Class Permission
- java.lang.Object
  - org.apache.directory.fortress.core.model.FortEntity
    - org.apache.directory.fortress.core.model.Permission
- All Implemented Interfaces: Serializable
- Direct Known Subclasses: PermAnt
public class Permission extends FortEntity implements Serializable

All entities (User, Role, Permission, PwPolicy, SDSet, etc.) are used to carry data between three Fortress layers, starting with the (1) Manager layer, down through the middle (2) Process layer and its processing rules, into the (3) DAO layer where persistence with the LDAP server occurs.

Fortress Processing Layers
- Manager layer: AdminMgrImpl, AccessMgrImpl, ReviewMgrImpl, ...
- Process layer: org.apache.directory.fortress.core.impl.UserP, org.apache.directory.fortress.core.impl.RoleP, org.apache.directory.fortress.core.impl.PermP, ...
- DAO layer: org.apache.directory.fortress.core.impl.UserDAO, org.apache.directory.fortress.core.impl.RoleDAO, org.apache.directory.fortress.core.impl.PermDAO, ...
For example, this entity requires the setObjName(java.lang.String) and setOpName(java.lang.String) attributes to be set before it is passed into AccessMgrImpl APIs. Create methods usually require more attributes (than Read) due to constraints enforced between entities.

Permission entity attribute usages include
- setObjName(java.lang.String) and setOpName(java.lang.String) attributes set before calling AccessMgrImpl.checkAccess(Session, Permission).
- getRoles() may be set after calling ReviewMgrImpl.readPermission(Permission) or AccessMgrImpl.sessionPermissions(Session).
- getUsers() may be set after calling ReviewMgrImpl.readPermission(Permission) or AccessMgrImpl.sessionPermissions(Session).
More Permission entity notes
- The unique key to locate a Permission entity (which is required for all authZ requests) is objName and opName.
- The Permission entity is used to target function points within computer programs needing authorization. This permission model allows a one-to-many relationship between the objects (PermObj) and operations (Permission).
- The object to operation pairings enable application resources to be mapped to Fortress permissions in a way that is natural for object oriented programming.
- Permissions = Object (PermObj) 1-* Operations (Permission)
- Permissions in Fortress may also be assigned directly to users.
- Objects (objName), Operations (opName), Roles (roles) and Users (users) are not case sensitive for reads or searches.
The application entity that requires authorization will be mapped to the PermObj entity and the application's methods or operation names will be mapped to Permission entities. For example, the application entity 'ShoppingCart' has 5 operations - 'create', 'read', 'update', 'delete' and 'checkout'. The following code will create the permissions and perform the necessary grants.

    try
    {
        // Instantiate the AdminMgr first
        AdminMgr adminMgr = AdminMgrFactory.createInstance();

        // Now instantiate the Object
        PermObj shoppingCart = new PermObj("ShoppingCart", "KillerBikes.com");

        // Add it to the directory
        adminMgr.addPermObj(shoppingCart);

        // Now create the permission operations and grant to applicable roles:
        Permission create = new Permission(shoppingCart.getObjName(), "create");
        adminMgr.addPermission(create);
        adminMgr.grantPermission(create, new Role("Customer"));

        Permission read = new Permission(shoppingCart.getObjName(), "read");
        adminMgr.addPermission(read);
        adminMgr.grantPermission(read, new Role("Customer"));

        Permission update = new Permission(shoppingCart.getObjName(), "update");
        adminMgr.addPermission(update);
        adminMgr.grantPermission(update, new Role("Admin"));

        Permission delete = new Permission(shoppingCart.getObjName(), "delete");
        adminMgr.addPermission(delete);
        adminMgr.grantPermission(delete, new Role("Manager"));

        Permission checkout = new Permission(shoppingCart.getObjName(), "checkout");
        adminMgr.addPermission(checkout);
        // Grant the checkout operation (not delete) to Customer, as the notes below describe
        adminMgr.grantPermission(checkout, new Role("Customer"));
    }
    catch (SecurityException ex)
    {
        // log or throw
    }
Notes on the shopping cart example
- Users that activate the 'Manager' role into their Sessions will be allowed access to the 'ShoppingCart.delete' permission. Users that activate the 'Admin' role may perform 'ShoppingCart.update'.
- Users with the 'Customer' role may perform 'ShoppingCart.create', 'ShoppingCart.read' and 'ShoppingCart.checkout'. Roles must exist in ldap before assignment here, see the javadoc for Role for details.
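As an added example (not code from the Fortress Javadoc), this is the checking side of the shopping cart grants above: a Session is created for a user, each ShoppingCart operation is tested with checkAccess using a fully keyed Permission (objName plus opName), and the permissions returned by sessionPermissions are listed. Assumed: AccessMgrFactory.createInstance() returns an AccessMgr, the User(userId, password) constructor and the createSession(User, boolean) signature, and the constructed user id 'bob'.

```java
import java.util.List;
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;

public class ShoppingCartAuthzCheck
{
    // Every authZ request needs the unique key: objName AND opName.
    private static final String OBJ = "ShoppingCart";
    private static final String[] OPS = { "create", "read", "update", "delete", "checkout" };

    public static void main( String[] args )
    {
        try
        {
            // Assumption: the factory returns the configured AccessMgr implementation.
            AccessMgr accessMgr = AccessMgrFactory.createInstance();

            // Constructed sample user; 'false' means authenticate with the supplied
            // password rather than create a trusted (pre-authenticated) session.
            Session session = accessMgr.createSession( new User( "bob", "password" ), false );

            // Check each operation with a Permission keyed by objName + opName.
            // abstractName is generated by the DAO, so print the key we built instead.
            for ( String op : OPS )
            {
                Permission perm = new Permission( OBJ, op );
                boolean allowed = accessMgr.checkAccess( session, perm );
                System.out.println( OBJ + "." + op + " -> " + ( allowed ? "ALLOW" : "DENY" ) );
            }

            // sessionPermissions returns every permission the session's active roles
            // grant; the returned entities carry their roles collections.
            List<Permission> perms = accessMgr.sessionPermissions( session );
            for ( Permission p : perms )
            {
                System.out.println( p.getObjName() + "." + p.getOpName()
                    + " via roles " + p.getRoles() );
            }
        }
        catch ( SecurityException ex )
        {
            // Authentication or lookup failure: treat as deny and record it.
            System.err.println( "authZ failed: " + ex.getMessage() );
        }
    }
}
```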
Permission Schema
This Permission entity extends a single standard ldap structural object class, organizationalRole, with one extension structural class, ftOperation, and two auxiliary object classes, ftProperties and ftMods. The following 3 LDAP object classes will be mapped into this entity:

1. ftOperation STRUCTURAL Object Class is assigned roles and/or users which grant permissions that can be later checked using either the 'checkAccess' or 'sessionPermissions' APIs, both methods that reside in the 'AccessMgrImpl' class.

    ------------------------------------------
    Fortress Operation Structural Object Class
    objectclass ( 1.3.6.1.4.1.38088.2.3
        NAME 'ftOperation'
        DESC 'Fortress Permission Operation Structural Object Class'
        SUP organizationalrole
        STRUCTURAL
        MUST ( ftId $ ftPermName $ ftObjNm $ ftOpNm )
        MAY ( ftObjId $ ftRoles $ ftUsers $ ftType ) )
    ------------------------------------------

2. ftProperties AUXILIARY Object Class is used to store optional client or otherwise custom name/value pairs on the target entity.

    # This aux object class can be used to store custom attributes.
    # The properties collections consist of name/value pairs and are not constrained by Fortress.
    ------------------------------------------
    AC2: Fortress Properties Auxiliary Object Class
    objectclass ( 1.3.6.1.4.1.38088.3.2
        NAME 'ftProperties'
        DESC 'Fortress Properties AUX Object Class'
        AUXILIARY
        MAY ( ftProps ) )
    ------------------------------------------

3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on the target entity.

    ------------------------------------------
    Fortress Audit Modification Auxiliary Object Class
    objectclass ( 1.3.6.1.4.1.38088.3.4
        NAME 'ftMods'
        DESC 'Fortress Modifiers AUX Object Class'
        AUXILIARY
        MAY ( ftModifier $ ftModCode $ ftModId ) )
    ------------------------------------------
- Author: Apache Directory Project
- See Also: Serialized Form
Field Summary
- Fields inherited from class org.apache.directory.fortress.core.model.FortEntity: adminSession, contextId, modCode, modId, sequenceId

Constructor Summary
- Permission() - Default constructor is used by internal Fortress classes and not intended for external use.
- Permission(String objName) - Constructor is used for APIs that do not require opName, for example ARBAC canGrant/canRevoke.
- Permission(String objName, String opName) - This constructor is commonly used to create a Permission that is a target for an authorization API.
- Permission(String objName, String opName, boolean admin) - This constructor adds the admin flag which is used to process as an Administrative permission.
- Permission(String objName, String opName, String objId) - This constructor adds the objId which is used for creating Permissions that have an identity.
Method Summary
All Methods, Instance Methods, Concrete Methods
- void addProperties(Properties props) - Add a new collection of name/value pairs to the attributes associated with the Permission.
- void addProperty(String key, String value) - Add a name/value pair to the list of properties associated with the Permission.
- void delRole(String role) - Delete a Role name from the list of Roles that are valid for this Permission.
- boolean equals(Object o) - Matches the objName, opName and objId from two Permission entities.
- String getAbstractName() - Return the Permission's abstract name, which is the value of objName concatenated with opName, i.e. 'Patient.checkin'.
- String getDescription() - Return the description field on this entity.
- String getDn()
- String getInternalId() - Return the internal id that is associated with the Permission.
- String getObjId() - Get the optional objId attribute which can be used to tag a Permission object with an identity, i.e. objName='Customer', objId='12345'.
- String getObjName() - Get the authorization target's object name.
- String getOpName() - Get the Permission operation name.
- Set<String> getPaSets()
- Properties getProperties() - Return the collection of name/value pairs to attributes associated with the Permission.
- String getProperty(String key) - Get a name/value pair attribute from the list of properties associated with the Permission.
- Props getProps() - Gets the value of the Props property.
- Set<String> getRoles() - Return the collection of optional Roles that have been loaded into this entity.
- String getType() - Get the optional type name which is an unconstrained attribute on the Permission entity.
- Set<String> getUsers() - Return the collection of optional Users that have been loaded into this entity.
- int hashCode()
- boolean isAdmin() - Determine if this Permission is for RBAC or ARBAC processing.
- void setAbstractName(String abstractName) - Set the Permission's abstract name, which is the value of objName concatenated with opName, i.e. 'Patient.checkin'.
- void setAdmin(boolean admin) - Set will determine if this Permission is for RBAC or ARBAC processing.
- void setDescription(String description) - Set the optional description field on this entity.
- void setDn(String dn)
- void setInternalId() - This attribute is required but is set automatically by the Fortress DAO class before the object is persisted to ldap.
- void setInternalId(String internalId) - Set the internal id that is associated with the Permission.
- void setObjId(String objId) - Set the optional objId which can be used to tag a Permission object with an identity, i.e. objName='Account', objId='09876543'.
- void setObjName(String objName) - This attribute is required and sets the authorization target object name.
- void setOpName(String opName) - Set the Permission operation name.
- void setPaSetName(String paSet)
- void setPaSets(Set<String> paSets)
- void setProps(Props value) - Sets the value of the Props property.
- void setRole(String role) - Add a Role name to the list of Roles that are valid for this Permission.
- void setRoles(Set<String> roles) - Set the collection of optional Roles that have been loaded into this entity.
- void setType(String type) - Set the optional type name which is an unconstrained attribute on the Permission entity.
- void setUser(String user) - Add a UserId to the list of Users that are valid for this Permission.
- void setUsers(Set<String> users) - Set the collection of optional Users that have been loaded into this entity.
- String toString()
- Methods inherited from class org.apache.directory.fortress.core.model.FortEntity: getAdminSession, getContextId, getModCode, getModId, getSequenceId, setAdminSession, setContextId, setModCode, setSequenceId
Constructor Detail

- Permission
  public Permission(String objName, String opName)
  This constructor is commonly used to create a Permission that is a target for an authorization API.
  Parameters:
  - objName - maps to 'ftObjNm' attribute in 'ftOperation' object class.
  - opName - maps to 'ftOpNm' attribute in 'ftOperation' object class.

- Permission
  public Permission()
  Default constructor is used by internal Fortress classes and not intended for external use.

- Permission
  public Permission(String objName)
  Constructor is used for APIs that do not require opName, for example ARBAC canGrant/canRevoke.
  Parameters:
  - objName - maps to 'ftObjNm' attribute in 'ftOperation' object class.

- Permission
  public Permission(String objName, String opName, String objId)
  This constructor adds the objId which is used for creating Permissions that have an identity.
  Parameters:
  - objName - maps to 'ftObjNm' attribute in 'ftOperation' object class.
  - opName - maps to 'ftOpNm' attribute in 'ftOperation' object class.
  - objId - maps to 'ftObjId' attribute in 'ftOperation' object class.

- Permission
  public Permission(String objName, String opName, boolean admin)
  This constructor adds the admin flag which is used to process as an Administrative permission.
  Parameters:
  - objName - maps to 'ftObjNm' attribute in 'ftOperation' object class.
  - opName - maps to 'ftOpNm' attribute in 'ftOperation' object class.
  - admin - attribute is used to specify that the Permission is to be stored and processed in the Administrative RBAC data sets.
Method Detail

- isAdmin
  public boolean isAdmin()
  Determine if this Permission is for RBAC or ARBAC processing.
  Returns:
  - 'true' indicates an administrative permission.

- setAdmin
  public void setAdmin(boolean admin)
  Set will determine if this Permission is for RBAC or ARBAC processing.
  Parameters:
  - admin - contains 'true' if ARBAC permission.

- setInternalId
  public void setInternalId()
  This attribute is required but is set automatically by the Fortress DAO class before the object is persisted to ldap. This generated internal id is associated with the Permission. This method is used by the DAO class and is not available to outside classes. The generated attribute maps to 'ftId' in 'ftOperation' object class.

- setInternalId
  public void setInternalId(String internalId)
  Set the internal id that is associated with the Permission. This method is used by the DAO class and the value is generated automatically by Fortress. The attribute stored in LDAP cannot be changed by an external caller. This method can be used by a client for search purposes only.
  Parameters:
  - internalId - maps to 'ftId' in 'ftObject' object class.

- getInternalId
  public String getInternalId()
  Return the internal id that is associated with the Permission. This attribute is generated automatically by Fortress when a new PermObj is added to the directory and is not known or changeable by an external client.
  Returns:
  - attribute maps to 'ftId' in 'ftOperation' object class.

- getOpName
  public String getOpName()
  Get the Permission operation name. This is used to specify the method name, i.e. Create, Read, Update, Delete, ...
  Returns:
  - opName maps to 'ftOpNm' attribute in 'ftOperation' object class.

- setOpName
  public void setOpName(String opName)
  Set the Permission operation name. This is used to specify the method name, i.e. Create, Read, Update, Delete, ...
  Parameters:
  - opName - maps to 'ftOpNm' attribute in 'ftOperation' object class.

- getObjName
  public String getObjName()
  Get the authorization target's object name. This is typically mapped to the class name for the component that is the target of the Fortress authorization check. For example 'PatientRelationshipInquire'.
  Returns:
  - the name of the object which maps to 'ftObjNm' attribute in 'ftOperation' object class.

- setObjName
  public void setObjName(String objName)
  This attribute is required and sets the authorization target object name. This name is typically derived from the class name for the component that is the target of the Fortress authorization check. For example 'CustomerCheckOutPage'.
  Parameters:
  - objName - The target object name

- getAbstractName
  public String getAbstractName()
  Return the Permission's abstract name, which is the value of objName concatenated with opName, i.e. 'Patient.checkin'. This value is automatically generated by the Fortress DAO class.
  Returns:
  - abstractName maps to 'ftPermName' attribute in 'ftOperation' object class.

- setAbstractName
  public void setAbstractName(String abstractName)
  Set the Permission's abstract name, which is the value of objName concatenated with opName, i.e. 'Patient.checkin'. This value is automatically generated by the Fortress DAO class and will be ignored if set by an external client.
  Parameters:
  - abstractName - maps to 'ftPermName' attribute in 'ftOperation' object class.

- getType
  public String getType()
  Get the optional type name which is an unconstrained attribute on the Permission entity.
  Returns:
  - type maps to 'ftType' attribute in 'ftOperation' object class.

- setType
  public void setType(String type)
  Set the optional type name which is an unconstrained attribute on the Permission entity.
  Parameters:
  - type - maps to 'ftType' attribute in 'ftOperation' object class.

- getObjId
  public String getObjId()
  Get the optional objId attribute which can be used to tag a Permission object with an identity, i.e. objName='Customer', objId='12345'. This value is not constrained by any other object.
  Returns:
  - maps to 'ftObjectId' attribute in 'ftOperation' object class.

- setObjId
  public void setObjId(String objId)
  Set the optional objId which can be used to tag a Permission object with an identity, i.e. objName='Account', objId='09876543'. This value is not constrained by any other object.
  Parameters:
  - objId - maps to 'ftObjectId' attribute in 'ftOperation' object class.

- setRole
  public void setRole(String role)
  Add a Role name to the list of Roles that are valid for this Permission. This is an optional attribute.
  Parameters:
  - role - maps to 'ftRoles' attribute in 'ftOperation' object class.

- delRole
  public void delRole(String role)
  Delete a Role name from the list of Roles that are valid for this Permission.
  Parameters:
  - role - maps to 'ftRoles' attribute in 'ftOperation' object class.

- getRoles
  public Set<String> getRoles()
  Return the collection of optional Roles that have been loaded into this entity. This is stored as a multi-occurring attribute of Role names on the 'ftOperation' object class.
  Returns:
  - Set containing the roles which maps to 'ftRoles' attribute in 'ftOperation' object class.

- setRoles
  public void setRoles(Set<String> roles)
  Set the collection of optional Roles that have been loaded into this entity. This is stored as a multi-occurring attribute of Role names on the 'ftOperation' object class.
  Parameters:
  - roles - maps to 'ftRoles' attribute in 'ftOperation' object class.

- setUser
  public void setUser(String user)
  Add a UserId to the list of Users that are valid for this Permission. This is an optional attribute.
  Parameters:
  - user - maps to 'ftUsers' attribute in 'ftOperation' object class.

- getUsers
  public Set<String> getUsers()
  Return the collection of optional Users that have been loaded into this entity. This is stored as a multi-occurring attribute of ftUsers on the 'ftOperation' object class.
  Returns:
  - Set containing the Users which maps to 'ftUsers' attribute in 'ftOperation' object class.

- setUsers
  public void setUsers(Set<String> users)
  Set the collection of optional Users that have been loaded into this entity. This is stored as a multi-occurring attribute of userIds on the 'ftOperation' object class.
  Parameters:
  - users - maps to 'ftUsers' attribute in 'ftOperation' object class.

- getDn
  public String getDn()

- setDn
  public void setDn(String dn)

- getDescription
  public String getDescription()
  Return the description field on this entity. The description is often used as a human readable label for the permission.
  Returns:
  - String containing the description.

- setDescription
  public void setDescription(String description)
  Set the optional description field on this entity. The description is used as a human readable label for the permission.
  Parameters:
  - description - String containing the description.

- getProps
  public Props getProps()
  Gets the value of the Props property. This method is used by Fortress Core and Rest and should not be called by external programs.
  Returns:
  - possible object is Props

- setProps
  public void setProps(Props value)
  Sets the value of the Props property. This method is used by Fortress Core and Rest and should not be called by external programs.
  Parameters:
  - value - allowed object is Props

- addProperty
  public void addProperty(String key, String value)
  Add a name/value pair to the list of properties associated with the Permission. These values are not constrained by Fortress. Properties are optional.
  Parameters:
  - key - contains the property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
  - value - The property value

- getProperty
  public String getProperty(String key)
  Get a name/value pair attribute from the list of properties associated with the Permission. These values are not constrained by Fortress. Properties are optional.
  Parameters:
  - key - contains the property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
  Returns:
  - value of the name/value pair that maps to 'ftProps' attribute in 'ftProperties' aux object class.

- addProperties
  public void addProperties(Properties props)
  Add a new collection of name/value pairs to the attributes associated with the Permission. These values are not constrained by Fortress. Properties are optional.
  Parameters:
  - props - contains a collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.

- getProperties
  public Properties getProperties()
  Return the collection of name/value pairs to attributes associated with the Permission. These values are not constrained by Fortress. Properties are optional.
  Returns:
  - Properties containing the collection of name/value pairs that maps to 'ftProps' attribute in 'ftProperties' aux object class.

- equals
  public boolean equals(Object o)
  Matches the objName, opName and objId from two Permission entities.

- setPaSetName
  public void setPaSetName(String paSet)