|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.owasp.esapi.reference.DefaultAccessController
public class DefaultAccessController
Field Summary | |
---|---|
protected Logger |
logger
|
Method Summary | |
---|---|
void |
assertAuthorized(java.lang.Object key,
java.lang.Object runtimeParameter)
assertAuthorized executes the AccessControlRule
that is identified by key and listed in the
resources/ESAPI-AccessControlPolicy.xml file. |
void |
assertAuthorizedForData(java.lang.String action,
java.lang.Object data)
Checks if the current user is authorized to access the referenced data. |
void |
assertAuthorizedForFile(java.lang.String filepath)
Deprecated. |
void |
assertAuthorizedForFunction(java.lang.String functionName)
Checks if the current user is authorized to access the referenced function. |
void |
assertAuthorizedForService(java.lang.String serviceName)
Checks if the current user is authorized to access the referenced service. |
void |
assertAuthorizedForURL(java.lang.String url)
Checks if the current user is authorized to access the referenced URL. |
static AccessController |
getInstance()
|
boolean |
isAuthorized(java.lang.Object key,
java.lang.Object runtimeParameter)
isAuthorized executes the AccessControlRule
that is identified by key and listed in the
resources/ESAPI-AccessControlPolicy.xml file. |
boolean |
isAuthorizedForData(java.lang.String action,
java.lang.Object data)
Checks if the current user is authorized to access the referenced data, represented as an Object. |
boolean |
isAuthorizedForFile(java.lang.String filepath)
Checks if the current user is authorized to access the referenced file. |
boolean |
isAuthorizedForFunction(java.lang.String functionName)
Checks if the current user is authorized to access the referenced function. |
boolean |
isAuthorizedForService(java.lang.String serviceName)
Checks if the current user is authorized to access the referenced service. |
boolean |
isAuthorizedForURL(java.lang.String url)
Checks if the current user is authorized to access the referenced URL. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected final Logger logger
Method Detail |
---|
public static AccessController getInstance() throws AccessControlException
AccessControlException
public boolean isAuthorized(java.lang.Object key, java.lang.Object runtimeParameter)
isAuthorized
executes the AccessControlRule
that is identified by key
and listed in the
resources/ESAPI-AccessControlPolicy.xml
file. It returns
true if the AccessControlRule
decides that the operation
should be allowed. Otherwise, it returns false. Any exception thrown by
the AccessControlRule
must result in false. If
key
does not map to an AccessControlRule
, then
false is returned.
Developers should call isAuthorized to control execution flow. For
example, if you want to decide whether to display a UI widget in the
browser using the same logic that you will use to enforce permissions
on the server, then isAuthorized is the method that you want to use.
Typically, assertAuthorized should be used to enforce permissions on the
server.
isAuthorized
in interface AccessController
key
- key
maps to
<AccessControlPolicy><AccessControlRules>
<AccessControlRule name="key"
runtimeParameter
- runtimeParameter can contain anything that
the AccessControlRule needs from the runtime system.
true
if and only if the AccessControlRule specified
by key
exists and returned true
.
Otherwise returns false
public void assertAuthorized(java.lang.Object key, java.lang.Object runtimeParameter) throws AccessControlException
assertAuthorized
executes the AccessControlRule
that is identified by key
and listed in the
resources/ESAPI-AccessControlPolicy.xml
file. It does
nothing if the AccessControlRule
decides that the operation
should be allowed. Otherwise, it throws an
org.owasp.esapi.errors.AccessControlException
. Any exception
thrown by the AccessControlRule
will also result in an
AccesControlException
. If key
does not map to
an AccessControlRule
, then an AccessControlException
is thrown.
Developers should call assertAuthorized
to enforce privileged access to
the system. It should be used to answer the question: "Should execution
continue." Ideally, the call to assertAuthorized
should
be integrated into the application framework so that it is called
automatically.
assertAuthorized
in interface AccessController
key
- key
maps to
<AccessControlPolicy><AccessControlRules>
<AccessControlRule name="key"runtimeParameter
- runtimeParameter can contain anything that
the AccessControlRule needs from the runtime system.
AccessControlException
public void assertAuthorizedForData(java.lang.String action, java.lang.Object data) throws AccessControlException
Specification: The implementation should do the following:
assertAuthorizedForData
in interface AccessController
action
- The action to verify for an access control decision, such as a role, or an action being performed on the object
(e.g., Read, Write, etc.), or the name of the function the data is being passed to.data
- The actual object or object identifier being accessed or a reference to the object being accessed.
AccessControlException
- if access is not permittedpublic void assertAuthorizedForFile(java.lang.String filepath) throws AccessControlException
This method throws an AccessControlException if access is not authorized, or if the referenced File does not exist. If the User is authorized, this method simply returns.
Specification: The implementation should do the following:
assertAuthorizedForFile
in interface AccessController
filepath
- Path to the file to be checked
AccessControlException
- if access is deniedpublic void assertAuthorizedForFunction(java.lang.String functionName) throws AccessControlException
This method throws an AccessControlException if access is not authorized, or if the referenced function does not exist. If the User is authorized, this method simply returns.
Specification: The implementation should do the following:
assertAuthorizedForFunction
in interface AccessController
functionName
- the function name
AccessControlException
- if access is not permittedpublic void assertAuthorizedForService(java.lang.String serviceName) throws AccessControlException
This method throws an AccessControlException if access is not authorized, or if the referenced service does not exist. If the User is authorized, this method simply returns.
Specification: The implementation should do the following:
assertAuthorizedForService
in interface AccessController
serviceName
- the service name
AccessControlException
- if access is not permittedpublic void assertAuthorizedForURL(java.lang.String url) throws AccessControlException
ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI().toString());This method throws an AccessControlException if access is not authorized, or if the referenced URL does not exist. If the User is authorized, this method simply returns.
Specification: The implementation should do the following:
assertAuthorizedForURL
in interface AccessController
url
- the URL as returned by request.getRequestURI().toString()
AccessControlException
- if access is not permittedpublic boolean isAuthorizedForData(java.lang.String action, java.lang.Object data)
isAuthorizedForData
in interface AccessController
action
- The action to verify for an access control decision, such as a role, or an action being performed on the object
(e.g., Read, Write, etc.), or the name of the function the data is being passed to.data
- The actual object or object identifier being accessed or a reference to the object being accessed.
public boolean isAuthorizedForFile(java.lang.String filepath)
isAuthorizedForFile
in interface AccessController
filepath
- the path of the file to be checked, including filename
public boolean isAuthorizedForFunction(java.lang.String functionName)
isAuthorizedForFunction
in interface AccessController
functionName
- the name of the function
public boolean isAuthorizedForService(java.lang.String serviceName)
isAuthorizedForService
in interface AccessController
serviceName
- the service name
public boolean isAuthorizedForURL(java.lang.String url)
ESAPI.accessController().isAuthorizedForURL(request.getRequestURI().toString());The implementation of this method should call assertAuthorizedForURL(String url), and if an AccessControlException is not thrown, this method should return true. This way, if the user is not authorized, false would be returned, and the exception would be logged.
isAuthorizedForURL
in interface AccessController
url
- the URL as returned by request.getRequestURI().toString()
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |