Package org.forgerock.opendj.ldap.controls

Class GetEffectiveRightsRequestControl

  • All Implemented Interfaces:
    Control
    public final class GetEffectiveRightsRequestControl
extends Object
implements Control
    A partial implementation of the get effective rights request control as defined in draft-ietf-ldapext-acl-model. The main differences are:
    • The response control is not supported. Instead the OpenDJ implementation creates attributes containing effective rights information with the entry being returned.
    • The attribute type names are dynamically created.
    • The set of attributes for which effective rights information is to be requested can be included in the control.
    The get effective rights request control value has the following BER encoding: 
      GetRightsControl ::= SEQUENCE {
    authzId    authzId  -- Only the "dn:DN" form is supported.
    attributes  SEQUENCE OF AttributeType
  }
    You can use the control to retrieve effective rights during a search: 
     String authDN = ...;

 SearchRequest request =
         Requests.newSearchRequest(
                     "dc=example,dc=com", SearchScope.WHOLE_SUBTREE,
                     "(uid=bjensen)", "cn", "aclRights", "aclRightsInfo")
                     .addControl(GetEffectiveRightsRequestControl.newControl(
                             true, authDN, "cn"));

 ConnectionEntryReader reader = connection.search(request);
 while (reader.hasNext()) {
      if (!reader.isReference()) {
          SearchResultEntry entry = reader.readEntry();
          // Interpret aclRights and aclRightsInfo
      }
 }
    The entries returned by the search hold the aclRights and aclRightsInfo attributes with the effective rights information. You must parse the attribute options and values to interpret the information.
    See Also:
    draft-ietf-ldapext-acl-model - Access Control Model for LDAPv3

    • Method Detail

      • newControl

        public static GetEffectiveRightsRequestControl newControl​(boolean isCritical,
                                                          Dn authorizationName,
                                                          Collection<AttributeType> attributes)
        Creates a new get effective rights request control with the provided criticality, optional authorization name and attribute list.
        Parameters:
        isCritical - true if it is unacceptable to perform the operation without applying the semantics of this control, or false if it can be ignored.
        authorizationName - The distinguished name of the user for which effective rights are to be returned, or null if the client's authentication ID is to be used.
        attributes - The list of attributes for which effective rights are to be returned, which may be empty indicating that no attribute rights are to be returned.
        Returns:
        The new control.
        Throws:
        NullPointerException - If attributes was null.

      • newControl

        public static GetEffectiveRightsRequestControl newControl​(boolean isCritical,
                                                          String authorizationName,
                                                          String... attributes)
        Creates a new get effective rights request control with the provided criticality, optional authorization name and attribute list. The authorization name and attributes, if provided, will be decoded using the default schema.
        Parameters:
        isCritical - true if it is unacceptable to perform the operation without applying the semantics of this control, or false if it can be ignored.
        authorizationName - The distinguished name of the user for which effective rights are to be returned, or null if the client's authentication ID is to be used.
        attributes - The list of attributes for which effective rights are to be returned, which may be empty indicating that no attribute rights are to be returned.
        Returns:
        The new control.
        Throws:
        UnknownSchemaElementException - If the default schema is a strict schema and one or more of the requested attribute types were not recognized.
        LocalizedIllegalArgumentException - If authorizationName is not a valid LDAP string representation of a DN.
        NullPointerException - If attributes was null.

      • getAttributes

        public Collection<AttributeType> getAttributes()
        Returns an unmodifiable list of attributes for which effective rights are to be returned, which may be empty indicating that no attribute rights are to be returned.
        Returns:
        The unmodifiable list of attributes for which effective rights are to be returned.

      • getAuthorizationName

        public Dn getAuthorizationName()
        Returns the distinguished name of the user for which effective rights are to be returned, or null if the client's authentication ID is to be used.
        Returns:
        The distinguished name of the user for which effective rights are to be returned.

      • getOid

        public String getOid()
        Description copied from interface: Control
        Returns the numeric OID associated with this control.
        Specified by:
        getOid in interface Control
        Returns:
        The numeric OID associated with this control.

      • getValue

        public ByteString getValue()
        Description copied from interface: Control
        Returns the value, if any, associated with this control. Its format is defined by the specification of this control.
        Specified by:
        getValue in interface Control
        Returns:
        The value associated with this control, or null if there is no value.

      • hasValue

        public boolean hasValue()
        Description copied from interface: Control
        Returns true if this control has a value. In some circumstances it may be useful to determine if a control has a value, without actually calculating the value and incurring any performance costs.
        Specified by:
        hasValue in interface Control
        Returns:
        true if this control has a value, or false if there is no value.

      • isCritical

        public boolean isCritical()
        Description copied from interface: Control
        Returns true if it is unacceptable to perform the operation without applying the semantics of this control.

        The criticality field only has meaning in controls attached to request messages (except UnbindRequest). For controls attached to response messages and the UnbindRequest, the criticality field SHOULD be false, and MUST be ignored by the receiving protocol peer. A value of true indicates that it is unacceptable to perform the operation without applying the semantics of the control.

        Specified by:
        isCritical in interface Control
        Returns:
        true if this control must be processed by the Directory Server, or false if it can be ignored.