com.ibm.sec.authz.jaccplus

Class ApplicationPolicy

  java.lang.Object
    extended by java.security.Policy
      extended by com.ibm.sec.authz.jaccplus.ApplicationPolicy

  public final class ApplicationPolicy
  extends java.security.Policy

The primary interface for invoking authorization decisions. It is an extension of the Java Policy class with additional methods to allow application context to be provided as input to the decision.

The manner by which this class is instantiated depends on the use case.

A singleton instance of this class is provided that is shared across the entire server or JVM. Tivoli Security Policy Manager customers should use this instance, which is retrieved using the static getPolicy() method:

 ApplicationPolicy pol = ApplicationPolicy.getPolicy();
 

In other use cases, a new instance of ApplicationPolicy that is self-contained can be used by constructing an instance and passing down configuration properties:

  Properties props = new Properties();
  ApplicationPolicy pol = new ApplicationPolicy( props );
  
See Also:
ApplicationPermission, EvaluationContext

Nested Class Summary

Nested classes/interfaces inherited from class java.security.Policy
java.security.Policy.Parameters

Field Summary

Fields inherited from class java.security.Policy
UNSUPPORTED_EMPTY_COLLECTION

Constructor Summary

Constructor and Description
ApplicationPolicy()
Default Constructor.
ApplicationPolicy(java.util.Properties props)
Constructs a new instance of ApplicationPolicy using the passed configuration properties.

Method Summary

Modifier and Type, Method and Description
java.security.PermissionCollection getPermissions(java.security.CodeSource codesource)
Implementation of the Policy getPermissions() method.
java.security.PermissionCollection getPermissions(java.lang.String contextID, EvaluationContext evalCtx, java.lang.Class<?> permissionClass)
Calculates the set of entitlements, in the form of Permission objects, to which the current user (as specified in the EvaluationContext) has access.
static ApplicationPolicy getPolicy()
Gets the singleton instance of ApplicationPolicy.
boolean implies(java.security.ProtectionDomain domain, java.security.Permission permission)
Implementation of the Policy implies() method.
boolean implies(java.lang.String contextID, EvaluationContext evalCtx, java.security.Permission permission)
This method evaluates the passed Permission against the policy for the passed-in context identifier.
boolean implies(java.lang.String contextID, EvaluationContext evalCtx, java.security.PermissionCollection permCollection)
This method evaluates the given set of Permissions against the policy specified by the context identifier passed.
void lockPolicy(java.lang.String context)
Locks the policy underlying this context to ensure that multiple calls to implies() are evaluated against the same policy.
void refresh()
Refreshes, or reloads, the policy that makes access decisions.
void unlockPolicy(java.lang.String context)
Unlocks the policy underlying this context, so that the policy can be refreshed if any updates are pending.
Methods inherited from class java.security.Policy
getInstance, getInstance, getInstance, getParameters, getPermissions, getProvider, getType, setPolicy
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ApplicationPolicy

  public ApplicationPolicy(java.util.Properties props)
Constructs a new instance of ApplicationPolicy using the passed configuration properties.
Parameters:
props - A properties object that contains all of the required configuration.

ApplicationPolicy

  public ApplicationPolicy()
Default Constructor. This constructor initializes all required members using the CommonAuthzProperties class, including using System properties. This constructor is not recommended for most use cases.

Method Detail

getPolicy

  public static ApplicationPolicy getPolicy()
Gets the singleton instance of ApplicationPolicy. This is the preferred way to obtain an instance of this class.
Returns:
ApplicationPolicy

implies

  public boolean implies(java.security.ProtectionDomain domain,
                         java.security.Permission permission)
Implementation of the Policy implies() method. This is used by container code; do not directly invoke it.
Overrides:
implies in class java.security.Policy

implies

  public boolean implies(java.lang.String contextID,
                         EvaluationContext evalCtx,
                         java.security.Permission permission)
This method evaluates the passed Permission against the policy for the passed-in context identifier. The authenticated user and any other context information are retrieved from the EvaluationContext object.
Parameters:
contextID - The context identifier for the policy to evaluate against. For customers of Tivoli Security Policy Manager, this is the "Application ID" used when creating the service structure.
evalCtx - The EvaluationContext that has all of the attributes required for the evaluation.
permission - The permission object to evaluate. This will normally be an instance of ApplicationPermission.
Returns:
true if permission is granted, false otherwise.

implies

  public boolean implies(java.lang.String contextID,
                         EvaluationContext evalCtx,
                         java.security.PermissionCollection permCollection)
This method evaluates the given set of Permissions against the policy specified by the context identifier passed. The result is true only if all of the Permissions in the collection are implied.

If a DelegatedPermissionCollection is passed to this method, the PermissionCollection is updated to contain only the Permissions that were implied.

Parameters:
contextID - The context identifier for the policy to evaluate against. For customers of Tivoli Security Policy Manager, this is the "Application ID" used when creating the service structure.
evalCtx - The EvaluationContext that has all of the attributes required for the evaluation.
permCollection - The collection of Permissions to evaluate. This should normally contain instances of ApplicationPermission.
Returns:
true if and only if all of the permissions in the collection are implied, false otherwise.

getPermissions

  public java.security.PermissionCollection getPermissions(java.security.CodeSource codesource)
Implementation of the Policy getPermissions() method. Delegates to the system-wide Policy.getPolicy() instance if available.
Overrides:
getPermissions in class java.security.Policy

getPermissions

  public java.security.PermissionCollection getPermissions(java.lang.String contextID,
                                                           EvaluationContext evalCtx,
                                                           java.lang.Class<?> permissionClass)

Calculates the set of entitlements, in the form of Permission objects, to which the current user (as specified in the EvaluationContext) has access.

The type of Permission that should be constructed is specified by the permissionClass parameter. Only the ApplicationPermission class is supported. If another Permission class instance is passed, then an empty PermissionCollection is returned.

Parameters:
contextID - The context identifier to get permissions for. For customers of Tivoli Security Policy Manager this is the "Application ID" used when creating the service structure.
evalCtx - The EvaluationContext that has all of the attributes required.
permissionClass - The class specifying the type of Permission objects that should be returned.
Returns:
the collection of Permissions retrieved.

refresh

  public void refresh()
Refreshes, or reloads, the policy that makes access decisions. It also discards any cached authorization decisions.
Overrides:
refresh in class java.security.Policy

lockPolicy

  public void lockPolicy(java.lang.String context)
Locks the policy underlying this context to ensure that multiple calls to implies() are evaluated against the same policy.
Parameters:
context - The context identifier to lock. For customers of Tivoli Security Policy Manager, this is the "Application ID" used when creating the service structure.

unlockPolicy

  public void unlockPolicy(java.lang.String context)
Unlocks the policy underlying this context, so that the policy can be refreshed if any updates are pending.
Parameters:
context - The context identifier to unlock. For customers of Tivoli Security Policy Manager, this is the "Application ID" used when creating the service structure.
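
Example (added here; not part of the IBM documentation): lockPolicy() and unlockPolicy() bracket a group of implies() calls so that every check is evaluated against the same policy, with the unlock in a finally block so the policy is released even if a check throws. The class name ConsistentAuthz and the method allImplied are hypothetical, the import of EvaluationContext from com.ibm.sec.authz.jaccplus is an assumption, and the caller supplies the already-built EvaluationContext and Permission objects.

```java
import java.security.Permission;
import java.util.List;

import com.ibm.sec.authz.jaccplus.ApplicationPolicy;
// Assumption: EvaluationContext lives in the same package as ApplicationPolicy.
import com.ibm.sec.authz.jaccplus.EvaluationContext;

/** Hypothetical helper, not part of the product API. */
public final class ConsistentAuthz {

    private ConsistentAuthz() {}

    /**
     * Returns true only if every permission in the list is implied for
     * contextID. All checks run while the policy for contextID is locked,
     * so a policy update cannot land between two of the decisions.
     */
    public static boolean allImplied(String contextID,
                                     EvaluationContext evalCtx,
                                     List<? extends Permission> permissions) {
        // Deny when there is nothing valid to evaluate: an empty or missing
        // input must never be treated as a grant.
        if (contextID == null || evalCtx == null
                || permissions == null || permissions.isEmpty()) {
            return false;
        }

        // Shared singleton, the documented way to obtain an instance.
        ApplicationPolicy pol = ApplicationPolicy.getPolicy();

        // Lock outside the try block: if lockPolicy() itself fails,
        // unlockPolicy() is not called for a lock that was never taken.
        pol.lockPolicy(contextID);
        try {
            for (Permission p : permissions) {
                if (p == null || !pol.implies(contextID, evalCtx, p)) {
                    return false; // first denial decides the result
                }
            }
            return true;
        } finally {
            // Always release, so pending policy updates can be applied.
            pol.unlockPolicy(contextID);
        }
    }
}
```

An exception thrown by implies() propagates to the caller after the unlock, so the calling code must treat it as a denial rather than continue with the protected operation.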