com.metamatrix.platform.security.authorization.service
Class AuthorizationServiceImpl

java.lang.Object
  extended by com.metamatrix.platform.service.controller.AbstractService
      extended by com.metamatrix.platform.security.authorization.service.AuthorizationServiceImpl
All Implemented Interfaces:
EventObjectListener, AuthorizationServiceInterface, ServiceInterface, java.util.EventListener

public class AuthorizationServiceImpl
extends AbstractService
implements AuthorizationServiceInterface

The Authorization Service is responsible for handling requests to determine whether a Principal is entitled to perform a given action on a given resource or set of resources.

Administration of the Authorization policies (creating/destroying Policies, adding/deleting Principals and Permissions) is available to Principals that have the proper administrative role.


Field Summary
protected  AuthorizationCache authorizationCache
           
protected  MembershipServiceInterface membershipServiceProxy
           
 
Fields inherited from interface com.metamatrix.platform.security.api.service.AuthorizationServiceInterface
NAME
 
Fields inherited from interface com.metamatrix.platform.service.api.ServiceInterface
WAIT_TO_DIE_TIME
 
Constructor Summary
AuthorizationServiceImpl()
           
 
Method Summary
 boolean checkAccess(SessionToken sessionToken, java.lang.String contextName, AuthorizationPermission request)
          Return whether the specified account has authorization to access the specified resource.
 boolean checkAccess(SessionToken sessionToken, java.lang.String contextName, AuthorizationPermission request, boolean fetchDependants)
          Return whether the specified account has authorization to access the specified resource and all its dependant resources.
protected  void closeService()
          Close the service to new work if applicable.
 boolean containsPolicy(SessionToken caller, AuthorizationPolicyID policyID)
          Return whether there is an existing policy with the specified ID.
 java.util.Set executeTransaction(SessionToken administrator, java.util.List actions)
          Execute as a single transaction with the specified actions, and return the set of IDs for the objects that were affected/modified by the action.
 PermissionDataNode fillPermissionNodeTree(PermissionDataNode root, AuthorizationPolicyID policyID)
          Takes a tree of PermissionDataNodeImpls that have their Resources filled in and fills in all permissions on resources that are found in the given AuthorizationPolicyID.

If any permissions are found that have no corresponding data node, an AuthorizationMgmtException is thrown noting the missing resource name(s).
 java.util.Collection findAllPolicyIDs(SessionToken caller)
          Locate the IDs of all of the policies that are accessible by the caller.
 java.util.Collection findPolicyIDs(SessionToken caller, java.util.Collection principals)
          Locate the IDs of all of the policies that apply to the specified principals and that are accessible by the caller.
 java.util.List getElementEntitlements(AuthorizationRealm realm, java.util.Collection elementNames)
          Returns a List of entitlements to the given element pattern in the given realm.
 java.util.List getElementEntitlements(AuthorizationRealm realm, java.lang.String elementNamePattern)
          Returns a List of entitlements to the given element pattern in the given realm.
 java.util.List getGroupEntitlements(AuthorizationRealm realm, java.util.Collection groupNames)
          Returns a List of entitlements to the given fully qualified group name in the given realm.
 java.util.List getGroupEntitlements(AuthorizationRealm realm, java.lang.String fullyQualifiedGroupName)
          Returns a List of entitlements to the given fully qualified group name in the given realm.
 java.util.Collection getInaccessibleResources(SessionToken sessionToken, java.lang.String contextName, java.util.Collection requests)
          Of those resources specified, return the subset for which the specified account does NOT have authorization to access.
 java.util.Collection getPolicIDsForResourceInRealm(SessionToken caller, AuthorizationRealm realm, java.lang.String resourceName)
          Returns a Collection of AuthorizationPolicyIDs that have AuthorizationPermissionsImpl on the given resource that exists in the given AuthorizationRealm.
 java.util.Collection getPolicies(SessionToken caller, java.util.Collection policyIDs)
          Locate the policies that have the specified IDs.
 java.util.Collection getPoliciesInRealm(SessionToken caller, AuthorizationRealm realm)
          Returns a Collection of AuthorizationPolicys that have AuthorizationPermissionsImpl in the given AuthorizationRealm.
NOTE: It is the responsibility of the caller to determine which of the AuthorizationPolicy's AuthorizationPermissionsImpl are actually in the given AuthorizationRealm.
 AuthorizationPolicy getPolicy(SessionToken caller, AuthorizationPolicyID policyID)
          Locate the policy that has the specified ID.
 java.util.Collection getPolicyIDsInPartialRealm(SessionToken caller, AuthorizationRealm realm)
          Returns a Collection of AuthorizationPolicyIDs that have AuthorizationPermissionsImpl that exist in the given partial AuthorizationRealm.
The implementation is such that all AuthorizationPolicyIDs whose AuthorizationRealm starts with the given AuthorizationRealm are returned.
 java.util.Collection getPolicyIDsInRealm(SessionToken caller, AuthorizationRealm realm)
          Returns a Collection of AuthorizationPolicyIDs in the given AuthorizationRealm.
 java.util.Collection getPolicyIDsWithPermissionsInRealm(SessionToken caller, AuthorizationRealm realm)
          Returns a Collection of AuthorizationPolicyIDs that have AuthorizationPermissionsImpl in the given AuthorizationRealm.
NOTE: It is the responsibility of the caller to determine which of the AuthorizationPolicy's AuthorizationPermissionsImpl are actually in the given AuthorizationRealm.
 java.util.Collection getPrincipalsForRole(SessionToken caller, java.lang.String roleName)
          Returns a collection of MetaMatrixPrincipalName objects, each containing the name and type of a principal that belongs to the given role.
protected  AuthorizationSourceTransaction getReadTransaction()
           
 java.util.Collection getRealmNames(SessionToken caller)
          Obtain the names of all of the realms known to the system.
 java.util.Map getRoleDescriptions(SessionToken caller)
          Obtain the names of all of the roles and their descriptions known to the system.
 java.util.Collection getRoleNamesForPrincipal(SessionToken caller, MetaMatrixPrincipalName principal)
          Returns a Collection of String names of MetaMatrix roles to which the given principal is assigned.
protected  AuthorizationSourceTransaction getWriteTransaction()
           
 boolean hasPolicy(SessionToken caller, AuthorizationRealm realm, java.lang.String policyName)
           
protected  void initService(java.util.Properties env)
          Perform initialization and commence processing.
 boolean isCallerInRole(SessionToken caller, java.lang.String roleName)
          Verify that caller is in the specified logical role.
protected  boolean isEntitled(java.lang.String principal)
           
protected  void killService()
          Terminate all processing and reclaim resources.
 void migratePolicies(SessionToken token, EntitlementMigrationReport rpt, java.lang.String targetVDBName, java.lang.String targetVDBVersion, java.util.Set targetNodes, java.util.Collection sourcePolicies, AdminOptions options)
           
 boolean removePrincipalFromAllPolicies(SessionToken caller, MetaMatrixPrincipalName principal)
          Remove given Principal from ALL AuthorizationPolicies to which he belongs.
 java.lang.String toString()
          Outputs a String representation of this service - the class name followed by either the instance name or some indication of the state the service is in.
protected  void waitForServiceToClear()
          Wait until the service has completed all outstanding work.
 
Methods inherited from class com.metamatrix.platform.service.controller.AbstractService
checkState, die, dieNow, getConnectionPoolStats, getCurrentState, getHostname, getID, getInitException, getInstanceName, getProcessName, getProperties, getQueueStatistics, getQueueStatistics, getResourceName, getServiceData, getServiceName, getServiceType, getStartTime, getStateChangeTime, init, isAlive, isClosed, isInitialized, isOpen, processEvent, registerForEvents, setInitException, unregisterForEvents, updateState
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 
Methods inherited from interface com.metamatrix.platform.service.api.ServiceInterface
checkState, die, dieNow, getConnectionPoolStats, getCurrentState, getHostname, getID, getInitException, getProcessName, getProperties, getQueueStatistics, getQueueStatistics, getServiceData, getServiceType, getStartTime, getStateChangeTime, init, isAlive, setInitException, updateState
 

Field Detail

authorizationCache

protected AuthorizationCache authorizationCache

membershipServiceProxy

protected MembershipServiceInterface membershipServiceProxy
Constructor Detail

AuthorizationServiceImpl

public AuthorizationServiceImpl()
Method Detail

initService

protected void initService(java.util.Properties env)
Perform initialization and commence processing. This method is called only once.

Specified by:
initService in class AbstractService

getReadTransaction

protected AuthorizationSourceTransaction getReadTransaction()
                                                     throws ManagedConnectionException
Throws:
ManagedConnectionException

getWriteTransaction

protected AuthorizationSourceTransaction getWriteTransaction()
                                                      throws ManagedConnectionException
Throws:
ManagedConnectionException

closeService

protected void closeService()
                     throws java.lang.Exception
Close the service to new work if applicable. After this method is called the service should no longer accept new work to perform but should continue to process any outstanding work. This method is called by die().

Specified by:
closeService in class AbstractService
Throws:
java.lang.Exception

waitForServiceToClear

protected void waitForServiceToClear()
                              throws java.lang.Exception
Wait until the service has completed all outstanding work. This method is called by die() just before calling dieNow().

Specified by:
waitForServiceToClear in class AbstractService
Throws:
java.lang.Exception

killService

protected void killService()
Terminate all processing and reclaim resources. This method is called by dieNow() and is only called once.

Specified by:
killService in class AbstractService

checkAccess

public boolean checkAccess(SessionToken sessionToken,
                           java.lang.String contextName,
                           AuthorizationPermission request)
                    throws InvalidSessionException,
                           AuthorizationMgmtException
Return whether the specified account has authorization to access the specified resource.

Specified by:
checkAccess in interface AuthorizationServiceInterface
Parameters:
sessionToken - the session token of the principal whose access is being checked
contextName - the name of the context for the caller (@see AuditContext)
request - the permission that details the resource and the desired form of access
Returns:
true if the specified principal is granted access to the requested resource, or false otherwise
Throws:
InvalidSessionException - if the session token for this cache is not valid
AuthorizationMgmtException - if this service is unable to locate resources required for this operation

checkAccess

public boolean checkAccess(SessionToken sessionToken,
                           java.lang.String contextName,
                           AuthorizationPermission request,
                           boolean fetchDependants)
                    throws InvalidSessionException,
                           AuthorizationMgmtException
Return whether the specified account has authorization to access the specified resource and all its dependant resources.

Specified by:
checkAccess in interface AuthorizationServiceInterface
Parameters:
sessionToken - the session token of the principal whose access is being checked
contextName - the name of the context for the caller (@see AuditContext)
request - the permission that details the resource and the desired form of access
fetchDependants - If true, search authorization store for all dependant permissions of the given request. Access is checked for all resources - the given request and all dependants.
Returns:
true if the specified principal is granted access to the requested resources, or false otherwise
Throws:
InvalidSessionException - if the session token for this cache is not valid
AuthorizationMgmtException - if this service is unable to locate resources required for this operation

getInaccessibleResources

public java.util.Collection getInaccessibleResources(SessionToken sessionToken,
                                                     java.lang.String contextName,
                                                     java.util.Collection requests)
                                              throws InvalidSessionException,
                                                     AuthorizationMgmtException
Of those resources specified, return the subset for which the specified account does NOT have authorization to access.

Specified by:
getInaccessibleResources in interface AuthorizationServiceInterface
Parameters:
sessionToken - the session token of the principal that is calling this method
contextName - the name of the context for the caller (@see AuditContext)
requests - the permissions that detail the resources and the desired form of access
Returns:
the subset of requests that the account does not have access to
Throws:
InvalidSessionException - if the session token for this cache is not valid
AuthorizationMgmtException - if this service is unable to locate resources required for this operation

getGroupEntitlements

public java.util.List getGroupEntitlements(AuthorizationRealm realm,
                                           java.util.Collection groupNames)
                                    throws AuthorizationMgmtException
Returns a List of entitlements to the given fully qualified group name in the given realm.

The list contains objects of type UserEntitlementInfo which will contain all user entitlement information for each group found. Each of these objects will contain 1 or more objects of type GranteeEntitlementEntry which contain the Grantee's name, the entitlement Grantor (the entity specifying that the Grantee is entitled), and the Allowed Actions the Grantee is entitled to perform on the group.

The attributes available are:
  1. VDB Name
  2. VDB Version
  3. Group Name (fully qualified)
    • Grantee Name; Grantor Name; Allowed Actions (A String[] of one or more of {CREATE, READ, UPDATE, DELETE})
    • ...

Specified by:
getGroupEntitlements in interface AuthorizationServiceInterface
Parameters:
realm - The realm in which the element must live.
groupNames - the fully qualified group names - the resources - for which to look up permissions. Collection of String.
Returns:
The List of entitlements to the given element in the given realm - May be empty but never null.
Throws:
AuthorizationMgmtException - if this service is unable to locate resources required for this operation.

getGroupEntitlements

public java.util.List getGroupEntitlements(AuthorizationRealm realm,
                                           java.lang.String fullyQualifiedGroupName)
                                    throws AuthorizationMgmtException
Returns a List of entitlements to the given fully qualified group name in the given realm.

The list contains objects of type UserEntitlementInfo which will contain all user entitlement information for each group found. Each of these objects will contain 1 or more objects of type GranteeEntitlementEntry which contain the Grantee's name, the entitlement Grantor (the entity specifying that the Grantee is entitled), and the Allowed Actions the Grantee is entitled to perform on the group.

The attributes available are:
  1. VDB Name
  2. VDB Version
  3. Group Name (fully qualified)
    • Grantee Name; Grantor Name; Allowed Actions (A String[] of one or more of {CREATE, READ, UPDATE, DELETE})
    • ...

Specified by:
getGroupEntitlements in interface AuthorizationServiceInterface
Parameters:
realm - The realm in which the element must live.
fullyQualifiedGroupName - The resource for which to look up permissions.
Returns:
The List of entitlements to the given element in the given realm - May be empty but never null.
Throws:
AuthorizationMgmtException - if this service is unable to locate resources required for this operation.
ServiceStateException - if the Authorization service is not taking requests.

getElementEntitlements

public java.util.List getElementEntitlements(AuthorizationRealm realm,
                                             java.util.Collection elementNames)
                                      throws AuthorizationMgmtException
Returns a List of entitlements to the given element pattern in the given realm.

The list contains objects of type UserEntitlementInfo which will contain all user entitlement information for each element found. Each of these objects will contain 1 or more objects of type GranteeEntitlementEntry which contain the Grantee's name, the entitlement Grantor (the entity specifying that the Grantee is entitled), and the Allowed Actions the Grantee is entitled to perform on the element.

The attributes available are:
  1. VDB Name
  2. VDB Version
  3. Group Name (fully qualified)
  4. Element Name (fully qualified)
    • Grantee Name; Grantor Name; Allowed Actions (A String[] of one or more of {CREATE, READ, UPDATE, DELETE})
    • ...

Specified by:
getElementEntitlements in interface AuthorizationServiceInterface
Parameters:
realm - The realm in which the element must live.
elementNames - The fully qualified element resource for which to look up permissions. Collection of String.
Returns:
The List of entitlements to the given element in the given realm - May be empty but never null.
Throws:
AuthorizationMgmtException - if this service is unable to locate resources required for this operation.
ServiceStateException - if the Authorization service is not taking requests.

getElementEntitlements

public java.util.List getElementEntitlements(AuthorizationRealm realm,
                                             java.lang.String elementNamePattern)
                                      throws AuthorizationMgmtException
Returns a List of entitlements to the given element pattern in the given realm.

The list contains objects of type UserEntitlementInfo which will contain all user entitlement information for each element found. Each of these objects will contain 1 or more objects of type GranteeEntitlementEntry which contain the Grantee's name, the entitlement Grantor (the entity specifying that the Grantee is entitled), and the Allowed Actions the Grantee is entitled to perform on the element.

The attributes available are:
  1. VDB Name
  2. VDB Version
  3. Group Name (fully qualified)
  4. Element Name (fully qualified)
    • Grantee Name; Grantor Name; Allowed Actions (A String[] of one or more of {CREATE, READ, UPDATE, DELETE})
    • ...

Specified by:
getElementEntitlements in interface AuthorizationServiceInterface
Parameters:
realm - The realm in which the element must live.
elementNamePattern - The resource for which to look up permissions. SQL '%' pattern matching may be used.
Returns:
The List of entitlements to the given element in the given realm - May be empty but never null.
Throws:
AuthorizationMgmtException - if this service is unable to locate resources required for this operation.
ServiceStateException - if the Authorization service is not taking requests.

getRealmNames

public java.util.Collection getRealmNames(SessionToken caller)
                                   throws InvalidSessionException,
                                          AuthorizationException,
                                          AuthorizationMgmtException
Obtain the names of all of the realms known to the system.

Specified by:
getRealmNames in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to access the policies.
Returns:
the set of realm names
Throws:
InvalidSessionException - if the SessionToken is not valid or is expired
AuthorizationException - if the caller is unable to perform this operation
AuthorizationMgmtException - if this service has trouble connecting to services it uses.

containsPolicy

public boolean containsPolicy(SessionToken caller,
                              AuthorizationPolicyID policyID)
                       throws InvalidSessionException,
                              AuthorizationException,
                              AuthorizationMgmtException
Return whether there is an existing policy with the specified ID.

Specified by:
containsPolicy in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to access the policies.
policyID - the ID that is to be checked
Returns:
true if a policy with the specified ID exists
Throws:
InvalidSessionException - if the SessionToken is not valid or is expired
AuthorizationException - if the caller is unable to perform this operation
AuthorizationMgmtException - if this service has trouble connecting to services it uses.
See Also:
AuthorizationDomain.containsPolicy

findAllPolicyIDs

public java.util.Collection findAllPolicyIDs(SessionToken caller)
                                      throws InvalidSessionException,
                                             AuthorizationException,
                                             AuthorizationMgmtException
Locate the IDs of all of the policies that are accessible by the caller.

Specified by:
findAllPolicyIDs in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to access the policies.
Returns:
the set of all policy IDs; never null but possibly empty.
Throws:
InvalidSessionException - if the SessionToken is not valid or is expired
AuthorizationException - if the caller is unable to perform this operation
AuthorizationMgmtException - if this service has trouble connecting to services it uses.
See Also:
AuthorizationDomain.findAllPolicyIDs

findPolicyIDs

public java.util.Collection findPolicyIDs(SessionToken caller,
                                          java.util.Collection principals)
                                   throws InvalidSessionException,
                                          AuthorizationException,
                                          AuthorizationMgmtException
Locate the IDs of all of the policies that apply to the specified principals and that are accessible by the caller.

Unknown whether this method should return policy IDs that apply to ALL (set intersection) or ANY (set union) principals in the collection. Currently returns ANY.

Specified by:
findPolicyIDs in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to access the policies.
principals - the Set of MetaMatrixPrincipalNames to whom the returned policies should apply (may not be null, empty or invalid, all of which would result in an empty result).
Returns:
the set of all policy IDs; never null but possibly empty.
Throws:
InvalidSessionException - if the SessionToken is not valid or is expired
AuthorizationException - if the caller is unable to perform this operation
AuthorizationMgmtException - if this service has trouble connecting to services it uses.
See Also:
AuthorizationModel.findAllPolicyIDs
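
The ANY behaviour noted above matters to a caller that actually needs ALL. The following added example (not MetaMatrix code) shows one way to derive ALL from a lookup that only offers ANY: query once per principal and intersect. PolicyFinder, anyFinder, findForAll and the sample principals and policy IDs are hypothetical stand-ins constructed for illustration.

```java
import java.util.*;

public class PolicyLookupSemantics {

    /** Hypothetical stand-in for a lookup with ANY semantics, as the text above describes. */
    interface PolicyFinder {
        Set<String> findPolicyIDs(Collection<String> principals);
    }

    /** Constructed in-memory finder: principal name -> IDs of the policies that name it. */
    static PolicyFinder anyFinder(final Map<String, Set<String>> index) {
        return new PolicyFinder() {
            public Set<String> findPolicyIDs(Collection<String> principals) {
                Set<String> ids = new TreeSet<String>();
                if (principals == null) {
                    return ids;                        // null input -> empty result
                }
                for (String p : principals) {
                    Set<String> hit = index.get(p);    // unknown principal contributes nothing
                    if (hit != null) {
                        ids.addAll(hit);               // union: a policy counts if ANY principal is in it
                    }
                }
                return ids;
            }
        };
    }

    /** ALL semantics built on an ANY lookup: one call per principal, then intersect the results. */
    static Set<String> findForAll(PolicyFinder finder, Collection<String> principals) {
        Set<String> common = null;
        if (principals != null) {
            for (String p : principals) {
                Set<String> ids = finder.findPolicyIDs(Collections.singleton(p));
                if (common == null) {
                    common = new TreeSet<String>(ids);
                } else {
                    common.retainAll(ids);             // keep only policies shared by every principal
                }
            }
        }
        return common == null ? new TreeSet<String>() : common;
    }

    public static void main(String[] args) {
        // Constructed sample data: a user and a group, each named by two policies.
        Map<String, Set<String>> index = new HashMap<String, Set<String>>();
        index.put("alice", new HashSet<String>(Arrays.asList("hr-read", "finance-read")));
        index.put("analysts", new HashSet<String>(Arrays.asList("finance-read", "sales-read")));

        PolicyFinder finder = anyFinder(index);
        List<String> principals = Arrays.asList("alice", "analysts");

        System.out.println("ANY (union):        " + finder.findPolicyIDs(principals));
        System.out.println("ALL (intersection): " + findForAll(finder, principals));
    }
}
```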

getPolicies

public java.util.Collection getPolicies(SessionToken caller,
                                        java.util.Collection policyIDs)
                                 throws InvalidSessionException,
                                        AuthorizationException,
                                        AuthorizationMgmtException
Locate the policies that have the specified IDs. Any ID that is invalid is simply ignored.

Specified by:
getPolicies in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to access the specified policies
policyIDs - the policy IDs for which the policies are to be obtained
Returns:
the set of entitlements that correspond to those specified IDs that are valid
Throws:
InvalidSessionException - if the SessionToken is not valid or is expired
AuthorizationException - if the caller is unable to perform this operation
AuthorizationMgmtException - if this service has trouble connecting to services it uses.
See Also:
AuthorizationDomain.getPolicies

getPolicy

public AuthorizationPolicy getPolicy(SessionToken caller,
                                     AuthorizationPolicyID policyID)
                              throws InvalidSessionException,
                                     AuthorizationException,
                                     AuthorizationMgmtException
Locate the policy that has the specified ID. An ID that is invalid is simply ignored.

Specified by:
getPolicy in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to access the specified policies
policyID - the ID of the policy to be obtained
Returns:
the policy that corresponds to the specified ID; may be null.
Throws:
InvalidSessionException - if the SessionToken is not valid or has expired.
AuthorizationException - if the caller is unable to perform this operation.
AuthorizationMgmtException - if there were errors with the SPI.
See Also:
AuthorizationDomain.getPolicy

isCallerInRole

public boolean isCallerInRole(SessionToken caller,
                              java.lang.String roleName)
                       throws AuthorizationMgmtException
Verify that caller is in the specified logical role.

Specified by:
isCallerInRole in interface AuthorizationServiceInterface
Parameters:
caller - The session token of the MetaMatrix principal invoking an administrative method.
roleName - The name of the role in question.
Returns:
true if caller's session token is valid and he is a MetaMatrix administrator.
Throws:
AuthorizationMgmtException - if this service has trouble connecting to services it uses.

getRoleDescriptions

public java.util.Map getRoleDescriptions(SessionToken caller)
                                  throws InvalidSessionException,
                                         AuthorizationException,
                                         AuthorizationMgmtException
Obtain the names of all of the roles and their descriptions known to the system.

Specified by:
getRoleDescriptions in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to access the roles.
Returns:
a Map of role descriptions keyed by the role's name.
Throws:
InvalidSessionException - if the SessionToken is not valid or is expired
AuthorizationException - if the caller is unable to perform this operation
AuthorizationMgmtException - if this service has trouble connecting to services it uses.

getPrincipalsForRole

public java.util.Collection getPrincipalsForRole(SessionToken caller,
                                                 java.lang.String roleName)
                                          throws InvalidSessionException,
                                                 AuthorizationException,
                                                 AuthorizationMgmtException
Returns a collection of MetaMatrixPrincipalName objects, each containing the name and type of a principal that belongs to the given role.

Specified by:
getPrincipalsForRole in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to access the roles.
roleName - String name of MetaMatrix role for which principals are sought
Returns:
The collection of MetaMatrixPrincipalNames who are in the given role, possibly empty, never null.
Throws:
InvalidSessionException - if the administrative session is invalid
AuthorizationException - if administrator does not have the authority to see the requested information
AuthorizationMgmtException

getRoleNamesForPrincipal

public java.util.Collection getRoleNamesForPrincipal(SessionToken caller,
                                                     MetaMatrixPrincipalName principal)
                                              throws AuthorizationMgmtException
Returns a Collection of String names of MetaMatrix roles to which the given principal is assigned.

Specified by:
getRoleNamesForPrincipal in interface AuthorizationServiceInterface
Parameters:
caller - The SessionToken of the principal making the request.
principal - MetaMatrixPrincipalName for which roles are sought
explicitOnly - If true, only return roles assigned directly to given principal. If false, return all roles directly assigned and inherited.
Returns:
The collection of role names belonging to the given principal, possibly empty, never null.
Throws:
InvalidSessionException - if the administrative session is invalid
AuthorizationMgmtException - if there is a problem internally with the MembershipService
AuthorizationException - if administrator does not have the authority to see the requested information

isEntitled

protected boolean isEntitled(java.lang.String principal)

removePrincipalFromAllPolicies

public boolean removePrincipalFromAllPolicies(SessionToken caller,
                                              MetaMatrixPrincipalName principal)
                                       throws AuthorizationException,
                                              AuthorizationMgmtException
Remove given Principal from ALL AuthorizationPolicies to which he belongs.

Specified by:
removePrincipalFromAllPolicies in interface AuthorizationServiceInterface
Parameters:
caller - the session token of the principal that is attempting to remove the Principal.
principal - MetaMatrixPrincipalName which should be deleted.
Returns:
true if at least one policy in which the principal had authorization was found and deleted, false otherwise.
Throws:
AuthorizationException - if administrator does not have the authority to perform the action.
AuthorizationMgmtException - if an error occurs in the Authorization store.
ServiceStateException - if the Authorization service is closed to client requests.

getPolicyIDsWithPermissionsInRealm

public java.util.Collection getPolicyIDsWithPermissionsInRealm(SessionToken caller,
                                                               AuthorizationRealm realm)
                                                        throws AuthorizationException,
                                                               AuthorizationMgmtException
Returns a Collection of AuthorizationPolicyIDs that have AuthorizationPermissionsImpl in the given AuthorizationRealm.
NOTE: It is the responsibility of the caller to determine which of the AuthorizationPolicy's AuthorizationPermissionsImpl are actually in the given AuthorizationRealm. The AuthorizationPolicy may span AuthorizationRealms.

Specified by:
getPolicyIDsWithPermissionsInRealm in interface AuthorizationServiceInterface
Parameters:
caller - The session token of the principal that is attempting to retrieve the policies.
realm - The realm in which to search for AuthorizationPermissions.
Returns:
The collection of AuthorizationPolicyIDs that have permissions in the given realm - possibly empty but never null.
Throws:
AuthorizationException - if the administrator does not have the authority to perform the action.
AuthorizationMgmtException - if an error occurs in the Authorization store.

getPolicyIDsInRealm

public java.util.Collection getPolicyIDsInRealm(SessionToken caller,
                                                AuthorizationRealm realm)
                                         throws AuthorizationException,
                                                AuthorizationMgmtException
Returns a Collection of AuthorizationPolicyIDs in the given AuthorizationRealm.
This method will only work for Data Access Authorizations because the realm is encoded in a Data Access policy name. NOTE: It is the responsibility of the caller to determine which of the AuthorizationPolicy's AuthorizationPermissionsImpl are actually in the given AuthorizationRealm. The AuthorizationPolicy may span AuthorizationRealms.

Specified by:
getPolicyIDsInRealm in interface AuthorizationServiceInterface
Parameters:
caller - The session token of the principal that is attempting to retrieve the policies.
realm - The realm in which to search for AuthorizationPermissions.
Returns:
The collection of AuthorizationPolicyIDs that have permissions in the given realm - possibly empty but never null.
Throws:
AuthorizationException - if the administrator does not have the authority to perform the action.
AuthorizationMgmtException - if an error occurs in the Authorization store.

getPoliciesInRealm

public java.util.Collection getPoliciesInRealm(SessionToken caller,
                                               AuthorizationRealm realm)
                                        throws AuthorizationException,
                                               AuthorizationMgmtException
Returns a Collection of AuthorizationPolicys that have AuthorizationPermissionsImpl in the given AuthorizationRealm.
NOTE: It is the responsibility of the caller to determine which of the AuthorizationPolicy's AuthorizationPermissionsImpl are actually in the given AuthorizationRealm. The AuthorizationPolicy may span AuthorizationRealms.

Specified by:
getPoliciesInRealm in interface AuthorizationServiceInterface
Parameters:
caller - The session token of the principal that is attempting to retrieve the policies.
realm - The realm in which to search for AuthorizationPermissions.
Returns:
The collection of AuthorizationPolicys that have permissions in the given realm - possibly empty but never null.
Throws:
AuthorizationException - if the administrator does not have the authority to perform the action.
AuthorizationMgmtException - if an error occurs in the Authorization store.

getPolicyIDsInPartialRealm

public java.util.Collection getPolicyIDsInPartialRealm(SessionToken caller,
                                                       AuthorizationRealm realm)
                                                throws AuthorizationException,
                                                       AuthorizationMgmtException
Returns a Collection of AuthorizationPolicyIDs that have AuthorizationPermissionsImpl that exist in the given partial AuthorizationRealm.
The implementation is such that all AuthorizationPolicyIDs whose AuthorizationRealm starts with the given AuthorizationRealm are returned.

Specified by:
getPolicyIDsInPartialRealm in interface AuthorizationServiceInterface
Parameters:
caller - The session token of the principal that is attempting to retrieve the policies.
realm - The partial realm in which to search for AuthorizationPermissions whose realm name starts with the given realm.
Returns:
The collection of AuthorizationPolicyIDs that have permissions in the given partial realm - possibly empty but never null.
Throws:
AuthorizationException - if the administrator does not have the authority to perform the action.
AuthorizationMgmtException - if an error occurs in the Authorization store.
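
The realm methods above leave two checks to the caller: a returned policy may span realms, and the partial-realm lookup matches by name prefix. The following is an added example, not code from this API; the Permission and Policy records and the realm names are hypothetical stand-ins with constructed sample data, since the real policy and permission classes are not shown on this page.

```java
import java.util.ArrayList;
import java.util.List;

public class RealmFilterExample {
    // Hypothetical stand-ins for the policy and permission types.
    record Permission(String realmName, String resourceName) {}
    record Policy(String policyName, List<Permission> permissions) {}

    // Keep only the permissions whose realm is exactly the requested one.
    // This is the check the NOTE leaves to the caller.
    static List<Permission> permissionsInRealm(Policy policy, String realmName) {
        List<Permission> result = new ArrayList<>();
        for (Permission p : policy.permissions()) {
            if (p.realmName().equals(realmName)) {
                result.add(p);
            }
        }
        return result;
    }

    // Mirrors the documented partial-realm rule: a realm matches when its
    // name starts with the given partial name.
    static boolean inPartialRealm(Permission p, String partialRealm) {
        return p.realmName().startsWith(partialRealm);
    }

    public static void main(String[] args) {
        // Constructed sample data: one policy spanning two realms whose
        // names share a prefix.
        Policy policy = new Policy("analysts", List.of(
            new Permission("Sales.1", "Sales.Orders"),
            new Permission("Sales.10", "Sales.Payroll")));

        // Exact-realm filtering of the policy's permissions.
        System.out.println("Exact realm Sales.1: "
            + permissionsInRealm(policy, "Sales.1"));

        // Prefix matching with the same realm name, for comparison.
        for (Permission p : policy.permissions()) {
            System.out.println(p.realmName() + " in partial realm Sales.1: "
                + inPartialRealm(p, "Sales.1"));
        }
    }
}
```

Code that makes entitlement decisions from a partial-realm result should apply the exact-realm filter before treating a permission as belonging to the realm it asked about.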

getPolicIDsForResourceInRealm

public java.util.Collection getPolicIDsForResourceInRealm(SessionToken caller,
                                                          AuthorizationRealm realm,
                                                          java.lang.String resourceName)
                                                   throws AuthorizationException,
                                                          AuthorizationMgmtException
Returns a Collection of AuthorizationPolicyIDs that have AuthorizationPermissionsImpl on the given resource that exists in the given AuthorizationRealm.

Specified by:
getPolicIDsForResourceInRealm in interface AuthorizationServiceInterface
Parameters:
caller - The session token of the principal that is attempting to retrieve the policies.
realm - The realm in which to search for AuthorizationPermissions.
resourceName - The resource for which to search for AuthorizationPermissions.
Returns:
The collection of AuthorizationPolicyIDs that have permissions on the given resource - possibly empty but never null.
Throws:
AuthorizationException - if the administrator does not have the authority to perform the action.
AuthorizationMgmtException - if an error occurs in the Authorization store.

fillPermissionNodeTree

public PermissionDataNode fillPermissionNodeTree(PermissionDataNode root,
                                                 AuthorizationPolicyID policyID)
                                          throws AuthorizationMgmtException
Takes a tree of PermissionDataNodeImpls that have their Resources filled in and fills in all permissions on resources that are found in the given AuthorizationPolicyID.

If any permissions are found that have no corresponding data node, an AuthorizationMgmtException is thrown noting the missing resource name(s).

Specified by:
fillPermissionNodeTree in interface AuthorizationServiceInterface
Parameters:
root - The node containing the resource (group or element full name) for which to search for permission(s).
root - The root of the tree of PermissionDataNodes to fill in permissions for.
Returns:
The root of the filled-in tree. If no permissions exist, the original is returned as the sole element in the list.
Throws:
AuthorizationMgmtException - if there is a connection or communication error with the data source, signifying that the method should be retried with a different connection; if there is an unspecified or unknown error with the data source; or one or more permissions were found but a corresponding PermissionDataNodeImpl could not be found.

executeTransaction

public java.util.Set executeTransaction(SessionToken administrator,
                                        java.util.List actions)
                                 throws InvalidSessionException,
                                        AuthorizationException,
                                        AuthorizationMgmtException
Executes the specified actions as a single transaction, and returns the set of IDs for the objects that were affected/modified by the actions.

Specified by:
executeTransaction in interface AuthorizationServiceInterface
Parameters:
administrator - the session token of the principal that is attempting to access the policies.
actions - the ordered list of actions that are to be performed on metamodel within the repository.
Returns:
The set of objects that were affected by this transaction.
Throws:
InvalidSessionException - if the SessionToken is not valid or has expired.
AuthorizationException - if the administrator is unable to perform this operation.
AuthorizationMgmtException - if there were errors with the SPI. Causes rollback.
java.lang.IllegalArgumentException - if the action is null.

hasPolicy

public boolean hasPolicy(SessionToken caller,
                         AuthorizationRealm realm,
                         java.lang.String policyName)
                  throws AuthorizationMgmtException,
                         MembershipServiceException
Specified by:
hasPolicy in interface AuthorizationServiceInterface
Throws:
AuthorizationMgmtException
MembershipServiceException

toString

public java.lang.String toString()
Outputs a String representation of this service - the class name followed by either the instance name or some indication of the state the service is in.

Overrides:
toString in class java.lang.Object

migratePolicies

public void migratePolicies(SessionToken token,
                            EntitlementMigrationReport rpt,
                            java.lang.String targetVDBName,
                            java.lang.String targetVDBVersion,
                            java.util.Set targetNodes,
                            java.util.Collection sourcePolicies,
                            AdminOptions options)
                     throws MetaMatrixComponentException,
                            InvalidSessionException,
                            AuthorizationException,
                            AuthorizationMgmtException
Specified by:
migratePolicies in interface AuthorizationServiceInterface
Throws:
MetaMatrixComponentException
InvalidSessionException
AuthorizationException
AuthorizationMgmtException


Copyright © 2009. All Rights Reserved.