Class AccessControlHandler<T extends AccessControlHandlerCfg>

  • Type Parameters:
    T - The type of access control configuration handled by this access control provider implementation.
    Direct Known Subclasses:
    AciHandler, PolicyBasedAccessControlHandler

    @PublicAPI(stability=VOLATILE,
               mayExtend=true)
    public class AccessControlHandler<T extends AccessControlHandlerCfg>
    extends Object
    This class defines the set of methods and structures that must be implemented by a Directory Server access control handler. All methods in this class should take the entire request into account when making the determination, including any request controls that might have been provided.

    The default implementation in this class rejects every request unless it is performed by a user who holds the bypass-acl privilege. The default implementation does not check whether a user holds the modify-acl privilege for a modify request, because only specific implementations (i.e. child classes) of this class can identify when an ACL is being modified.

    • Method Summary

      Modifier and Type Method Description
      boolean canDiscloseInformation​(Entry entry, Dn entryDN, Operation operation)
      Checks whether the ACIs prevent sending information about the provided entry, or entryDN if entry is null.
      void filterEntry​(Operation operation, SearchResultEntry unfilteredEntry, AttributeFilter attributeFilter)
      Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access.
      void finalizeAccessControlHandler()
      Performs any necessary finalization for the access control handler implementation.
      void initializeAccessControlHandler​(T configuration, ServerContext serverContext)
      Initializes the access control handler implementation based on the information in the provided configuration entry.
      boolean isAllowed​(Dn dn, Operation op, Control control)
      Indicates whether the provided control is allowed based on the access control configuration and the specified operation.
      boolean isAllowed​(AddOperation addOperation)
      Indicates whether the provided add operation is allowed based on the access control configuration.
      boolean isAllowed​(BindOperation bindOperation)
      Indicates whether the provided bind operation is allowed based on the access control configuration.
      boolean isAllowed​(CompareOperation compareOperation)
      Indicates whether the provided compare operation is allowed based on the access control configuration.
      boolean isAllowed​(DeleteOperation deleteOperation)
      Indicates whether the provided delete operation is allowed based on the access control configuration.
      boolean isAllowed​(ExtendedOperation extendedOperation)
      Indicates whether the provided extended operation is allowed based on the access control configuration.
      boolean isAllowed​(ModifyDnOperation modifyDnOperation)
      Indicates whether the provided modify DN operation is allowed based on the access control configuration.
      boolean isAllowed​(ModifyOperation modifyOperation)
      Indicates whether the provided modify operation is allowed based on the access control configuration.
      boolean isAllowed​(SearchOperation searchOperation)
      Indicates whether the provided search operation is allowed based on the access control configuration.
      boolean isAllowed​(Operation operation, Entry entry, Filter filter)
      Indicates whether the provided operation search filter is allowed based on the access control configuration.
      boolean isConfigurationAcceptable​(T configuration, List<LocalizableMessage> unacceptableReasons, ServerContext serverContext)
      Indicates whether the provided configuration is acceptable for this access control handler.
      boolean mayProxy​(Entry proxyUser, Entry proxiedUser, Operation operation, ServerContext serverContext)
      Indicates if the specified proxy user entry can proxy, or act on the behalf of the specified proxied user entry.
      boolean maySend​(Dn dn, Operation operation, SearchResultReference searchReference)
      Indicates whether the provided search result reference may be sent to the client based on the access control configuration.
      boolean maySend​(Operation operation, Entry unfilteredEntry)
      Indicates whether the provided search result entry may be sent to the client.
      protected boolean skipAccessCheck​(Operation operation)
      Check to see if the client entry has BYPASS_ACL privileges for this operation.
    • Constructor Detail

      • AccessControlHandler

        public AccessControlHandler()
    • Method Detail

      • initializeAccessControlHandler

        public void initializeAccessControlHandler​(T configuration,
                                                   ServerContext serverContext)
                                            throws ConfigException,
                                                   InitializationException
        Initializes the access control handler implementation based on the information in the provided configuration entry.
        Parameters:
        configuration - The configuration object that contains the information to use to initialize this access control handler.
        serverContext - the server context for this Directory Server instance.
        Throws:
        ConfigException - If an unrecoverable problem arises in the process of performing the initialization.
        InitializationException - If a problem occurs during initialization that is not related to the server configuration.
      • isConfigurationAcceptable

        public boolean isConfigurationAcceptable​(T configuration,
                                                 List<LocalizableMessage> unacceptableReasons,
                                                 ServerContext serverContext)
        Indicates whether the provided configuration is acceptable for this access control handler. It should be possible to call this method on an uninitialized access control handler instance in order to determine whether the handler would be able to use the provided configuration.
        Parameters:
        configuration - The access control handler configuration for which to make the determination.
        unacceptableReasons - A list that may be used to hold the reasons that the provided configuration is not acceptable.
        serverContext - the server context for this Directory Server instance.
        Returns:
        true if the provided configuration is acceptable for this access control handler, or false if not.
      • finalizeAccessControlHandler

        public void finalizeAccessControlHandler()
        Performs any necessary finalization for the access control handler implementation. This will be called just after the handler has been deregistered with the server but before it has been unloaded.
      • canDiscloseInformation

        public boolean canDiscloseInformation​(Entry entry,
                                              Dn entryDN,
                                              Operation operation)
                                       throws LdapException
        Checks whether the ACIs prevent sending information about the provided entry, or entryDN if entry is null.
        Parameters:
        entry - the entry for which to check whether ACIs prevent information disclosure; if null, a fake entry is created from the entryDN parameter.
        entryDN - the entry DN for which to check whether ACIs prevent information disclosure. Only used if entry is null.
        operation - the operation for which to check if ACIs prevent information disclosure
        Returns:
        true if the information for this entry can be disclosed, false otherwise.
        Throws:
        LdapException - If an error occurred while performing the access control check.
      • isAllowed

        public boolean isAllowed​(AddOperation addOperation)
                          throws LdapException
        Indicates whether the provided add operation is allowed based on the access control configuration. This method should not alter the provided add operation in any way.
        Parameters:
        addOperation - The operation for which to make the determination.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
        Throws:
        LdapException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
      • isAllowed

        public boolean isAllowed​(Dn dn,
                                 Operation op,
                                 Control control)
                          throws LdapException
        Indicates whether the provided control is allowed based on the access control configuration and the specified operation. This method should not alter the provided operation in any way.
        Parameters:
        dn - A DN that can be used in the access determination.
        op - The operation to use in the determination.
        control - The control for which to make the determination.
        Returns:
        true if the control should be allowed by the access control configuration, or false if not.
        Throws:
        LdapException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
      • isAllowed

        public boolean isAllowed​(BindOperation bindOperation)
        Indicates whether the provided bind operation is allowed based on the access control configuration. This method should not alter the provided bind operation in any way.
        Parameters:
        bindOperation - The operation for which to make the determination.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
      • isAllowed

        public boolean isAllowed​(CompareOperation compareOperation)
        Indicates whether the provided compare operation is allowed based on the access control configuration. This method should not alter the provided compare operation in any way.
        Parameters:
        compareOperation - The operation for which to make the determination.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
      • isAllowed

        public boolean isAllowed​(DeleteOperation deleteOperation)
        Indicates whether the provided delete operation is allowed based on the access control configuration. This method should not alter the provided delete operation in any way.
        Parameters:
        deleteOperation - The operation for which to make the determination.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
      • isAllowed

        public boolean isAllowed​(ExtendedOperation extendedOperation)
        Indicates whether the provided extended operation is allowed based on the access control configuration. This method should not alter the provided extended operation in any way.
        Parameters:
        extendedOperation - The operation for which to make the determination.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
      • isAllowed

        public boolean isAllowed​(ModifyOperation modifyOperation)
                          throws LdapException
        Indicates whether the provided modify operation is allowed based on the access control configuration. This method should not alter the provided modify operation in any way.
        Parameters:
        modifyOperation - The operation for which to make the determination.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
        Throws:
        LdapException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
      • isAllowed

        public boolean isAllowed​(ModifyDnOperation modifyDnOperation)
        Indicates whether the provided modify DN operation is allowed based on the access control configuration. This method should not alter the provided modify DN operation in any way.
        Parameters:
        modifyDnOperation - The operation for which to make the determination.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
      • isAllowed

        public boolean isAllowed​(SearchOperation searchOperation)
        Indicates whether the provided search operation is allowed based on the access control configuration. This method may only alter the provided search operation in order to add an opaque block of data to it that will be made available for use in determining whether matching search result entries or search result references may be allowed.
        Parameters:
        searchOperation - The operation for which to make the determination.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
      • isAllowed

        public boolean isAllowed​(Operation operation,
                                 Entry entry,
                                 Filter filter)
        Indicates whether the provided operation search filter is allowed based on the access control configuration. This method should not alter the provided operation in any way.
        Parameters:
        operation - The operation for which to make the determination.
        entry - The entry for which to make the determination.
        filter - The filter to check access on.
        Returns:
        true if the operation should be allowed by the access control configuration, or false if not.
      • maySend

        public boolean maySend​(Operation operation,
                               Entry unfilteredEntry)
        Indicates whether the provided search result entry may be sent to the client. Implementations must not under any circumstances modify the search entry in any way.
        Parameters:
        operation - The operation currently being processed (this will usually be a search, but may be other types of operation when pre/post read controls are used).
        unfilteredEntry - The result entry before any attribute filtering.
        Returns:
        true if the access control configuration allows the entry to be returned to the client, or false if not.
      • filterEntry

        public void filterEntry​(Operation operation,
                                SearchResultEntry unfilteredEntry,
                                AttributeFilter attributeFilter)
        Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access.
        Parameters:
        operation - The operation currently being processed (this will usually be a search, but may be other types of operation when pre/post read controls are used).
        unfilteredEntry - The result entry before any attribute filtering.
        attributeFilter - The attribute filter which should be updated to include a predicate or mapping function for removing disallowed attributes.
      • maySend

        public boolean maySend​(Dn dn,
                               Operation operation,
                               SearchResultReference searchReference)
        Indicates whether the provided search result reference may be sent to the client based on the access control configuration.
        Parameters:
        dn - A DN that can be used in the access determination.
        operation - The operation with which the provided reference is associated.
        searchReference - The search result reference for which to make the determination.
        Returns:
        true if the access control configuration allows the reference to be returned to the client, or false if not.
      • mayProxy

        public boolean mayProxy​(Entry proxyUser,
                                Entry proxiedUser,
                                Operation operation,
                                ServerContext serverContext)
        Indicates whether the specified proxy user entry can proxy, or act on behalf of, the specified proxied user entry. The operation parameter is used in the evaluation.
        Parameters:
        proxyUser - The entry to use as the proxy user.
        proxiedUser - The entry to be proxied by the proxy user.
        operation - The operation to use in the evaluation.
        serverContext - The server context.
        Returns:
        true if the access control configuration allows the proxy user to proxy the proxied user, or false if not.
      • skipAccessCheck

        protected boolean skipAccessCheck​(Operation operation)
        Check to see if the client entry has BYPASS_ACL privileges for this operation.
        Parameters:
        operation - The operation to check privileges on.
        Returns:
        true if access checking can be skipped because the client connection of the operation has the BYPASS_ACL privilege, false otherwise.
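
As an added illustration of the contract documented above (this is example code, not code from the OpenDJ project or from this page), the subclass below inherits the default-deny behaviour for every operation it does not override and opens exactly two things: searches rooted in a public subtree, and the entries under that subtree that do not sit in a protected sub-subtree. It calls skipAccessCheck first so that bypass-acl holders behave as the class description says, it keeps isConfigurationAcceptable usable on an uninitialized instance, and it never modifies the operation or entry it is handed. The import package names, the accessors getBaseDN() and getName(), and the two DNs are assumptions, not values taken from the page.

```java
// Added example, not OpenDJ project code. Package names and the accessors
// getBaseDN()/getName() are assumptions about the surrounding OpenDJ API.
import java.util.List;

import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.opendj.ldap.Dn;
import org.forgerock.opendj.server.config.server.AccessControlHandlerCfg;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.core.SearchOperation;
import org.opends.server.core.ServerContext;
import org.opends.server.types.Entry;
import org.opends.server.types.Operation;

/**
 * Read-only handler: unprivileged clients may search one public subtree,
 * every other operation falls through to the base class, which denies it.
 */
public final class SubtreeReadOnlyHandler extends AccessControlHandler<AccessControlHandlerCfg> {

    /** Subtree unprivileged clients may search (constructed sample DN). */
    private static final Dn PUBLIC_SUBTREE = Dn.valueOf("ou=People,dc=example,dc=com");
    /** Subtree whose entries are never disclosed to unprivileged clients (constructed sample DN). */
    private static final Dn SECRET_SUBTREE = Dn.valueOf("ou=Secrets,ou=People,dc=example,dc=com");

    private AccessControlHandlerCfg config;

    @Override
    public void initializeAccessControlHandler(AccessControlHandlerCfg configuration,
                                               ServerContext serverContext) {
        this.config = configuration;
    }

    @Override
    public boolean isConfigurationAcceptable(AccessControlHandlerCfg configuration,
                                             List<LocalizableMessage> unacceptableReasons,
                                             ServerContext serverContext) {
        // Must be callable on an uninitialized instance: look only at the argument,
        // never at this.config.
        if (configuration == null) {
            unacceptableReasons.add(LocalizableMessage.raw("no access control configuration supplied"));
            return false;
        }
        return true;
    }

    @Override
    public boolean isAllowed(SearchOperation searchOperation) {
        // Privileged (bypass-acl) clients short-circuit every check, as the base class does.
        if (skipAccessCheck(searchOperation)) {
            return true;
        }
        // Unprivileged clients may only search at or below the public subtree.
        // The operation itself is not altered.
        Dn base = searchOperation.getBaseDN();   // assumed accessor
        return base != null && base.isSubordinateOrEqualTo(PUBLIC_SUBTREE);
    }

    @Override
    public boolean maySend(Operation operation, Entry unfilteredEntry) {
        if (skipAccessCheck(operation)) {
            return true;
        }
        // A search allowed above can still match entries in the protected sub-subtree;
        // this per-entry check keeps them out of the result set. The entry is not modified.
        Dn name = unfilteredEntry.getName();     // assumed accessor
        return !name.isSubordinateOrEqualTo(SECRET_SUBTREE);
    }

    @Override
    public boolean canDiscloseInformation(Entry entry, Dn entryDN, Operation operation) {
        // Same rule as maySend so that error responses (e.g. "no such entry" versus
        // "insufficient access") do not leak the existence of protected entries.
        Dn name = entry != null ? entry.getName() : entryDN;
        return skipAccessCheck(operation) || !name.isSubordinateOrEqualTo(SECRET_SUBTREE);
    }
}
```

Because add, bind, compare, delete, modify, modify DN and extended operations are not overridden, they keep the base class behaviour and are refused for any client without bypass-acl; widening the handler means adding an override per operation type, each starting with the same skipAccessCheck call.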