Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/22 17:44:21 UTC

[02/51] [partial] Rename packages from org.openldap.fortress to org.apache.directory.fortress.core. Change default suffix to org.apache. Switch default ldap api from unbound to apache ldap.

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/Constraint.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/Constraint.java b/src/main/java/org/apache/directory/fortress/core/util/time/Constraint.java
new file mode 100755
index 0000000..936b650
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/Constraint.java
@@ -0,0 +1,223 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.util.time;
+
+
+/**
+ * The Fortress Constraint interface prescribes attributes that are used to store, process and retrieve temporal validation attributes on
+ * {@link org.apache.directory.fortress.core.rbac.User}, {@link org.apache.directory.fortress.core.rbac.UserRole}, {@link org.apache.directory.fortress.core.rbac.Role},
+ * {@link org.apache.directory.fortress.core.rbac.AdminRole}, {@link org.apache.directory.fortress.core.rbac.UserAdminRole} entities.
+ * <p/>
+ * <img src="../../doc-files/TemporalRbac.png">
+ * <p/>
+ * <h3>Temporal Constraints on User and Role Assignments</h3>
+ * In addition to the standard RBAC support, Fortress provides coverage for temporal constraints on role and user activation into session.
+ * Temporal constraints affect when Users may activate Roles within runtime system at a particular point in time.  For example a nurse may be assigned to the "ChargeNurse" role but be limited as to when she is permitted to perform those duties, i.e. weekend graveyard shift.  Another example is a bank teller who is assigned to a "Teller" role but may only act within role between the hours of 9:00 to 5:00 on Monday thru Friday during normal business hours.
+ * Additionally Fortress temporal constraints are checked during user authentication to control when a user is actually permitted to sign-on to a system.  The constraints may also be applied to enforce temporary blackout periods to cover vacations, leave of absences, sabbaticals, etc.
+ * <p/>
+ * <h4>Constraint Schema</h4>
+ * The entity maps to Fortress LDAP Schema object classes:
+ * <p/>
+ * 1. ftRls Structural objectclass is used to store the Role information like name and temporal constraint attributes.
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.1</code>
+ * <li> <code>NAME 'ftRls'</code>
+ * <li> <code>DESC 'Fortress Role Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftRoleName )</code>
+ * <li> <code>MAY ( description $ ftCstr ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * 2. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity.
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.1</code>
+ * <li> <code>NAME 'ftUserAttrs'</code>
+ * <li> <code>DESC 'Fortress User Attribute AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MUST ( ftId )</code>
+ * <li> <code>MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+public interface Constraint
+{
+    /**
+     * temporal boolean flag is used by internal Fortress components.
+     *
+     * @return boolean indicating if temporal constraints are placed on user.
+     */
+    public boolean isTemporalSet();
+
+    /**
+     * Set the integer timeout that contains max time (in seconds) that entity may remain inactive.
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param timeout maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public void setTimeout(Integer timeout);
+
+    /**
+     * Set the begin time of day entity is allowed to be activated in system.  The format is military time - HHMM, i.e. 0800 (8:00 am) or 1700 (5:00 p.m.).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param beginTime maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public void setBeginTime(String beginTime);
+
+    /**
+     * Set the end time of day entity is allowed to be activated in system.  The format is military time - HHMM, i.e. 0000 (12:00 am) or 2359 (11:59 p.m.).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param endTime maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public void setEndTime(String endTime);
+
+    /**
+     * Set the beginDate when entity is allowed to be activated in system.  The format is - YYYYMMDD, i.e. 20100101 (January 1, 2001).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param beginDate maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public void setBeginDate(String beginDate);
+
+    /**
+     * Set the end date when entity is not allowed to be activated in system.  The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param endDate maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public void setEndDate(String endDate);
+
+    /**
+     * Set the daymask that specifies what days of week entity is allowed to be activated in system.  The format is 1234567, i.e. 23456 (Monday, Tuesday, Wednesday, Thursday, Friday).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param dayMask maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public void setDayMask(String dayMask);
+
+    /**
+     * Set the begin lock date when entity is temporarily not allowed to be activated in system.  The format is - YYYYMMDD, 20100101 (January 1, 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param beginLockDate maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public void setBeginLockDate(String beginLockDate);
+
+    /**
+     * Set the end lock date when entity is allowed to be activated in system once again.  The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param endLockDate maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public void setEndLockDate(String endLockDate);
+
+    /**
+     * This is used internally by Fortress for Constraint operations.  Values set here by external caller will be ignored.
+     *
+     * @param name contains attribute used internally for constraint checking.
+     */
+    public void setName(String name);
+
+    /**
+     * Required on DAO classes convert from raw data to object format.  Not intended for external use.
+     *
+     * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public String getRawData();
+
+    /**
+     * Return the integer timeout that contains total time (in seconds) that entity may remain inactive.
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return int that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public Integer getTimeout();
+
+    /**
+     * Contains the begin time of day entity is allowed to be activated in system.  The format is military time - HHMM, i.e. 0800 (8:00 am) or 1700 (5:00 p.m.).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return String that maps to 'ftCstr', 'ftRC', 'ftARC' attributes in 'ftUserAttrs' object class and 'ftCstr' attribute in 'ftRls' object class.
+     */
+    public String getBeginTime();
+
+    /**
+     * Contains the end time of day entity is allowed to be activated in system.  The format is military time - HHMM, i.e. 0000 (12:00 am) or 2359 (11:59 p.m.).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public String getEndTime();
+
+    /**
+     * Contains the begin date when entity is allowed to be activated in system.  The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public String getBeginDate();
+
+    /**
+     * Contains the end date when entity is allowed to be activated in system.  The format is - YYYYMMDD, i.e. 20101231 (December 31, 2011).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public String getEndDate();
+
+    /**
+     * Contains the begin lock date when entity is temporarily not allowed to activated in system.  The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public String getBeginLockDate();
+
+    /**
+     * Contains the end lock date when entity is allowed to be activated in system once again.  The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public String getEndLockDate();
+
+    /**
+     * Get the daymask that indicates what days of week entity is allowed to be activated in system.  The format is 1234567, i.e. 23456 (Monday, Tuesday, Wednesday, Thursday, Friday).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public String getDayMask();
+
+    /**
+     * This is used internally by Fortress for Constraint operations.
+     *
+     * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class.
+     */
+    public String getName();
+}
\ No newline at end of file
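Review bot: The Javadoc disagrees with itself about the end date: `setEndDate` calls it the date when the entity "is not allowed to be activated", `getEndDate` calls it the date when the entity "is allowed", and the Date validator in this commit accepts the end date itself (`compareTo(time.date) >= 0`). For an access-control boundary the interface should state one rule on both methods, for example `The last date (inclusive) on which the entity may be activated, in YYYYMMDD format.` Two examples also contradict their own values: `20100101 (January 1, 2001)` on `setBeginDate` and `20101231 (December 31, 2011)` on `getEndDate`. The `getTimeout` tag says `@return int` although the method returns `Integer`; since the attribute is described as optional, the return can presumably be null, and the tag should say so.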

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/Date.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/Date.java b/src/main/java/org/apache/directory/fortress/core/util/time/Date.java
new file mode 100755
index 0000000..f19bdfb
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/Date.java
@@ -0,0 +1,101 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.util.time;
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.rbac.Session;
+
+/**
+ * This class performs date validation for {@link Constraint}.  This validator will ensure the current date falls between {@link Constraint#getBeginDate()} and {@link Constraint#getEndDate()}
+ * The format requires YYYYMMDD, i.e. 20110101 for January 1, 2011.  The constant {@link org.apache.directory.fortress.core.GlobalIds#NONE} may be used to disable checks for a particular entity.
+ * <h4> Constraint Targets include</h4>
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.rbac.User} maps to 'ftCstr' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserRole} maps to 'ftRC' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.Role}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserAdminRole}  maps to 'ftARC' attribute on 'ftRls' object class</li>
+ * </ol>
+ * </p>
+ *
+ * @author Shawn McKinney
+ */
+public class Date
+    implements Validator
+{
+    /**
+     * This method is called during entity activation, {@link CUtil#validateConstraints} and ensures the current date is
+     * between {@link Constraint#getBeginDate()} and {@link Constraint#getEndDate()}.
+     *
+     * This validation routine allows for either beginDate or endDate to be null or set to "none" which will disable the corresponding check.
+     * For example if beginDate is null or equal to 'none', the validator will not skip the date eval for begin date.
+     * If either begin or end dates are set the validator will compare to the current date to ensure within range.
+     * If set, the expected date format is YYYYMMDD.  For example, '20110101' equals Jan 1, 2011.
+     *
+     * @param session    required for {@link Validator} interface but not used here.
+     * @param constraint contains the begin and end dates.  Maps listed above.
+     * @param time       contains the current time stamp.
+     * @return '0' if validation succeeds else {@link GlobalErrIds#ACTV_FAILED_DATE} if failed.
+     */
+    @Override
+    public int validate(Session session, Constraint constraint, Time time)
+    {
+        int rc = GlobalErrIds.ACTV_FAILED_DATE;
+        boolean noBegin = false;
+        boolean noEnd = false;
+        if (constraint.getBeginDate() == null || constraint.getBeginDate().compareToIgnoreCase(GlobalIds.NONE) == 0)
+        {
+            noBegin = true;
+        }
+        if (constraint.getEndDate() == null || constraint.getEndDate().compareToIgnoreCase(GlobalIds.NONE) == 0)
+        {
+            noEnd = true;
+        }
+        if(noBegin && noEnd)
+        {
+            rc = 0;
+        }
+        else if(noBegin)
+        {
+            if (constraint.getEndDate().compareTo(time.date) >= 0)
+            {
+                rc = 0;
+            }
+        }
+        else if(noEnd)
+        {
+            if (constraint.getBeginDate().compareTo(time.date) <= 0)
+            {
+                rc = 0;
+            }
+        }
+        else if(!noEnd)
+        {
+            if (constraint.getBeginDate().compareTo(time.date) <= 0
+                && constraint.getEndDate().compareTo(time.date) >= 0)
+            {
+                rc = 0;
+            }
+        }
+        return rc;
+    }
+}
+
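Review bot: The range check in `validate` orders the stored strings lexicographically (`constraint.getEndDate().compareTo(time.date)`), which is only correct when both values are exactly eight digits. A value in any other shape (a constructed example would be `2015-01-01`, or a short string) is still compared and can land on either side of the check. The setters promise validation "for reasonableness", but that code is not in this hunk, so the validator should itself keep the failure code for anything that is not YYYYMMDD, e.g. `if (!noEnd && !constraint.getEndDate().matches("\\d{8}")) return rc;` and the same for the begin date. LockDate.validate uses the same comparison, and there a malformed value can make the lock window evaluate as not matching. Separately, the Javadoc sentence "the validator will not skip the date eval for begin date" contradicts the code, which does skip it, and the final `else if(!noEnd)` is always true at that point and reads better as a plain `else`.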

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/Day.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/Day.java b/src/main/java/org/apache/directory/fortress/core/util/time/Day.java
new file mode 100755
index 0000000..21b9a04
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/Day.java
@@ -0,0 +1,71 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.util.time;
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.rbac.Session;
+
+/**
+ * This class performs lock day of week validation for {@link Constraint}.  This validator will ensure the current day is allowed for {@link Constraint#getDayMask()}.
+ * The data format requires 1234567 for Sun, Mon, Tue, Wed, Thur, Fri, Sat, Sun respectively.  i.e. 23456 will allow entity to activated Monday - Friday.  The constant {@link org.apache.directory.fortress.core.GlobalIds#ALL} may be used to disable checks for a particular entity.
+ * <h4> Constraint Targets include</h4>
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.rbac.User} maps to 'ftCstr' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserRole} maps to 'ftRC' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.Role}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserAdminRole}  maps to 'ftARC' attribute on 'ftRls' object class</li>
+ * </ol>
+ * </p>
+ *
+ * @author Shawn McKinney
+ */
+public class Day
+    implements Validator
+{
+    /**
+     * This method is called during entity activation, {@link CUtil#validateConstraints} and ensures the current day falls
+     * within {@link Constraint#getDayMask()} range.
+     *
+     * @param session    required for {@link Validator} interface but not used here.
+     * @param constraint contains the days of week entity may be activated.  Data mappings listed above.
+     * @param time       contains the current time stamp.
+     * @return '0' if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DAY} if failed.
+     */
+    @Override
+    public int validate(Session session, Constraint constraint, Time time)
+    {
+        int rc = GlobalErrIds.ACTV_FAILED_DAY;
+        if (constraint.getDayMask() == null || constraint.getDayMask().compareToIgnoreCase(GlobalIds.ALL) == 0)
+        {
+            rc = 0;
+        }
+        else
+        {
+            if (constraint.getDayMask().contains(time.day))
+            {
+                rc = 0;
+            }
+        }
+        return rc;
+    }
+}
+
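Review bot: `constraint.getDayMask().contains(time.day)` is a substring test, so an empty `time.day` matches every mask and a null one throws. `Time.day` is a public mutable field, so this validator cannot rely on TUtil having filled it with a single digit. A guard before the check, such as `if (time.day == null || time.day.length() != 1) return rc;`, keeps the default `ACTV_FAILED_DAY` result in those cases. The class Javadoc also lists eight day names ("Sun, Mon, Tue, Wed, Thur, Fri, Sat, Sun") for the seven digits 1234567, so the trailing "Sun" should be dropped, and "will allow entity to activated" is missing "be".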

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/LockDate.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/LockDate.java b/src/main/java/org/apache/directory/fortress/core/util/time/LockDate.java
new file mode 100755
index 0000000..399cb74
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/LockDate.java
@@ -0,0 +1,88 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.util.time;
+
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.rbac.Session;
+
+/**
+ * This class performs lock date validation for {@link Constraint}.  This validator will ensure the current date falls outside {@link Constraint#getBeginLockDate()} and {@link Constraint#getEndLockDate()} range.
+ * The idea is an entity can be barred from activation for a particular blackout period, i.e. vacation, leave of absence, etc.
+ * The data format requires YYYYMMDD, i.e. 20110101 for January 1, 2011.  The constant {@link org.apache.directory.fortress.core.GlobalIds#NONE} may be used to disable checks for a particular entity.
+ * <h4> Constraint Targets include</h4>
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.rbac.User} maps to 'ftCstr' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserRole} maps to 'ftRC' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.Role}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserAdminRole}  maps to 'ftARC' attribute on 'ftRls' object class</li>
+ * </ol>
+ * </p>
+ *
+ * @author Shawn McKinney
+ */
+public class LockDate
+    implements Validator
+{
+    /**
+     * This method is called during entity activation, {@link CUtil#validateConstraints} and ensures the current date falls
+     * outside the {@link Constraint#getBeginLockDate()} and {@link Constraint#getEndLockDate()} range.
+     *
+     * This validation routine will automatically pass if either beginLockDate or endLockDate equals null or "none".
+     * If both beginLockDate and endLockDate are set the validator will ensure current date does not fall between the date range.
+     * The format expected if date is set is YYYYMMDD.  For example, '20110101' equals Jan 1, 2011.
+     *
+     * @param session    required for {@link Validator} interface but not used here.
+     * @param constraint contains the begin and end lock dates.  Maps listed above.
+     * @param time       contains the current time stamp.
+     * @return '0' if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_LOCK} if failed.
+     */
+    @Override
+    public int validate(Session session, Constraint constraint, Time time)
+    {
+        int rc = GlobalErrIds.ACTV_FAILED_LOCK;
+
+        // if either beginLockDate or endLockDate equal to null or 'none', validation will automatically pass.
+        if ( constraint.getBeginLockDate() == null || constraint.getBeginLockDate().compareToIgnoreCase(GlobalIds.NONE) == 0
+          || constraint.getEndLockDate() == null || constraint.getEndLockDate().compareToIgnoreCase(GlobalIds.NONE) == 0)
+        {
+            rc = 0;
+        }
+        else
+        {
+            if (!(constraint.getBeginLockDate().compareTo(time.date) <= 0
+                && constraint.getEndLockDate().compareTo(time.date) >= 0))
+
+                //if (!(constraint.getBeginLockDate().compareTo(time.date) <= 0
+                //    && constraint.getEndLockDate().compareTo(time.date) >= 0))
+                //{
+                //    rc = 0;
+                //}
+
+            {
+                rc = 0;
+            }
+        }
+        return rc;
+    }
+}
+
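Review bot: The first branch of `validate` returns success when either lock date is null or 'none', so a lock with only a begin date (an open-ended suspension) is never enforced. The method Javadoc states this, but the `setBeginLockDate` and `setEndLockDate` Javadoc in Constraint does not, and an administrator who sets only one of them would reasonably expect a block. I would add to both setters a line such as `Both beginLockDate and endLockDate must be set for the lock to take effect.`, or change the rule so that a missing end date means locked from beginLockDate onward. Also, the commented-out copy of the condition sits between the live `if (...)` and its opening brace; deleting those five comment lines makes it clear which statement the block belongs to.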

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/TUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/TUtil.java b/src/main/java/org/apache/directory/fortress/core/util/time/TUtil.java
new file mode 100755
index 0000000..70ded67
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/TUtil.java
@@ -0,0 +1,74 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.util.time;
+
+import java.util.GregorianCalendar;
+
+/**
+ * Utility class to convert current time/date into internal format, {@link Time}, used for {@link Constraint} checks {@link CUtil#validateConstraints(org.apache.directory.fortress.core.rbac.Session, CUtil.ConstraintType, boolean)}.
+ * This utility processes custom date formats and should not be used by external programs.
+ *
+ * @author Shawn McKinney
+ */
+public class TUtil
+{
+
+    /**
+     * Get the curent timestamp from Java and convert to {@link Time} format.
+     *
+     * @return Time
+     */
+    public static Time getCurrentTime()
+    {
+        Time time = new Time();
+        GregorianCalendar gc = new GregorianCalendar();
+        String szMinute = "" + gc.get(GregorianCalendar.MINUTE);
+        String szHour = "" + gc.get(GregorianCalendar.HOUR_OF_DAY);
+
+        time.day = "" + gc.get(GregorianCalendar.DAY_OF_WEEK);
+        String szDay = "" + gc.get(GregorianCalendar.DAY_OF_MONTH);
+        int month = gc.get(GregorianCalendar.MONTH);
+        String szMonth = "" + (month + 1);
+        String szYear = "" + gc.get(GregorianCalendar.YEAR);
+
+        if (szMinute.length() == 1)
+        {
+            szMinute = "0" + szMinute;
+        }
+        if (szHour.length() == 1)
+        {
+            szHour = "0" + szHour;
+        }
+        if (szDay.length() == 1)
+        {
+            szDay = "0" + szDay;
+        }
+        if (szMonth.length() == 1)
+        {
+            szMonth = "0" + szMonth;
+        }
+        String szCurrentTime = szHour + szMinute;
+
+        time.currentTime = new Integer(szCurrentTime);
+        time.date = szYear + szMonth + szDay;
+        return time;
+    }
+}
+
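Review bot: `new GregorianCalendar()` in `getCurrentTime` reads the JVM's default time zone and locale, so every time-of-day, day-of-week and date constraint is evaluated in server-local time, and the method Javadoc does not say so. Because these values decide whether a user or role may be activated, I would add to the Javadoc: `Uses the JVM default time zone; constraint values are interpreted in server-local time.` Smaller points: `new Integer(szCurrentTime)` can be `Integer.valueOf(szCurrentTime)`, and "curent" in the comment is misspelled.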

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/Time.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/Time.java b/src/main/java/org/apache/directory/fortress/core/util/time/Time.java
new file mode 100755
index 0000000..38685dc
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/Time.java
@@ -0,0 +1,44 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.util.time;
+
+/**
+ * Class contains a custom timestamp that is processed by {@link Validator} to check {@link Constraint}.
+ *
+ * @author Shawn McKinney
+ */
+public class Time
+{
+    /**
+     * Stored as {@code System.out.getCurrentMillis()} format.
+     */
+    public Integer currentTime;
+
+    /**
+     * Stored in '1234567' format for Sun, Mon, Tue, Wed, Thur, Fri, Sat respectively.  i.e. '23456' is Mon-Friday.
+     */
+    public String day;
+
+    /**
+     * Stored in 'YYYYMMDD' format.  i.e. '20110101' is January 1, 2011.
+     */
+    public String date;
+}
+
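Review bot: The Javadoc on `currentTime` describes a format that does not match what is stored: it cites `System.out.getCurrentMillis()`, which is not a JDK method, while `TUtil.getCurrentTime()` in this same commit assigns the zero-padded hour and minute concatenated and parsed as a number (`szHour + szMinute`). I would reword it to `Stored as an integer in 'HHmm' 24-hour form, i.e. 1730 is 5:30 PM.` so that anyone writing a `Validator` compares against the right unit. The three fields are also public and mutable, so any code holding the `Time` can change the value later validators see; if that is not intended, private fields with getters would be tighter.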

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/Timeout.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/Timeout.java b/src/main/java/org/apache/directory/fortress/core/util/time/Timeout.java
new file mode 100755
index 0000000..7d22e30
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/Timeout.java
@@ -0,0 +1,73 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.util.time;
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.rbac.Session;
+
+/**
+ * This class performs timeout validation for {@link Constraint}.  This validator will ensure the elapsed time an entity is active is less than {@link Constraint#getTimeout()} and {@link Constraint#getEndTime()}
+ * The timeout is in minutes and is stored as integer value.  i.e. 30 for 30 minutes.  A value of '0' specifies no timeout for a particular entity.
+ * <h4> Constraint Targets include</h4>
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.rbac.User} maps to 'ftCstr' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserRole} maps to 'ftRC' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.Role}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserAdminRole}  maps to 'ftARC' attribute on 'ftRls' object class</li>
+ * </ol>
+ * </p>
+ *
+ * @author Shawn McKinney
+ */
+public class Timeout
+    implements Validator
+{
+    /**
+     * This method is called during entity activation, {@link CUtil#validateConstraints} and ensures the elapsed time a particular entity has been activated does not exceed specified.
+     * value {@link Constraint#getTimeout()}.
+     *
+     * @param session    required for {@link Validator} interface but not used here.
+     * @param constraint contains the elapsed time entity may remain inactive in minutes.  Maps listed above.
+     * @param time       contains the current timestamp.
+     * @return '0' if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_TIMEOUT} if failed.
+     */
+    public int validate(Session session, Constraint constraint, Time time)
+    {
+        int rc = GlobalErrIds.ACTV_FAILED_TIMEOUT;
+        long timeLimit;
+        long lastTime = session.getLastAccess();
+        if (lastTime == 0)
+        {
+            rc = 0;
+        }
+        else
+        {
+            long elapsedTime = System.currentTimeMillis() - lastTime;
+            timeLimit = constraint.getTimeout() * 60000;
+            if (elapsedTime < timeLimit || constraint.getTimeout() == 0)
+            {
+                rc = 0;
+            }
+        }
+        return rc;
+    }
+}
+
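Review bot: In `validate`, `timeLimit = constraint.getTimeout() * 60000;` multiplies before the result is widened to `long`; if `getTimeout()` returns an `int`/`Integer` (its declaration is outside this hunk, but the class comment says the value is stored as an integer), any timeout above 35791 minutes overflows and the limit becomes negative or wraps to a much shorter one. Writing it as `timeLimit = constraint.getTimeout() * 60000L;` avoids that. The `@param session` text says the session is "not used here", yet `session.getLastAccess()` is what the check is based on and a null session would throw; the Javadoc should say the session's last-access time is read and that a value of 0 is treated as passing. Because elapsed time is taken from `System.currentTimeMillis()`, a backwards wall-clock adjustment makes `elapsedTime` negative and the check passes, which deserves a comment for anyone relying on this as an inactivity timeout.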

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/Validator.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/Validator.java b/src/main/java/org/apache/directory/fortress/core/util/time/Validator.java
new file mode 100755
index 0000000..5adb79f
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/Validator.java
@@ -0,0 +1,81 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.util.time;
+
+import org.apache.directory.fortress.core.rbac.Session;
+
+/**
+ * Interface used by Fortress to provide pluggable validation routines for constraints.
+ *
+ * <h4> Constraint Targets</h4>
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.rbac.User}</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserRole}</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.Role}</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole}</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserAdminRole}</li>
+ * </ol>
+ * </p>
+ * <h4> Constraint Processors </h4>
+ * <ol>
+ * <li>Time of day:  {@link ClockTime}</li>
+ * <li>Date:         {@link Date}</li>
+ * <li>Days of week: {@link Day}</li>
+ * <li>Timeout:      {@link Timeout}</li>
+ * <li>Lock dates:   {@link LockDate}</li>
+ * <li>DSDs:         {@link org.apache.directory.fortress.core.rbac.DSDChecker}</li>
+ * </ol>
+ * </p>
+ * <h4> Constraint Error Codes </h4>
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DAY}</li>
+ * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DATE}</li>
+ * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_TIME}</li>
+ * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_TIMEOUT}</li>
+ * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_LOCK}</li>
+ * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DSD}</li>
+ * </ol>
+ *
+ * @author Shawn McKinney
+ */
+public interface Validator
+{
+    /**
+     * This method is called during activation of {@link org.apache.directory.fortress.core.rbac.UserRole} and {@link org.apache.directory.fortress.core.rbac.UserAdminRole}
+     * </p>
+     * The following error codes can be returned for validations:
+     * <ol>
+     * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DAY}</li>
+     * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DATE}</li>
+     * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_TIME}</li>
+     * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_TIMEOUT}</li>
+     * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_LOCK}</li>
+     * <li>{@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DSD}</li>
+     * </ol>
+     *
+     * @param session contains the reference to Fortress entities that are targets for constraints.
+     * @param constraint contains the temporal attributes.
+     * @param time current time of day.
+     * @return activation failure code.
+     * @throws org.apache.directory.fortress.core.SecurityException in the event of validation fails or system exception.
+     */
+    public int validate(Session session, Constraint constraint, Time time) throws org.apache.directory.fortress.core.SecurityException;
+}
+
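Review bot: The `@return` text on `validate` says only "activation failure code" and never states what a passing check returns, while the `Timeout` implementation in this commit returns `0` on success. Since this interface is described as the pluggable extension point, I would spell the contract out, e.g. `@return 0 if the constraint is satisfied, otherwise one of the ACTV_FAILED_* codes listed above.`, so a custom validator cannot report success with a value the caller treats as failure, or the reverse. How `CUtil.validateConstraints` interprets the return value is not visible here, so the wording should be confirmed against that caller.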

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/util/time/package.html
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/time/package.html b/src/main/java/org/apache/directory/fortress/core/util/time/package.html
new file mode 100755
index 0000000..320be82
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/util/time/package.html
@@ -0,0 +1,34 @@
+<!--
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+-->
+<html>
+   <head>
+      <title>Package Documentation for org.apache.directory.fortress.util.time</title>
+   </head>
+   <body>
+      <p>
+         This package contains utilities used to process fortress temporal constraint checks on entities being activated within the runtime system.
+      </p>
+      <p>
+         The <b>org.apache.directory.fortress.util.time</b> package contains utilities to process temporal constraint checks on fortress runtime data entities.  The
+          temporal constraint checks may be activated and deactivated via switches in the configuration system.  The apis contained within this package are for fortress use only.
+          See the corresponding javadoc contained with this package for more info.
+      </p>
+   </body>
+</html>

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/openldap/fortress/AccelMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/AccelMgr.java b/src/main/java/org/openldap/fortress/AccelMgr.java
deleted file mode 100644
index 6c339de..0000000
--- a/src/main/java/org/openldap/fortress/AccelMgr.java
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.openldap.fortress;
-
-import java.util.List;
-
-import org.openldap.fortress.rbac.Permission;
-import org.openldap.fortress.rbac.User;
-import org.openldap.fortress.rbac.Session;
-import org.openldap.fortress.rbac.UserRole;
-
-/**
- * This object performs runtime access control operations on objects that are provisioned RBAC entities
- * that reside in LDAP directory.  These APIs map directly to similar named APIs specified by ANSI and NIST
- * RBAC system functions.
- * Many of the java doc function descriptions found below were taken directly from ANSI INCITS 359-2004.
- * The RBAC Functional specification describes administrative operations for the creation
- * and maintenance of RBAC element sets and relations; administrative review functions for
- * performing administrative queries; and system functions for creating and managing
- * RBAC attributes on user sessions and making access control decisions.
- * <p/>
- * <hr>
- * <h4>RBAC0 - Core</h4>
- * Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions.  API to add, update, delete identity data and perform identity and access control decisions during runtime operations.
- * <p/>
- * <img src="./doc-files/RbacCore.png">
- * <hr>
- * <h4>RBAC1 - General Hierarchical Roles</h4>
- * Simplifies role engineering tasks using inheritance of one or more parent roles.
- * <p/>
- * <img src="./doc-files/RbacHier.png">
- * <hr>
- * <h4>RBAC2 - Static Separation of Duty (SSD) Relations</h4>
- * Enforce mutual membership exclusions across role assignments.  Facilitate dual control policies by restricting which roles may be assigned to users in combination.  SSD provide added granularity for authorization limits which help enterprises meet strict compliance regulations.
- * <p/>
- * <img src="./doc-files/RbacSSD.png">
- * <hr>
- * <h4>RBAC3 - Dynamic Separation of Duty (DSD) Relations</h4>
- * Control allowed role combinations to be activated within an RBAC session.  DSD policies fine tune role policies that facilitate authorization dual control and two man policy restrictions during runtime security checks.
- * <p/>
- * <img src="./doc-files/RbacDSD.png">
- * <hr>
- * <p/>
- * This interface's implementer will NOT be thread safe if parent instance variables ({@link Manageable#setContextId(String)} or {@link Manageable#setAdmin(org.openldap.fortress.rbac.Session)}) are set.
- * @author Shawn McKinney
- */
-public interface AccelMgr extends Manageable
-{
-
-    /**
-     * Perform user authentication {@link User#password} and role activations.<br />
-     * This method must be called once per user prior to calling other methods within this class.
-     * The successful result is {@link org.openldap.fortress.rbac.Session} that contains target user's RBAC {@link User#roles} and Admin role {@link User#adminRoles}.<br />
-     * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap.fortress.rbac.User#pwPolicy}..<br />
-     * Method may also store parms passed in for audit trail {@link org.openldap.fortress.rbac.FortEntity}.
-     * <h4> This API will...</h4>
-     * <ul>
-     * <li> authenticate user password if trusted == false.
-     * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">password policy evaluation</a>, see {@link org.openldap.fortress.ldap.openldap.OLPWControlImpl}.
-     * <li> fail for any user who is locked by OpenLDAP's policies {@link org.openldap.fortress.rbac.User#isLocked()}, regardless of trusted flag being set as parm on API.
-     * <li> evaluate temporal {@link org.openldap.fortress.util.time.Constraint}(s) on {@link User}, {@link UserRole} and {@link org.openldap.fortress.rbac.UserAdminRole} entities.
-     * <li> process selective role activations into User RBAC Session {@link User#roles}.
-     * <li> check Dynamic Separation of Duties {@link org.openldap.fortress.rbac.DSDChecker#validate(org.openldap.fortress.rbac.Session, org.openldap.fortress.util.time.Constraint, org.openldap.fortress.util.time.Time)} on {@link org.openldap.fortress.rbac.User#roles}.
-     * <li> process selective administrative role activations {@link User#adminRoles}.
-     * <li> return a {@link org.openldap.fortress.rbac.Session} containing {@link org.openldap.fortress.rbac.Session#getUser()}, {@link org.openldap.fortress.rbac.Session#getRoles()} and (if admin user) {@link org.openldap.fortress.rbac.Session#getAdminRoles()} if everything checks out good.
-     * <li> throw a checked exception that will be {@link org.openldap.fortress.SecurityException} or its derivation.
-     * <li> throw a {@link SecurityException} for system failures.
-     * <li> throw a {@link PasswordException} for authentication and password policy violations.
-     * <li> throw a {@link ValidationException} for data validation errors.
-     * <li> throw a {@link FinderException} if User id not found.
-     * </ul>
-     * <h4>
-     * The function is valid if and only if:
-     * </h4>
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the password is supplied (unless trusted).
-     * <li> the (optional) active role set is a subset of the roles authorized for that user.
-     * </ul>
-     * <h4>
-     * The following attributes may be set when calling this method
-     * </h4>
-     * <ul>
-     * <li> {@link User#userId} - required
-     * <li> {@link org.openldap.fortress.rbac.User#password}
-     * <li> {@link org.openldap.fortress.rbac.User#roles} contains a list of RBAC role names authorized for user and targeted for activation within this session.  Default is all authorized RBAC roles will be activated into this Session.
-     * <li> {@link org.openldap.fortress.rbac.User#adminRoles} contains a list of Admin role names authorized for user and targeted for activation.  Default is all authorized ARBAC roles will be activated into this Session.
-     * <li> {@link User#props} collection of name value pairs collected on behalf of User during signon.  For example hostname:myservername or ip:192.168.1.99
-     * </ul>
-     * <h4>
-     * Notes:
-     * </h4>
-     * <ul>
-     * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
-     * <li> role activations will proceed in same order as supplied to User entity setter, see {@link User#setRole(String)}.
-     * </ul>
-     * </p>
-     *
-     * @param user      Contains {@link User#userId}, {@link org.openldap.fortress.rbac.User#password} (optional if {@code isTrusted} is 'true'), optional {@link User#roles}, optional {@link org.openldap.fortress.rbac.User#adminRoles}
-     * @param isTrusted if true password is not required.
-     * @return Session object will contain authentication result code {@link org.openldap.fortress.rbac.Session#errorId}, RBAC role activations {@link org.openldap.fortress.rbac.Session#getRoles()}, Admin Role activations {@link org.openldap.fortress.rbac.Session#getAdminRoles()},OpenLDAP pw policy codes {@link org.openldap.fortress.rbac.Session#warningId}, {@link org.openldap.fortress.rbac.Session#expirationSeconds}, {@link org.openldap.fortress.rbac.Session#graceLogins} and more.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public Session createSession(User user, boolean isTrusted)
-        throws SecurityException;
-
-
-    /**
-     * This function deletes a fortress session from the RBAC Policy Decision Point inside OpenLDAP RBAC Accelerator.  The function is valid if
-     * and only if the session is a valid Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @throws SecurityException is thrown if session invalid or system. error.
-     */
-    public void deleteSession(Session session)
-        throws SecurityException;
-
-    /**
-     * This function returns the active roles associated with a session. The function is valid if
-     * and only if the session is a valid Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @return List<UserRole> containing all roles active in user's session.  This will NOT contain inherited roles.
-     * @throws SecurityException is thrown if session invalid or system. error.
-     */
-    public List<UserRole> sessionRoles(Session session)
-        throws SecurityException;
-
-
-    /**
-     * Perform user RBAC authorization.  This function returns a Boolean value meaning whether the subject of a given session is
-     * allowed or not to perform a given operation on a given object. The function is valid if and
-     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
-     * and the operation is a member of the OPS data set. The session's subject has the permission
-     * to perform the operation on that object if and only if that permission is assigned to (at least)
-     * one of the session's active roles. This implementation will verify the roles or userId correspond
-     * to the subject's active roles are registered in the object's access control list.
-     *
-     * @param perm    must contain the object, {@link Permission#objName}, and operation, {@link Permission#opName}, of permission User is trying to access.
-     * @param session This object must be instantiated by calling {@link AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
-     * @return True if user has access, false otherwise.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public boolean checkAccess(Session session, Permission perm)
-        throws SecurityException;
-
-
-    /**
-     * This function returns the permissions of the session, i.e., the permissions assigned
-     * to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
-     *
-     * @param session This object must be instantiated by calling {@link AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
-     * @return List<Permission> containing permissions (op, obj) active for user's session.
-     * @throws SecurityException is thrown if runtime error occurs with system.
-     */
-    public List<Permission> sessionPermissions(Session session)
-        throws SecurityException;
-
-
-    /**
-     * This function adds a role as an active role of a session whose owner is a given user.
-     * <p>
-     * The function is valid if and only if:
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the role is a member of the ROLES data set
-     * <li> the role inclusion does not violate Dynamic Separation of Duty Relationships
-     * <li> the session is a valid Fortress session
-     * <li> the user is authorized to that role
-     * <li> the session is owned by that user.
-     * </ul>
-     * </p>
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @param role    object contains the role name, {@link UserRole#name}, to be activated into session.
-     * @throws SecurityException is thrown if user is not allowed to activate or runtime error occurs with system.
-     */
-    public void addActiveRole(Session session, UserRole role)
-        throws SecurityException;
-
-
-    /**
-     * This function deletes a role from the active role set of a session owned by a given user.
-     * The function is valid if and only if the user is a member of the USERS data set, the
-     * session object contains a valid Fortress session, the session is owned by the user,
-     * and the role is an active role of that session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @param role    object contains the role name, {@link org.openldap.fortress.rbac.UserRole#name}, to be deactivated.
-     * @throws SecurityException is thrown if user is not allowed to deactivate or runtime error occurs with system.
-     */
-    public void dropActiveRole(Session session, UserRole role)
-        throws SecurityException;
-}
-

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/openldap/fortress/AccelMgrFactory.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/AccelMgrFactory.java b/src/main/java/org/openldap/fortress/AccelMgrFactory.java
deleted file mode 100644
index 5b6f08c..0000000
--- a/src/main/java/org/openldap/fortress/AccelMgrFactory.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.openldap.fortress;
-
-import org.openldap.fortress.cfg.Config;
-import org.openldap.fortress.rbac.AccelMgrImpl;
-import org.openldap.fortress.rbac.ClassUtil;
-import org.openldap.fortress.util.attr.VUtil;
-
-/**
- * Creates an instance of the AccelMgr object.
- * <p/>
- * The default implementation class is specified as {@link AccelMgrImpl} but can be overridden by
- * adding the {@link GlobalIds#ACCEL_IMPLEMENTATION} config property.
- * <p/>
-
- *
- * @author Shawn McKinney
- */
-public class AccelMgrFactory
-{
-    private static String accelClassName = Config.getProperty(GlobalIds.ACCEL_IMPLEMENTATION);
-    private static final String CLS_NM = AccelMgrFactory.class.getName();
-
-    /**
-     * Create and return a reference to {@link org.openldap.fortress.AccelMgr} object using HOME context.
-     *
-     * @return instance of {@link org.openldap.fortress.AccelMgr}.
-     * @throws org.openldap.fortress.SecurityException in the event of failure during instantiation.
-     */
-    public static AccelMgr createInstance()
-        throws SecurityException
-    {
-        return createInstance( GlobalIds.HOME );
-    }
-
-    /**
-     * Create and return a reference to {@link org.openldap.fortress.AccelMgr} object.
-     *
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return instance of {@link org.openldap.fortress.AccelMgr}.
-     * @throws org.openldap.fortress.SecurityException in the event of failure during instantiation.
-     */
-    public static AccelMgr createInstance(String contextId)
-        throws SecurityException
-    {
-        VUtil.assertNotNull(contextId, GlobalErrIds.CONTEXT_NULL, CLS_NM + ".createInstance");
-        if (!VUtil.isNotNullOrEmpty(accelClassName))
-        {
-                accelClassName = AccelMgrImpl.class.getName();
-        }
-
-        AccelMgr accelMgr = (AccelMgr) ClassUtil.createInstance(accelClassName);
-        accelMgr.setContextId(contextId);
-        return accelMgr;
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/openldap/fortress/AccessMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/AccessMgr.java b/src/main/java/org/openldap/fortress/AccessMgr.java
deleted file mode 100755
index 75c79d1..0000000
--- a/src/main/java/org/openldap/fortress/AccessMgr.java
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.openldap.fortress;
-
-import java.util.List;
-import java.util.Set;
-
-import org.openldap.fortress.rbac.Permission;
-import org.openldap.fortress.rbac.User;
-import org.openldap.fortress.rbac.Session;
-import org.openldap.fortress.rbac.UserRole;
-
-/**
- * This object performs runtime access control operations on objects that are provisioned RBAC entities
- * that reside in LDAP directory.  These APIs map directly to similar named APIs specified by ANSI and NIST
- * RBAC system functions.
- * Many of the java doc function descriptions found below were taken directly from ANSI INCITS 359-2004.
- * The RBAC Functional specification describes administrative operations for the creation
- * and maintenance of RBAC element sets and relations; administrative review functions for
- * performing administrative queries; and system functions for creating and managing
- * RBAC attributes on user sessions and making access control decisions.
- * <p/>
- * <hr>
- * <h4>RBAC0 - Core</h4>
- * Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions.  API to add, update, delete identity data and perform identity and access control decisions during runtime operations.
- * <p/>
- * <img src="./doc-files/RbacCore.png">
- * <hr>
- * <h4>RBAC1 - General Hierarchical Roles</h4>
- * Simplifies role engineering tasks using inheritance of one or more parent roles.
- * <p/>
- * <img src="./doc-files/RbacHier.png">
- * <hr>
- * <h4>RBAC2 - Static Separation of Duty (SSD) Relations</h4>
- * Enforce mutual membership exclusions across role assignments.  Facilitate dual control policies by restricting which roles may be assigned to users in combination.  SSD provide added granularity for authorization limits which help enterprises meet strict compliance regulations.
- * <p/>
- * <img src="./doc-files/RbacSSD.png">
- * <hr>
- * <h4>RBAC3 - Dynamic Separation of Duty (DSD) Relations</h4>
- * Control allowed role combinations to be activated within an RBAC session.  DSD policies fine tune role policies that facilitate authorization dual control and two man policy restrictions during runtime security checks.
- * <p/>
- * <img src="./doc-files/RbacDSD.png">
- * <hr>
- * <p/>
- * This interface's implementer will NOT be thread safe if parent instance variables ({@link Manageable#setContextId(String)} or {@link Manageable#setAdmin(org.openldap.fortress.rbac.Session)}) are set.
- * @author Shawn McKinney
- */
-public interface AccessMgr extends Manageable
-{
-
-    /**
-     * Perform user authentication only.  It does not activate RBAC roles in session but will evaluate
-     * password policies.
-     *
-     * @param userId   Contains the userid of the user signing on.
-     * @param password Contains the user's password.
-     * @return Session object will be returned if authentication successful.  This will not contain user's roles.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public Session authenticate(String userId, char[] password)
-        throws org.openldap.fortress.SecurityException;
-
-
-    /**
-     * Perform user authentication {@link User#password} and role activations.<br />
-     * This method must be called once per user prior to calling other methods within this class.
-     * The successful result is {@link org.openldap.fortress.rbac.Session} that contains target user's RBAC {@link User#roles} and Admin role {@link User#adminRoles}.<br />
-     * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap.fortress.rbac.User#pwPolicy}..<br />
-     * Method may also store parms passed in for audit trail {@link org.openldap.fortress.rbac.FortEntity}.
-     * <h4> This API will...</h4>
-     * <ul>
-     * <li> authenticate user password if trusted == false.
-     * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">password policy evaluation</a>, see {@link org.openldap.fortress.ldap.openldap.OLPWControlImpl}.
-     * <li> fail for any user who is locked by OpenLDAP's policies {@link org.openldap.fortress.rbac.User#isLocked()}, regardless of trusted flag being set as parm on API.
-     * <li> evaluate temporal {@link org.openldap.fortress.util.time.Constraint}(s) on {@link User}, {@link UserRole} and {@link org.openldap.fortress.rbac.UserAdminRole} entities.
-     * <li> process selective role activations into User RBAC Session {@link User#roles}.
-     * <li> check Dynamic Separation of Duties {@link org.openldap.fortress.rbac.DSDChecker#validate(org.openldap.fortress.rbac.Session, org.openldap.fortress.util.time.Constraint, org.openldap.fortress.util.time.Time)} on {@link org.openldap.fortress.rbac.User#roles}.
-     * <li> process selective administrative role activations {@link User#adminRoles}.
-     * <li> return a {@link org.openldap.fortress.rbac.Session} containing {@link org.openldap.fortress.rbac.Session#getUser()}, {@link org.openldap.fortress.rbac.Session#getRoles()} and (if admin user) {@link org.openldap.fortress.rbac.Session#getAdminRoles()} if everything checks out good.
-     * <li> throw a checked exception that will be {@link org.openldap.fortress.SecurityException} or its derivation.
-     * <li> throw a {@link SecurityException} for system failures.
-     * <li> throw a {@link PasswordException} for authentication and password policy violations.
-     * <li> throw a {@link ValidationException} for data validation errors.
-     * <li> throw a {@link FinderException} if User id not found.
-     * </ul>
-     * <h4>
-     * The function is valid if and only if:
-     * </h4>
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the password is supplied (unless trusted).
-     * <li> the (optional) active role set is a subset of the roles authorized for that user.
-     * </ul>
-     * <h4>
-     * The following attributes may be set when calling this method
-     * </h4>
-     * <ul>
-     * <li> {@link User#userId} - required
-     * <li> {@link org.openldap.fortress.rbac.User#password}
-     * <li> {@link org.openldap.fortress.rbac.User#roles} contains a list of RBAC role names authorized for user and targeted for activation within this session.  Default is all authorized RBAC roles will be activated into this Session.
-     * <li> {@link org.openldap.fortress.rbac.User#adminRoles} contains a list of Admin role names authorized for user and targeted for activation.  Default is all authorized ARBAC roles will be activated into this Session.
-     * <li> {@link User#props} collection of name value pairs collected on behalf of User during signon.  For example hostname:myservername or ip:192.168.1.99
-     * </ul>
-     * <h4>
-     * Notes:
-     * </h4>
-     * <ul>
-     * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
-     * <li> role activations will proceed in same order as supplied to User entity setter, see {@link User#setRole(String)}.
-     * </ul>
-     * </p>
-     *
-     * @param user      Contains {@link User#userId}, {@link org.openldap.fortress.rbac.User#password} (optional if {@code isTrusted} is 'true'), optional {@link User#roles}, optional {@link org.openldap.fortress.rbac.User#adminRoles}
-     * @param isTrusted if true password is not required.
-     * @return Session object will contain authentication result code {@link org.openldap.fortress.rbac.Session#errorId}, RBAC role activations {@link org.openldap.fortress.rbac.Session#getRoles()}, Admin Role activations {@link org.openldap.fortress.rbac.Session#getAdminRoles()},OpenLDAP pw policy codes {@link org.openldap.fortress.rbac.Session#warningId}, {@link org.openldap.fortress.rbac.Session#expirationSeconds}, {@link org.openldap.fortress.rbac.Session#graceLogins} and more.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public Session createSession(User user, boolean isTrusted)
-        throws SecurityException;
-
-
-    /**
-     * Perform user RBAC authorization.  This function returns a Boolean value meaning whether the subject of a given session is
-     * allowed or not to perform a given operation on a given object. The function is valid if and
-     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
-     * and the operation is a member of the OPS data set. The session's subject has the permission
-     * to perform the operation on that object if and only if that permission is assigned to (at least)
-     * one of the session's active roles. This implementation will verify the roles or userId correspond
-     * to the subject's active roles are registered in the object's access control list.
-     *
-     * @param perm    must contain the object, {@link Permission#objName}, and operation, {@link Permission#opName}, of permission User is trying to access.
-     * @param session This object must be instantiated by calling {@link AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
-     * @return True if user has access, false otherwise.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public boolean checkAccess(Session session, Permission perm)
-        throws SecurityException;
-
-
-    /**
-     * This function returns the permissions of the session, i.e., the permissions assigned
-     * to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
-     *
-     * @param session This object must be instantiated by calling {@link AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
-     * @return List<Permission> containing permissions (op, obj) active for user's session.
-     * @throws SecurityException is thrown if runtime error occurs with system.
-     */
-    public List<Permission> sessionPermissions(Session session)
-        throws SecurityException;
-
-
-    /**
-     * This function returns the active roles associated with a session. The function is valid if
-     * and only if the session is a valid Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @return List<UserRole> containing all roles active in user's session.  This will NOT contain inherited roles.
-     * @throws SecurityException is thrown if session invalid or system. error.
-     */
-    public List<UserRole> sessionRoles(Session session)
-        throws SecurityException;
-
-
-    /**
-     * This function returns the authorized roles associated with a session based on hierarchical relationships. The function is valid if
-     * and only if the session is a valid Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @return Set<String> containing all roles active in user's session.  This will contain inherited roles.
-     * @throws SecurityException is thrown if session invalid or system. error.
-     */
-    public Set<String> authorizedRoles(Session session)
-        throws SecurityException;
-
-
-    /**
-     * This function adds a role as an active role of a session whose owner is a given user.
-     * <p>
-     * The function is valid if and only if:
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the role is a member of the ROLES data set
-     * <li> the role inclusion does not violate Dynamic Separation of Duty Relationships
-     * <li> the session is a valid Fortress session
-     * <li> the user is authorized to that role
-     * <li> the session is owned by that user.
-     * </ul>
-     * </p>
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @param role    object contains the role name, {@link UserRole#name}, to be activated into session.
-     * @throws SecurityException is thrown if user is not allowed to activate or runtime error occurs with system.
-     */
-    public void addActiveRole(Session session, UserRole role)
-        throws SecurityException;
-
-
-    /**
-     * This function deletes a role from the active role set of a session owned by a given user.
-     * The function is valid if and only if the user is a member of the USERS data set, the
-     * session object contains a valid Fortress session, the session is owned by the user,
-     * and the role is an active role of that session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @param role    object contains the role name, {@link org.openldap.fortress.rbac.UserRole#name}, to be deactivated.
-     * @throws SecurityException is thrown if user is not allowed to deactivate or runtime error occurs with system.
-     */
-    public void dropActiveRole(Session session, UserRole role)
-        throws SecurityException;
-
-
-    /**
-     * This function returns the userId value that is contained within the session object.
-     * The function is valid if and only if the session object contains a valid Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @return The userId value
-     * @throws SecurityException is thrown if user session not active or runtime error occurs with system.
-     */
-    public String getUserId(Session session)
-        throws SecurityException;
-
-    /**
-     * This function returns the user object that is contained within the session object.
-     * The function is valid if and only if the session object contains a valid Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession method.
-     * @return The user value
-     *         Sample User data contained in Session object:
-     *         <ul> <code>Session</code>
-     *         <li> <code>session.getUserId() => demoUser4</code>
-     *         <li> <code>session.getInternalUserId() => be2dd2e:12a82ba707e:-7fee</code>
-     *         <li> <code>session.getMessage() => Fortress checkPwPolicies userId <demouser4> VALIDATION GOOD</code>
-     *         <li> <code>session.getErrorId() => 0</code>
-     *         <li> <code>session.getWarningId() => 11</code>
-     *         <li> <code>session.getExpirationSeconds() => 469831</code>
-     *         <li> <code>session.getGraceLogins() => 0</code>
-     *         <li> <code>session.getIsAuthenticated() => true</code>
-     *         <li> <code>session.getLastAccess() => 1283623680440</code>
-     *         <li> <code>session.getSessionId() => -7410986f:12addeea576:-7fff</code>
-     *         <li>  ------------------------------------------
-     *         <li> <code>User user = session.getUser();</code>
-     *         <ul> <li> <code>user.getUserId() => demoUser4</code>
-     *         <li> <code>user.getInternalId() => be2dd2e:12a82ba707e:-7fee</code>
-     *         <li> <code>user.getCn() => JoeUser4</code>
-     *         <li> <code>user.getDescription() => Demo Test User 4</code>
-     *         <li> <code>user.getOu() => test</code>
-     *         <li> <code>user.getSn() => User4</code>
-     *         <li> <code>user.getBeginDate() => 20090101</code>
-     *         <li> <code>user.getEndDate() => none</code>
-     *         <li> <code>user.getBeginLockDate() => none</code>
-     *         <li> <code>user.getEndLockDate() => none</code>
-     *         <li> <code>user.getDayMask() => 1234567</code>
-     *         <li> <code>user.getTimeout() => 60</code>
-     *         <li> <code>List<UserRole> roles = session.getRoles();</code>
-     *         <ul> <li><code>UserRole userRole = roles.get(i);</code>
-     *         <li> <code>userRole.getName() => role1</code>
-     *         <li> <code>userRole.getBeginTime() => 0000</code>
-     *         <li> <code>userRole.getEndTime() => 0000</code>
-     *         <li> <code>userRole.getBeginDate() => none</code>
-     *         <li> <code>userRole.getEndDate() => none</code>
-     *         <li> <code>userRole.getBeginLockDate() => null</code>
-     *         <li> <code>userRole.getEndLockDate() => null</code>
-     *         <li> <code>userRole.getDayMask() => null</code>
-     *         <li> <code>userRole.getTimeout() => 0</code>
-     *         </ul>
-     *         </ul>
-     *         </ul>
-     * @throws SecurityException is thrown if user session not active or runtime error occurs with system.
-     */
-    public User getUser(Session session)
-        throws SecurityException;
-}
-

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/openldap/fortress/AccessMgrFactory.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/AccessMgrFactory.java b/src/main/java/org/openldap/fortress/AccessMgrFactory.java
deleted file mode 100755
index 97f84bd..0000000
--- a/src/main/java/org/openldap/fortress/AccessMgrFactory.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.openldap.fortress;
-
-import org.openldap.fortress.cfg.Config;
-import org.openldap.fortress.rbac.AccessMgrImpl;
-import org.openldap.fortress.rbac.ClassUtil;
-import org.openldap.fortress.rest.AccessMgrRestImpl;
-import org.openldap.fortress.util.attr.VUtil;
-
-/**
- * Creates an instance of the AccessMgr object.
- * <p/>
- * The default implementation class is specified as {@link AccessMgrImpl} but can be overridden by
- * adding the {@link GlobalIds#ACCESS_IMPLEMENTATION} config property.
- * <p/>
-
- *
- * @author Shawn McKinney
- */
-public class AccessMgrFactory
-{
-    private static String accessClassName = Config.getProperty(GlobalIds.ACCESS_IMPLEMENTATION);
-    private static final String CLS_NM = AccessMgrFactory.class.getName();
-
-    /**
-     * Create and return a reference to {@link org.openldap.fortress.AccessMgr} object using HOME context.
-     *
-     * @return instance of {@link org.openldap.fortress.AccessMgr}.
-     * @throws org.openldap.fortress.SecurityException in the event of failure during instantiation.
-     */
-    public static AccessMgr createInstance()
-        throws SecurityException
-    {
-        return createInstance( GlobalIds.HOME );
-    }
-
-    /**
-     * Create and return a reference to {@link org.openldap.fortress.AccessMgr} object.
-     *
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return instance of {@link org.openldap.fortress.AccessMgr}.
-     * @throws org.openldap.fortress.SecurityException in the event of failure during instantiation.
-     */
-    public static AccessMgr createInstance(String contextId)
-        throws SecurityException
-    {
-        VUtil.assertNotNull(contextId, GlobalErrIds.CONTEXT_NULL, CLS_NM + ".createInstance");
-        if (!VUtil.isNotNullOrEmpty(accessClassName))
-        {
-            if(GlobalIds.IS_REST)
-            {
-                accessClassName = AccessMgrRestImpl.class.getName();
-            }
-            else
-            {
-                accessClassName = AccessMgrImpl.class.getName();
-            }
-        }
-
-        AccessMgr accessMgr = (AccessMgr) ClassUtil.createInstance(accessClassName);
-        accessMgr.setContextId(contextId);
-        return accessMgr;
-    }
-}
\ No newline at end of file