Package jcifs.internal.dtyp

Class ACE

  • All Implemented Interfaces:
    ACE, Decodable

    public class ACE
    extends Object
    implements ACE, Decodable
    An Access Control Entry (ACE) is an element in a security descriptor such as those associated with files and directories. The Windows OS determines which users have the necessary permissions to access objects based on these entries.

    To fully understand the information exposed by this class a description of the access check algorithm used by Windows is required. The following is a basic description of the algorithm. For a more complete description we recommend reading the section on Access Control in Keith Brown's "The .NET Developer's Guide to Windows Security" (which is also available online).

    Direct ACEs are evaluated first, in order. The SID of the user performing the operation (together with the SIDs of the groups that user belongs to) and the desired access bits are compared to the SID and access mask of each ACE. If the SID matches, the allow/deny flag and access mask are considered. If the ACE is a "deny" ACE and any of the desired access bits match bits in the access mask of the ACE, the whole access check fails. If the ACE is an "allow" ACE and all of the desired access bits match bits in the access mask of the ACE, the access check succeeds. Otherwise, further ACEs are evaluated until all of the desired access bits (combined across allow ACEs) are "allowed". If not all of the desired access bits are "allowed" by direct ACEs, the same process is repeated for inherited ACEs. Because a deny ACE fails the check as soon as it is reached, the order of the ACEs matters: Windows keeps a DACL in canonical order (within each scope, deny ACEs before allow ACEs) precisely so that an earlier allow cannot satisfy the request before a deny is seen.

    For example, if user WNET\alice tries to open a file with desired access bits 0x00000003 (FILE_READ_DATA | FILE_WRITE_DATA) and the target file has the following security descriptor ACEs:

     Allow WNET\alice     0x001200A9  Direct
     Allow Administrators 0x001F01FF  Inherited
     Allow SYSTEM         0x001F01FF  Inherited
     
    the access check would fail, because the direct ACE has an access mask of 0x001200A9 (the usual "Read & Execute" mask), which does not have the FILE_WRITE_DATA bit (0x00000002) set. That is not the whole story, however: if WNET\alice is a member of the local Administrators group, the access check succeeds, because the inherited ACE grants local Administrators 0x001F01FF (FILE_ALL_ACCESS), which includes both FILE_READ_DATA and FILE_WRITE_DATA.
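As an added worked example (not code from jcifs, and written so that it runs without the library), the following Java program models the walk described above. A local `Ace` record stands in for a decoded jcifs ACE; the constants mirror the Windows values (FILE_READ_DATA = 0x1, FILE_WRITE_DATA = 0x2, FLAGS_INHERITED = 0x10), and the SID strings, the group membership and the three ACEs are constructed to match the descriptor in the text. Beyond the text's scenario it also inserts a direct deny ACE to show the short-circuit.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example (not jcifs code): a minimal model of the Windows DACL walk
 * described in the class documentation, run against the text's three ACEs.
 */
public class AccessCheckExample {

    // Windows access-mask bits used below (same values as the jcifs.ACE constants)
    static final int FILE_READ_DATA  = 0x00000001;
    static final int FILE_WRITE_DATA = 0x00000002;
    // ACE flag bit that marks an inherited ACE (jcifs.ACE.FLAGS_INHERITED)
    static final int FLAGS_INHERITED = 0x10;

    /** Stand-in for a decoded jcifs ACE: allow/deny, flags, mask and the SID as a string. */
    record Ace(boolean allow, int flags, int accessMask, String sid) {
        boolean inherited() { return (flags & FLAGS_INHERITED) != 0; }
    }

    /**
     * Walks one scope (direct or inherited) of the DACL in order. Returns the
     * desired bits still not granted after the walk, or -1 if a deny ACE
     * matched and the whole check fails.
     */
    static int walk(List<Ace> dacl, boolean inherited, Set<String> tokenSids, int remaining) {
        for (Ace ace : dacl) {
            if (ace.inherited() != inherited) continue;      // wrong scope for this pass
            if (!tokenSids.contains(ace.sid())) continue;     // ACE is not about this principal
            if (!ace.allow()) {
                // Deny: any overlap with what is still wanted fails the check outright.
                if ((remaining & ace.accessMask()) != 0) return -1;
            } else {
                remaining &= ~ace.accessMask();               // grant the overlapping bits
                if (remaining == 0) return 0;                 // everything requested is granted
            }
        }
        return remaining;
    }

    /**
     * Direct ACEs first, then inherited ACEs, accumulating granted bits across
     * allow ACEs and failing immediately on a matching deny ACE.
     */
    static boolean accessCheck(List<Ace> dacl, Set<String> tokenSids, int desired) {
        int remaining = walk(dacl, false, tokenSids, desired);
        if (remaining < 0) return false;
        if (remaining == 0) return true;
        remaining = walk(dacl, true, tokenSids, remaining);
        return remaining == 0;
    }

    public static void main(String[] args) {
        // The security descriptor from the text (constructed here, not read from a server).
        List<Ace> dacl = new ArrayList<>();
        dacl.add(new Ace(true, 0,               0x001200A9, "WNET\\alice"));
        dacl.add(new Ace(true, FLAGS_INHERITED, 0x001F01FF, "BUILTIN\\Administrators"));
        dacl.add(new Ace(true, FLAGS_INHERITED, 0x001F01FF, "NT AUTHORITY\\SYSTEM"));

        int desired = FILE_READ_DATA | FILE_WRITE_DATA;      // 0x00000003, as in the text

        // alice on her own: the direct ACE covers FILE_READ_DATA but not FILE_WRITE_DATA
        System.out.println("alice alone: "
            + accessCheck(dacl, Set.of("WNET\\alice"), desired));

        // alice as a member of Administrators: the inherited ACE grants the remaining bit
        System.out.println("alice in Administrators: "
            + accessCheck(dacl, Set.of("WNET\\alice", "BUILTIN\\Administrators"), desired));

        // A direct deny on FILE_WRITE_DATA for alice is reached before any inherited allow
        List<Ace> withDeny = new ArrayList<>(dacl);
        withDeny.add(0, new Ace(false, 0, FILE_WRITE_DATA, "WNET\\alice"));
        System.out.println("alice in Administrators, direct deny present: "
            + accessCheck(withDeny, Set.of("WNET\\alice", "BUILTIN\\Administrators"), desired));
    }
}
```

The first call fails for the reason the text gives (the direct pass grants 0x1 only and no other direct ACE matches), the second succeeds once BUILTIN\Administrators is in the token, and the third fails again even for an administrator: the direct deny is evaluated during the direct pass, before the inherited Administrators allow is ever considered.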
    • Constructor Detail

      • ACE

        public ACE()
    • Method Detail

      • isAllow

        public boolean isAllow()
        Description copied from interface: ACE
        Returns true if this ACE is an allow ACE and false if it is a deny ACE.
        Specified by:
        isAllow in interface ACE
        Returns:
        whether this is an allow ACE
      • isInherited

        public boolean isInherited()
        Description copied from interface: ACE
        Returns true if this ACE is an inherited ACE and false if it is a direct ACE.

        Note: For reasons not fully understood, FLAGS_INHERITED may not be set in all security descriptors even though the ACE was in fact inherited. If an inheritable ACE is added to a parent, the Windows ACL editor rebuilds the ACEs of all children and sets this flag accordingly. Callers that rely on isInherited() to separate direct from inherited ACEs should therefore expect that split to be unreliable on such descriptors.

        Specified by:
        isInherited in interface ACE
        Returns:
        whether this is an inherited ACE
      • getFlags

        public int getFlags()
        Description copied from interface: ACE
        Returns the flags for this ACE. The isInherited() method checks the FLAGS_INHERITED bit in these flags.
        Specified by:
        getFlags in interface ACE
        Returns:
        the ACE flags
      • getApplyToText

        public String getApplyToText()
        Description copied from interface: ACE
        Returns the 'Apply To' text for inheritance of ACEs on directories such as 'This folder, subfolder and files'. For files the text is always 'This object only'.
        Specified by:
        getApplyToText in interface ACE
        Returns:
        descriptive text for the ACE scope
      • getAccessMask

        public int getAccessMask()
        Description copied from interface: ACE
        Returns the access mask associated with this ACE. Use the constants for FILE_READ_DATA, FILE_WRITE_DATA, READ_CONTROL, GENERIC_ALL, etc. with bitwise operators to determine which bits of the mask are on or off.
        Specified by:
        getAccessMask in interface ACE
        Returns:
        the access mask
      • getSID

        public SID getSID()
        Description copied from interface: ACE
        Returns the SID associated with this ACE.
        Specified by:
        getSID in interface ACE
        Returns:
        ACE target SID
      • decode

        public int decode​(byte[] buf,
                          int bi,
                          int len)
        Specified by:
        decode in interface Decodable
        Returns:
        decoded length
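As an added example of what a decode(buf, bi, len) call has to do, the following stand-alone Java program (not jcifs code) parses one ACE from its MS-DTYP wire layout: a fixed 8-byte header (AceType, AceFlags, little-endian AceSize and Mask) followed by the SID (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian sub-authorities). The `DecodedAce` record and the method names are local to this example; the input bytes are constructed to encode the inherited BUILTIN\Administrators allow ACE from the class description. Each length field is checked against `len` before it is trusted, which is the check to insist on when the buffer comes off the wire from a server you do not control.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/** Added example (not jcifs code): decoding one ACE from its MS-DTYP wire layout. */
public class AceDecodeExample {

    static final int ACCESS_ALLOWED_ACE_TYPE = 0x00;
    static final int ACCESS_DENIED_ACE_TYPE  = 0x01;
    static final int ACE_HEADER_SIZE = 8;   // AceType(1) AceFlags(1) AceSize(2) Mask(4)
    static final int SID_FIXED_SIZE  = 8;   // Revision(1) SubAuthorityCount(1) IdentifierAuthority(6)

    /** Result of one decode: the fields jcifs exposes through its getters plus the bytes consumed. */
    record DecodedAce(int type, int flags, int accessMask, String sid, int length) {
        boolean isAllow() { return type == ACCESS_ALLOWED_ACE_TYPE; }
    }

    /**
     * Decodes the ACE at buf[bi .. bi+len) and reports the number of bytes it
     * occupies (the AceSize field), mirroring the decode(buf, bi, len) contract.
     * Nothing from the buffer is used as a length until it has been bounded by len.
     */
    static DecodedAce decode(byte[] buf, int bi, int len) {
        if (len < ACE_HEADER_SIZE || bi < 0 || bi + len > buf.length) {
            throw new IllegalArgumentException("ACE header truncated");
        }
        ByteBuffer b = ByteBuffer.wrap(buf, bi, len).order(ByteOrder.LITTLE_ENDIAN);
        int type = b.get() & 0xFF;
        int flags = b.get() & 0xFF;
        int aceSize = b.getShort() & 0xFFFF;   // size of the whole ACE, header included
        if (aceSize < ACE_HEADER_SIZE + SID_FIXED_SIZE || aceSize > len) {
            throw new IllegalArgumentException("AceSize " + aceSize + " does not fit in " + len + " bytes");
        }
        int mask = b.getInt();

        int revision = b.get() & 0xFF;
        int subCount = b.get() & 0xFF;
        // SIDs carry at most 15 sub-authorities, and they must all lie inside this ACE
        if (subCount > 15 || ACE_HEADER_SIZE + SID_FIXED_SIZE + 4 * subCount > aceSize) {
            throw new IllegalArgumentException("SubAuthorityCount " + subCount + " does not fit in ACE");
        }
        long authority = 0;                    // identifier authority is big-endian, unlike the rest
        for (int i = 0; i < 6; i++) {
            authority = (authority << 8) | (b.get() & 0xFF);
        }
        StringBuilder sid = new StringBuilder("S-").append(revision).append('-').append(authority);
        for (int i = 0; i < subCount; i++) {
            sid.append('-').append(b.getInt() & 0xFFFFFFFFL);   // sub-authorities are unsigned 32-bit
        }
        return new DecodedAce(type, flags, mask, sid.toString(), aceSize);
    }

    public static void main(String[] args) {
        // Constructed bytes: allow ACE, AceFlags = FLAGS_INHERITED (0x10), Mask = 0x001F01FF,
        // SID S-1-5-32-544 (BUILTIN\Administrators), i.e. the second ACE in the text's descriptor.
        byte[] wire = {
            0x00, 0x10, 0x18, 0x00,                     // AceType, AceFlags, AceSize = 24
            (byte) 0xFF, 0x01, 0x1F, 0x00,              // Mask 0x001F01FF, little-endian
            0x01, 0x02,                                 // SID revision 1, two sub-authorities
            0x00, 0x00, 0x00, 0x00, 0x00, 0x05,         // identifier authority 5 (NT authority)
            0x20, 0x00, 0x00, 0x00,                     // sub-authority 32
            0x20, 0x02, 0x00, 0x00                      // sub-authority 544
        };
        DecodedAce ace = decode(wire, 0, wire.length);
        System.out.println(ace.sid()
            + " allow=" + ace.isAllow()
            + " inherited=" + ((ace.flags() & 0x10) != 0)
            + " mask=0x" + Integer.toHexString(ace.accessMask())
            + " consumed=" + ace.length());
    }
}
```

A DACL is a sequence of such ACEs, so a caller advances `bi` by the returned length and decrements `len` by the same amount for each entry; the AceSize check above is what keeps a hostile or corrupt AceSize from walking the cursor past the buffer the server actually sent.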
      • toString

        public String toString()
        Returns a string representing this ACE.

        Note: This method should probably be changed to return an SDDL fragment, but currently it does not.

        Overrides:
        toString in class Object