org.globus.gridshib.gt.authorization
Class ClassicGridShibPDPImpl

java.lang.Object
  extended by org.globus.gridshib.gt.authorization.BasePDP
      extended by org.globus.gridshib.gt.authorization.ClassicGridShibPDPImpl
All Implemented Interfaces:
GridShibConfigParams, PDP, ShibbolethConstants

public class ClassicGridShibPDPImpl
extends BasePDP
implements ShibbolethConstants


Field Summary
 
Fields inherited from interface org.globus.gridshib.gt.authorization.ShibbolethConstants
ATTRIBUTE_MAP, ATTRIBUTE_MAP_KEY, CACHE_DEFAULT, DEFAULT_IDP_PROVIDER_ID, DEFAULT_SP_PROVIDER_ID, SAMLP_1_0, SAMLP_1_0_RESPONDER, SAMLP_1_0_SUCCESS, SAMLP_1_1, SAMLP_1_1_RESPONDER, SAMLP_1_1_SUCCESS, VOMS_PDP, VOMS_PIP
 
Fields inherited from interface org.globus.gridshib.gt.authorization.GridShibConfigParams
AA_INSTANCE_KEY, ALL_CONFIG_KEYS, ATTR_FILE_KEY, AUTHZ_HOST_KEY, BLACKLIST_IP_ADDRESSES_FILE_KEY, BLACKLIST_NAME_IDS_FILE_KEY, CACHE_KEY, CONSULT_GRIDMAP_KEY, DEFAULT_GRIDMAP, ENABLE_ATTRIBUTE_AUTHZ_KEY, ENABLE_ATTRIBUTE_MAPPING_KEY, ENABLE_ATTRIBUTE_QUERY_KEY, ENABLE_BLACKLISTING_KEY, IDP_PROVIDER_ID_KEY, MAP_FILE_KEY, METADATA_PATH_KEY, RESPECT_KEY, SAML_MAP_POLICY_KEY, SHIB_PDP_POLICY_KEY, SP_PROVIDER_ID_KEY, USE_VOMS
 
Constructor Summary
ClassicGridShibPDPImpl()
           
 
Method Summary
 void initialize(HashMap configs, String name)
          Loads policies, configures caching and initializes PIP.
 int isPermitted(Subject peerSubject, javax.xml.rpc.handler.MessageContext context, javax.xml.namespace.QName operation)
          Runs the masterPDP logic: optionally checks the DN ACL, optionally makes an AA query, then checks the attribute ACL.
 
Methods inherited from class org.globus.gridshib.gt.authorization.BasePDP
isInitialized
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ClassicGridShibPDPImpl

public ClassicGridShibPDPImpl()
Method Detail

initialize

public void initialize(HashMap configs,
                       String name)
                throws Exception
Loads policies, configures caching and initializes PIP.

If the configuration object contains a ShibbolethPDPPolicy, keyed by ShibbolethConstants.SHIB_PDP_POLICY_KEY, DN and attribute ACLs are not considered (even if settings for them are present in the configuration). The policy is therefore either managed by ACLs or held in memory (for instance, managed by a service that configures custom policies for itself or for particular resources).

The configuration object is also passed to the PIP that this PDP instantiates and initializes. See the SAMLQueryPIPImpl documentation for what is required to initialize the PIP correctly.

Required configurations:

Optional configurations:

Specified by:
initialize in interface PDP
Overrides:
initialize in class BasePDP
Parameters:
configs - object containing configuration parameters
name - String differentiates cache
Throws:
Exception - problem
See Also:
SAMLQueryPIPImpl.initialize(java.util.HashMap, String), ShibbolethPDPPolicy, ShibbolethConstants

isPermitted

public int isPermitted(Subject peerSubject,
                       javax.xml.rpc.handler.MessageContext context,
                       javax.xml.namespace.QName operation)
                throws Exception
Runs the masterPDP logic, which:
1. optionally checks the DN ACL
2. optionally makes an AA query
3. checks the Attribute ACL

Exceptions are only thrown in extreme circumstances. If misconfigured or if there are problems with the callout, exceptions are NOT generally thrown.

0. init
1. If a DN ACL is configured, the PDP first checks if the caller's DN is in the ACL. If so, it returns PERMIT to the container and the PDP is done.
2. If the DN ACL is not applicable, the cache flag is checked. If the cache flag is set to TRUE (the default is FALSE), assertions about the caller are queried.
3. If caching, if there are previously obtained assertions, a validity check is made on all assertions. If any single one is invalid, they are all discarded.
4. If caching and there are valid assertions, use these attributes instead of calling the PIP.
5. If 'respecting metadata attributes' and the attributes in the ACL can not be returned from the IdP, do not call the PIP.
6. If calling the PIP, do it now. If successful and valid assertions come back, parse out the attributes.
7. Compare the current information about the subject to the attribute ACL and return PERMIT/DENY accordingly.

Specified by:
isPermitted in interface PDP
Parameters:
peerSubject - subject object
context - msgCtx
operation - operation
Returns:
PDPDecision constant (int)
Throws:
Exception
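The decision flow documented for isPermitted above (DN ACL first, then cache validity, the metadata check, the PIP callout, and finally the attribute ACL comparison), modelled as a stand-alone Java class. This is an added example written for this page, not GridShib's ClassicGridShibPDPImpl or any of its types: the PERMIT/DENY values, the Assertion and AttributeSource types, the ACL shapes, the DENY outcome when the IdP cannot supply the needed attributes, and the "every ACL attribute must match at least one asserted value" rule are all assumptions made for the illustration.

```java
import java.util.*;

// Hypothetical stand-alone model of the isPermitted decision flow, written for this page.
// Not GridShib code: PERMIT/DENY, Assertion, AttributeSource and the ACL shapes are assumptions.
public class PdpFlowExample {
    public static final int PERMIT = 1;
    public static final int DENY = 0;

    // One assertion about a subject: attribute values plus an expiry instant (assumed shape).
    static final class Assertion {
        final Map<String, Set<String>> attributes;
        final long notOnOrAfterMillis;
        Assertion(Map<String, Set<String>> attributes, long notOnOrAfterMillis) {
            this.attributes = attributes;
            this.notOnOrAfterMillis = notOnOrAfterMillis;
        }
        boolean isValid(long now) { return now < notOnOrAfterMillis; }
    }

    // Stand-in for the PIP callout; returning null models a failed callout (no exception thrown).
    interface AttributeSource { List<Assertion> query(String callerDn); }

    private final Set<String> dnAcl;                      // empty means "no DN ACL configured"
    private final Map<String, Set<String>> attributeAcl;  // attribute name -> acceptable values
    private final Set<String> idpAdvertisedAttributes;    // null means "not respecting metadata"
    private final boolean cacheEnabled;
    private final AttributeSource pip;
    private final Map<String, List<Assertion>> cache = new HashMap<>();

    PdpFlowExample(Set<String> dnAcl, Map<String, Set<String>> attributeAcl,
                   Set<String> idpAdvertisedAttributes, boolean cacheEnabled, AttributeSource pip) {
        this.dnAcl = dnAcl; this.attributeAcl = attributeAcl;
        this.idpAdvertisedAttributes = idpAdvertisedAttributes;
        this.cacheEnabled = cacheEnabled; this.pip = pip;
    }

    public int isPermitted(String callerDn, long now) {
        // 1. DN ACL: a listed DN is permitted without any attribute lookup.
        if (dnAcl.contains(callerDn)) return PERMIT;

        List<Assertion> assertions = null;
        // 2-4. Cache: reuse earlier assertions only if every one of them is still valid.
        if (cacheEnabled) {
            List<Assertion> cached = cache.get(callerDn);
            if (cached != null) {
                if (allValid(cached, now)) assertions = cached;
                else cache.remove(callerDn);  // one invalid assertion discards them all
            }
        }
        // 5. Respecting metadata: skip the callout if the IdP cannot supply what the ACL needs.
        if (assertions == null && idpAdvertisedAttributes != null
                && !idpAdvertisedAttributes.containsAll(attributeAcl.keySet())) {
            return DENY;  // assumption: nothing usable to compare against, so DENY
        }
        // 6. PIP callout: a failed or invalid response yields DENY rather than an exception.
        if (assertions == null) {
            List<Assertion> fresh = pip.query(callerDn);
            if (fresh == null || !allValid(fresh, now)) return DENY;
            assertions = fresh;
            if (cacheEnabled) cache.put(callerDn, fresh);
        }
        // 7. Attribute ACL: every ACL attribute must be matched by at least one asserted value
        //    (assumed matching rule; the page does not spell it out).
        Map<String, Set<String>> subjectAttrs = new HashMap<>();
        for (Assertion a : assertions) {
            for (Map.Entry<String, Set<String>> e : a.attributes.entrySet()) {
                subjectAttrs.computeIfAbsent(e.getKey(), k -> new HashSet<>()).addAll(e.getValue());
            }
        }
        for (Map.Entry<String, Set<String>> rule : attributeAcl.entrySet()) {
            Set<String> overlap = new HashSet<>(subjectAttrs.getOrDefault(rule.getKey(), Set.of()));
            overlap.retainAll(rule.getValue());
            if (overlap.isEmpty()) return DENY;
        }
        return PERMIT;
    }

    private static boolean allValid(List<Assertion> list, long now) {
        for (Assertion a : list) if (!a.isValid(now)) return false;
        return true;
    }

    // Constructed scenario: one DN in the DN ACL, an affiliation-based attribute ACL, a fake PIP.
    public static void main(String[] args) {
        Set<String> dnAcl = new HashSet<>(List.of("/C=US/O=Example/CN=admin"));
        Map<String, Set<String>> attributeAcl = new HashMap<>();
        attributeAcl.put("eduPersonAffiliation", new HashSet<>(List.of("member", "staff")));
        Map<String, Set<String>> claimed = new HashMap<>();
        claimed.put("eduPersonAffiliation", new HashSet<>(List.of("member")));
        long now = 1_000_000L;
        boolean[] pipReachable = { true };
        AttributeSource fakePip = dn -> pipReachable[0] ? List.of(new Assertion(claimed, now + 60_000L)) : null;
        PdpFlowExample pdp = new PdpFlowExample(dnAcl, attributeAcl, null, true, fakePip);

        String alice = "/C=US/O=Example/CN=alice";
        System.out.println(pdp.isPermitted("/C=US/O=Example/CN=admin", now));  // decided by the DN ACL
        System.out.println(pdp.isPermitted(alice, now));                       // PIP queried, assertions cached
        pipReachable[0] = false;
        System.out.println(pdp.isPermitted(alice, now));                       // served from the cache
        System.out.println(pdp.isPermitted(alice, now + 120_000L));            // cache expired, callout fails
    }
}
```

The four calls in main walk the distinct paths: a DN ACL hit short-circuits everything, a fresh PIP query populates the cache, the cached assertions are reused when the callout is unavailable, and once they expire the discard-all rule from step 3 forces a new callout, whose failure results in DENY rather than an exception.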


Copyright © 2007-2008 University of Illinois. All Rights Reserved.