org.apache.directory.server.core.authz.support
Class ACDFEngine

java.lang.Object
  extended by org.apache.directory.server.core.authz.support.ACDFEngine

public class ACDFEngine
extends java.lang.Object

An implementation of the Access Control Decision Function (X.501, clause 18.8).

This engine filters the collection of ACI tuples by applying the following ACITupleFilters in sequence:

  1. RelatedUserClassFilter
  2. RelatedProtectedItemFilter
  3. MaxValueCountFilter
  4. MaxImmSubFilter
  5. RestrictedByFilter
  6. MicroOperationFilter
  7. HighestPrecedenceFilter
  8. MostSpecificUserClassFilter
  9. MostSpecificProtectedItemFilter

An operation is determined to be permitted if and only if at least one tuple is left after filtering and all of the remaining tuples grant the access (X.501, clause 18.8.4). An empty result therefore means denial, not permission.
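The decision rule above, as an added, simplified model (not ApacheDS code): a constructed stand-in for ACITuple, the filter stages the class lists that can be expressed without registry lookups, and the X.501 18.8.4 rule applied to what survives. The asymmetric MicroOperationFilter rule (a grant must cover every requested operation, a deny applies if it names any) and the numeric user-class specificity are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AciTuple:
    """Constructed stand-in for an ACITuple: who, what, which operations,
    at what precedence, and whether the tuple grants or denies."""
    user_classes: frozenset   # e.g. {"allUsers"} or {"name:cn=admin"}
    items: frozenset          # protected items, e.g. {"entry"} or {"attr:userPassword"}
    ops: frozenset            # micro-operations, e.g. {"Read", "Modify"}
    precedence: int
    grant: bool
    specificity: int = 0      # assumption: higher means a more specific user class

def keep_max(tuples, key):
    """Keep only the tuples sharing the highest value of key (empty stays empty)."""
    if not tuples:
        return []
    top = max(key(t) for t in tuples)
    return [t for t in tuples if key(t) == top]

def micro_op_applies(t, ops):
    # Assumed rule: a grant must cover every requested operation, while a
    # deny applies as soon as it names any of them (deny is never bypassed).
    return ops <= t.ops if t.grant else bool(ops & t.ops)

def has_permission(tuples, user_classes, item, ops):
    """Run the filter chain on one request, then apply X.501 18.8.4."""
    remaining = [t for t in tuples if t.user_classes & user_classes]  # RelatedUserClassFilter
    remaining = [t for t in remaining if item in t.items]            # RelatedProtectedItemFilter
    remaining = [t for t in remaining if micro_op_applies(t, ops)]   # MicroOperationFilter
    remaining = keep_max(remaining, lambda t: t.precedence)          # HighestPrecedenceFilter
    remaining = keep_max(remaining, lambda t: t.specificity)         # MostSpecificUserClassFilter
    # Permitted iff at least one tuple survives and none of the survivors denies;
    # no applicable tuple at all is a denial, not a grant.
    return bool(remaining) and all(t.grant for t in remaining)

# Constructed sample policy: everyone may read entries, nobody may read
# userPassword except the admin, whose name-based tuple is more specific.
POLICY = [
    AciTuple(frozenset({"allUsers"}), frozenset({"entry"}), frozenset({"Read"}), 1, True),
    AciTuple(frozenset({"allUsers"}), frozenset({"attr:userPassword"}), frozenset({"Read"}), 5, False),
    AciTuple(frozenset({"name:cn=admin"}), frozenset({"attr:userPassword"}),
             frozenset({"Read", "Modify"}), 5, True, specificity=2),
]
ANON = frozenset({"allUsers"})
ADMIN = frozenset({"allUsers", "name:cn=admin"})

if __name__ == "__main__":
    print(has_permission(POLICY, ANON, "entry", {"Read"}))                        # True
    print(has_permission(POLICY, ANON, "attr:userPassword", {"Read"}))            # False
    print(has_permission(POLICY, ADMIN, "attr:userPassword", {"Read"}))           # True
    print(has_permission(POLICY, ADMIN, "attr:userPassword", {"Read", "Remove"}))  # False
```

The last case shows why the order of filters matters: the admin grant does not cover "Remove", so it is dropped by the micro-operation stage and the broader deny is the only tuple left at the precedence stage.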

Version:
$Rev: 434579 $, $Date: 2006-08-25 02:19:11 +0200 (Fri, 25 Aug 2006) $
Author:
Apache Directory Project

Field Summary
static java.util.Collection USER_LOOKUP_BYPASS
Constructor Summary
ACDFEngine(OidRegistry oidRegistry, AttributeTypeRegistry attrTypeRegistry)
          Creates a new instance.
 
Method Summary
 void checkPermission(PartitionNexusProxy proxy, java.util.Collection userGroupNames, LdapDN username, AuthenticationLevel authenticationLevel, LdapDN entryName, java.lang.String attrId, java.lang.Object attrValue, java.util.Collection microOperations, java.util.Collection aciTuples, javax.naming.directory.Attributes entry)
          Checks that the user with the specified name can access the specified resource (entry, attribute type, or attribute value) and throws LdapNoPermissionException if the user does not have permission to perform the specified micro-operations.
 boolean hasPermission(PartitionNexusProxy proxy, java.util.Collection userGroupNames, LdapDN userName, AuthenticationLevel authenticationLevel, LdapDN entryName, java.lang.String attrId, java.lang.Object attrValue, java.util.Collection microOperations, java.util.Collection aciTuples, javax.naming.directory.Attributes entry)
          Returns true if the user with the specified name can access the specified resource (entry, attribute type, or attribute value) and throws LdapNoPermissionException if the user does not have permission to perform the specified micro-operations.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

USER_LOOKUP_BYPASS

public static final java.util.Collection USER_LOOKUP_BYPASS
Constructor Detail

ACDFEngine

public ACDFEngine(OidRegistry oidRegistry,
                  AttributeTypeRegistry attrTypeRegistry)
           throws javax.naming.NamingException
Creates a new instance.

Parameters:
oidRegistry - an OID registry to be used by internal components
attrTypeRegistry - an attribute type registry to be used by internal components
Throws:
javax.naming.NamingException - if the internal components fail to initialize
Method Detail

checkPermission

public void checkPermission(PartitionNexusProxy proxy,
                            java.util.Collection userGroupNames,
                            LdapDN username,
                            AuthenticationLevel authenticationLevel,
                            LdapDN entryName,
                            java.lang.String attrId,
                            java.lang.Object attrValue,
                            java.util.Collection microOperations,
                            java.util.Collection aciTuples,
                            javax.naming.directory.Attributes entry)
                     throws javax.naming.NamingException
Checks that the user with the specified name can access the specified resource (entry, attribute type, or attribute value) and throws LdapNoPermissionException if the user does not have permission to perform the specified micro-operations.

Parameters:
proxy - the proxy to the partition nexus
userGroupNames - the collection of DNs of the groups to which the user trying to access the resource belongs
username - the DN of the user who is trying to access the resource
entryName - the DN of the entry the user is trying to access
attrId - the attribute type of the attribute the user is trying to access. null if the user is not accessing a specific attribute type.
attrValue - the attribute value of the attribute the user is trying to access. null if the user is not accessing a specific attribute value.
microOperations - the org.apache.directory.shared.ldap.aci.MicroOperations to perform
aciTuples - org.apache.directory.shared.ldap.aci.ACITuples translated from org.apache.directory.shared.ldap.aci.ACIItems in the subtree entries
Throws:
javax.naming.NamingException - if the ACI items cannot be evaluated

hasPermission

public boolean hasPermission(PartitionNexusProxy proxy,
                             java.util.Collection userGroupNames,
                             LdapDN userName,
                             AuthenticationLevel authenticationLevel,
                             LdapDN entryName,
                             java.lang.String attrId,
                             java.lang.Object attrValue,
                             java.util.Collection microOperations,
                             java.util.Collection aciTuples,
                             javax.naming.directory.Attributes entry)
                      throws javax.naming.NamingException
Returns true if the user with the specified name can access the specified resource (entry, attribute type, or attribute value) and throws LdapNoPermissionException if the user does not have permission to perform the specified micro-operations.

Parameters:
proxy - the proxy to the partition nexus
userGroupNames - the collection of DNs of the groups to which the user trying to access the resource belongs
userName - the DN of the user who is trying to access the resource
entryName - the DN of the entry the user is trying to access
attrId - the attribute type of the attribute the user is trying to access. null if the user is not accessing a specific attribute type.
attrValue - the attribute value of the attribute the user is trying to access. null if the user is not accessing a specific attribute value.
microOperations - the org.apache.directory.shared.ldap.aci.MicroOperations to perform
aciTuples - org.apache.directory.shared.ldap.aci.ACITuples translated from org.apache.directory.shared.ldap.aci.ACIItems in the subtree entries
Throws:
javax.naming.NamingException