com.ibm.sec.authz.jaccplus.config.internal
Class RoleMappingImpl

java.lang.Object
  extended by com.ibm.sec.authz.jaccplus.config.internal.RoleMappingImpl
All Implemented Interfaces:
RoleMappingConfiguration

public class RoleMappingImpl
extends java.lang.Object
implements RoleMappingConfiguration

Application-server-agnostic implementation for adding users and groups to roles. Any server-specific code calls this implementation.

Roles are mapped to users and groups using the Target of XACML rules. Policy deployed by JACCPlus has the following structure, which is aligned with the XACML v2.0 RBAC profile. ( -> are links between policy files)

 [root policy] -> RPS:[role1] -> PPS:[role1]
               -> RPS:[role2] -> PPS:[role2]
 

"RPS" stands for "Role Policy Set" and contains the user and group mappings for each role. "PPS" stands for "Permission Policy Set" and contains the actual policy for that role.

The Target of the RPS is updated to contain subject-id and group-id checks, causing this policy to be applicable for the desired users and groups.

To map roles to roles, that is to enable hierarchical role mappings, we add additional links between the RPS and various PPS policies. For example, to ensure that 'role1' can do everything that 'role2' can do, we set up links as follows:

 [root policy] -> RPS:[role1] -> PPS:[role1]
                              -> PPS:[role2]
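
Usage example (added here; not code from the JACCPlus distribution). It drives the API documented on this page to build the mappings for one policy context, including the hierarchical 'employee' -> 'manager' link, and then commits them. The context identifier "hrapp#hrapp.war", the empty Properties, the meaning of the remove flag and the user, group and role names are assumptions, since the page does not document them:

```java
import java.util.Arrays;
import java.util.Properties;

import javax.security.jacc.PolicyContextException;

import com.ibm.sec.authz.jaccplus.config.internal.RoleMappingImpl;

/**
 * Added usage example (not part of JACCPlus): build the role mappings for one
 * policy context and commit them in one batch.
 */
public class RoleMappingExample {

    // Assumed: the JACC policy context identifier of the deployed application.
    // The real value is whatever the application server hands to JACCPlus.
    static final String CONTEXT_ID = "hrapp#hrapp.war";

    public static void main(String[] args) throws PolicyContextException {
        // Assumed: JACCPlus-specific settings live in this Properties object;
        // it is left empty because the page documents no property names.
        Properties props = new Properties();

        // Assumed: remove == false keeps the mappings already stored for this
        // context instead of discarding them before the new ones are applied.
        RoleMappingImpl mapping = new RoleMappingImpl(CONTEXT_ID, false, props);

        // Constructed principal and group names, as the server's registry knows them.
        mapping.addUsersToRole("employee", Arrays.asList("alice", "bob"));
        mapping.addGroupsToRole("employee", Arrays.asList("staff"));
        mapping.addUsersToRole("manager", Arrays.asList("carol"));

        // Hierarchy: RPS:[manager] gets an extra link to PPS:[employee], so a
        // manager can do everything an employee can do. Argument order matters:
        // the first argument names the role whose permissions are handed out.
        mapping.addRoleToRole("employee", "manager");

        // Write the accumulated changes to the underlying XACML policy.
        mapping.commit();

        // Read back what was stored, for a quick sanity check.
        System.out.println("users in employee:  " + mapping.getUsersInRole("employee"));
        System.out.println("groups in employee: " + mapping.getGroupsInRole("employee"));
        System.out.println("roles mapped to employee: " + mapping.getRolesInRole("employee"));
    }
}
```

If addRoleToRole were called with the arguments reversed, every employee would receive all manager permissions; review hierarchy calls with the same care as direct user grants.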
 


Field Summary
static java.lang.String ALL_AUTHENTICATED_USERS
           
 
Constructor Summary
RoleMappingImpl(java.lang.String contextId, boolean remove, java.util.Properties props)
           
 
Method Summary
 void addGroupsToRole(java.lang.String role, java.util.List<java.lang.String> groups)
          This method is used to add one or more groups to a given role.
 void addRoleToRole(java.lang.String role, java.lang.String mappedRole)
          This method is used to map a role to a specified role.
 void addUsersToRole(java.lang.String role, java.util.List<java.lang.String> users)
          This method is used to add one or more users to a given role.
 void commit()
          This method is used to commit all changes to the underlying policy.
 void delete()
          This method is used to delete the currently configured user/group to role mappings.
 java.lang.String getContextID()
          This method is used to get the context identifier that we are configuring policy for.
 java.util.List<java.lang.String> getGroupsInRole(java.lang.String role)
          This method is used to get a list of groups that are currently in the specified role.
 java.util.Set<java.lang.String> getRoles()
          This method gets the Set of all currently configured roles.
 java.util.List<java.lang.String> getRolesInRole(java.lang.String role)
          This method is used to get a list of roles that are currently mapped to the specified role.
 java.util.List<java.lang.String> getUsersInRole(java.lang.String role)
          This method is used to get a list of users that are currently in the specified role.
 boolean isAuthenticatedUsersInRole(java.lang.String role)
          This method is used to check if all authenticated users have access to the specified role.
 boolean isEveryoneInRole(java.lang.String role)
          This method is used to check if all users have access to the specified role.
 boolean isRequiredRole(java.lang.String role)
          This method is used to determine if a given role is required by other modules (such as in a J2EE application) and therefore cannot be removed using the removeRole method.
 void removeAuthenticatedUsersFromRole(java.lang.String role)
          This method is used to remove the "all authenticated users" meta-user from a given role.
 void removeEveryoneFromRole(java.lang.String role)
          This method is used to remove the "everyone" meta-user from a given role.
 void removeGroupsFromRole(java.lang.String role, java.util.List<java.lang.String> groups)
          This method is used to remove one or more groups from a given role.
 boolean removeRole(java.lang.String role)
          This method is used to remove a role.
 void removeRoleFromRole(java.lang.String role, java.lang.String mappedRole)
          This method is used to remove a mapped role from the specified role.
 void removeUsersFromRole(java.lang.String role, java.util.List<java.lang.String> users)
          This method is used to remove one or more users from a given role.
 void setAuthenticatedUsersToRole(java.lang.String role)
          This method is used to add all users that have been authenticated to a given role.
 void setEveryoneToRole(java.lang.String role)
          This method is used to add all users, authenticated or not, to a given role.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ALL_AUTHENTICATED_USERS

public static final java.lang.String ALL_AUTHENTICATED_USERS
See Also:
Constant Field Values
Constructor Detail

RoleMappingImpl

public RoleMappingImpl(java.lang.String contextId,
                       boolean remove,
                       java.util.Properties props)
                throws javax.security.jacc.PolicyContextException
Throws:
javax.security.jacc.PolicyContextException
Method Detail

setAuthenticatedUsersToRole

public void setAuthenticatedUsersToRole(java.lang.String role)
                                 throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to add all users that have been authenticated to a given role.

Specified by:
setAuthenticatedUsersToRole in interface RoleMappingConfiguration
Parameters:
role - The role to add all authenticated users to.
Throws:
javax.security.jacc.PolicyContextException

setEveryoneToRole

public void setEveryoneToRole(java.lang.String role)
                       throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to add all users, authenticated or not, to a given role.

Specified by:
setEveryoneToRole in interface RoleMappingConfiguration
Parameters:
role - The role to add everyone to.
Throws:
javax.security.jacc.PolicyContextException

addGroupsToRole

public void addGroupsToRole(java.lang.String role,
                            java.util.List<java.lang.String> groups)
                     throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to add one or more groups to a given role.

Specified by:
addGroupsToRole in interface RoleMappingConfiguration
Parameters:
role - The role to add groups to.
groups - A list containing the String names of groups to be added to the specified role.
Throws:
javax.security.jacc.PolicyContextException

addUsersToRole

public void addUsersToRole(java.lang.String role,
                           java.util.List<java.lang.String> users)
                    throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to add one or more users to a given role.

Specified by:
addUsersToRole in interface RoleMappingConfiguration
Parameters:
role - The role to add users to.
users - A list containing the String names of users to be added to the specified role.
Throws:
javax.security.jacc.PolicyContextException

addRoleToRole

public void addRoleToRole(java.lang.String role,
                          java.lang.String mappedRole)
                   throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to map a role to a specified role. Any users that are granted the mapped role will have all the permissions of the role it was mapped to.

For example, using two roles 'manager' and 'employee', calling addRoleToRole( 'employee', 'manager' ) ensures that managers can do anything employees can do, since they receive all the permissions associated with employees. The argument order sets the direction of the grant: addRoleToRole( 'manager', 'employee' ) would instead give every employee all manager permissions.

Specified by:
addRoleToRole in interface RoleMappingConfiguration
Parameters:
role - The role whose permissions we want to map to.
mappedRole - This is the role to be mapped to the specified role.
Throws:
javax.security.jacc.PolicyContextException

commit

public void commit()
            throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to commit all changes to the underlying policy.

Specified by:
commit in interface RoleMappingConfiguration
Throws:
javax.security.jacc.PolicyContextException

delete

public void delete()
            throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to delete the currently configured user/group to role mappings.

Specified by:
delete in interface RoleMappingConfiguration
Throws:
javax.security.jacc.PolicyContextException

getContextID

public java.lang.String getContextID()
Description copied from interface: RoleMappingConfiguration
This method is used to get the context identifier that we are configuring policy for.

Specified by:
getContextID in interface RoleMappingConfiguration
Returns:
A String identifying the policy context.

removeAuthenticatedUsersFromRole

public void removeAuthenticatedUsersFromRole(java.lang.String role)
                                      throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove the "all authenticated users" meta-user from a given role.

Specified by:
removeAuthenticatedUsersFromRole in interface RoleMappingConfiguration
Parameters:
role - The role from which to remove the "all authenticated users" meta-user.
Throws:
javax.security.jacc.PolicyContextException

removeEveryoneFromRole

public void removeEveryoneFromRole(java.lang.String role)
                            throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove the "everyone" meta-user from a given role.

Specified by:
removeEveryoneFromRole in interface RoleMappingConfiguration
Parameters:
role - The role from which to remove the "everyone" meta-user.
Throws:
javax.security.jacc.PolicyContextException

removeGroupsFromRole

public void removeGroupsFromRole(java.lang.String role,
                                 java.util.List<java.lang.String> groups)
                          throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove one or more groups from a given role.

Specified by:
removeGroupsFromRole in interface RoleMappingConfiguration
Parameters:
role - The role from which to remove groups.
groups - A list containing the String names of groups to be removed from the specified role.
Throws:
javax.security.jacc.PolicyContextException

removeUsersFromRole

public void removeUsersFromRole(java.lang.String role,
                                java.util.List<java.lang.String> users)
                         throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove one or more users from a given role.

Specified by:
removeUsersFromRole in interface RoleMappingConfiguration
Parameters:
role - The role from which to remove users.
users - A list containing the String names of users to be removed from the specified role.
Throws:
javax.security.jacc.PolicyContextException

removeRoleFromRole

public void removeRoleFromRole(java.lang.String role,
                               java.lang.String mappedRole)
                        throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove a mapped role from the specified role.

Specified by:
removeRoleFromRole in interface RoleMappingConfiguration
Parameters:
role - The role to remove a mapped role from.
mappedRole - The mapped role to remove from the specified role.
Throws:
javax.security.jacc.PolicyContextException

getGroupsInRole

public java.util.List<java.lang.String> getGroupsInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to get a list of groups that are currently in the specified role.

Specified by:
getGroupsInRole in interface RoleMappingConfiguration
Parameters:
role - The role to return a list of groups for.
Returns:
A List containing the String names of all groups found in the specified role.

getUsersInRole

public java.util.List<java.lang.String> getUsersInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to get a list of users that are currently in the specified role.

Specified by:
getUsersInRole in interface RoleMappingConfiguration
Parameters:
role - The role whose users are to be returned.
Returns:
A List containing the String names of all users found in the specified role.

isAuthenticatedUsersInRole

public boolean isAuthenticatedUsersInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to check if all authenticated users have access to the specified role.

Specified by:
isAuthenticatedUsersInRole in interface RoleMappingConfiguration
Parameters:
role - The role to check if all authenticated users have access to.
Returns:
true if all authenticated users have access to the specified role, false otherwise.

isEveryoneInRole

public boolean isEveryoneInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to check if all users have access to the specified role.

Specified by:
isEveryoneInRole in interface RoleMappingConfiguration
Parameters:
role - The role to check if everyone has access to.
Returns:
true if everyone has access to the specified role, false otherwise.

getRoles

public java.util.Set<java.lang.String> getRoles()
This method gets the Set of all currently configured roles.

Specified by:
getRoles in interface RoleMappingConfiguration
Returns:
A Set containing the String names of all configured roles.

getRolesInRole

public java.util.List<java.lang.String> getRolesInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to get a list of roles that are currently mapped to the specified role.

Specified by:
getRolesInRole in interface RoleMappingConfiguration
Parameters:
role - The role whose mapped roles are to be returned.
Returns:
A List containing the String names of all roles found mapped to the specified role.
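
Review helper (added here; not code from the JACCPlus distribution) that uses the read-only methods above, isEveryoneInRole, isAuthenticatedUsersInRole and getRolesInRole, to flag the grants a reviewer cares about most: roles open to unauthenticated callers, roles open to every authenticated user, and roles that inherit another role's permissions. It mutates nothing, so it can be run against a live context. The context identifier and empty Properties are assumptions; the severity labels are the author's, not JACCPlus's:

```java
import java.util.List;
import java.util.Properties;

import javax.security.jacc.PolicyContextException;

import com.ibm.sec.authz.jaccplus.config.internal.RoleMappingImpl;

/** Added review helper (not part of JACCPlus): report overly broad role grants. */
public class RoleMappingAudit {

    /** Prints one line per finding; reads the configuration only. */
    public static void audit(RoleMappingImpl mapping) {
        for (String role : mapping.getRoles()) {
            // Everyone includes unauthenticated callers: the broadest possible grant.
            if (mapping.isEveryoneInRole(role)) {
                System.out.println("[HIGH]   '" + role + "' is granted to everyone, unauthenticated included");
            } else if (mapping.isAuthenticatedUsersInRole(role)) {
                System.out.println("[MEDIUM] '" + role + "' is granted to all authenticated users");
            }

            // Roles mapped to this one via addRoleToRole hold all of its permissions
            // (see addRoleToRole above), so they widen its effective membership.
            List<String> inheriting = mapping.getRolesInRole(role);
            if (!inheriting.isEmpty()) {
                System.out.println("[INFO]   roles holding all permissions of '" + role + "': " + inheriting);
            }

            // Direct membership, for the reviewer to compare against the registry.
            System.out.println("         '" + role + "' users=" + mapping.getUsersInRole(role)
                    + " groups=" + mapping.getGroupsInRole(role));
        }
    }

    public static void main(String[] args) throws PolicyContextException {
        // Assumed context identifier and empty properties; see the constructor above.
        RoleMappingImpl mapping = new RoleMappingImpl("hrapp#hrapp.war", false, new Properties());
        audit(mapping);
    }
}
```

A role flagged [HIGH] is usually a mistake unless it protects only public content; the fix is removeEveryoneFromRole followed by commit, which this helper deliberately leaves to the operator.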

isRequiredRole

public boolean isRequiredRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to determine if a given role is required by other modules (such as in a J2EE application) and therefore cannot be removed using the removeRole method.

Specified by:
isRequiredRole in interface RoleMappingConfiguration
Parameters:
role - The role to check.
Returns:
true if the role is a required role, false otherwise.

removeRole

public boolean removeRole(java.lang.String role)
                   throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove a role. It cannot be used to remove J2EE-deployed roles; use isRequiredRole to determine whether a role can be removed.

Specified by:
removeRole in interface RoleMappingConfiguration
Parameters:
role - The role to remove.
Returns:
true if the role existed and was removed, false otherwise.
Throws:
javax.security.jacc.PolicyContextException - If the role is a J2EE-deployed, and therefore required, role.
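
Guarded removal (added here; not code from the JACCPlus distribution) that follows the contract stated above: consult isRequiredRole before calling removeRole, so a J2EE-deployed role never trips the PolicyContextException, and commit only when something was actually removed. The context identifier, empty Properties and the role names 'contractor' (an ad-hoc administrative role) and 'employee' (assumed to be declared by the application) are constructed for the example:

```java
import java.util.Properties;

import javax.security.jacc.PolicyContextException;

import com.ibm.sec.authz.jaccplus.config.internal.RoleMappingImpl;

/** Added example (not part of JACCPlus): remove a role only when it is not required. */
public class RoleRemovalExample {

    /**
     * Removes the role and commits the change. Returns true when the role existed
     * and was removed; false when it is required by the application (left in place)
     * or did not exist (nothing to commit).
     */
    public static boolean removeIfAllowed(RoleMappingImpl mapping, String role)
            throws PolicyContextException {
        // Required roles are declared by the deployed application; removeRole()
        // rejects them with a PolicyContextException, so check before calling it.
        if (mapping.isRequiredRole(role)) {
            System.out.println("'" + role + "' is required by the application; not removed");
            return false;
        }

        boolean removed = mapping.removeRole(role);
        if (removed) {
            mapping.commit();   // persist the removal to the underlying policy
            System.out.println("'" + role + "' removed and committed");
        } else {
            System.out.println("'" + role + "' did not exist; nothing committed");
        }
        return removed;
    }

    public static void main(String[] args) throws PolicyContextException {
        // Assumed context identifier and empty properties.
        RoleMappingImpl mapping = new RoleMappingImpl("hrapp#hrapp.war", false, new Properties());

        // Constructed names: an ad-hoc role an administrator created earlier ...
        removeIfAllowed(mapping, "contractor");
        // ... and a role assumed to be declared by the application itself.
        removeIfAllowed(mapping, "employee");
    }
}
```

Removing a role also removes any hierarchy links that pointed at its PPS, so check getRolesInRole on the roles it was mapped to before removing one that other roles depend on.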


Copyright © 2009 IBM Corp. All Rights Reserved.