AciHandler (OpenDJ Public API Javadoc 6.5.6 Documentation)

java.lang.Object
- org.opends.server.api.AccessControlHandler<DseeCompatAccessControlHandlerCfg>
- - org.opends.server.authorization.dseecompat.AciHandler

```
public final class AciHandler
extends AccessControlHandler<DseeCompatAccessControlHandlerCfg>
```
A DSEE-compatible access control handler. The AciHandler class performs the main processing for the dseecompat package.

Constructor Summary

Constructors
Constructor and Description

AciHandler()
Creates a new DSEE-compatible access control handler.

Constructors
Constructor and Description
`AciHandler()` Creates a new DSEE-compatible access control handler.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`boolean`	`canDiscloseInformation(Entry entry, Dn entryDN, Operation operation)` Checks whether the ACIs prevent sending information about the provided entry, or entryDN if entry is null.
`void`	`filterEntry(Operation operation, SearchResultEntry unfilteredEntry, AttributeFilter attributeFilter)` Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access.
`void`	`finalizeAccessControlHandler()` Performs any necessary finalization for the access control handler implementation.
`void`	`initializeAccessControlHandler(DseeCompatAccessControlHandlerCfg configuration, ServerContext serverContext)` Initializes the access control handler implementation based on the information in the provided configuration entry.
`boolean`	`isAllowed(AddOperation operation)` Indicates whether the provided add operation is allowed based on the access control configuration.
`boolean`	`isAllowed(BindOperation bindOperation)` Indicates whether the provided bind operation is allowed based on the access control configuration.
`boolean`	`isAllowed(CompareOperation operation)` Check access on compare operations.
`boolean`	`isAllowed(DeleteOperation operation)` Check access on delete operations.
`boolean`	`isAllowed(Dn entryDN, Operation op, Control control)` Indicates whether the provided control is allowed based on the access control configuration and the specified operation.
`boolean`	`isAllowed(ExtendedOperation operation)` Indicates whether the provided extended operation is allowed based on the access control configuration.
`boolean`	`isAllowed(ModifyDnOperation operation)` Checks access on a modifyDN operation.
`boolean`	`isAllowed(ModifyOperation operation)` Indicates whether the provided modify operation is allowed based on the access control configuration.
`boolean`	`isAllowed(Operation operation, Entry entry, Filter filter)` Indicates whether the provided operation search filter is allowed based on the access control configuration.
`boolean`	`isAllowed(SearchOperation searchOperation)` Indicates whether the provided search operation is allowed based on the access control configuration.
`boolean`	`mayProxy(Entry proxyUser, Entry proxiedUser, Operation op)` Indicates if the specified proxy user entry can proxy, or act on the behalf of the specified proxied user entry.
`boolean`	`maySend(Dn dn, Operation operation, SearchResultReference reference)` Indicates whether the provided search result reference may be sent to the client based on the access control configuration.
`boolean`	`maySend(Operation operation, SearchResultEntry entry)` Indicates whether the provided search result entry may be sent to the client.

Methods inherited from class org.opends.server.api.AccessControlHandler
isConfigurationAcceptable

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - AciHandler
```
public AciHandler()
```
    Creates a new DSEE-compatible access control handler.
- Method Detail
  - filterEntry
```
public void filterEntry(Operation operation,
                        SearchResultEntry unfilteredEntry,
                        AttributeFilter attributeFilter)
```
    Description copied from class: AccessControlHandler
    
    Filter the contents of the provided entry such that it no longer contains any attributes or values that the client is not permitted to access.
    
    Overrides:
    
    filterEntry in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The operation currently being processed (this will usually be a search, but may be other types of operation when pre/post read controls are used).
    
    unfilteredEntry - The result entry before any attribute filtering.
    
    attributeFilter - The attribute filter which should be updated to include a predicate or mapping function for removing disallowed attributes.
  - finalizeAccessControlHandler
```
public void finalizeAccessControlHandler()
```
    Description copied from class: AccessControlHandler
    
    Performs any necessary finalization for the access control handler implementation. This will be called just after the handler has been deregistered with the server but before it has been unloaded.
    
    Overrides:
    
    finalizeAccessControlHandler in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
  - initializeAccessControlHandler
```
public void initializeAccessControlHandler(DseeCompatAccessControlHandlerCfg configuration,
                                           ServerContext serverContext)
                                    throws InitializationException
```
    Description copied from class: AccessControlHandler
    
    Initializes the access control handler implementation based on the information in the provided configuration entry.
    
    Specified by:
    
    initializeAccessControlHandler in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    configuration - The configuration object that contains the information to use to initialize this access control handler.
    
    serverContext - the server context for this Directory Server instance.
    
    Throws:
    
    InitializationException - If a problem occurs during initialization that is not related to the server configuration.
  - canDiscloseInformation
```
public boolean canDiscloseInformation(Entry entry,
                                      Dn entryDN,
                                      Operation operation)
                               throws LdapException
```
    Description copied from class: AccessControlHandler
    
    Checks whether the ACIs prevent sending information about the provided entry, or entryDN if entry is null.
    
    Overrides:
    
    canDiscloseInformation in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    entry - the entry for which to check if ACIs prevent information disclosure, if null, then a fake entry will be created from the entryDN parameter
    
    entryDN - the entry dn for which to check if ACIs prevent information disclosure. Only used if entry is null.
    
    operation - the operation for which to check if ACIs prevent information disclosure
    
    Returns:
    
    true if the information for this entry can be disclosed, false otherwise.
    
    Throws:
    
    LdapException - If an error occurred while performing the access control check.
  - isAllowed
```
public boolean isAllowed(Dn entryDN,
                         Operation op,
                         Control control)
                  throws LdapException
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided control is allowed based on the access control configuration and the specified operation. This method should not alter the provided operation in any way.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    entryDN - A DN that can be used in the access determination.
    
    op - The operation to use in the determination.
    
    control - The control for which to make the determination.
    
    Returns:
    
    true if the control should be allowed by the access control configuration, or false if not.
    
    Throws:
    
    LdapException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
  - isAllowed
```
public boolean isAllowed(ExtendedOperation operation)
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided extended operation is allowed based on the access control configuration. This method should not alter the provided extended operation in any way.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The operation for which to make the determination.
    
    Returns:
    
    true if the operation should be allowed by the access control configuration, or false if not.
  - isAllowed
```
public boolean isAllowed(AddOperation operation)
                  throws LdapException
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided add operation is allowed based on the access control configuration. This method should not alter the provided add operation in any way.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The operation for which to make the determination.
    
    Returns:
    
    true if the operation should be allowed by the access control configuration, or false if not.
    
    Throws:
    
    LdapException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
  - isAllowed
```
public boolean isAllowed(BindOperation bindOperation)
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided bind operation is allowed based on the access control configuration. This method should not alter the provided bind operation in any way.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    bindOperation - The operation for which to make the determination.
    
    Returns:
    
    true if the operation should be allowed by the access control configuration, or false if not.
  - isAllowed
```
public boolean isAllowed(CompareOperation operation)
```
    Check access on compare operations. Note that the attribute type is unavailable at this time, so this method partially parses the raw attribute string to get the base attribute type. Options are ignored.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The compare operation to check access on.
    
    Returns:
    
    True if access is allowed.
  - isAllowed
```
public boolean isAllowed(DeleteOperation operation)
```
    Check access on delete operations.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The delete operation to check access on.
    
    Returns:
    
    True if access is allowed.
  - isAllowed
```
public boolean isAllowed(ModifyDnOperation operation)
```
    Checks access on a modifyDN operation.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The modifyDN operation to check access on.
    
    Returns:
    
    True if access is allowed.
  - isAllowed
```
public boolean isAllowed(ModifyOperation operation)
                  throws LdapException
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided modify operation is allowed based on the access control configuration. This method should not alter the provided modify operation in any way.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The operation for which to make the determination.
    
    Returns:
    
    true if the operation should be allowed by the access control configuration, or false if not.
    
    Throws:
    
    LdapException - If an error occurred while performing the access control check. For example, if an attribute could not be decoded. Care must be taken not to expose any potentially sensitive information in the exception.
  - isAllowed
```
public boolean isAllowed(SearchOperation searchOperation)
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided search operation is allowed based on the access control configuration. This method may only alter the provided search operation in order to add an opaque block of data to it that will be made available for use in determining whether matching search result entries or search result references may be allowed.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    searchOperation - The operation for which to make the determination.
    
    Returns:
    
    true if the operation should be allowed by the access control configuration, or false if not.
  - isAllowed
```
public boolean isAllowed(Operation operation,
                         Entry entry,
                         Filter filter)
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided operation search filter is allowed based on the access control configuration. This method should not alter the provided operation in any way.
    
    Overrides:
    
    isAllowed in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The operation for which to make the determination.
    
    entry - The entry for which to make the determination.
    
    filter - The filter to check access on.
    
    Returns:
    
    true if the operation should be allowed by the access control configuration, or false if not.
  - mayProxy
```
public boolean mayProxy(Entry proxyUser,
                        Entry proxiedUser,
                        Operation op)
```
    Description copied from class: AccessControlHandler
    
    Indicates if the specified proxy user entry can proxy, or act on the behalf of the specified proxied user entry. The operation parameter is used in the evaluation.
    
    Overrides:
    
    mayProxy in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    proxyUser - The entry to use as the proxy user.
    
    proxiedUser - The entry to be proxied by the proxy user.
    
    op - The operation to use in the evaluation.
    
    Returns:
    
    true if the access control configuration allows the proxy user to proxy the proxied user, or false if not.
  - maySend
```
public boolean maySend(Dn dn,
                       Operation operation,
                       SearchResultReference reference)
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided search result reference may be sent to the client based on the access control configuration.
    
    Overrides:
    
    maySend in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    dn - A DN that can be used in the access determination.
    
    operation - The operation with which the provided reference is associated.
    
    reference - The search result reference for which to make the determination.
    
    Returns:
    
    true if the access control configuration allows the reference to be returned to the client, or false if not.
  - maySend
```
public boolean maySend(Operation operation,
                       SearchResultEntry entry)
```
    Description copied from class: AccessControlHandler
    
    Indicates whether the provided search result entry may be sent to the client. Implementations must not under any circumstances modify the search entry in any way.
    
    Overrides:
    
    maySend in class AccessControlHandler<DseeCompatAccessControlHandlerCfg>
    
    Parameters:
    
    operation - The operation currently being processed (this will usually be a search, but may be other types of operation when pre/post read controls are used).
    
    entry - The result entry before any attribute filtering.
    
    Returns:
    
    true if the access control configuration allows the entry to be returned to the client, or false if not.

Class AciHandler

Constructor Summary

Method Summary

Methods inherited from class org.opends.server.api.AccessControlHandler

Methods inherited from class java.lang.Object

Constructor Detail

AciHandler

Method Detail

filterEntry

finalizeAccessControlHandler

initializeAccessControlHandler

canDiscloseInformation

isAllowed

isAllowed

isAllowed

isAllowed

isAllowed

isAllowed

isAllowed

isAllowed

isAllowed

isAllowed

mayProxy

maySend

maySend