com.tivoli.mts
Class PDPermission
java.lang.Object
  |
  +--java.security.Permission
        |
        +--com.ibm.IBMPermission
              |
              +--com.tivoli.mts.PDPermission
- All Implemented Interfaces:
- java.security.Guard, java.io.Serializable
public class PDPermission
extends com.ibm.IBMPermission
This class represents an authorization permission for accessing a resource object in
the protected domain defined by Policy Director.
PDPermission allows Policy Director to be used as the authorization backend for normal Java 2
permission checks. In PD 3.7, ivacld offers an SSL-based access mode for remote ACL checking.
The permission check is done by the implies() method, which sets up an SSL-based connection
to a remote ivacld server for the authorization check.
Permissions are created with a resource name and actions. They are immutable once created.
The actions must correspond to one of the operations for
which a Policy Director permission has been defined. Actions strings use this format:
[<action-group-name>]<action-list>. The action group name is optional. The action list consists of
action names, each one character in length. Examples of valid actions strings are:
"[primary]rwc" "rw" "[java]rc[primary]rwx". The following action names are defined
and used in Policy Director.
- A add
- B bypasstod operation
- C connect
- D chdir
- G surrogate
- I integrity
- K kill
- L login
- N create
- P privacy
- R rename
- T traverse operation
- U utime
- W password
- X alias
- a attach operation
- b browse operation
- c control operation
- d deletion
- f forward
- g delegation
- l list directory
- m modification
- o chown
- p chmod
- r read operation
- s server administration
- v azn_operation_view
- w write
- x execution
The requested resource to query for must correspond to a resource that has been defined
as a protected object within Policy Director's protected object namespace.
- Version:
- 1.2, 05/31/2001
- Author:
- Yanni Zhang, Bruce A Rich
- See Also:
- Serialized Form
Constructor Summary
PDPermission(java.lang.String rname, java.lang.String actions)
- Creates a new PDPermission object with the specified actions and resource.
Method Summary
boolean equals(java.lang.Object obj)
- Checks two PDPermission objects for equality.
java.lang.String getActions()
- Returns the canonical string representation of the actions.
int hashCode()
- Returns the hash code value for this object.
boolean implies(PDPrincipal princ)
- Checks if Policy Director grants the specified permissions to the PDPrincipal.
boolean implies(PDPrincipal princ, PDAttrs inputList, PDAttrs outputList)
- Checks if Policy Director grants the specified permissions to the PDPrincipal.
boolean implies(java.security.Permission p)
- Checks to see if Policy Director grants the specified permission.
Methods inherited from class java.security.Permission
- checkGuard, getName, newPermissionCollection, toString
Methods inherited from class java.lang.Object
- clone, finalize, getClass, notify, notifyAll, wait, wait, wait
PDPermission
public PDPermission(java.lang.String rname,
java.lang.String actions)
- Creates a new PDPermission object with the specified actions and resource.
Action names can only be one character in length. Policy Director 3.6 supported the following
actions:
- a attach
- B bypasstod
- b browse
- c control
- T traverse
- g delegation
- v view
- m modify
- d delete
- s server administration
- I integrity
- P privacy
- r read
- x execute
- l list_directory
- C connect
- f forward
- A add
Policy Director 3.7 adds some more extended operations:
- w write
- N create
- o chown
- p chmod
- D chdir
- R rename
- U utime
- K kill
- X alias
- L login
- G surrogate
- W password
Administrators may add additional action groups and additional permissions.
- Parameters:
rname - name of the target resource object.
actions - name of the requested operations. The actions can be concatenated together
to form complex operation strings. The format is "["<action-group-name>"]"<action-name>.. "["<action-group-name>"]"<action-name>....
Example action strings for the AznAPI would be:
"[primary]rwc" "rw" "[java]rc[primary]rwx". "primary" is the default action group
if an action group name is not specified.
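The actions-string format described in the class overview and in the constructor parameters, as an added Java example (not Policy Director's own code): a strict parser that splits a string into action groups, applies the "primary" default, and reports action names outside this page's list. The class and method names, the letters-only rule and the rejection of empty groups are assumptions of the example.

```java
import java.util.*;

public class PDActionString {
    // Action names listed on this page for Policy Director 3.6 and 3.7.
    static final String DOCUMENTED = "ABCDGIKLNPRTUWXabcdfglmoprsvwx";
    static final String DEFAULT_GROUP = "primary"; // default group per the page

    /** Splits an actions string into action group -> set of one-character action names. */
    static Map<String, Set<Character>> parse(String actions) {
        if (actions == null || actions.isEmpty())
            throw new IllegalArgumentException("empty actions string");
        Map<String, Set<Character>> groups = new LinkedHashMap<>();
        String group = DEFAULT_GROUP;
        int i = 0;
        while (i < actions.length()) {
            char ch = actions.charAt(i);
            if (ch == '[') {
                int close = actions.indexOf(']', i);
                if (close < 0 || close == i + 1)
                    throw new IllegalArgumentException("bad group at index " + i);
                group = actions.substring(i + 1, close);
                i = close + 1;
                // Assumption: a group prefix must be followed by at least one action.
                if (i >= actions.length() || actions.charAt(i) == '[')
                    throw new IllegalArgumentException("group '" + group + "' has no actions");
            } else if (Character.isLetter(ch)) { // assumption: action names are letters
                groups.computeIfAbsent(group, g -> new TreeSet<>()).add(ch);
                i++;
            } else {
                throw new IllegalArgumentException("unexpected '" + ch + "' at index " + i);
            }
        }
        return groups;
    }

    /** Action names not in the page's list, i.e. ones an administrator must have added. */
    static Set<Character> undocumented(Map<String, Set<Character>> groups) {
        Set<Character> extra = new TreeSet<>();
        for (Set<Character> names : groups.values())
            for (char c : names) if (DOCUMENTED.indexOf(c) < 0) extra.add(c);
        return extra;
    }

    public static void main(String[] args) {
        // The three example strings from this page.
        for (String s : new String[] {"[primary]rwc", "rw", "[java]rc[primary]rwx"})
            System.out.println(s + " -> " + parse(s));
    }
}
```

Action names are case-sensitive: in the list above "r" is read while "R" is rename, and "c" is control while "C" is connect, so a check like this is worth running before an actions string reaches a permission grant.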
implies
public boolean implies(java.security.Permission p)
- Checks to see if Policy Director grants the specified permission.
More specifically, this method returns true if:
- p is an instance of PDPermission,
- p's actions are a proper subset of this object's action map, and
- p is a permission granted by pdacld to the PDPrincipal in the current Subject
- Overrides:
implies in class com.ibm.IBMPermission
- Parameters:
p - the permission to check.
- Returns:
true if the specified permission is granted by Policy Director, false if not.
implies
public boolean implies(PDPrincipal princ)
- Checks if Policy Director grants the specified permissions to the PDPrincipal.
More specifically, this method returns true if:
- princ is non-null,
- this PDPermission's actions are a proper subset of this object's action map, and
- the specified actions are allowed by ivacld for the specified principal
- Parameters:
princ - the PDPrincipal whose permissions will be checked.
- Returns:
true if the specified permission is implied by this object, false if not.
implies
public boolean implies(PDPrincipal princ,
PDAttrs inputList,
PDAttrs outputList)
- Checks if Policy Director grants the specified permissions to the PDPrincipal.
More specifically, this method returns true if:
- princ is non-null,
- this PDPermission's actions are a proper subset of this object's action map, and
- the specified actions are allowed by Policy Director for the specified principal
- Parameters:
princ - the PDPrincipal whose permissions will be checked.
inputList - the input attribute list.
outputList - the output attribute list.
- Returns:
true if the specified permission is implied by this object, false if not.
equals
public boolean equals(java.lang.Object obj)
- Checks two PDPermission objects for equality. Checks that obj is
a PDPermission, and has the same name and actions as this object.
- Overrides:
equals in class com.ibm.IBMPermission
- Parameters:
obj - the object we are testing for equality with this object.
- Returns:
true if obj is a PDPermission, and has the same name and
actions as this PDPermission object.
getActions
public java.lang.String getActions()
- Returns the canonical string representation of the actions.
- Overrides:
getActions in class java.security.Permission
- Returns:
- the canonical string representation of the actions.
hashCode
public int hashCode()
- Returns the hash code value for this object.
- Overrides:
hashCode in class com.ibm.IBMPermission
- Returns:
- a hash code value for this object.