/*
* Copyright (c) 2000-2005, University of Salford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the University of Salford nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
package issrg.pba.rbac;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

import issrg.pba.AuthTokenParser;
import issrg.pba.PbaException;
import issrg.pba.repository.AuthTokenRepository;
import issrg.pba.repository.UserEntry;
/**
* This class should be used to customise the components PERMIS RBAC uses.
*
* <p>These include:
* <ul>
* <!-- p>Registration of interpreters for IF-statement -->
* <li>Setting the system clock</li>
* <li>Setting the Auth Token Parser</li>
* <li>Registration of URL Handlers</li>
* <li>Setting the Auth Token attribute name used by repositories</li>
* <li>Setting the User Certificate attribute name used by repositories</li>
* <li>Registration of X.509 AC extensions</li>
* <li>Setting the Rule Comparator to select the most relevant Role
* Assignment Rules first, to optimise delegation chain validation</li>
* </ul>
*
* <p>CustomisePERMIS and the creation of PermisRBAC should be in a
* synchronized block, so the other threads do not modify your settings.
*
* @author A.Otenko
* @version 1.0
*/
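public class CustomisePERMIS {

    /**
     * Class name of the AuthTokenParser used by the X.509 flavour of PERMIS.
     *
     * @see issrg.pba.rbac.x509.RoleBasedACParser
     */
    private static final String ACPermisParserClass = "issrg.pba.rbac.x509.RoleBasedACParser";

    /**
     * The source of time used by PERMIS.
     *
     * <p>This field is public and mutable for backward compatibility: any
     * code holding a reference to this class can replace it directly and so
     * bypass the type check performed by {@link #setSystemClock(String)}.
     * Prefer the setter.
     */
    public static Clock systemClock = new SystemClock();

    /**
     * The class of the AuthTokenParser currently configured
     * (issrg.simplePERMIS.SimplePERMISTokenParser by default). Only ever
     * assigned a class that implements AuthTokenParser.
     */
    protected static Class authTokenParser = issrg.simplePERMIS.SimplePERMISTokenParser.class;

    /**
     * The LDAP attribute name under which X.509 Attribute Certificates are
     * stored. The default is "attributeCertificateAttribute;binary", but it
     * can be changed by a configuration class to match the attribute name used
     * in your directory (for example, i500 used to call it
     * "attributeCertificate;binary", which does not correspond to the X.509 v3
     * standard; other implementations do not require ";binary" at the end).
     */
    private static String ATTRIBUTE_CERTIFICATE_ID = "attributeCertificateAttribute;binary";

    /**
     * Extension class names registered by default when X.509 support is
     * needed. It lists all the extensions from the issrg.ac.attributes package.
     *
     * @see issrg.ac.attributes
     */
    private static final String[] extensions = {
        "issrg.ac.attributes.BasicAttConstraint",
        "issrg.ac.attributes.NoAssertion",
        "issrg.ac.attributes.IndirectIssuer",
        "issrg.ac.attributes.IssuedOnBehalfOf",
        "issrg.ac.attributes.AuthorityAttributeIdentifier",
        "issrg.ac.attributes.AttributeAuthorityInformationAccess"
    };

    /**
     * The default Role Assignment Rule Comparator class, used to optimise
     * delegation chain validation by applying the most relevant Role
     * Assignment Rules first.
     *
     * <p>Like {@link #systemClock}, this field is public and mutable; assigning
     * it directly bypasses the check in {@link #setComparator(String)}.
     *
     * @see RuleComparator
     */
    public static Class comparator = issrg.pba.rbac.xmlpolicy.DefaultRuleComparator.class;

    /**
     * Returns the clock used for calculating relative validity periods and as
     * the time reference for decision-making. Replace it with
     * {@link #setSystemClock(String)} if SystemClock is not secure enough for
     * your deployment.
     *
     * <p>Replacing the value does not affect any of the objects already created.
     *
     * @return the configured Clock
     */
    public static Clock getSystemClock() {
        return systemClock;
    }

    /**
     * Returns a new instance of the AuthTokenParser configured into PERMIS.
     *
     * @return a freshly constructed parser
     * @throws IllegalArgumentException if the configured class has no
     *   accessible no-arg constructor or cannot be instantiated
     */
    public static AuthTokenParser getAuthTokenParser() {
        return (AuthTokenParser) newInstanceOf(authTokenParser, authTokenParser.getName());
    }

    /**
     * Sets the Auth Token Parser class to be used by PERMIS. The default is
     * issrg.simplePERMIS.SimplePERMISTokenParser, but other deployments may
     * need a parser for a different token format.
     *
     * <p>The class is loaded and checked before the setting is changed, so a
     * rejected class name leaves the previous parser in place.
     *
     * <p>Loading a class by name runs its static initialiser and the setters
     * below instantiate it, so the name must come from trusted configuration,
     * never from a request or a token.
     *
     * @param className the name of the class to use as the authorisation
     *   token parser
     * @throws ClassNotFoundException if the class cannot be loaded
     * @throws ClassCastException if the class does not implement AuthTokenParser
     * @see issrg.simplePERMIS.SimplePERMISTokenParser
     */
    public static void setAuthTokenParser(String className) throws ClassNotFoundException {
        authTokenParser = loadCompatibleClass(className, AuthTokenParser.class, "does not implement");
    }

    /**
     * Sets the System Clock to be used by PERMIS. The default is
     * issrg.pba.rbac.SystemClock, but other deployments may need a secure
     * timestamping clock.
     *
     * <p>The class is checked and instantiated before the setting is changed,
     * so a rejected class name leaves the previous clock in place. The class
     * name must come from trusted configuration.
     *
     * @param className the name of the class to use as the system clock
     * @throws ClassNotFoundException if the class cannot be loaded
     * @throws ClassCastException if the class does not extend Clock
     * @throws IllegalArgumentException if the class cannot be instantiated
     * @see issrg.pba.rbac.SystemClock
     */
    public static void setSystemClock(String className) throws ClassNotFoundException {
        Class clazz = loadCompatibleClass(className, Clock.class, "does not extend");
        systemClock = (Clock) newInstanceOf(clazz, className);
    }

    /**
     * Adds a URL Handler. This helps XMLParser to construct the policy
     * representation.
     *
     * <p>The class is checked to be a URLHandler before it is instantiated, so
     * an unrelated class is never constructed. The class name must come from
     * trusted configuration.
     *
     * @param className the name of the class to be added as a URLHandler
     * @throws ClassNotFoundException if the class cannot be loaded
     * @throws ClassCastException if the class is not a URLHandler
     * @throws IllegalArgumentException if the class cannot be instantiated
     * @see URLHandler
     */
    public static void addURLHandler(String className) throws ClassNotFoundException {
        Class clazz = loadCompatibleClass(className, URLHandler.class, "is not a");
        URLHandler.addProtocol((URLHandler) newInstanceOf(clazz, className));
    }

    /**
     * Configures the X.509 flavour of PERMIS: after this call PERMIS accepts
     * X.509 ACs by default.
     *
     * <p>The method registers the default AuthTokenParser that supports X.509
     * Attribute Certificates and registers all the default AC Extensions.
     *
     * @throws PbaException if the parser or any extension could not be set up
     */
    public static void configureX509Flavour() throws PbaException {
        try {
            setAuthTokenParser(ACPermisParserClass);
            registerACExtensions();
        } catch (Throwable th) {
            // Throwable, not Exception, is kept deliberately: a missing X.509
            // support jar surfaces as a linkage Error, which callers expect to
            // receive as a PbaException rather than an Error.
            throw new PbaException("Could not set up X.509 flavour of PERMIS: " + th.getMessage(), th);
        }
    }

    /**
     * Returns the LDAP attribute name used to retrieve Attribute Certificates.
     *
     * @return the attribute name
     */
    public static String getAttributeCertificateAttribute() {
        return ATTRIBUTE_CERTIFICATE_ID;
    }

    /**
     * Sets the LDAP attribute name used to retrieve Attribute Certificates.
     *
     * @param id the attribute name as it is in your directory
     */
    public static void setAttributeCertificateAttribute(String id) {
        ATTRIBUTE_CERTIFICATE_ID = id;
    }

    /**
     * Returns the LDAP attribute name used to retrieve Public Key
     * Certificates.
     *
     * @return the attribute name
     */
    public static String getUserCertificateAttribute() {
        return issrg.security.PKCRepository.USER_PKC_ATTRIBUTE;
    }

    /**
     * Sets the LDAP attribute name used to retrieve Public Key Certificates.
     *
     * @param id the attribute name as it is in your directory
     */
    public static void setUserCertificateAttribute(String id) {
        issrg.security.PKCRepository.USER_PKC_ATTRIBUTE = id;
    }

    /**
     * Registers the default X.509 AC extension parsing classes.
     *
     * @throws issrg.pba.PbaException if any extension could not be registered
     */
    public static void registerACExtensions() throws issrg.pba.PbaException {
        registerACExtensions(extensions);
    }

    /**
     * Registers the given X.509 AC extension parsing classes in addition to
     * the already registered extensions. Each class is loaded by name and its
     * static no-arg {@code registerMe()} method is invoked.
     *
     * <p>Registration is not atomic: if one class fails, the classes before it
     * in the array stay registered. The class names must come from trusted
     * configuration, since loading and invoking them executes their code.
     *
     * @param exts the fully qualified class names to register; must not be null
     * @throws issrg.pba.PbaException if a class cannot be loaded, has no
     *   static {@code registerMe()} method, or that method throws
     * @throws NullPointerException if {@code exts} is null
     */
    public static void registerACExtensions(String[] exts) throws issrg.pba.PbaException {
        if (exts == null) {
            throw new NullPointerException("exts");
        }
        try {
            for (int i = 0; i < exts.length; i++) {
                Class extensionClass = Class.forName(exts[i]);
                Method registerMe = extensionClass.getMethod("registerMe", new Class[0]);
                // invoke(null, ...) on an instance method would only produce a
                // bare NullPointerException; report the real problem instead.
                if (!Modifier.isStatic(registerMe.getModifiers())) {
                    throw new NoSuchMethodException(exts[i] + ".registerMe() must be static");
                }
                registerMe.invoke(null, new Object[0]);
            }
        } catch (Exception e) {
            throw new issrg.pba.PbaException("Failed to register AC Extensions: " + e.getMessage(), e);
        }
    }

    /**
     * Returns a new instance of the default Role Assignment Rule Comparator.
     *
     * @return a freshly constructed comparator
     * @throws IllegalArgumentException if the configured class has no
     *   accessible no-arg constructor or cannot be instantiated
     * @see RuleComparator
     */
    public static RuleComparator getComparator() {
        return (RuleComparator) newInstanceOf(comparator, comparator.getName());
    }

    /**
     * Sets the class of the default Role Assignment Rule Comparator, checking
     * that it implements the RuleComparator interface.
     *
     * <p>The class is loaded and checked before the setting is changed, so a
     * rejected class name leaves the previous comparator in place. The class
     * name must come from trusted configuration.
     *
     * @param className the name of the comparator class
     * @throws ClassNotFoundException if the class cannot be loaded
     * @throws ClassCastException if the class does not implement RuleComparator
     * @see RuleComparator
     */
    public static void setComparator(String className) throws ClassNotFoundException {
        comparator = loadCompatibleClass(className, RuleComparator.class, "does not implement");
    }

    /**
     * Loads a class by name and verifies it is assignable to {@code required}.
     * Nothing is instantiated and no setting is modified, so callers can
     * validate before they commit a configuration change.
     *
     * @param className the class to load
     * @param required the type the class must be assignable to
     * @param relation the phrase used in the error message, e.g. "does not implement"
     * @return the loaded class
     * @throws ClassNotFoundException if the class cannot be loaded
     * @throws ClassCastException if the class is not assignable to {@code required}
     */
    private static Class loadCompatibleClass(String className, Class required, String relation)
            throws ClassNotFoundException {
        Class clazz = Class.forName(className);
        if (!required.isAssignableFrom(clazz)) {
            throw new ClassCastException(className + " " + relation + " " + required.getName());
        }
        return clazz;
    }

    /**
     * Instantiates a class through its no-arg constructor, translating the
     * reflective failures into the IllegalArgumentException callers of this
     * class expect; the original exception is kept as the cause.
     *
     * @param clazz the class to instantiate
     * @param displayName the name reported in the error message
     * @return the new instance
     * @throws IllegalArgumentException if the constructor is inaccessible or
     *   the class is abstract/an interface
     */
    private static Object newInstanceOf(Class clazz, String displayName) {
        try {
            return clazz.newInstance();
        } catch (IllegalAccessException iae) {
            throw new IllegalArgumentException(
                    "Default constructor is unavailable for class " + displayName + ": " + iae.getMessage(), iae);
        } catch (InstantiationException ie) {
            throw new IllegalArgumentException(
                    "Can't instantiate abstract class " + displayName + ": " + ie.getMessage(), ie);
        }
    }
}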