org.globus.gridshib.gt.authorization
Class SAMLBlacklistPDPImpl
java.lang.Object
org.globus.gridshib.gt.authorization.BasePDP
org.globus.gridshib.gt.authorization.SAMLBlacklistPDPImpl
- All Implemented Interfaces:
- GridShibConfigParams, PDP
public class SAMLBlacklistPDPImpl
- extends BasePDP
- implements GridShibConfigParams
A blacklisting PDP implementation that backs
SAMLBlacklistPDP.
- See Also:
SAMLBlacklistPDP
Fields inherited from interface org.globus.gridshib.gt.authorization.GridShibConfigParams
AA_INSTANCE_KEY, ALL_CONFIG_KEYS, ATTR_FILE_KEY, AUTHZ_HOST_KEY, BLACKLIST_IP_ADDRESSES_FILE_KEY, BLACKLIST_NAME_IDS_FILE_KEY, CACHE_KEY, CONSULT_GRIDMAP_KEY, DEFAULT_GRIDMAP, ENABLE_ATTRIBUTE_AUTHZ_KEY, ENABLE_ATTRIBUTE_MAPPING_KEY, ENABLE_ATTRIBUTE_QUERY_KEY, ENABLE_BLACKLISTING_KEY, IDP_PROVIDER_ID_KEY, MAP_FILE_KEY, METADATA_PATH_KEY, RESPECT_KEY, SAML_MAP_POLICY_KEY, SHIB_PDP_POLICY_KEY, SP_PROVIDER_ID_KEY, USE_VOMS
Method Summary
void initialize(HashMap configs, String name)
    Loads one or more blacklists.
int isPermitted(Subject peerSubject, javax.xml.rpc.handler.MessageContext context, javax.xml.namespace.QName operation)
    If blacklisting is not enabled, this method short circuits and returns PDPDecision.NOT_APPLICABLE.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
SAMLBlacklistPDPImpl
public SAMLBlacklistPDPImpl()
initialize
public void initialize(HashMap configs,
String name)
throws Exception
- Loads one or more blacklists. If no blacklist
is configured, this method disables blacklisting.
- Specified by:
initialize in interface PDP
- Overrides:
initialize in class BasePDP
- Parameters:
configs - a (non-null) map of configuration parameters
name - the scope prefix associated with this PDP implementation
- Throws:
IllegalArgumentException - If the configs argument is null
RuntimeException - If blacklisting is enabled but no blacklist
is configured or the path to the blacklist
is not an absolute path
org.globus.gridshib.common.LoadException - If unable to get a StringSetFile
instance, presumably because the file resource
could not be loaded
Exception
isPermitted
public int isPermitted(Subject peerSubject,
javax.xml.rpc.handler.MessageContext context,
javax.xml.namespace.QName operation)
throws Exception
- If blacklisting is not enabled, this method short circuits
and returns
PDPDecision.NOT_APPLICABLE.
If blacklisting is enabled, this method returns
PDPDecision.DENY if any of the following
conditions are met:
- the subject's security context contains a
SAMLAuthnContext instance that asserts an
IP address that is on the blacklist of IP addresses
- the subject's security context contains a
SAMLPrincipal instance
that is on the blacklist of name identifiers
- the subject's security context contains a
GlobusPrincipal instance
that is on the blacklist of name identifiers
If none of the above conditions is satisfied, this
method returns PDPDecision.INDETERMINATE.
Note that this method never returns
PDPDecision.PERMIT.
A blacklist is a dynamic file-based resource.
Every time the file is accessed, this method determines
if the file was modified since it was last loaded.
If the file is dirty, this method reloads the file
before accessing it. If the file cannot be reloaded
(because of a syntax error, for example), this method logs
an error message and returns
PDPDecision.INDETERMINATE.
- Specified by:
isPermitted in interface PDP
- Parameters:
peerSubject - the authenticated subject
context - the message context
operation - the requested operation
- Throws:
IllegalArgumentException - If either the peerSubject argument
or the context argument is null
Exception
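The decision logic documented for isPermitted above, modelled in Python as an added illustration (this is not GridShib's code). It assumes a stand-in StringSetFile that treats one entry per line with '#' comments and rejects entries containing whitespace as a syntax error, represents the subject's security context as a dict, and treats "no blacklist configured" as blacklisting disabled, per the initialize description.

```python
import logging, os, pathlib, tempfile
from enum import Enum

class PDPDecision(Enum):                      # the four decision constants named on the page
    PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = range(4)

class StringSetFile:                          # stand-in for GridShib's StringSetFile (one entry per line, '#' comments)
    def __init__(self, path):
        self.path, self.mtime, self.entries = path, None, frozenset()
    def load(self):
        mtime = os.stat(self.path).st_mtime_ns
        if mtime != self.mtime:               # file is dirty: reload it before use
            lines = [l.strip() for l in pathlib.Path(self.path).read_text(encoding="utf-8").splitlines()]
            entries = {l for l in lines if l and not l.startswith("#")}
            if any(" " in e for e in entries):  # constructed syntax rule for this model
                raise ValueError(f"{self.path}: malformed entry (embedded whitespace)")
            self.entries, self.mtime = frozenset(entries), mtime
        return self.entries

class BlacklistPDP:                           # model of SAMLBlacklistPDPImpl.isPermitted; never returns PERMIT
    def __init__(self, ip_file=None, name_id_file=None):
        self.lists = [StringSetFile(p) if p else None for p in (ip_file, name_id_file)]
    def is_permitted(self, subject):
        # subject: {'authn_ip': IP asserted by the SAMLAuthnContext, 'principals': SAMLPrincipal/GlobusPrincipal name ids}
        if not any(self.lists):               # nothing configured: blacklisting disabled (see initialize)
            return PDPDecision.NOT_APPLICABLE
        try:
            ips, names = [lst.load() if lst else frozenset() for lst in self.lists]
        except (OSError, ValueError) as err:   # dirty file could not be reloaded: log and stay undecided
            logging.getLogger("pdp").error("blacklist reload failed: %s", err)
            return PDPDecision.INDETERMINATE
        if subject.get("authn_ip") in ips or any(n in names for n in subject.get("principals", ())):
            return PDPDecision.DENY
        return PDPDecision.INDETERMINATE       # not blacklisted, but this PDP never permits

def _write(path, text, mtime_ns):             # explicit mtime keeps the dirty check deterministic
    pathlib.Path(path).write_text(text, encoding="utf-8")
    os.utime(path, ns=(mtime_ns, mtime_ns))

def demo():                                   # constructed walk-through; returns the decision names in order
    with tempfile.TemporaryDirectory() as tmp:
        ips, names = os.path.join(tmp, "ips.txt"), os.path.join(tmp, "names.txt")
        _write(ips, "# constructed IP blacklist\n192.0.2.10\n", 10**9)
        _write(names, "mallory@example.org\n", 10**9)
        pdp, alice = BlacklistPDP(ips, names), {"principals": ["alice"]}
        d1 = pdp.is_permitted({"authn_ip": "192.0.2.10", "principals": ["alice"]})  # DENY: asserted IP listed
        d2 = pdp.is_permitted(alice)                                                 # INDETERMINATE: no match
        _write(names, "alice\n", 2 * 10**9)                                          # operator edits the file
        d3 = pdp.is_permitted(alice)                                                 # DENY: hot-reloaded name id
        _write(names, "bad entry\n", 3 * 10**9)                                      # edit introduces a syntax error
        d4 = pdp.is_permitted(alice)                                                 # INDETERMINATE: reload failed
        d5 = BlacklistPDP().is_permitted(alice)                                      # NOT_APPLICABLE: disabled
    return [d.name for d in (d1, d2, d3, d4, d5)]
```

Note that a failed reload leaves the previously loaded set cached, so the next call retries the reload rather than silently using stale entries.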
Copyright © 2007-2008 University of Illinois. All Rights Reserved.