java.lang.Object
  org.apache.directory.server.core.authz.support.ACDFEngine
public class ACDFEngine
An implementation of the Access Control Decision Function (X.501, clause 18.8).
This engine filters the collection of ACITuples by applying the following
ACITupleFilters sequentially:
RelatedUserClassFilter
RelatedProtectedItemFilter
MaxValueCountFilter
MaxImmSubFilter
RestrictedByFilter
MicroOperationFilter
HighestPrecedenceFilter
MostSpecificUserClassFilter
MostSpecificProtectedItemFilter
The operation is permitted if and only if at least one tuple is left after filtering and every remaining tuple grants the access (X.501, 18.8.4). An empty remaining set therefore denies (default deny), and a single surviving denial tuple overrides any number of surviving grants.
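The decision rule above, as an added example in Python (illustrative code, not ApacheDS's own): an ACITuple is reduced to the three fields the final decision uses, two of the nine filters (the rules of MicroOperationFilter and HighestPrecedenceFilter) are modelled in simplified form, and the 18.8.4 rule is applied to the survivors. The class and function names and the sample tuples are constructed for the illustration; PermissionError stands in for LdapNoPermissionException.

```python
"""Reduced model of the X.501 18.8 Access Control Decision Function.

Added illustration, not ApacheDS code: an ACITuple is cut down to the three
fields the final decision needs, and only two of the nine filters are modelled.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

# Micro-operation names as they appear in the X.501 ACI model.
READ, ADD = "Read", "Add"


@dataclass(frozen=True)
class AciTuple:
    """Reduced ACITuple: covered micro-operations, precedence, grant/deny."""
    micro_operations: FrozenSet[str]
    precedence: int
    grant: bool


def micro_operation_filter(tuples: List[AciTuple], requested: FrozenSet[str]) -> List[AciTuple]:
    """Keep only tuples that cover every requested micro-operation
    (the rule MicroOperationFilter applies)."""
    return [t for t in tuples if requested <= t.micro_operations]


def highest_precedence_filter(tuples: List[AciTuple], requested: FrozenSet[str]) -> List[AciTuple]:
    """Keep only the tuples at the highest precedence present
    (the rule HighestPrecedenceFilter applies)."""
    if not tuples:
        return []
    top = max(t.precedence for t in tuples)
    return [t for t in tuples if t.precedence == top]


# Filters run in sequence; each one only ever removes tuples.
FILTERS: List[Callable[[List[AciTuple], FrozenSet[str]], List[AciTuple]]] = [
    micro_operation_filter,
    highest_precedence_filter,
]


def has_permission(tuples: List[AciTuple], requested: FrozenSet[str]) -> bool:
    """18.8.4: permit iff at least one tuple survives and every survivor grants."""
    remaining = list(tuples)
    for f in FILTERS:
        remaining = f(remaining, requested)
    if not remaining:                        # nothing applies: default deny
        return False
    return all(t.grant for t in remaining)   # any surviving denial wins


def check_permission(tuples: List[AciTuple], requested: FrozenSet[str]) -> None:
    """Throwing form, mirroring checkPermission; PermissionError stands in for
    LdapNoPermissionException."""
    if not has_permission(tuples, requested):
        raise PermissionError("no permission for " + ", ".join(sorted(requested)))


# Constructed sample tuples (not taken from any real ACI):
GRANT_READ = AciTuple(frozenset({READ}), precedence=0, grant=True)
DENY_READ = AciTuple(frozenset({READ}), precedence=0, grant=False)
GRANT_READ_SPECIFIC = AciTuple(frozenset({READ}), precedence=10, grant=True)


def run_demo() -> dict:
    """Four decisions that together show the rule's behaviour."""
    return {
        # one applicable grant: permitted
        "single_grant": has_permission([GRANT_READ], frozenset({READ})),
        # grant and deny at equal precedence both survive: the deny wins
        "grant_and_deny": has_permission([GRANT_READ, DENY_READ], frozenset({READ})),
        # a higher-precedence grant removes the lower-precedence deny
        "precedence_resolves": has_permission([DENY_READ, GRANT_READ_SPECIFIC], frozenset({READ})),
        # no tuple covers Add: the set is empty, so access is denied
        "no_applicable_tuple": has_permission([GRANT_READ], frozenset({ADD})),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {'permit' if decision else 'deny'}")
```

The two cases worth noting for anyone writing ACI: a denial tuple that survives alongside a grant of the same precedence denies, and an entry with no applicable tuple at all is denied rather than falling through to some implicit default.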
Field Summary
static java.util.Collection<java.lang.String> USER_LOOKUP_BYPASS
Constructor Summary
ACDFEngine(org.apache.directory.shared.ldap.schema.registries.OidRegistry oidRegistry, org.apache.directory.shared.ldap.schema.SchemaManager schemaManager)
    Creates a new instance.
Method Summary
void checkPermission(org.apache.directory.shared.ldap.schema.SchemaManager schemaManager,
    OperationContext opContext,
    java.util.Collection<org.apache.directory.shared.ldap.name.DN> userGroupNames,
    org.apache.directory.shared.ldap.name.DN username,
    org.apache.directory.shared.ldap.constants.AuthenticationLevel authenticationLevel,
    org.apache.directory.shared.ldap.name.DN entryName,
    java.lang.String attrId,
    org.apache.directory.shared.ldap.entry.Value<?> attrValue,
    java.util.Collection<org.apache.directory.shared.ldap.aci.MicroOperation> microOperations,
    java.util.Collection<org.apache.directory.shared.ldap.aci.ACITuple> aciTuples,
    org.apache.directory.shared.ldap.entry.ServerEntry entry,
    org.apache.directory.shared.ldap.entry.ServerEntry entryView)
    Checks that the user with the specified name can access the specified resource (entry, attribute type, or attribute value) and throws LdapNoPermissionException if the user lacks permission to perform the specified micro-operations.
boolean hasPermission(org.apache.directory.shared.ldap.schema.SchemaManager schemaManager,
    OperationContext opContext,
    java.util.Collection<org.apache.directory.shared.ldap.name.DN> userGroupNames,
    org.apache.directory.shared.ldap.name.DN userName,
    org.apache.directory.shared.ldap.constants.AuthenticationLevel authenticationLevel,
    org.apache.directory.shared.ldap.name.DN entryName,
    java.lang.String attrId,
    org.apache.directory.shared.ldap.entry.Value<?> attrValue,
    java.util.Collection<org.apache.directory.shared.ldap.aci.MicroOperation> microOperations,
    java.util.Collection<org.apache.directory.shared.ldap.aci.ACITuple> aciTuples,
    org.apache.directory.shared.ldap.entry.ServerEntry entry,
    org.apache.directory.shared.ldap.entry.ServerEntry entryView)
    Returns true if the user with the specified name can access the specified resource (entry, attribute type, or attribute value) with the specified micro-operations, and false otherwise.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail
public static final java.util.Collection<java.lang.String> USER_LOOKUP_BYPASS
Constructor Detail
public ACDFEngine(org.apache.directory.shared.ldap.schema.registries.OidRegistry oidRegistry, org.apache.directory.shared.ldap.schema.SchemaManager schemaManager) throws javax.naming.NamingException
Creates a new instance.
Parameters:
oidRegistry - an OID registry to be used by internal components
schemaManager - the schema manager to be used by internal components (it supplies the attribute type registry the filters consult)
Throws:
javax.naming.NamingException - if the internal components failed to initialize
Method Detail
public void checkPermission(org.apache.directory.shared.ldap.schema.SchemaManager schemaManager, OperationContext opContext, java.util.Collection<org.apache.directory.shared.ldap.name.DN> userGroupNames, org.apache.directory.shared.ldap.name.DN username, org.apache.directory.shared.ldap.constants.AuthenticationLevel authenticationLevel, org.apache.directory.shared.ldap.name.DN entryName, java.lang.String attrId, org.apache.directory.shared.ldap.entry.Value<?> attrValue, java.util.Collection<org.apache.directory.shared.ldap.aci.MicroOperation> microOperations, java.util.Collection<org.apache.directory.shared.ldap.aci.ACITuple> aciTuples, org.apache.directory.shared.ldap.entry.ServerEntry entry, org.apache.directory.shared.ldap.entry.ServerEntry entryView) throws java.lang.Exception
Checks that the user with the specified name can access the specified resource (entry, attribute type, or attribute value) and throws LdapNoPermissionException if the user lacks permission to perform the specified micro-operations.
Parameters:
schemaManager - the schema manager used to resolve attribute types
opContext - the context of the operation being authorized
userGroupNames - the DNs of the groups to which the user trying to access the resource belongs
username - the DN of the user who is trying to access the resource
authenticationLevel - the authentication level of the user's session
entryName - the DN of the entry the user is trying to access
attrId - the attribute type of the attribute the user is trying to access, or null if the user is not accessing a specific attribute type
attrValue - the attribute value the user is trying to access, or null if the user is not accessing a specific attribute value
microOperations - the MicroOperations to perform
aciTuples - the ACITuples translated from the ACIItems in the subtree entries
entry - the entry being accessed
entryView - in the case of a Modify operation, a view of the entry being modified as if the modification were permitted and completed
Throws:
LdapNoPermissionException - if the user doesn't have permission to perform the specified micro-operations
javax.naming.NamingException - if the ACI items could not be evaluated
java.lang.Exception
public boolean hasPermission(org.apache.directory.shared.ldap.schema.SchemaManager schemaManager, OperationContext opContext, java.util.Collection<org.apache.directory.shared.ldap.name.DN> userGroupNames, org.apache.directory.shared.ldap.name.DN userName, org.apache.directory.shared.ldap.constants.AuthenticationLevel authenticationLevel, org.apache.directory.shared.ldap.name.DN entryName, java.lang.String attrId, org.apache.directory.shared.ldap.entry.Value<?> attrValue, java.util.Collection<org.apache.directory.shared.ldap.aci.MicroOperation> microOperations, java.util.Collection<org.apache.directory.shared.ldap.aci.ACITuple> aciTuples, org.apache.directory.shared.ldap.entry.ServerEntry entry, org.apache.directory.shared.ldap.entry.ServerEntry entryView) throws java.lang.Exception
Returns true if the user with the specified name can access the specified resource (entry, attribute type, or attribute value) with the specified micro-operations, and false otherwise. Unlike checkPermission, this method reports a denial through its return value rather than by throwing LdapNoPermissionException.
Parameters:
schemaManager - the schema manager used to resolve attribute types
opContext - the context of the operation being authorized
userGroupNames - the DNs of the groups to which the user trying to access the resource belongs
userName - the DN of the user who is trying to access the resource
authenticationLevel - the authentication level of the user's session
entryName - the DN of the entry the user is trying to access
attrId - the attribute type of the attribute the user is trying to access, or null if the user is not accessing a specific attribute type
attrValue - the attribute value the user is trying to access, or null if the user is not accessing a specific attribute value
microOperations - the MicroOperations to perform
aciTuples - the ACITuples translated from the ACIItems in the subtree entries
entry - the entry being accessed
entryView - in the case of a Modify operation, a view of the entry being modified as if the modification were permitted and completed
Returns:
true if the operation is permitted (at least one tuple survives filtering and all surviving tuples grant access), false otherwise
Throws:
java.lang.Exception - if the ACI items could not be evaluated