java.lang.Object
  +--org.edg.security.authorization.AuthorizationManager
An Authorization Manager checks whether a subject is entitled to act in a certain role. It can act as a singleton, although multiple managers can be instantiated in the same JVM.

The Authorization Manager uses pluggable backend repositories to deduce whether a certain subject can be associated with a given attribute.

The Authorization Manager may be configured with one or many policies. A policy uses a mapping of an external name to an attribute repository. Only ONE of the policies MAY be configured as the default policy.

Once a user is authorized with a certain attribute, an optional translation phase may take place, where the name of the attribute (whose naming is typically mandated elsewhere) is mapped into something else (specific to the local application).

The Authorization Manager translates the attribute name by using a table supplied by the 'map'. If the lookup yields no hit, the result is treated as a failed authorization.
Configuration example:

    <-- config element -->
      <policy name="name1" default="true">
        <repository>
          ...AttributeRepository definition
        </repository>
        <translation name="translation1">    <!-- optional -->
          <map name="globalToLocal">
            Map definition
          </map>
        </translation>
      </policy>
      <policy name="name2">
      </policy>
    </-- config element -->
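The policy selection and translation rules above (null policy selects the default, at most one default, a translation no-hit is a failed authorization) can be modelled in a few lines. The following is an added illustration, not code from the org.edg.security package: the AttributeRepository interface, the Policy holder, addPolicy, the in-memory maps and the sample subject name are all assumptions made for the example, standing in for what the real AuthorizationManager reads from its XML configuration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration (not the org.edg.security code): a minimal model of the
 * policy selection and attribute translation described in the class comment.
 * AttributeRepository, Policy and addPolicy are assumptions of this example.
 */
public class PolicyTranslationDemo {

    /** Assumed stand-in for the real AttributeRepository: attributes held by a subject. */
    public interface AttributeRepository {
        Set<String> attributesOf(String subject);
    }

    /** One configured policy: a repository plus an optional globalToLocal map. */
    public static final class Policy {
        final AttributeRepository repository;
        final Map<String, String> globalToLocal; // null when no translation is configured

        public Policy(AttributeRepository repository, Map<String, String> globalToLocal) {
            this.repository = repository;
            this.globalToLocal = globalToLocal;
        }
    }

    private final Map<String, Policy> policies = new HashMap<>();
    private String defaultPolicy; // at most one policy may be the default

    public void addPolicy(String name, Policy policy, boolean isDefault) {
        if (isDefault && defaultPolicy != null) {
            throw new IllegalArgumentException("only one policy may be the default");
        }
        policies.put(name, policy);
        if (isDefault) {
            defaultPolicy = name;
        }
    }

    /**
     * Returns the attribute name to use locally, or null when authorization fails.
     * A null policy selects the default policy. An unknown policy, a null attribute,
     * an attribute the repository does not associate with the subject, and a
     * translation no-hit all fail closed (this model's choice for the null cases).
     */
    public String authorizeSingle(String subject, String policyName, String attribute) {
        String name = policyName == null ? defaultPolicy : policyName;
        Policy policy = name == null ? null : policies.get(name);
        if (policy == null || attribute == null) {
            return null;
        }
        Set<String> held = policy.repository.attributesOf(subject);
        if (held == null || !held.contains(attribute)) {
            return null;
        }
        if (policy.globalToLocal == null) {
            return attribute; // no translation phase configured for this policy
        }
        return policy.globalToLocal.get(attribute); // no hit in the map => null => failed
    }

    public static void main(String[] args) {
        // Constructed sample data: one subject holding two global attributes.
        String alice = "/C=XX/O=Example/CN=Alice";
        Map<String, Set<String>> table = new HashMap<>();
        table.put(alice, new HashSet<>(Arrays.asList("/vo/admin", "/vo/user")));
        AttributeRepository repo = s -> table.getOrDefault(s, Collections.emptySet());

        // Translation table for the default policy; "/vo/user" deliberately has no local name.
        Map<String, String> globalToLocal = new HashMap<>();
        globalToLocal.put("/vo/admin", "local-admin");

        PolicyTranslationDemo am = new PolicyTranslationDemo();
        am.addPolicy("name1", new Policy(repo, globalToLocal), true);
        am.addPolicy("name2", new Policy(repo, null), false);

        System.out.println(am.authorizeSingle(alice, null, "/vo/admin"));     // default policy, translated
        System.out.println(am.authorizeSingle(alice, null, "/vo/user"));      // translation no-hit: fails
        System.out.println(am.authorizeSingle(alice, "name2", "/vo/user"));   // name2 has no translation
        System.out.println(am.authorizeSingle(alice, "name1", "/vo/root"));   // not held by the subject
        System.out.println(am.authorizeSingle(alice, "nosuch", "/vo/admin")); // unknown policy
    }
}
```

The point a deployer should take from this is that the translation map is part of the access decision, not cosmetics: an attribute that the repository grants but the map does not know is refused, so a local map that omits an entry denies access rather than leaking the untranslated global name into the application.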
See Also: AttributeRepository, AttributeRepositoryFactory, AttributeMap, AttributeMapFactory
Nested Class Summary

protected class AuthorizationManager.Policy
    Internal class extending the AttributeRepository with a possible extra transformation.
protected class AuthorizationManager.RefreshConfigTask
    The reload timer task.
Field Summary

protected java.lang.String myConfigElement
protected java.io.File myConfigFile
protected boolean myDoStat
protected long myLastModified
protected int myPeriod
protected java.util.HashMap myPolicies
protected AttributeRepositoryFactory myRepositoryFactory
protected java.util.Timer myTimer
protected static AuthorizationManager theAuthorizationManager
    Deprecated. OLLE 030220: Don't use the singleton anymore -- will go away ASAP.
static java.lang.String theDefaultAttribute
static java.lang.String theFileRecheck
protected static org.apache.log4j.Logger theLogger
static java.lang.String theNameAttribute
static java.lang.String thePolicyElement
static java.lang.String theTranslationElement
Constructor Summary

AuthorizationManager()
    Default constructor.
AuthorizationManager(java.io.File configFile)
    Creates a new Authorization Manager instance.
AuthorizationManager(java.lang.String configFile, java.lang.String elementTag)
    Creates a new Authorization Manager instance.
Method Summary

java.util.List authorize(SecurityContext secContext, java.lang.String policy)
    A convenience method for authorize(String, String, List).
java.util.List authorize(java.lang.String subject, java.lang.String policy, java.util.List attributes)
    Authorizes a subject against a mask of attributes with a given policy.
java.lang.String authorizeSingle(java.lang.String subject, java.lang.String policy, java.util.List attributes)
    Authorizes a subject's association with any attribute in a list using a given policy.
java.lang.String authorizeSingle(java.lang.String subject, java.lang.String policy, java.lang.String attribute)
    Authorizes a subject's association with an attribute using a given policy.
java.lang.String authorizeSingle(java.security.cert.X509Certificate subject, java.lang.String policy, java.lang.String attribute)
    A convenience method for authorizeSingle().
protected void copy(java.io.File newConfigFile)
    Convenience method to copy the content of a source file into the AuthorizationManager configuration file.
AttributeMap getAttributeMap(java.lang.String mapName)
    Convenience method that returns the AttributeMap corresponding to the given name.
java.util.List getAttributeMaps()
    Convenience method that returns all AttributeMaps created in this instance of the AuthorizationManager.
static AuthorizationManager getInstance()
    Deprecated. It was a bad idea to have a singleton instance of this object.
protected AuthorizationManager.Policy getPolicy(java.lang.String policy)
    Convenience method that returns a particular policy.
void init(java.lang.String configFile, java.lang.String elementTag)
protected java.util.HashMap parse(org.w3c.dom.Element config)
    Adds the policy information supplied in the given config to the Authorization Manager.
protected void reload(java.io.File file, java.lang.String elementTag)
void terminate()
    Terminates all Timers refreshing the configuration of the AuthorizationManager.
void uploadConfigFile(java.io.File newConfigFile)
    Replaces the configuration file with a new file and forces the AuthorizationManager to reload its configuration.

Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

public static final java.lang.String theFileRecheck
public static final java.lang.String thePolicyElement
public static final java.lang.String theTranslationElement
public static final java.lang.String theNameAttribute
public static final java.lang.String theDefaultAttribute
protected static AuthorizationManager theAuthorizationManager
protected static org.apache.log4j.Logger theLogger
protected java.util.HashMap myPolicies
protected AttributeRepositoryFactory myRepositoryFactory
protected java.io.File myConfigFile
protected java.lang.String myConfigElement
protected int myPeriod
protected boolean myDoStat
protected long myLastModified
protected java.util.Timer myTimer
Constructor Detail

public AuthorizationManager()

public AuthorizationManager(java.lang.String configFile, java.lang.String elementTag) throws java.lang.Exception
    Equivalent to new AuthorizationManager().init(configFile, elementTag)
    Parameters:
        configFile - Configuration file with the necessary parameters (see above).
        elementTag - XML tag that identifies the AM configuration portion of the file. Default is null == the root element.
    Throws:
        java.lang.Exception - in case of an error.
    See Also: init(String, String)

public AuthorizationManager(java.io.File configFile) throws java.lang.Exception
    Equivalent to new AuthorizationManager(configFile.getCanonicalPath(), null)
    Parameters:
        configFile - Configuration file with the necessary parameters (see above).
    Throws:
        java.lang.Exception - in case of an error.
    See Also: AuthorizationManager(String, String)
Method Detail

public void init(java.lang.String configFile, java.lang.String elementTag) throws java.lang.Exception
    Throws:
        java.lang.Exception

protected void reload(java.io.File file, java.lang.String elementTag) throws java.lang.Exception
    Throws:
        java.lang.Exception

protected java.util.HashMap parse(org.w3c.dom.Element config) throws java.lang.Exception
    Parameters:
        config - an XML element with policy configuration as described at the top of this document.
    Throws:
        java.lang.Exception - in case of an error.

public static AuthorizationManager getInstance()
    null, which means the file's root element.
    Throws:
        java.lang.RuntimeException - if there is an error during the initialization.
    See Also: init(String, String)

protected AuthorizationManager.Policy getPolicy(java.lang.String policy)
    Parameters:
        policy - The name of the requested policy.

public java.util.List getAttributeMaps()

public AttributeMap getAttributeMap(java.lang.String mapName)
    Parameters:
        mapName - The name of the requested AttributeMap.

public java.lang.String authorizeSingle(java.lang.String subject, java.lang.String policy, java.lang.String attribute)
    Parameters:
        subject - The subject's name.
        policy - The policy to apply. May be null (= use the default policy).
        attribute - The attribute to authorize the subject for. May be null.

public java.lang.String authorizeSingle(java.lang.String subject, java.lang.String policy, java.util.List attributes)
    Parameters:
        subject - The subject name.
        policy - The policy to use. May be null.
        attributes - A list of attributes to try out. May be null.
    Returns:
        attributes list.
    See Also: authorizeSingle(String, String, String), authorize(String, String, List)

public java.lang.String authorizeSingle(java.security.cert.X509Certificate subject, java.lang.String policy, java.lang.String attribute)
    Parameters:
        subject - The subject's (proxy) certificate, possibly containing VOMS extensions.
        policy - The policy to use (may be null).
        attribute - Overriding attribute that the subject wants to be associated with. May be null.
    See Also: authorizeSingle(String, String, List)

public java.util.List authorize(java.lang.String subject, java.lang.String policy, java.util.List attributes)
    Parameters:
        subject - The subject name.
        policy - The policy to use. May be null.
        attributes - A mask of attributes to verify against. If null or empty, all attributes associated with the subject are returned.

public java.util.List authorize(SecurityContext secContext, java.lang.String policy)
    Parameters:
        secContext - A SecurityContext containing the subject (mandatory), VOMS information, policy, and list of requested attributes (all optional).
        policy - Overriding policy (may be null).
    See Also: authorize(String, String, List), SecurityContext.setAuthorizationManager(AuthorizationManager), SecurityContext.setAuthorizedAttributes(List)

public void uploadConfigFile(java.io.File newConfigFile) throws java.io.IOException
    Parameters:
        newConfigFile - The new configuration file.
    Throws:
        java.io.IOException

protected void copy(java.io.File newConfigFile) throws java.io.IOException
    Parameters:
        newConfigFile - The source file.
    Throws:
        java.io.IOException

public void terminate()