Class AccessMgrImpl
- java.lang.Object
- org.apache.directory.fortress.core.impl.Manageable
- org.apache.directory.fortress.core.impl.AccessMgrImpl
- All Implemented Interfaces: Serializable, AccessMgr, Manageable
- Direct Known Subclasses: DelAccessMgrImpl

public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
Implementation class that performs runtime access control operations on objects provisioned as RBAC entities residing in an LDAP directory. These APIs map directly to the similarly named system functions specified by ANSI and NIST RBAC. Many of the javadoc function descriptions found below were taken directly from ANSI INCITS 359-2004. The RBAC Functional Specification describes administrative operations for the creation and maintenance of RBAC element sets and relations; administrative review functions for performing administrative queries; and system functions for creating and managing RBAC attributes on user sessions and making access control decisions.
RBAC0 - Core
Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions. API to add, update, delete identity data and perform identity and access control decisions during runtime operations.
RBAC1 - General Hierarchical Roles
Simplifies role engineering tasks using inheritance of one or more parent roles.
RBAC2 - Static Separation of Duty (SSD) Relations
Enforce mutual membership exclusions across role assignments. Facilitate dual control policies by restricting which roles may be assigned to users in combination. SSD provides added granularity for authorization limits, which helps enterprises meet strict compliance regulations.
RBAC3 - Dynamic Separation of Duty (DSD) Relations
Control allowed role combinations to be activated within an RBAC session. DSD policies fine tune role policies that facilitate authorization dual control and two man policy restrictions during runtime security checks.
This class is NOT thread safe if parent instance variables (Manageable.contextId or Manageable.adminSess) are set.
- Author: Apache Directory Project
- See Also: Serialized Form
Field Summary
- Fields inherited from class org.apache.directory.fortress.core.impl.Manageable: adminSess, contextId

Constructor Summary
- AccessMgrImpl()

Method Summary (all methods are instance methods, concrete)
- void addActiveRole(Session session, UserRole role)
  This function adds a role as an active role of a session whose owner is a given user.
- Session authenticate(String userId, String password)
  Perform user authentication only.
- Set<String> authorizedRoles(Session session)
  This function returns the authorized roles associated with a session based on hierarchical relationships.
- boolean checkAccess(Session session, Permission perm)
  Perform user RBAC authorization.
- boolean checkAccess(User user, Permission perm, boolean isTrusted)
  Combine createSession and checkAccess into a single method.
- Session createSession(Group group)
  Perform group role activations.
- Session createSession(User user, boolean isTrusted)
  Perform user authentication (User.password) and role activations. This method must be called once per user prior to calling other methods within this class.
- Session createSession(User user, List<RoleConstraint> constraints, boolean isTrusted)
  Same as AccessMgr.createSession( User user, boolean isTrusted ), plus constraints which place attribute key:value pairs into the runtime context for evaluation during role activation.
- void dropActiveRole(Session session, UserRole role)
  This function deletes a role from the active role set of a session owned by a given user.
- User getUser(Session session)
  This function returns the user object that is contained within the session object.
- String getUserId(Session session)
  This function returns the userId value that is contained within the session object.
- boolean isUserInRole(User user, Role role, boolean isTrusted)
  Combine createSession and a role check into a single method.
- List<Permission> sessionPermissions(Session session)
  This function returns the permissions of the session, i.e., the permissions assigned to its authorized roles.
- List<UserRole> sessionRoles(Session session)
  This function returns the active roles associated with a session.

Methods inherited from class org.apache.directory.fortress.core.impl.Manageable
- assertContext, assertContext, checkAccess, getFullMethodName, setAdmin, setAdminData, setContextId, setEntitySession

Methods inherited from class java.lang.Object
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.directory.fortress.core.Manageable
- setAdmin, setContextId
Method Detail

authenticate
public Session authenticate(String userId, String password) throws SecurityException
Perform user authentication only. It does not activate RBAC roles in the session but will evaluate password policies.
- Specified by: authenticate in interface AccessMgr
- Parameters:
  userId - Contains the userId of the user signing on.
  password - Contains the user's password.
- Returns: Session object will be returned if authentication is successful. This will not contain the user's roles.
- Throws: SecurityException - in the event of data validation failure, security policy violation or DAO error.
createSession
public Session createSession(User user, boolean isTrusted) throws SecurityException
Perform user authentication (User.password) and role activations.
This method must be called once per user prior to calling other methods within this class. The successful result is a Session that contains the target user's RBAC roles (User.roles) and Admin roles (User.adminRoles).
In addition to checking user password validity it will apply the configured password policy checks (User.pwPolicy).
The method may also store parms passed in for the audit trail (FortEntity).
This API will...
- authenticate the user password if trusted == false.
- perform password policy evaluation.
- fail for any user who is locked by pw policies (User.isLocked()), regardless of the trusted flag being set as a parm on the API.
- evaluate temporal Constraint(s) on User, UserRole and UserAdminRole entities.
- process selective role activations into the User RBAC Session (User.roles).
- check Dynamic Separation of Duties, DSDChecker.validate( org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Constraint, org.apache.directory.fortress.core.util.time.Time, org.apache.directory.fortress.core.util.VUtil.ConstraintType), on User.roles.
- process selective administrative role activations (User.adminRoles).
- return a Session containing Session.getUser(), Session.getRoles() and (if admin user) Session.getAdminRoles() if everything checks out good.
- throw a checked exception that will be SecurityException or its derivation:
  - SecurityException for system failures.
  - PasswordException for authentication and password policy violations.
  - ValidationException for data validation errors.
  - FinderException if the User id is not found.
The function is valid if and only if:
- the user is a member of the USERS data set
- the password is supplied (unless trusted).
- the (optional) active role set is a subset of the roles authorized for that user.
The following attributes may be set when calling this method:
- User.userId - required
- User.password - required unless isTrusted is 'true'
- User.roles - contains a list of RBAC role names authorized for the user and targeted for activation within this session. Default is all authorized RBAC roles will be activated into this Session.
- User.adminRoles - contains a list of Admin role names authorized for the user and targeted for activation. Default is all authorized ARBAC roles will be activated into this Session.
- User.props - collection of name value pairs collected on behalf of the User during signon. For example hostname:myservername or ip:192.168.1.99
Notes:
- roles that violate Dynamic Separation of Duty Relationships will not be activated into the session.
- role activations will proceed in the same order as supplied to the User entity setter, see User.setRoleName(String).
- Specified by: createSession in interface AccessMgr
- Parameters:
  user - Contains User.userId, User.password (optional if isTrusted is 'true'), optional User.roles, optional User.adminRoles
  isTrusted - if true password is not required.
- Returns: Session object will contain authentication result code Session.errorId, RBAC role activations Session.getRoles(), Admin Role activations Session.getAdminRoles(), Password policy codes Session.warnings, Session.expirationSeconds, Session.graceLogins and more.
- Throws: SecurityException - in the event of data validation failure, security policy violation or DAO error.
createSession
public Session createSession(User user, List<RoleConstraint> constraints, boolean isTrusted) throws SecurityException
Same as AccessMgr.createSession( User user, boolean isTrusted ), plus constraints which place attribute key:value pairs, e.g. location=north, into the runtime context for evaluation during role activation.
- Specified by: createSession in interface AccessMgr
- Parameters:
  user - Contains User.userId, User.password (optional if isTrusted is 'true'), optional User.roles, optional User.adminRoles
  constraints - List of case-sensitive RoleConstraint.key, RoleConstraint.value pairs, bound for role activation checks.
  isTrusted - if true password is not required.
- Returns: Session object will contain authentication result code Session.errorId, RBAC role activations Session.getRoles(), Admin Role activations Session.getAdminRoles(), Password policy codes Session.warnings, Session.expirationSeconds, Session.graceLogins and more.
- Throws: SecurityException - in the event of data validation failure, security policy violation or DAO error.
createSession
public Session createSession(Group group) throws SecurityException
Perform group (Group) role activations (Group.members).
Group sessions are always trusted.
This method must be called once per group prior to calling other methods within this class. The successful result is a Session that contains the target group's RBAC roles (Group.members).
This API will...
- fail for any non-existing group
- evaluate temporal Constraint(s) on member UserRole entities.
- process selective role activations into the Group RBAC Session (Group.roles).
- check Dynamic Separation of Duties, DSDChecker.validate( org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Constraint, org.apache.directory.fortress.core.util.time.Time, org.apache.directory.fortress.core.util.VUtil.ConstraintType), on User.roles.
- return a Session containing Session.getGroup() and Session.getRoles()
- throw a checked exception that will be SecurityException or its derivation:
  - SecurityException for system failures.
  - ValidationException for data validation errors.
  - FinderException if the Group name is not found.
The function is valid if and only if:
- the group is a member of the GROUPS data set
- the (optional) active role set is a subset of the roles authorized for that group.
The following attributes may be set when calling this method:
- Group.name - required
- Group.members - contains a list of RBAC role names authorized for the group and targeted for activation within this session. Default is all authorized RBAC roles will be activated into this Session.
Notes:
- roles that violate Dynamic Separation of Duty Relationships will not be activated into the session.
- Specified by: createSession in interface AccessMgr
- Parameters:
  group - Contains Group.name, Group.members (optional), optional Group.type
- Returns: Session object will contain authentication result code Session.errorId, RBAC role activations Session.getRoles(), Password policy codes Session.warnings, Session.expirationSeconds, Session.graceLogins and more.
- Throws: SecurityException - in the event of data validation failure, security policy violation or DAO error.
checkAccess
public boolean checkAccess(Session session, Permission perm) throws SecurityException
Perform user RBAC authorization. This function returns a Boolean value meaning whether the subject of a given session is allowed or not to perform a given operation on a given object. The function is valid if and only if the session is a valid Fortress session, the object is a member of the OBJS data set, and the operation is a member of the OPS data set. The session's subject has the permission to perform the operation on that object if and only if that permission is assigned to (at least) one of the session's active roles. This implementation verifies that the subject's active roles, or its userId, are registered in the object's access control list.
- Specified by: checkAccess in interface AccessMgr
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into this method. No variables need to be set by the client after it is returned from createSession.
  perm - must contain the object, Permission.objName, and operation, Permission.opName, of the permission the User is trying to access.
- Returns: True if user has access, false otherwise.
- Throws: SecurityException - in the event of data validation failure, security policy violation or DAO error.
checkAccess
public boolean checkAccess(User user, Permission perm, boolean isTrusted) throws SecurityException
Combine createSession and checkAccess into a single method. This function returns a Boolean value meaning whether the User is allowed or not to perform a given operation on a given object. The function is valid if and only if the user is a valid Fortress user, the object is a member of the OBJS data set, and the operation is a member of the OPS data set. The user has the permission to perform the operation on that object if and only if that permission is assigned to (at least) one of the session's active roles. This implementation verifies that the user's active roles, or the userId, are registered in the object's access control list.
- Specified by: checkAccess in interface AccessMgr
- Parameters:
  user - Contains User.userId, User.password (optional if isTrusted is 'true'), optional User.roles
  perm - must contain the object, Permission.objName, and operation, Permission.opName, of the permission the User is trying to access.
- Returns: True if user has access, false otherwise.
- Throws: SecurityException - in the event of data validation failure, security policy violation or DAO error.
isUserInRole
public boolean isUserInRole(User user, Role role, boolean isTrusted) throws SecurityException
Combine createSession and a role check into a single method. This function returns a Boolean value meaning whether the User has a particular role. The function is valid if and only if the user is a valid Fortress user and the role is a member of the ROLES data set.
- Specified by: isUserInRole in interface AccessMgr
- Parameters:
  user - Contains User.userId, User.password (optional if isTrusted is 'true'), optional User.roles
  role - object contains the role name, Role.name, to be checked.
- Returns: True if user has role, false otherwise.
- Throws: SecurityException - in the event of data validation failure, security policy violation or DAO error.
sessionPermissions
public List<Permission> sessionPermissions(Session session) throws SecurityException
This function returns the permissions of the session, i.e., the permissions assigned to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
- Specified by: sessionPermissions in interface AccessMgr
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into this method. No variables need to be set by the client after it is returned from createSession.
- Returns: List<Permission> containing permissions (op, obj) active for the user's session.
- Throws: SecurityException - is thrown if a runtime error occurs with the system.
sessionRoles
public List<UserRole> sessionRoles(Session session) throws SecurityException
This function returns the active roles associated with a session. The function is valid if and only if the session is a valid Fortress session.
- Specified by: sessionRoles in interface AccessMgr
- Parameters:
  session - object contains the user's RBAC session returned from the createSession method.
- Returns: List<UserRole> containing all roles active in the user's session. This will NOT contain inherited roles.
- Throws: SecurityException - is thrown if the session is invalid or a system error occurs.
authorizedRoles
public Set<String> authorizedRoles(Session session) throws SecurityException
This function returns the authorized roles associated with a session based on hierarchical relationships. The function is valid if and only if the session is a valid Fortress session.
- Specified by: authorizedRoles in interface AccessMgr
- Parameters:
  session - object contains the user's RBAC session returned from the createSession method.
- Returns: Set<String> containing all roles active in the user's session. This will contain inherited roles.
- Throws: SecurityException - is thrown if the session is invalid or a system error occurs.
addActiveRole
public void addActiveRole(Session session, UserRole role) throws SecurityException
This function adds a role as an active role of a session whose owner is a given user. The function is valid if and only if:
- the user is a member of the USERS data set
- the role is a member of the ROLES data set
- the role inclusion does not violate Dynamic Separation of Duty Relationships
- the session is a valid Fortress session
- the user is authorized to that role
- the session is owned by that user.
- Specified by: addActiveRole in interface AccessMgr
- Parameters:
  session - object contains the user's RBAC session returned from the createSession method.
  role - object contains the role name, UserRole.name, to be activated into the session.
- Throws: SecurityException - is thrown if the user is not allowed to activate the role or a runtime error occurs with the system.
dropActiveRole
public void dropActiveRole(Session session, UserRole role) throws SecurityException
This function deletes a role from the active role set of a session owned by a given user. The function is valid if and only if the user is a member of the USERS data set, the session object contains a valid Fortress session, the session is owned by the user, and the role is an active role of that session.
- Specified by: dropActiveRole in interface AccessMgr
- Parameters:
  session - object contains the user's RBAC session returned from the createSession method.
  role - object contains the role name, UserRole.name, to be deactivated.
- Throws: SecurityException - is thrown if the user is not allowed to deactivate the role or a runtime error occurs with the system.
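The createSession, checkAccess and dropActiveRole sections above describe one runtime flow: sign on with a selective role set, authorize an operation against the active roles only, then deactivate a role once its task is done. The following is an added example of that flow, not code from the Fortress project. It assumes an AccessMgr obtained from the caller (e.g. via the AccessMgrFactory with a configured LDAP backend), a provisioned user, roles and permission, and String-typed User.password as in this version's authenticate signature; the userId, role and permission names are placeholders.

```java
import java.util.List;

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Added example (not part of Fortress): sign a user on with only the roles the
 * request needs, authorize one operation, then drop a role mid-session.
 * Assumes a reachable, provisioned Fortress backend behind the injected AccessMgr.
 */
public class LeastPrivilegeSignon
{
    private final AccessMgr accessMgr;

    public LeastPrivilegeSignon( AccessMgr accessMgr )
    {
        this.accessMgr = accessMgr;
    }

    /**
     * createSession with a selective role set: only the roles listed are
     * activated (in the order supplied), instead of every authorized role.
     * Roles that fail a temporal constraint or a DSD check are skipped
     * silently, so the caller compares what was activated to what it asked for.
     * An empty wantedRoles list means "activate all authorized roles".
     */
    public Session signOn( String userId, String password, List<String> wantedRoles ) throws SecurityException
    {
        User user = new User( userId );      // placeholder userId supplied by caller
        user.setPassword( password );
        for ( String roleName : wantedRoles )
        {
            user.setRoleName( roleName );    // activation order == order supplied
        }
        // isTrusted=false: the password is verified and pw policies are evaluated;
        // a PasswordException (a SecurityException subtype) propagates to the caller.
        Session session = accessMgr.createSession( user, false );

        List<UserRole> active = accessMgr.sessionRoles( session );
        if ( !wantedRoles.isEmpty() && active.size() < wantedRoles.size() )
        {
            // A requested role was not activated: a policy event worth logging,
            // not a silent success, since later checkAccess calls will be narrower.
            System.err.println( "Only " + active.size() + " of " + wantedRoles.size()
                + " requested roles activated for " + userId );
        }
        return session;
    }

    /** checkAccess answers for the session's active roles only, not all authorized roles. */
    public boolean mayPerform( Session session, String objName, String opName ) throws SecurityException
    {
        return accessMgr.checkAccess( session, new Permission( objName, opName ) );
    }

    /** Deactivate a role once its task is done; later checkAccess calls no longer see it. */
    public void finishWith( Session session, String roleName ) throws SecurityException
    {
        accessMgr.dropActiveRole( session, new UserRole( session.getUserId(), roleName ) );
    }
}
```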
getUserId
public String getUserId(Session session) throws SecurityException
This function returns the userId value that is contained within the session object. The function is valid if and only if the session object contains a valid Fortress session.
- Specified by: getUserId in interface AccessMgr
- Parameters:
  session - object contains the user's RBAC session returned from the createSession method.
- Returns: The userId value
- Throws: SecurityException - is thrown if the user session is not active or a runtime error occurs with the system.
getUser
public User getUser(Session session) throws SecurityException
This function returns the user object that is contained within the session object. The function is valid if and only if the session object contains a valid Fortress session.
- Specified by: getUser in interface AccessMgr
- Parameters:
  session - object contains the user's RBAC session returned from the createSession method.
- Returns: The user value
Sample User data contained in Session object:
- session.getUserId() => demoUser4
- session.getInternalUserId() => be2dd2e:12a82ba707e:-7fee
- session.getMessage() => Fortress checkPwPolicies userId <demouser4> VALIDATION GOOD
- session.getErrorId() => 0
- session.getWarningId() => 11
- session.getExpirationSeconds() => 469831
- session.getGraceLogins() => 0
- session.getIsAuthenticated() => true
- session.getLastAccess() => 1283623680440
- session.getSessionId() => -7410986f:12addeea576:-7fff
- ------------------------------------------
- User user = session.getUser();
- user.getUserId() => demoUser4
- user.getInternalId() => be2dd2e:12a82ba707e:-7fee
- user.getCn() => JoeUser4
- user.getDescription() => Demo Test User 4
- user.getOu() => test
- user.getSn() => User4
- user.getBeginDate() => 20090101
- user.getEndDate() => none
- user.getBeginLockDate() => none
- user.getEndLockDate() => none
- user.getDayMask() => 1234567
- user.getTimeout() => 60
- List<UserRole> roles = session.getRoles();
- UserRole userRole = roles.get(i);
- userRole.getName() => role1
- userRole.getBeginTime() => 0000
- userRole.getEndTime() => 0000
- userRole.getBeginDate() => none
- userRole.getEndDate() => none
- userRole.getBeginLockDate() => null
- userRole.getEndLockDate() => null
- userRole.getDayMask() => null
- userRole.getTimeout() => 0
- Throws: SecurityException - is thrown if the user session is not active or a runtime error occurs with the system.