WebLogic Server 5.1.0 API Reference: Class AclImpl

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

BEA Systems, Inc.

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: INNER | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

WebLogic Server 5.1.0 API Reference

weblogic.security.acl
Class AclImpl

java.lang.Object
  |
  +--weblogic.security.acl.OwnerImpl
        |
        +--weblogic.security.acl.AclImpl

Direct Known Subclasses:: URLAcl

public class AclImpl
extends OwnerImpl
implements java.security.acl.Acl, java.io.Serializable

This class implements the java.security.acl.Acl interface with optimization for checking permissions.

The implementation manages permissions in groups of 32. Each group has separate hash tables mapping groups and users to pairs of bit masks representing granted and not denied permissions. Permission is checked by finding the right group, computing the bitmask corresponding to the specific permission, and doing the bit arithmetic.

The AclEntry objects used in the interfaces are not kept. They are analyzed on input and synthesized on demand.

An ACL is a data structure with multiple AclEntry objects. Each AclEntry object contains a set of permissions associated with a particular principal, which represents an entity such as an individual user or a group).

Additionally, each AclEntry is specified as either positive or negative. If positive, the permissions are to be granted to the associated principal. If negative, the permissions are to be denied.

Each AclEntry in each ACL observes the following rules:

Each principal can have at most one positive and one negative AclEntry; that is, multiple positive or negative ActEntries are not allowed for any principal. Each entry specifies the set of permissions that are to be granted (if positive) or denied (if negative).
If there is no entry for a particular principal, then the principal is considered to have a null (empty) permission set.
If there is a positive entry that grants a principal a particular permission, and a negative entry that denies the principal the same permission, the result is as though the permission was never granted or denied.
Individual permissions always override permissions of the group(s) to which the individual belongs. That is, individual negative permissions (specific denial of permissions) override the groups' positive permissions. Likewise individual positive permissions override the groups' negative permissions.

The java.security.acl package provides the interfaces to the ACL and related data structures (ACL entries, groups, permissions, etc.), and the sun.security.acl classes provide a default implementation of the interfaces. For example, java.security.acl.Acl provides the interface to an ACL and the sun.security.acl.AclImpl class provides the default implementation of the interface.

The java.security.acl.Acl interface extends the java.security.acl.Owner interface. The Owner interface is used to maintain a list of owners for each ACL. Only owners are allowed to modify an ACL. For example, only an owner can call the ACL's addEntry() method to add a new AclEntry to the ACL.

Author:: Copyright (c) 1997 by WebLogic, Inc. All Rights Reserved., Copyright (c) 1999 by BEA WebXpress. All Rights Reserved.
Copyright © 2000 BEA Systems, Inc. All Rights Reserved.
See Also:: AclEntry, Owner, Acl.getPermissions(java.security.Principal), Serialized Form

Constructor Summary
`AclImpl(java.security.Principal caller, java.lang.String name)` Sets the name of an ACL to the specified string.

Method Summary
`boolean`	`addEntry(java.security.Principal caller, java.security.acl.AclEntry entry)` Adds an AclEntry.
`boolean`	`checkPermission(java.security.Principal principal, java.security.acl.Permission permission)` Determines whether the specified principal has the specified permission.
`java.util.Enumeration`	`entries()` Returns an enumeration of the entries in an ACL.
`java.lang.String`	`getName()` Returns the name of this ACL as a string.
`protected int`	`getPermission(java.security.Principal principal, java.security.acl.Permission permission)`
`java.util.Enumeration`	`getPermissions(java.security.Principal user)` Returns an enumeration for the set of allowed permissions for the specified principal (representing an entity such as an individual or a group).
`boolean`	`removeEntry(java.security.Principal caller, java.security.acl.AclEntry entry)` Removes an AclEntry from an ACL.
`void`	`setName(java.security.Principal caller, java.lang.String name)` Sets the name of an ACL to the specified string.
`java.lang.String`	`toString()` Returns a string representation of the contents of an ACL.

Methods inherited from class weblogic.security.acl.OwnerImpl

addOwner, 
deleteOwner, 
isOwner

Methods inherited from class java.lang.Object

clone, 
equals, 
finalize, 
getClass, 
hashCode, 
notify, 
notifyAll, 
wait, 
wait, 
wait

Constructor Detail

AclImpl

public AclImpl(java.security.Principal caller,
               java.lang.String name)

Sets the name of an ACL to the specified string. The principal that owns the ACL must be supplied.

Parameters:: principal - Principal that owns the ACL; name - Name for the ACL

Method Detail

setName

public void setName(java.security.Principal caller,
                    java.lang.String name)
             throws java.security.acl.NotOwnerException

Sets the name of an ACL to the specified string. The principal that owns the ACL must be supplied.

Specified by:: setName in interface java.security.acl.Acl
Parameters:: principal - Principal that owns the ACL; name - Name for the ACL
Throws:: java.security.acl.NotOwnerException - if the caller principal does not own the ACL

getName

public java.lang.String getName()

Returns the name of this ACL as a string.

Specified by:: getName in interface java.security.acl.Acl
Returns:: ACL name

addEntry

public boolean addEntry(java.security.Principal caller,
                        java.security.acl.AclEntry entry)
                 throws java.security.acl.NotOwnerException

Adds an AclEntry. An AclEntry associates a principal (e.g., an individual or a group) with a set of permissions. Each principal can have at most one positive AclEntry (specifying permissions to be granted to the principal) and one negative AclEntry (specifying permissions to be denied). If there is already an AclEntry of the same type (negative or positive) already in the ACL, false is returned.

The principal that owns the ACL must be supplied.

Specified by:: addEntry in interface java.security.acl.Acl
Parameters:: caller - Principal that owns the ACL; entry - AclEntry to be added to an ACL
Returns:: false if an entry of the same type (positive or negative) for the same principal is already present
Throws:: java.security.acl.NotOwnerException - if the caller principal does not own the ACL

removeEntry

public boolean removeEntry(java.security.Principal caller,
                           java.security.acl.AclEntry entry)
                    throws java.security.acl.NotOwnerException

Removes an AclEntry from an ACL. The principal that owns the ACL must be supplied.

Specified by:: removeEntry in interface java.security.acl.Acl
Parameters:: caller - Principal that owns the ACL; entry - AclEntry to be removed from an ACL
Returns:: false if there is no entry
Throws:: java.security.acl.NotOwnerException - if the caller principal does not own the ACL

getPermissions

public java.util.Enumeration getPermissions(java.security.Principal user)

Returns an enumeration for the set of allowed permissions for the specified principal (representing an entity such as an individual or a group). This set of allowed permissions is calculated as follows:

If there is no entry in an ACL (access control list) for the specified principal, an empty permission set is returned.
Otherwise, the principal's group permission sets are determined. (A principal can belong to one or more groups, where a group is a group of principals, represented by the Group interface.) The group positive permission set is the union of all the positive permissions of each group that the principal belongs to. The group negative permission set is the union of all the negative permissions of each group that the principal belongs to. If there is a specific permission that occurs in both the positive permission set and the negative permission set, it is removed from both.
The individual positive and negative permission sets are also determined. The positive permission set contains the permissions specified in the positive AclEntry (if any) for the principal. Similarly, the negative permission set contains the permissions specified in the negative AclEntry (if any) for the principal. The individual positive (or negative) permission set is considered to be null if there is not a positive (negative) AclEntry for the principal in an ACL.
The set of permissions granted to the principal is then calculated using the simple rule that individual permissions always override the group permissions. That is, the principal's individual negative permission set (specific denial of permissions) overrides the group positive permission set, and the principal's individual positive permission set overrides the group negative permission set.

Specified by:: getPermissions in interface java.security.acl.Acl
Parameters:: user - Principal whose permission set is to be returned
Returns:: Enumeration of permissions the principal is allowed

entries

public java.util.Enumeration entries()

Returns an enumeration of the entries in an ACL. Each element in the enumeration is of type AclEntry.

Specified by:: entries in interface java.security.acl.Acl
Returns:: Enumeration of the entries in an ACL

checkPermission

public boolean checkPermission(java.security.Principal principal,
                               java.security.acl.Permission permission)

Determines whether the specified principal has the specified permission. True is returned if so; otherwise false is returned.

More specifically, this method checks whether the passed permission is a member of the allowed permission set of the specified principal. The allowed permission set is determined by the same algorithm as is used by the getPermissions() method.

Specified by:: checkPermission in interface java.security.acl.Acl
Parameters:: principal - Principal (assumed to be a valid authenticated Principal); permission - Permission to be checked for
Returns:: true if the principal has the specified permission
See Also:: getPermissions(java.security.Principal)

getPermission

protected int getPermission(java.security.Principal principal,
                            java.security.acl.Permission permission)

toString

public java.lang.String toString()

Returns a string representation of the contents of an ACL.

Specified by:: toString in interface java.security.acl.Acl
Returns:: String representation of the ACL contents
Overrides:: toString in class java.lang.Object