Posted to commits@directory.apache.org by ak...@apache.org on 2006/02/20 04:58:21 UTC
svn commit: r379013 [7/45] - in /directory/trunks/apacheds: ./ core-plugin/
core-plugin/src/main/java/org/apache/directory/server/core/tools/schema/
core-plugin/src/test/java/org/apache/directory/server/core/tools/schema/
core-shared/ core-shared/src/m...
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java Sun Feb 19 19:57:02 2006
@@ -90,7 +90,6 @@
private static final Collection IMPORT_PERMS;
private static final Collection MOVERENAME_PERMS;
-
static
{
HashSet set = new HashSet( 2 );
@@ -167,7 +166,8 @@
enabled = factoryCfg.getStartupConfiguration().isAccessControlEnabled();
// stuff for dealing with subentries (garbage for now)
- String subschemaSubentry = ( String ) factoryCfg.getPartitionNexus().getRootDSE().get( "subschemaSubentry" ).get();
+ String subschemaSubentry = ( String ) factoryCfg.getPartitionNexus().getRootDSE().get( "subschemaSubentry" )
+ .get();
subschemaSubentryDn = new LdapName( subschemaSubentry ).toString().toLowerCase();
}
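Review bot: `new LdapName( subschemaSubentry ).toString().toLowerCase()` on the reformatted line is locale-sensitive; under a default locale with a different case mapping (Turkish dotless i is the classic case) the stored `subschemaSubentryDn` can fail to match `base.toString()` in the search() bypass test, so the comparison should use `.toLowerCase( Locale.ENGLISH )` with `java.util.Locale` imported. The chained `.get()` on the `subschemaSubentry` attribute also dereferences without a null check, so a RootDSE lacking that attribute fails at startup with a bare NullPointerException rather than a message naming the missing attribute. The enclosing init method starts and ends outside the hunk.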
@@ -185,9 +185,8 @@
* @param entry the target entry that access to is being controled
* @throws NamingException if there are problems accessing attribute values
*/
- private void addPerscriptiveAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples,
- Name dn, Attributes entry )
- throws NamingException
+ private void addPerscriptiveAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples, Name dn,
+ Attributes entry ) throws NamingException
{
/*
* If the protected entry is a subentry, then the entry being evaluated
@@ -245,7 +244,7 @@
}
catch ( ParseException e )
{
- String msg = "failed to parse entryACI: " + aciString ;
+ String msg = "failed to parse entryACI: " + aciString;
log.error( msg, e );
throw new LdapNamingException( msg, ResultCodeEnum.OPERATIONSERROR );
}
@@ -264,11 +263,11 @@
* @param entry the target entry that access to is being regulated
* @throws NamingException if there are problems accessing attribute values
*/
- private void addSubentryAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples,
- Name dn, Attributes entry ) throws NamingException
+ private void addSubentryAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples, Name dn, Attributes entry )
+ throws NamingException
{
// only perform this for subentries
- if ( ! entry.get("objectClass").contains("subentry") )
+ if ( !entry.get( "objectClass" ).contains( "subentry" ) )
{
return;
}
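Review bot: The subentry test `entry.get( "objectClass" ).contains( "subentry" )` is an exact, case-sensitive match, so if the Attribute implementation does not normalize values, an entry whose object class is stored as `subEntry` (object class names are case-insensitive in LDAP) would skip subentryACI tuple collection entirely; a case-insensitive scan over the objectClass values would make the guard independent of how the value was written. It also dereferences `entry.get( "objectClass" )` without a null check. addSubentryAciTuples continues past the hunk.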
@@ -277,8 +276,8 @@
// will contain the subentryACI attributes that effect subentries
Name parentDn = ( Name ) dn.clone();
parentDn.remove( dn.size() - 1 );
- Attributes administrativeEntry = proxy.lookup( parentDn, new String[] { SUBENTRYACI_ATTR },
- DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
+ Attributes administrativeEntry = proxy.lookup( parentDn, new String[]
+ { SUBENTRYACI_ATTR }, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
Attribute subentryAci = administrativeEntry.get( SUBENTRYACI_ATTR );
if ( subentryAci == null )
@@ -297,7 +296,7 @@
}
catch ( ParseException e )
{
- String msg = "failed to parse subentryACI: " + aciString ;
+ String msg = "failed to parse subentryACI: " + aciString;
log.error( msg, e );
throw new LdapNamingException( msg, ResultCodeEnum.OPERATIONSERROR );
}
@@ -336,7 +335,7 @@
Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
- if ( ! enabled )
+ if ( !enabled )
{
next.add( upName, normName, entry );
return;
@@ -355,7 +354,7 @@
SubentryService subentryService = ( SubentryService ) chain.get( "subentryService" );
Attributes subentryAttrs = subentryService.getSubentryAttributes( normName, entry );
NamingEnumeration attrList = entry.getAll();
- while( attrList.hasMore() )
+ while ( attrList.hasMore() )
{
subentryAttrs.put( ( Attribute ) attrList.next() );
}
@@ -371,8 +370,8 @@
// check if entry scope permission is granted
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
- normName, null, null, ADD_PERMS, tuples, subentryAttrs );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), normName, null, null,
+ ADD_PERMS, tuples, subentryAttrs );
// now we must check if attribute type and value scope permission is granted
NamingEnumeration attributeList = entry.getAll();
@@ -381,9 +380,8 @@
Attribute attr = ( Attribute ) attributeList.next();
for ( int ii = 0; ii < attr.size(); ii++ )
{
- engine.checkPermission( proxy, userGroups, userName,
- principal.getAuthenticationLevel(), normName, attr.getID(),
- attr.get( ii ), ADD_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), normName, attr
+ .getID(), attr.get( ii ), ADD_PERMS, tuples, entry );
}
}
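Review bot: The reformatted call wraps a trivial receiver/method pair across lines (`normName, attr` / `.getID(), attr.get( ii ), ...`), which hides where the argument list actually breaks; the same split recurs in the two modify hunks, checkLookupAccess and the three filter() hunks below. Hoisting the id before the inner loop, `String id = attr.getID();`, shortens each call enough to break at an argument boundary and avoids the formatter's awkward split. The enclosing add() method ends outside the hunk.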
@@ -407,7 +405,7 @@
Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
- if ( ! enabled )
+ if ( !enabled )
{
next.delete( name );
return;
@@ -428,8 +426,8 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
- null, REMOVE_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+ REMOVE_PERMS, tuples, entry );
next.delete( name );
tupleCache.subentryDeleted( name, entry );
@@ -447,7 +445,7 @@
Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
- if ( ! enabled )
+ if ( !enabled )
{
next.modify( name, modOp, mods );
return;
@@ -468,31 +466,31 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
- null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+ Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
NamingEnumeration attrList = mods.getAll();
Collection perms = null;
- switch( modOp )
+ switch ( modOp )
{
- case( DirContext.ADD_ATTRIBUTE ):
+ case ( DirContext.ADD_ATTRIBUTE ):
perms = ADD_PERMS;
break;
- case( DirContext.REMOVE_ATTRIBUTE ):
+ case ( DirContext.REMOVE_ATTRIBUTE ):
perms = REMOVE_PERMS;
break;
- case( DirContext.REPLACE_ATTRIBUTE ):
+ case ( DirContext.REPLACE_ATTRIBUTE ):
perms = REPLACE_PERMS;
break;
}
- while( attrList.hasMore() )
+ while ( attrList.hasMore() )
{
Attribute attr = ( Attribute ) attrList.next();
for ( int ii = 0; ii < attr.size(); ii++ )
{
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
- name, attr.getID(), attr.get( ii ), perms, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, attr
+ .getID(), attr.get( ii ), perms, tuples, entry );
}
}
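Review bot: The `switch ( modOp )` has no `default` branch, so an unrecognized modification op leaves `perms` null and the per-value `engine.checkPermission( ..., perms, tuples, entry )` below is invoked with a null permission set; whether the engine denies, grants or throws on that is not visible here. A fail-closed `default: throw new IllegalArgumentException( "unsupported modification op: " + modOp );` keeps the authorization decision explicit. The same gap is in the array-form modify hunk (`@@ -533,21`), where `perms` is additionally declared outside the `for` loop, so an unknown op there would silently reuse the previous modification's permissions. modify()'s body ends outside the hunk.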
@@ -512,7 +510,7 @@
Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
- if ( ! enabled )
+ if ( !enabled )
{
next.modify( name, mods );
return;
@@ -533,21 +531,21 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
- null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+ Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
Collection perms = null;
for ( int ii = 0; ii < mods.length; ii++ )
{
- switch( mods[ii].getModificationOp() )
+ switch ( mods[ii].getModificationOp() )
{
- case( DirContext.ADD_ATTRIBUTE ):
+ case ( DirContext.ADD_ATTRIBUTE ):
perms = ADD_PERMS;
break;
- case( DirContext.REMOVE_ATTRIBUTE ):
+ case ( DirContext.REMOVE_ATTRIBUTE ):
perms = REMOVE_PERMS;
break;
- case( DirContext.REPLACE_ATTRIBUTE ):
+ case ( DirContext.REPLACE_ATTRIBUTE ):
perms = REPLACE_PERMS;
break;
}
@@ -555,8 +553,8 @@
Attribute attr = mods[ii].getAttribute();
for ( int jj = 0; jj < attr.size(); jj++ )
{
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
- name, attr.getID(), attr.get( jj ), perms, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, attr
+ .getID(), attr.get( jj ), perms, tuples, entry );
}
}
@@ -574,8 +572,8 @@
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
Name userName = dnParser.parse( principal.getName() );
- if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled
- || name.toString().trim().equals( "" ) ) // no checks on the rootdse
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled
+ || name.toString().trim().equals( "" ) ) // no checks on the rootdse
{
return next.hasEntry( name );
}
@@ -587,8 +585,8 @@
addSubentryAciTuples( proxy, tuples, name, entry );
// check that we have browse access to the entry
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
- null, BROWSE_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+ BROWSE_PERMS, tuples, entry );
return next.hasEntry( name );
}
@@ -609,8 +607,7 @@
* @param entry the raw entry pulled from the nexus
* @throws NamingException
*/
- private void checkLookupAccess( LdapPrincipal principal, Name dn, Attributes entry )
- throws NamingException
+ private void checkLookupAccess( LdapPrincipal principal, Name dn, Attributes entry ) throws NamingException
{
// no permissions checks on the RootDSE
if ( dn.toString().trim().equals( "" ) )
@@ -627,8 +624,8 @@
addSubentryAciTuples( proxy, tuples, dn, entry );
// check that we have read access to the entry
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null,
- null, LOOKUP_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null, null,
+ LOOKUP_PERMS, tuples, entry );
// check that we have read access to every attribute type and value
NamingEnumeration attributeList = entry.getAll();
@@ -637,8 +634,8 @@
Attribute attr = ( Attribute ) attributeList.next();
for ( int ii = 0; ii < attr.size(); ii++ )
{
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn,
- attr.getID(), attr.get( ii ), READ_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, attr
+ .getID(), attr.get( ii ), READ_PERMS, tuples, entry );
}
}
}
@@ -651,7 +648,7 @@
Attributes entry = proxy.lookup( dn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
- if ( principal.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
+ if ( principal.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
{
return next.lookup( dn, attrIds );
}
@@ -668,7 +665,7 @@
Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
+ if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
{
return next.lookup( name );
}
@@ -690,9 +687,8 @@
newName.remove( name.size() - 1 );
newName.add( dnParser.parse( newRn ).get( 0 ) );
-
// bypass authz code if we are disabled
- if ( ! enabled )
+ if ( !enabled )
{
next.modifyRn( name, newRn, deleteOldRn );
return;
@@ -715,35 +711,35 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
- null, RENAME_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+ RENAME_PERMS, tuples, entry );
-// if ( deleteOldRn )
-// {
-// String oldRn = name.get( name.size() - 1 );
-// if ( NamespaceTools.hasCompositeComponents( oldRn ) )
-// {
-// String[] comps = NamespaceTools.getCompositeComponents( oldRn );
-// for ( int ii = 0; ii < comps.length; ii++ )
-// {
-// String id = NamespaceTools.getRdnAttribute( comps[ii] );
-// String value = NamespaceTools.getRdnValue( comps[ii] );
-// engine.checkPermission( next, userGroups, user.getJndiName(),
-// user.getAuthenticationLevel(), name, id,
-// value, Collections.singleton( MicroOperation.REMOVE ),
-// tuples, entry );
-// }
-// }
-// else
-// {
-// String id = NamespaceTools.getRdnAttribute( oldRn );
-// String value = NamespaceTools.getRdnValue( oldRn );
-// engine.checkPermission( next, userGroups, user.getJndiName(),
-// user.getAuthenticationLevel(), name, id,
-// value, Collections.singleton( MicroOperation.REMOVE ),
-// tuples, entry );
-// }
-// }
+ // if ( deleteOldRn )
+ // {
+ // String oldRn = name.get( name.size() - 1 );
+ // if ( NamespaceTools.hasCompositeComponents( oldRn ) )
+ // {
+ // String[] comps = NamespaceTools.getCompositeComponents( oldRn );
+ // for ( int ii = 0; ii < comps.length; ii++ )
+ // {
+ // String id = NamespaceTools.getRdnAttribute( comps[ii] );
+ // String value = NamespaceTools.getRdnValue( comps[ii] );
+ // engine.checkPermission( next, userGroups, user.getJndiName(),
+ // user.getAuthenticationLevel(), name, id,
+ // value, Collections.singleton( MicroOperation.REMOVE ),
+ // tuples, entry );
+ // }
+ // }
+ // else
+ // {
+ // String id = NamespaceTools.getRdnAttribute( oldRn );
+ // String value = NamespaceTools.getRdnValue( oldRn );
+ // engine.checkPermission( next, userGroups, user.getJndiName(),
+ // user.getAuthenticationLevel(), name, id,
+ // value, Collections.singleton( MicroOperation.REMOVE ),
+ // tuples, entry );
+ // }
+ // }
next.modifyRn( name, newRn, deleteOldRn );
tupleCache.subentryRenamed( name, newName );
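Review bot: The `deleteOldRn` REMOVE-permission check is carried forward as a commented-out block rather than deleted or tracked, so a rename with deleteOldRn=true drops the old RDN attribute values after only the entry-level RENAME_PERMS check; the dead code also references `user.getJndiName()` and `next`, which no longer match the `principal`, `userName` and `proxy` locals on the live lines, so it could not be re-enabled as is. Either delete the block or replace it with `// TODO: value-level REMOVE check on the old RDN values when deleteOldRn is true` so the gap stays visible. The identical commented-out block is carried in the move( ..., newRn, deleteOldRn ) hunk below. modifyRn's body starts outside the hunk.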
@@ -752,7 +748,7 @@
public void move( NextInterceptor next, Name oriChildName, Name newParentName, String newRn, boolean deleteOldRn )
- throws NamingException
+ throws NamingException
{
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
@@ -764,7 +760,7 @@
newName.add( newRn );
// bypass authz code if we are disabled
- if ( ! enabled )
+ if ( !enabled )
{
next.move( oriChildName, newParentName, newRn, deleteOldRn );
return;
@@ -785,42 +781,42 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
- oriChildName, null, null, MOVERENAME_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
+ null, MOVERENAME_PERMS, tuples, entry );
Collection destTuples = new HashSet();
addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
addEntryAciTuples( destTuples, entry );
addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
- oriChildName, null, null, IMPORT_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
+ null, IMPORT_PERMS, tuples, entry );
-// if ( deleteOldRn )
-// {
-// String oldRn = oriChildName.get( oriChildName.size() - 1 );
-// if ( NamespaceTools.hasCompositeComponents( oldRn ) )
-// {
-// String[] comps = NamespaceTools.getCompositeComponents( oldRn );
-// for ( int ii = 0; ii < comps.length; ii++ )
-// {
-// String id = NamespaceTools.getRdnAttribute( comps[ii] );
-// String value = NamespaceTools.getRdnValue( comps[ii] );
-// engine.checkPermission( next, userGroups, user.getJndiName(),
-// user.getAuthenticationLevel(), oriChildName, id,
-// value, Collections.singleton( MicroOperation.REMOVE ),
-// tuples, entry );
-// }
-// }
-// else
-// {
-// String id = NamespaceTools.getRdnAttribute( oldRn );
-// String value = NamespaceTools.getRdnValue( oldRn );
-// engine.checkPermission( next, userGroups, user.getJndiName(),
-// user.getAuthenticationLevel(), oriChildName, id,
-// value, Collections.singleton( MicroOperation.REMOVE ),
-// tuples, entry );
-// }
-// }
+ // if ( deleteOldRn )
+ // {
+ // String oldRn = oriChildName.get( oriChildName.size() - 1 );
+ // if ( NamespaceTools.hasCompositeComponents( oldRn ) )
+ // {
+ // String[] comps = NamespaceTools.getCompositeComponents( oldRn );
+ // for ( int ii = 0; ii < comps.length; ii++ )
+ // {
+ // String id = NamespaceTools.getRdnAttribute( comps[ii] );
+ // String value = NamespaceTools.getRdnValue( comps[ii] );
+ // engine.checkPermission( next, userGroups, user.getJndiName(),
+ // user.getAuthenticationLevel(), oriChildName, id,
+ // value, Collections.singleton( MicroOperation.REMOVE ),
+ // tuples, entry );
+ // }
+ // }
+ // else
+ // {
+ // String id = NamespaceTools.getRdnAttribute( oldRn );
+ // String value = NamespaceTools.getRdnValue( oldRn );
+ // engine.checkPermission( next, userGroups, user.getJndiName(),
+ // user.getAuthenticationLevel(), oriChildName, id,
+ // value, Collections.singleton( MicroOperation.REMOVE ),
+ // tuples, entry );
+ // }
+ // }
next.move( oriChildName, newParentName, newRn, deleteOldRn );
tupleCache.subentryRenamed( oriChildName, newName );
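Review bot: `destTuples` is built on the new side (`Collection destTuples = new HashSet();` followed by the three add*AciTuples calls) but the IMPORT_PERMS check that follows passes `tuples`, so the collection is never used and the import check is evaluated with the source entry's tuples against `oriChildName` rather than the destination. If the intent is to authorize the import at the target location, the tuples should be collected for the destination and the call should read `engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), newName, null, null, IMPORT_PERMS, destTuples, entry );`. The plain move hunk (`@@ -861,31`) has the same unused `destTuples`. move()'s body starts outside the hunk.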
@@ -840,7 +836,7 @@
Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
- if ( ! enabled )
+ if ( !enabled )
{
next.move( oriChildName, newParentName );
return;
@@ -861,31 +857,31 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
- oriChildName, null, null, EXPORT_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
+ null, EXPORT_PERMS, tuples, entry );
Collection destTuples = new HashSet();
addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
addEntryAciTuples( destTuples, entry );
addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
- oriChildName, null, null, IMPORT_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
+ null, IMPORT_PERMS, tuples, entry );
next.move( oriChildName, newParentName );
tupleCache.subentryRenamed( oriChildName, newName );
groupCache.groupRenamed( oriChildName, newName );
}
-
public static final SearchControls DEFUALT_SEARCH_CONTROLS = new SearchControls();
+
public NamingEnumeration list( NextInterceptor next, Name base ) throws NamingException
{
Invocation invocation = InvocationStack.getInstance().peek();
ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
LdapPrincipal user = ctx.getPrincipal();
NamingEnumeration e = next.list( base );
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
+ if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
{
return e;
}
@@ -895,7 +891,7 @@
public NamingEnumeration search( NextInterceptor next, Name base, Map env, ExprNode filter,
- SearchControls searchCtls ) throws NamingException
+ SearchControls searchCtls ) throws NamingException
{
Invocation invocation = InvocationStack.getInstance().peek();
ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
@@ -904,8 +900,8 @@
boolean isSubschemaSubentryLookup = subschemaSubentryDn.equals( base.toString() );
boolean isRootDSELookup = base.size() == 0 && searchCtls.getSearchScope() == SearchControls.OBJECT_SCOPE;
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL )
- || ! enabled || isRootDSELookup || isSubschemaSubentryLookup )
+ if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled || isRootDSELookup
+ || isSubschemaSubentryLookup )
{
return e;
}
@@ -923,7 +919,7 @@
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
Name userName = dnParser.parse( principal.getName() );
- if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
{
return next.compare( name, oid, value );
}
@@ -934,10 +930,10 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
- null, READ_PERMS, tuples, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, oid,
- value, COMPARE_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+ READ_PERMS, tuples, entry );
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, oid, value,
+ COMPARE_PERMS, tuples, entry );
return next.compare( name, oid, value );
}
@@ -950,7 +946,7 @@
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
Name userName = dnParser.parse( principal.getName() );
- if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
{
return next.getMatchedName( dn, normalized );
}
@@ -979,9 +975,8 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, matched, entry );
- if ( engine.hasPermission( proxy, userGroups, userName,
- principal.getAuthenticationLevel(), matched, null, null,
- MATCHEDNAME_PERMS, tuples, entry ) )
+ if ( engine.hasPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), matched, null,
+ null, MATCHEDNAME_PERMS, tuples, entry ) )
{
return matched;
}
@@ -1001,11 +996,11 @@
private boolean filter( Invocation invocation, Name normName, SearchResult result ) throws NamingException
{
- /*
- * First call hasPermission() for entry level "Browse" and "ReturnDN" perm
- * tests. If we hasPermission() returns false we immediately short the
- * process and return false.
- */
+ /*
+ * First call hasPermission() for entry level "Browse" and "ReturnDN" perm
+ * tests. If we hasPermission() returns false we immediately short the
+ * process and return false.
+ */
Attributes entry = invocation.getProxy().lookup( normName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
Name userDn = dnParser.parse( ctx.getPrincipal().getName() );
@@ -1015,9 +1010,8 @@
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( invocation.getProxy(), tuples, normName, entry );
- if ( ! engine.hasPermission( invocation.getProxy(), userGroups, userDn,
- ctx.getPrincipal().getAuthenticationLevel(),
- normName, null, null, SEARCH_ENTRY_PERMS, tuples, entry ) )
+ if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
+ .getAuthenticationLevel(), normName, null, null, SEARCH_ENTRY_PERMS, tuples, entry ) )
{
return false;
}
@@ -1035,9 +1029,8 @@
// if attribute type scope access is not allowed then remove the attribute and continue
String id = ( String ) idList.next();
Attribute attr = result.getAttributes().get( id );
- if ( ! engine.hasPermission( invocation.getProxy(), userGroups, userDn,
- ctx.getPrincipal().getAuthenticationLevel(),
- normName, attr.getID(), null, SEARCH_ATTRVAL_PERMS, tuples, entry ) )
+ if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
+ .getAuthenticationLevel(), normName, attr.getID(), null, SEARCH_ATTRVAL_PERMS, tuples, entry ) )
{
result.getAttributes().remove( attr.getID() );
@@ -1051,9 +1044,9 @@
// attribute type scope is ok now let's determine value level scope
for ( int ii = 0; ii < attr.size(); ii++ )
{
- if ( ! engine.hasPermission( invocation.getProxy(), userGroups, userDn,
- ctx.getPrincipal().getAuthenticationLevel(), normName,
- attr.getID(), attr.get( ii ), SEARCH_ATTRVAL_PERMS, tuples, entry ) )
+ if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
+ .getAuthenticationLevel(), normName, attr.getID(), attr.get( ii ), SEARCH_ATTRVAL_PERMS, tuples,
+ entry ) )
{
attr.remove( ii );
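Review bot: `attr.remove( ii )` inside `for ( int ii = 0; ii < attr.size(); ii++ )` shifts the remaining values down one index, so unless the loop body continues with an `ii--` beyond the hunk, the value that moves into slot `ii` is never permission-checked and is returned to the client. Iterating downward, `for ( int ii = attr.size() - 1; ii >= 0; ii-- )`, removes safely without index bookkeeping. The hunk ends before the loop closes, so the compensation may exist on lines not shown.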
@@ -1068,7 +1061,6 @@
return true;
}
-
/**
* WARNING: create one of these filters fresh every time for each new search.
*/
@@ -1077,6 +1069,7 @@
/** dedicated normalizing parser for this search - cheaper than synchronization */
final DnParser parser;
+
public AuthorizationFilter() throws NamingException
{
parser = new DnParser( new ConcreteNameComponentNormalizer( attrRegistry ) );
@@ -1084,18 +1077,18 @@
public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
- throws NamingException
+ throws NamingException
{
Name normName = parser.parse( result.getName() );
-// looks like isRelative returns true even when the names for results are absolute!!!!
-// @todo this is a big bug in JNDI provider
+ // looks like isRelative returns true even when the names for results are absolute!!!!
+ // @todo this is a big bug in JNDI provider
-// if ( result.isRelative() )
-// {
-// Name base = parser.parse( ctx.getNameInNamespace() );
-// normName = base.addAll( normName );
-// }
+ // if ( result.isRelative() )
+ // {
+ // Name base = parser.parse( ctx.getNameInNamespace() );
+ // normName = base.addAll( normName );
+ // }
return filter( invocation, normName, result );
}
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
------------------------------------------------------------------------------
--- svn:keywords (original)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -1 +1,4 @@
-HeadURL Id LastChangedBy LastChangedDate LastChangedRevision
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java Sun Feb 19 19:57:02 2006
@@ -70,12 +70,12 @@
*
* @param factoryCfg the context factory configuration for the server
*/
- public GroupCache( DirectoryServiceConfiguration factoryCfg ) throws NamingException
+ public GroupCache(DirectoryServiceConfiguration factoryCfg) throws NamingException
{
this.nexus = factoryCfg.getPartitionNexus();
this.env = ( Hashtable ) factoryCfg.getEnvironment().clone();
- this.parser = new DnParser( new ConcreteNameComponentNormalizer(
- factoryCfg.getGlobalRegistries().getAttributeTypeRegistry() ) );
+ this.parser = new DnParser( new ConcreteNameComponentNormalizer( factoryCfg.getGlobalRegistries()
+ .getAttributeTypeRegistry() ) );
initialize();
}
@@ -288,17 +288,17 @@
switch ( modOp )
{
- case ( DirContext.ADD_ATTRIBUTE ):
+ case ( DirContext.ADD_ATTRIBUTE ):
addMembers( memberSet, members );
break;
- case ( DirContext.REPLACE_ATTRIBUTE ):
+ case ( DirContext.REPLACE_ATTRIBUTE ):
if ( members.size() > 0 )
{
memberSet.clear();
addMembers( memberSet, members );
}
break;
- case ( DirContext.REMOVE_ATTRIBUTE ):
+ case ( DirContext.REMOVE_ATTRIBUTE ):
removeMembers( memberSet, members );
break;
default:
@@ -405,7 +405,10 @@
}
catch ( NamingException e )
{
- log.warn( "Malformed member DN. Could not find groups for member in GroupCache. Returning empty set for groups!", e );
+ log
+ .warn(
+ "Malformed member DN. Could not find groups for member in GroupCache. Returning empty set for groups!",
+ e );
return Collections.EMPTY_SET;
}
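Review bot: The reformatted `log` / `.warn(` / message / `e );` split over four lines is a formatter artifact that makes a one-line logging call hard to read. Assigning the message to a local, `String msg = "Malformed member DN. Could not find groups for member in GroupCache. Returning empty set for groups!";` followed by `log.warn( msg, e );`, keeps the call intact and matches how the AuthorizationService hunks build their `msg` locals. The enclosing method starts outside the hunk.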
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/OldAuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/OldAuthorizationService.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/OldAuthorizationService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/OldAuthorizationService.java Sun Feb 19 19:57:02 2006
@@ -54,7 +54,7 @@
* thrown and therefore the current invocation chain will terminate.
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev: 201550 $, $Date: 2005-06-23 23:08:31 -0400 (Thu, 23 Jun 2005) $
+ * @version $Rev$, $Date$
*/
public class OldAuthorizationService extends BaseInterceptor
{
@@ -80,7 +80,6 @@
private boolean enabled = true;
-
/**
* Creates a new instance.
*/
@@ -95,7 +94,7 @@
dnParser = new DnParser( new ConcreteNameComponentNormalizer( atr ) );
// disable this static module if basic access control mechanisms are enabled
- enabled = ! factoryCfg.getStartupConfiguration().isAccessControlEnabled();
+ enabled = !factoryCfg.getStartupConfiguration().isAccessControlEnabled();
}
@@ -127,8 +126,7 @@
throw new LdapNoPermissionException( msg );
}
- if ( name.size() > 2 && name.startsWith( USER_BASE_DN )
- && !principalDn.equals( ADMIN_DN ) )
+ if ( name.size() > 2 && name.startsWith( USER_BASE_DN ) && !principalDn.equals( ADMIN_DN ) )
{
String msg = "User " + principalDn;
msg += " does not have permission to delete the user account: ";
@@ -136,8 +134,7 @@
throw new LdapNoPermissionException( msg );
}
- if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN )
- && !principalDn.equals( ADMIN_DN ) )
+ if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN ) && !principalDn.equals( ADMIN_DN ) )
{
String msg = "User " + principalDn;
msg += " does not have permission to delete the group entry: ";
@@ -165,14 +162,14 @@
// Entry Modification Operations
// ------------------------------------------------------------------------
-
/**
* This policy needs to be really tight too because some attributes may take
* part in giving the user permissions to protected resources. We do not want
* users to self access these resources. As far as we're concerned no one but
* the admin needs access.
*/
- public void modify( NextInterceptor nextInterceptor, Name name, int modOp, Attributes attrs ) throws NamingException
+ public void modify( NextInterceptor nextInterceptor, Name name, int modOp, Attributes attrs )
+ throws NamingException
{
if ( enabled )
{
@@ -218,7 +215,7 @@
msg += " admin user.";
throw new LdapNoPermissionException( msg );
}
-
+
if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) )
{
String msg = "User " + principalDn;
@@ -249,8 +246,8 @@
// o The administrator entry cannot be moved or renamed by anyone
// ------------------------------------------------------------------------
-
- public void modifyRn( NextInterceptor nextInterceptor, Name name, String newRn, boolean deleteOldRn ) throws NamingException
+ public void modifyRn( NextInterceptor nextInterceptor, Name name, String newRn, boolean deleteOldRn )
+ throws NamingException
{
if ( enabled )
{
@@ -270,9 +267,8 @@
}
- public void move( NextInterceptor nextInterceptor,
- Name oriChildName, Name newParentName, String newRn,
- boolean deleteOldRn ) throws NamingException
+ public void move( NextInterceptor nextInterceptor, Name oriChildName, Name newParentName, String newRn,
+ boolean deleteOldRn ) throws NamingException
{
if ( enabled )
{
@@ -323,7 +319,7 @@
public Attributes lookup( NextInterceptor nextInterceptor, Name name ) throws NamingException
{
Attributes attributes = nextInterceptor.lookup( name );
- if ( ! enabled || attributes == null )
+ if ( !enabled || attributes == null )
{
return attributes;
}
@@ -336,7 +332,7 @@
public Attributes lookup( NextInterceptor nextInterceptor, Name name, String[] attrIds ) throws NamingException
{
Attributes attributes = nextInterceptor.lookup( name, attrIds );
- if ( ! enabled || attributes == null )
+ if ( !enabled || attributes == null )
{
return attributes;
}
@@ -348,8 +344,7 @@
private void protectLookUp( Name dn ) throws NamingException
{
- LdapContext ctx =
- ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
+ LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
Name principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
if ( !principalDn.equals( ADMIN_DN ) )
@@ -399,9 +394,8 @@
}
- public NamingEnumeration search( NextInterceptor nextInterceptor,
- Name base, Map env, ExprNode filter,
- SearchControls searchCtls ) throws NamingException
+ public NamingEnumeration search( NextInterceptor nextInterceptor, Name base, Map env, ExprNode filter,
+ SearchControls searchCtls ) throws NamingException
{
NamingEnumeration e = nextInterceptor.search( base, env, filter, searchCtls );
if ( !enabled )
@@ -412,17 +406,16 @@
//{
// return null;
//}
-
+
Invocation invocation = InvocationStack.getInstance().peek();
- return new SearchResultFilteringEnumeration( e, searchCtls, invocation,
- new SearchResultFilter()
+ return new SearchResultFilteringEnumeration( e, searchCtls, invocation, new SearchResultFilter()
+ {
+ public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
+ throws NamingException
{
- public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
- throws NamingException
- {
- return OldAuthorizationService.this.isSearchable( invocation, result );
- }
- });
+ return OldAuthorizationService.this.isSearchable( invocation, result );
+ }
+ } );
}
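Review bot: The anonymous SearchResultFilter's `accept` parameter is named `invocation`, shadowing the local `Invocation invocation = InvocationStack.getInstance().peek();` captured a few lines above, so a reader cannot tell at a glance which of the two reaches `isSearchable`; the same shape recurs in the next hunk of this file. Renaming the parameter, e.g. `public boolean accept( Invocation inv, SearchResult result, SearchControls controls )` with `return OldAuthorizationService.this.isSearchable( inv, result );`, removes the ambiguity without changing behaviour. The commented-out block above the return (`//{ // return null; //}`) survives the reformat and should either be deleted or given a one-line reason for staying.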
@@ -435,20 +428,18 @@
}
Invocation invocation = InvocationStack.getInstance().peek();
- return new SearchResultFilteringEnumeration( e, null, invocation,
- new SearchResultFilter()
+ return new SearchResultFilteringEnumeration( e, null, invocation, new SearchResultFilter()
+ {
+ public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
+ throws NamingException
{
- public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
- throws NamingException
- {
- return OldAuthorizationService.this.isSearchable( invocation, result );
- }
- } );
+ return OldAuthorizationService.this.isSearchable( invocation, result );
+ }
+ } );
}
- private boolean isSearchable( Invocation invocataion, SearchResult result )
- throws NamingException
+ private boolean isSearchable( Invocation invocataion, SearchResult result ) throws NamingException
{
Name dn;
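Review bot: The reformatted `isSearchable` signature keeps the misspelled parameter name `invocataion`; `private boolean isSearchable( Invocation invocation, SearchResult result ) throws NamingException` is what the rest of the class uses. The method body lies outside the hunk, so any references to the parameter there need renaming with it.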
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/OldAuthorizationService.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java Sun Feb 19 19:57:02 2006
@@ -83,7 +83,7 @@
*
* @param factoryCfg the context factory configuration for the server
*/
- public TupleCache( DirectoryServiceConfiguration factoryCfg ) throws NamingException
+ public TupleCache(DirectoryServiceConfiguration factoryCfg) throws NamingException
{
this.nexus = factoryCfg.getPartitionNexus();
AttributeTypeRegistry registry = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry();
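Review bot: The reformatted constructor signature `public TupleCache(DirectoryServiceConfiguration factoryCfg) throws NamingException` drops the inner parenthesis spacing that every other signature touched by this commit uses (`( Name normName, Attributes entry )`), so the formatter pass is inconsistent with itself; the ACDFEngine constructor in this same commit has the same shape. I'd expect `public TupleCache( DirectoryServiceConfiguration factoryCfg ) throws NamingException`. The constructor body continues past the hunk.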
@@ -151,7 +151,7 @@
{
// only do something if the entry contains prescriptiveACI
Attribute aci = entry.get( ACI_ATTR );
- if ( ! hasPrescriptiveACI( entry ) )
+ if ( !hasPrescriptiveACI( entry ) )
{
return;
}
@@ -167,7 +167,7 @@
}
catch ( ParseException e )
{
- String msg = "ACIItem parser failure on '"+item+"'. Cannnot add ACITuples to TupleCache.";
+ String msg = "ACIItem parser failure on '" + item + "'. Cannnot add ACITuples to TupleCache.";
log.warn( msg, e );
}
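Review bot: The rewritten warning string still carries the typo `Cannnot`; `String msg = "ACIItem parser failure on '" + item + "'. Cannot add ACITuples to TupleCache.";`. More importantly for an authorization cache, a ParseException here is only logged at warn level and the offending item never reaches the cache, so if the unparseable item was a deny it silently disappears from later access decisions while the rest of the subentry's items still apply; either the message should state that the item was skipped and the subentry is now partially loaded, or the subentry should be rejected as a whole. The catch sits inside a loop whose head is outside the hunk, so the per-item scope is inferred from the message text.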
@@ -178,8 +178,8 @@
public void subentryDeleted( Name normName, Attributes entry ) throws NamingException
- {
- if ( ! hasPrescriptiveACI( entry ) )
+ {
+ if ( !hasPrescriptiveACI( entry ) )
{
return;
}
@@ -190,7 +190,7 @@
public void subentryModified( Name normName, ModificationItem[] mods, Attributes entry ) throws NamingException
{
- if ( ! hasPrescriptiveACI( entry ) )
+ if ( !hasPrescriptiveACI( entry ) )
{
return;
}
@@ -210,7 +210,7 @@
public void subentryModified( Name normName, int modOp, Attributes mods, Attributes entry ) throws NamingException
{
- if ( ! hasPrescriptiveACI( entry ) )
+ if ( !hasPrescriptiveACI( entry ) )
{
return;
}
@@ -220,7 +220,7 @@
subentryDeleted( normName, entry );
subentryAdded( normName.toString(), normName, entry );
}
- }
+ }
public List getACITuples( String subentryDn )
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java Sun Feb 19 19:57:02 2006
@@ -1,223 +1,210 @@
-/*
- * @(#) $Id$
- *
- * Copyright 2004 The Apache Software Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-package org.apache.directory.server.core.authz.support;
-
-import java.util.*;
-
-import javax.naming.Name;
-import javax.naming.NamingException;
-import javax.naming.directory.Attributes;
-
-import org.apache.directory.server.core.event.Evaluator;
-import org.apache.directory.server.core.event.ExpressionEvaluator;
-import org.apache.directory.server.core.partition.DirectoryPartitionNexusProxy;
-import org.apache.directory.server.core.schema.AttributeTypeRegistry;
-import org.apache.directory.server.core.schema.OidRegistry;
-import org.apache.directory.server.core.subtree.RefinementEvaluator;
-import org.apache.directory.server.core.subtree.RefinementLeafEvaluator;
-import org.apache.directory.server.core.subtree.SubtreeEvaluator;
-import org.apache.directory.shared.ldap.aci.ACIItem;
-import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
-
-
-/**
- * An implementation of Access Control Decision Function (18.8, X.501).
- * <p>
- * This engine simply filters the collection of tuples using the following
- * {@link ACITupleFilter}s sequentially:
- * <ol>
- * <li>{@link RelatedUserClassFilter}</li>
- * <li>{@link RelatedProtectedItemFilter}</li>
- * <li>{@link MaxValueCountFilter}</li>
- * <li>{@link MaxImmSubFilter}</li>
- * <li>{@link RestrictedByFilter}</li>
- * <li>{@link MicroOperationFilter}</li>
- * <li>{@link HighestPrecedenceFilter}</li>
- * <li>{@link MostSpecificUserClassFilter}</li>
- * <li>{@link MostSpecificProtectedItemFilter}</li>
- * </ol>
- * <p>
- * Operation is determined to be permitted if and only if there is at least one
- * tuple left and all of them grants the access. (18.8.4. X.501)
- *
- * @author The Apache Directory Project
- * @version $Rev$, $Date$
- */
-public class ACDFEngine
-{
- private final ACITupleFilter[] filters;
-
- /**
- * Creates a new instance.
- *
- * @param oidRegistry an OID registry to be used by internal components
- * @param attrTypeRegistry an attribute type registry to be used by internal components
- *
- * @throws NamingException if failed to initialize internal components
- */
- public ACDFEngine( OidRegistry oidRegistry, AttributeTypeRegistry attrTypeRegistry ) throws NamingException
- {
- Evaluator entryEvaluator = new ExpressionEvaluator( oidRegistry, attrTypeRegistry );
- SubtreeEvaluator subtreeEvaluator = new SubtreeEvaluator( oidRegistry );
- RefinementEvaluator refinementEvaluator = new RefinementEvaluator(
- new RefinementLeafEvaluator( oidRegistry ) );
-
- filters = new ACITupleFilter[] {
- new RelatedUserClassFilter( subtreeEvaluator ),
- new RelatedProtectedItemFilter( refinementEvaluator, entryEvaluator ),
- new MaxValueCountFilter(),
- new MaxImmSubFilter(),
- new RestrictedByFilter(),
- new MicroOperationFilter(),
- new HighestPrecedenceFilter(),
- new MostSpecificUserClassFilter(),
- new MostSpecificProtectedItemFilter(),
- };
- }
-
- /**
- * Checks the user with the specified name can access the specified resource
- * (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
- * if the user doesn't have any permission to perform the specified grants.
- *
- * @param proxy the proxy to the partition nexus
- * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
- * @param username the DN of the user who is trying to access the resource
- * @param entryName the DN of the entry the user is trying to access
- * @param attrId the attribute type of the attribute the user is trying to access.
- * <tt>null</tt> if the user is not accessing a specific attribute type.
- * @param attrValue the attribute value of the attribute the user is trying to access.
- * <tt>null</tt> if the user is not accessing a specific attribute value.
- * @param microOperations the {@link MicroOperation}s to perform
- * @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
- * @throws NamingException if failed to evaluate ACI items
- */
- public void checkPermission(
- DirectoryPartitionNexusProxy proxy,
- Collection userGroupNames, Name username, AuthenticationLevel authenticationLevel,
- Name entryName, String attrId, Object attrValue,
- Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
- {
- if( !hasPermission(
- proxy,
- userGroupNames, username, authenticationLevel,
- entryName, attrId, attrValue,
- microOperations, aciTuples, entry ) )
- {
- throw new LdapNoPermissionException();
- }
- }
-
-
- public static final Collection USER_LOOKUP_BYPASS;
- static
- {
- Collection c = new HashSet();
- c.add( "normalizationService" );
- c.add( "authenticationService" );
- c.add( "authorizationService" );
- c.add( "oldAuthorizationService" );
- c.add( "schemaService" );
- c.add( "subentryService" );
- c.add( "operationalAttributeService" );
- c.add( "eventService" );
- USER_LOOKUP_BYPASS = Collections.unmodifiableCollection( c );
- }
-
-
- /**
- * Returns <tt>true</tt> if the user with the specified name can access the specified resource
- * (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
- * if the user doesn't have any permission to perform the specified grants.
- *
- * @param proxy the proxy to the partition nexus
- * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
- * @param userName the DN of the user who is trying to access the resource
- * @param entryName the DN of the entry the user is trying to access
- * @param attrId the attribute type of the attribute the user is trying to access.
- * <tt>null</tt> if the user is not accessing a specific attribute type.
- * @param attrValue the attribute value of the attribute the user is trying to access.
- * <tt>null</tt> if the user is not accessing a specific attribute value.
- * @param microOperations the {@link MicroOperation}s to perform
- * @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
- */
- public boolean hasPermission(
- DirectoryPartitionNexusProxy proxy,
- Collection userGroupNames, Name userName, AuthenticationLevel authenticationLevel,
- Name entryName, String attrId, Object attrValue,
- Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
- {
- if( entryName == null )
- {
- throw new NullPointerException( "entryName" );
- }
-
- Attributes userEntry = proxy.lookup( userName, USER_LOOKUP_BYPASS );
-
- // Determine the scope of the requested operation.
- OperationScope scope;
- if( attrId == null )
- {
- scope = OperationScope.ENTRY;
- }
- else if( attrValue == null )
- {
- scope = OperationScope.ATTRIBUTE_TYPE;
- }
- else
- {
- scope = OperationScope.ATTRIBUTE_TYPE_AND_VALUE;
- }
-
- // Clone aciTuples in case it is unmodifiable.
- aciTuples = new ArrayList( aciTuples );
-
- // Filter unrelated and invalid tuples
- for( int i = 0; i < filters.length; i++ )
- {
- ACITupleFilter filter = filters[ i ];
- aciTuples = filter.filter(
- aciTuples, scope, proxy,
- userGroupNames, userName, userEntry, authenticationLevel,
- entryName, attrId, attrValue, entry, microOperations );
- }
-
- // Deny access if no tuples left.
- if( aciTuples.size() == 0 )
- {
- return false;
- }
-
- // Grant access if and only if one or more tuples remain and
- // all grant access. Otherwise deny access.
- for( Iterator i = aciTuples.iterator(); i.hasNext(); )
- {
- ACITuple tuple = ( ACITuple ) i.next();
- if( !tuple.isGrant() )
- {
- return false;
- }
- }
-
- return true;
- }
-}
+/*
+ * @(#) $Id$
+ *
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.*;
+
+import javax.naming.Name;
+import javax.naming.NamingException;
+import javax.naming.directory.Attributes;
+
+import org.apache.directory.server.core.event.Evaluator;
+import org.apache.directory.server.core.event.ExpressionEvaluator;
+import org.apache.directory.server.core.partition.DirectoryPartitionNexusProxy;
+import org.apache.directory.server.core.schema.AttributeTypeRegistry;
+import org.apache.directory.server.core.schema.OidRegistry;
+import org.apache.directory.server.core.subtree.RefinementEvaluator;
+import org.apache.directory.server.core.subtree.RefinementLeafEvaluator;
+import org.apache.directory.server.core.subtree.SubtreeEvaluator;
+import org.apache.directory.shared.ldap.aci.ACIItem;
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
+import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+
+
+/**
+ * An implementation of Access Control Decision Function (18.8, X.501).
+ * <p>
+ * This engine simply filters the collection of tuples using the following
+ * {@link ACITupleFilter}s sequentially:
+ * <ol>
+ * <li>{@link RelatedUserClassFilter}</li>
+ * <li>{@link RelatedProtectedItemFilter}</li>
+ * <li>{@link MaxValueCountFilter}</li>
+ * <li>{@link MaxImmSubFilter}</li>
+ * <li>{@link RestrictedByFilter}</li>
+ * <li>{@link MicroOperationFilter}</li>
+ * <li>{@link HighestPrecedenceFilter}</li>
+ * <li>{@link MostSpecificUserClassFilter}</li>
+ * <li>{@link MostSpecificProtectedItemFilter}</li>
+ * </ol>
+ * <p>
+ * Operation is determined to be permitted if and only if there is at least one
+ * tuple left and all of them grants the access. (18.8.4. X.501)
+ *
+ * @author The Apache Directory Project
+ * @version $Rev$, $Date$
+ */
+public class ACDFEngine
+{
+ private final ACITupleFilter[] filters;
+
+
+ /**
+ * Creates a new instance.
+ *
+ * @param oidRegistry an OID registry to be used by internal components
+ * @param attrTypeRegistry an attribute type registry to be used by internal components
+ *
+ * @throws NamingException if failed to initialize internal components
+ */
+ public ACDFEngine(OidRegistry oidRegistry, AttributeTypeRegistry attrTypeRegistry) throws NamingException
+ {
+ Evaluator entryEvaluator = new ExpressionEvaluator( oidRegistry, attrTypeRegistry );
+ SubtreeEvaluator subtreeEvaluator = new SubtreeEvaluator( oidRegistry );
+ RefinementEvaluator refinementEvaluator = new RefinementEvaluator( new RefinementLeafEvaluator( oidRegistry ) );
+
+ filters = new ACITupleFilter[]
+ { new RelatedUserClassFilter( subtreeEvaluator ),
+ new RelatedProtectedItemFilter( refinementEvaluator, entryEvaluator ), new MaxValueCountFilter(),
+ new MaxImmSubFilter(), new RestrictedByFilter(), new MicroOperationFilter(),
+ new HighestPrecedenceFilter(), new MostSpecificUserClassFilter(),
+ new MostSpecificProtectedItemFilter(), };
+ }
+
+
+ /**
+ * Checks the user with the specified name can access the specified resource
+ * (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
+ * if the user doesn't have any permission to perform the specified grants.
+ *
+ * @param proxy the proxy to the partition nexus
+ * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
+ * @param username the DN of the user who is trying to access the resource
+ * @param entryName the DN of the entry the user is trying to access
+ * @param attrId the attribute type of the attribute the user is trying to access.
+ * <tt>null</tt> if the user is not accessing a specific attribute type.
+ * @param attrValue the attribute value of the attribute the user is trying to access.
+ * <tt>null</tt> if the user is not accessing a specific attribute value.
+ * @param microOperations the {@link MicroOperation}s to perform
+ * @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
+ * @throws NamingException if failed to evaluate ACI items
+ */
+ public void checkPermission( DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name username,
+ AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue,
+ Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
+ {
+ if ( !hasPermission( proxy, userGroupNames, username, authenticationLevel, entryName, attrId, attrValue,
+ microOperations, aciTuples, entry ) )
+ {
+ throw new LdapNoPermissionException();
+ }
+ }
+
+ public static final Collection USER_LOOKUP_BYPASS;
+ static
+ {
+ Collection c = new HashSet();
+ c.add( "normalizationService" );
+ c.add( "authenticationService" );
+ c.add( "authorizationService" );
+ c.add( "oldAuthorizationService" );
+ c.add( "schemaService" );
+ c.add( "subentryService" );
+ c.add( "operationalAttributeService" );
+ c.add( "eventService" );
+ USER_LOOKUP_BYPASS = Collections.unmodifiableCollection( c );
+ }
+
+
+ /**
+ * Returns <tt>true</tt> if the user with the specified name can access the specified resource
+ * (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
+ * if the user doesn't have any permission to perform the specified grants.
+ *
+ * @param proxy the proxy to the partition nexus
+ * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
+ * @param userName the DN of the user who is trying to access the resource
+ * @param entryName the DN of the entry the user is trying to access
+ * @param attrId the attribute type of the attribute the user is trying to access.
+ * <tt>null</tt> if the user is not accessing a specific attribute type.
+ * @param attrValue the attribute value of the attribute the user is trying to access.
+ * <tt>null</tt> if the user is not accessing a specific attribute value.
+ * @param microOperations the {@link MicroOperation}s to perform
+ * @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
+ */
+ public boolean hasPermission( DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName,
+ AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue,
+ Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
+ {
+ if ( entryName == null )
+ {
+ throw new NullPointerException( "entryName" );
+ }
+
+ Attributes userEntry = proxy.lookup( userName, USER_LOOKUP_BYPASS );
+
+ // Determine the scope of the requested operation.
+ OperationScope scope;
+ if ( attrId == null )
+ {
+ scope = OperationScope.ENTRY;
+ }
+ else if ( attrValue == null )
+ {
+ scope = OperationScope.ATTRIBUTE_TYPE;
+ }
+ else
+ {
+ scope = OperationScope.ATTRIBUTE_TYPE_AND_VALUE;
+ }
+
+ // Clone aciTuples in case it is unmodifiable.
+ aciTuples = new ArrayList( aciTuples );
+
+ // Filter unrelated and invalid tuples
+ for ( int i = 0; i < filters.length; i++ )
+ {
+ ACITupleFilter filter = filters[i];
+ aciTuples = filter.filter( aciTuples, scope, proxy, userGroupNames, userName, userEntry,
+ authenticationLevel, entryName, attrId, attrValue, entry, microOperations );
+ }
+
+ // Deny access if no tuples left.
+ if ( aciTuples.size() == 0 )
+ {
+ return false;
+ }
+
+ // Grant access if and only if one or more tuples remain and
+ // all grant access. Otherwise deny access.
+ for ( Iterator i = aciTuples.iterator(); i.hasNext(); )
+ {
+ ACITuple tuple = ( ACITuple ) i.next();
+ if ( !tuple.isGrant() )
+ {
+ return false;
+ }
+ }
+
+ return true;
+ }
+}
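Review bot: The Javadoc on `hasPermission` is a copy of `checkPermission`'s and is wrong for this method — it says the method throws LdapNoPermissionException, whereas the body returns `false` on denial; it also documents neither `authenticationLevel` nor `entry` (the same two are missing on `checkPermission`) and has no `@return`. I'd replace its first sentence with "Returns <tt>true</tt> if the user with the specified name can access the specified resource (entry, attribute type, or attribute value), <tt>false</tt> otherwise; no exception is thrown for a denial" and add `@param authenticationLevel the authentication level the user was bound with`, `@param entry the attributes of the entry being accessed` and `@return <tt>true</tt> if at least one tuple survives the filter chain and all surviving tuples grant access`. The method guards only `entryName` against null while `userName` is dereferenced just as unconditionally through `proxy.lookup`; a matching `if ( userName == null ) { throw new NullPointerException( "userName" ); }` would give a clearer failure. The reformatted constructor `public ACDFEngine(OidRegistry oidRegistry, AttributeTypeRegistry attrTypeRegistry)` also lost the inner parenthesis spacing used by every other signature in this commit.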
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
------------------------------------------------------------------------------
--- svn:keywords (original)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -1 +1,4 @@
-HeadURL Id LastChangedBy LastChangedDate LastChangedRevision
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java Sun Feb 19 19:57:02 2006
@@ -18,6 +18,7 @@
*/
package org.apache.directory.server.core.authz.support;
+
import java.util.Collection;
import javax.naming.Name;
@@ -59,10 +60,8 @@
* @return the collection of filtered tuples
* @throws NamingException if failed to filter the specifiec tuples
*/
- Collection filter(
- Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
- Collection userGroupNames, Name userName, Attributes userEntry,
- AuthenticationLevel authenticationLevel,
- Name entryName, String attrId, Object attrValue, Attributes entry,
- Collection microOperations ) throws NamingException;
+ Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
+ Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+ Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+ throws NamingException;
}
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
------------------------------------------------------------------------------
--- svn:keywords (original)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -1 +1,4 @@
-HeadURL Id LastChangedBy LastChangedDate LastChangedRevision
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java Sun Feb 19 19:57:02 2006
@@ -18,6 +18,7 @@
*/
package org.apache.directory.server.core.authz.support;
+
import java.util.Collection;
import java.util.Iterator;
@@ -39,9 +40,12 @@
*/
public class HighestPrecedenceFilter implements ACITupleFilter
{
- public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+ public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
+ Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+ Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+ throws NamingException
{
- if( tuples.size() <= 1 )
+ if ( tuples.size() <= 1 )
{
return tuples;
}
@@ -49,20 +53,20 @@
int maxPrecedence = -1;
// Find the maximum precedence for all tuples.
- for( Iterator i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator i = tuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
- if( tuple.getPrecedence() > maxPrecedence )
+ if ( tuple.getPrecedence() > maxPrecedence )
{
maxPrecedence = tuple.getPrecedence();
}
}
// Remove all tuples whose precedences are not the maximum one.
- for( Iterator i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator i = tuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
- if( tuple.getPrecedence() != maxPrecedence )
+ if ( tuple.getPrecedence() != maxPrecedence )
{
i.remove();
}
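Review bot: `i.remove()` in the second loop edits the caller's `tuples` collection in place, so this filter only works when it is handed a modifiable collection, and nothing in the visible `ACITupleFilter` Javadoc states that precondition. ACDFEngine copies the tuples into a fresh ArrayList before running the filter chain, which is what makes this safe today, but the dependency is implicit and a new caller of the filter would not know. I'd add above the loop `// Mutates the caller's collection: relies on ACDFEngine handing over a private ArrayList copy.` and record the precondition in the interface Javadoc. The method's `return tuples;` lies outside the hunk.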
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
------------------------------------------------------------------------------
--- svn:keywords (original)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -1 +1,4 @@
-HeadURL Id LastChangedBy LastChangedDate LastChangedRevision
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java Sun Feb 19 19:57:02 2006
@@ -18,6 +18,7 @@
*/
package org.apache.directory.server.core.authz.support;
+
import java.util.*;
import javax.naming.Name;
@@ -46,6 +47,7 @@
private final ExprNode childrenFilter;
private final SearchControls childrenSearchControls;
+
public MaxImmSubFilter()
{
childrenFilter = new PresenceNode( "objectClass" );
@@ -53,45 +55,49 @@
childrenSearchControls.setSearchScope( SearchControls.ONELEVEL_SCOPE );
}
- public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+
+ public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
+ Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+ Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+ throws NamingException
{
- if( entryName.size() == 0 )
+ if ( entryName.size() == 0 )
{
return tuples;
}
- if( tuples.size() == 0 )
+ if ( tuples.size() == 0 )
{
return tuples;
}
- if( scope != OperationScope.ENTRY )
+ if ( scope != OperationScope.ENTRY )
{
return tuples;
}
int immSubCount = -1;
- for( Iterator i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator i = tuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
- if( !tuple.isGrant() )
+ if ( !tuple.isGrant() )
{
continue;
}
- for( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
+ for ( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
{
ProtectedItem item = ( ProtectedItem ) j.next();
- if( item instanceof ProtectedItem.MaxImmSub )
+ if ( item instanceof ProtectedItem.MaxImmSub )
{
- if( immSubCount < 0 )
+ if ( immSubCount < 0 )
{
immSubCount = getImmSubCount( proxy, entryName );
}
ProtectedItem.MaxImmSub mis = ( ProtectedItem.MaxImmSub ) item;
- if( immSubCount >= mis.getValue() )
+ if ( immSubCount >= mis.getValue() )
{
i.remove();
break;
@@ -103,7 +109,6 @@
return tuples;
}
-
public static final Collection SEARCH_BYPASS;
static
{
@@ -126,20 +131,19 @@
NamingEnumeration e = null;
try
{
- e = proxy.search(
- entryName.getPrefix( 1 ), new HashMap(),
- childrenFilter, childrenSearchControls, SEARCH_BYPASS );
+ e = proxy.search( entryName.getPrefix( 1 ), new HashMap(), childrenFilter, childrenSearchControls,
+ SEARCH_BYPASS );
- while( e.hasMore() )
+ while ( e.hasMore() )
{
e.next();
- cnt ++;
+ cnt++;
}
}
finally
{
- if( e != null )
+ if ( e != null )
{
e.close();
}
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
------------------------------------------------------------------------------
--- svn:keywords (original)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -1 +1,4 @@
-HeadURL Id LastChangedBy LastChangedDate LastChangedRevision
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java Sun Feb 19 19:57:02 2006
@@ -18,6 +18,7 @@
*/
package org.apache.directory.server.core.authz.support;
+
import java.util.Collection;
import java.util.Iterator;
@@ -42,33 +43,36 @@
*/
public class MaxValueCountFilter implements ACITupleFilter
{
- public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+ public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
+ Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+ Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+ throws NamingException
{
- if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+ if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
{
return tuples;
}
- if( tuples.size() == 0 )
+ if ( tuples.size() == 0 )
{
return tuples;
}
- for( Iterator i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator i = tuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
- if( !tuple.isGrant() )
+ if ( !tuple.isGrant() )
{
continue;
}
- for( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
+ for ( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
{
ProtectedItem item = ( ProtectedItem ) j.next();
- if( item instanceof ProtectedItem.MaxValueCount )
+ if ( item instanceof ProtectedItem.MaxValueCount )
{
ProtectedItem.MaxValueCount mvc = ( ProtectedItem.MaxValueCount ) item;
- if( isRemovable( mvc, attrId, entry ) )
+ if ( isRemovable( mvc, attrId, entry ) )
{
i.remove();
break;
@@ -80,16 +84,17 @@
return tuples;
}
+
private boolean isRemovable( ProtectedItem.MaxValueCount mvc, String attrId, Attributes entry )
{
- for( Iterator k = mvc.iterator(); k.hasNext(); )
+ for ( Iterator k = mvc.iterator(); k.hasNext(); )
{
MaxValueCountItem mvcItem = ( MaxValueCountItem ) k.next();
- if( attrId.equalsIgnoreCase( mvcItem.getAttributeType() ) )
+ if ( attrId.equalsIgnoreCase( mvcItem.getAttributeType() ) )
{
Attribute attr = entry.get( attrId );
- int attrCount = attr == null? 0 : attr.size();
- if( attrCount >= mvcItem.getMaxCount() )
+ int attrCount = attr == null ? 0 : attr.size();
+ if ( attrCount >= mvcItem.getMaxCount() )
{
return true;
}
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java
------------------------------------------------------------------------------
--- svn:keywords (original)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -1 +1,4 @@
-HeadURL Id LastChangedBy LastChangedDate LastChangedRevision
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java Sun Feb 19 19:57:02 2006
@@ -18,6 +18,7 @@
*/
package org.apache.directory.server.core.authz.support;
+
import java.util.Collection;
import java.util.Iterator;
@@ -42,17 +43,16 @@
public class MicroOperationFilter implements ACITupleFilter
{
public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
- Collection userGroupNames, Name userName, Attributes userEntry,
- AuthenticationLevel authenticationLevel, Name entryName, String attrId,
- Object attrValue, Attributes entry, Collection microOperations )
- throws NamingException
+ Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+ Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+ throws NamingException
{
- if( tuples.size() == 0 )
+ if ( tuples.size() == 0 )
{
return tuples;
}
- for( Iterator i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator i = tuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
@@ -63,17 +63,17 @@
*/
boolean retain = true;
- for( Iterator j = microOperations.iterator(); j.hasNext(); )
+ for ( Iterator j = microOperations.iterator(); j.hasNext(); )
{
MicroOperation microOp = ( MicroOperation ) j.next();
- if( ! tuple.getMicroOperations().contains( microOp ) )
+ if ( !tuple.getMicroOperations().contains( microOp ) )
{
retain = false;
break;
}
}
- if( !retain )
+ if ( !retain )
{
i.remove();
}
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
------------------------------------------------------------------------------
--- svn:keywords (original)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -1 +1,4 @@
-HeadURL Id LastChangedBy LastChangedDate LastChangedRevision
+Rev
+Revision
+Date
+Id