org.owasp.esapi.reference.accesscontrol
Class FileBasedACRs

java.lang.Object
  extended by org.owasp.esapi.reference.accesscontrol.FileBasedACRs

public class FileBasedACRs
extends Object

This class exists for backwards compatibility with the AccessController 1.0 reference implementation. This reference implementation uses a simple model for specifying a set of access control rules. Many organizations will want to create their own implementation of the methods provided in the AccessController interface.

This reference implementation uses a simple scheme for specifying the rules. The first step is to create a namespace for the resources being accessed. For files and URLs this is easy, as they already have a namespace. Be extremely careful about canonicalization when an access control decision relies on information from the user: a path or URL must be reduced to one canonical form (decoded, dot-segments collapsed) before it is compared against the rules, otherwise an encoded or traversal spelling of a denied resource can match an allow rule.

For functions, data, and services, you will have to come up with your own namespace for the resources being accessed. You might simply define a flat namespace with a list of category names. For example, you might specify 'FunctionA', 'FunctionB', and 'FunctionC'. Or you can create a richer namespace with a hierarchical structure, such as:

/functions
  /admin

Once you've defined your namespace, you have to work out the rules that govern access to the different parts of the namespace. This implementation allows you to attach a simple access control list (ACL) to any part of the namespace tree. The ACL lists a set of roles that are either allowed or denied access to a part of the tree. You specify these rules in a text file with a simple format.

There is a single configuration file supporting each of the five methods in the AccessController interface. These files are located in the ESAPI resources directory as specified when the JVM was started. The use of a default deny rule is STRONGLY recommended. The file format is as follows:

 path          | role,role   | allow/deny | comment
 ------------------------------------------------------------------------------------
 /banking/*    | user,admin  | allow      | authenticated users can access /banking
 /admin        | admin       | allow      | only admin role can access /admin
 /             | any         | deny       | default deny rule
 
To find the matching rules, this implementation follows the general approach used in Java EE when matching HTTP requests to servlets in web.xml. The four mapping rules (the Servlet specification's mapping order) are used in the following order:

 1. exact match of the whole path, e.g. /admin
 2. longest path-prefix match, for patterns beginning with / and ending with /*, e.g. /banking/*
 3. extension match, for patterns beginning with *., e.g. *.css
 4. default rule, specified by the single-character pattern /

Because the default rule is consulted last and only when nothing else matches, a final "/ | any | deny" line is what turns the file into a default-deny policy; without it an unlisted path matches no rule at all.
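The following is an added example, not ESAPI's own code: it parses a rule file in the format shown above, applies the servlet-style mapping order (exact, longest prefix, extension, default) to find the governing rule, and canonicalizes the requested URL before the lookup, which is the point of the canonicalization warning earlier on this page. The rule text is a constructed copy of the page's sample table; every function and the role-matching policy are this example's own choices rather than ESAPI's API.

```python
# Added example, not ESAPI's own code: a parser for the rule-file format shown
# above plus a matcher that applies the servlet-style mapping order (exact match,
# longest path-prefix, extension, default "/") and canonicalizes the requested
# URL before the lookup. All names here are this example's own.
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import urlsplit, unquote

# Constructed sample in the page's format: path | roles | allow/deny | comment
RULES_TEXT = """\
 path          | role,role   | allow/deny | comment
 ------------------------------------------------------------------------------------
 /banking/*    | user,admin  | allow      | authenticated users can access /banking
 /admin        | admin       | allow      | only admin role can access /admin
 /             | any         | deny       | default deny rule
"""


@dataclass(frozen=True)
class Rule:
    path: str            # exact path, "/prefix/*", "*.ext" or the default "/"
    roles: frozenset     # role names; "any" matches every caller
    allow: bool
    comment: str = ""


def parse_rules(text):
    """Parse '|'-separated rule lines; header, separator, '#' and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 3:
            raise ValueError(f"malformed rule: {line!r}")
        path, roles, action = cols[0], cols[1], cols[2].lower()
        if action == "allow/deny":
            continue  # column header row
        if action not in ("allow", "deny") or not path.startswith(("/", "*.")):
            raise ValueError(f"malformed rule: {line!r}")  # fail closed on bad config
        roleset = frozenset(r.strip() for r in roles.split(",") if r.strip())
        rules.append(Rule(path, roleset, action == "allow", cols[3] if len(cols) > 3 else ""))
    return rules


def canonicalize(url):
    """Reduce a URL or bare path to one canonical form before comparing it to any rule.
    Multiply-encoded input is rejected instead of guessing what was meant."""
    path = unquote(urlsplit(url).path)          # drop scheme/host/query, decode once
    if "%" in path:
        raise ValueError("multiple or invalid percent-encoding")
    path = normpath("/" + path.lstrip("/"))     # collapse '.', '..' and '//'
    return "/" + path.lstrip("/")               # normpath may keep a leading '//'


def find_rule(rules, path):
    """Servlet-style order: exact, longest prefix ('/x/*'), extension ('*.ext'), default '/'."""
    for r in rules:
        if r.path == path:
            return r
    best, best_len = None, -1
    for r in rules:
        if r.path.endswith("/*"):
            prefix = r.path[:-2]
            if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > best_len:
                best, best_len = r, len(prefix)
    if best is not None:
        return best
    last = path.rsplit("/", 1)[-1]
    for r in rules:
        if r.path.startswith("*.") and last.endswith(r.path[1:]):
            return r
    for r in rules:
        if r.path == "/":
            return r
    return None


def is_authorized_for_url(rules, user_roles, url):
    """True only if the canonical path hits a rule naming one of the caller's roles
    (or 'any') and that rule says allow; anything else, including errors, is deny."""
    try:
        path = canonicalize(url)
    except ValueError:
        return False
    rule = find_rule(rules, path)
    if rule is None or ("any" not in rule.roles and rule.roles.isdisjoint(user_roles)):
        return False
    return rule.allow
```

With the sample rules, a caller holding only the user role is allowed /banking/accounts and refused /admin, and the same refusal holds for /banking/../admin and /banking/%2e%2e/admin because both canonicalize to /admin before any rule is consulted; /banking/%252e%252e/admin is refused outright as multiply encoded. Two policy choices here are the example's own, not something the page specifies: a rule that matches the path but lists none of the caller's roles is treated as deny rather than falling through to a later rule, and a path that matches no rule at all is also deny.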

Since:
June 1, 2007
Author:
Mike Fauzy ([email protected]), Jeff Williams ([email protected])

Constructor Summary
FileBasedACRs()
           
 
Method Summary
 boolean isAuthorizedForData(String action, Object data)
          TODO Javadoc
 boolean isAuthorizedForFile(String filepath)
          TODO Javadoc
 boolean isAuthorizedForFunction(String functionName)
          TODO Javadoc
 boolean isAuthorizedForService(String serviceName)
          TODO Javadoc
 boolean isAuthorizedForURL(String url)
          Check if URL is authorized.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

FileBasedACRs

public FileBasedACRs()
Method Detail

isAuthorizedForURL

public boolean isAuthorizedForURL(String url)
Check if URL is authorized.

Parameters:
url - The URL tested for authorization
Returns:
true if access is allowed, false otherwise.

isAuthorizedForFunction

public boolean isAuthorizedForFunction(String functionName)
                                throws AccessControlException
TODO Javadoc

Throws:
AccessControlException

isAuthorizedForData

public boolean isAuthorizedForData(String action,
                                   Object data)
                            throws AccessControlException
TODO Javadoc

Throws:
AccessControlException

isAuthorizedForFile

public boolean isAuthorizedForFile(String filepath)
                            throws AccessControlException
TODO Javadoc

Throws:
AccessControlException

isAuthorizedForService

public boolean isAuthorizedForService(String serviceName)
                               throws AccessControlException
TODO Javadoc

Throws:
AccessControlException


Copyright © 2011 The Open Web Application Security Project (OWASP). All Rights Reserved.