/*
* Copyright (c) 2000-2005, University of Salford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the University of Salford nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
package issrg.pba.repository;
import issrg.pba.rbac.LDAPDNPrincipal;
import issrg.utils.repository.Entry;
import issrg.utils.repository.TokenLocator;
/**
* This is the implementation of the TokenLocator interface, where the entry
* and the token locator are the same and are the Distinguished Name of the
* entry. The
* object is used for matching the Subject domain and for locating the
* authorisation tokens of the user within the repository. Note that for the
* purposes of the Permis project the subject domain is identified by the
* entry the authorisation tokens are stored in, so this circumstance defines
* the return results of the methods.
*
* @author A Otenko
* @version 1.0
*/
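public class UserEntry implements issrg.pba.rbac.policies.LDAPEntry, TokenLocator {
  // Holder DN; stays null when no subject was supplied to _init_.
  private LDAPDNPrincipal subjectDN=null;
  // PKC issuer DN; stays null when no issuer was supplied to _init_.
  private LDAPDNPrincipal issuerDN=null;
  // PKC serial number; _init_ requires it to be set if and only if the issuer is.
  private java.math.BigInteger sn=null;
  // Locator built from issuer DN + serial number; null when no issuer was supplied.
  protected TokenLocator alternativeDN=null;

  /**
   * This method is used to initialise the object by different constructors.
   * The method automatically checks if the parameters are correct: that either
   * the subject or issuer DNs have been specified, and if the issuer DN has
   * been specified, that the SN has been specified as well.
   *
   * <p>Both names are re-parsed into LDAPDNPrincipal objects from
   * {@code getName()}, so a name that is not a parseable DN is rejected here.
   *
   * @param subject is the name of the holder
   * @param issuer is the name of the issuer for the alternate reference
   * @param serialNumber is the serial number of the PKC
   *
   * @throws IllegalArgumentException if the parameters are invalid: the
   *   subject is null and the issuer data is missing, or only one of issuer
   *   and serialNumber is specified, or a DN cannot be parsed (the parsing
   *   exception is attached as the cause)
   */
  protected void _init_(java.security.Principal subject, java.security.Principal issuer,
                        java.math.BigInteger serialNumber){
    try{
      if (subject==null && (issuer==null || serialNumber==null)){
        throw new IllegalArgumentException("Cannot instantiate: Subject DN and Issuer data are null");
      }

      // Issuer and serial number are only meaningful as a pair.
      if ((issuer==null) ^ (serialNumber==null)){
        throw new IllegalArgumentException("Cannot instantiate: Issuer data incomplete");
      }

      if (subject!=null){
        subjectDN=new LDAPDNPrincipal(subject.getName());
      }

      sn=serialNumber;

      if (issuer!=null){
        issuerDN=new LDAPDNPrincipal(issuer.getName());
        alternativeDN = new EntryLocator(this, new LDAPDNPrincipal(
                              issuerSerialToDN(issuerDN.getName(), sn)
                            ), null, null);
      }
    }catch(issrg.utils.RFC2253ParsingException rpe){
      // Keep the parsing exception as the cause so the original stack trace
      // is not lost when a malformed DN is being diagnosed.
      IllegalArgumentException iae = new IllegalArgumentException("Cannot instantiate: Error while parsing DN occured: "+rpe.getMessage());
      iae.initCause(rpe);
      throw iae;
    }
  }

  /**
   * This variable sets the attribute type for the serial number in the DN, when
   * constructing it for the IssuerSerial case.
   *
   * <p>NOTE(review): in the standard LDAP schema the short name "sn" denotes
   * surname, not serialNumber - confirm that the repository layout really
   * expects this attribute type.
   */
  final public static String SN_ATTRIBUTE_TYPE = "SN";

  /**
   * This is the universal way for constructing the LDAP DN for the entry, whose
   * name is constructed out of the PKC Issuer DN and PKC SN.
   *
   * <p>The issuer DN is appended verbatim, without any escaping or
   * validation, so the caller must pass a DN that is already well formed.
   *
   * @param issuerDN is the string form of the PKC Issuer DN; an empty string
   *   yields a DN consisting of the serial number RDN alone
   * @param serialNumber is the serial number of the PKC
   *
   * @return the DN string, or null if either argument is null
   */
  public static String issuerSerialToDN(String issuerDN, java.math.BigInteger serialNumber){
    if (issuerDN==null || serialNumber==null){
      // TODO: do I throw an exception instead?
      return null;
    }

    String serialRDN = SN_ATTRIBUTE_TYPE+"="+serialNumber.toString();
    // A length test replaces the former intern()=="" reference comparison;
    // the result is the same, without relying on the string pool.
    return (issuerDN.length()==0) ? serialRDN : (serialRDN+","+issuerDN);
  }

  /**
   * This constructor leaves every field null; a subclass using it is expected
   * to call _init_ itself.
   */
  protected UserEntry(){}

  /**
   * This constructor builds an object by the name of the holder.
   *
   * @param subject is the name of the holder
   *
   * @throws IllegalArgumentException if the subject is null or its name
   *   cannot be parsed as a DN
   */
  public UserEntry(java.security.Principal subject){
    _init_(subject, null, null);
  }

  /**
   * This constructor builds an object by the name of the issuer and the
   * serialNumber of the PKC.
   *
   * @param issuer is the name of the issuer
   * @param serialNumber is the serial number of the PKC
   *
   * @throws IllegalArgumentException if either parameter is null or the
   *   issuer name cannot be parsed as a DN
   */
  public UserEntry(java.security.Principal issuer, java.math.BigInteger serialNumber){
    _init_(null, issuer, serialNumber);
  }

  /**
   * This constructor builds the object by specifying all of the parameters.
   * The subject can be null if the issuer data is given, and the issuer and
   * the serialNumber can be null together if the subject is given.
   *
   * @param subject is the name of the holder
   * @param issuer is the name of the issuer
   * @param serialNumber is the serial number of the PKC
   *
   * @throws IllegalArgumentException if all parameters are null, if only one
   *   of issuer and serialNumber is given, or if a name cannot be parsed as
   *   a DN
   */
  public UserEntry(java.security.Principal subject, java.security.Principal issuer,
                   java.math.BigInteger serialNumber){
    _init_(subject, issuer, serialNumber);
  }

  /*
   * USER DN METHODS
   */

  /**
   * This method is used to retrieve the Subject DN.
   *
   * @return the DN of the Subject as a Principal object; null if no subject
   *   was specified
   */
  public java.security.Principal getSubjectDN(){
    return subjectDN;
  }

  /**
   * This method is used to retrieve the Issuer DN.
   *
   * @return the DN of the Issuer as a Principal object; null if no issuer
   *   was specified
   */
  public java.security.Principal getIssuerDN(){
    return issuerDN;
  }

  /**
   * This method is used to retrieve the serial number of the relevant PKC
   *
   * @return the BigInteger, representing the serial number; null if none was
   *   specified
   */
  public java.math.BigInteger getSerialNumber(){
    return sn;
  }

  /*
   * TOKEN LOCATOR METHODS
   */

  /**
   * This method returns the Subject DN as the main locator.
   *
   * @return the main locator DN
   */
  public java.security.Principal getLocator(){
    return getSubjectDN();
  }

  /**
   * This implementation assumes that since the DN of the entry is globally
   * unique, it makes sense in any repository, so null is returned.
   *
   * @return null to assume the default repository
   */
  public issrg.utils.repository.AttributeRepository getRepository(){
    return null;
  }

  /**
   * This method returns the Issuer DN combined with PKC Serial number as the
   * alternative token locator.
   *
   * @return the alternative locator; null if no issuer was specified
   */
  public TokenLocator getAlternativeLocator(){
    return alternativeDN;
  }

  /**
   * This method returns this object, since the entry and its token locator
   * are one and the same.
   *
   * @return this object
   */
  public Entry getEntry(){
    return this;
  }

  /*
   * LDAP ENTRY METHODS
   */

  /**
   * This method returns the main locator, or the alternative locator, if the
   * former is null.
   *
   * <p>The result is cast to LDAPDNPrincipal, so a locator of any other
   * Principal type in the chain causes a ClassCastException.
   *
   * @return the first non-null locator in the chain; null if there is none
   */
  public LDAPDNPrincipal getDN(){
    java.security.Principal found=null;
    // Walk this locator and then its alternatives until one yields a name.
    for (TokenLocator current=this; found==null && current!=null;
         current=current.getAlternativeLocator()){
      found=current.getLocator();
    }

    return (LDAPDNPrincipal)found;
  }

  /**
   * This method will return the Entry Name - it is the same as getDN(), so it
   * is the Subject DN when one is set, and the alternative locator otherwise.
   *
   * @return the name of the entry
   */
  public java.security.Principal getEntryName(){
    return getDN();
  }

  /**
   * This method always throws a SecurityException, since LDAP is not trusted to
   * return the object class for DNs (user entries).
   *
   * @param what is the object class to compare to
   *
   * @return does not return anything
   *
   * @throws SecurityException always, since the User is not trusted to tell
   *   their object Class
   */
  public boolean isObjectClass(String what){
    throw new java.lang.SecurityException("LDAP is not trusted to retrieve objectClass for its entries");
  }

  /**
   * Equality is performed by calling equals method on the objects representing
   * Locator and Alternative Locator. These are LDAPDNPrincipal for UserEntry.
   * Two entries are equal as soon as any locator of one equals any locator of
   * the other.
   *
   * <p>NOTE(review): this relation is not transitive (an entry known only by
   * its Subject DN and one known only by issuer and serial number can both
   * equal a third entry without equalling each other), and hashCode() is not
   * overridden in this class, so equal entries can have different hash
   * codes. Do not rely on UserEntry as a key in hash-based collections
   * without reviewing this first.
   *
   * @param o is the object to compare to
   *
   * @return true if o is a UserEntry sharing at least one locator with this
   *   one; false otherwise
   */
  public boolean equals(Object o){
    if (!(o instanceof UserEntry)){
      return false;
    }

    UserEntry other = (UserEntry) o;
    for (TokenLocator mine=this; mine!=null; mine=mine.getAlternativeLocator()){
      java.security.Principal myName=mine.getLocator();
      if (myName==null) continue; // nothing to compare at this level

      for (TokenLocator theirs=other; theirs!=null; theirs=theirs.getAlternativeLocator()){
        if (myName.equals(theirs.getLocator())) return true;
      }
    }

    return false;
  }
}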