T
- The type of access control configuration handled by this
access control provider implementation.@PublicAPI(stability=VOLATILE, mayExtend=true) public abstract class AccessControlHandler<T extends org.forgerock.opendj.server.config.server.AccessControlHandlerCfg> extends Object
Constructor and Description |
---|
AccessControlHandler() |
Modifier and Type | Method and Description |
---|---|
boolean |
canDiscloseInformation(Entry entry,
org.forgerock.opendj.ldap.Dn entryDN,
Operation operation)
Checks whether the ACIs prevent sending information about the provided
entry, or entryDN if entry is null.
|
void |
filterEntry(Operation operation,
SearchResultEntry unfilteredEntry,
SearchResultEntry filteredEntry)
Filter the contents of the provided entry such that it no longer
contains any attributes or values that the client is not
permitted to access.
|
void |
finalizeAccessControlHandler()
Performs any necessary finalization for the access control
handler implementation.
|
abstract void |
initializeAccessControlHandler(T configuration,
ServerContext serverContext)
Initializes the access control handler implementation based on
the information in the provided configuration entry.
|
boolean |
isAllowed(BindOperation bindOperation)
Indicates whether the provided bind operation is allowed based on
the access control configuration.
|
boolean |
isAllowed(org.forgerock.opendj.ldap.Dn dn,
Operation op,
Control control)
Indicates whether the provided control is allowed based on the
access control configuration and the specified operation.
|
boolean |
isAllowed(ExtendedOperation extendedOperation)
Indicates whether the provided extended operation is allowed
based on the access control configuration.
|
boolean |
isAllowed(LocalBackendAddOperation addOperation)
Indicates whether the provided add operation is allowed based on
the access control configuration.
|
boolean |
isAllowed(LocalBackendCompareOperation compareOperation)
Indicates whether the provided compare operation is allowed based
on the access control configuration.
|
boolean |
isAllowed(LocalBackendDeleteOperation deleteOperation)
Indicates whether the provided delete operation is allowed based
on the access control configuration.
|
boolean |
isAllowed(LocalBackendModifyOperation modifyOperation)
Indicates whether the provided modify operation is allowed based
on the access control configuration.
|
boolean |
isAllowed(ModifyDNOperation modifyDNOperation)
Indicates whether the provided modify DN operation is allowed
based on the access control configuration.
|
boolean |
isAllowed(Operation operation,
Entry entry,
SearchFilter filter)
Indicates whether the provided operation search filter is allowed
based on the access control configuration.
|
boolean |
isAllowed(SearchOperation searchOperation)
Indicates whether the provided search operation is allowed based
on the access control configuration.
|
boolean |
isConfigurationAcceptable(org.forgerock.opendj.server.config.server.AccessControlHandlerCfg configuration,
List<LocalizableMessage> unacceptableReasons,
ServerContext serverContext)
Indicates whether the provided configuration is acceptable for
this access control handler.
|
boolean |
mayProxy(Entry proxyUser,
Entry proxiedUser,
Operation operation)
Indicates if the specified proxy user entry can proxy, or act on
the behalf of the specified proxied user entry.
|
boolean |
maySend(org.forgerock.opendj.ldap.Dn dn,
Operation operation,
SearchResultReference searchReference)
Indicates whether the provided search result reference may be
sent to the client based on the access control configuration.
|
boolean |
maySend(Operation operation,
SearchResultEntry unfilteredEntry)
Indicates whether the provided search result entry may be sent to
the client.
|
public AccessControlHandler()
public abstract void initializeAccessControlHandler(T configuration, ServerContext serverContext) throws org.forgerock.opendj.config.server.ConfigException, InitializationException
configuration
- The configuration object that contains the information
to use to initialize this access control handler.serverContext
- the server context for this Directory Server instance.org.forgerock.opendj.config.server.ConfigException
- If an unrecoverable problem arises in the process of
performing the initialization.InitializationException
- If a problem occurs during initialization that is not
related to the server configuration.public boolean isConfigurationAcceptable(org.forgerock.opendj.server.config.server.AccessControlHandlerCfg configuration, List<LocalizableMessage> unacceptableReasons, ServerContext serverContext)
configuration
- The access control handler configuration for which to
make the determination.unacceptableReasons
- A list that may be used to hold the reasons that the
provided configuration is not acceptable.serverContext
- the server context for this Directory Server instance.true
if the provided configuration is acceptable
for this access control handler, or false
if not.public void finalizeAccessControlHandler()
public boolean canDiscloseInformation(Entry entry, org.forgerock.opendj.ldap.Dn entryDN, Operation operation) throws DirectoryException
entry
- the entry for which to check if ACIs prevent information
disclosure, if null, then a fake entry will be created from the
entryDN parameterentryDN
- the entry dn for which to check if ACIs prevent information
disclosure. Only used if entry is null.operation
- the operation for which to check if ACIs prevent information
disclosureDirectoryException
- If an error occurred while performing the access control check.public boolean isAllowed(LocalBackendAddOperation addOperation) throws DirectoryException
addOperation
- The operation for which to make the determination.true
if the operation should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean isAllowed(org.forgerock.opendj.ldap.Dn dn, Operation op, Control control) throws DirectoryException
dn
- A DN that can be used in the access determination.op
- The operation to use in the determination.control
- The control for which to make the determination.true
if the control should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean isAllowed(BindOperation bindOperation) throws DirectoryException
bindOperation
- The operation for which to make the determination.true
if the operation should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean isAllowed(LocalBackendCompareOperation compareOperation) throws DirectoryException
compareOperation
- The operation for which to make the determination.true
if the operation should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean isAllowed(LocalBackendDeleteOperation deleteOperation) throws DirectoryException
deleteOperation
- The operation for which to make the determination.true
if the operation should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean isAllowed(ExtendedOperation extendedOperation) throws DirectoryException
extendedOperation
- The operation for which to make the determination.true
if the operation should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean isAllowed(LocalBackendModifyOperation modifyOperation) throws DirectoryException
modifyOperation
- The operation for which to make the determination.true
if the operation should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean isAllowed(ModifyDNOperation modifyDNOperation) throws DirectoryException
modifyDNOperation
- The operation for which to make the determination.true
if the operation should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean isAllowed(SearchOperation searchOperation)
searchOperation
- The operation for which to make the determination.true
if the operation should be allowed by the
access control configuration, or false
if not.public boolean isAllowed(Operation operation, Entry entry, SearchFilter filter) throws DirectoryException
operation
- The operation for which to make the determination.entry
- The entry for which to make the determination.filter
- The filter to check access on.true
if the operation should be allowed by the
access control configuration, or false
if not.DirectoryException
- If an error occurred while performing the access
control check. For example, if an attribute could not
be decoded. Care must be taken not to expose any
potentially sensitive information in the exception.public boolean maySend(Operation operation, SearchResultEntry unfilteredEntry)
operation
- The operation currently being processed (this will
usually be a search, but may be other types of operation
when pre/post read controls are used).unfilteredEntry
- The result entry before any attribute filtering.true
if the access control configuration allows
the entry to be returned to the client, or false
if not.public void filterEntry(Operation operation, SearchResultEntry unfilteredEntry, SearchResultEntry filteredEntry)
operation
- The operation currently being processed (this will
usually be a search, but may be other types of operation
when pre/post read controls are used).unfilteredEntry
- The result entry before any attribute filtering.filteredEntry
- The partially filtered result entry being returned to
the client.public boolean maySend(org.forgerock.opendj.ldap.Dn dn, Operation operation, SearchResultReference searchReference)
dn
- A DN that can be used in the access determination.operation
- The operation with which the provided reference
is associated.searchReference
- The search result reference for which to make the
determination.true
if the access control configuration allows
the reference to be returned to the client, or false
if not.public boolean mayProxy(Entry proxyUser, Entry proxiedUser, Operation operation)
proxyUser
- The entry to use as the proxy user.proxiedUser
- The entry to be proxied by the proxy user.operation
- The operation to use in the evaluation.true
if the access control configuration allows
the proxy user to proxy the proxied user, or false
if not.Copyright © 2010-2017 ForgeRock AS. All Rights Reserved.