com.ibm.sec.authz.jaccplus.config.internal
Class RoleMappingImpl
java.lang.Object
  com.ibm.sec.authz.jaccplus.config.internal.RoleMappingImpl
All Implemented Interfaces: RoleMappingConfiguration
public class RoleMappingImpl extends java.lang.Object implements RoleMappingConfiguration
Application-server agnostic implementation for adding users and groups to roles. Any server-specific code will call this implementation.
Roles are mapped to users and groups using the Target of XACML rules. Policy deployed by JACCPlus has the following structure, which is aligned with the XACML v2.0 RBAC profile (-> denotes a link between policy files):
[root policy] -> RPS:[role1] -> PPS:[role1] -> RPS:[role2] -> PPS:[role2]
"RPS" stands for "Role Policy Set" and contains the user and group mappings for each role. "PPS" stands for "Permission Policy Set" and contains the actual policy for that role.
The Target of the RPS is updated to contain subject-id and group-id checks, causing this policy to be applicable for the desired users and groups.
To map roles to roles, that is to enable hierarchical role mappings, we add additional links between the RPS and various PPS policies. For example, to ensure that 'role1' can do everything that 'role2' can do, we set up links as follows:
[root policy] -> RPS:[role1] -> PPS:[role1] -> PPS:[role2]
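As an added example (not JACCPlus code), the following audit opens a policy context through the constructor listed on this page and uses only this class's read-only methods to report roles granted to everyone or to all authenticated users, together with the roles each role inherits through the RPS -> PPS links described above. The RoleMappingAudit class name, the meaning of the boolean remove constructor argument, and the inheritance direction (read from the addRoleToRole('employee', 'manager') example in the method detail, so that getRolesInRole("employee") is taken to list "manager") are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.Properties;
import java.util.Set;
import javax.security.jacc.PolicyContextException;
import com.ibm.sec.authz.jaccplus.config.internal.RoleMappingImpl;

/** Least-privilege audit of the role mappings in one policy context (example code, not part of JACCPlus). */
public class RoleMappingAudit {

    // Assumption: remove=false means "keep the existing mappings", which is what an audit wants.
    public static RoleMappingImpl open(String contextId, Properties props) throws PolicyContextException {
        return new RoleMappingImpl(contextId, false, props);
    }

    /**
     * Roles whose permissions 'role' ends up with, following the RPS -> PPS links transitively.
     * Assumed direction: 'current' inherits 'base' when 'current' appears in getRolesInRole(base),
     * matching addRoleToRole('employee', 'manager') giving managers everything employees can do.
     */
    public static Set<String> inheritedPermissionRoles(RoleMappingImpl rm, String role) {
        Set<String> result = new LinkedHashSet<>();
        Deque<String> work = new ArrayDeque<>();
        work.push(role);
        while (!work.isEmpty()) {
            String current = work.pop();
            for (String base : rm.getRoles()) {
                if (rm.getRolesInRole(base).contains(current) && result.add(base)) {
                    if (base.equals(role)) { // the hierarchy loops back to where we started
                        throw new IllegalStateException("role hierarchy cycle through " + role);
                    }
                    work.push(base); // base may itself inherit further roles
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws PolicyContextException {
        RoleMappingImpl rm = open(args[0], new Properties()); // args[0]: the JACC context id to audit
        for (String role : rm.getRoles()) {
            Set<String> inherited = inheritedPermissionRoles(rm, role);
            // A role open to everyone also hands out the permissions of every role it inherits.
            if (rm.isEveryoneInRole(role)) System.out.println("WARN " + role + " (and via it " + inherited + ") is open to unauthenticated users");
            if (rm.isAuthenticatedUsersInRole(role)) System.out.println("INFO " + role + " is granted to all authenticated users");
            System.out.println(role + ": users=" + rm.getUsersInRole(role) + " groups=" + rm.getGroupsInRole(role)
                    + " inherits=" + inherited + (rm.isRequiredRole(role) ? " [required by a deployed module]" : ""));
        }
    }
}
```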
Field Summary |
---|---
static java.lang.String | ALL_AUTHENTICATED_USERS
Constructor Summary |
---|---
RoleMappingImpl(java.lang.String contextId, boolean remove, java.util.Properties props) |
Method Summary |
---|---
void | addGroupsToRole(java.lang.String role, java.util.List<java.lang.String> groups) This method is used to add one or more groups to a given role.
void | addRoleToRole(java.lang.String role, java.lang.String mappedRole) This method is used to map a role to a specified role.
void | addUsersToRole(java.lang.String role, java.util.List<java.lang.String> users) This method is used to add one or more users to a given role.
void | commit() This method is used to commit all changes to the underlying policy.
void | delete() This method is used to delete the currently configured user/group to role mappings.
java.lang.String | getContextID() This method is used to get the context identifier that we are configuring policy for.
java.util.List<java.lang.String> | getGroupsInRole(java.lang.String role) This method is used to get a list of groups that are currently in the specified role.
java.util.Set<java.lang.String> | getRoles() This method gets the Set of all currently configured roles.
java.util.List<java.lang.String> | getRolesInRole(java.lang.String role) This method is used to get a list of roles that are currently mapped to the specified role.
java.util.List<java.lang.String> | getUsersInRole(java.lang.String role) This method is used to get a list of users that are currently in the specified role.
boolean | isAuthenticatedUsersInRole(java.lang.String role) This method is used to check if all authenticated users have access to the specified role.
boolean | isEveryoneInRole(java.lang.String role) This method is used to check if all users have access to the specified role.
boolean | isRequiredRole(java.lang.String role) This method is used to determine if a given role is required by other modules (such as in a J2EE application) and therefore cannot be removed using the removeRole method.
void | removeAuthenticatedUsersFromRole(java.lang.String role) This method is used to remove the all-authenticated meta-user from a given role.
void | removeEveryoneFromRole(java.lang.String role) This method is used to remove the everyone meta-user from a given role.
void | removeGroupsFromRole(java.lang.String role, java.util.List<java.lang.String> groups) This method is used to remove one or more groups from a given role.
boolean | removeRole(java.lang.String role) This method is used to remove a role.
void | removeRoleFromRole(java.lang.String role, java.lang.String mappedRole) This method is used to remove a mapped role from the specified role.
void | removeUsersFromRole(java.lang.String role, java.util.List<java.lang.String> users) This method is used to remove one or more users from a given role.
void | setAuthenticatedUsersToRole(java.lang.String role) This method is used to add all users that have been authenticated to a given role.
void | setEveryoneToRole(java.lang.String role) This method is used to add all users, authenticated or not, to a given role.
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
public static final java.lang.String ALL_AUTHENTICATED_USERS
Constructor Detail |
---|
public RoleMappingImpl(java.lang.String contextId, boolean remove, java.util.Properties props) throws javax.security.jacc.PolicyContextException
Throws:
javax.security.jacc.PolicyContextException
Method Detail |
---|
public void setAuthenticatedUsersToRole(java.lang.String role) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to add all users that have been authenticated to a given role.
Specified by: setAuthenticatedUsersToRole in interface RoleMappingConfiguration
Parameters:
role - The role to add all authenticated users to.
Throws:
javax.security.jacc.PolicyContextException

public void setEveryoneToRole(java.lang.String role) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to add all users, authenticated or not, to a given role.
Specified by: setEveryoneToRole in interface RoleMappingConfiguration
Parameters:
role - The role to add everyone to.
Throws:
javax.security.jacc.PolicyContextException

public void addGroupsToRole(java.lang.String role, java.util.List<java.lang.String> groups) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to add one or more groups to a given role.
Specified by: addGroupsToRole in interface RoleMappingConfiguration
Parameters:
role - The role to add groups to.
groups - A list containing the String names of groups to be added to the specified role.
Throws:
javax.security.jacc.PolicyContextException

public void addUsersToRole(java.lang.String role, java.util.List<java.lang.String> users) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to add one or more users to a given role.
Specified by: addUsersToRole in interface RoleMappingConfiguration
Parameters:
role - The role to add users to.
users - A list containing the String names of users to be added to the specified role.
Throws:
javax.security.jacc.PolicyContextException

public void addRoleToRole(java.lang.String role, java.lang.String mappedRole) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to map a role to a specified role. For example, using two roles 'manager' and 'employee', calling addRoleToRole('employee', 'manager') will ensure that managers can do anything employees can do, since they will have all the permissions associated with employees.
Specified by: addRoleToRole in interface RoleMappingConfiguration
Parameters:
role - The role whose permissions we want to map to.
mappedRole - This is the role to be mapped to the specified role.
Throws:
javax.security.jacc.PolicyContextException

public void commit() throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to commit all changes to the underlying policy.
Specified by: commit in interface RoleMappingConfiguration
Throws:
javax.security.jacc.PolicyContextException

public void delete() throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to delete the currently configured user/group to role mappings.
Specified by: delete in interface RoleMappingConfiguration
Throws:
javax.security.jacc.PolicyContextException

public java.lang.String getContextID()
Description copied from interface: RoleMappingConfiguration
This method is used to get the context identifier that we are configuring policy for.
Specified by: getContextID in interface RoleMappingConfiguration

public void removeAuthenticatedUsersFromRole(java.lang.String role) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove the all-authenticated meta-user from a given role.
Specified by: removeAuthenticatedUsersFromRole in interface RoleMappingConfiguration
Parameters:
role - The specified role from which to remove the all-authenticated meta-user.
Throws:
javax.security.jacc.PolicyContextException

public void removeEveryoneFromRole(java.lang.String role) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove the everyone meta-user from a given role.
Specified by: removeEveryoneFromRole in interface RoleMappingConfiguration
Parameters:
role - The specified role from which to remove the everyone meta-user.
Throws:
javax.security.jacc.PolicyContextException

public void removeGroupsFromRole(java.lang.String role, java.util.List<java.lang.String> groups) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove one or more groups from a given role.
Specified by: removeGroupsFromRole in interface RoleMappingConfiguration
Parameters:
role - The role from which to remove groups.
groups - A list containing the String names of groups to be removed from the specified role.
Throws:
javax.security.jacc.PolicyContextException

public void removeUsersFromRole(java.lang.String role, java.util.List<java.lang.String> users) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove one or more users from a given role.
Specified by: removeUsersFromRole in interface RoleMappingConfiguration
Parameters:
role - The role from which to remove users.
users - A list containing the String names of users to be removed from the specified role.
Throws:
javax.security.jacc.PolicyContextException

public void removeRoleFromRole(java.lang.String role, java.lang.String mappedRole) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove a mapped role from the specified role.
Specified by: removeRoleFromRole in interface RoleMappingConfiguration
Parameters:
role - The role to remove a mapped role from.
mappedRole - The mapped role to remove from the specified role.
Throws:
javax.security.jacc.PolicyContextException

public java.util.List<java.lang.String> getGroupsInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to get a list of groups that are currently in the specified role.
Specified by: getGroupsInRole in interface RoleMappingConfiguration
Parameters:
role - The role to return a list of groups for.

public java.util.List<java.lang.String> getUsersInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to get a list of users that are currently in the specified role.
Specified by: getUsersInRole in interface RoleMappingConfiguration
Parameters:
role - The role to look up to return a list of users for.

public boolean isAuthenticatedUsersInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to check if all authenticated users have access to the specified role.
Specified by: isAuthenticatedUsersInRole in interface RoleMappingConfiguration
Parameters:
role - The role to check if all authenticated users have access to.

public boolean isEveryoneInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to check if all users have access to the specified role.
Specified by: isEveryoneInRole in interface RoleMappingConfiguration
Parameters:
role - The role to check if everyone has access to.

public java.util.Set<java.lang.String> getRoles()
Specified by: getRoles in interface RoleMappingConfiguration

public java.util.List<java.lang.String> getRolesInRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to get a list of roles that are currently mapped to the specified role.
Specified by: getRolesInRole in interface RoleMappingConfiguration
Parameters:
role - The role to look up to return a list of roles for.

public boolean isRequiredRole(java.lang.String role)
Description copied from interface: RoleMappingConfiguration
This method is used to determine if a given role is required by other modules (such as in a J2EE application) and therefore cannot be removed using the removeRole method.
Specified by: isRequiredRole in interface RoleMappingConfiguration
Parameters:
role - The role to check.

public boolean removeRole(java.lang.String role) throws javax.security.jacc.PolicyContextException
Description copied from interface: RoleMappingConfiguration
This method is used to remove a role.
Specified by: removeRole in interface RoleMappingConfiguration
Parameters:
role - The role to remove.
Throws:
javax.security.jacc.PolicyContextException - If the role is a J2EE-deployed and therefore required role.