issrg.shibboleth
Class ShibbolethAuthzTokenParser

java.lang.Object
  extended by issrg.shibboleth.ShibbolethAuthzTokenParser
All Implemented Interfaces:
AuthzTokenParser, RoleBasedAuthzTokenParser

public class ShibbolethAuthzTokenParser
extends java.lang.Object
implements RoleBasedAuthzTokenParser

This class is an AuthTokenParser that can be used in connection with Shibboleth. The mod_permis Apache module collects the attributes that are made available by Shibboleth; it can then use PERMIS to make access control decisions. For this purpose it should call the getCreds method on PERMIS RBAC. Since by default PermisRBAC uses RoleBasedACParser (which expects X.509 Attribute Certificates), a different AuthTokenParser should be provided to PermisRBAC at construction time (see CustomisePERMIS).

By extending RoleBasedAuthTokenParser it inherits some existing functionality.

Author:
A.Otenko
See Also:
issrg.pba.rbac.CustomisePERMIS, issrg.pba.rbac.RoleBasedAuthTokenParser

Field Summary
protected  Entry h
protected  RoleHierarchyPolicy roleHierarchy

Constructor Summary
ShibbolethAuthzTokenParser()

Method Summary
 ParsedToken decode(java.lang.Object creds)
          This method decodes the given Shibboleth credentials.
 ParsedToken decode(java.lang.Object creds, Entry h)
          This method parses the Credentials, which is a String encoding of a role, and assumes the holder of the Credentials is provided.
 java.util.Map getAuthzTokenParsingRules()
          This method returns the Auth Token parsing rules currently used by the parser.
 SignatureVerifier getSignatureVerifier()
          This method always returns null, as no signature verification happens.
 void setAuthzTokenParsingRules(java.util.Map m)
          This method sets the Auth Token parsing rules.
 void setRoleHierarchy(RoleHierarchyPolicy rhp)
          Sets the Role Hierarchy Policy.
 void setSignatureVerifier(SignatureVerifier sv)
          This method does nothing, as Shibboleth Credentials are not signed.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

roleHierarchy

protected RoleHierarchyPolicy roleHierarchy

h

protected Entry h
Constructor Detail

ShibbolethAuthzTokenParser

public ShibbolethAuthzTokenParser()
Method Detail

getAuthzTokenParsingRules

public java.util.Map getAuthzTokenParsingRules()
Description copied from interface: AuthzTokenParser
This method returns the Auth Token parsing rules currently used by the parser.

Specified by:
getAuthzTokenParsingRules in interface AuthzTokenParser

setAuthzTokenParsingRules

public void setAuthzTokenParsingRules(java.util.Map m)
Description copied from interface: AuthzTokenParser
This method sets the Auth Token parsing rules.

Specified by:
setAuthzTokenParsingRules in interface AuthzTokenParser

setRoleHierarchy

public void setRoleHierarchy(RoleHierarchyPolicy rhp)
Description copied from interface: RoleBasedAuthzTokenParser
Sets the Role Hierarchy Policy. The policy defines the types of the roles, the values of the roles of each type, and the hierarchical relationship between them.

Specified by:
setRoleHierarchy in interface RoleBasedAuthzTokenParser
Parameters:
rhp - is a reference to the Role Hierarchy

decode

public ParsedToken decode(java.lang.Object creds)
                   throws PbaException
This method decodes the given Shibboleth credentials. It expects RoleBasedCredentials objects on input, and their value is mapped directly onto the roles defined in the PERMIS Policy.

Note that the type of the role and its value are taken from the HTTP header by mod_permis. This method assumes the holder of the Credentials is the "whole world", which corresponds to a null LDAP Distinguished Name.

Specified by:
decode in interface AuthzTokenParser
Parameters:
creds - the Object representing the credentials; must be a String in a format supported by ShibbolethPrincipal
Returns:
ParsedToken corresponding to the credentials String on input, the holder of which is "the whole world".
Throws:
PbaException - if any error occurs; for example, the given object is not a proper Authorisation Token that the implementation can handle
See Also:
ShibbolethPrincipal

decode

public ParsedToken decode(java.lang.Object creds,
                          Entry h)
                   throws PbaException
This method parses the Credentials, which is a String encoding of a role, and assumes the holder of the Credentials is provided. The format of the String is described in ShibbolethPrincipal.

Parameters:
creds - the Credentials to be decoded
h - the holder of the Credentials
Returns:
ParsedToken corresponding to the credentials String on input, the holder of which is specified explicitly
Throws:
PbaException
See Also:
ShibbolethPrincipal

setSignatureVerifier

public void setSignatureVerifier(SignatureVerifier sv)
This method does nothing, as Shibboleth Credentials are not signed.

Specified by:
setSignatureVerifier in interface AuthzTokenParser

getSignatureVerifier

public SignatureVerifier getSignatureVerifier()
This method always returns null, as no signature verification happens.

Specified by:
getSignatureVerifier in interface AuthzTokenParser
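The following is an added usage example, not code from the PERMIS project, showing the single-argument decode described above together with the getSignatureVerifier contract. Only the package of ShibbolethAuthzTokenParser (issrg.shibboleth) is given on this page; the packages of ParsedToken and PbaException, the class name ShibbolethParserDemo, and the header value string are assumptions (the real string format is defined by ShibbolethPrincipal and is not reproduced here). The point for a deployer is that this parser performs no signature verification, so the role it decodes is only as trustworthy as the HTTP header that mod_permis hands it.

```java
// Added example, not part of the PERMIS distribution.
// Only issrg.shibboleth.ShibbolethAuthzTokenParser is documented on this page;
// the two imports below are assumed package locations.
import issrg.shibboleth.ShibbolethAuthzTokenParser;
import issrg.pba.ParsedToken;   // assumed package
import issrg.pba.PbaException;  // assumed package

public class ShibbolethParserDemo {

    /**
     * Decodes one credential string taken from the header that mod_permis
     * exposes. The single-argument decode assumes the holder is the
     * "whole world" (null LDAP DN), so no holder is passed here.
     */
    static ParsedToken decodeHeaderValue(ShibbolethAuthzTokenParser parser,
                                         String headerValue) throws PbaException {
        return parser.decode(headerValue);
    }

    /**
     * True when the parser does no signature verification. For this class the
     * documented contract is that getSignatureVerifier() always returns null.
     */
    static boolean isUnverifiedParser(ShibbolethAuthzTokenParser parser) {
        return parser.getSignatureVerifier() == null;
    }

    public static void main(String[] args) {
        ShibbolethAuthzTokenParser parser = new ShibbolethAuthzTokenParser();

        // Placeholder value: the real encoding is described in ShibbolethPrincipal.
        String headerValue = "<role-string-in-ShibbolethPrincipal-format>";

        // Shibboleth credentials are not signed, so the only thing vouching for the
        // role is the web server that set the header: the header must originate
        // from mod_permis/Shibboleth, never from the client request.
        if (isUnverifiedParser(parser)) {
            System.out.println("no signature check: trust rests on the header source");
        }

        try {
            ParsedToken token = decodeHeaderValue(parser, headerValue);
            System.out.println("decoded token: " + token);
        } catch (PbaException e) {
            // Documented failure mode: the object is not an Authorisation Token
            // this implementation can handle (e.g. a String in the wrong format).
            System.out.println("rejected: " + e.getMessage());
        }

        // Input that is not a String is not a Shibboleth credential; the
        // documentation says decode reports this with a PbaException.
        try {
            parser.decode(Integer.valueOf(42));
            System.out.println("unexpected: non-String input was accepted");
        } catch (PbaException e) {
            System.out.println("non-String input rejected as documented");
        }
    }
}
```

Because getSignatureVerifier() is always null, a deployment that uses this parser should confirm at the web-server layer that the header mod_permis reads cannot be supplied or overwritten by the client; the parser itself offers no check that would catch a forged role.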