Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.opends.server.api
Class AccessControlHandler<T extends AccessControlHandlerCfg>

java.lang.Object
  extended by org.opends.server.api.AccessControlHandler<T>
Type Parameters:
T - The type of access control configuration handled by this access control provider implementation.
Direct Known Subclasses:
AciHandler
@PublicAPI(stability=VOLATILE,
           mayInstantiate=false,
           mayExtend=true,
           mayInvoke=false)
public abstract class AccessControlHandler<T extends AccessControlHandlerCfg>
extends java.lang.Object

This class defines the set of methods and structures that must be implemented by a Directory Server access control handler. All methods in this class should take the entire request into account when making the determination, including any request controls that might have been provided.

Constructor Summary
AccessControlHandler()
           
 
Method Summary
abstract  SearchResultEntry filterEntry(Operation operation, Entry entry)
          Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access.
abstract  SearchResultEntry filterEntry(SearchOperation searchOperation, SearchResultEntry searchEntry)
          Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access.
abstract  void finalizeAccessControlHandler()
          Performs any necessary finalization for the access control handler implementation.
abstract  void initializeAccessControlHandler(T configuration)
          Initializes the access control handler implementation based on the information in the provided configuration entry.
abstract  boolean isAllowed(DN dn, Operation op, Control control)
          Indicates whether the provided control is allowed based on the access control configuration and the specified operation.
abstract  boolean isAllowed(ExtendedOperation extendedOperation)
          Indicates whether the provided extended operation is allowed based on the access control configuration.
abstract  boolean isAllowed(LocalBackendAddOperation addOperation)
          Indicates whether the provided add operation is allowed based on the access control configuration.
abstract  boolean isAllowed(LocalBackendBindOperation bindOperation)
          Indicates whether the provided bind operation is allowed based on the access control configuration.
abstract  boolean isAllowed(LocalBackendCompareOperation compareOperation)
          Indicates whether the provided compare operation is allowed based on the access control configuration.
abstract  boolean isAllowed(LocalBackendDeleteOperation deleteOperation)
          Indicates whether the provided delete operation is allowed based on the access control configuration.
abstract  boolean isAllowed(LocalBackendModifyDNOperation modifyDNOperation)
          Indicates whether the provided modify DN operation is allowed based on the access control configuration.
abstract  boolean isAllowed(LocalBackendModifyOperation modifyOperation)
          Indicates whether the provided modify operation is allowed based on the access control configuration.
abstract  boolean isAllowed(LocalBackendSearchOperation searchOperation)
          Indicates whether the provided search operation is allowed based on the access control configuration.
abstract  boolean isAllowed(Operation operation, Entry entry, SearchFilter filter)
          Indicates whether the provided operation search filter is allowed based on the access control configuration.
 boolean isConfigurationAcceptable(AccessControlHandlerCfg configuration, java.util.List<Message> unacceptableReasons)
          Indicates whether the provided configuration is acceptable for this access control handler.
abstract  boolean mayProxy(Entry proxyUser, Entry proxiedUser, Operation operation)
          Indicates if the specified proxy user entry can proxy, or act on the behalf of the specified proxied user entry.
abstract  boolean maySend(DN dn, SearchOperation searchOperation, SearchResultReference searchReference)
          Indicates whether the provided search result reference may be sent to the client based on the access control configuration.
abstract  boolean maySend(SearchOperation searchOperation, SearchResultEntry searchEntry)
          Indicates whether the provided search result entry may be sent to the client.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AccessControlHandler

public AccessControlHandler()
Method Detail

initializeAccessControlHandler

public abstract void initializeAccessControlHandler(T configuration)
                                             throws ConfigException,
                                                    InitializationException
Initializes the access control handler implementation based on the information in the provided configuration entry.

Parameters:
configuration - The configuration object that contains the information to use to initialize this access control handler.
Throws:
ConfigException - If an unrecoverable problem arises in the process of performing the initialization.
InitializationException - If a problem occurs during initialization that is not related to the server configuration.

isConfigurationAcceptable

public boolean isConfigurationAcceptable(AccessControlHandlerCfg configuration,
                                         java.util.List<Message> unacceptableReasons)
Indicates whether the provided configuration is acceptable for this access control handler. It should be possible to call this method on an uninitialized access control handler instance in order to determine whether the handler would be able to use the provided configuration.

Note that implementations which use a subclass of the provided configuration class will likely need to cast the configuration to the appropriate subclass type.

Parameters:
configuration - The access control handler configuration for which to make the determination.
unacceptableReasons - A list that may be used to hold the reasons that the provided configuration is not acceptable.
Returns:
true if the provided configuration is acceptable for this access control handler, or false if not.

finalizeAccessControlHandler

public abstract void finalizeAccessControlHandler()
Performs any necessary finalization for the access control handler implementation. This will be called just after the handler has been deregistered with the server but before it has been unloaded.

isAllowed

public abstract boolean isAllowed(LocalBackendAddOperation addOperation)
                           throws DirectoryException
Indicates whether the provided add operation is allowed based on the access control configuration. This method should not alter the provided add operation in any way.

Parameters:
addOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(DN dn,
                                  Operation op,
                                  Control control)
                           throws DirectoryException
Indicates whether the provided control is allowed based on the access control configuration and the specified operation. This method should not alter the provided operation in any way.

Parameters:
dn - A DN that can be used in the access determination.
op - The operation to use in the determination.
control - The control for which to make the determination.
Returns:
true if the control should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(LocalBackendBindOperation bindOperation)
                           throws DirectoryException
Indicates whether the provided bind operation is allowed based on the access control configuration. This method should not alter the provided bind operation in any way.

Parameters:
bindOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(LocalBackendCompareOperation compareOperation)
                           throws DirectoryException
Indicates whether the provided compare operation is allowed based on the access control configuration. This method should not alter the provided compare operation in any way.

Parameters:
compareOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(LocalBackendDeleteOperation deleteOperation)
                           throws DirectoryException
Indicates whether the provided delete operation is allowed based on the access control configuration. This method should not alter the provided delete operation in any way.

Parameters:
deleteOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(ExtendedOperation extendedOperation)
                           throws DirectoryException
Indicates whether the provided extended operation is allowed based on the access control configuration. This method should not alter the provided extended operation in any way.

Parameters:
extendedOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(LocalBackendModifyOperation modifyOperation)
                           throws DirectoryException
Indicates whether the provided modify operation is allowed based on the access control configuration. This method should not alter the provided modify operation in any way.

Parameters:
modifyOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(LocalBackendModifyDNOperation modifyDNOperation)
                           throws DirectoryException
Indicates whether the provided modify DN operation is allowed based on the access control configuration. This method should not alter the provided modify DN operation in any way.

Parameters:
modifyDNOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(LocalBackendSearchOperation searchOperation)
                           throws DirectoryException
Indicates whether the provided search operation is allowed based on the access control configuration. This method may only alter the provided search operation in order to add an opaque block of data to it that will be made available for use in determining whether matching search result entries or search result references may be allowed.

Parameters:
searchOperation - The operation for which to make the determination.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

isAllowed

public abstract boolean isAllowed(Operation operation,
                                  Entry entry,
                                  SearchFilter filter)
                           throws DirectoryException
Indicates whether the provided operation search filter is allowed based on the access control configuration. This method should not alter the provided operation in any way.

Parameters:
operation - The operation for which to make the determination.
entry - The entry for which to make the determination.
filter - The filter to check access on.
Returns:
true if the operation should be allowed by the access control configuration, or false if not.
Throws:
DirectoryException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.

maySend

public abstract boolean maySend(SearchOperation searchOperation,
                                SearchResultEntry searchEntry)
Indicates whether the provided search result entry may be sent to the client. Implementations must not under any circumstances modify the search entry in any way.

Parameters:
searchOperation - The search operation with which the provided entry is associated.
searchEntry - The search result entry for which to make the determination.
Returns:
true if the access control configuration allows the entry to be returned to the client, or false if not.

filterEntry

public abstract SearchResultEntry filterEntry(SearchOperation searchOperation,
                                              SearchResultEntry searchEntry)
Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access.

Parameters:
searchOperation - The search operation with which the provided entry is associated.
searchEntry - The search result entry to be filtered.
Returns:
Returns the entry with filtered attributes and values removed.

filterEntry

public abstract SearchResultEntry filterEntry(Operation operation,
                                              Entry entry)
Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access.

Parameters:
operation - The operation with which the provided entry is associated.
entry - The entry to be filtered.
Returns:
Returns the entry with filtered attributes and values removed.

maySend

public abstract boolean maySend(DN dn,
                                SearchOperation searchOperation,
                                SearchResultReference searchReference)
Indicates whether the provided search result reference may be sent to the client based on the access control configuration.

Parameters:
dn - A DN that can be used in the access determination.
searchOperation - The search operation with which the provided reference is associated.
searchReference - The search result reference for which to make the determination.
Returns:
true if the access control configuration allows the reference to be returned to the client, or false if not.

mayProxy

public abstract boolean mayProxy(Entry proxyUser,
                                 Entry proxiedUser,
                                 Operation operation)
Indicates if the specified proxy user entry can proxy, or act on the behalf of the specified proxied user entry. The operation parameter is used in the evaluation.

Parameters:
proxyUser - The entry to use as the proxy user.
proxiedUser - The entry to be proxied by the proxy user.
operation - The operation to use in the evaluation.
Returns:
true if the access control configuration allows the proxy user to proxy the proxied user, or false if not.
Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD