
Oracle Fusion Middleware Management Java API Reference for Oracle Entitlements Server
11g Release 2 (11.1.2)

E27155-01 ESAPI


oracle.security.jps.service.policystore
Interface PolicyMgmt

All Known Subinterfaces:
ApplicationPolicy, BindingPolicyStore, PolicyStore

public interface PolicyMgmt

This interface defines the policy provisioning APIs (grant, revoke, modify and enumerate grants).


Method Summary
 java.util.List<GrantEntry> getGrantEntries()
          Get all the grants defined in this scope (system or application).
 void grant(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, java.util.List<PermissionEntry> permissionEntries)
          Grant a set of permissions to this group of principals and code source, collectively known as the grantee.
 void grant(java.security.Principal[] principals, java.security.CodeSource cs, java.security.Permission[] perms)
          Grant a set of permissions to this group of principals and code source, collectively known as the grantee.
 void modifyGrant(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, PermissionEntry oldpermissionEntry, PermissionEntry newPermissionEntry)
          Modifies a grant by replacing the permission in an existing grant with a given permission if not already present.
 void revoke(java.util.List<PrincipalEntry> principalEntries, CodeSourceEntry csEntry, java.util.List<PermissionEntry> permissionEntries)
          Revoke a grant of permissions from this set of principals and code source combination.
 void revoke(java.security.Principal[] principals, java.security.CodeSource cs, java.security.Permission[] perms)
          Revoke a grant of permissions from this set of principals and codesource combination.

 

Method Detail

grant

void grant(java.security.Principal[] principals,
           java.security.CodeSource cs,
           java.security.Permission[] perms)
           throws PolicyObjectAlreadyExistsException,
                  PolicyStoreException,
                  InvalidArgumentException
Grant a set of permissions to this group of principals and code source, collectively known as the grantee.

Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.

Based on the algorithm in JpsAuth, this checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "grant") or for PolicyStoreAccessPermission("context=SYSTEM", "grant"). This may result in an AccessControlException or SecurityException.

Parameters:
principals - the set of principals to grant the permission(s) for
cs - the code source
perms - the set of permissions
Throws:
PolicyObjectAlreadyExistsException - if the grantee is already granted all the requested permissions. If any one permission was not granted previously, then this permission is now granted.
InvalidArgumentException - if the supplied perms array is null or empty, or any entry in the principals or perms arrays is null, or the name of a Principal is null or empty; if duplicate Principal objects are found in the principals array or duplicate Permission objects are found in the perms array; if a given Principal is an AdminRole principal; if a given Permission is not an instance of oracle.security.jps.ResourcePermission or oracle.security.jps.AbstractTypedPermission when the oracle.security.jps.policystore.resourcetypeenforcementmode property is set to Strict.
PolicyStoreException - if an error occurred during this grant operation.
Cause: Permission class validation fails (if the resource type is defined in the policy store)
Explanation: The permission class of the Permission differs from the matcher class of the resource type (see ResourceTypeEntry.getResourceMatcherClassName()).
Cause: Action validation fails (if the resource type is defined in the policy store)
Explanation: The action of the Permission is not a subset of the actions of the given resource type (see ResourceTypeEntry.getActions()).
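The partial-grant rule above (PolicyObjectAlreadyExistsException only when every requested permission is already held) makes grant awkward to call idempotently. The following wrapper, added here as an example and not Oracle's code, treats that exception as "no change" and fails fast on the argument rules the store would reject with InvalidArgumentException; it assumes the exception classes share the PolicyMgmt package and that the caller already holds a PolicyMgmt (an ApplicationPolicy or PolicyStore) and the matching PolicyStoreAccessPermission.

```java
// Added example, not Oracle's code: idempotent wrapper over PolicyMgmt.grant with
// a client-side pre-check mirroring the InvalidArgumentException rules above.
// Assumed (not stated on the page): the exception classes share PolicyMgmt's
// package; the caller holds a PolicyMgmt from ApplicationPolicy or PolicyStore.
import java.security.CodeSource;
import java.security.Permission;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import oracle.security.jps.service.policystore.InvalidArgumentException;
import oracle.security.jps.service.policystore.PolicyMgmt;
import oracle.security.jps.service.policystore.PolicyObjectAlreadyExistsException;
import oracle.security.jps.service.policystore.PolicyStoreException;

public final class GrantReconciler {

    public enum Outcome { GRANTED_AT_LEAST_ONE, ALL_ALREADY_GRANTED }

    // Rejects locally what the store rejects with InvalidArgumentException:
    // empty perms, null entries, null/empty principal names, duplicates.
    // AdminRole and Strict-mode type rules are left to the store.
    static void preflight(Principal[] principals, Permission[] perms) {
        if (perms == null || perms.length == 0)
            throw new IllegalArgumentException("perms must be non-empty");
        if (principals == null) throw new IllegalArgumentException("principals null");
        for (Principal p : principals)
            if (p == null || p.getName() == null || p.getName().isEmpty())
                throw new IllegalArgumentException("null principal or empty name");
        for (Permission perm : perms)
            if (perm == null) throw new IllegalArgumentException("null permission");
        if (new HashSet<>(Arrays.asList(principals)).size() != principals.length
                || new HashSet<>(Arrays.asList(perms)).size() != perms.length)
            throw new IllegalArgumentException("duplicate principal or permission");
    }

    // Per the reference, PolicyObjectAlreadyExistsException is raised only when
    // EVERY requested permission is already held; if at least one was missing it
    // is granted and nothing is thrown, so the exception means "no change".
    // AccessControlException/SecurityException from a caller lacking
    // PolicyStoreAccessPermission "grant" are unchecked and propagate.
    public static Outcome ensureGranted(PolicyMgmt store, Principal[] principals,
                                        CodeSource cs, Permission[] perms)
            throws PolicyStoreException, InvalidArgumentException {
        preflight(principals, perms);
        try {
            store.grant(principals, cs, perms);
            return Outcome.GRANTED_AT_LEAST_ONE;
        } catch (PolicyObjectAlreadyExistsException e) {
            return Outcome.ALL_ALREADY_GRANTED;
        }
    }
}
```

Call getGrantEntries() afterwards if you need to confirm the resulting grant set, since the return value only tells you whether the store reported a change.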

grant

void grant(java.util.List<PrincipalEntry> principalEntries,
           CodeSourceEntry csEntry,
           java.util.List<PermissionEntry> permissionEntries)
           throws PolicyObjectAlreadyExistsException,
                  PolicyStoreException,
                  InvalidArgumentException
Grant a set of permissions to this group of principals and code source, collectively known as the grantee.

Use this method only if the grantee or PermissionEntries cannot be instantiated. Sometimes the class that implements the principal or the permission may not be available in the classloader. In such situations, this method can be used to perform a grant.

This method searches for an existing grantee by comparing the corresponding string values of the grantee, which are the principal classname, principal name and the code source URL. Therefore, the grantee search is not exact and may not be entirely accurate since the Principal objects are not compared.

Similarly, when the permissions are granted, the check for duplicate permissions is performed by string comparison of the permission attributes, namely the permission classname, permission name and permission action. Also, since the Permission object is not created, it is not possible to verify whether the PermissionEntry is valid.

Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.

The caller is responsible for the grantee and permissions values supplied as parameters in this method.

Based on the algorithm in JpsAuth, this checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "grant") or for PolicyStoreAccessPermission("context=SYSTEM", "grant"). This may result in an AccessControlException or SecurityException.

Parameters:
principalEntries - principal entries that constitute the grantee
csEntry - codesource entry that constitutes the grantee
permissionEntries - permissions to grant.
Throws:
PolicyObjectAlreadyExistsException - if the grantee is already granted all the requested permissions. If any one permission was not granted previously, then the permission is now granted.
InvalidArgumentException - if the supplied permissionEntries list is null or empty, or any entry in the principalEntries or permissionEntries lists is null or has a null or empty classname, or the principal name of a PrincipalEntry is null or empty; if duplicate PrincipalEntry objects are found in the principalEntries list or if duplicate PermissionEntry objects are found in the permissionEntries list; if a given PrincipalEntry corresponds to an AdminRole principal; if a given PrincipalEntry is not associated with a Resource Type when the oracle.security.jps.policystore.resourcetypeenforcementmode property is set to Strict.
PolicyStoreException - if an error occurred during this grant operation.
Cause: Permission class validation fails (if the resource type exists in the policy store)
Explanation: The permission class of the Permission differs from the matcher class of the resource type (see ResourceTypeEntry.getResourceMatcherClassName()).
Cause: Action validation fails (if the resource type exists in the policy store)
Explanation: The action of the Permission is not a subset of the actions of the given resource type (see ResourceTypeEntry.getActions()).

revoke

void revoke(java.security.Principal[] principals,
            java.security.CodeSource cs,
            java.security.Permission[] perms)
            throws PolicyObjectNotFoundException,
                   PolicyStoreException,
                   InvalidArgumentException
Revoke a grant of permissions from this set of principals and codesource combination. The revoke applies to all global/system policies or just one particular application's policy based on whether this API is invoked on a PolicyStore or invoked on ApplicationPolicy.

Based on the algorithm in JpsAuth, this checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "revoke") or for PolicyStoreAccessPermission("context=SYSTEM", "revoke"). This may result in an AccessControlException or SecurityException.

Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.

Parameters:
principals - the set of principals to revoke the permission(s) from
cs - the code source
perms - the set of permissions
Throws:
PolicyObjectNotFoundException - if this object is not found.
InvalidArgumentException - if the supplied perms array is null or empty, or any entry in the principals or perms arrays is null, or the name of a Principal is null or empty; if duplicate Principal objects are found in the principals array; if a given Principal is an AdminRole principal.
PolicyStoreException - if an error occurred during this revoke operation.
Cause: Permission class validation fails (if the resource type is defined in the policy store)
Explanation: The permission class of the Permission differs from the matcher class of the resource type (see ResourceTypeEntry.getResourceMatcherClassName()).
Cause: Action validation fails (if the resource type is defined in the policy store)
Explanation: The action of the Permission is not a subset of the actions of the given resource type (see ResourceTypeEntry.getActions()).

revoke

void revoke(java.util.List<PrincipalEntry> principalEntries,
            CodeSourceEntry csEntry,
            java.util.List<PermissionEntry> permissionEntries)
            throws PolicyObjectNotFoundException,
                   PolicyStoreException,
                   InvalidArgumentException
Revoke a grant of permissions from this set of principals and code source combination.

Use this method only if the grantee or PermissionEntries cannot be instantiated. Sometimes the class that implements the principal or the permission may not be available in the classloader. In such situations, this method can be used to perform a revoke.

This method searches for an existing grantee by comparing the corresponding string values of the grantee, which are the principal classname, principal name and the code source URL. Therefore, the grantee search is not exact and may not be entirely accurate since the Principal objects are not compared.

Similarly, when the permissions are revoked, the check for an existing permission is performed by string comparison of the permission attributes, namely the permission classname, permission name and permission action. Also, since the Permission object is not created, it is not possible to verify whether the PermissionEntry is valid.

Permissions created with valid resource types will be validated for matcher class and allowed actions against their resource type. Validations will not be done for invalid (non-existent) resource types.

The caller is responsible for the grantee and permissions values supplied as parameters in this method.

Based on the algorithm in JpsAuth, this checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "revoke") or for PolicyStoreAccessPermission("context=SYSTEM", "revoke"). This may result in an AccessControlException or SecurityException.

Parameters:
principalEntries - principal entries that constitute the grantee
csEntry - codesource entry that constitutes the grantee
permissionEntries - permissions to revoke.
Throws:
PolicyObjectNotFoundException - if the grantee or permissions are not found.
InvalidArgumentException - if the supplied permissionEntries list is null or empty, or any entry in the principalEntries or permissionEntries lists is null or has a null or empty classname, or the principal name of a PrincipalEntry object is null or empty; if duplicate PrincipalEntry objects are found in the principalEntries list; if a given PrincipalEntry corresponds to an AdminRole principal.
PolicyStoreException - if an error occurred during this revoke operation.
Cause: Permission class validation fails (if the resource type is defined in the policy store)
Explanation: The permission class of the Permission differs from the matcher class of the resource type (see ResourceTypeEntry.getResourceMatcherClassName()).
Cause: Action validation fails (if the resource type is defined in the policy store)
Explanation: The action of the Permission is not a subset of the actions of the given resource type (see ResourceTypeEntry.getActions()).

getGrantEntries

java.util.List<GrantEntry> getGrantEntries()
                                           throws PolicyStoreException
Get all the grants defined in this scope (system or application).
Returns:
The GrantEntry list
Throws:
PolicyStoreException - if an error occurred during this operation

modifyGrant

void modifyGrant(java.util.List<PrincipalEntry> principalEntries,
                 CodeSourceEntry csEntry,
                 PermissionEntry oldpermissionEntry,
                 PermissionEntry newPermissionEntry)
                 throws PolicyObjectNotFoundException,
                        PolicyStoreException,
                        InvalidArgumentException
Modifies a grant by replacing the permission in an existing grant with a given permission, if not already present. The implementation for the file-based XML policy store should ensure that the change to the underlying persisted XML file is minimal after this API is invoked.

This checks for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "revoke") or PolicyStoreAccessPermission("context=SYSTEM", "revoke"), and for PolicyStoreAccessPermission("context=APPLICATION,name=application stripe", "grant") or PolicyStoreAccessPermission("context=SYSTEM", "grant"). This may result in an AccessControlException or SecurityException.
Parameters:
principalEntries - List of principal entries that defines the grant
csEntry - codesource entry that defines the grant
oldpermissionEntry - old permission entry to be replaced
newPermissionEntry - new permission entry to be put in
Throws:
PolicyObjectNotFoundException - thrown if the grant or old permission is not found.
InvalidArgumentException - if the supplied oldpermissionEntry or newPermissionEntry objects or any entries in the principalEntries list are null, or the principal name of a PrincipalEntry object is null or empty; if duplicate PrincipalEntry objects are found in the principalEntries list; if a given PrincipalEntry corresponds to an AdminRole principal.
PolicyStoreException - internal policy store error.


Copyright © 2011,2012, Oracle and/or its affiliates. All rights reserved.