Posted to commits@directory.apache.org by tr...@apache.org on 2005/10/01 10:05:09 UTC

svn commit: r292940 - /directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/

Author: trustin
Date: Sat Oct  1 01:05:01 2005
New Revision: 292940

URL: http://svn.apache.org/viewcvs?rev=292940&view=rev
Log:
Added JavaDoc for ACDFEngine and its support classes.

Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java Sat Oct  1 01:05:01 2005
@@ -40,10 +40,41 @@
 import org.apache.ldap.server.subtree.RefinementLeafEvaluator;
 import org.apache.ldap.server.subtree.SubtreeEvaluator;
 
+/**
+ * An implementation of Access Control Decision Function (18.8, X.501).
+ * <p>
+ * This engine simply filters the collection of tuples using the following
+ * {@link ACITupleFilter}s sequentially:
+ * <ol>
+ * <li>{@link RelatedUserClassFilter}</li>
+ * <li>{@link RelatedProtectedItemFilter}</li>
+ * <li>{@link MaxValueCountFilter}</li>
+ * <li>{@link MaxImmSubFilter}</li>
+ * <li>{@link RestrictedByFilter}</li>
+ * <li>{@link MicroOperationFilter}</li>
+ * <li>{@link HighestPrecedenceFilter}</li>
+ * <li>{@link MostSpecificUserClassFilter}</li>
+ * <li>{@link MostSpecificProtectedItemFilter}</li>
+ * </ol>
+ * <p>
+ * Operation is determined to be permitted if and only if there is at least one
+ * tuple left and all of them grants the access. (18.8.4. X.501)
+ * 
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class ACDFEngine
 {
     private final ACITupleFilter[] filters;
     
+    /**
+     * Creates a new instance.
+     * 
+     * @param oidRegistry an OID registry to be used by internal components
+     * @param attrTypeRegistry an attribute type registry to be used by internal components 
+     * 
+     * @throws NamingException if failed to initialize internal components
+     */
     public ACDFEngine( OidRegistry oidRegistry, AttributeTypeRegistry attrTypeRegistry ) throws NamingException
     {
         Evaluator entryEvaluator = new ExpressionEvaluator( oidRegistry, attrTypeRegistry );
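Review bot: The decision rule in the new class Javadoc reads `all of them grants the access`; it should be `all of them grant access`, and it is worth spelling out the fail-closed consequence that the wording implies: an empty tuple set — including the case where no ACI applies to the entry at all — is a denial, never a default grant. The documented filter order is also a security invariant rather than a convenience (the Javadoc itself cites 18.8.3.x for the relevance filters and 18.8.4.x for the precedence/most-specific reductions, and the latter only make sense once inapplicable tuples have been removed), but the `filters` array is populated in the constructor body, which continues outside this hunk. A comment on the field such as `// Order is significant: must match the sequence in the class Javadoc (18.8.3 relevance filters before the 18.8.4 reductions).` would stop the documentation and the actual chain from silently drifting apart.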
@@ -70,7 +101,7 @@
      * if the user doesn't have any permission to perform the specified grants.
      * 
      * @param next the next interceptor to the current interceptor
-     * @param userGroupNames the DN of the group of the user who is trying to access the resource
+     * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
      * @param username the DN of the user who is trying to access the resource
      * @param entryName the DN of the entry the user is trying to access 
      * @param attrId the attribute type of the attribute the user is trying to access.
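Review bot: The reworded `@param userGroupNames` line is missing its closing preposition and should read `the collection of the group DNs the user who is trying to access the resource belongs to`; the second overload's hunk uses the same wording. Incidentally, the two overloads spell the user parameter `username` and `userName` in the surrounding context lines, which makes the two Javadoc blocks harder to cross-reference; that is pre-existing and not part of this change.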
@@ -103,7 +134,7 @@
      * if the user doesn't have any permission to perform the specified grants.
      * 
      * @param next the next interceptor to the current interceptor 
-     * @param userGroupNames the DN of the group of the user who is trying to access the resource
+     * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
      * @param userName the DN of the user who is trying to access the resource
      * @param entryName the DN of the entry the user is trying to access 
      * @param attrId the attribute type of the attribute the user is trying to access.

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java Sat Oct  1 01:05:01 2005
@@ -25,10 +25,39 @@
 import javax.naming.directory.Attributes;
 
 import org.apache.ldap.common.aci.AuthenticationLevel;
+import org.apache.ldap.common.aci.MicroOperation;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 
+/**
+ * An interface that filters the specified collection of tuples using the
+ * specified extra information.
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ *
+ */
 public interface ACITupleFilter
 {
+    /**
+     * Returns the collection of the filtered tuples using the specified
+     * extra information.
+     * 
+     * @param tuples the collection of tuples to filter
+     * @param scope the scope of the operation to be performed
+     * @param next the next interceptor for this filter to access the DIT
+     * @param userGroupNames the collection of group ({@link Name})s which the current user belongs to
+     * @param userName the {@link Name} of the current user
+     * @param userEntry the {@link Attributes} of the current user entry in the DIT
+     * @param authenticationLevel the level of authentication of the current user
+     * @param entryName the {@link Name} of the entry the current user accesses
+     * @param attrId the attribute ID the current user accesses
+     * @param attrValue the value of the attribute the current user accesses
+     * @param entry the {@link Attributes} of the entry the current user accesses
+     * @param microOperations the set of {@link MicroOperation}s the current user will perform
+     * 
+     * @return the collection of filtered tuples
+     * @throws NamingException if failed to filter the specifiec tuples
+     */
     Collection filter(
             Collection tuples, OperationScope scope, NextInterceptor next,
             Collection userGroupNames, Name userName, Attributes userEntry,
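Review bot: The new interface Javadoc describes every argument but omits the one contract the decision function's safety rests on: a filter may only remove tuples, never add or rewrite one, and it is left open whether an implementation may mutate `tuples` in place or must return a new collection, which matters because ACDFEngine's Javadoc says these filters are applied sequentially to the same collection. A sentence such as `Implementations must return a subset of {@code tuples}; adding or altering tuples would allow a filter to widen access.` plus a statement on in-place mutation would pin this down. `specifiec` in the `@throws` line is a typo, and if `attrId`, `attrValue` or `userEntry` can be null for some scopes (for instance {@link OperationScope#ENTRY}) the `@param` lines should say so. The `filter` signature continues past the end of the hunk.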

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java Sat Oct  1 01:05:01 2005
@@ -29,6 +29,13 @@
 import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 
+/**
+ * An {@link ACITupleFilter} that discards all tuples having a precedence less
+ * than the highest remaining precedence. (18.8.4.1, X.501)
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class HighestPrecedenceFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java Sat Oct  1 01:05:01 2005
@@ -35,6 +35,13 @@
 import org.apache.ldap.common.filter.PresenceNode;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 
+/**
+ * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy
+ * {@link ProtectedItem.MaxImmSub} constraint if available. (18.8.3.3, X.501)
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class MaxImmSubFilter implements ACITupleFilter
 {
     private final ExprNode childrenFilter;
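Review bot: `discards all tuples that doesn't satisfy` should read `discards all tuples that do not satisfy`; the same phrase is used in the MaxValueCountFilter and RestrictedByFilter Javadoc in this commit. The `{@link ProtectedItem.MaxImmSub}` reference only resolves if `ProtectedItem` is imported above this hunk or the link is package-qualified; the visible imports do not include it, so please check that the javadoc build does not warn on it. The class body continues outside the hunk.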

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java Sat Oct  1 01:05:01 2005
@@ -32,6 +32,13 @@
 import org.apache.ldap.common.aci.ProtectedItem.MaxValueCountItem;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 
+/**
+ * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy
+ * {@link ProtectedItem.MaxValueCount} constraint if available. (18.8.3.3, X.501)
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class MaxValueCountFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java Sat Oct  1 01:05:01 2005
@@ -30,6 +30,14 @@
 import org.apache.ldap.common.aci.MicroOperation;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 
+/**
+ * An {@link ACITupleFilter} that discard tuples which doesn't contain any
+ * related {@link MicroOperation}s. (18.8.3.4, X.501) 
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ *
+ */
 public class MicroOperationFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
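Review bot: The class summary `that discard tuples which doesn't contain any related {@link MicroOperation}s` has two agreement errors; `that discards tuples which do not contain any of the requested {@link MicroOperation}s` reads correctly and says which side the relation is checked against. The `filter` body continues outside the hunk.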

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java Sat Oct  1 01:05:01 2005
@@ -31,6 +31,21 @@
 import org.apache.ldap.common.aci.ProtectedItem;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 
+/**
+ * An {@link ACITupleFilter} that chooses the tuples with the most specific
+ * protected item. (18.8.4.3, X.501)
+ * <p>
+ * If more than one tuple remains, choose the tuples with the most specific
+ * protected item. If the protected item is an attribute and there are tuples 
+ * that specify the attribute type explicitly, discard all other tuples. If
+ * the protected item is an attribute value, and there are tuples that specify
+ * the attribute value explicitly, discard all other tuples. A protected item
+ * which is a rangeOfValues is to be treated as specifying an attribute value
+ * explicitly.
+ * 
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class MostSpecificProtectedItemFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java Sat Oct  1 01:05:01 2005
@@ -31,6 +31,19 @@
 import org.apache.ldap.common.aci.UserClass;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 
+/**
+ * An {@link ACITupleFilter} that chooses the tuples with the most specific user
+ * class. (18.8.4.2)
+ * <p>
+ * If more than one tuple remains, choose the tuples with the most specific user
+ * class. If there are any tuples matching the requestor with UserClasses element
+ * name or thisEntry, discard all other tuples. Otherwise if there are any tuples
+ * matching UserGroup, discard all other tuples. Otherwise if there are any tuples
+ * matching subtree, discard all other tuples.
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class MostSpecificUserClassFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
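Review bot: The spec citation in the summary is `(18.8.4.2)` while every other filter in this commit cites `(18.8.4.x, X.501)`; for consistency it should read `(18.8.4.2, X.501)`. The `filter` body continues outside the hunk.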

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java Sat Oct  1 01:05:01 2005
@@ -18,10 +18,27 @@
  */
 package org.apache.ldap.server.authz.support;
 
+/**
+ * An enumeration that represents the scope of user operation.
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class OperationScope
 {
+    /**
+     * An operation that affects the whole entry.
+     */
     public static final OperationScope ENTRY = new OperationScope( "Entry" );
+    
+    /**
+     * An operation that affects all values in an attribute type.
+     */
     public static final OperationScope ATTRIBUTE_TYPE = new OperationScope( "Attribute Type" );
+    
+    /**
+     * An operation that affects the specific value in an attribute type.
+     */
     public static final OperationScope ATTRIBUTE_TYPE_AND_VALUE = new OperationScope( "Attribute Type & Value" );
     
     private final String name;
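Review bot: The class Javadoc calls `OperationScope` an enumeration, but it is a plain class using the typesafe-enum idiom with three `static final` instances, which readers of a Java 5+ codebase may take to mean a real `enum`. It would help to state that `ENTRY`, `ATTRIBUTE_TYPE` and `ATTRIBUTE_TYPE_AND_VALUE` are the only instances and may be compared by reference, e.g. `Typesafe enum; these three constants are the only instances, so {@code ==} comparison is safe.` — assuming the constructor is private, which the hunk does not show.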
@@ -31,11 +48,17 @@
         this.name = name;
     }
     
+    /**
+     * Return the name of this scope.
+     */
     public String getName()
     {
         return name;
     }
-    
+
+    /**
+     * Returns the name of this scope.
+     */
     public String toString()
     {
         return name;
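Review bot: The two new method comments disagree in form — `Return the name of this scope.` on `getName()` versus `Returns the name of this scope.` on `toString()`; Javadoc summaries are conventionally third person, so the first should be `Returns the name of this scope.` Since both methods return the same field, the `toString()` comment could simply say `Same as {@link #getName()}.` to make the equivalence explicit.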

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java Sat Oct  1 01:05:01 2005
@@ -37,6 +37,13 @@
 import org.apache.ldap.server.schema.AttributeTypeRegistry;
 import org.apache.ldap.server.subtree.RefinementEvaluator;
 
+/**
+ * An {@link ACITupleFilter} that discards all tuples whose {@link ProtectedItem}s
+ * are not related with the operation. (18.8.3.2, X.501)
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class RelatedProtectedItemFilter implements ACITupleFilter
 {
     private final AttributeTypeRegistry attrTypeRegistry;

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java Sat Oct  1 01:05:01 2005
@@ -33,6 +33,13 @@
 import org.apache.ldap.server.interceptor.NextInterceptor;
 import org.apache.ldap.server.subtree.SubtreeEvaluator;
 
+/**
+ * An {@link ACITupleFilter} that discards all tuples whose {@link UserClass}es
+ * are not related with the current user. (18.8.3.1, X.501)
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
 public class RelatedUserClassFilter implements ACITupleFilter
 {
     private static final LdapName ROOTDSE_NAME = new LdapName();

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java?rev=292940&r1=292939&r2=292940&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java Sat Oct  1 01:05:01 2005
@@ -32,6 +32,13 @@
 import org.apache.ldap.common.aci.ProtectedItem.RestrictedByItem;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 
+/**
+ * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy
+ * {@link ProtectedItem.RestrictedBy} constraint if available. (18.8.3.3, X.501)
+ *
+ * @author The Apache Directory Proejct
+ * @version $Rev$, $Date$
+ */
 public class RestrictedByFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
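Review bot: The `@author` tag in the new Javadoc has a typo, `The Apache Directory Proejct`, which should be `The Apache Directory Project` as in the other files of this commit. The summary's `tuples that doesn't satisfy` should also read `tuples that do not satisfy`. The `filter` body continues outside the hunk.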