org.openpermis.repository.basic
Class LdapSubjectRepository

java.lang.Object
  extended by org.openpermis.repository.basic.AbstractSubjectRepository
      extended by org.openpermis.repository.basic.LdapSubjectRepository
All Implemented Interfaces:
SubjectRepository

public class LdapSubjectRepository
extends AbstractSubjectRepository

Loads certificate attributes from an LDAP directory and builds a subject repository from them. This implementation of SubjectRepository connects to an LDAP directory (either anonymously or with a username and password) and looks at all nodes of the specified search context (node or subtree). For each node, it looks for attributes containing role assignment attribute certificates. The subject repository is built from all role assignment attribute certificates that were found and successfully validated. Note that it is not relevant in which node a role assignment is found: a role assignment does not have to be stored in the role holder's node. The search scope can be limited to the specified search context or extended to the whole subtree it defines. An arbitrary search filter can be specified to limit the number of nodes visited or to improve performance in large directories.

This implementation keeps the subject repository in an internal cache, so it is not necessary to query the directory for every call to retrieveSubject(URI). The validity period of data in the cache can be controlled with setCacheTimeout(long) and defaults to five seconds. The cache can be disabled, which leads to a potentially expensive LDAP query for every call to retrieveSubject(URI).

Since:
0.1.0

Constructor Summary
LdapSubjectRepository(CertificateVerifier certificateVerifier, String ldapUrl, String bindPrincipal, String bindPrincipalPassword, String ldapSearchBase, int ldapSearchScope)
          Creates an LDAP subject repository and internally stores the specified SOA certificate.
 
Method Summary
 void invalidateCache()
          Invalidates the internal data cache.
 Subject retrieveSubject(URI identity)
          Returns a subject whose identity matches the one specified.
 LdapSubjectRepository setCacheTimeout(long milliseconds)
          Sets the cache timeout in milliseconds.
 LdapSubjectRepository setInitialLdapContextFactory(String initialLdapContextFactory)
          Allows specifying the initial LDAP context factory that is used to search attribute certificates.
 LdapSubjectRepository setLdapFilter(String filterExpression, Object[] filterArguments)
          Allows specifying an LDAP filter expression that is used to search attribute certificates.
 LdapSubjectRepository setLdapSearchLimit(long maxResults)
          Sets the maximum number of results an LDAP directory may return in a search.
 
Methods inherited from class org.openpermis.repository.basic.AbstractSubjectRepository
updateSubjectMap
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

LdapSubjectRepository

public LdapSubjectRepository(CertificateVerifier certificateVerifier,
                             String ldapUrl,
                             String bindPrincipal,
                             String bindPrincipalPassword,
                             String ldapSearchBase,
                             int ldapSearchScope)
                      throws SubjectRepositoryException
Creates an LDAP subject repository and internally stores the specified SOA certificate. It is used for validating the attribute certificates of a subject.

The public key of the subject in the SOA certificate is considered to be authentic. It is the caller's duty to ensure that it really is authentic. Further, by specifying the SOA certificate, its subject is trusted.

Parameters:
certificateVerifier - The certificate verifier used to verify the attribute certificates. Must not be null.
ldapUrl - The LDAP URL. Example: "ldap://foo.host.com:389"
bindPrincipal - The distinguished name of the principal used to bind to the directory to perform the search. Use null to bind anonymously.
bindPrincipalPassword - The password of the principal used to bind to the directory to perform the search. Use null to bind anonymously.
ldapSearchBase - The search base.
ldapSearchScope - The search level. Must be either SearchControls.ONELEVEL_SCOPE or SearchControls.SUBTREE_SCOPE.
Throws:
SubjectRepositoryException - Thrown if an error occurs reading or interpreting the SOA certificate.
Since:
0.1.0
Method Detail

setLdapFilter

public LdapSubjectRepository setLdapFilter(String filterExpression,
                                           Object[] filterArguments)
Allows specifying an LDAP filter expression that is used to search attribute certificates. Setting a filter also invalidates the cache such that data is re-read from the directory the next time retrieveSubject(URI) is called.

Parameters:
filterExpression - An LDAP filter expression (following RFC 2254).
filterArguments - A list of arguments for the filter expression. May be null.
Returns:
Returns the object this method was called on (fluent interface).
Since:
0.1.0

setInitialLdapContextFactory

public LdapSubjectRepository setInitialLdapContextFactory(String initialLdapContextFactory)
Allows specifying the initial LDAP context factory that is used to search attribute certificates. Setting the factory also invalidates the cache such that data is re-read from the directory the next time retrieveSubject(URI) is called.

Parameters:
initialLdapContextFactory - The class name of the initial LDAP context factory.
Returns:
Returns the object this method was called on (fluent interface).
Since:
0.1.0

setLdapSearchLimit

public LdapSubjectRepository setLdapSearchLimit(long maxResults)
Sets the maximum number of results an LDAP directory may return in a search. Zero (0) means "no limit", which is the default. Note that there may be a server-side limit that cannot be influenced by the client.

Parameters:
maxResults - The maximum number of results.
Returns:
Returns the object this method was called on (fluent interface).
Since:
0.1.0

setCacheTimeout

public LdapSubjectRepository setCacheTimeout(long milliseconds)
Sets the cache timeout in milliseconds. The cache timeout defines how long data loaded from the directory is considered valid before it is reloaded. Use zero to disable caching and Long.MAX_VALUE to cache the data forever.

Parameters:
milliseconds - The number of milliseconds of the cache timeout.
Returns:
Returns the object this method was called on (fluent interface).
Since:
0.1.0

invalidateCache

public void invalidateCache()
Invalidates the internal data cache. Forces the data to be reloaded the next time retrieveSubject(URI) is called.

Since:
0.1.0

retrieveSubject

public Subject retrieveSubject(URI identity)
                        throws SubjectRepositoryException
Description copied from interface: SubjectRepository
Returns a subject whose identity matches the one specified.

Parameters:
identity - a URI that identifies a subject.
Returns:
a Subject associating a person with her assigned roles. The returned subject is never null, but will have no assigned roles for unknown identities.
Throws:
SubjectRepositoryException - when the repository fails to retrieve the roles for the specified identity.
Since:
0.1.0
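The following example, added here and not part of the OpenPERMIS distribution, wires the constructor and the fluent setters documented above into one configured repository: an authenticated subtree search restricted by a parameterised filter, a bounded result set, and a longer cache timeout. The LDAP URL, bind DN, search base and the PERMIS_LDAP_PASSWORD environment variable are constructed values; the packages of CertificateVerifier, Subject and SubjectRepositoryException are not given on this page, so their imports are placeholders to adjust.

```java
import java.net.URI;
import javax.naming.directory.SearchControls;
import org.openpermis.repository.basic.LdapSubjectRepository;
// Placeholder imports: the page names these types but not their packages.
import org.openpermis.CertificateVerifier;
import org.openpermis.Subject;
import org.openpermis.SubjectRepositoryException;

/** Builds a cached, filtered LDAP subject repository and resolves identities. */
public final class LdapRepositoryExample {

    /**
     * The verifier is supplied by the caller because this page does not say
     * how one is constructed. orgUnit is an untrusted value from configuration.
     */
    public static LdapSubjectRepository build(CertificateVerifier verifier,
                                              String orgUnit)
            throws SubjectRepositoryException {
        String password = System.getenv("PERMIS_LDAP_PASSWORD"); // constructed name
        if (password == null) {
            // Per the constructor doc a null password means an anonymous bind;
            // fail loudly instead of silently downgrading the search.
            throw new IllegalStateException("PERMIS_LDAP_PASSWORD is not set");
        }
        LdapSubjectRepository repo = new LdapSubjectRepository(
                verifier,
                "ldap://directory.example.org:389",                // constructed
                "cn=permis-reader,ou=services,dc=example,dc=org", // constructed
                password,
                "ou=people,dc=example,dc=org",                     // constructed
                SearchControls.SUBTREE_SCOPE);
        // orgUnit is passed as a filter argument rather than concatenated into
        // the expression, so LDAP-special characters in it cannot change the
        // filter's structure. Assumes the {0} placeholder convention of JNDI's
        // DirContext.search, which the Object[] argument list suggests.
        return repo.setLdapFilter("(&(objectClass=person)(ou={0}))",
                                  new Object[] { orgUnit })
                   .setLdapSearchLimit(500)    // bound the work done per reload
                   .setCacheTimeout(60_000L);  // one minute instead of the 5 s default
    }

    /** Unknown identities yield a Subject with no roles; the result is never null. */
    public static Subject lookup(LdapSubjectRepository repo, String identity)
            throws SubjectRepositoryException {
        return repo.retrieveSubject(URI.create(identity));
    }

    /** After a role assignment is revoked in the directory, drop the cache. */
    public static void afterDirectoryChange(LdapSubjectRepository repo) {
        repo.invalidateCache(); // next retrieveSubject(URI) re-reads the directory
    }
}
```

With the cache timeout of one minute, a revoked role assignment remains visible for up to that long unless afterDirectoryChange is called, which is the trade-off setCacheTimeout(long) controls.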


PERMIS Role Based Access Control 0.3.0 (Build 14)
2009/05/08 09:06:10
Copyright (c) 2002-2007 Ergon Informatik AG