Revision 570
Added by bojilova over 23 years ago
AccessControlList.java | ||
---|---|---|
38 | 38 |
static final int WRITE = 2; |
39 | 39 |
static final int READ = 4; |
40 | 40 |
|
41 |
private Connection conn; |
|
42 |
private String docid; |
|
41 |
private Connection conn; |
|
43 | 42 |
private String parserName; |
44 | 43 |
private Stack elementStack; |
45 | 44 |
|
46 |
private Vector allow = new Vector(); |
|
47 |
private Vector begin1 = new Vector(); |
|
48 |
private Vector end1 = new Vector(); |
|
49 |
private Vector count1 = new Vector(); |
|
50 |
|
|
51 |
private Vector denyv = new Vector(); |
|
52 |
private Vector begin2 = new Vector(); |
|
53 |
private Vector end2 = new Vector(); |
|
54 |
private Vector count2 = new Vector(); |
|
45 |
private String resourceId; |
|
46 |
private Vector principalName; |
|
47 |
private int permission; |
|
48 |
private String permType; |
|
49 |
private String permOrder; |
|
50 |
private String beginTime; |
|
51 |
private String endTime; |
|
52 |
private int ticketCount; |
|
55 | 53 |
|
56 |
private String principal_name = ""; |
|
57 |
private String principal_type; |
|
58 |
private int permission = 0; |
|
59 |
private String begin_time; |
|
60 |
private String end_time; |
|
61 |
private int count; |
|
62 |
private int deny; |
|
63 |
|
|
64 | 54 |
/** |
65 | 55 |
* Construct an instance of the AccessControlList class. |
56 |
* It is used by the permission check up from DBQuery and DocumentImpl |
|
57 |
* |
|
58 |
* @param conn the JDBC connection where acl data are loaded |
|
59 |
*/ |
|
60 |
public AccessControlList ( Connection conn ) |
|
61 |
{ |
|
62 |
this.conn = conn; |
|
63 |
} |
|
64 |
|
|
65 |
/** |
|
66 |
* Construct an instance of the AccessControlList class. |
|
66 | 67 |
* It parse acl file and loads acl data into db connection. |
67 | 68 |
* |
68 | 69 |
* @param conn the JDBC connection where acl data are loaded |
69 | 70 |
* @param docid the Accession# of the document with the acl data |
70 |
* @param acl the acl file containing acl data for the document
|
|
71 |
* @param acl the acl file containing acl data |
|
71 | 72 |
*/ |
72 | 73 |
public AccessControlList ( Connection conn, String docid, Reader acl ) |
73 | 74 |
throws SAXException, IOException, ClassNotFoundException |
... | ... | |
77 | 78 |
String parserName = util.getOption("saxparser"); |
78 | 79 |
|
79 | 80 |
this.conn = conn; |
80 |
this.docid = docid; |
|
81 | 81 |
this.parserName = parserName; |
82 |
elementStack = new Stack(); |
|
82 |
this.elementStack = new Stack(); |
|
83 |
|
|
84 |
this.principalName = new Vector(); |
|
85 |
this.permission = 0; |
|
86 |
this.ticketCount = 0; |
|
83 | 87 |
|
84 | 88 |
// Initialize the parser and read the queryspec |
85 | 89 |
XMLReader parser = initializeParser(); |
... | ... | |
87 | 91 |
|
88 | 92 |
} |
89 | 93 |
|
94 |
/** |
|
95 |
* Construct an instance of the AccessControlList class. |
|
96 |
* It parse acl file and loads acl data into db connection. |
|
97 |
* |
|
98 |
* @param conn the JDBC connection where acl data are loaded |
|
99 |
* @param docid the Accession# of the document with the acl data |
|
100 |
* @param aclfilename the name of acl file containing acl data |
|
101 |
*/ |
|
90 | 102 |
public AccessControlList( Connection conn, String docid, String aclfilename ) |
91 | 103 |
throws SAXException, IOException, ClassNotFoundException |
92 | 104 |
{ |
... | ... | |
128 | 140 |
currentNode.setAttribute(atts.getLocalName(i), atts.getValue(i)); |
129 | 141 |
} |
130 | 142 |
} |
143 |
if ( currentNode.getTagName().equals("resource") ) { |
|
144 |
permOrder = currentNode.getAttribute("order"); |
|
145 |
} |
|
131 | 146 |
elementStack.push(currentNode); |
132 | 147 |
} |
133 | 148 |
|
... | ... | |
143 | 158 |
BasicNode currentNode = (BasicNode)elementStack.peek(); |
144 | 159 |
String currentTag = currentNode.getTagName(); |
145 | 160 |
|
146 |
if (currentTag.equals("groupName")) { |
|
147 |
principal_name = inputString; |
|
148 |
principal_type = "group"; |
|
149 |
} else if (currentTag.equals("userName")) { |
|
150 |
principal_name = inputString; |
|
151 |
principal_type = "user"; |
|
161 |
if (currentTag.equals("resourceIdentifier")) { |
|
162 |
resourceId = inputString; |
|
163 |
} else if (currentTag.equals("principalName")) { |
|
164 |
principalName.addElement(new String(inputString)); |
|
152 | 165 |
} else if (currentTag.equals("permission")) { |
153 | 166 |
if ( inputString.trim().toUpperCase().equals("READ") ) { |
154 | 167 |
permission = permission | READ; |
... | ... | |
158 | 171 |
permission = permission | ALL; |
159 | 172 |
} |
160 | 173 |
} else if (currentTag.equals("duration") && |
161 |
begin_time == null && end_time == null ) {
|
|
174 |
beginTime == null && endTime == null ) {
|
|
162 | 175 |
try { |
163 |
begin_time = inputString.substring(0, inputString.indexOf(" "));
|
|
164 |
end_time = inputString.substring(inputString.indexOf(" ")+1);
|
|
176 |
beginTime = inputString.substring(0, inputString.indexOf(" "));
|
|
177 |
endTime = inputString.substring(inputString.indexOf(" ")+1);
|
|
165 | 178 |
} catch (StringIndexOutOfBoundsException se) { |
166 |
begin_time = inputString;
|
|
179 |
beginTime = inputString;
|
|
167 | 180 |
} |
168 |
} else if (currentTag.equals("count") && count == 0 ) {
|
|
169 |
count = (new Integer(inputString.trim())).intValue();
|
|
181 |
} else if (currentTag.equals("ticketCount") && ticketCount == 0 ) {
|
|
182 |
ticketCount = (new Integer(inputString.trim())).intValue();
|
|
170 | 183 |
} |
171 | 184 |
} |
172 | 185 |
|
... | ... | |
179 | 192 |
throws SAXException |
180 | 193 |
{ |
181 | 194 |
BasicNode leaving = (BasicNode)elementStack.pop(); |
182 |
if ( leaving.getTagName().equals("allow") && permission > 0 ) { |
|
183 |
// collect allowed permissions in a Vector variable allow |
|
184 |
allow.add(new Integer(permission)); |
|
185 |
begin1.add(begin_time); |
|
186 |
end1.add(end_time); |
|
187 |
count1.add(new Integer(count)); |
|
195 |
if ( leaving.getTagName().equals("allow") ) { |
|
196 |
|
|
197 |
if ( permission > 0 ) { |
|
188 | 198 |
|
199 |
// insert into db calculated permission for the list of principals |
|
200 |
try { |
|
201 |
insertPermissions("allowed"); |
|
202 |
} catch (SQLException sqle) { |
|
203 |
throw new SAXException(sqle); |
|
204 |
} |
|
205 |
} |
|
206 |
|
|
189 | 207 |
// reset the allowed permission |
208 |
principalName = new Vector(); |
|
190 | 209 |
permission = 0; |
191 |
begin_time = null;
|
|
192 |
end_time = null;
|
|
193 |
count = 0;
|
|
210 |
beginTime = null;
|
|
211 |
endTime = null;
|
|
212 |
ticketCount = 0;
|
|
194 | 213 |
|
195 |
} else if ( leaving.getTagName().equals("deny") && permission > 0 ) { |
|
196 |
// collect denied permissions in a Vector variable denyv |
|
197 |
denyv.add(new Integer(permission)); |
|
198 |
begin2.add(begin_time); |
|
199 |
end2.add(end_time); |
|
200 |
count2.add(new Integer(count)); |
|
214 |
} else if ( leaving.getTagName().equals("deny") ) { |
|
215 |
|
|
216 |
if ( permission > 0 ) { |
|
201 | 217 |
|
202 |
// reset the denied permission |
|
203 |
permission = 0; |
|
204 |
begin_time = null; |
|
205 |
end_time = null; |
|
206 |
count = 0; |
|
207 |
|
|
208 |
} else if ( leaving.getTagName().equals("accessControl") ) { |
|
209 |
// when order attribute for <accessControl> is specified to "denyFirst" |
|
210 |
// exclude the allowed permissions from the list of denied ones |
|
211 |
if ( leaving.getAttribute("order").equals("denyFirst") ) { |
|
212 |
for ( int i = 0; i < allow.size(); i++ ) { |
|
213 |
for ( int j = 0; j < denyv.size(); j++ ) { |
|
214 |
denyv.setElementAt( |
|
215 |
new Integer(((Integer)denyv.elementAt(j)).intValue() & |
|
216 |
~((Integer)allow.elementAt(i)).intValue()), j); |
|
217 |
} |
|
218 |
// insert into db calculated permission for the list of principals |
|
219 |
try { |
|
220 |
insertPermissions("denied"); |
|
221 |
} catch (SQLException sqle) { |
|
222 |
throw new SAXException(sqle); |
|
218 | 223 |
} |
219 | 224 |
} |
220 | 225 |
|
221 |
// insert into db connection collected permissions for the principal
|
|
222 |
try {
|
|
223 |
insertPermissions();
|
|
224 |
} catch (SQLException sqle) {
|
|
225 |
throw new SAXException(sqle);
|
|
226 |
}
|
|
226 |
// reset the denied permission
|
|
227 |
principalName = new Vector();
|
|
228 |
permission = 0;
|
|
229 |
beginTime = null;
|
|
230 |
endTime = null;
|
|
231 |
ticketCount = 0;
|
|
227 | 232 |
|
228 |
// reset the list of allowed and denied permissions |
|
229 |
// for use for the next principal |
|
230 |
allow = new Vector(); |
|
231 |
begin1 = new Vector(); |
|
232 |
end1 = new Vector(); |
|
233 |
count1 = new Vector(); |
|
233 |
} else if ( leaving.getTagName().equals("resource") ) { |
|
234 |
// reset the resource identifier |
|
235 |
resourceId = null; |
|
236 |
permOrder = null; |
|
237 |
} |
|
234 | 238 |
|
235 |
denyv = new Vector(); |
|
236 |
begin2 = new Vector(); |
|
237 |
end2 = new Vector(); |
|
238 |
count2 = new Vector(); |
|
239 |
|
|
240 |
} else if ( leaving.getTagName().equals("user") || |
|
241 |
leaving.getTagName().equals("group") ) { |
|
242 |
// try { |
|
243 |
// principal_name = |
|
244 |
// principal_name.substring(0, principal_name.lastIndexOf(".")); |
|
245 |
// } catch (StringIndexOutOfBoundsException se) { |
|
246 |
// reset the name of the current principal for next use |
|
247 |
principal_name = ""; |
|
248 |
// } |
|
249 |
} |
|
250 | 239 |
} |
251 | 240 |
|
252 |
/** Insert into db connection collected permissions for a principal */
|
|
253 |
private void insertPermissions() |
|
241 |
/** Insert into db calculated permission for the list of principals */
|
|
242 |
private void insertPermissions( String permType )
|
|
254 | 243 |
throws SQLException |
255 | 244 |
{ |
256 | 245 |
PreparedStatement pstmt; |
... | ... | |
258 | 247 |
try { |
259 | 248 |
pstmt = conn.prepareStatement( |
260 | 249 |
"INSERT INTO xml_access " + |
261 |
"(docid, principal_name, principal_type, " + |
|
262 |
"permission, begin_time, end_time, ticket_counter, deny)" + |
|
263 |
"VALUES (?, ?, ?, ?, to_date(?,'mm/dd/yy'), " + |
|
264 |
" to_date(?,'mm/dd/yy'), ?, ?)"); |
|
250 |
"(docid,principal_name,permission,perm_type,perm_order," + |
|
251 |
"begin_time,end_time,ticket_count) VALUES " + |
|
252 |
"(?,?,?,?,?,to_date(?,'mm/dd/yy'),to_date(?,'mm/dd/yy'),?)"); |
|
265 | 253 |
// Bind the values to the query |
266 |
pstmt.setString(1, docid); |
|
267 |
pstmt.setString(2, principal_name); |
|
268 |
pstmt.setString(3, principal_type); |
|
269 |
// insert the allowed permissions first |
|
270 |
for ( int i = 0; i < allow.size(); i++ ) { |
|
271 |
pstmt.setInt(4, ((Integer)allow.elementAt(i)).intValue()); |
|
272 |
pstmt.setString(5, (String)begin1.elementAt(i)); |
|
273 |
pstmt.setString(6, (String)end1.elementAt(i)); |
|
274 |
if ( ((Integer)count1.elementAt(i)).intValue() > 0 ) { |
|
275 |
pstmt.setString(7, "" + ((Integer)count1.elementAt(i)).intValue()); |
|
276 |
} else { |
|
277 |
pstmt.setString(7, ""); |
|
278 |
} |
|
254 |
pstmt.setString(1, resourceId); |
|
255 |
pstmt.setInt(3, permission); |
|
256 |
pstmt.setString(4, permType); |
|
257 |
pstmt.setString(5, permOrder); |
|
258 |
pstmt.setString(6, beginTime); |
|
259 |
pstmt.setString(7, endTime); |
|
260 |
if ( ticketCount > 0 ) { |
|
261 |
pstmt.setString(8, "" + ticketCount); |
|
262 |
} else { |
|
279 | 263 |
pstmt.setString(8, ""); |
264 |
} |
|
265 |
for ( int i = 0; i < principalName.size(); i++ ) { |
|
266 |
pstmt.setString(2, (String)principalName.elementAt(i)); |
|
267 |
pstmt.execute(); |
|
268 |
} |
|
280 | 269 |
|
270 |
} catch (SQLException e) { |
|
271 |
throw new |
|
272 |
SQLException("AccessControlList.insertPermissions(): " + e.getMessage()); |
|
273 |
} |
|
274 |
} |
|
275 |
|
|
276 |
/** Check for @permission for @principal on @resourceId from db connection */ |
|
277 |
public boolean hasPermission ( String permission, String principal, |
|
278 |
String resourceId ) |
|
279 |
throws SQLException |
|
280 |
{ |
|
281 |
PreparedStatement pstmt; |
|
282 |
// check public access to @resourceId from xml_documents table |
|
283 |
if ( permission.equals("READ") ) { |
|
284 |
try { |
|
285 |
pstmt = conn.prepareStatement( |
|
286 |
"SELECT 'x' FROM xml_documents " + |
|
287 |
"WHERE docid LIKE ? AND public_access = 1"); |
|
288 |
// Bind the values to the query |
|
289 |
pstmt.setString(1, principal); |
|
290 |
|
|
281 | 291 |
pstmt.execute(); |
292 |
ResultSet rs = pstmt.getResultSet(); |
|
293 |
boolean hasRow = rs.next(); |
|
294 |
pstmt.close(); |
|
295 |
if (hasRow) { |
|
296 |
return true; |
|
297 |
} |
|
298 |
//System.out.println("Passed the check for public access"); |
|
299 |
|
|
300 |
} catch (SQLException e) { |
|
301 |
throw new |
|
302 |
SQLException("Error checking document's public access: " |
|
303 |
+ e.getMessage()); |
|
282 | 304 |
} |
305 |
} |
|
306 |
|
|
307 |
// since owner of resource has all permission on it, |
|
308 |
// check if @principal is owner of @resourceId in xml_documents table |
|
309 |
if ( principal != null ) { |
|
310 |
try { |
|
311 |
pstmt = conn.prepareStatement( |
|
312 |
"SELECT 'x' FROM xml_documents " + |
|
313 |
"WHERE docid LIKE ? AND user_owner LIKE ?"); |
|
314 |
// Bind the values to the query |
|
315 |
pstmt.setString(1, resourceId); |
|
316 |
pstmt.setString(2, principal); |
|
283 | 317 |
|
284 |
// insert the denied permissions |
|
285 |
for ( int i = 0; i < denyv.size(); i++ ) { |
|
286 |
if ( ((Integer)denyv.elementAt(i)).intValue() <= 0 ) { |
|
287 |
continue; |
|
318 |
pstmt.execute(); |
|
319 |
ResultSet rs = pstmt.getResultSet(); |
|
320 |
boolean hasRow = rs.next(); |
|
321 |
pstmt.close(); |
|
322 |
if (hasRow) { |
|
323 |
return true; |
|
288 | 324 |
} |
289 |
pstmt.setInt(4, ((Integer)denyv.elementAt(i)).intValue()); |
|
290 |
pstmt.setString(5, (String)begin2.elementAt(i)); |
|
291 |
pstmt.setString(6, (String)end2.elementAt(i)); |
|
292 |
if ( ((Integer)count2.elementAt(i)).intValue() > 0 ) { |
|
293 |
pstmt.setString(7, "" + ((Integer)count2.elementAt(i)).intValue()); |
|
294 |
} else { |
|
295 |
pstmt.setString(7, ""); |
|
325 |
//System.out.println("Passed the check for ownership"); |
|
326 |
|
|
327 |
} catch (SQLException e) { |
|
328 |
throw new |
|
329 |
SQLException("AccessControlList.hasPermission(): " + |
|
330 |
"Error checking document's ownership. " + e.getMessage()); |
|
331 |
} |
|
332 |
|
|
333 |
// check @principal's @permission on @resourceId from xml_access table |
|
334 |
int accessValue = 0; |
|
335 |
int ticketCount = 0; |
|
336 |
String permOrder = ""; |
|
337 |
try { |
|
338 |
pstmt = conn.prepareStatement( |
|
339 |
"SELECT permission, perm_order, ticket_count " + |
|
340 |
"FROM xml_access " + |
|
341 |
"WHERE docid LIKE ? " + |
|
342 |
"AND principal_name LIKE ? " + |
|
343 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
344 |
"AND nvl(end_time,sysdate) " + |
|
345 |
"AND perm_type LIKE ?"); |
|
346 |
// check if it is "denied" first |
|
347 |
// Bind the values to the query |
|
348 |
pstmt.setString(1, resourceId); |
|
349 |
pstmt.setString(2, principal); |
|
350 |
pstmt.setString(3, "denied"); |
|
351 |
|
|
352 |
pstmt.execute(); |
|
353 |
ResultSet rs = pstmt.getResultSet(); |
|
354 |
boolean hasRows = rs.next(); |
|
355 |
while ( hasRows ) { |
|
356 |
accessValue = rs.getInt(1); |
|
357 |
permOrder = rs.getString(2); |
|
358 |
ticketCount = rs.getInt(3); |
|
359 |
if ( ( accessValue & intValue(permission) ) == intValue(permission) && |
|
360 |
( permOrder.equals("allow first") ) && |
|
361 |
( rs.wasNull() || ticketCount > 0 ) ) { |
|
362 |
if ( !rs.wasNull() && ticketCount > 0 ) { |
|
363 |
decreaseNumberOfAccess(accessValue,principal,resourceId,"denied"); |
|
364 |
} |
|
365 |
pstmt.close(); |
|
366 |
return false; |
|
367 |
} |
|
368 |
hasRows = rs.next(); |
|
296 | 369 |
} |
297 |
pstmt.setString(8, "" + 1);
|
|
370 |
//System.out.println("Passed the check for denied access");
|
|
298 | 371 |
|
372 |
// it is not denied then check if it is "allowed" |
|
373 |
// Bind the values to the query |
|
374 |
pstmt.setString(1, resourceId); |
|
375 |
pstmt.setString(2, principal); |
|
376 |
pstmt.setString(3, "allowed"); |
|
377 |
|
|
299 | 378 |
pstmt.execute(); |
379 |
rs = pstmt.getResultSet(); |
|
380 |
hasRows = rs.next(); |
|
381 |
while ( hasRows ) { |
|
382 |
accessValue = rs.getInt(1); |
|
383 |
ticketCount = rs.getInt(3); |
|
384 |
if ( ( accessValue & intValue(permission) )==intValue(permission) && |
|
385 |
( rs.wasNull() || ticketCount > 0 ) ) { |
|
386 |
if ( !rs.wasNull() && ticketCount > 0 ) { |
|
387 |
decreaseNumberOfAccess(accessValue,principal,resourceId,"allowed"); |
|
388 |
} |
|
389 |
pstmt.close(); |
|
390 |
return true; |
|
391 |
} |
|
392 |
hasRows = rs.next(); |
|
393 |
} |
|
394 |
//System.out.println("Passed the check for allowed access"); |
|
395 |
|
|
396 |
// ??? |
|
397 |
// here there could be a check for the group's permission like |
|
398 |
// selfrecursive call to hasPermission(conn,permission,group,recourceId) |
|
399 |
// |
|
400 |
|
|
401 |
pstmt.close(); |
|
402 |
return false; |
|
403 |
|
|
404 |
} catch (SQLException e) { |
|
405 |
throw new |
|
406 |
SQLException("AccessControlList.hasPermission(): " + |
|
407 |
"Error checking document's permission. " + e.getMessage()); |
|
300 | 408 |
} |
409 |
} |
|
410 |
|
|
411 |
return false; |
|
412 |
} |
|
301 | 413 |
|
302 |
} catch (SQLException e) { |
|
303 |
throw new |
|
304 |
SQLException("AccessControlList.insertPermissions(): " + e.getMessage()); |
|
414 |
/** decrease the number of access to @resourceId for @principal */ |
|
415 |
private void decreaseNumberOfAccess(int permission, String principal, |
|
416 |
String resourceId, String permType) |
|
417 |
throws SQLException |
|
418 |
{ |
|
419 |
PreparedStatement pstmt; |
|
420 |
pstmt = conn.prepareStatement( |
|
421 |
"UPDATE xml_access SET ticket_count = ticket_count - 1 " + |
|
422 |
"WHERE docid LIKE ? " + |
|
423 |
"AND principal_name LIKE ? " + |
|
424 |
"AND permission LIKE ? " + |
|
425 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
426 |
"AND nvl(end_time,sysdate) " + |
|
427 |
"AND perm_type LIKE ?"); |
|
428 |
// Bind the values to the query |
|
429 |
pstmt.setString(1, resourceId); |
|
430 |
pstmt.setString(2, principal); |
|
431 |
pstmt.setInt(3, permission); |
|
432 |
pstmt.setString(4, permType); |
|
433 |
|
|
434 |
pstmt.execute(); |
|
435 |
pstmt.close(); |
|
436 |
} |
|
437 |
|
|
438 |
// get the int value of READ, WRITE or ALL |
|
439 |
private int intValue ( String permission ) |
|
440 |
{ |
|
441 |
if ( permission.equals("READ") ) { |
|
442 |
return READ; |
|
443 |
} else if ( permission.equals("WRITE") ) { |
|
444 |
return WRITE; |
|
445 |
} else if ( permission.equals("ALL") ) { |
|
446 |
return ALL; |
|
305 | 447 |
} |
448 |
|
|
449 |
return -1; |
|
306 | 450 |
} |
307 |
|
|
308 | 451 |
} |
Also available in: Unified diff
AccessControlList
- methods for parsing and loading acl file
- checkup method for permission for given principal on given resource
DBQuery
- checkup for READ permission using AccessControlList.hasPermission()
DocumentImpl
- using AccessControlList object to parse and load an acl file into xml_access table
- checkup for WRITE permission on UPDATE action using the same AccessControl.hasPermission()