
WebLogic Server 5.1.0 API Reference

weblogic.security.acl
Class CachingRealm

java.lang.Object
  |
  +--weblogic.security.acl.CachingRealm

public class CachingRealm
extends java.lang.Object
implements ManageableRealm, DebuggableRealm

Caching realm: wraps a delegate realm (and, optionally, a backup realm) and caches the results of its lookups in positive and negative caches.

Author:
Copyright (c) 2000 by BEA Systems, Inc. All Rights Reserved.

Inner Class Summary
protected static class CachingRealm.CaseInsensitiveUserInfo
          This class is intended for use if the auth cache is not case-sensitive.
protected static class CachingRealm.Entry
          Cache entry class.
protected static class CachingRealm.UserEntry
          This is a special entry class, used only in the user positive cache.
 
Field Summary
protected  TTLCache aclNegCache
          ACL negative cache.
static java.lang.String aclNegId
           
protected  TTLCache aclPosCache
          ACL positive cache.
static java.lang.String aclPosId
           
protected  java.lang.Object aclSync
          ACL sync object.
protected  TTLCache authNegCache
          Authentication negative cache.
static java.lang.String authNegId
           
protected  TTLCache authPosCache
          Authentication positive cache.
static java.lang.String authPosId
           
protected  boolean caseSensitive
          Whether this cache is case-sensitive.
protected  TTLCache groupNegCache
          Group negative cache.
static java.lang.String groupNegId
           
protected  TTLCache groupPosCache
          Group positive cache.
static java.lang.String groupPosId
           
protected  java.lang.Object groupSync
          Group sync object.
protected  weblogic.logging.LogOutputStream log
          Debugging log.
protected  TTLCache permNegCache
          Permission negative cache.
static java.lang.String permNegId
           
protected  TTLCache permPosCache
          Permission positive cache.
static java.lang.String permPosId
           
protected  java.lang.Object permSync
          Permission sync object.
protected  TTLCache userNegCache
          User negative cache.
static java.lang.String userNegId
           
protected  TTLCache userPosCache
          User positive cache.
static java.lang.String userPosId
           
protected  java.lang.Object userSync
          User and authentication sync object.
 
Constructor Summary
CachingRealm(ListableRealm delegate)
          Create a new caching realm instance.
CachingRealm(ListableRealm delegate, ManageableRealm backup, java.lang.Object credential)
          Create a new caching realm instance.
 
Method Summary
 User authenticate(UserInfo userInfo)
          Attempt to authenticate the given user.
 void clearAclCaches()
          Clear the ACL positive and negative caches.
 void clearCaches()
          Clear all caches.
 void clearGroupCaches()
          Clear the group positive and negative caches.
 void clearPermCaches()
          Clear the permission positive and negative caches.
 void clearUserCaches()
          Clear all user-related caches.
static void declareProperties(weblogic.t3.services.Config cfg)
          Set up the configuration parameters of this realm class.
 void deleteAcl(java.security.Principal owner, java.security.acl.Acl acl)
          Delete an ACL from both the delegate and backup realms.
 void deleteGroup(java.security.acl.Group group)
          Delete a group from both the delegate and backup realms.
 void deletePermission(java.security.acl.Permission perm)
          Delete a permission from both the delegate and backup realms.
 void deleteUser(User user)
          Delete a user from both the delegate and backup realms.
 java.security.acl.Acl getAcl(java.lang.String name)
           
 java.security.acl.Acl getAcl(java.lang.String name, char separator)
           
 java.security.Principal getAclOwner(java.lang.Object credential)
          This is a direct call through to getAclOwner in delegate and/or backup realms.
 java.util.Enumeration getAcls()
          Return all ACLs in both the delegate and backup realms.
static weblogic.t3.services.Property[] getCacheProps()
           
 java.lang.Object getCacheValue(java.lang.Object propId)
           
 weblogic.t3.services.Property[] getCacheValues()
           
 weblogic.logging.LogOutputStream getDebugLog()
           
 java.lang.Class getDelegateClass()
          Return the class of the delegate realm.
 java.security.acl.Group getGroup(java.lang.String name)
           
 java.util.Enumeration getGroups()
          Return all groups in both the delegate and backup realms.
 java.lang.String getName()
          Return the name of this realm.
 java.security.acl.Permission getPermission(java.lang.String name)
           
 java.util.Enumeration getPermissions()
          Return all permissions in both the delegate and backup realms.
 java.security.Principal getPrincipal(java.lang.String name)
           
 User getUser(java.lang.String name)
          Return the User.
 User getUser(UserInfo userInfo)
          Call through to the authenticate method.
 java.util.Enumeration getUsers()
          Return all users in both the delegate and backup realms.
 void init(java.lang.String name, java.lang.Object ownerCredential)
          Call through to the init methods in the delegate and backup realms.
 void load(java.lang.String name, java.lang.Object credential)
          Call through to the load methods in the delegate and backup realms.
 java.security.acl.Acl lookupAcl(java.lang.String name)
          Look for the given ACL in the cache.
 java.security.acl.Acl lookupAcl(java.lang.String name, char separator)
           
 java.security.acl.Group lookupGroup(java.lang.String name)
          Look for the given group in the cache.
 java.security.acl.Permission lookupPermission(java.lang.String name)
          Perform a cache lookup for a permission.
 java.security.Principal lookupPrincipal(java.lang.String name)
          Look for the named principal in the user and group caches.
 User lookupUser(java.lang.String name)
          Look for the given user in the cache.
 BasicRealm masqueradeAs(java.lang.String realmName)
          Ensure that the given name in the set of realms points to this realm.
 java.security.acl.Acl newAcl(java.security.Principal owner, java.lang.String name)
          Create a new ACL in a realm-specific way.
 java.security.acl.Group newGroup(java.lang.String name)
          Create a new group in a realm-specific way.
 java.security.acl.Permission newPermission(java.lang.String name)
          Create a new permission in a realm-specific way.
 User newUser(java.lang.String name, java.lang.Object credential, java.lang.Object constraints)
          Create a new user in a realm-specific way.
 void save(java.lang.String name)
          Call through to the save methods in the delegate and backup realms.
 void setDebug(boolean enable)
           
 void setPermission(java.security.acl.Acl acl, java.security.Principal principal, java.security.acl.Permission permission, boolean allow)
          Sets or unsets a permission for a principal in an ACL.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

aclPosId

public static final java.lang.String aclPosId

aclNegId

public static final java.lang.String aclNegId

groupPosId

public static final java.lang.String groupPosId

groupNegId

public static final java.lang.String groupNegId

permPosId

public static final java.lang.String permPosId

permNegId

public static final java.lang.String permNegId

userPosId

public static final java.lang.String userPosId

userNegId

public static final java.lang.String userNegId

authPosId

public static final java.lang.String authPosId

authNegId

public static final java.lang.String authNegId

caseSensitive

protected boolean caseSensitive
Whether this cache is case-sensitive.

aclPosCache

protected TTLCache aclPosCache
ACL positive cache. You must synchronize on aclSync if you wish to perform any action on either ACL cache.
See Also:
aclNegCache, aclSync

aclNegCache

protected TTLCache aclNegCache
ACL negative cache. You must synchronize on aclSync if you wish to perform any action on either ACL cache.
See Also:
aclPosCache, aclSync

aclSync

protected final java.lang.Object aclSync
ACL sync object. You must synchronize on this if you wish to perform any action on either ACL cache.
See Also:
aclPosCache, aclNegCache

groupPosCache

protected TTLCache groupPosCache
Group positive cache. You must synchronize on groupSync if you wish to perform any action on either group cache.
See Also:
groupNegCache, groupSync

groupNegCache

protected TTLCache groupNegCache
Group negative cache. You must synchronize on groupSync if you wish to perform any action on either group cache.
See Also:
groupPosCache, groupSync

groupSync

protected final java.lang.Object groupSync
Group sync object. You must synchronize on this if you wish to perform any action on either group cache.
See Also:
groupPosCache, groupNegCache

permPosCache

protected TTLCache permPosCache
Permission positive cache. You must synchronize on permSync if you wish to perform any action on either permission cache.
See Also:
permNegCache, permSync

permNegCache

protected TTLCache permNegCache
Permission negative cache. You must synchronize on permSync if you wish to perform any action on either permission cache.
See Also:
permPosCache, permSync

permSync

protected final java.lang.Object permSync
Permission sync object. You must synchronize on this if you wish to perform any action on either permission cache.
See Also:
permPosCache, permNegCache

userPosCache

protected TTLCache userPosCache
User positive cache. You must synchronize on userSync if you wish to perform any action on any of the user or authentication caches.
See Also:
userNegCache, authPosCache, authNegCache, userSync

userNegCache

protected TTLCache userNegCache
User negative cache. You must synchronize on userSync if you wish to perform any action on any of the user or authentication caches.
See Also:
userPosCache, authPosCache, authNegCache, userSync

authPosCache

protected TTLCache authPosCache
Authentication positive cache. You must synchronize on userSync if you wish to perform any action on any of the user or authentication caches.
See Also:
userPosCache, userNegCache, authNegCache, userSync

authNegCache

protected TTLCache authNegCache
Authentication negative cache. You must synchronize on userSync if you wish to perform any action on any of the user or authentication caches.
See Also:
userPosCache, userNegCache, authPosCache, userSync

userSync

protected final java.lang.Object userSync
User and authentication sync object. You must synchronize on this if you wish to perform any action on any of the user or authentication caches.
See Also:
userPosCache, userNegCache, authPosCache, authNegCache

log

protected weblogic.logging.LogOutputStream log
Debugging log. May be null.
Constructor Detail

CachingRealm

public CachingRealm(ListableRealm delegate)
Create a new caching realm instance. We delegate to the given realm, and use no backup.

Parameters:
delegate - the realm to delegate to

CachingRealm

public CachingRealm(ListableRealm delegate,
                    ManageableRealm backup,
                    java.lang.Object credential)
Create a new caching realm instance. We delegate to the given primary and backup realms.

Parameters:
delegate - the realm to delegate to
backup - the backup realm to delegate to
credential - security credential
Method Detail

getCacheProps

public static weblogic.t3.services.Property[] getCacheProps()


masqueradeAs

public BasicRealm masqueradeAs(java.lang.String realmName)
Ensure that the given name in the set of realms points to this realm. This is useful for making sure that Realm.getRealm() will return this object for a particular name.

Returns:
the previous realm with this name, or null if there was none
See Also:
Realm.getRealm(java.lang.String)

declareProperties

public static void declareProperties(weblogic.t3.services.Config cfg)
                              throws weblogic.t3.services.ConfigurationException
Set up the configuration parameters of this realm class.

Parameters:
cfg -  
Throws:
weblogic.t3.services.ConfigurationException -  

init

public void init(java.lang.String name,
                 java.lang.Object ownerCredential)
          throws java.security.acl.NotOwnerException
Call through to the init methods in the delegate and backup realms.

See Also:
BasicRealm.init(java.lang.String, java.lang.Object)

getName

public java.lang.String getName()
Return the name of this realm.

Returns:
the name of this realm

getUser

public User getUser(java.lang.String name)
Return the user with the given name.

Parameters:
name - String name of user
Returns:
the User

lookupPrincipal

public java.security.Principal lookupPrincipal(java.lang.String name)
Look for the named principal in the user and group caches. If the principal is not in the cache, null is returned.


getPrincipal

public java.security.Principal getPrincipal(java.lang.String name)


lookupUser

public User lookupUser(java.lang.String name)
Look for the given user in the cache. If the user is not currently cached, null is returned.


getUser

public User getUser(UserInfo userInfo)
Call through to the authenticate method.

See Also:
authenticate(weblogic.security.acl.UserInfo)

authenticate

public User authenticate(UserInfo userInfo)
Attempt to authenticate the given user.

Parameters:
userInfo - authentication info associated with the user
Returns:
a User object, if authentication succeeded, otherwise null

getAclOwner

public java.security.Principal getAclOwner(java.lang.Object credential)
This is a direct call through to getAclOwner in delegate and/or backup realms. Its result is not cached.

See Also:
BasicRealm.getAclOwner(java.lang.Object)

lookupGroup

public java.security.acl.Group lookupGroup(java.lang.String name)
Look for the given group in the cache. If the group is not currently cached, null is returned.


getGroup

public java.security.acl.Group getGroup(java.lang.String name)

Parameters:
name - of the group to get
Returns:
Group or null if not found

lookupAcl

public java.security.acl.Acl lookupAcl(java.lang.String name)
Look for the given ACL in the cache. If the ACL is not currently cached, null is returned.


getAcl

public java.security.acl.Acl getAcl(java.lang.String name)

Parameters:
name - of the Acl to retrieve
Returns:
Acl requested or null

lookupAcl

public java.security.acl.Acl lookupAcl(java.lang.String name,
                                       char separator)

Parameters:
name - of Acl to look up
separator - character that separates segments in an Acl name, usually '.'
Returns:
Acl that is the best match

getAcl

public java.security.acl.Acl getAcl(java.lang.String name,
                                    char separator)

Parameters:
name - of the Acl to lookup
separator - character that separates segments in an Acl name
Returns:
Acl that is the best match

lookupPermission

public java.security.acl.Permission lookupPermission(java.lang.String name)
Perform a cache lookup for a permission. If the given permission is not in the cache, null is returned.

Parameters:
name - of permission to lookup
Returns:
Permission requested, or null if not cached

getPermission

public java.security.acl.Permission getPermission(java.lang.String name)

Parameters:
name - Permission to get
Returns:
Permission requested or null

load

public void load(java.lang.String name,
                 java.lang.Object credential)
          throws java.lang.ClassNotFoundException,
                 java.io.IOException,
                 java.security.acl.NotOwnerException
Call through to the load methods in the delegate and backup realms.

See Also:
BasicRealm.load(java.lang.String, java.lang.Object)

save

public void save(java.lang.String name)
          throws java.io.IOException
Call through to the save methods in the delegate and backup realms.

See Also:
BasicRealm.save(java.lang.String)

newUser

public User newUser(java.lang.String name,
                    java.lang.Object credential,
                    java.lang.Object constraints)
             throws java.lang.SecurityException
Create a new user in a realm-specific way. If the user could not be created in the delegate realm, it is created in the backup realm. If the create succeeds, any existing user negative cache entry is cleared to ensure that the new user appears immediately.

Note: we do not currently attempt to clear the negative authentication cache when a new user is created, because there may be several negative hits associated with a given user and keeping track of them is not practicable.

For this reason, you should keep the time-to-live value on the negative authentication cache low if you intend to add users to a realm, otherwise you risk denying them access because of negative cache entries that have not yet expired.

If you must ensure that the negative authentication cache is cleared when a user is created, simply extend this class and make sure that your implementation of this method traverses the negative authentication cache, clearing any entries whose names match the name of the new user. This may be an expensive operation, depending on cache size and frequency of user creation.

Specified by:
newUser in interface ManageableRealm

Throws:
java.lang.SecurityException - the operation was not permitted or failed for security reasons
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.newUser(java.lang.String, java.lang.Object, java.lang.Object)

newGroup

public java.security.acl.Group newGroup(java.lang.String name)
                                 throws java.lang.SecurityException
Create a new group in a realm-specific way. If the group could not be created in the delegate realm, it is created in the backup realm. If the create succeeds, any existing group negative cache entry is cleared to ensure that the new group appears immediately.

Specified by:
newGroup in interface ManageableRealm

Throws:
java.lang.SecurityException - the operation was not permitted or failed for security reasons
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.newGroup(java.lang.String)

newAcl

public java.security.acl.Acl newAcl(java.security.Principal owner,
                                    java.lang.String name)
                             throws java.lang.SecurityException
Create a new ACL in a realm-specific way. If the ACL could not be created in the delegate realm, it is created in the backup realm. If the create succeeds, any existing ACL negative cache entry is cleared to ensure that the new ACL appears immediately.

Specified by:
newAcl in interface ManageableRealm

Throws:
java.lang.SecurityException - the operation was not permitted or failed for security reasons
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.newAcl(java.security.Principal, java.lang.String)

newPermission

public java.security.acl.Permission newPermission(java.lang.String name)
                                           throws java.lang.SecurityException
Create a new permission in a realm-specific way. If the permission could not be created in the delegate realm, it is created in the backup realm. If the create succeeds, any existing permission negative cache entry is cleared to ensure that the new permission appears immediately.

Specified by:
newPermission in interface ManageableRealm

Throws:
java.lang.SecurityException - the operation was not permitted or failed for security reasons
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.newPermission(java.lang.String)

deleteUser

public void deleteUser(User user)
                throws java.lang.SecurityException
Delete a user from both the delegate and backup realms. If entries exist in either the user or auth positive caches, they are cleared so that the user disappears immediately.
Specified by:
deleteUser in interface ManageableRealm

Throws:
java.lang.SecurityException - the operation was not permitted or failed for security reasons
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.deleteUser(weblogic.security.acl.User)

deleteGroup

public void deleteGroup(java.security.acl.Group group)
                 throws java.lang.SecurityException
Delete a group from both the delegate and backup realms. If an entry exists in the group positive cache, it is cleared so that the group disappears immediately.
Specified by:
deleteGroup in interface ManageableRealm

Throws:
java.lang.SecurityException - the operation was not permitted or failed for security reasons
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.deleteGroup(java.security.acl.Group)

deletePermission

public void deletePermission(java.security.acl.Permission perm)
                      throws java.lang.SecurityException
Delete a permission from both the delegate and backup realms. If an entry exists in the permission positive cache, it is cleared so that the permission disappears immediately.
Specified by:
deletePermission in interface ManageableRealm

Throws:
java.lang.SecurityException - the operation was not permitted or failed for security reasons
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.deletePermission(java.security.acl.Permission)

deleteAcl

public void deleteAcl(java.security.Principal owner,
                      java.security.acl.Acl acl)
               throws java.lang.SecurityException
Delete an ACL from both the delegate and backup realms. If an entry exists in the ACL positive cache, it is cleared so that the ACL disappears immediately.
Specified by:
deleteAcl in interface ManageableRealm

Throws:
java.lang.SecurityException - the operation was not permitted or failed for security reasons
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.deleteAcl(java.security.Principal, java.security.acl.Acl)

setPermission

public void setPermission(java.security.acl.Acl acl,
                          java.security.Principal principal,
                          java.security.acl.Permission permission,
                          boolean allow)
Sets or unsets a permission for a principal in an ACL. If the call succeeds in either the delegate or backup realm, the ACL negative or positive cache is cleared, depending on whether or not the permission is to be allowed.
Specified by:
setPermission in interface ManageableRealm

Throws:
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ManageableRealm.setPermission(java.security.acl.Acl, java.security.Principal, java.security.acl.Permission, boolean)

getUsers

public java.util.Enumeration getUsers()
Return all users in both the delegate and backup realms.

Throws:
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ListableRealm.getUsers()

getGroups

public java.util.Enumeration getGroups()
Return all groups in both the delegate and backup realms.

Throws:
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ListableRealm.getGroups()

getAcls

public java.util.Enumeration getAcls()
Return all ACLs in both the delegate and backup realms.

Throws:
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ListableRealm.getAcls()

getPermissions

public java.util.Enumeration getPermissions()
Return all permissions in both the delegate and backup realms.

Throws:
weblogic.utils.UnsupportedOperationException - the delegate realm does not support this operation
See Also:
ListableRealm.getPermissions()

clearCaches

public void clearCaches()
Clear all caches.


clearUserCaches

public void clearUserCaches()
Clear all user-related caches. This method clears both the user and authentication positive and negative caches.


clearGroupCaches

public void clearGroupCaches()
Clear the group positive and negative caches.


clearAclCaches

public void clearAclCaches()
Clear the ACL positive and negative caches.


clearPermCaches

public void clearPermCaches()
Clear the permission positive and negative caches.


setDebug

public void setDebug(boolean enable)
Specified by:
setDebug in interface DebuggableRealm


getDebugLog

public weblogic.logging.LogOutputStream getDebugLog()
Specified by:
getDebugLog in interface DebuggableRealm


getDelegateClass

public java.lang.Class getDelegateClass()
Return the class of the delegate realm. You can use this for runtime type checking, to see what kind of realm this CachingRealm instance delegates to.


getCacheValues

public weblogic.t3.services.Property[] getCacheValues()


getCacheValue

public java.lang.Object getCacheValue(java.lang.Object propId)

