "dn" attribute provided by the IdP, or the DN of the authenticated user in integration scenarios without Shibboleth)
action - the action of accessing the Permis protected resource; normally one of the HTTP actions: "GET", "PUT", "POST", etc.
targetDN - the URL of the target
pConf - the specified Permis configuration.

Throws:
PbaException
RFC2253ParsingException
public static void loadAC(VirtualRepository vr, java.lang.String filename)

Parameters:
vr - the VirtualRepository in which to place the AC
filename - the name of the file containing the AC