38 |
38 |
static final int WRITE = 2;
|
39 |
39 |
static final int READ = 4;
|
40 |
40 |
|
41 |
|
private Connection conn;
|
42 |
|
private String docid;
|
|
41 |
private Connection conn;
|
43 |
42 |
private String parserName;
|
44 |
43 |
private Stack elementStack;
|
45 |
44 |
|
46 |
|
private Vector allow = new Vector();
|
47 |
|
private Vector begin1 = new Vector();
|
48 |
|
private Vector end1 = new Vector();
|
49 |
|
private Vector count1 = new Vector();
|
50 |
|
|
51 |
|
private Vector denyv = new Vector();
|
52 |
|
private Vector begin2 = new Vector();
|
53 |
|
private Vector end2 = new Vector();
|
54 |
|
private Vector count2 = new Vector();
|
|
45 |
private String resourceId;
|
|
46 |
private Vector principalName;
|
|
47 |
private int permission;
|
|
48 |
private String permType;
|
|
49 |
private String permOrder;
|
|
50 |
private String beginTime;
|
|
51 |
private String endTime;
|
|
52 |
private int ticketCount;
|
55 |
53 |
|
56 |
|
private String principal_name = "";
|
57 |
|
private String principal_type;
|
58 |
|
private int permission = 0;
|
59 |
|
private String begin_time;
|
60 |
|
private String end_time;
|
61 |
|
private int count;
|
62 |
|
private int deny;
|
63 |
|
|
64 |
54 |
/**
|
65 |
55 |
* Construct an instance of the AccessControlList class.
|
|
56 |
* It is used by the permission check up from DBQuery and DocumentImpl
|
|
57 |
*
|
|
58 |
* @param conn the JDBC connection where acl data are loaded
|
|
59 |
*/
|
|
60 |
public AccessControlList ( Connection conn )
|
|
61 |
{
|
|
62 |
this.conn = conn;
|
|
63 |
}
|
|
64 |
|
|
65 |
/**
|
|
66 |
* Construct an instance of the AccessControlList class.
|
66 |
67 |
* It parse acl file and loads acl data into db connection.
|
67 |
68 |
*
|
68 |
69 |
* @param conn the JDBC connection where acl data are loaded
|
69 |
70 |
* @param docid the Accession# of the document with the acl data
|
70 |
|
* @param acl the acl file containing acl data for the document
|
|
71 |
* @param acl the acl file containing acl data
|
71 |
72 |
*/
|
72 |
73 |
public AccessControlList ( Connection conn, String docid, Reader acl )
|
73 |
74 |
throws SAXException, IOException, ClassNotFoundException
|
... | ... | |
77 |
78 |
String parserName = util.getOption("saxparser");
|
78 |
79 |
|
79 |
80 |
this.conn = conn;
|
80 |
|
this.docid = docid;
|
81 |
81 |
this.parserName = parserName;
|
82 |
|
elementStack = new Stack();
|
|
82 |
this.elementStack = new Stack();
|
|
83 |
|
|
84 |
this.principalName = new Vector();
|
|
85 |
this.permission = 0;
|
|
86 |
this.ticketCount = 0;
|
83 |
87 |
|
84 |
88 |
// Initialize the parser and read the queryspec
|
85 |
89 |
XMLReader parser = initializeParser();
|
... | ... | |
87 |
91 |
|
88 |
92 |
}
|
89 |
93 |
|
|
94 |
/**
|
|
95 |
* Construct an instance of the AccessControlList class.
|
|
96 |
* It parse acl file and loads acl data into db connection.
|
|
97 |
*
|
|
98 |
* @param conn the JDBC connection where acl data are loaded
|
|
99 |
* @param docid the Accession# of the document with the acl data
|
|
100 |
* @param aclfilename the name of acl file containing acl data
|
|
101 |
*/
|
90 |
102 |
public AccessControlList( Connection conn, String docid, String aclfilename )
|
91 |
103 |
throws SAXException, IOException, ClassNotFoundException
|
92 |
104 |
{
|
... | ... | |
128 |
140 |
currentNode.setAttribute(atts.getLocalName(i), atts.getValue(i));
|
129 |
141 |
}
|
130 |
142 |
}
|
|
143 |
if ( currentNode.getTagName().equals("resource") ) {
|
|
144 |
permOrder = currentNode.getAttribute("order");
|
|
145 |
}
|
131 |
146 |
elementStack.push(currentNode);
|
132 |
147 |
}
|
133 |
148 |
|
... | ... | |
143 |
158 |
BasicNode currentNode = (BasicNode)elementStack.peek();
|
144 |
159 |
String currentTag = currentNode.getTagName();
|
145 |
160 |
|
146 |
|
if (currentTag.equals("groupName")) {
|
147 |
|
principal_name = inputString;
|
148 |
|
principal_type = "group";
|
149 |
|
} else if (currentTag.equals("userName")) {
|
150 |
|
principal_name = inputString;
|
151 |
|
principal_type = "user";
|
|
161 |
if (currentTag.equals("resourceIdentifier")) {
|
|
162 |
resourceId = inputString;
|
|
163 |
} else if (currentTag.equals("principalName")) {
|
|
164 |
principalName.addElement(new String(inputString));
|
152 |
165 |
} else if (currentTag.equals("permission")) {
|
153 |
166 |
if ( inputString.trim().toUpperCase().equals("READ") ) {
|
154 |
167 |
permission = permission | READ;
|
... | ... | |
158 |
171 |
permission = permission | ALL;
|
159 |
172 |
}
|
160 |
173 |
} else if (currentTag.equals("duration") &&
|
161 |
|
begin_time == null && end_time == null ) {
|
|
174 |
beginTime == null && endTime == null ) {
|
162 |
175 |
try {
|
163 |
|
begin_time = inputString.substring(0, inputString.indexOf(" "));
|
164 |
|
end_time = inputString.substring(inputString.indexOf(" ")+1);
|
|
176 |
beginTime = inputString.substring(0, inputString.indexOf(" "));
|
|
177 |
endTime = inputString.substring(inputString.indexOf(" ")+1);
|
165 |
178 |
} catch (StringIndexOutOfBoundsException se) {
|
166 |
|
begin_time = inputString;
|
|
179 |
beginTime = inputString;
|
167 |
180 |
}
|
168 |
|
} else if (currentTag.equals("count") && count == 0 ) {
|
169 |
|
count = (new Integer(inputString.trim())).intValue();
|
|
181 |
} else if (currentTag.equals("ticketCount") && ticketCount == 0 ) {
|
|
182 |
ticketCount = (new Integer(inputString.trim())).intValue();
|
170 |
183 |
}
|
171 |
184 |
}
|
172 |
185 |
|
... | ... | |
179 |
192 |
throws SAXException
|
180 |
193 |
{
|
181 |
194 |
BasicNode leaving = (BasicNode)elementStack.pop();
|
182 |
|
if ( leaving.getTagName().equals("allow") && permission > 0 ) {
|
183 |
|
// collect allowed permissions in a Vector variable allow
|
184 |
|
allow.add(new Integer(permission));
|
185 |
|
begin1.add(begin_time);
|
186 |
|
end1.add(end_time);
|
187 |
|
count1.add(new Integer(count));
|
|
195 |
if ( leaving.getTagName().equals("allow") ) {
|
|
196 |
|
|
197 |
if ( permission > 0 ) {
|
188 |
198 |
|
|
199 |
// insert into db calculated permission for the list of principals
|
|
200 |
try {
|
|
201 |
insertPermissions("allowed");
|
|
202 |
} catch (SQLException sqle) {
|
|
203 |
throw new SAXException(sqle);
|
|
204 |
}
|
|
205 |
}
|
|
206 |
|
189 |
207 |
// reset the allowed permission
|
|
208 |
principalName = new Vector();
|
190 |
209 |
permission = 0;
|
191 |
|
begin_time = null;
|
192 |
|
end_time = null;
|
193 |
|
count = 0;
|
|
210 |
beginTime = null;
|
|
211 |
endTime = null;
|
|
212 |
ticketCount = 0;
|
194 |
213 |
|
195 |
|
} else if ( leaving.getTagName().equals("deny") && permission > 0 ) {
|
196 |
|
// collect denied permissions in a Vector variable denyv
|
197 |
|
denyv.add(new Integer(permission));
|
198 |
|
begin2.add(begin_time);
|
199 |
|
end2.add(end_time);
|
200 |
|
count2.add(new Integer(count));
|
|
214 |
} else if ( leaving.getTagName().equals("deny") ) {
|
|
215 |
|
|
216 |
if ( permission > 0 ) {
|
201 |
217 |
|
202 |
|
// reset the denied permission
|
203 |
|
permission = 0;
|
204 |
|
begin_time = null;
|
205 |
|
end_time = null;
|
206 |
|
count = 0;
|
207 |
|
|
208 |
|
} else if ( leaving.getTagName().equals("accessControl") ) {
|
209 |
|
// when order attribute for <accessControl> is specified to "denyFirst"
|
210 |
|
// exclude the allowed permissions from the list of denied ones
|
211 |
|
if ( leaving.getAttribute("order").equals("denyFirst") ) {
|
212 |
|
for ( int i = 0; i < allow.size(); i++ ) {
|
213 |
|
for ( int j = 0; j < denyv.size(); j++ ) {
|
214 |
|
denyv.setElementAt(
|
215 |
|
new Integer(((Integer)denyv.elementAt(j)).intValue() &
|
216 |
|
~((Integer)allow.elementAt(i)).intValue()), j);
|
217 |
|
}
|
|
218 |
// insert into db calculated permission for the list of principals
|
|
219 |
try {
|
|
220 |
insertPermissions("denied");
|
|
221 |
} catch (SQLException sqle) {
|
|
222 |
throw new SAXException(sqle);
|
218 |
223 |
}
|
219 |
224 |
}
|
220 |
225 |
|
221 |
|
// insert into db connection collected permissions for the principal
|
222 |
|
try {
|
223 |
|
insertPermissions();
|
224 |
|
} catch (SQLException sqle) {
|
225 |
|
throw new SAXException(sqle);
|
226 |
|
}
|
|
226 |
// reset the denied permission
|
|
227 |
principalName = new Vector();
|
|
228 |
permission = 0;
|
|
229 |
beginTime = null;
|
|
230 |
endTime = null;
|
|
231 |
ticketCount = 0;
|
227 |
232 |
|
228 |
|
// reset the list of allowed and denied permissions
|
229 |
|
// for use for the next principal
|
230 |
|
allow = new Vector();
|
231 |
|
begin1 = new Vector();
|
232 |
|
end1 = new Vector();
|
233 |
|
count1 = new Vector();
|
|
233 |
} else if ( leaving.getTagName().equals("resource") ) {
|
|
234 |
// reset the resource identifier
|
|
235 |
resourceId = null;
|
|
236 |
permOrder = null;
|
|
237 |
}
|
234 |
238 |
|
235 |
|
denyv = new Vector();
|
236 |
|
begin2 = new Vector();
|
237 |
|
end2 = new Vector();
|
238 |
|
count2 = new Vector();
|
239 |
|
|
240 |
|
} else if ( leaving.getTagName().equals("user") ||
|
241 |
|
leaving.getTagName().equals("group") ) {
|
242 |
|
// try {
|
243 |
|
// principal_name =
|
244 |
|
// principal_name.substring(0, principal_name.lastIndexOf("."));
|
245 |
|
// } catch (StringIndexOutOfBoundsException se) {
|
246 |
|
// reset the name of the current principal for next use
|
247 |
|
principal_name = "";
|
248 |
|
// }
|
249 |
|
}
|
250 |
239 |
}
|
251 |
240 |
|
252 |
|
/** Insert into db connection collected permissions for a principal */
|
253 |
|
private void insertPermissions()
|
|
241 |
/** Insert into db calculated permission for the list of principals */
|
|
242 |
private void insertPermissions( String permType )
|
254 |
243 |
throws SQLException
|
255 |
244 |
{
|
256 |
245 |
PreparedStatement pstmt;
|
... | ... | |
258 |
247 |
try {
|
259 |
248 |
pstmt = conn.prepareStatement(
|
260 |
249 |
"INSERT INTO xml_access " +
|
261 |
|
"(docid, principal_name, principal_type, " +
|
262 |
|
"permission, begin_time, end_time, ticket_counter, deny)" +
|
263 |
|
"VALUES (?, ?, ?, ?, to_date(?,'mm/dd/yy'), " +
|
264 |
|
" to_date(?,'mm/dd/yy'), ?, ?)");
|
|
250 |
"(docid,principal_name,permission,perm_type,perm_order," +
|
|
251 |
"begin_time,end_time,ticket_count) VALUES " +
|
|
252 |
"(?,?,?,?,?,to_date(?,'mm/dd/yy'),to_date(?,'mm/dd/yy'),?)");
|
265 |
253 |
// Bind the values to the query
|
266 |
|
pstmt.setString(1, docid);
|
267 |
|
pstmt.setString(2, principal_name);
|
268 |
|
pstmt.setString(3, principal_type);
|
269 |
|
// insert the allowed permissions first
|
270 |
|
for ( int i = 0; i < allow.size(); i++ ) {
|
271 |
|
pstmt.setInt(4, ((Integer)allow.elementAt(i)).intValue());
|
272 |
|
pstmt.setString(5, (String)begin1.elementAt(i));
|
273 |
|
pstmt.setString(6, (String)end1.elementAt(i));
|
274 |
|
if ( ((Integer)count1.elementAt(i)).intValue() > 0 ) {
|
275 |
|
pstmt.setString(7, "" + ((Integer)count1.elementAt(i)).intValue());
|
276 |
|
} else {
|
277 |
|
pstmt.setString(7, "");
|
278 |
|
}
|
|
254 |
pstmt.setString(1, resourceId);
|
|
255 |
pstmt.setInt(3, permission);
|
|
256 |
pstmt.setString(4, permType);
|
|
257 |
pstmt.setString(5, permOrder);
|
|
258 |
pstmt.setString(6, beginTime);
|
|
259 |
pstmt.setString(7, endTime);
|
|
260 |
if ( ticketCount > 0 ) {
|
|
261 |
pstmt.setString(8, "" + ticketCount);
|
|
262 |
} else {
|
279 |
263 |
pstmt.setString(8, "");
|
|
264 |
}
|
|
265 |
for ( int i = 0; i < principalName.size(); i++ ) {
|
|
266 |
pstmt.setString(2, (String)principalName.elementAt(i));
|
|
267 |
pstmt.execute();
|
|
268 |
}
|
280 |
269 |
|
|
270 |
} catch (SQLException e) {
|
|
271 |
throw new
|
|
272 |
SQLException("AccessControlList.insertPermissions(): " + e.getMessage());
|
|
273 |
}
|
|
274 |
}
|
|
275 |
|
|
276 |
/** Check for @permission for @principal on @resourceId from db connection */
|
|
277 |
public boolean hasPermission ( String permission, String principal,
|
|
278 |
String resourceId )
|
|
279 |
throws SQLException
|
|
280 |
{
|
|
281 |
PreparedStatement pstmt;
|
|
282 |
// check public access to @resourceId from xml_documents table
|
|
283 |
if ( permission.equals("READ") ) {
|
|
284 |
try {
|
|
285 |
pstmt = conn.prepareStatement(
|
|
286 |
"SELECT 'x' FROM xml_documents " +
|
|
287 |
"WHERE docid LIKE ? AND public_access = 1");
|
|
288 |
// Bind the values to the query
|
|
289 |
pstmt.setString(1, principal);
|
|
290 |
|
281 |
291 |
pstmt.execute();
|
|
292 |
ResultSet rs = pstmt.getResultSet();
|
|
293 |
boolean hasRow = rs.next();
|
|
294 |
pstmt.close();
|
|
295 |
if (hasRow) {
|
|
296 |
return true;
|
|
297 |
}
|
|
298 |
//System.out.println("Passed the check for public access");
|
|
299 |
|
|
300 |
} catch (SQLException e) {
|
|
301 |
throw new
|
|
302 |
SQLException("Error checking document's public access: "
|
|
303 |
+ e.getMessage());
|
282 |
304 |
}
|
|
305 |
}
|
|
306 |
|
|
307 |
// since owner of resource has all permission on it,
|
|
308 |
// check if @principal is owner of @resourceId in xml_documents table
|
|
309 |
if ( principal != null ) {
|
|
310 |
try {
|
|
311 |
pstmt = conn.prepareStatement(
|
|
312 |
"SELECT 'x' FROM xml_documents " +
|
|
313 |
"WHERE docid LIKE ? AND user_owner LIKE ?");
|
|
314 |
// Bind the values to the query
|
|
315 |
pstmt.setString(1, resourceId);
|
|
316 |
pstmt.setString(2, principal);
|
283 |
317 |
|
284 |
|
// insert the denied permissions
|
285 |
|
for ( int i = 0; i < denyv.size(); i++ ) {
|
286 |
|
if ( ((Integer)denyv.elementAt(i)).intValue() <= 0 ) {
|
287 |
|
continue;
|
|
318 |
pstmt.execute();
|
|
319 |
ResultSet rs = pstmt.getResultSet();
|
|
320 |
boolean hasRow = rs.next();
|
|
321 |
pstmt.close();
|
|
322 |
if (hasRow) {
|
|
323 |
return true;
|
288 |
324 |
}
|
289 |
|
pstmt.setInt(4, ((Integer)denyv.elementAt(i)).intValue());
|
290 |
|
pstmt.setString(5, (String)begin2.elementAt(i));
|
291 |
|
pstmt.setString(6, (String)end2.elementAt(i));
|
292 |
|
if ( ((Integer)count2.elementAt(i)).intValue() > 0 ) {
|
293 |
|
pstmt.setString(7, "" + ((Integer)count2.elementAt(i)).intValue());
|
294 |
|
} else {
|
295 |
|
pstmt.setString(7, "");
|
|
325 |
//System.out.println("Passed the check for ownership");
|
|
326 |
|
|
327 |
} catch (SQLException e) {
|
|
328 |
throw new
|
|
329 |
SQLException("AccessControlList.hasPermission(): " +
|
|
330 |
"Error checking document's ownership. " + e.getMessage());
|
|
331 |
}
|
|
332 |
|
|
333 |
// check @principal's @permission on @resourceId from xml_access table
|
|
334 |
int accessValue = 0;
|
|
335 |
int ticketCount = 0;
|
|
336 |
String permOrder = "";
|
|
337 |
try {
|
|
338 |
pstmt = conn.prepareStatement(
|
|
339 |
"SELECT permission, perm_order, ticket_count " +
|
|
340 |
"FROM xml_access " +
|
|
341 |
"WHERE docid LIKE ? " +
|
|
342 |
"AND principal_name LIKE ? " +
|
|
343 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " +
|
|
344 |
"AND nvl(end_time,sysdate) " +
|
|
345 |
"AND perm_type LIKE ?");
|
|
346 |
// check if it is "denied" first
|
|
347 |
// Bind the values to the query
|
|
348 |
pstmt.setString(1, resourceId);
|
|
349 |
pstmt.setString(2, principal);
|
|
350 |
pstmt.setString(3, "denied");
|
|
351 |
|
|
352 |
pstmt.execute();
|
|
353 |
ResultSet rs = pstmt.getResultSet();
|
|
354 |
boolean hasRows = rs.next();
|
|
355 |
while ( hasRows ) {
|
|
356 |
accessValue = rs.getInt(1);
|
|
357 |
permOrder = rs.getString(2);
|
|
358 |
ticketCount = rs.getInt(3);
|
|
359 |
if ( ( accessValue & intValue(permission) ) == intValue(permission) &&
|
|
360 |
( permOrder.equals("allow first") ) &&
|
|
361 |
( rs.wasNull() || ticketCount > 0 ) ) {
|
|
362 |
if ( !rs.wasNull() && ticketCount > 0 ) {
|
|
363 |
decreaseNumberOfAccess(accessValue,principal,resourceId,"denied");
|
|
364 |
}
|
|
365 |
pstmt.close();
|
|
366 |
return false;
|
|
367 |
}
|
|
368 |
hasRows = rs.next();
|
296 |
369 |
}
|
297 |
|
pstmt.setString(8, "" + 1);
|
|
370 |
//System.out.println("Passed the check for denied access");
|
298 |
371 |
|
|
372 |
// it is not denied then check if it is "allowed"
|
|
373 |
// Bind the values to the query
|
|
374 |
pstmt.setString(1, resourceId);
|
|
375 |
pstmt.setString(2, principal);
|
|
376 |
pstmt.setString(3, "allowed");
|
|
377 |
|
299 |
378 |
pstmt.execute();
|
|
379 |
rs = pstmt.getResultSet();
|
|
380 |
hasRows = rs.next();
|
|
381 |
while ( hasRows ) {
|
|
382 |
accessValue = rs.getInt(1);
|
|
383 |
ticketCount = rs.getInt(3);
|
|
384 |
if ( ( accessValue & intValue(permission) )==intValue(permission) &&
|
|
385 |
( rs.wasNull() || ticketCount > 0 ) ) {
|
|
386 |
if ( !rs.wasNull() && ticketCount > 0 ) {
|
|
387 |
decreaseNumberOfAccess(accessValue,principal,resourceId,"allowed");
|
|
388 |
}
|
|
389 |
pstmt.close();
|
|
390 |
return true;
|
|
391 |
}
|
|
392 |
hasRows = rs.next();
|
|
393 |
}
|
|
394 |
//System.out.println("Passed the check for allowed access");
|
|
395 |
|
|
396 |
// ???
|
|
397 |
// here there could be a check for the group's permission like
|
|
398 |
// selfrecursive call to hasPermission(conn,permission,group,recourceId)
|
|
399 |
//
|
|
400 |
|
|
401 |
pstmt.close();
|
|
402 |
return false;
|
|
403 |
|
|
404 |
} catch (SQLException e) {
|
|
405 |
throw new
|
|
406 |
SQLException("AccessControlList.hasPermission(): " +
|
|
407 |
"Error checking document's permission. " + e.getMessage());
|
300 |
408 |
}
|
|
409 |
}
|
|
410 |
|
|
411 |
return false;
|
|
412 |
}
|
301 |
413 |
|
302 |
|
} catch (SQLException e) {
|
303 |
|
throw new
|
304 |
|
SQLException("AccessControlList.insertPermissions(): " + e.getMessage());
|
|
414 |
/** decrease the number of access to @resourceId for @principal */
|
|
415 |
private void decreaseNumberOfAccess(int permission, String principal,
|
|
416 |
String resourceId, String permType)
|
|
417 |
throws SQLException
|
|
418 |
{
|
|
419 |
PreparedStatement pstmt;
|
|
420 |
pstmt = conn.prepareStatement(
|
|
421 |
"UPDATE xml_access SET ticket_count = ticket_count - 1 " +
|
|
422 |
"WHERE docid LIKE ? " +
|
|
423 |
"AND principal_name LIKE ? " +
|
|
424 |
"AND permission LIKE ? " +
|
|
425 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " +
|
|
426 |
"AND nvl(end_time,sysdate) " +
|
|
427 |
"AND perm_type LIKE ?");
|
|
428 |
// Bind the values to the query
|
|
429 |
pstmt.setString(1, resourceId);
|
|
430 |
pstmt.setString(2, principal);
|
|
431 |
pstmt.setInt(3, permission);
|
|
432 |
pstmt.setString(4, permType);
|
|
433 |
|
|
434 |
pstmt.execute();
|
|
435 |
pstmt.close();
|
|
436 |
}
|
|
437 |
|
|
438 |
// get the int value of READ, WRITE or ALL
|
|
439 |
private int intValue ( String permission )
|
|
440 |
{
|
|
441 |
if ( permission.equals("READ") ) {
|
|
442 |
return READ;
|
|
443 |
} else if ( permission.equals("WRITE") ) {
|
|
444 |
return WRITE;
|
|
445 |
} else if ( permission.equals("ALL") ) {
|
|
446 |
return ALL;
|
305 |
447 |
}
|
|
448 |
|
|
449 |
return -1;
|
306 |
450 |
}
|
307 |
|
|
308 |
451 |
}
|
AccessControlList
- methods for parsing and loading acl file
- checkup method for permission for given principal on given resource
DBQuery
- checkup for READ permission using AccessControlList.hasPermission()
DocumentImpl
- using AccessControlList object to parse and load an acl file into xml_access table
- checkup for WRITE permission on UPDATE action using the same AccessControl.hasPermission()