wt.access
Class StandardAccessControlManager

java.lang.Object
  wt.services.StandardManager
      wt.access.StandardAccessControlManager

All Implemented Interfaces:

AccessControlManager, AccessControlManagerSvr, Manager, NetFactor, Serializable

public class StandardAccessControlManager

extends StandardManager

implements AccessControlManager, AccessControlManagerSvr, Serializable

The StandardAccessControlManager provides the standard implementation of a manager for access control. In addition to containing implementations for the methods in the AccessControlManager interface, it contains methods for maintenance of the ACL cache and auxiliary methods for ACL creation and maintenance.

Use the newStandardAccessControlManager static factory method(s), not the StandardAccessControlManager constructor, to construct instances of this class. Instances must be constructed using the static factory(s), in order to ensure proper initialization of the instance.

Supported API: true

Extendable: false

See Also:

Serialized Form

Nested Class Summary

(package private) class	StandardAccessControlManager.EventListener
(package private) class	StandardAccessControlManager.MultiEventListener

Field Summary

private static AclCache	aclCache
private static String	ADMIN_RESOURCE
private static String	CLASSNAME
private static boolean	enforce
private static String	ENTRY_KEY_SEQUENCE Name of the entry key sequence.
private static int[]	FROM_INDEX
private static String	POLICY_KEY
private static long	READ_MASK
private static String	RESOURCE
private static boolean	VALIDATE_ACCESS_CHECKS
private static boolean	VALIDATE_TRANSACTION
private static boolean	VERBOSE_EVENT
private static boolean	VERBOSE_EXECUTION
private static boolean	VERBOSE_POLICY

Fields inherited from class wt.services.StandardManager

Fields inherited from interface wt.services.Manager

MANAGER_SERVICE, STARTUP_AUTOMATIC, STARTUP_MANUAL, STATUS_EMERGENCY_SHUTDOWN, STATUS_EMERGENCY_SHUTTING_DOWN, STATUS_SHUTDOWN, STATUS_SHUTDOWN_ERRORS, STATUS_SHUTDOWN_FAILURE, STATUS_SHUTTING_DOWN, STATUS_STARTED, STATUS_STARTED_ERRORS, STATUS_STARTING_UP, STATUS_STARTUP_FAILURE

Constructor Summary

StandardAccessControlManager()

Method Summary

AdHocControlled	addPermission(AdHocControlled obj, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key) Adds an ad hoc access control rule granting a principal the specified permission to an object.
AdHocControlled	addPermission(AdHocControlled obj, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key, long owner_id) Adds an ad hoc access control rule granting a principal the specified permission to an object.
void	addPermission(WTCollection objects, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key) Adds an ad hoc access control rule for each of the objects in a collection, granting a principal the specified permission to the objects.
void	addPermission(WTCollection objects, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key, long owner_id) Adds an ad hoc access control rule for each of the objects in a collection, granting a principal the specified permission to the objects.
AdHocControlled	addPermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, AdHocAccessKey owner_key) Adds an ad hoc access control rule granting a principal the specified permissions to an object.
AdHocControlled	addPermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, AdHocAccessKey owner_key, long owner_id) Adds an ad hoc access control rule granting a principal the specified permissions to an object.
private AdHocControlled	addPermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, String owner)
void	addPermissions(WTCollection objects, WTPrincipalReference principal_ref, Collection permissions, AdHocAccessKey owner_key) Adds an ad hoc access control rule for each of the objects in a collection, granting a principal the specified permissions to the objects.
void	addPermissions(WTCollection objects, WTPrincipalReference principal_ref, Collection permissions, AdHocAccessKey owner_key, long owner_id) Adds an ad hoc access control rule for each of the objects in a collection, granting a principal the specified permissions to the objects.
private void	addPermissions(WTCollection objects, WTPrincipalReference principal_ref, Collection permissions, String owner)
void	checkAccess(AdminDomainRef domain_ref, String type_id, AccessPermission permission) Checks if the current principal has the given access permission over a given type in a given domain (irrespective of state).
boolean	checkAccess(Object object, AccessPermission permission) Determines whether the current principal has a given permission on a given object.
boolean	checkAccess(Object object, String permission) Deprecated.
void	checkAccess(WTCollection objects, AccessPermission permission) Determines whether the current principal has a given permission on a collection of objects.
private void	checkChangePermissions(WTCollection objects, long permission_mask)
private AclEntrySet	constructAclEntrySet(AccessSelector selector)
AdHocControlled	copyPermissions(AdHocControlled source, AdHocControlled target) Copies permissions from a source object to a target object.
AdHocControlled	copyPermissions(AdHocControlled source, AdHocControlled target, AdHocAccessKey owner_key) Copies permissions from a source object to a target object.
AdHocControlled	copyPermissions(AdHocControlled source, AdHocControlled target, AdHocAccessKey owner_key, long owner_id) Copies permissions from a source object to a target object.
private AdHocControlled	copyPermissions(AdHocControlled source, AdHocControlled target, String owner)
void	copyPermissions(AdHocControlled source, WTCollection targets, AdHocAccessKey owner_key) Copies permissions from a source object to a collection of target objects.
void	copyPermissions(AdHocControlled source, WTCollection targets, AdHocAccessKey owner_key, long owner_id) Copies permissions from a source object to a collection of target objects.
private void	copyPermissions(AdHocControlled source, WTCollection targets, String owner)
void	createAccessControlRule(AdminDomainRef domain_ref, String type_id, String state_key, WTPrincipalReference principal_ref, boolean grant, Vector permissions) Creates an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.
void	createAccessControlRule(AdminDomainRef domain_ref, String type_id, String state_key, WTPrincipalReference principal_ref, Vector grant_permissions, Vector deny_permissions) Creates an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.
void	createAllRule(AdminDomainRef domain_ref, String type_id, WTPrincipalReference principal_ref) To be used only by wt.admin.Install Supported API: false
private WTAclEntry	createPolicyEntry(boolean negative, WTPrincipalReference principal_ref, Vector permissions)
void	deleteAccessControlRule(AdminDomainRef domain_ref, String type_id, String state_key, WTPrincipalReference principal_ref) Deletes an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.
void	deleteAccessControlRules(AdminDomainRef domain_ref) Deletes all access control rules within a domain.
private void	deletePolicyAcls(AdminDomainRef domain_ref)
void	emitAccessEvent(String event_type, Object target, AccessPermission permission, WTMessage message) Emits an access control event of a given type.
ObjectVectorIfc	filterObjects(ObjectVectorIfc objects, AccessPermission permission) Given a set of objects, this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.
QueryResult	filterObjects(QueryResult objects, AccessPermission permission) Given a set of objects (stored as a QueryResult), this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.
QueryResult	filterObjects(QueryResult objects, String permission) Deprecated.
EnumeratorVector[]	getAccessControlRule(AdminDomainRef domain_ref, String type_id, String state_key, WTPrincipalReference principal_ref) Gets an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.
AccessPolicyRule	getAccessPolicyRule(AccessSelector selector) Returns the access policy rule for the specified selector.
Enumeration	getAccessPolicyRules(AdminDomainRef domain_ref) Returns all the access policy rules for the specified domain in the form of an enumeration.
private static AclCache	getAclCache()
private QueryResult	getAdHocEntries(AdHocControlled obj, WTPrincipalReference principal_ref)
private HashMap	getAdHocEntries(WTCollection objects, String owner)
private HashMap	getAdHocEntries(WTCollection objects, WTPrincipalReference principal_ref)
private HashMap	getAdHocEntries(WTCollection objects, WTPrincipalReference principal_ref, String owner)
private WTAclEntry	getAdHocEntry(AdHocControlled obj, WTPrincipalReference principal_ref, String owner)
String	getConceptualClassname() Deprecated.
private WTPrincipal	getCurrentPrincipal()
Enumeration	getEntries(AccessControlList obj) Returns an Enumeration of access control entries for an wt.access.AccessControlLink object.
private String	getObjectString(Object obj)
private HashMap	getPermissionMap(AdHocAclSpec specification, Map principalMap)
private HashMap	getPermissionMap(AdHocAclSpec specification, Map principalMap, String owner)
private long	getPermissionMask(WTPrincipal principal, AccessControlled object)
EnumeratorVector	getPermissions(AdHocControlled obj, WTPrincipalReference principal_ref, AdHocAccessKey owner_key) Returns the permissions (EnumeratorVector of AccessPermission) granted to a principal for an object, by an ad hoc access control rule with a specified owner.
EnumeratorVector	getPermissions(AdHocControlled obj, WTPrincipalReference principal_ref, AdHocAccessKey owner_key, long owner_id) Returns the permissions (EnumeratorVector of AccessPermission) granted to a principal for an object, by an ad hoc access control rule with a specified owner.
private EnumeratorVector	getPermissions(AdHocControlled obj, WTPrincipalReference principal_ref, String owner)
PolicyAcl	getPolicyAcl(AccessSelector selector) Returns the policy acl for the given selector.
private QueryResult	getPolicyEntries(AccessPolicyRule rule, WTPrincipalReference principal_ref)
private AclEntrySet	getPolicyEntrySet(AccessControlled object)
private AccessSelector	getRuleSelector(AdminDomainRef domain_ref, String type_id, String state_key)
Hashtable	getSurrogateAttributes(Class a_targetClass) Indicates which attributes are necessary for making the access control decision on an object of the given class.
boolean	hasAccess(Object object, AccessPermission permission) Determines whether the current principal has the given access permission over the object passed as argument.
boolean	hasAccess(Object object, String permission) Deprecated.
boolean	hasAccess(WTCollection objects, AccessPermission permission) Determines whether the current principal has the given access permission over the collection of objects passed as argument.
boolean	hasAccess(WTPrincipal user, Object object, AccessPermission permission) Determines whether the given principal has the given access permission over the object passed as argument.
boolean	hasAccess(WTPrincipal user, Object object, String permission) Deprecated.
boolean	hasAccess(WTPrincipal user, String type_id, AdminDomainRef domain_ref, State state, AccessPermission permission) Determines whether the given principal has the given access permission over a given type in a given domain and state.
boolean	hasAccess(WTPrincipal user, String type_id, AdminDomainRef domain_ref, State state, String permission) Deprecated.
boolean	hasAccess(WTPrincipal principal, WTCollection objects, AccessPermission permission) Determines whether the given principal has the given access permission over the collection of objects passed as argument.
private boolean	hasAccess(WTPrincipal principal, WTCollection objects, AccessPermission permission, boolean check_all)
private boolean	hasSurrogateAccess(WTPrincipal user, AccessControlSurrogate surrogate, AccessPermission permission)
private void	logNotAuthorized(AdHocControlled object, WTPrincipal principal, long principal_permissions, long change_permissions)
private void	logNotAuthorized(Object object, WTPrincipal principal, AccessPermission permission)
static StandardAccessControlManager	newStandardAccessControlManager() Default factory for the class.
protected void	performStartupProcess() Dummy method to be overridden by subclasses.
void	reassignPermissions(AdHocControlled obj, WTPrincipalReference old_principal_ref, WTPrincipalReference new_principal_ref, AdHocAccessKey owner_key) Reassigns permissions a principal has for an object to another principal, for all ad hoc access control rules with the specified owner.
void	reassignPermissions(AdHocControlled obj, WTPrincipalReference old_principal_ref, WTPrincipalReference new_principal_ref, AdHocAccessKey owner_key, long owner_id) Reassigns permissions a principal has for an object to another principal, for all ad hoc access control rules with the specified owner.
private void	reassignPermissions(AdHocControlled obj, WTPrincipalReference old_principal_ref, WTPrincipalReference new_principal_ref, String owner)
AdHocControlled	removePermission(AdHocControlled obj, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key) Removes the specified permission from the set of permissions granted to a principal for an object.
AdHocControlled	removePermission(AdHocControlled obj, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key, long owner_id) Removes the specified permission from the set of permissions granted to a principal for an object.
void	removePermission(WTCollection objects, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key) Removes the specified permission from the set of permissions granted to a principal for each of the objects in a collection.
void	removePermission(WTCollection objects, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key, long owner_id) Removes the specified permission from the set of permissions granted to a principal for each of the objects in a collection.
AdHocControlled	removePermissions(AdHocControlled obj, AdHocAccessKey owner_key) Removes all ad hoc access control rules with the specified owner.
AdHocControlled	removePermissions(AdHocControlled obj, AdHocAccessKey owner_key, long owner_id) Removes all ad hoc access control rules with the specified owner.
private AdHocControlled	removePermissions(AdHocControlled obj, String owner)
AdHocControlled	removePermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, AdHocAccessKey owner_key) Removes the specified permissions from the set of permissions granted to a principal for an object.
AdHocControlled	removePermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, AdHocAccessKey owner_key, long owner_id) Removes the specified permissions from the set of permissions granted to a principal for an object.
private AdHocControlled	removePermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, String owner)
void	removePermissions(WTCollection objects, WTPrincipalReference principal_ref, Collection permissions, AdHocAccessKey owner_key) Removes the specified permissions from the set of permissions granted to a principal for an object.
void	removePermissions(WTCollection objects, WTPrincipalReference principal_ref, Collection permissions, AdHocAccessKey owner_key, long owner_id) Removes the specified permissions from the set of permissions granted to a principal for each of the objects in a collection.
private void	removePermissions(WTCollection objects, WTPrincipalReference principal_ref, Collection permissions, String owner)
private AdHocControlled	replacePermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, String owner)
AdHocControlled	setPermission(AdHocControlled obj, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key) Adds an ad hoc access control rule granting a principal the specified permission to an object.
AdHocControlled	setPermission(AdHocControlled obj, WTPrincipalReference principal_ref, AccessPermission permission, AdHocAccessKey owner_key, long owner_id) Adds an ad hoc access control rule granting a principal the specified permission to an object.
void	setPermissions(AdHocControlled obj, AdHocAclSpec specification, WTRoleHolder2 role_holder, AdHocAccessKey owner_key) Creates ad hoc access control rules granting principals permissions to an object, based on an ad hoc access specification (AdHocAclSpec).
AdHocControlled	setPermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, AdHocAccessKey owner_key) Deprecated.
AdHocControlled	setPermissions(AdHocControlled obj, WTPrincipalReference principal_ref, Vector permissions, AdHocAccessKey owner_key, long owner_id) Adds an ad hoc access control rule granting a principal the specified permissions to an object.
void	setPermissions(List objects, List specifications, List principal_maps, AdHocAccessKey owner_key) Creates ad hoc access control rules granting principals permissions to objects, based on an ad hoc access specification (AdHocAclSpec) and a role to principal mapping.
String	showPermissions(AdHocControlled obj) Returns a string representation of the ad hoc access control rules for the specified object.
void	updateAccessControlRule(AdminDomainRef domain_ref, String type_id, String state_key, WTPrincipalReference principal_ref, boolean grant, Vector permissions) Updates an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.
void	updateAccessControlRule(AdminDomainRef domain_ref, String type_id, String state_key, WTPrincipalReference principal_ref, Vector grant_permissions, Vector deny_permissions) Updates an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.
private void	updateAdHocAcl(AdHocControlled persisted_object)
private void	updateAdHocAcl(AdHocControlled obj, WTPrincipalReference principal_ref)
private void	updateAdHocAcls(WTCollection objects, WTPrincipalReference principal_ref)
private void	updateAdHocAcls(WTSet persisted_objects)
private void	updatePolicyAcl(PolicyAcl acl)
private void	updatePolicyAcls(AccessSelector selector)
private void	updatePolicyAcls(AdminDomainRef domain_ref)

Methods inherited from class wt.services.StandardManager

emergencyShutdown, emergencyShutdownComplete, emergencyShuttingDown, getClassInfo, getManagerService, getManagerStatus, getName, getStartupType, init, initialize, initialize, isStarted, newStandardManager, newStandardManager, performEmergencyShutdownProcess, performShutdownProcess, registerEvents, setManagerService, shutdown, shutdownFailure, shutdownSuccess, shuttingDown, started, startedErrors, startingUp, startup, startupFailure, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

RESOURCE

private static final String RESOURCE

See Also:

Constant Field Values

CLASSNAME

private static final String CLASSNAME

aclCache

private static AclCache aclCache

enforce

private static boolean enforce

ENTRY_KEY_SEQUENCE

private static final String ENTRY_KEY_SEQUENCE

Name of the entry key sequence.

See Also:

Constant Field Values

POLICY_KEY

private static final String POLICY_KEY

See Also:

Constant Field Values

ADMIN_RESOURCE

private static final String ADMIN_RESOURCE

See Also:

Constant Field Values

READ_MASK

private static final long READ_MASK

FROM_INDEX

private static final int[] FROM_INDEX

VERBOSE_POLICY

private static boolean VERBOSE_POLICY

VERBOSE_EVENT

private static boolean VERBOSE_EVENT

VERBOSE_EXECUTION

private static boolean VERBOSE_EXECUTION

VALIDATE_ACCESS_CHECKS

private static boolean VALIDATE_ACCESS_CHECKS

VALIDATE_TRANSACTION

private static boolean VALIDATE_TRANSACTION

Constructor Detail

StandardAccessControlManager

public StandardAccessControlManager()

Method Detail

getConceptualClassname

public String getConceptualClassname()

Deprecated.

Returns the conceptual (modeled) name for the class.

Supported API: false

Specified by:

getConceptualClassname in interface NetFactor

Overrides:

getConceptualClassname in class StandardManager

Returns:

String

newStandardAccessControlManager

public static StandardAccessControlManager newStandardAccessControlManager()
                                                                    throws WTException

Default factory for the class.

Supported API: false

Returns:

StandardAccessControlManager

Throws:

WTException

checkAccess

public boolean checkAccess(Object object,
                           AccessPermission permission)
                    throws WTException

Determines whether the current principal has a given permission on a given object. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

Supported API: true

Specified by:

checkAccess in interface AccessControlManager

Parameters:

object -

permission -

Returns:

boolean

Throws:

WTException

checkAccess

public void checkAccess(WTCollection objects,
                        AccessPermission permission)
                 throws WTException

Determines whether the current principal has a given permission on a collection of objects. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

Supported API: false

Specified by:

checkAccess in interface AccessControlManager

Parameters:

objects -

permission -

Throws:

WTException

checkAccess

public boolean checkAccess(Object object,
                           String permission)
                    throws WTException

Deprecated.

Determines whether the current principal has a given permission on a given object. Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

Supported API: true

Specified by:

checkAccess in interface AccessControlManager

Parameters:

object -

permission -

Returns:

boolean

Throws:

WTException

See Also:

checkAccess(Object object, AccessPermission permission)

checkAccess

public void checkAccess(AdminDomainRef domain_ref,
                        String type_id,
                        AccessPermission permission)
                 throws WTException

Checks if the current principal has the given access permission over a given type in a given domain (irrespective of state). Emits the AccessControlEvent.NOT_AUTHORIZED event for auditing purposes and throws a NotAuthorizedException if this is not the case.

The access is evaluated only taking into account access policies. For a specific object this is only part of the answer as the object may be ad hoc controlled and have an ad hoc ACL that provides additional access rights.

Supported API: false

Specified by:

checkAccess in interface AccessControlManager

Parameters:

domain_ref -

type_id -

permission -

Throws:

WTException

hasAccess

public boolean hasAccess(Object object,
                         AccessPermission permission)
                  throws WTException

Determines whether the current principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

object -

permission -

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(WTCollection objects,
                         AccessPermission permission)
                  throws WTException

Determines whether the current principal has the given access permission over the collection of objects passed as argument. Returns true if this is the case, false otherwise.

Supported API: false

Specified by:

hasAccess in interface AccessControlManager

Parameters:

objects -

permission -

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(Object object,
                         String permission)
                  throws WTException

Deprecated.

Determines whether the current principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

object -

permission -

Returns:

boolean

Throws:

WTException

See Also:

hasAccess(Object object, AccessPermission permission)

hasAccess

public boolean hasAccess(WTPrincipal user,
                         Object object,
                         AccessPermission permission)
                  throws WTException

Determines whether the given principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

user -

object -

permission -

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(WTPrincipal principal,
                         WTCollection objects,
                         AccessPermission permission)
                  throws WTException

Determines whether the given principal has the given access permission over the collection of objects passed as argument. Returns true if this is the case, false otherwise.

Supported API: false

Specified by:

hasAccess in interface AccessControlManager

Parameters:

principal -

objects -

permission -

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(WTPrincipal user,
                         Object object,
                         String permission)
                  throws WTException

Deprecated.

Determines whether the given principal has the given access permission over the object passed as argument. Returns true if this is the case, false otherwise.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

user -

object -

permission -

Returns:

boolean

Throws:

WTException

See Also:

hasAccess(WTPrincipal user, Object object, AccessPermission permission)

hasAccess

public boolean hasAccess(WTPrincipal user,
                         String type_id,
                         AdminDomainRef domain_ref,
                         State state,
                         AccessPermission permission)
                  throws WTException

Determines whether the given principal has the given access permission over a given type in a given domain and state. Returns true if this is the case, false otherwise. The access is evaluated only taking into account access policies. For a specific object this is only part of the answer as the object may be ad hoc controlled and have an ad hoc ACL that provides additional access rights.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

user -

type_id -

domain_ref -

state -

permission -

Returns:

boolean

Throws:

WTException

hasAccess

public boolean hasAccess(WTPrincipal user,
                         String type_id,
                         AdminDomainRef domain_ref,
                         State state,
                         String permission)
                  throws WTException

Deprecated.

Determines whether the given principal has the given access permission over a given type in a given domain and state. Returns true if this is the case, false otherwise. The access is evaluated only taking into account access policies. For a specific object this is only part of the answer as the object may be ad hoc controlled and have an ad hoc ACL that provides additional access rights.

Supported API: true

Specified by:

hasAccess in interface AccessControlManager

Parameters:

user -

type_id -

domain_ref -

state -

permission -

Returns:

boolean

Throws:

WTException

See Also:

hasAccess(WTPrincipal user, String type_id, AdminDomainRef domain_ref, State state, AccessPermission permission)

filterObjects

public ObjectVectorIfc filterObjects(ObjectVectorIfc objects,
                                     AccessPermission permission)
                              throws WTException

Given a set of objects, this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.

This method can be used to filter out objects for which the user has no read access after a query is performed.

Supported API: true

Specified by:

filterObjects in interface AccessControlManager

Parameters:

objects -

permission -

Returns:

ObjectVectorIfc

Throws:

WTException

filterObjects

public QueryResult filterObjects(QueryResult objects,
                                 AccessPermission permission)
                          throws WTException

Given a set of objects (stored as a QueryResult), this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.

This method can be used to filter out objects for which the user has no read access after a database query is performed.

Supported API: true

Specified by:

filterObjects in interface AccessControlManager

Parameters:

objects -

permission -

Returns:

QueryResult

Throws:

WTException

filterObjects

public QueryResult filterObjects(QueryResult objects,
                                 String permission)
                          throws WTException

Deprecated.

Given a set of objects (stored as a QueryResult), this method constructs and returns a new set containing only objects where the current principal is granted the permission to these objects.

This method can be used to filter out objects for which the user has no read access after a database query is performed.

Supported API: true

Specified by:

filterObjects in interface AccessControlManager

Parameters:

objects -

permission -

Returns:

QueryResult

Throws:

WTException

See Also:

filterObjects(QueryResult objects, AccessPermission permission)

createAccessControlRule

public void createAccessControlRule(AdminDomainRef domain_ref,
                                    String type_id,
                                    String state_key,
                                    WTPrincipalReference principal_ref,
                                    Vector grant_permissions,
                                    Vector deny_permissions)
                             throws WTException

Creates an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.

Supported API: false

Specified by:

createAccessControlRule in interface AccessControlManager

Parameters:

domain_ref - reference to the domain the rule is for

type_id - logical or persisted type identifier

state_key - life cycle state key (State.toString() value, or null for all states)

principal_ref - reference to a principal

grant_permissions - Vector of permissions (AccessPermission) to grant

deny_permissions - Vector of permissions (AccessPermission) to deny

Throws:

WTException

See Also:

AccessPermission

createAccessControlRule

public void createAccessControlRule(AdminDomainRef domain_ref,
                                    String type_id,
                                    String state_key,
                                    WTPrincipalReference principal_ref,
                                    boolean grant,
                                    Vector permissions)
                             throws WTException

Creates an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.

Supported API: false

Specified by:

createAccessControlRule in interface AccessControlManager

Parameters:

domain_ref - reference to the domain the rule is for

type_id - logical or persisted type identifier

state_key - life cycle state key (State.toString() value, or null for all states)

principal_ref - reference to a principal

grant - true = grant, false = deny

permissions - Vector of permissions (AccessPermission)

Throws:

WTException

See Also:

AccessPermission

deleteAccessControlRule

public void deleteAccessControlRule(AdminDomainRef domain_ref,
                                    String type_id,
                                    String state_key,
                                    WTPrincipalReference principal_ref)
                             throws WTException

Deletes an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain. Deletes any permissions granted and any permissions denied to the principal.

Supported API: false

Specified by:

deleteAccessControlRule in interface AccessControlManager

Parameters:

domain_ref - reference to the domain the rule is for

type_id - logical or persisted type identifier

state_key - life cycle state key (State.toString() value, or null for all states)

principal_ref - reference to a principal

Throws:

WTException

deleteAccessControlRules

public void deleteAccessControlRules(AdminDomainRef domain_ref)
                              throws WTException

Deletes all access control rules within a domain.

This method is intended for testing purposes only, to support automated tests that need to reinitialize the testing environment.

Supported API: false

Specified by:

deleteAccessControlRules in interface AccessControlManager

Parameters:

domain_ref - reference to the domain the rule is for

Throws:

WTException

getAccessControlRule

public EnumeratorVector[] getAccessControlRule(AdminDomainRef domain_ref,
                                               String type_id,
                                               String state_key,
                                               WTPrincipalReference principal_ref)
                                        throws WTException

Gets an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain. Returns an EnumeratorVector array where the first element contains any permissions granted and the second element contains any permissions denied to the principal.

Supported API: false

Specified by:

getAccessControlRule in interface AccessControlManager

Parameters:

domain_ref - reference to the domain the rule is for

type_id - logical or persisted type identifier

state_key - life cycle state key (State.toString() value, or null for all states)

principal_ref - reference to a principal

Returns:

EnumeratorVector[]

Throws:

WTException

updateAccessControlRule

public void updateAccessControlRule(AdminDomainRef domain_ref,
                                    String type_id,
                                    String state_key,
                                    WTPrincipalReference principal_ref,
                                    Vector grant_permissions,
                                    Vector deny_permissions)
                             throws WTException

Updates an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.

Supported API: false

Specified by:

updateAccessControlRule in interface AccessControlManager

Parameters:

domain_ref - reference to the domain the rule is for

type_id - logical or persisted type identifier

state_key - life cycle state key (State.toString() value, or null for all states)

principal_ref - reference to a principal

grant_permissions - Vector of permissions (AccessPermission) to grant

deny_permissions - Vector of permissions (AccessPermission) to deny

Throws:

WTException

See Also:

AccessPermission

updateAccessControlRule

public void updateAccessControlRule(AdminDomainRef domain_ref,
                                    String type_id,
                                    String state_key,
                                    WTPrincipalReference principal_ref,
                                    boolean grant,
                                    Vector permissions)
                             throws WTException

Updates an access control rule defining the rights of a principal to access objects of a specified type and state, within a domain.

Supported API: false

Specified by:

updateAccessControlRule in interface AccessControlManager

Parameters:

domain_ref - reference to the domain the rule is for

type_id - logical or persisted type identifier

state_key - life cycle state key (State.toString() value, or null for all states)

principal_ref - reference to a principal

grant - true = grant, false = deny

permissions - Vector of permissions (AccessPermission)

Throws:

WTException

See Also:

AccessPermission

getPolicyAcl

public PolicyAcl getPolicyAcl(AccessSelector selector)
                       throws WTException

Returns the policy acl for the given selector.

Supported API: false

Specified by:

getPolicyAcl in interface AccessControlManager

Parameters:

selector -

Returns:

PolicyAcl

Throws:

WTException

getAccessPolicyRule

public AccessPolicyRule getAccessPolicyRule(AccessSelector selector)
                                     throws WTException

Returns the access policy rule for the specified selector. Returns null if the rule doesn't exist.

Supported API: false

Specified by:

getAccessPolicyRule in interface AccessControlManager

Parameters:

selector -

Returns:

AccessPolicyRule

Throws:

WTException

getAccessPolicyRules

public Enumeration getAccessPolicyRules(AdminDomainRef domain_ref)
                                 throws WTException

Returns all the access policy rules for the specified domain in the form of an enumeration.

Supported API: false

Specified by:

getAccessPolicyRules in interface AccessControlManager

Parameters:

domain_ref -

Returns:

Enumeration

Throws:

WTException

getSurrogateAttributes

public Hashtable getSurrogateAttributes(Class a_targetClass)
                                 throws WTException

Indicates which attributes are necessary for making the access control decision on an object of the given class. For example, when making a policy access control decision for a LifeCycleManaged object, the object's state attribute must be checked. The returned attributes are in the form of a Hashtable where the keys are the surrogate column descriptor names and the values are the associated target class column descriptor names.

Supported API: false

Specified by:

getSurrogateAttributes in interface AccessControlManager

Parameters:

a_targetClass -

Returns:

Hashtable

Throws:

WTException

addPermission

public AdHocControlled addPermission(AdHocControlled obj,
                                     WTPrincipalReference principal_ref,
                                     AccessPermission permission,
                                     AdHocAccessKey owner_key)
                              throws WTException

Adds an ad hoc access control rule granting a principal the specified permission to an object. If a rule with the specified owner already exists for the principal, the permission is added to the set of permissions already granted. If the principal already has the specified permission, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

addPermission in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permission - permission to be granted

owner_key - key identifying the rule's owner

Returns:

AdHocControlled

Throws:

WTException

addPermission

public AdHocControlled addPermission(AdHocControlled obj,
                                     WTPrincipalReference principal_ref,
                                     AccessPermission permission,
                                     AdHocAccessKey owner_key,
                                     long owner_id)
                              throws WTException

Adds an ad hoc access control rule granting a principal the specified permission to an object. If a rule with the specified owner already exists for the principal, the permission is added to the set of permissions already granted. If the principal already has the specified permission, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

addPermission in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permission - permission to be granted

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Returns:

AdHocControlled

Throws:

WTException

addPermissions

public AdHocControlled addPermissions(AdHocControlled obj,
                                      WTPrincipalReference principal_ref,
                                      Vector permissions,
                                      AdHocAccessKey owner_key)
                               throws WTException

Adds an ad hoc access control rule granting a principal the specified permissions to an object. If a rule with the specified owner already exists for the principal, the permissions are added to the set of permissions already granted. If the principal already has the specified permissions, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

addPermissions in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permissions - permissions to be granted (Vector of AccessPermission)

owner_key - key identifying the rule's owner

Returns:

AdHocControlled

Throws:

WTException

addPermissions

public AdHocControlled addPermissions(AdHocControlled obj,
                                      WTPrincipalReference principal_ref,
                                      Vector permissions,
                                      AdHocAccessKey owner_key,
                                      long owner_id)
                               throws WTException

Adds an ad hoc access control rule granting a principal the specified permissions to an object. If a rule with the specified owner already exists for the principal, the permissions are added to the set of permissions already granted. If the principal already has the specified permissions, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

addPermissions in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permissions - permissions to be granted (Vector of AccessPermission)

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Returns:

AdHocControlled

Throws:

WTException

copyPermissions

public AdHocControlled copyPermissions(AdHocControlled source,
                                       AdHocControlled target,
                                       AdHocAccessKey owner_key)
                                throws WTException

Copies permissions from a source object to a target object. Only those enabled ad hoc access control rules with the specified owner are copied. If rules with the owner already exist for the target object, the copied permissions replace any previously granted. If the source and target objects have no ad hoc rules, this method returns without making any changes.

Note: The source object must be persistent. If the target object is persistent, this method must be called from within a transaction that includes an update to the target object.

Supported API: false

Specified by:

copyPermissions in interface AccessControlManager

Parameters:

source - source object

target - target object

owner_key - key identifying the rule's owner

Returns:

AdHocControlled

Throws:

WTException

copyPermissions

public AdHocControlled copyPermissions(AdHocControlled source,
                                       AdHocControlled target,
                                       AdHocAccessKey owner_key,
                                       long owner_id)
                                throws WTException

Copies permissions from a source object to a target object. Only those enabled ad hoc access control rules with the specified owner are copied. If rules with the owner already exist for the target object, the copied permissions replace any previously granted. If the source and target objects have no ad hoc rules, this method returns without making any changes.

Note: The source object must be persistent. If the target object is persistent, this method must be called from within a transaction that includes an update to the target object.

Supported API: false

Specified by:

copyPermissions in interface AccessControlManager

Parameters:

source - source object

target - target object

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Returns:

AdHocControlled

Throws:

WTException

getPermissions

public EnumeratorVector getPermissions(AdHocControlled obj,
                                       WTPrincipalReference principal_ref,
                                       AdHocAccessKey owner_key)
                                throws WTException

Returns the permissions (EnumeratorVector of AccessPermission) granted to a principal for an object, by an ad hoc access control rule with a specified owner.

Supported API: false

Specified by:

getPermissions in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal whose permissions are to be returned

owner_key - key identifying the rule's owner

Returns:

EnumeratorVector

Throws:

WTException

getPermissions

public EnumeratorVector getPermissions(AdHocControlled obj,
                                       WTPrincipalReference principal_ref,
                                       AdHocAccessKey owner_key,
                                       long owner_id)
                                throws WTException

Returns the permissions (EnumeratorVector of AccessPermission) granted to a principal for an object, by an ad hoc access control rule with a specified owner.

Supported API: false

Specified by:

getPermissions in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal whose permissions are to be returned

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Returns:

EnumeratorVector

Throws:

WTException

removePermission

public AdHocControlled removePermission(AdHocControlled obj,
                                        WTPrincipalReference principal_ref,
                                        AccessPermission permission,
                                        AdHocAccessKey owner_key)
                                 throws WTException

Removes the specified permission from the set of permissions granted to a principal for an object. If AccessPermission.ALL is specified, all permissions are removed. If no permissions remain, the ad hoc access control rule for the principal is removed. The permission is only removed from a rule with the specified owner. If there is no matching rule, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

removePermission in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permission - permission to be removed

owner_key - key identifying the rule's owner

Returns:

AdHocControlled

Throws:

WTException

removePermission

public AdHocControlled removePermission(AdHocControlled obj,
                                        WTPrincipalReference principal_ref,
                                        AccessPermission permission,
                                        AdHocAccessKey owner_key,
                                        long owner_id)
                                 throws WTException

Removes the specified permission from the set of permissions granted to a principal for an object. If AccessPermission.ALL is specified, all permissions are removed. If no permissions remain, the ad hoc access control rule for the principal is removed. The permission is only removed from a rule with the specified owner. If there is no matching rule, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

removePermission in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permission - permission to be removed

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Returns:

AdHocControlled

Throws:

WTException

removePermissions

public AdHocControlled removePermissions(AdHocControlled obj,
                                         WTPrincipalReference principal_ref,
                                         Vector permissions,
                                         AdHocAccessKey owner_key)
                                  throws WTException

Removes the specified permissions from the set of permissions granted to a principal for an object. If AccessPermission.ALL is specified, all permissions are removed. If no permissions remain, the ad hoc access control rule for the principal is removed. The permissions are only removed from a rule with the specified owner. If there is no matching rule, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

removePermissions in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permissions - permissions to be removed (Vector of AccessPermission)

owner_key - key identifying the rule's owner

Returns:

AdHocControlled

Throws:

WTException

removePermissions

public AdHocControlled removePermissions(AdHocControlled obj,
                                         WTPrincipalReference principal_ref,
                                         Vector permissions,
                                         AdHocAccessKey owner_key,
                                         long owner_id)
                                  throws WTException

Removes the specified permissions from the set of permissions granted to a principal for an object. If AccessPermission.ALL is specified, all permissions are removed. If no permissions remain, the ad hoc access control rule for the principal is removed. The permissions are only removed from a rule with the specified owner. If there is no matching rule, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

removePermissions in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permissions - permissions to be removed (Vector of AccessPermission)

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Returns:

AdHocControlled

Throws:

WTException

removePermissions

public AdHocControlled removePermissions(AdHocControlled obj,
                                         AdHocAccessKey owner_key)
                                  throws WTException

Removes all ad hoc access control rules with the specified owner. If there is no matching rule, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

removePermissions in interface AccessControlManager

Parameters:

obj - object the rules are for

owner_key - key identifying the rules' owner

Returns:

AdHocControlled

Throws:

WTException

removePermissions

public AdHocControlled removePermissions(AdHocControlled obj,
                                         AdHocAccessKey owner_key,
                                         long owner_id)
                                  throws WTException

Removes all ad hoc access control rules with the specified owner. If there is no matching rule, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

removePermissions in interface AccessControlManager

Parameters:

obj - object the rules are for

owner_key - key identifying the rules' owner

owner_id - identifier used by the rules' owner to qualify the key

Returns:

AdHocControlled

Throws:

WTException

setPermission

public AdHocControlled setPermission(AdHocControlled obj,
                                     WTPrincipalReference principal_ref,
                                     AccessPermission permission,
                                     AdHocAccessKey owner_key)
                              throws WTException

Adds an ad hoc access control rule granting a principal the specified permission to an object. If a rule with the specified owner already exists for the principal, the permission replaces the set of permissions previously granted. If the principal already has the specified permission and only that permission, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

setPermission in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permission - permission to be granted

owner_key - key identifying the rule's owner

Returns:

AdHocControlled

Throws:

WTException

setPermission

public AdHocControlled setPermission(AdHocControlled obj,
                                     WTPrincipalReference principal_ref,
                                     AccessPermission permission,
                                     AdHocAccessKey owner_key,
                                     long owner_id)
                              throws WTException

Adds an ad hoc access control rule granting a principal the specified permission to an object. If a rule with the specified owner already exists for the principal, the permission replaces the set of permissions previously granted. If the principal already has the specified permission and only that permission, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

setPermission in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permission - permission to be granted

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Returns:

AdHocControlled

Throws:

WTException

setPermissions

public AdHocControlled setPermissions(AdHocControlled obj,
                                      WTPrincipalReference principal_ref,
                                      Vector permissions,
                                      AdHocAccessKey owner_key)
                               throws WTException

Deprecated.

Adds an ad hoc access control rule granting a principal the specified permissions to an object. If a rule with the specified owner already exists for the principal, the permissions replace the set of permissions previously granted. If the principal already has the specified permissions and only those permissions, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

setPermissions in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permissions - permissions to be granted (Vector of AccessPermission)

owner_key - key identifying the rule's owner

Returns:

AdHocControlled

Throws:

WTException

See Also:

setPermissions(List objects, List specifications, List principal_maps, AdHocAccessKey owner_key)

setPermissions

public AdHocControlled setPermissions(AdHocControlled obj,
                                      WTPrincipalReference principal_ref,
                                      Vector permissions,
                                      AdHocAccessKey owner_key,
                                      long owner_id)
                               throws WTException

Adds an ad hoc access control rule granting a principal the specified permissions to an object. If a rule with the specified owner already exists for the principal, the permissions are added to the set of permissions already granted. If the principal already has the specified permissions, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

setPermissions in interface AccessControlManager

Parameters:

obj - object the rule is for

principal_ref - principal the permission applies to

permissions - permissions to be granted (Vector of AccessPermission)

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Returns:

AdHocControlled

Throws:

WTException

showPermissions

public String showPermissions(AdHocControlled obj)
                       throws WTException

Returns a string representation of the ad hoc access control rules for the specified object.

Supported API: false

Specified by:

showPermissions in interface AccessControlManager

Parameters:

obj - object to return rules for

Returns:

String

Throws:

WTException

getEntries

public Enumeration getEntries(AccessControlList obj)
                       throws WTException

Returns an Enumeration of access control entries for an wt.access.AccessControlLink object. All enabled entries are returned.

Supported API: false

Specified by:

getEntries in interface AccessControlManager

Parameters:

obj - object with a list of WTAclEntry objects

Returns:

Enumeration

Throws:

WTException

emitAccessEvent

public void emitAccessEvent(String event_type,
                            Object target,
                            AccessPermission permission,
                            WTMessage message)
                     throws WTException

Emits an access control event of a given type. Also passed as argument are the target object, the permisison and the message issued in case of not authorized events.

Supported API: false

Specified by:

emitAccessEvent in interface AccessControlManager

Parameters:

event_type -

target -

permission -

message -

Throws:

WTException

createAllRule

public void createAllRule(AdminDomainRef domain_ref,
                          String type_id,
                          WTPrincipalReference principal_ref)
                   throws WTException

To be used only by wt.admin.Install

Supported API: false

Specified by:

createAllRule in interface AccessControlManagerSvr

Parameters:

domain_ref -

type_id -

principal_ref -

Throws:

WTException

addPermission

public void addPermission(WTCollection objects,
                          WTPrincipalReference principal_ref,
                          AccessPermission permission,
                          AdHocAccessKey owner_key)
                   throws WTException

Adds an ad hoc access control rule for each of the objects in a collection, granting a principal the specified permission to the objects. If a rule with the specified owner already exists for the principal, the permission is added to the set of permissions already granted to the object. If the principal already has the specified permission to an object in the collection, this method returns without making any changes to the object.

Note: If the objects in the collection are persistent, this method must be called from within a transaction that includes an update to the objects.

Supported API: false

Specified by:

addPermission in interface AccessControlManagerSvr

Parameters:

objects - objects the rules are for

principal_ref - principal the permission applies to

permission - permission to be granted

owner_key - key identifying the rule's owner

Throws:

WTException

addPermission

public void addPermission(WTCollection objects,
                          WTPrincipalReference principal_ref,
                          AccessPermission permission,
                          AdHocAccessKey owner_key,
                          long owner_id)
                   throws WTException

Adds an ad hoc access control rule for each of the objects in a collection, granting a principal the specified permission to the objects. If a rule with the specified owner already exists for the principal, the permission is added to the set of permissions already granted to the object. If the principal already has the specified permission to an object in the collection, this method returns without making any changes to the object.

Note: If the objects in the collection are persistent, this method must be called from within a transaction that includes an update to the objects.

Supported API: false

Specified by:

addPermission in interface AccessControlManagerSvr

Parameters:

objects - objects the rules are for

principal_ref - principal the permission applies to

permission - permission to be granted

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Throws:

WTException

addPermissions

public void addPermissions(WTCollection objects,
                           WTPrincipalReference principal_ref,
                           Collection permissions,
                           AdHocAccessKey owner_key)
                    throws WTException

Adds an ad hoc access control rule for each of the objects in a collection, granting a principal the specified permissions to the objects. If a rule with the specified owner already exists for the principal, the permissions are added to the set of permissions already granted to the object. If the principal already has the specified permissions to an object in the collection, this method returns without making any changes to the object.

Note: If the objects in the collection are persistent, this method must be called from within a transaction that includes an update to the objects.

Supported API: false

Specified by:

addPermissions in interface AccessControlManagerSvr

Parameters:

objects - objects the rules are for

principal_ref - principal the permission applies to

permissions - permissions to be granted (Collection of AccessPermission)

owner_key - key identifying the rule's owner

Throws:

WTException

addPermissions

public void addPermissions(WTCollection objects,
                           WTPrincipalReference principal_ref,
                           Collection permissions,
                           AdHocAccessKey owner_key,
                           long owner_id)
                    throws WTException

Adds an ad hoc access control rule for each of the objects in a collection, granting a principal the specified permissions to the objects. If a rule with the specified owner already exists for the principal, the permissions are added to the set of permissions already granted to the object. If the principal already has the specified permissions to an object in the collection, this method returns without making any changes to the object.

Note: If the objects in the collection are persistent, this method must be called from within a transaction that includes an update to the objects.

Supported API: false

Specified by:

addPermissions in interface AccessControlManagerSvr

Parameters:

objects - objects the rules are for

principal_ref - principal the permission applies to

permissions - permissions to be granted (Collection of AccessPermission)

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Throws:

WTException

copyPermissions

public AdHocControlled copyPermissions(AdHocControlled source,
                                       AdHocControlled target)
                                throws WTException

Copies permissions from a source object to a target object. The source object must be persistent. All ad hoc access control rules granting principals permissions are copied (that is, rules with all owners). If rules already exist for the target object, the copied permissions replace any previously granted. If the source object has no ad hoc rules, this method returns without making any changes. This method bypasses access control checks.

Note: This method is to be used for duplicating permissions when creating a new object based on another object (for example, checking in a new iteration of a RevisionControlled object). It must be called from within a transaction that includes an update to the target object.

Supported API: false

Specified by:

copyPermissions in interface AccessControlManagerSvr

Parameters:

source - source object

target - target object

Returns:

AdHocControlled

Throws:

WTException

copyPermissions

public void copyPermissions(AdHocControlled source,
                            WTCollection targets,
                            AdHocAccessKey owner_key)
                     throws WTException

Copies permissions from a source object to a collection of target objects. Only those enabled ad hoc access control rules with the specified owner are copied. If rules with the owner already exist for the target objects, the copied permissions replace any previously granted. If the source object has no ad hoc rules, this method returns without making any changes.

Note: The source object must be persistent. If the target objects are persistent, this method must be called from within a transaction that includes an update to the target objects.

Supported API: false

Specified by:

copyPermissions in interface AccessControlManagerSvr

Parameters:

source - source object

targets - target objects

owner_key - key identifying the rule's owner

Throws:

WTException

copyPermissions

public void copyPermissions(AdHocControlled source,
                            WTCollection targets,
                            AdHocAccessKey owner_key,
                            long owner_id)
                     throws WTException

Copies permissions from a source object to a collection of target objects. Only those enabled ad hoc access control rules with the specified owner are copied. If rules with the owner already exist for the target objects, the copied permissions replace any previously granted. If the source object has no ad hoc rules, this method returns without making any changes.

Note: The source object must be persistent. If the target objects are persistent, this method must be called from within a transaction that includes an update to the target objects.

Supported API: false

Specified by:

copyPermissions in interface AccessControlManagerSvr

Parameters:

source - source object

targets - target objects

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Throws:

WTException

reassignPermissions

public void reassignPermissions(AdHocControlled obj,
                                WTPrincipalReference old_principal_ref,
                                WTPrincipalReference new_principal_ref,
                                AdHocAccessKey owner_key)
                         throws WTException

Reassigns permissions a principal has for an object to another principal, for all ad hoc access control rules with the specified owner. This method bypasses access control checks.

Supported API: false

Specified by:

reassignPermissions in interface AccessControlManagerSvr

Parameters:

obj - object the rules are for

old_principal_ref - principal whose permissions are to be reassigned

new_principal_ref - principal to reassign permissions to

owner_key - key identifying the rules' owner

Throws:

WTException

reassignPermissions

public void reassignPermissions(AdHocControlled obj,
                                WTPrincipalReference old_principal_ref,
                                WTPrincipalReference new_principal_ref,
                                AdHocAccessKey owner_key,
                                long owner_id)
                         throws WTException

Reassigns permissions a principal has for an object to another principal, for all ad hoc access control rules with the specified owner. This method bypasses access control checks.

Supported API: false

Specified by:

reassignPermissions in interface AccessControlManagerSvr

Parameters:

obj - object the rules are for

old_principal_ref - principal whose permissions are to be reassigned

new_principal_ref - principal to reassign permissions to

owner_key - key identifying the rules' owner

owner_id - identifier used by the rule's owner to qualify the key

Throws:

WTException

removePermission

public void removePermission(WTCollection objects,
                             WTPrincipalReference principal_ref,
                             AccessPermission permission,
                             AdHocAccessKey owner_key)
                      throws WTException

Removes the specified permission from the set of permissions granted to a principal for each of the objects in a collection. If AccessPermission.ALL is specified, all permissions are removed. If no permissions remain, the ad hoc access control rule for the principal is removed. The permission is only removed from a rule with the specified owner. If there is no matching rule, this method returns without making any changes to the object.

Note: If the objects are persistent, this method must be called from within a transaction that includes an update to the objects.

Supported API: false

Specified by:

removePermission in interface AccessControlManagerSvr

Parameters:

objects - objects the rules are for

principal_ref - principal the permission applies to

permission - permission to be removed

owner_key - key identifying the rule's owner

Throws:

WTException

removePermission

public void removePermission(WTCollection objects,
                             WTPrincipalReference principal_ref,
                             AccessPermission permission,
                             AdHocAccessKey owner_key,
                             long owner_id)
                      throws WTException

Removes the specified permission from the set of permissions granted to a principal for each of the objects in a collection. If AccessPermission.ALL is specified, all permissions are removed. If no permissions remain, the ad hoc access control rule for the principal is removed. The permission is only removed from a rule with the specified owner. If there is no matching rule, this method returns without making any changes to the object.

Note: If the objects are persistent, this method must be called from within a transaction that includes an update to the objects.

Supported API: false

Specified by:

removePermission in interface AccessControlManagerSvr

Parameters:

objects - objects the rules are for

principal_ref - principal the permission applies to

permission - permission to be removed

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Throws:

WTException

removePermissions

public void removePermissions(WTCollection objects,
                              WTPrincipalReference principal_ref,
                              Collection permissions,
                              AdHocAccessKey owner_key)
                       throws WTException

Removes the specified permissions from the set of permissions granted to a principal for an object. If AccessPermission.ALL is specified, all permissions are removed. If no permissions remain, the ad hoc access control rule for the principal is removed. The permissions are only removed from a rule with the specified owner. If there is no matching rule, this method returns without making any changes.

Note: If the object is persistent, this method must be called from within a transaction that includes an update to the object.

Supported API: false

Specified by:

removePermissions in interface AccessControlManagerSvr

Parameters:

objects - objects the rules are for

principal_ref - principal the permission applies to

permissions - permissions to be removed (Collection of AccessPermission)

owner_key - key identifying the rule's owner

Throws:

WTException

removePermissions

public void removePermissions(WTCollection objects,
                              WTPrincipalReference principal_ref,
                              Collection permissions,
                              AdHocAccessKey owner_key,
                              long owner_id)
                       throws WTException

Removes the specified permissions from the set of permissions granted to a principal for each of the objects in a collection. If AccessPermission.ALL is specified, all permissions are removed. If no permissions remain, the ad hoc access control rule for the principal is removed. The permissions are only removed from a rule with the specified owner. If there is no matching rule, this method returns without making any changes to the object.

Note: If the objects are persistent, this method must be called from within a transaction that includes an update to the objects.

Supported API: false

Specified by:

removePermissions in interface AccessControlManagerSvr

Parameters:

objects - objects the rules are for

principal_ref - principal the permission applies to

permissions - permissions to be removed (Collection of AccessPermission)

owner_key - key identifying the rule's owner

owner_id - identifier used by the rule's owner to qualify the key

Throws:

WTException

setPermissions

public void setPermissions(AdHocControlled obj,
                           AdHocAclSpec specification,
                           WTRoleHolder2 role_holder,
                           AdHocAccessKey owner_key)
                    throws WTException

Creates ad hoc access control rules granting principals permissions to an object, based on an ad hoc access specification (AdHocAclSpec). If rules with the specified owner already exist, the new rules replace the existing rules. Changes to the entrySet attribute of the object are persisted. This method bypasses access control checks.

Supported API: false

Specified by:

setPermissions in interface AccessControlManagerSvr

Parameters:

obj - object the rules are for

specification - ad hoc access specification

role_holder - role to principal mapping

owner_key - key identifying the rules' owner

Throws:

WTException

setPermissions

public void setPermissions(List objects,
                           List specifications,
                           List principal_maps,
                           AdHocAccessKey owner_key)
                    throws WTException

Creates ad hoc access control rules granting principals permissions to objects, based on an ad hoc access specification (AdHocAclSpec) and a role to principal mapping. If rules with the specified owner already exist for the principals, the new rules replace the existing rules. Changes to the entrySet attribute of the objects are persisted. This method bypasses access control checks.

The objects parameter is a list where the elements are each a WTList of objects to be associated with the ad hoc access specification and role to principal mapping at the same index in the specifications and principal_map lists.

Supported API: false

Specified by:

setPermissions in interface AccessControlManagerSvr

Parameters:

objects - list of objects the rules are for

specifications - list of ad hoc access specifications

principal_maps - list of role to principal mappings

owner_key - key identifying the rules' owner

Throws:

WTException

performStartupProcess

protected void performStartupProcess()
                              throws ManagerException

Description copied from class: StandardManager

Dummy method to be overridden by subclasses. Subclasses should override this method and provide startup processing.

Supported API: false

Overrides:

performStartupProcess in class StandardManager

Throws:

ManagerException

addPermissions

private AdHocControlled addPermissions(AdHocControlled obj,
                                       WTPrincipalReference principal_ref,
                                       Vector permissions,
                                       String owner)
                                throws WTException

Throws:

WTException

addPermissions

private void addPermissions(WTCollection objects,
                            WTPrincipalReference principal_ref,
                            Collection permissions,
                            String owner)
                     throws WTException

Throws:

WTException

checkChangePermissions

private void checkChangePermissions(WTCollection objects,
                                    long permission_mask)
                             throws WTException

Throws:

WTException

constructAclEntrySet

private AclEntrySet constructAclEntrySet(AccessSelector selector)
                                  throws WTException

Throws:

WTException

copyPermissions

private AdHocControlled copyPermissions(AdHocControlled source,
                                        AdHocControlled target,
                                        String owner)
                                 throws WTException

Throws:

WTException

copyPermissions

private void copyPermissions(AdHocControlled source,
                             WTCollection targets,
                             String owner)
                      throws WTException

Throws:

WTException

createPolicyEntry

private WTAclEntry createPolicyEntry(boolean negative,
                                     WTPrincipalReference principal_ref,
                                     Vector permissions)
                              throws WTException

Throws:

WTException

deletePolicyAcls

private void deletePolicyAcls(AdminDomainRef domain_ref)
                       throws WTException

Throws:

WTException

getAclCache

private static AclCache getAclCache()

getAdHocEntries

private QueryResult getAdHocEntries(AdHocControlled obj,
                                    WTPrincipalReference principal_ref)
                             throws WTException

Throws:

WTException

getAdHocEntries

private HashMap getAdHocEntries(WTCollection objects,
                                WTPrincipalReference principal_ref)
                         throws WTException

Throws:

WTException

getAdHocEntries

private HashMap getAdHocEntries(WTCollection objects,
                                String owner)
                         throws WTException

Throws:

WTException

getAdHocEntries

private HashMap getAdHocEntries(WTCollection objects,
                                WTPrincipalReference principal_ref,
                                String owner)
                         throws WTException

Throws:

WTException

getAdHocEntry

private WTAclEntry getAdHocEntry(AdHocControlled obj,
                                 WTPrincipalReference principal_ref,
                                 String owner)
                          throws WTException

Throws:

WTException

getCurrentPrincipal

private WTPrincipal getCurrentPrincipal()
                                 throws WTException

Throws:

WTException

getObjectString

private String getObjectString(Object obj)

getPermissionMap

private HashMap getPermissionMap(AdHocAclSpec specification,
                                 Map principalMap)

getPermissionMap

private HashMap getPermissionMap(AdHocAclSpec specification,
                                 Map principalMap,
                                 String owner)
                          throws WTException

Throws:

WTException

getPermissionMask

private long getPermissionMask(WTPrincipal principal,
                               AccessControlled object)
                        throws WTException

Throws:

WTException

getPermissions

private EnumeratorVector getPermissions(AdHocControlled obj,
                                        WTPrincipalReference principal_ref,
                                        String owner)
                                 throws WTException

Throws:

WTException

getPolicyEntries

private QueryResult getPolicyEntries(AccessPolicyRule rule,
                                     WTPrincipalReference principal_ref)
                              throws WTException

Throws:

WTException

getPolicyEntrySet

private AclEntrySet getPolicyEntrySet(AccessControlled object)
                               throws WTException

Throws:

WTException

getRuleSelector

private AccessSelector getRuleSelector(AdminDomainRef domain_ref,
                                       String type_id,
                                       String state_key)
                                throws WTException

Throws:

WTException

hasAccess

private boolean hasAccess(WTPrincipal principal,
                          WTCollection objects,
                          AccessPermission permission,
                          boolean check_all)
                   throws WTException

Throws:

WTException

hasSurrogateAccess

private boolean hasSurrogateAccess(WTPrincipal user,
                                   AccessControlSurrogate surrogate,
                                   AccessPermission permission)
                            throws WTException

Throws:

WTException

logNotAuthorized

private void logNotAuthorized(AdHocControlled object,
                              WTPrincipal principal,
                              long principal_permissions,
                              long change_permissions)

logNotAuthorized

private void logNotAuthorized(Object object,
                              WTPrincipal principal,
                              AccessPermission permission)
                       throws WTException

Throws:

WTException

reassignPermissions

private void reassignPermissions(AdHocControlled obj,
                                 WTPrincipalReference old_principal_ref,
                                 WTPrincipalReference new_principal_ref,
                                 String owner)
                          throws WTException

Throws:

WTException

removePermissions

private AdHocControlled removePermissions(AdHocControlled obj,
                                          WTPrincipalReference principal_ref,
                                          Vector permissions,
                                          String owner)
                                   throws WTException

Throws:

WTException

removePermissions

private void removePermissions(WTCollection objects,
                               WTPrincipalReference principal_ref,
                               Collection permissions,
                               String owner)
                        throws WTException

Throws:

WTException

removePermissions

private AdHocControlled removePermissions(AdHocControlled obj,
                                          String owner)
                                   throws WTException

Throws:

WTException

replacePermissions

private AdHocControlled replacePermissions(AdHocControlled obj,
                                           WTPrincipalReference principal_ref,
                                           Vector permissions,
                                           String owner)
                                    throws WTException

Throws:

WTException

updateAdHocAcl

private void updateAdHocAcl(AdHocControlled persisted_object)
                     throws WTException

Throws:

WTException

updateAdHocAcls

private void updateAdHocAcls(WTSet persisted_objects)
                      throws WTException

Throws:

WTException

updateAdHocAcl

private void updateAdHocAcl(AdHocControlled obj,
                            WTPrincipalReference principal_ref)
                     throws WTException

Throws:

WTException

updateAdHocAcls

private void updateAdHocAcls(WTCollection objects,
                             WTPrincipalReference principal_ref)
                      throws WTException

Throws:

WTException

updatePolicyAcl

private void updatePolicyAcl(PolicyAcl acl)
                      throws WTException

Throws:

WTException

updatePolicyAcls

private void updatePolicyAcls(AccessSelector selector)
                       throws WTException

Throws:

WTException

updatePolicyAcls

private void updatePolicyAcls(AdminDomainRef domain_ref)
                       throws WTException

Throws:

WTException