org.opends.server.authorization.dseecompat
Class AciHandler

java.lang.Object
  extended by org.opends.server.api.AccessControlHandler<DseeCompatAccessControlHandlerCfg>
      extended by org.opends.server.authorization.dseecompat.AciHandler

public class AciHandler
extends AccessControlHandler<DseeCompatAccessControlHandlerCfg>

The AciHandler class performs the main processing for the dseecompat package.


Field Summary
static java.lang.String ALL_ATTRS_RESOURCE_ENTRY
          String used to save a resource entry containing all the attributes in the SearchOperation attachment list.
static java.lang.String ALL_OP_ATTRS_MATCHED
          String used to indicate that the evaluating ACI had an all-operational-attributes targetattr match (targetattr="+").
static java.lang.String ALL_USER_ATTRS_MATCHED
          String used to indicate that the evaluating ACI had an all-user-attributes targetattr match (targetattr="*").
static java.lang.String ORIG_AUTH_ENTRY
          String used to save the original authorization entry in an operation attachment if a proxied authorization control was seen.
 
Constructor Summary
AciHandler()
          Creates a new DSEE-compatible access control handler.
 
Method Summary
 SearchResultEntry filterEntry(SearchOperation operation, SearchResultEntry entry)
          Checks access on each attribute in an entry.
 void finalizeAccessControlHandler()
          Performs any necessary finalization for the access control handler implementation.
 void initializeAccessControlHandler(DseeCompatAccessControlHandlerCfg configuration)
          Initializes the access control handler implementation based on the information in the provided configuration entry.
 boolean isAllowed(DN entryDN, Operation op, Control control)
          Indicates whether the provided control is allowed based on the access control configuration and the specified operation.
 boolean isAllowed(ExtendedOperation operation)
          Indicates whether the provided extended operation is allowed based on the access control configuration.
 boolean isAllowed(LocalBackendAddOperation operation)
          Check access on add operations.
 boolean isAllowed(LocalBackendBindOperation bindOperation)
          Indicates whether the provided bind operation is allowed based on the access control configuration.
 boolean isAllowed(LocalBackendCompareOperation operation)
          Check access on compare operations.
 boolean isAllowed(LocalBackendDeleteOperation operation)
          Check access on delete operations.
 boolean isAllowed(LocalBackendModifyDNOperation operation)
          Checks access on a modifyDN operation.
 boolean isAllowed(LocalBackendModifyOperation operation)
          Check access on modify operations.
 boolean isAllowed(LocalBackendSearchOperation searchOperation)
          Indicates whether the provided search operation is allowed based on the access control configuration.
 boolean maySend(DN dn, SearchOperation operation, SearchResultReference reference)
          Indicates whether the provided search result reference may be sent to the client based on the access control configuration.
 boolean maySend(SearchOperation operation, SearchResultEntry entry)
          Checks access on a search operation.
 
Methods inherited from class org.opends.server.api.AccessControlHandler
isConfigurationAcceptable
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ORIG_AUTH_ENTRY

public static final java.lang.String ORIG_AUTH_ENTRY
String used to save the original authorization entry in an operation attachment if a proxied authorization control was seen.

See Also:
Constant Field Values

ALL_ATTRS_RESOURCE_ENTRY

public static final java.lang.String ALL_ATTRS_RESOURCE_ENTRY
String used to save a resource entry containing all the attributes in the SearchOperation attachment list. This is only used during geteffectiverights read right processing, when all of an entry's attributes need to be examined.

See Also:
Constant Field Values

ALL_USER_ATTRS_MATCHED

public static final java.lang.String ALL_USER_ATTRS_MATCHED
String used to indicate that the evaluating ACI had an all-user-attributes targetattr match (targetattr="*").

See Also:
Constant Field Values

ALL_OP_ATTRS_MATCHED

public static final java.lang.String ALL_OP_ATTRS_MATCHED
String used to indicate that the evaluating ACI had an all-operational-attributes targetattr match (targetattr="+").

See Also:
Constant Field Values

Constructor Detail

AciHandler

public AciHandler()
Creates a new DSEE-compatible access control handler.

Method Detail

initializeAccessControlHandler

public void initializeAccessControlHandler(DseeCompatAccessControlHandlerCfg configuration)
                                    throws ConfigException,
                                           InitializationException
Initializes the access control handler implementation based on the information in the provided configuration entry.

Specified by:
initializeAccessControlHandler in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
configuration - The configuration object that contains the information to use to initialize this access control handler.
Throws:
ConfigException - If an unrecoverable problem arises in the process of performing the initialization.
InitializationException - If a problem occurs during initialization that is not related to the server configuration.

finalizeAccessControlHandler

public void finalizeAccessControlHandler()
Performs any necessary finalization for the access control handler implementation. This will be called just after the handler has been deregistered with the server but before it has been unloaded.

Specified by:
finalizeAccessControlHandler in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>

isAllowed

public boolean isAllowed(LocalBackendAddOperation operation)
Check access on add operations.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
operation - The add operation to check access on.
Returns:
True if access is allowed.

isAllowed

public boolean isAllowed(LocalBackendCompareOperation operation)
Check access on compare operations. Note that the attribute type is unavailable at this time, so this method partially parses the raw attribute string to get the base attribute type. Options are ignored.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
operation - The compare operation to check access on.
Returns:
True if access is allowed.

isAllowed

public boolean isAllowed(LocalBackendDeleteOperation operation)
Check access on delete operations.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
operation - The delete operation to check access on.
Returns:
True if access is allowed.

isAllowed

public boolean isAllowed(LocalBackendModifyOperation operation)
Check access on modify operations.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
operation - The modify operation to check access on.
Returns:
True if access is allowed.

maySend

public boolean maySend(SearchOperation operation,
                       SearchResultEntry entry)
Checks access on a search operation.

Specified by:
maySend in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
operation - The search operation class containing information to check the access on.
entry - The entry to evaluate access.
Returns:
True if access is allowed.

filterEntry

public SearchResultEntry filterEntry(SearchOperation operation,
                                     SearchResultEntry entry)
Checks access on each attribute in an entry. It removes those attributes that fail access check.

Specified by:
filterEntry in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
operation - The search operation class containing information to check access on.
entry - The entry containing the attributes.
Returns:
The entry to return minus filtered attributes.

isAllowed

public boolean isAllowed(LocalBackendModifyDNOperation operation)
Checks access on a modifyDN operation.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
operation - The modifyDN operation to check access on.
Returns:
True if access is allowed.

isAllowed

public boolean isAllowed(DN entryDN,
                         Operation op,
                         Control control)
Indicates whether the provided control is allowed based on the access control configuration and the specified operation. This method should not alter the provided operation in any way.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
entryDN - A DN that can be used in the access determination.
op - The operation to use in the determination.
control - The control for which to make the determination.
Returns:
true if the control should be allowed by the access control configuration, or false if not.

isAllowed

public boolean isAllowed(ExtendedOperation operation)
Indicates whether the provided extended operation is allowed based on the access control configuration. This method should not alter the provided extended operation in any way.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
operation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.

maySend

public boolean maySend(DN dn,
                       SearchOperation operation,
                       SearchResultReference reference)
Indicates whether the provided search result reference may be sent to the client based on the access control configuration.

Specified by:
maySend in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
dn - A DN that can be used in the access determination.
operation - The search operation with which the provided reference is associated.
reference - The search result reference for which to make the determination.
Returns:
true if the access control configuration allows the reference to be returned to the client, or false if not.

isAllowed

public boolean isAllowed(LocalBackendBindOperation bindOperation)
Indicates whether the provided bind operation is allowed based on the access control configuration. This method should not alter the provided bind operation in any way.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
bindOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.

isAllowed

public boolean isAllowed(LocalBackendSearchOperation searchOperation)
Indicates whether the provided search operation is allowed based on the access control configuration. This method may only alter the provided search operation in order to add an opaque block of data to it that will be made available for use in determining whether matching search result entries or search result references may be allowed.

Specified by:
isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
Parameters:
searchOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.