JXTA

net.jxta.impl.access.simpleACL
Class SimpleACLAccessService

java.lang.Object
  extended by net.jxta.impl.access.simpleACL.SimpleACLAccessService
All Implemented Interfaces:
AccessService, Module, Service

public class SimpleACLAccessService
extends Object
implements AccessService

Implements the AccessService using a simple ACL scheme.

The ACL table is read from the group advertisement. Each perm entry of the Access Service parameters in the group advertisement is assumed to be a permission in the following format:

    <operation> ":" ( <identity> )* ( "," <identity> )*
 

A sample ACL table extracted from a PeerGroupAdvertisement:

 ...
 <Svc>
   <MCID>urn:jxta:uuid-DEADBEEFDEAFBABAFEEDBABE0000001005</MCID>
   <Parm>
     <perm>&lt;&lt;DEFAULT>>:nobody,permit</perm>
     <perm>everyone:&lt;&lt;ALL>></perm>
     <perm>permit:nobody,permit,allow</perm>
     <perm>deny:notpermit,notallow</perm>
   </Parm>
 </Svc>
 ...
 

If <<ALL>> is provided as an identity then the operation is permitted for all valid credentials.

If <<DEFAULT>> is provided as an operation then the provided identities will be allowed for all operations which are not recognized.

This implementation makes no effort to ensure that the permission table has not been altered. It is not appropriate for use in security sensitive deployments unless the integrity of the group advertisement is ensured.
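
The following stand-alone Java model is an added example, not JXTA code: it parses the sample perm entries above, applies the documented <<ALL>> and <<DEFAULT>> rules, and shows how a single altered entry changes a decision unless the table is compared against a fingerprint pinned out of band. The class SimpleAclModel, its methods, the deny-on-missing-credential and deny-when-no-<<DEFAULT>> behaviour, and the fingerprint check are assumptions made for illustration; identities are plain strings rather than Credential objects.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Hypothetical model of the documented perm format; not the JXTA implementation.
public class SimpleAclModel {
    static final String ALL = "<<ALL>>", DEFAULT = "<<DEFAULT>>";
    private final Map<String, Set<String>> table = new HashMap<>();
    // Each entry: operation ":" identity ("," identity)*
    SimpleAclModel(List<String> perms) {
        for (String perm : perms) {
            int colon = perm.indexOf(':');
            if (colon < 0) throw new IllegalArgumentException("malformed perm: " + perm);
            Set<String> ids = table.computeIfAbsent(perm.substring(0, colon).trim(), k -> new HashSet<>());
            for (String id : perm.substring(colon + 1).split(","))
                if (!id.trim().isEmpty()) ids.add(id.trim());
        }
    }
    // identity == null stands for "no credential available".
    boolean permitted(String operation, String identity) {
        if (identity == null) return false;         // assumption: no credential, no access
        if (operation == null) return true;         // operation unimportant, credential present
        Set<String> ids = table.get(operation);
        if (ids == null) ids = table.get(DEFAULT);  // unrecognized operation: use <<DEFAULT>>
        if (ids == null) return false;              // assumption: no <<DEFAULT>> entry means deny
        return ids.contains(ALL) || ids.contains(identity);
    }
    // Order-sensitive SHA-256 over the entries, to compare with a value pinned out of band.
    static String fingerprint(List<String> perms) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(String.join("\n", perms).getBytes(StandardCharsets.UTF_8));
        return String.format("%064x", new BigInteger(1, d));
    }
    public static void main(String[] args) throws Exception {
        // The sample table from this page, with XML entities decoded.
        List<String> trusted = Arrays.asList("<<DEFAULT>>:nobody,permit", "everyone:<<ALL>>",
                "permit:nobody,permit,allow", "deny:notpermit,notallow");
        // Constructed variant: the same table with one entry altered.
        List<String> altered = new ArrayList<>(trusted);
        altered.set(3, "deny:<<ALL>>");
        String pinned = fingerprint(trusted);
        for (List<String> perms : Arrays.asList(trusted, altered)) {
            SimpleAclModel acl = new SimpleAclModel(perms);
            System.out.printf("intact=%b deny/permit=%b unknownOp/nobody=%b%n",
                    fingerprint(perms).equals(pinned),
                    acl.permitted("deny", "permit"), acl.permitted("unknownOp", "nobody"));
        }
    }
}
```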

See Also:
AccessService

Nested Class Summary
 
Nested classes/interfaces inherited from interface net.jxta.access.AccessService
AccessService.AccessResult
 
Field Summary
(package private)  PeerGroup group
          The peer group we are working for.
(package private)  ModuleImplAdvertisement implAdvertisement
          Implementation advertisement for this instance.
static ModuleSpecID simpleACLAccessSpecID
          Well known access specification identifier: the simple ACL access service
 
Fields inherited from interface net.jxta.platform.Module
START_AGAIN_PROGRESS, START_AGAIN_STALLED, START_DISABLED, START_OK
 
Constructor Summary
SimpleACLAccessService()
          The default constructor
 
Method Summary
 AccessService.AccessResult doAccessCheck(PrivilegedOperation op, Credential cred)
          Determine if a privileged operation is permitted for a given identity.
 ModuleImplAdvertisement getImplAdvertisement()
          Returns the advertisement for this service.
 SimpleACLAccessService getInterface()
          Service objects are not manipulated directly to protect usage of the service.
(package private)  PeerGroup getPeerGroup()
          
 void init(PeerGroup group, ID assignedID, Advertisement implAdv)
          Initialize the module, passing it its peer group and advertisement.
 PrivilegedOperation newPrivilegedOperation(Element source)
          Read a privileged operation from a portion of a structured document.
 PrivilegedOperation newPrivilegedOperation(Object subject, Credential offerer)
          Create a new privileged operation with the specified subject.
 int startApp(String[] args)
          Complete any remaining initialization of the module.
 void stopApp()
          Stop a module.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

simpleACLAccessSpecID

public static final ModuleSpecID simpleACLAccessSpecID
Well known access specification identifier: the simple ACL access service


group

PeerGroup group
The peer group we are working for.


implAdvertisement

ModuleImplAdvertisement implAdvertisement
Implementation advertisement for this instance.

Constructor Detail

SimpleACLAccessService

public SimpleACLAccessService()
The default constructor

Method Detail

init

public void init(PeerGroup group,
                 ID assignedID,
                 Advertisement implAdv)
          throws PeerGroupException
Initialize the module, passing it its peer group and advertisement.

Note: when subclassing one of the existing PeerGroup implementations (which implement Module), it may not be recommended to overload the init method. See the documentation of the PeerGroup class being subclassed.

Specified by:
init in interface Module
Parameters:
group - The PeerGroup from which this Module can obtain services. If this module is a Service, this is also the PeerGroup of which this module is a service.
assignedID - Identity of Module within group. Modules can use it as the root of their namespace to create names that are unique within the group but predictable by the same module on another peer. This is normally the ModuleClassID which is also the name under which the module is known by other modules. For a group it is the PeerGroupID itself. The parameters of a service, in the Peer configuration, are indexed by the assignedID of that service, and a Service must publish its run-time parameters in the Peer Advertisement under its assigned ID.
implAdv - The implementation advertisement for this Module. It is permissible to pass null if no implementation advertisement is available. This may happen if the implementation was selected by explicit class name rather than by following an implementation advertisement. Modules are not required to support that style of loading, but if they do, then their documentation should mention it.
Throws:
PeerGroupException - This module failed to initialize.

startApp

public int startApp(String[] args)
Complete any remaining initialization of the module. The module should be fully functional after startApp() is completed. That is also the opportunity to supply arbitrary arguments (mostly to applications).

If this module is a PeerGroup service, it may be invoked several times depending on its return value.

Specified by:
startApp in interface Module
Parameters:
args - An array of Strings forming the parameters for this Module.
Returns:
int A status indication which may be one of Module.START_OK, Module.START_AGAIN_PROGRESS, Module.START_AGAIN_STALLED, which indicates partial or complete success, or any other value (negative values are recommended for future compatibility), which indicates failure.

stopApp

public void stopApp()
Stop a module. This may be called any time after init() completes and should not assume that startApp() has been called or completed.

The Module cannot be forced to comply, but in the future we might be able to deny it access to anything after some timeout.

Specified by:
stopApp in interface Module

getImplAdvertisement

public ModuleImplAdvertisement getImplAdvertisement()
Returns the advertisement for this service.

Specified by:
getImplAdvertisement in interface Service
Returns:
Advertisement the advertisement. This is always a ModuleImplAdvertisement.

getInterface

public SimpleACLAccessService getInterface()
Service objects are not manipulated directly to protect usage of the service. A Service interface is returned to access the service methods.

Specified by:
getInterface in interface Service
Returns:
Service public interface of the service

doAccessCheck

public AccessService.AccessResult doAccessCheck(PrivilegedOperation op,
                                                Credential cred)
Determine if a privileged operation is permitted for a given identity.

Specified by:
doAccessCheck in interface AccessService
Parameters:
op - The operation which is being requested or null. null signifies that the operation is unimportant though the credential must be valid.
cred - The identity which is requesting or null. A null value indicates that no credential is available.
Returns:
the result of the access check.

newPrivilegedOperation

public PrivilegedOperation newPrivilegedOperation(Object subject,
                                                  Credential offerer)
Create a new privileged operation with the specified subject. Each operation is also associated with an identity, the offerer. Generally the privileged operation is cryptographically signed by the offerer.

Specified by:
newPrivilegedOperation in interface AccessService
Parameters:
subject - The subject of the operation. This usually identifies what operation is being requested.
offerer - The identity which is offering the operation.
Returns:
The privileged operation object
See Also:
Credential

newPrivilegedOperation

public PrivilegedOperation newPrivilegedOperation(Element source)
Read a privileged operation from a portion of a structured document.

Specified by:
newPrivilegedOperation in interface AccessService
Parameters:
source - The root of the document portion containing the serialized representation of the privileged operation.
Returns:
The privileged operation object.

getPeerGroup

PeerGroup getPeerGroup()


JXSE