net.tirasa.adsddl.ntsd.dacl

Class DACLAssertor

java.lang.Object

net.tirasa.adsddl.ntsd.dacl.DACLAssertor

public class DACLAssertor
extends java.lang.Object

A class which asserts whether the DACL (Discretionary Access Control List) of an AD object grants the principal of an AdRoleAssertion all the rights which the assertion contains.

The caller must specify the LDAP search filter which will be used to locate the given object in the domain and fetch its nTSecurityDescriptor attribute, which contains the DACL. Alternatively, a constructor accepting a pre-created DACL is available. The DACL is then searched for all ACE entries which are expected to satisfy AceAssertions specified by the AdRoleAssertion; the assertion is passed in to the method doAssert. If there are unsatisfied assertions, and the adRoleAssertion refers to a user, the evaluation is repeated for all groups the user belongs to. The caller may then evaluate the result of doAssert(net.tirasa.adsddl.ntsd.dacl.AdRoleAssertion) and identify unsatisfied assertions by calling getUnsatisfiedAssertions.

See Also:

cc223510

Constructor Summary

Constructors

Constructor and Description
DACLAssertor(ACL dacl, boolean searchGroups) DACLAssertor constructor.
DACLAssertor(java.lang.String searchFilter, boolean searchGroups, javax.naming.ldap.LdapContext ldapContext) DACLAssertor constructor.

Method Summary

Modifier and Type	Method and Description
boolean	doAssert(AdRoleAssertion roleAssertion) Compares the object DACL located by the searchFilter against the specified AdRoleAssertion, and determines whether that assertion's principal is granted all the rights which the assertion contains.
java.util.List<AceAssertion>	getUnsatisfiedAssertions() Returns list of AceAssertions in the AdRoleAssertion given to doAssert which are unsatisfied.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DACLAssertor

public DACLAssertor(java.lang.String searchFilter,
                    boolean searchGroups,
                    javax.naming.ldap.LdapContext ldapContext)

DACLAssertor constructor.

Parameters:

searchFilter - LDAP search filter, locating an object whose DACL will be evaluated against the AdRoleAssertion. NOTE: LDAP filter escaping is the caller's responsibility

searchGroups - whether to search groups of a user contained in the AdRoleAssertion

ldapContext - the pre-connected LDAP context

DACLAssertor

public DACLAssertor(ACL dacl,
                    boolean searchGroups)

DACLAssertor constructor. This version takes a pre-created DACL.

Parameters:

dacl - the DACL of the object to evaluate against the AdRoleAssertion

searchGroups - whether to search groups of a user contained in the AdRoleAssertion

Method Detail

doAssert

public boolean doAssert(AdRoleAssertion roleAssertion)
                 throws javax.naming.NamingException

Compares the object DACL located by the searchFilter against the specified AdRoleAssertion, and determines whether that assertion's principal is granted all the rights which the assertion contains.

When comparing ACEs of the DACL, only those of AceType.ACCESS_ALLOWED_ACE_TYPE or AceType.ACCESS_ALLOWED_OBJECT_ACE_TYPE will be considered for satisfying an AceAssertion of the roleAssertion.

Once completed, any unsatisfied assertions can be obtained by calling getUnsatisfiedAssertions.

Parameters:

roleAssertion - the AdRoleAssertion

Returns:

true if the DACL fulfills the claims of the roleAssertion, false otherwise.

Throws:

javax.naming.CommunicationException - if the context for searching the DACL is invalid or the domain cannot be reached

javax.naming.NameNotFoundException - if the DACL search fails

javax.naming.NamingException - if extracting the DACL fails or another JNDI issue occurs

javax.naming.SizeLimitExceededException - if more than one AD object found during DACL search

getUnsatisfiedAssertions

public java.util.List<AceAssertion> getUnsatisfiedAssertions()

Returns list of AceAssertions in the AdRoleAssertion given to doAssert which are unsatisfied.

Returns:

list of unsatisfied AceAssertions