ldaprepository.java

一个完整的XACML工程,学习XACML技术的好例子!

/*
* Copyright (c) 2000-2005, University of Salford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without 
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this 
* list of conditions and the following disclaimer.
* 
* Redistributions in binary form must reproduce the above copyright notice, 
* this list of conditions and the following disclaimer in the documentation 
* and/or other materials provided with the distribution. 
*
* Neither the name of the University of Salford nor the names of its 
* contributors may be used to endorse or promote products derived from this 
* software without specific prior written permission. 
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Copyright (c) 2006, University of Kent
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without 
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this 
* list of conditions and the following disclaimer.
* 
* Redistributions in binary form must reproduce the above copyright notice, 
* this list of conditions and the following disclaimer in the documentation 
* and/or other materials provided with the distribution. 
*
* 1. Neither the name of the University of Kent nor the names of its 
* contributors may be used to endorse or promote products derived from this 
* software without specific prior written permission. 
*
* 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS  
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
* PURPOSE ARE DISCLAIMED. 
*
* 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
* POSSIBILITY OF SUCH DAMAGE.
*
* 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
* IN THE CIRCUMSTANCES.  IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
* SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
* SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
* GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
* TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
* IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
* SERIOUS FAULTS, IN THIS SOFTWARE.
*
* 5. This license is governed, except to the extent that local laws
* necessarily apply, by the laws of England and Wales.
*/

package issrg.utils.repository;

import javax.naming.directory.DirContext;
import javax.naming.directory.Attributes;
import javax.naming.NamingException;
import javax.naming.NamingEnumeration;
import javax.naming.NameParser;
import javax.naming.Name;
import java.security.Principal;

/**
 * This class is the implementation of the Attribute Repository for LDAP.
 * It can be built out of an array of DirContext. Each of these contexts
 * constitutes a root for LDAP searches. Each DirContext is obtained by
 * establishing an LDAP connection with the directory concerned.
 *
 * <p>The object can be used for retrieving similar information from multiple
 * directories simultaneously. For example, it is useful when retrieving X.509
 * Attribute Certificates for PMI entities that possess ACs issued by different
 * issuers (therefore, stored in different directories available to these 
 * issuers).
 *
 * <p>The object uses MultiRepository to create multiple threads, and acts as
 * a proxy object for backwards compatibility (earlier versions of this object
 * had a constructor with an array of DirContext). It is better to use 
 * MultiRepository for multi-root clusters of LDAP repositories to be more
 * efficient.
 *
 * @author A Otenko
 * @version 0.2
 */
public class LDAPRepository extends DefaultRepository{
  private MultiRepository mr=null;
  private DirContext ctx=null;

  private int status;                           // status of the Repository
  private Throwable diagnosis;                  // the ultimate status: the stack frame in it, the error message to deliver, etc

  protected LDAPRepository(){}

  /**
   * This constructor builds the LDAPRepository with a number of roots.
   *
   * @param Contexts - An array of DirContexts to use as the roots of LDAP 
   *   searches
   */
  public LDAPRepository(DirContext [] Contexts) {
    LDAPRepository [] ldaps=new LDAPRepository[Contexts.length];
    for (int i=0; i<ldaps.length; i++){
      ldaps[i]=new LDAPRepository(Contexts[i]);
    }

    mr=new MultiRepository(ldaps);
  }

  /**
   * This creates an LDAPRepository with a single root context
   *
   * @param Context - A DirContext to be used as the root of LDAP searches
   */
  public LDAPRepository(DirContext Context) {
    ctx=Context;
  }

  /**
   * This method gets the set of named attributes from the entry with the DN.
   * It searches all ldap contexts simultaneously. If the DN and named attribute
   * exist in more than one of the named contexts, then multiple attribute
   * values will be returned.
   *
   * <p>Note that all attribute retrieval methods call this method, and they do
   * not update the status or diagnosis set by this method, and they propagate
   * the exceptions thrown by this method.
   *
   * <p>After calling the method the repository will be set into one of the
   * states: FAILURE_STATUS, SUCCESS_STATUS or PARTIAL_SUCCESS_STATUS. Failure
   * means there were no roots that succeeded. Success means that all of the
   * roots succeeded (the entries were found and some or no attributes were
   * retrieved). Partial success means that some of the roots failed, but some
   * have succeeded, which may be in case some of the roots do not contain
   * the required entry. The caller must find out himself what the cause is, and
   * decide if the results are sufficiently successful.
   *
   * @param DN The distinguished name of the entry from which the attributes
   *    are requested
   * @param AttributeNames The array of LDAP names for the attributes; can be
   *    null, if all available attributes and their values are to be retrieved
   *
   * @return the requested attributes; the Repository status reflects the status
   *    of retrieval, the diagnosis contains exceptions the underlying objects
   *    threw, if they failed
   *
   * @throws RepositoryException, if all of the repositories failed, in which 
   *    case the
   *    embedded exception will be the Throwable returned by <code>getDiagnosis</code>
   *    method; FAILURE_STATUS will also be set
   */

  public Attributes getAttributes(java.security.Principal DN, String [] AttributeNames) throws RepositoryException{
		//System.err.print("retrieving attributes: "); for(int i=0; i<AttributeNames.length; i++){ if (i!=0) System.err.print(","); System.err.print(AttributeNames[i]);} System.err.println(); //***********
    if (mr==null){
      try{
        diagnosis=null;
		//String attrs=""; for(int i=0; AttributeNames!=null && i<AttributeNames.length; i++) if (i==0) attrs=AttributeNames[i]; else attrs+=", "+AttributeNames[i]; //******************
		//System.err.println("getting ["+attrs+"] attributes for "+DN.getName()); //************
        return ctx.getAttributes(dnWithoutBaseDN(ctx, DN.getName()), AttributeNames);
      }catch(javax.naming.NameNotFoundException nnfe){
	//System.err.println(nnfe.getClass().getName()+" exception occured while retrieving attributes");//*************
	//nnfe.printStackTrace(); //*************

        diagnosis=nnfe; // set this as a diagnosis, so partial success can be signalled
        return null; // return null, i.e. no attributes were found
      }catch(Throwable th){

	//System.err.println(th.getClass().getName()+" exception occured while retrieving attributes");//*************
	//th.printStackTrace(); //*************

        diagnosis=new RepositoryException("Failed to get attributes", th);
	throw (RepositoryException)diagnosis;

      }finally{
        status=diagnosis==null?SUCCESS_STATUS:FAILURE_STATUS;
      }
    }else{
	//System.err.println("using MultiRepository to retrieve the attributes"); //************
      return mr.getAttributes(DN, AttributeNames);
    }
  }

  /**
   * This method returns the status of the repository. It is set when returning
   * attributes.
   *
   * @return the integer value corresponding to the status
   *
   * @see getAttributes(java.security.Principal,String[])
   */
  public int getStatus(){
    return mr==null?status:mr.getStatus();
  }

  /**
   * This method returns the Throwable, representing the error, or null, if no
   * error has been encountered (only if the repository is in SUCCESS_STATUS).
   * The Throwable contains an error message and the stack trace of the error.
   *
   * @return Throwable object, representing the error, or null if there was no
   *   error during the last call
   */
  public Throwable getDiagnosis(){
    return mr==null?diagnosis:mr.getDiagnosis();
  }

  /**
   * This is a utility method that strips off the base DN from the DN, if it
   * is present there. Sometimes the DN is relative to the root, sometimes it is
   * an absolute DN and includes the DN of the root DirContext. It is important
   * to stranslate the DN into the DN without the base DN for successful 
   * searches.
   *
   * @param root - the DirContext of the search root
   * @param dn - a DN with or without the base DN (the DN of the search root) 
   *
   * @return a LDAP DN relative to the base DN (the DN of the search root)
   *
   * @throws NamingException, if the DN is not a valid DN
   */
  public static String dnWithoutBaseDN(DirContext root, String dn) throws NamingException {
    String baseDN = root.getNameInNamespace();
    NameParser np = root.getNameParser("");
    Name baseDNName = np.parse(baseDN);
    Name dnName = np.parse(dn);
    //System.out.println("BaseDN: "+baseDNName+",\nDN: "+dnName);//****************
    //Name dnWithoutBaseDN = dnName.getSuffix(baseDNName.size());
    //System.out.println("DN w/o base DN: "+dnWithoutBaseDN);//****************

    if (dnName.startsWith(baseDNName)){
      //System.out.println("DN starts with the Base DN");//*************
      dnName = dnName.getSuffix(baseDNName.size());

      //System.out.println("We've got "+dnName.toString());//*************
    }else{
      // well... it should not come here!
    }
    return dnName.toString();
  }
}