java.lang.Object
  org.openpermis.repository.basic.AbstractSubjectRepository
    org.openpermis.repository.basic.LdapSubjectRepository
public class LdapSubjectRepository
extends AbstractSubjectRepository

Loads certificate attributes from an LDAP directory and builds a subject repository from them.

This implementation of SubjectRepository connects to an LDAP directory (either anonymously or with a bind DN and password) and examines every entry of the specified search context (the children of the base entry, or its whole subtree). In each entry it looks for attributes containing role assignment attribute certificates. The subject repository is built from all role assignment attribute certificates that are found and that the CertificateVerifier validates successfully; a certificate that fails validation contributes no roles.

Note that it does not matter in which entry a role assignment is found: a role assignment need not be stored in the entry of the role holder. The consequence for deployment is that directory write permissions do not decide who holds which role. Any certificate within the search scope is a candidate, and only the verifier's validation (and therefore the signing keys it trusts) decides whether it is accepted.

The search scope can be limited to the entries directly below the search base or extended to the whole subtree below it. An arbitrary search filter can be specified to reduce the number of entries examined or to improve performance in large directories.

This implementation keeps the subject repository in an internal cache, so the directory need not be queried on every call to retrieveSubject(URI). The validity period of cached data is controlled with setCacheTimeout(long) and defaults to five seconds. The cache can be disabled, in which case every call to retrieveSubject(URI) may result in an expensive LDAP query. While cached data is valid, role assignments added to or removed from the directory are not visible; call invalidateCache() when a change must take effect before the timeout expires.
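The following is an added example of wiring up and using the repository described above; it is not code from the PERMIS project. The host name, search base, filter attribute and the package locations of CertificateVerifier, Subject and SubjectRepositoryException are assumptions (this page only places LdapSubjectRepository and AbstractSubjectRepository in org.openpermis.repository.basic), and how a CertificateVerifier holding the SOA trust anchor is constructed is outside this page.

```java
import java.net.URI;

import javax.naming.directory.SearchControls;

// Package names for CertificateVerifier, Subject and SubjectRepositoryException are assumed.
import org.openpermis.repository.basic.CertificateVerifier;
import org.openpermis.repository.basic.LdapSubjectRepository;
import org.openpermis.repository.basic.Subject;
import org.openpermis.repository.basic.SubjectRepositoryException;

public final class LdapRepositoryExample {

    /**
     * Builds a repository over an assumed "ou=people" subtree. The verifier carries the
     * trust anchor (the SOA certificate); this example receives it ready-made.
     */
    public static LdapSubjectRepository createRepository(CertificateVerifier verifier,
                                                         String bindDn,
                                                         String bindPassword)
            throws SubjectRepositoryException {
        if (verifier == null) {
            throw new IllegalArgumentException("certificateVerifier must not be null");
        }
        // Bind either anonymously (both null) or with both a DN and a non-empty password.
        // A DN combined with a null or empty password is an "unauthenticated" bind that some
        // servers accept without checking anything, so refuse that combination up front.
        boolean oneIsNull = (bindDn == null) != (bindPassword == null);
        boolean emptyPassword = bindPassword != null && bindPassword.isEmpty();
        if (oneIsNull || emptyPassword) {
            throw new IllegalArgumentException(
                    "bindPrincipal and bindPrincipalPassword must both be set or both be null");
        }

        LdapSubjectRepository repo = new LdapSubjectRepository(
                verifier,
                "ldaps://directory.example.org:636", // assumed host; ldaps:// keeps the bind
                                                     // password and the certificates off the
                                                     // wire in clear text
                bindDn,
                bindPassword,
                "ou=people,dc=example,dc=org",       // assumed search base
                SearchControls.SUBTREE_SCOPE);

        return repo
                // Examine only entries that actually carry attribute certificates. The
                // attribute name (attributeCertificateAttribute, RFC 4523) is an assumption
                // about the directory schema, not something this page specifies.
                .setLdapFilter("(attributeCertificateAttribute=*)", null)
                // Cap the result set so a mis-scoped filter cannot drag in the whole directory.
                .setLdapSearchLimit(1000L)
                // Accept role changes being up to 30 s stale in exchange for fewer searches.
                .setCacheTimeout(30_000L);
    }

    /** Resolves the roles of one identity. Unknown identities yield a subject with no roles. */
    public static Subject lookup(LdapSubjectRepository repo, URI identity)
            throws SubjectRepositoryException {
        return repo.retrieveSubject(identity);
    }

    /**
     * Use after an administrator has added or revoked a role assignment certificate in the
     * directory: dropping the cache makes the next lookup reflect the change instead of
     * waiting for the cache timeout.
     */
    public static Subject lookupFresh(LdapSubjectRepository repo, URI identity)
            throws SubjectRepositoryException {
        repo.invalidateCache();
        return repo.retrieveSubject(identity);
    }
}
```

The bind-parameter check exists because the constructor documents null for anonymous binding but says nothing about mixed combinations; rejecting them in the caller avoids relying on the directory server's handling of an unauthenticated bind. The chained configuration calls rely only on the setters' declared return type.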
Constructor Summary

| Constructor | Description |
|---|---|
| LdapSubjectRepository(CertificateVerifier certificateVerifier, String ldapUrl, String bindPrincipal, String bindPrincipalPassword, String ldapSearchBase, int ldapSearchScope) | Creates an LDAP subject repository and internally stores the specified SOA certificate. |

Method Summary

| Return type | Method | Description |
|---|---|---|
| void | invalidateCache() | Invalidates the internal data cache. |
| Subject | retrieveSubject(URI identity) | Returns a subject whose identity matches the one specified. |
| LdapSubjectRepository | setCacheTimeout(long milliseconds) | Sets the cache timeout in milliseconds. |
| LdapSubjectRepository | setInitialLdapContextFactory(String initialLdapContextFactory) | Allows specifying the initial LDAP context factory that is used to search attribute certificates. |
| LdapSubjectRepository | setLdapFilter(String filterExpression, Object[] filterArguments) | Allows specifying an LDAP filter expression that is used to search attribute certificates. |
| LdapSubjectRepository | setLdapSearchLimit(long maxResults) | Sets the maximum number of results an LDAP directory may return in a search. |

Methods inherited from class org.openpermis.repository.basic.AbstractSubjectRepository

updateSubjectMap

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public LdapSubjectRepository(CertificateVerifier certificateVerifier, String ldapUrl, String bindPrincipal, String bindPrincipalPassword, String ldapSearchBase, int ldapSearchScope) throws SubjectRepositoryException

The public key of the subject in the SOA certificate is considered to be authentic. It is the caller's duty to ensure that it really is authentic. Further, by specifying the SOA certificate, its subject is trusted.

Parameters:
certificateVerifier - The certificate verifier used to verify the attribute certificates. Must not be null.
ldapUrl - The LDAP URL. Example: "ldap://foo.host.com:389". Over a plain ldap:// connection the bind password and the retrieved certificates cross the network in clear text; on an untrusted network use ldaps:// or another TLS-protected connection.
bindPrincipal - The distinguished name of the principal used to bind to the directory to perform the search. Use null to bind anonymously.
bindPrincipalPassword - The password of the principal used to bind to the directory to perform the search. Use null to bind anonymously. Set the DN and the password together: a DN with a null or empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that some directory servers accept without checking any credential.
ldapSearchBase - The search base, i.e. the distinguished name of the entry at which the search starts.
ldapSearchScope - The search scope. Must be either SearchControls.ONELEVEL_SCOPE or SearchControls.SUBTREE_SCOPE.

Throws:
SubjectRepositoryException - Thrown if an error occurs reading or interpreting the SOA certificate.

Method Detail
public LdapSubjectRepository setLdapFilter(String filterExpression, Object[] filterArguments)

Allows specifying an LDAP filter expression that is used to search attribute certificates. The filter is applied when the directory is searched, i.e. when retrieveSubject(URI) is called.

Parameters:
filterExpression - An LDAP filter expression (following RFC 2254, since superseded by RFC 4515).
filterArguments - A list of arguments for the filter expression. May be null. Values that are not fixed at deployment time belong here rather than concatenated into filterExpression: the initial LDAP context factory setting indicates the repository is built on JNDI, whose convention references the arguments as {0}, {1}, ... in the expression, and a value containing '*', '(' or ')' that is pasted into the expression text changes the structure of the filter instead of being matched literally.
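The distinction between a filter value and filter text matters whenever the value originates outside the configuration, for instance a department or tenant name taken from a request. The following is an added example, not code from the PERMIS project; the attribute names are assumptions about the directory schema, and it is assumed that the repository hands filterArguments through to the JNDI search, which is what the {0} placeholder convention implies. Because only certificates that the verifier validates contribute roles, a widened filter does not grant anyone a role by itself; what it does is defeat the scoping the deployer intended and let the caller enlarge the result set up to the search limit.

```java
import org.openpermis.repository.basic.LdapSubjectRepository; // package as given on this page

public final class LdapFilterValues {

    /** Escapes one assertion value as required by RFC 4515 (the successor of RFC 2254). */
    public static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Unsafe: the department name becomes part of the filter grammar. The constructed input
     * "*)(objectClass=*" turns the filter into (&(ou=*)(objectClass=*)(...)), which matches
     * every entry that carries a certificate instead of one department.
     */
    public static String unsafeFilter(String department) {
        return "(&(ou=" + department + ")(attributeCertificateAttribute=*))";
    }

    /** Same filter with the value escaped, so the same input is matched as a literal string. */
    public static String safeFilter(String department) {
        return "(&(ou=" + escapeFilterValue(department) + ")(attributeCertificateAttribute=*))";
    }

    /**
     * Preferred: keep the expression constant and pass the value as a filter argument. The
     * {0} placeholder is the JNDI convention; it is assumed that the repository passes
     * filterArguments through to the JNDI search unchanged.
     */
    public static LdapSubjectRepository configureFilter(LdapSubjectRepository repo,
                                                        String department) {
        return repo.setLdapFilter("(&(ou={0})(attributeCertificateAttribute=*))",
                                  new Object[] { department });
    }

    public static void main(String[] args) {
        String hostile = "*)(objectClass=*"; // constructed input
        System.out.println("unsafe: " + unsafeFilter(hostile));
        System.out.println("safe:   " + safeFilter(hostile));
    }
}
```

Run main to compare the two filters: the unsafe form contains a second, attacker-supplied assertion, while the safe form carries the same characters as hex escapes inside the single ou assertion.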
public LdapSubjectRepository setInitialLdapContextFactory(String initialLdapContextFactory)

Allows specifying the initial LDAP context factory that is used to search attribute certificates. The factory is used when the directory is searched, i.e. when retrieveSubject(URI) is called.

Parameters:
initialLdapContextFactory - The class name of the initial LDAP context factory, for example com.sun.jndi.ldap.LdapCtxFactory, the JDK's own JNDI LDAP provider.

public LdapSubjectRepository setLdapSearchLimit(long maxResults)

Sets the maximum number of results an LDAP directory may return in a search. The directory server may enforce a lower size limit of its own.

Parameters:
maxResults - The maximum number of results.

public LdapSubjectRepository setCacheTimeout(long milliseconds)

Sets the cache timeout in milliseconds. Until the timeout expires, retrieveSubject(URI) is answered from the cache, so a role assignment added to or removed from the directory can take up to this long to become effective unless invalidateCache() is called.

Parameters:
milliseconds - The number of milliseconds of the cache timeout.

public void invalidateCache()

Invalidates the internal data cache. The directory is queried again the next time retrieveSubject(URI) is called.

public Subject retrieveSubject(URI identity) throws SubjectRepositoryException

Returns a subject whose identity matches the one specified.

Specified by:
retrieveSubject in interface SubjectRepository

Parameters:
identity - a URI that identifies a subject.

Returns:
a Subject associating a person with her assigned roles. The returned subject is never null, but has no assigned roles for unknown identities. Keep this case apart from the exception below: an unknown identity is a normal, empty result, whereas the exception means the directory could not be queried or its certificates could not be interpreted, which deserves an alert rather than a silent denial.

Throws:
SubjectRepositoryException - when the repository fails to retrieve the roles for the specified identity.
PERMIS Role Based Access Control 0.4.0 (Build 15)
2009/05/20 08:14:49
Copyright (c) 2002-2007 Ergon Informatik AG