org.mycore.access.mcrimpl
Class MCRAccessControlSystem

java.lang.Object
  extended by org.mycore.access.MCRAccessBaseImpl
      extended by org.mycore.access.mcrimpl.MCRAccessControlSystem
All Implemented Interfaces:
MCRAccessInterface

public class MCRAccessControlSystem
extends MCRAccessBaseImpl

MyCoRe standard implementation of the MCRAccessInterface. Maps object ids to rules.

Author:
Matthias Kramm, Heiko Helmbrecht

Field Summary
(package private)  MCRAccessStore accessStore
           
(package private) static MCRCache cache
           
(package private)  boolean disabled
           
(package private)  MCRAccessRule dummyRule
           
static String lexicographicalPattern
           
static String poolPrivilegeID
           
(package private) static Hashtable<String,String> ruleIDTable
           
(package private)  MCRRuleStore ruleStore
           
(package private) static String superuserID
           
static String systemRulePrefix
           
 
Fields inherited from class org.mycore.access.MCRAccessBaseImpl
AccessPermissions, LOGGER
 
Method Summary
 void addRule(String permission, Element rule, String description)
          adds an access rule for an "a priori-permission" like "create-document"
 void addRule(String id, String pool, Element rule, String description)
          adds an access rule for an ID to an access system.
 boolean checkAccess(String objID, String permission, MCRUser user, MCRIPAddress ip)
          Validator methods to validate access definition for given object and pool
 boolean checkPermission(Element rule)
          determines whether the current user has the permission to perform a certain action.
 boolean checkPermission(String permission)
          determines whether the current user has the permission to perform a certain action.
 boolean checkPermission(String permission, MCRUser user)
          determines whether a given user has the permission to perform a certain action.
 boolean checkPermission(String id, String permission)
          determines whether the current user has the permission to perform a certain action.
 boolean checkPermission(String id, String permission, MCRUser user)
          determines whether a given user has the permission to perform a certain action.
 void createRule(Element rule, String creator, String description)
          create an access rule in the rulestore using a rule string in plain text
 void createRule(String ruleString, String creator, String description)
          create an access rule in the rulestore using a rule string in plain text
 MCRAccessRule getAccess(String objID, String pool)
           
 Collection<String> getAllControlledIDs()
          lists all String IDs that a permission is assigned to.
 MCRRuleMapping getAutoGeneratedRuleMapping(Element rule, String creator, String pool, String id, String description)
          returns an auto-generated MCRRuleMapping, needed to create Access Definitions
static MCRCache getCache()
           
 String getNextFreeRuleID(String prefix)
          method that delivers the next free ruleID for a given Prefix and sets the counter to counter + 1
 String getNormalizedRuleString(Element rule)
          delivers the rule as string, after normalizing it via sorting with MCRAccessConditionsComparator
 Collection<String> getPermissions()
          lists all a-priori permissions like "create-document".
 Collection<String> getPermissionsForID(String objid)
          lists all permissions defined for the id.
 Element getRule(String permission)
          exports an access rule for an "a priori permission" as JDOM element.
 Element getRule(String objID, String permission)
          exports an access rule as JDOM element.
 String getRuleDescription(String permission)
          returns the prose description of a defined rule for an "a priori" permission like "create-document".
 String getRuleDescription(String objID, String permission)
          returns the prose description of a defined rule.
 boolean hasRule(String id)
          checks whether a rule with the id is defined.
 boolean hasRule(String id, String permission)
          checks whether a rule with the id and permission is defined.
static MCRAccessInterface instance()
           
 boolean isDisabled()
           
 Element normalize(Element rule)
          method that normalizes the JDOM representation of a MyCoRe access condition
 void removeAllRules(String id)
          removes all rules of the id.
 void removeRule(String permission)
          removes a rule for an "a priori permission" like "create-document"
 void removeRule(String id, String pool)
          removes a rule.
 void updateRule(String permission, Element rule, String description)
          updates an access rule for an "a priori permission" of an access system like "create-document".
 void updateRule(String id, String pool, Element rule, String description)
          updates an access rule for an ID to an access system.
 
Methods inherited from class org.mycore.access.MCRAccessBaseImpl
getAccessPermissionsFromConfiguration
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

systemRulePrefix

public static final String systemRulePrefix
See Also:
Constant Field Values

poolPrivilegeID

public static final String poolPrivilegeID
See Also:
Constant Field Values

lexicographicalPattern

public static final String lexicographicalPattern
See Also:
Constant Field Values

superuserID

static String superuserID

cache

static MCRCache cache

accessStore

MCRAccessStore accessStore

ruleStore

MCRRuleStore ruleStore

dummyRule

MCRAccessRule dummyRule

disabled

boolean disabled

ruleIDTable

static Hashtable<String,String> ruleIDTable
Method Detail

instance

public static MCRAccessInterface instance()

createRule

public void createRule(String ruleString,
                       String creator,
                       String description)
Description copied from interface: MCRAccessInterface
create an access rule in the rulestore using a rule string in plain text

Specified by:
createRule in interface MCRAccessInterface
Overrides:
createRule in class MCRAccessBaseImpl
Parameters:
ruleString - the rule string in plain text
description - a String description of the rule in prose

createRule

public void createRule(Element rule,
                       String creator,
                       String description)
Description copied from interface: MCRAccessInterface
create an access rule in the rulestore using a rule string in plain text

Specified by:
createRule in interface MCRAccessInterface
Overrides:
createRule in class MCRAccessBaseImpl
Parameters:
rule - the rule string as xml
description - a String description of the rule in prose

addRule

public void addRule(String id,
                    String pool,
                    Element rule,
                    String description)
             throws MCRException
Description copied from interface: MCRAccessInterface
adds an access rule for an ID to an access system. The parameter id serves as an identifier for the concrete underlying rule, e.g. a MCRObjectID.

Specified by:
addRule in interface MCRAccessInterface
Overrides:
addRule in class MCRAccessBaseImpl
Parameters:
id - the ID-String of the object
pool - the access permission for the rule
rule - the access rule
description - a String description of the rule in prose
Throws:
MCRException - if an error occurred

addRule

public void addRule(String permission,
                    Element rule,
                    String description)
Description copied from interface: MCRAccessInterface
adds an access rule for an "a priori-permission" like "create-document"

Specified by:
addRule in interface MCRAccessInterface
Overrides:
addRule in class MCRAccessBaseImpl
Parameters:
permission - the access permission for the rule (e.g. "create-document")
rule - the access rule
description - a String description of the rule in prose

removeRule

public void removeRule(String id,
                       String pool)
                throws MCRException
Description copied from interface: MCRAccessInterface
removes a rule. The parameter id serves as an identifier for the concrete underlying rule, e.g. a MCRObjectID.

Specified by:
removeRule in interface MCRAccessInterface
Overrides:
removeRule in class MCRAccessBaseImpl
Parameters:
id - the ID-String of the object
pool - the access permission for the rule
Throws:
MCRException - if an error occurred

removeRule

public void removeRule(String permission)
                throws MCRException
Description copied from interface: MCRAccessInterface
removes a rule for an "a priori permission" like "create-document"

Specified by:
removeRule in interface MCRAccessInterface
Overrides:
removeRule in class MCRAccessBaseImpl
Parameters:
permission - the access permission for the rule
Throws:
MCRException - if an error occurred

removeAllRules

public void removeAllRules(String id)
                    throws MCRException
Description copied from interface: MCRAccessInterface
removes all rules of the id. The parameter id serves as an identifier for the concrete underlying rule, e.g. a MCRObjectID.

Specified by:
removeAllRules in interface MCRAccessInterface
Overrides:
removeAllRules in class MCRAccessBaseImpl
Parameters:
id - the ID-String of the object
Throws:
MCRException - if an error occurred

updateRule

public void updateRule(String id,
                       String pool,
                       Element rule,
                       String description)
                throws MCRException
Description copied from interface: MCRAccessInterface
updates an access rule for an ID to an access system. The parameter id serves as an identifier for the concrete underlying rule, e.g. a MCRObjectID.

Specified by:
updateRule in interface MCRAccessInterface
Overrides:
updateRule in class MCRAccessBaseImpl
Parameters:
id - the ID-String of the object
pool - the access permission for the rule
rule - the access rule
description - a String description of the rule in prose
Throws:
MCRException - if an error occurred

updateRule

public void updateRule(String permission,
                       Element rule,
                       String description)
                throws MCRException
Description copied from interface: MCRAccessInterface
updates an access rule for an "a priori permission" of an access system like "create-document".

Specified by:
updateRule in interface MCRAccessInterface
Overrides:
updateRule in class MCRAccessBaseImpl
Parameters:
permission - the access permission for the rule
rule - the access rule
description - a String description of the rule in prose
Throws:
MCRException - if an error occurred

checkPermission

public boolean checkPermission(String id,
                               String permission)
Description copied from interface: MCRAccessInterface
determines whether the current user has the permission to perform a certain action. All information regarding the current user is encapsulated by a MCRSession instance which can be retrieved by
 MCRSession currentSession = MCRSessionMgr.getCurrentSession();
 
The parameter id serves as an identifier for the concrete underlying rule, e.g. a MCRObjectID.

Specified by:
checkPermission in interface MCRAccessInterface
Overrides:
checkPermission in class MCRAccessBaseImpl
Parameters:
id - the ID-String of the object
permission - the permission/action to be granted, e.g. "read"
Returns:
true if the permission is granted, else false
See Also:
MCRSessionMgr.getCurrentSession(), MCRSession

checkPermission

public boolean checkPermission(String id,
                               String permission,
                               MCRUser user)
Description copied from interface: MCRAccessInterface
determines whether a given user has the permission to perform a certain action. No session data will be checked here. The parameter id serves as an identifier for the concrete underlying rule, e.g. a MCRObjectID.

Specified by:
checkPermission in interface MCRAccessInterface
Overrides:
checkPermission in class MCRAccessBaseImpl
Parameters:
id - the ID-String of the object
permission - the permission/action to be granted, e.g. "read"
user - the MCRUser, whose permissions are checked
Returns:
true if the permission is granted, else false
See Also:
MCRSessionMgr.getCurrentSession(), MCRSession

checkPermission

public boolean checkPermission(String permission)
Description copied from interface: MCRAccessInterface
determines whether the current user has the permission to perform a certain action. All information regarding the current user is encapsulated by a MCRSession instance which can be retrieved by
 MCRSession currentSession = MCRSessionMgr.getCurrentSession();
 
This method is used for checking "a priori permissions" like "create-document" where a String ID does not exist yet

Specified by:
checkPermission in interface MCRAccessInterface
Overrides:
checkPermission in class MCRAccessBaseImpl
Parameters:
permission - the permission/action to be granted, e.g. "create-document"
Returns:
true if the permission is granted, else false
See Also:
MCRSessionMgr.getCurrentSession(), MCRSession

checkPermission

public boolean checkPermission(String permission,
                               MCRUser user)
Description copied from interface: MCRAccessInterface
determines whether a given user has the permission to perform a certain action. No session data will be checked here. This method is used for checking "a priori permissions" like "create-document" where a String ID does not exist yet

Specified by:
checkPermission in interface MCRAccessInterface
Overrides:
checkPermission in class MCRAccessBaseImpl
Parameters:
permission - the permission/action to be granted, e.g. "create-document"
user - the MCRUser, whose permissions are checked
Returns:
true if the permission is granted, else false
See Also:
MCRSessionMgr.getCurrentSession(), MCRSession

checkPermission

public boolean checkPermission(Element rule)
Description copied from interface: MCRAccessInterface
determines whether the current user has the permission to perform a certain action. All information regarding the current user is encapsulated by a MCRSession instance which can be retrieved by
 MCRSession currentSession = MCRSessionMgr.getCurrentSession();
 

Specified by:
checkPermission in interface MCRAccessInterface
Overrides:
checkPermission in class MCRAccessBaseImpl
Parameters:
rule - the jdom-representation of a mycore access rule
Returns:
true if the permission is granted, else false
See Also:
MCRSessionMgr.getCurrentSession(), MCRSession

getRule

public Element getRule(String objID,
                       String permission)
Description copied from interface: MCRAccessInterface
exports an access rule as JDOM element.

Specified by:
getRule in interface MCRAccessInterface
Overrides:
getRule in class MCRAccessBaseImpl
Parameters:
objID - the ID-String of the object
permission - the access permission for the rule
Returns:
the rule as jdom element, or null if no rule is defined

getRule

public Element getRule(String permission)
Description copied from interface: MCRAccessInterface
exports an access rule for an "a priori permission" as JDOM element.

Specified by:
getRule in interface MCRAccessInterface
Overrides:
getRule in class MCRAccessBaseImpl
Parameters:
permission - the access permission for the rule
Returns:
the rule as jdom element, or null if no rule is defined

getRuleDescription

public String getRuleDescription(String permission)
Description copied from interface: MCRAccessInterface
returns the prose description of a defined rule for an "a priori" permission like "create-document".

Specified by:
getRuleDescription in interface MCRAccessInterface
Overrides:
getRuleDescription in class MCRAccessBaseImpl
Parameters:
permission - the access permission for the rule
Returns:
the String of the description

getRuleDescription

public String getRuleDescription(String objID,
                                 String permission)
Description copied from interface: MCRAccessInterface
returns the prose description of a defined rule.

Specified by:
getRuleDescription in interface MCRAccessInterface
Overrides:
getRuleDescription in class MCRAccessBaseImpl
Parameters:
objID - the ID-String of the object
permission - the access permission for the rule
Returns:
the String of the description

getPermissionsForID

public Collection<String> getPermissionsForID(String objid)
Description copied from interface: MCRAccessInterface
lists all permissions defined for the id. The parameter id serves as an identifier for the concrete underlying rule, e.g. a MCRObjectID.

Specified by:
getPermissionsForID in interface MCRAccessInterface
Overrides:
getPermissionsForID in class MCRAccessBaseImpl
Returns:
a List of all permissions defined for the id

getPermissions

public Collection<String> getPermissions()
Description copied from interface: MCRAccessInterface
lists all a-priori permissions like "create-document".

Specified by:
getPermissions in interface MCRAccessInterface
Overrides:
getPermissions in class MCRAccessBaseImpl
Returns:
a List of all defined permissions

hasRule

public boolean hasRule(String id,
                       String permission)
Description copied from class: MCRAccessBaseImpl
checks whether a rule with the id and permission is defined. It's the same as calling
    (getRule(id, permission)!=null);
 

Specified by:
hasRule in interface MCRAccessInterface
Overrides:
hasRule in class MCRAccessBaseImpl
Parameters:
id - the ID-String of the object
permission - the access permission for the rule
Returns:
false, if getRule(id, permission) would return null, else true
See Also:
MCRAccessBaseImpl.getRule(String, String)

hasRule

public boolean hasRule(String id)
Description copied from class: MCRAccessBaseImpl
checks whether a rule with the id is defined. It's the same as calling
    (getPermissionsForID(id).size()>0);
 

Specified by:
hasRule in interface MCRAccessInterface
Overrides:
hasRule in class MCRAccessBaseImpl
Parameters:
id - the ID-String of the object
Returns:
false, if getPermissionsForID(id) would return an empty list, else true
See Also:
MCRAccessBaseImpl.getRule(String, String)

getAllControlledIDs

public Collection<String> getAllControlledIDs()
Description copied from interface: MCRAccessInterface
lists all String IDs that a permission is assigned to. The parameter id serves as an identifier for the concrete underlying rule, e.g. a MCRObjectID.

Specified by:
getAllControlledIDs in interface MCRAccessInterface
Overrides:
getAllControlledIDs in class MCRAccessBaseImpl
Returns:
a sorted and distinct List of all String IDs

isDisabled

public boolean isDisabled()

getAccess

public MCRAccessRule getAccess(String objID,
                               String pool)

checkAccess

public boolean checkAccess(String objID,
                           String permission,
                           MCRUser user,
                           MCRIPAddress ip)
Validator methods to validate access definition for given object and pool

Parameters:
permission - poolname as string
objID - MCRObjectID as string
user - MCRUser
ip - ip-Address
Returns:
true if access is granted according to defined access rules

getNextFreeRuleID

public String getNextFreeRuleID(String prefix)
method that delivers the next free ruleID for a given Prefix and sets the counter to counter + 1

Parameters:
prefix - String
Returns:
String

getNormalizedRuleString

public String getNormalizedRuleString(Element rule)
delivers the rule as string, after normalizing it via sorting with MCRAccessConditionsComparator

Specified by:
getNormalizedRuleString in interface MCRAccessInterface
Overrides:
getNormalizedRuleString in class MCRAccessBaseImpl
Parameters:
rule - Jdom-Element
Returns:
String

getAutoGeneratedRuleMapping

public MCRRuleMapping getAutoGeneratedRuleMapping(Element rule,
                                                  String creator,
                                                  String pool,
                                                  String id,
                                                  String description)
returns an auto-generated MCRRuleMapping, needed to create Access Definitions

Parameters:
rule - JDOM-Representation of a MCRAccess Rule
creator - String
pool - String
id - String
Returns:
MCRRuleMapping

normalize

public Element normalize(Element rule)
method that normalizes the JDOM representation of a MyCoRe access condition

Parameters:
rule - condition-JDOM of an access-rule
Returns:
the normalized JDOM-Rule

getCache

public static MCRCache getCache()