Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

com.sun.slamd.admin
Class AccessManager

java.lang.Object
  extended by com.sun.slamd.admin.AccessManager

public class AccessManager
extends java.lang.Object

This class provides a mechanism for restricting access to components of the administrative interface. It caches user access information for better performance, but also provides a mechanism for flushing that cache so that access can be re-evaluated. Note that this class does not actually restrict access or require authentication, because that must be configured in the Web server itself. Rather, this class will determine whether the authenticated user may access a particular resource, as well as which resources a given user may access (which are two different things).

Author:
Neil A. Wilson

Constructor Summary
AccessManager(java.lang.String userDirectoryHost, int userDirectoryPort, java.lang.String userDirectoryBindDN, java.lang.String userDirectoryBindPW, java.lang.String userBaseDN, java.lang.String userIDAttribute)
          Creates a new access manager to use for protecting access to the administrative interface.
AccessManager(java.lang.String userDirectoryHost, int userDirectoryPort, java.lang.String userDirectoryBindDN, java.lang.String userDirectoryBindPW, java.lang.String userBaseDN, java.lang.String userIDAttribute, boolean useSSL, boolean userDirBlindTrust, java.lang.String sslKeyStore, java.lang.String sslKeyPassword, java.lang.String sslTrustStore, java.lang.String sslTrustPassword)
          Creates a new access manager to use for protecting access to the administrative interface.
 
Method Summary
 int authenticateClient(java.lang.String authID, java.lang.String authCredentials, java.lang.StringBuffer msgBuffer)
          Attempts to authenticate the client based on the provided information.
 void deregister(java.lang.String resourceName, boolean flushUserCache)
          Removes the specified resource from the set of protected resources for this access manager, optionally flushing the user cache in the process.
 void flushUserCache()
          Flushes the user cache, which means that information about a user and what he/she may access will be re-read from the user directory the next time the user accesses a protected area of the administrative interface.
 java.lang.String[] getAccessibleResources(java.lang.String userIdentifier)
          Retrieves the names of all the protected resources that the specified user may access.
 java.lang.String[][] getProtectedResources()
          Retrieves the set of protected resources for this access manager.
 boolean managerIsStopped()
          Indicates whether this access manager has been stopped.
 boolean mayAccess(java.lang.String userIdentifier, java.lang.String resourceName)
          Indicates whether the specified user may access the indicated resource.
 void register(java.lang.String resourceName, java.lang.String resourceDN, boolean flushUserCache)
          Registers the specified resource as one that is protected by this access manager.
 void startAccessManager()
          Starts the access manager.
 void stopAccessManager()
          Closes the connection to the user directory and stops the access manager.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AccessManager

public AccessManager(java.lang.String userDirectoryHost,
                     int userDirectoryPort,
                     java.lang.String userDirectoryBindDN,
                     java.lang.String userDirectoryBindPW,
                     java.lang.String userBaseDN,
                     java.lang.String userIDAttribute)
Creates a new access manager to use for protecting access to the administrative interface. Note that the manager will not be started, so it is necessary to call the startAccessMananager to start it.

Parameters:
userDirectoryHost - The address of the user directory.
userDirectoryPort - The port number of the user directory.
userDirectoryBindDN - The DN to use to bind to the user directory.
userDirectoryBindPW - The password for the user directory bind DN.
userBaseDN - The location in the user directory under which user entries may be found.
userIDAttribute - The name of the LDAP attribute that is used as the login ID.

AccessManager

public AccessManager(java.lang.String userDirectoryHost,
                     int userDirectoryPort,
                     java.lang.String userDirectoryBindDN,
                     java.lang.String userDirectoryBindPW,
                     java.lang.String userBaseDN,
                     java.lang.String userIDAttribute,
                     boolean useSSL,
                     boolean userDirBlindTrust,
                     java.lang.String sslKeyStore,
                     java.lang.String sslKeyPassword,
                     java.lang.String sslTrustStore,
                     java.lang.String sslTrustPassword)
Creates a new access manager to use for protecting access to the administrative interface. Note that the manager will not be started, so it is necessary to call the startAccessMananager to start it.

Parameters:
userDirectoryHost - The address of the user directory.
userDirectoryPort - The port number of the user directory.
userDirectoryBindDN - The DN to use to bind to the user directory.
userDirectoryBindPW - The password for the user directory bind DN.
userBaseDN - The location in the user directory under which user entries may be found.
userIDAttribute - The name of the LDAP attribute that is used as the login ID.
useSSL - Indicates whether the communication with the user directory should use SSL.
userDirBlindTrust - Indicates whether the SLAMD server should blindly trust any SSL certificate presented by the user directory.
sslKeyStore - The location of the JSSE key store to be used for SSL communication.
sslKeyPassword - The password to access the JSSE key store.
sslTrustStore - The location of the JSSE trust store to be used for SSL communication.
sslTrustPassword - The password to access the JSSE trust store.
Method Detail

startAccessManager

public void startAccessManager()
                        throws netscape.ldap.LDAPException
Starts the access manager. If it is already running, then this does nothing. Otherwise, it establishes the connection to the user directory and configures recreates the user cache.

Throws:
netscape.ldap.LDAPException - If there is a problem establishing the connection to the user directory.

stopAccessManager

public void stopAccessManager()
Closes the connection to the user directory and stops the access manager. Note that when the access manager is stopped, any requests to the access manager will indicate that no access is allowed to anything.

managerIsStopped

public boolean managerIsStopped()
Indicates whether this access manager has been stopped.

Returns:
true if the access manager is stopped, or false if it is running.

register

public void register(java.lang.String resourceName,
                     java.lang.String resourceDN,
                     boolean flushUserCache)
Registers the specified resource as one that is protected by this access manager. If the specified resource is already defined, then this will assign it to the new resource DN. If specified, it will also flush the user cache (which is necessary for users whose information is cached to be able to access this new protected resource).

Parameters:
resourceName - The name associated with this protected resource.
resourceDN - The DN of the entry in the user directory that will be used to determine whether users may access this resource.
flushUserCache - Indicates whether the user cache should be flushed in the process of adding this controlled resource.

deregister

public void deregister(java.lang.String resourceName,
                       boolean flushUserCache)
Removes the specified resource from the set of protected resources for this access manager, optionally flushing the user cache in the process.

Parameters:
resourceName - The name of the protected resource to be
flushUserCache - Indicates whether the user cache should be flushed in the process of removing the controlled resource.

getProtectedResources

public java.lang.String[][] getProtectedResources()
Retrieves the set of protected resources for this access manager. The first element of each set will be the resource name and the second will be the associated entry DN.

Returns:
The set of protected resources for this access manager.

flushUserCache

public void flushUserCache()
Flushes the user cache, which means that information about a user and what he/she may access will be re-read from the user directory the next time the user accesses a protected area of the administrative interface.

getAccessibleResources

public java.lang.String[] getAccessibleResources(java.lang.String userIdentifier)
                                          throws AccessDeniedException,
                                                 netscape.ldap.LDAPException
Retrieves the names of all the protected resources that the specified user may access.

Parameters:
userIdentifier - The ID of the user for which to retrieve the names of the accessible resources.
Returns:
The names of all the protected resources that the specified user may access. If no information is known about the specified user, then null is returned.
Throws:
AccessDeniedException - If it is necessary to go to the user directory to retrieve information for this user but the user entry could not be found.
netscape.ldap.LDAPException - If it is necessary to go to the user directory to retrieve the information for this user and a problem occurs while doing so.

mayAccess

public boolean mayAccess(java.lang.String userIdentifier,
                         java.lang.String resourceName)
                  throws AccessDeniedException,
                         netscape.ldap.LDAPException
Indicates whether the specified user may access the indicated resource.

Parameters:
userIdentifier - The ID of the user for which to make the determination.
resourceName - The name of the resource for which to check access permissions.
Returns:
true if the user may access the indicated resource, or false if not or if the manager is stopped.
Throws:
AccessDeniedException - If it is necessary to go to the user directory to retrieve information for this user but the user entry could not be found.
netscape.ldap.LDAPException - If it is necessary to go to the user directory to retrieve the information for this user and a problem occurs while doing so.

authenticateClient

public int authenticateClient(java.lang.String authID,
                              java.lang.String authCredentials,
                              java.lang.StringBuffer msgBuffer)
Attempts to authenticate the client based on the provided information.

Parameters:
authID - The authentication ID provided by the client.
authCredentials - The credentials provided by the client.
msgBuffer - The string buffer in which an explanation will be placed in the event of a failure.
Returns:
The result code from the authentication process.
Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD