
Oracle Fusion Middleware Java API Reference for Oracle Platform Security Services
11g Release 1 (11.1.1)

E14650-03


oracle.security.jps.service.policystore
Interface PolicyMgmt

All Known Subinterfaces:
ApplicationPolicy, PolicyStore

public interface PolicyMgmt

This interface defines policy provisioning APIs.


Method Summary
 java.util.List getGrantEntries()
          Get all the grants defined in this scope (system or application).
 void grant(java.util.List principalEntries, CodeSourceEntry csEntry, java.util.List permissionEntries)
          Grant a set of permissions to this group of principals and code source, or otherwise collectively known as the grantee.
 void grant(java.security.Principal[] principals, java.security.CodeSource cs, java.security.Permission[] perms)
          Grant a set of permissions to this group of principals and code source, or otherwise collectively known as the grantee.
 void modifyGrant(java.util.List principalEntries, CodeSourceEntry csEntry, PermissionEntry oldpermissionEntry, PermissionEntry newPermissionEntry)
          Modifies a grant by replacing the permission in an existing grant with a given permission if not already present.
 void revoke(java.util.List principalEntries, CodeSourceEntry csEntry, java.util.List permissionEntries)
          Revoke a grant of permissions from this set of principals and codesource combination.
 void revoke(java.security.Principal[] principals, java.security.CodeSource cs, java.security.Permission[] perms)
          Revoke a grant of permissions from this set of principals and codesource combination.

 

Method Detail

grant

void grant(java.security.Principal[] principals,
           java.security.CodeSource cs,
           java.security.Permission[] perms)
           throws PolicyObjectAlreadyExistsException,
                  PolicyStoreException
Grant a set of permissions to this group of principals and code source, or otherwise collectively known as the grantee.

Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.

Based on the algorithm in JpsAuth, this checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "grant") OR for PolicyStoreAccessPermission("context=SYSTEM", "grant"). This may result in an AccessControlException or SecurityException.

Parameters:
principals - the set of principals to grant the permission(s) for
cs - the code source
perms - the set of permissions
Throws:
PolicyObjectAlreadyExistsException - if the grantee is already granted the requested permissions.
PolicyStoreException - if an error occurred during this grant operation.
Cause - Explanation
Permission Class validation fails (if resource type is defined in the policy store) - Permission class of Permission differs from the matcher class of the resource type. (see ResourceTypeEntry.getResourceMatcherClassName())
Action validation fails (if resource type is defined in the policy store) - Action of the Permission is not a subset of actions for the given Resource Type. (see ResourceTypeEntry.getActions())
java.lang.NullPointerException - if permissions is empty, or if a principal in the principals array is empty.
PolicyObjectAlreadyExistsException - if all the permissions are granted to the grantee. If any one permission is not granted previously, then the permission is now granted.

grant

void grant(java.util.List principalEntries,
           CodeSourceEntry csEntry,
           java.util.List permissionEntries)
           throws PolicyObjectAlreadyExistsException,
                  PolicyStoreException
Grant a set of permissions to this group of principals and code source, or otherwise collectively known as the grantee.

Use this method only if the grantee or PermissionEntries cannot be instantiated. Sometimes the class that implements the principal or the permission may not be available in the classloader. In such situations, this method can be used to perform a grant.

This method searches for an existing grantee by comparing the corresponding string values of the grantee, which are the principal classname, principal name and the code source URL. Therefore, the grantee search is not exact and may not be entirely accurate since the Principal objects are not compared.

Similarly, when the permissions are granted, the check for duplicate permissions is performed by string comparisons of the permission attributes, namely the permission classname, permission name and permission action. Also, since the Permission object is not created, it is not possible to verify whether the PermissionEntry is valid.

Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.

The caller is responsible for the grantee and permissions values supplied as parameters in this method.

Based on the algorithm in JpsAuth, this checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "grant") OR for PolicyStoreAccessPermission("context=SYSTEM", "grant"). This may result in an AccessControlException or SecurityException.

Parameters:
principalEntries - principal entries that constitute the grantee
csEntry - codesource entry that constitute the grantee
permissionEntries - permissions to grant.
Throws:
PolicyObjectAlreadyExistsException - if the grantee is already granted the requested permissions.
PolicyStoreException - if an error occurred during this grant operation.
Cause - Explanation
Permission Class validation fails (if resource type exists in policy store) - Permission class of Permission differs from the matcher class of the Resource type. (see ResourceTypeEntry.getResourceMatcherClassName())
Action validation fails (if resource type exists in policy store) - Action of the Permission is not a subset of actions for the given Resource Type. (see ResourceTypeEntry.getActions())
java.lang.NullPointerException - if permissions is empty, or if a principal in the principals array is empty.
PolicyObjectAlreadyExistsException - if all the permissions are granted to the grantee. If any one permission is not granted previously, then the permission is now granted.

revoke

void revoke(java.security.Principal[] principals,
            java.security.CodeSource cs,
            java.security.Permission[] perms)
            throws PolicyObjectNotFoundException,
                   PolicyStoreException
Revoke a grant of permissions from this set of principals and codesource combination. The revoke applies to all global/system policies or to just one particular application's policy, depending on whether this API is invoked on a PolicyStore or on an ApplicationPolicy.

Based on the algorithm in JpsAuth, this checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "revoke") OR for PolicyStoreAccessPermission("context=SYSTEM", "revoke"). This may result in an AccessControlException or SecurityException.

Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.

Parameters:
principals - the set of principals to revoke the permission(s) from
cs - the code source
perms - the set of permissions
Throws:
PolicyObjectNotFoundException - if this object is not found
PolicyStoreException - if an error occurred during this revoke operation
Cause - Explanation
Permission Class validation fails (if resource type is defined in the policy store) - Permission class of Permission differs from the matcher class of the Resource type. (see ResourceTypeEntry.getResourceMatcherClassName())
Action validation fails (if resource type is defined in the policy store) - Action of the Permission is not a subset of actions for the given Resource Type. (see ResourceTypeEntry.getActions())
java.lang.NullPointerException - if permissions is empty, or if a principal in the principals array is empty.

revoke

void revoke(java.util.List principalEntries,
            CodeSourceEntry csEntry,
            java.util.List permissionEntries)
            throws PolicyObjectNotFoundException,
                   PolicyStoreException
Revoke a grant of permissions from this set of principals and codesource combination.

Use this method only if the grantee or PermissionEntries cannot be instantiated. Sometimes the class that implements the principal or the permission may not be available in the classloader. In such situations, this method can be used to perform a grant.

This method searches for an existing grantee by comparing the corresponding string values of the grantee, which are the principal classname, principal name and the code source URL. Therefore, the grantee search is not exact and may not be entirely accurate since the Principal objects are not compared.

Similarly, when the permissions are revoked, the check for existing permissions is performed by string comparisons of the permission attributes, namely the permission classname, permission name and permission action. Also, since the Permission object is not created, it is not possible to verify whether the PermissionEntry is valid.

Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.

The caller is responsible for the grantee and permissions values supplied as parameters in this method.

Based on the algorithm in JpsAuth, this checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "revoke") OR for PolicyStoreAccessPermission("context=SYSTEM", "revoke"). This may result in an AccessControlException or SecurityException.

Parameters:
principalEntries - principal entries that constitute the grantee
csEntry - codesource entry that constitute the grantee
permissionEntries - permissions to grant.
Throws:
PolicyObjectNotFoundException - if the grantee or permissions are not found.
PolicyStoreException - if an error occurred during this revoke operation.
Cause - Explanation
Permission Class validation fails (if resource type is defined in the policy store) - Permission class of Permission differs from the matcher class of the Resource type. (see ResourceTypeEntry.getResourceMatcherClassName())
Action validation fails (if resource type is defined in the policy store) - Action of the Permission is not a subset of actions for the given Resource Type. (see ResourceTypeEntry.getActions())
java.lang.NullPointerException - if permissions is empty, or if a principal in the principals array is empty.
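
The entry-based grant and revoke overloads above match grantees and permissions by their string values, so two values that are equal as Java objects can still fail to match. The following added example (not OPSS code and not part of the original reference) models that comparison with standard JDK classes; `key` and `normalizeActions` are hypothetical helpers, and the path and principal names are constructed sample values.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.TreeSet;
import javax.security.auth.x500.X500Principal;

// Added example: a model of string-based entry matching, not the OPSS implementation.
public class EntryMatchDemo {

    // Hypothetical stand-in for the comparison: class name, name and actions as text.
    static String key(String className, String name, String actions) {
        return className + "|" + name + "|" + actions;
    }

    // Caller-side normalisation: trim, de-duplicate and sort the action list so
    // the same text is supplied at grant time and at revoke time.
    static String normalizeActions(String actions) {
        TreeSet<String> sorted = new TreeSet<>();
        for (String a : actions.split(",")) {
            if (!a.trim().isEmpty()) sorted.add(a.trim());
        }
        return String.join(",", sorted);
    }

    public static void main(String[] args) {
        String cls = FilePermission.class.getName();
        String path = "/u01/app/config.xml";   // constructed sample value
        String grantedAs = "write,read";       // text used when granting
        String revokedAs = "read,write";       // text used when revoking

        // Instantiated permissions compare on their parsed actions, not the raw text.
        Permission p1 = new FilePermission(path, grantedAs);
        Permission p2 = new FilePermission(path, revokedAs);
        System.out.println("Permission.equals: " + p1.equals(p2));

        // The raw strings differ, so a string-based lookup misses the stored entry.
        System.out.println("raw string match:  "
            + key(cls, path, grantedAs).equals(key(cls, path, revokedAs)));
        System.out.println("normalised match:  "
            + key(cls, path, normalizeActions(grantedAs))
                .equals(key(cls, path, normalizeActions(revokedAs))));

        // Same effect on the grantee side: equal principals, different name strings.
        X500Principal a = new X500Principal("CN=Alice, O=Example");
        X500Principal b = new X500Principal("cn=alice,o=example");
        System.out.println("Principal.equals:  " + a.equals(b));
        System.out.println("name string match: " + a.getName().equals(b.getName()));
    }
}
```

Because the caller is responsible for the values passed to these overloads, deriving every entry string through one normalisation routine keeps a later revoke aligned with the grant it is meant to remove.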

getGrantEntries

java.util.List getGrantEntries()
                               throws PolicyStoreException
Get all the grants defined in this scope (system or application).
Returns:
The GrantEntry list
Throws:
PolicyStoreException - if an error occurred during this operation

modifyGrant

void modifyGrant(java.util.List principalEntries,
                 CodeSourceEntry csEntry,
                 PermissionEntry oldpermissionEntry,
                 PermissionEntry newPermissionEntry)
                 throws PolicyObjectNotFoundException,
                        PolicyStoreException
Modifies a grant by replacing the permission in an existing grant with a given permission if not already present. The implementation for the file-based XML policy store should ensure that the change to the underlying persisted XML file is minimal after this API is invoked.

This checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "revoke") OR for PolicyStoreAccessPermission("context=SYSTEM", "revoke"), AND for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "grant") OR for PolicyStoreAccessPermission("context=SYSTEM", "grant"). This may result in an AccessControlException or SecurityException.
Parameters:
principalEntries - List of principal entries that defines the grant
csEntry - codesource entry that defines the grant
oldpermissionEntry - old permission entry to be replaced
newPermissionEntry - new permission entry to be put in
Throws:
PolicyObjectNotFoundException - thrown if the grant or old permission is not found
PolicyStoreException - internal policy store error
java.lang.IllegalArgumentException - if principalEntries list is empty or oldpermissionEntry or newPermissionEntry is null.

Copyright © 2010, Oracle. All rights reserved.