Skip navigation links

Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
Oracle Fusion Middleware Management Java API Reference for Oracle Entitlements Server
11g Release 2 (11.1.2)
E27155-03
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

oracle.security.jps.util
Class JpsAuth

java.lang.Object
  extended by oracle.security.jps.util.JpsAuth

public final class JpsAuth
extends java.lang.Object

An Authorization related utility class

Nested Class Summary
static interface JpsAuth.Authorizer
           

 

Constructor Summary
JpsAuth()
           

 

Method Summary
static java.util.Set<ResourceActionsEntry> checkBulkAuthorization(javax.security.auth.Subject subject, java.util.Set<ResourceActionsEntry> requestedResources)
          Determines whether the subject has access one or more Resource Actions.
static void checkPermission(java.security.Permission perm)
          Utility method to perform checkPermission.
static java.util.Set<JpsApplicationRole> getAllGrantedAppRoles(javax.security.auth.Subject subject, java.util.Set<java.lang.String> applications)
          Returns a set of application roles that have been granted to a subject, directly or indirectly, for the specified application stripes.
static java.util.Set<ResourceActionsEntry> getGrantedResources(javax.security.auth.Subject subject, boolean isAuthorized)
          Returns resource-actions that have been granted to a Subject.
static JpsAuth.Authorizer getSystemAuthorizer()
          Returns the system-level Authorizer
static boolean hasPermission(javax.security.auth.Subject subject, java.security.Permission perm)
           

 

Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

 

Constructor Detail

JpsAuth

public JpsAuth()

Method Detail

getSystemAuthorizer

public static JpsAuth.Authorizer getSystemAuthorizer()
Returns the system-level Authorizer
Returns:
the system-level Authorizer

checkPermission

public static void checkPermission(java.security.Permission perm)
                            throws java.security.AccessControlException
Utility method to perform checkPermission.

The check proceeds as follows:

  1. If SecurityManager is set, call SecurityManager.checkPermission
  2. [else] If system property "java.security.policy" is set, call AccessController.checkPermission
  3. [else] do nothing
Parameters:
perm - permission to be checked
Throws:
java.security.AccessControlException - if the specified permission is not permitted, based on the current security policy.

hasPermission

public static boolean hasPermission(javax.security.auth.Subject subject,
                                    java.security.Permission perm)

getGrantedResources

public static java.util.Set<ResourceActionsEntry> getGrantedResources(javax.security.auth.Subject subject,
                                                                      boolean isAuthorized)
                                                               throws JpsRuntimeException
Returns resource-actions that have been granted to a Subject.

This utility method is to provide a runtime authorization query to fetch all granted resources on a given Subject instance. The return type is a Set of ResourceActionsEntry.

Please note that only permissions associated with resource types (directly or indirectly through permission sets) will be returned by this method.

If the subject is given java.security.AllPermission permission, then the returned resource actions entry will contain "<all actions>" action and "<all permissions>" resource where the resource type is "AllPermission".
Parameters:
subject - The Subject instance. This Subject instance can contain user identity, enterprise roles, or application roles. This method will compute application roles for the given subject. The subject must be read-only.
isAuthorized - A boolean flag to indicate if it also needs to perform checkPermission for the subject on all the granted resources. Set to true to perform a checkPermission for the subject on the resource actions entries. If set to false, no checkPermission is performed. Please note that in certain cases, a subject is granted for a permission does not necessary mean that the subject is authorized.

An example would be, say, we have a custom permission which implements its own implies method, and it adds one more condition to return imply true only if the access time is between 9 AM and 5 PM. In this case, a subject is granted the permission, but will only be authorized during 9 AM and 5 PM. If authorize is set to false, we will not evaluate the permissions and just return the entire set of permissions in ResourceActionsEntry.

Throws:
JpsRuntimeException - If the policy provider does not implement getGrantedResources.

checkBulkAuthorization

public static java.util.Set<ResourceActionsEntry> checkBulkAuthorization(javax.security.auth.Subject subject,
                                                                         java.util.Set<ResourceActionsEntry> requestedResources)
                                                                  throws PolicyStoreException
Determines whether the subject has access one or more Resource Actions.

Following example illustrates how to invoke this method


     import oracle.security.jps.*;
     import oracle.security.jps.util.*;
     import oracle.security.jps.service.policystore.*;
     import oracle.security.jps.service.policystore.info.*;
     import oracle.security.jps.service.policystore.info.common.*;
     import oracle.security.jps.service.policystore.info.resource.*;
     import oracle.security.jps.service.policystore.search.*;
     import java.util.*;
     import java.security.*;
     import javax.security.auth.*;

     ...

     PolicyStore ps;  // the current PolicyStore

      // Construct the requested Resource-Actions
     Set<ResourceActionsEntry> requestedResources = new HashSet<ResourceActionsEntry>();
     ResourceActionsEntry aResourceActionsEntry;
     Set<String> allowedActions;

     // actions for this resource
     allowedActions = new HashSet<String>();
     allowedActions.add("read");
     allowedActions.add("write");


     // Build one resource-actions
     // Assuming FILE is a pre-existing resource type defined in the application 'application_1'
     aResourceActionsEntry = InfoFactory.newResourceActionsEntry("FILE", "/tmp", allowedActions, "application_1");

     // and add it to the request
     requestedResources.add ( aResourceActionsEntry );

     // build one more resource-actions
     allowedActions = new HashSet<String>();
     allowedActions.add("connect");
     // Assuming SOCKET is a pre-existing resource type defined in the application 'application2'
     aResourceActionsEntry = InfoFactory.newResourceActionsEntry("SOCKET", "somehost:9999", allowedActions, "application_2");
     requestedResources.add ( aResourceActionsEntry );

     // Create a Subject (not shown here)
     Subject jdoe;
     Set<ResourceActionsEntry> allowedResources;

     // Return result has the allowed resource-actions
     allowedResources = ps.checkBulkAuthorization(jdoe, requestedResources);
Parameters:
subject - the Subject to authorize
requestedResources - a Set of resource actions the caller is requesting access to.
NOTE: Multiple actions in the ResourceActionsEntry correspond to action1 AND action2 ... AND action_n.
Returns:
the set of resource actions the caller is authorized to access from the supplied requestedResources. Resource Actions the caller cannot access are not included in the return result.

If the Subject is not authorized to all the resoure-actions, an empty Set is returned.

Throws:
PolicyStoreException - if an error occurs while evaluating the request.
See Also:
InfoFactory.newResourceActionsEntry(String,String,Set,String)

getAllGrantedAppRoles

public static java.util.Set<JpsApplicationRole> getAllGrantedAppRoles(javax.security.auth.Subject subject,
                                                                      java.util.Set<java.lang.String> applications)
                                                               throws PolicyStoreException
Returns a set of application roles that have been granted to a subject, directly or indirectly, for the specified application stripes.

The method queries all the granted application roles on a given subject instance for multiple application policies.

Parameters:
subject - The Subject instance. This Subject instance can contain user identity, enterprise roles, or application roles. The subject must be read-only. If there are application roles in the incoming subject, and the application name associated with the application roles is not null, then the application role computation for that particular application will be skipped.

To ensure all the application roles granted to the Subject are computed by this method, do not include any application role in the Subject.

applications - names to compute the granted application roles in for the given Subject.
Returns:
a set of oracle.security.jps.principals.JpsApplicationRole. This set will contain all application roles (including direct or indirect application roles) in flat structure across all specified applications.
Throws:
PolicyStoreException - if an error occurs while evaluating the request.

Skip navigation links

Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
Oracle Fusion Middleware Management Java API Reference for Oracle Entitlements Server
11g Release 2 (11.1.2)
E27155-03
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

Copyright © 2011, 2013 Oracle. All rights reserved.