📄 permiscredentials.java
字号:
/*
* Copyright (c) 2000-2005, University of Salford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the University of Salford nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
package issrg.pba.rbac;
import issrg.pba.Credentials;
/**
* This is the implementation of the credential for a role based scheme with a
* hierarchy. It combines a roleType and a roleValue. The roleType is a string,
* and will be the LDAP name of the AC attribute type. The roleValue will be a
* RoleHierarchyNode (containing the actual role value) and will be the
* attribute value.
*
* @author A. Otenko
* @author E. Ball
* @author D. Chadwick
* @version 0.2
*/
public class PermisCredentials extends RoleBasedCredentials {
/*
* TODO: there is ambiguity in joining "Any Value" PermisCredentials with other PermisCredentials
* in the way it is done at the moment by the SetOfSubsetsCredentials. the result will depend
* on the sequence of operands. this is due to ambiguity of the "Any Value": when
* delegating, it is the most superior (union with it always gives "Any value"); when
* making decision, it is the most inferior (any role value is greater than this one).
*
* currently there is no security breach, since i always do union _after_ intersecting
* credentials, and there is no problem with intersections (SetOfSubsets calls intersection
* on each credential in the set).
*/
private RoleHierarchyNode roleValue;
protected PermisCredentials(){}
/**
* This is the constructor that builds the object by specifying its RoleType
* (the name, used in the Policy XML). This constructor should be used only
* for building
* the "ANY VALUE" role, which is used in the Policy, and can never be
* granted to a user.
*
* @param roleType is the type of the Role
*/
public PermisCredentials(String roleType) {
//System.out.println("\t\t*** BUILDING A PERMIS CREDENTIAL ***\n\t"+roleType+" = "+(roleValue==null? "null":roleValue.getValue())); //*******
this.roleType=roleType;
}
/**
* This is the constructor that builds the object by specifying its
* RoleHierarchyNode
* (the node that is aware of the hierarchy structure). Note that
* RoleHierarchyNodes are constructed by XMLPolicyParser. The role based
* AuthTokenParsers should use the hierarchy defined by XMLPolicyParser,
* when constructing PermisCredentials; without this the PermisCredentials
* cannot discover hierarchical relationships between the roles.
*
* @param roleValue is the node, representing the value of the Role; cannot
* be null
*/
public PermisCredentials(RoleHierarchyNode roleValue) {
//System.out.println("\t\t*** BUILDING A PERMIS CREDENTIAL ***\n\t"+roleType+" = "+(roleValue==null? "null":roleValue.getValue())); //*******
if (roleValue!=null){
this.roleType=roleValue.getRoleType();
this.roleValue=roleValue;
}
}
/**
* This method returns the role value as a String.
*
* @return the String representation of the Role value (Permis Roles have
* only string values), as specified in the Policy XML, or null, if
* any value is matched by this object
*/
public String getRoleValueAsString(){
return roleValue==null? null: (String)roleValue.getRoleValue();
}
/**
* This method returns the attribute value of the Role. It is inherited from
* the RoleBasedCredential, and its use is limited, like that of
* <code>getRoleValueAsString</code>. In fact, it does the same.
*
* @return the String that is the value of the Role
*
* @see getRoleValueAsString()
*/
public Object getRoleValue(){
return getRoleValueAsString();
}
/**
* This method returns the result of comparing these credentials to the given
* credentials.
*
* @param c is the credentials to compare to
*
* @return true if the given Credentials is castable to PermisCredentials, and
* the Role, allocated to this object is superior or equal to the Role of
* the given Credentials, as specified by the Role Hierarchy in the Policy
* XML
*/
public boolean contains(issrg.pba.Credentials c){
// System.err.println("\t\t*** COMPARING A PERMIS CREDENTIAL ***\n\t"+"This role: " + this.toString()+" vs "+ "The required Role: " + c.toString()); //*******
if (c instanceof PermisCredentials && c!=null){
/**
* TODO: add Validity verification here, or create ExpirablePermisCredential
*/
RoleHierarchyNode rv=((PermisCredentials)c).roleValue;
boolean b;
if (roleValue==null || rv==null){ // the rule for comparing "ANY VALUE" role
// "ANY VALUE" matches any roleValue, if the role type is the same
// note that "ANY VALUE" credentials can be contained only in the sets of credentials
// connected to the policy rules. they can never be assigned to a user
b=getRoleType()!=null &&
((PermisCredentials)c).getRoleType()!=null &&
this.getRoleType().intern()==((PermisCredentials)c).getRoleType().intern() && // only if role types are the same
roleValue==null; // and the roleValue is "ANY VALUE" - any other value cannot contain "ANY VALUE" (e.g. if rv==null)
}else{
b=roleValue!=null && roleValue.isSuperiorTo(rv);
}
//System.out.println("\t"+b); //*******
return b;
}
return super.contains(c);
}
/**
* This method overrides the inherited intersection method to optimise the
* intersection of two PermisCredentials, one of which is "ANY VALUE".
*/
public Credentials intersection(Credentials what){
//System.out.println("\t\t*** INTERSECTION ***"); //*************
Credentials c = null;
if (getRoleValue()==null && contains(what)){ // non-null intersection
c=what; // let the intersection be smaller (avoid returning "any value")
}else if (what instanceof PermisCredentials &&
((PermisCredentials)what).getRoleValue()==null &&
what.contains(this)){ // it will contain this if they are of the same type
c=this; // avoid returning "any value"
}else{
c=super.intersection(what);
}
//System.out.println("\t"+toString()+" vs "+what.toString()+"="+c.toString()); //*************
return c;
}
/**
* This method overrides the inherited union method to optimise the
* union of two PermisCredentials, one of which is "ANY VALUE".
*/
public Credentials union(Credentials what){
//System.out.println("\t\t*** UNION ***"); //*************
Credentials c = null;
if (getRoleValue()==null && contains(what)){ // let the union be not too big (avoid returning "any value")
c=this;
}else if (what instanceof PermisCredentials &&
((PermisCredentials)what).getRoleValue()==null && what.contains(this)){
c=what;
}else{
c=super.union(what);
}
//System.out.println("\t"+toString()+" vs "+what.toString()+"="+c.toString()); //*************
return c;
}
/**
* This method creates a copy of the object.
*
* @return a PermisCredential object with the same properties as this object
*/
public Object clone(){
return roleValue==null? new PermisCredentials(roleType) : new PermisCredentials(roleValue);
}
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -