org.exist.security.xacml
Class ExistPDP

java.lang.Object
  org.exist.security.xacml.ExistPDP

public class ExistPDP
extends Object

This class is responsible for creating the XACML Policy Decision Point (PDP) for a database instance. The PDP is the entity that accepts access requests and makes a decision whether the access is allowed. The PDP returns a decision to the requesting entity (called a Policy Enforcement Point, or PEP). This decision is either Permit, Deny, Indeterminate, or Not Applicable. Not Applicable occurs if no policy could be found that applied to the request. Indeterminate occurs if there was an error processing the request or the request was invalid.

This class also provides convenience methods for most uses. The main method is evaluate, which will throw a PermissionDeniedException unless the decision was Permit and no Obligations were required. An Obligation is a conditional access decision. If the PEP cannot perform the Obligation, then it cannot accept the decision.

RequestHelper provides methods for creating a RequestCtx, which is then passed to the PDP either indirectly by calling evaluate or directly by calling getPDP().evaluate(). The first method can probably be used in most cases, while the second one allows more flexibility in handling the response.

See Also:

XACMLConstants, ExistPolicyModule, RequestHelper

Constructor Summary

ExistPDP(BrokerPool pool)

Method Summary

void	close() Performs any necessary cleanup operations.
void	evaluate(RequestCtx request) The method that will be used most of the time.
BrokerPool	getBrokerPool() Obtains the BrokerPool with which this instance is associated.
PDP	getPDP() For use when evaluate is not flexible enough.
PDPConfig	getPDPConfig() Returns the PDPConfig used to initialize the underlying PDP.
RequestHelper	getRequestHelper() Gets a RequestHelper
XACMLUtil	getUtil() Obtains the XACML utility instance for this database instance.
void	handleResponse(ResponseCtx response) This method handles a ResponseCtx generated by a PDP request by doing nothing if the ResponseCtx includes Results that have no Obligations and only have the decision Permit.
void	handleResult(Result result) This method handles a single Result generated by a PDP request by doing nothing if the Result has no Obligations and only has the decision Permit.
void	initializePolicyCollection()

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ExistPDP

public ExistPDP(BrokerPool pool)

Parameters:

pool - A BrokerPool used to obtain an instance of a DBBroker in order to read policies from the database.

Method Detail

initializePolicyCollection

public void initializePolicyCollection()

getPDPConfig

public PDPConfig getPDPConfig()

Returns the PDPConfig used to initialize the underlying PDP.

Returns:

the PDPConfig

getBrokerPool

public BrokerPool getBrokerPool()

Obtains the BrokerPool with which this instance is associated.

Returns:

This instance's associated BrokerPool

getUtil

public XACMLUtil getUtil()

Obtains the XACML utility instance for this database instance.

Returns:

the associated XACML utility object

close

public void close()

Performs any necessary cleanup operations. Generally only called if XACML has been disabled.

evaluate

public void evaluate(RequestCtx request)
              throws PermissionDeniedException

The method that will be used most of the time. It provides the simplest interface to the underlying PDP by permitting the request only if the ResponseCtx includes Results that have no Obligations and only have the decision Permit. Other cases result in a PermissionDeniedException. The other cases include when an applicable policy cannot be found and when an error occurs.

Parameters:

request - the access request

Throws:

PermissionDeniedException - if the request is not allowed

handleResponse

public void handleResponse(ResponseCtx response)
                    throws PermissionDeniedException

This method handles a ResponseCtx generated by a PDP request by doing nothing if the ResponseCtx includes Results that have no Obligations and only have the decision Permit. Other cases result in a PermissionDeniedException. The other cases include the Deny, Indeterminate, and Not Applicable decisions.

Parameters:

response - the PDP response to an access request

Throws:

PermissionDeniedException - if the response does not have a decsion of Permit or it has any Obligations.

handleResult

public void handleResult(Result result)
                  throws PermissionDeniedException

This method handles a single Result generated by a PDP request by doing nothing if the Result has no Obligations and only has the decision Permit. Other cases result in a PermissionDeniedException. The other cases include a decision of Deny, Indeterminate, or Not Applicable.

Parameters:

result - a Result in a ResponseCtx generated by a PDP in response to an access request

Throws:

PermissionDeniedException - if the result does not have a decsion of Permit or it has any Obligations.

getPDP

public PDP getPDP()

For use when evaluate is not flexible enough. That is, use this method when you want direct access to the PDP. This allows you to use an EvaluationCtx instead of a RequestCtx and direct access to the ResponseCtx to allow for handling of Obligations or decisions other than Permit.

The basic usage is then:

ResponseCtx response = getPDP().evaluate(RequestCtx ctx)

or

ResponseCtx response = getPDP().evaluate(EvaluationCtx ctx)

The response should then be checked for Obligations and the PDP's decision.

Returns:

the actual PDP wrapped by this class

getRequestHelper

public RequestHelper getRequestHelper()

Gets a RequestHelper

Returns:

The RequestHelper for this database instance