📄 ldapurlhandler.java
/*
* Copyright (c) 2000-2005, University of Salford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the University of Salford nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
package issrg.pba.rbac;
import java.security.Principal;
import issrg.utils.repository.Entry;
import issrg.pba.rbac.policies.Subtree;
import issrg.pba.repository.UserEntry;
import issrg.pba.rbac.policies.DITSubtree;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;
/**
 * URL handler for the {@code ldap} scheme.
 *
 * <p>The handler is meant to produce principals, entries, DIT subtrees and
 * attribute repositories from LDAP URLs. In this class only
 * {@link #getRepository(String)} does real work: {@link #getPrincipal(String)}
 * is not implemented, so {@link #getEntry(String)} and
 * {@link #getSubtree(String, int, int, Subtree[])}, which both delegate to it,
 * currently fail with a BadURLException as well (unless a subclass overrides
 * getPrincipal).
 */
public class LDAPURLHandler extends URLHandler {

    /** Scheme name served by this handler. */
    public static final String LDAP_PROTOCOL = "ldap";

    /** Port reported as the default for the scheme (plain LDAP). */
    public static final int LDAP_PORT = 389;

    public LDAPURLHandler() {
    }

    /**
     * @return the scheme name, {@link #LDAP_PROTOCOL}
     */
    public String getProtocol() {
        return LDAP_PROTOCOL;
    }

    /**
     * @return the default port, {@link #LDAP_PORT}
     */
    public int getDefaultPort() {
        return LDAP_PORT;
    }

    /**
     * Not implemented yet.
     *
     * @param url - the LDAP URL; only echoed in the exception message
     * @throws BadURLException always
     */
    public Principal getPrincipal(String url) throws BadURLException {
        String reason = "A Principal cannot be instantiated from " + url + ": method not implemented";
        throw new BadURLException(reason);
    }

    /**
     * Builds an Entry that identifies the LDAP entry named by the URL. The
     * entry is a UserEntry wrapped around the Principal obtained from
     * {@link #getPrincipal(String)}.
     *
     * @param url - the LDAP URL pointing to an entry in LDAP
     * @return the Entry for that name
     * @throws BadURLException if getPrincipal rejects the URL (which this
     *     class's getPrincipal always does)
     */
    public Entry getEntry(String url) throws BadURLException {
        Principal holder = getPrincipal(url);
        return new UserEntry(holder);
    }

    /**
     * Builds an LDAP subtree (DITSubtree) rooted at the node named by an LDAP
     * URL and bounded by min, max and an array of excluded subtrees. The
     * original documentation notes that the host part of the URL is ignored.
     *
     * <p>The URL names the root entry. Min and max follow the subtree
     * specification of the X.500 standard: viewing the tree as the set of
     * paths from the root entry to the leaves, min is the number of hops down
     * a path at which the subtree starts and max is the number of hops at
     * which it ends. The excluded subtrees are cut out of the result; no check
     * is made that they actually lie inside the subtree.
     *
     * <p>Example:
     * <br><pre>root="o=permis,c=gb", min=0, max=-1</pre>
     * <br>- every entry at or below "o=permis,c=gb" is included, the root
     * entry itself too.
     * <p><pre>root="o=permis,c=gb", min=1, max=2, excludes={root="ou=test,o=permis,c=gb", min=0, max=-1}</pre>
     * <br>- entries below "o=permis,c=gb", at most 2 levels down, and outside
     * "ou=test,o=permis,c=gb" are included. So
     * <br>"o=permis,c=gb" <b>is not</b> included (min=1),
     * <br>"cn=David Chadwick,ou=test,o=permis,c=gb" <b>is not</b> included
     * (inside the excluded subtree),
     * <br>"cn=Linying,ou=demo,ou=trustcom,o=permis,c=gb" <b>is not</b>
     * included (max=2),
     * <br>"cn=Romain,ou=trustcom,o=permis,c=gb" and "cn=Sassa,o=permis,c=gb"
     * <b>are</b> included (1 to 2 hops from the root, not excluded).
     *
     * @param url - the URL identifying the root entry of the subtree
     * @param min - how many hops below the root entry the subtree starts;
     *     must be non-negative
     * @param max - how many hops below the root entry the subtree ends; a
     *     negative value means no limit on depth
     * @param exclude - an array of excluded Subtrees
     * @return the DITSubtree described by the arguments
     * @throws BadURLException if getPrincipal rejects the URL (which this
     *     class's getPrincipal always does)
     */
    public Subtree getSubtree(String url, int min, int max, Subtree [] exclude) throws BadURLException {
        // The cast relies on getPrincipal handing back an LDAPDNPrincipal; an
        // override returning another Principal type would fail here with a
        // ClassCastException rather than a BadURLException.
        LDAPDNPrincipal root = (LDAPDNPrincipal) getPrincipal(url);
        return new DITSubtree(root, min, max, null, exclude);
    }

    /**
     * Opens a JNDI directory context on the given LDAP URL and wraps it in an
     * LDAPRepository. The attribute certificate attribute (name taken from
     * CustomisePERMIS) and the user certificate attribute are declared as
     * binary so that they are transferred as raw bytes.
     *
     * <p>Security notes for callers:
     * <ul>
     * <li>Only the scheme of the URL is checked before it is passed to JNDI as
     * the provider URL. If the URL can originate from policy or input that is
     * not fully trusted, the caller should restrict it to known directory
     * hosts first, otherwise this method connects to whatever host the URL
     * names.</li>
     * <li>No bind credentials and no TLS settings are placed in the
     * environment, and the scheme check admits plain {@code ldap} only, so
     * the data read through the repository is not protected in transit by
     * anything configured here. NOTE(review): presumably the certificates
     * fetched are signature-checked by their consumers - confirm.</li>
     * <li>No connect or read timeout is configured, so an unresponsive server
     * may stall the calling thread. The JNDI LDAP provider reads
     * {@code com.sun.jndi.ldap.connect.timeout} and
     * {@code com.sun.jndi.ldap.read.timeout} for this.</li>
     * </ul>
     *
     * @param url - the LDAP URL of the directory to use
     * @return an AttributeRepository backed by the directory
     * @throws BadURLException if the URL is not an LDAP URL, or if JNDI
     *     reports a NamingException while the context is being created
     */
    public issrg.utils.repository.AttributeRepository getRepository(String url) throws BadURLException {
        boolean isLdapUrl = getProtocolName(url).equalsIgnoreCase(LDAP_PROTOCOL);
        if (!isLdapUrl) {
            throw new BadURLException("Wrong URL Handler: " + url + " is not an LDAP URL");
        }

        try {
            java.util.Hashtable jndiEnv = new java.util.Hashtable();

            // The provider is pinned to the LDAP context factory; the URL
            // itself is handed over unchanged.
            jndiEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            jndiEnv.put(Context.PROVIDER_URL, url);
            jndiEnv.put("java.naming.ldap.version", "3");

            // Space-separated list of attributes to treat as binary. An
            // earlier revision used the fixed name
            // issrg.pba.repository.ACRepository.ATTRIBUTE_CERTIFICATE_ID in
            // place of the CustomisePERMIS value.
            String binaryAttributes = CustomisePERMIS.getAttributeCertificateAttribute()
                    + " " + issrg.security.PKCRepository.USER_PKC_ATTRIBUTE;
            jndiEnv.put("java.naming.ldap.attributes.binary", binaryAttributes);

            InitialDirContext directory = new InitialDirContext(jndiEnv);
            return new issrg.utils.repository.LDAPRepository(directory);
        } catch (javax.naming.NamingException ne) {
            // Keep the JNDI exception as the cause so the failure stays diagnosable.
            throw new BadURLException("Couldn't connect to the specified repository: " + url, ne);
        }
    }
}