public interface AzRequestContext
The AzRequestContext is the structure used to collect all the information that is required to make one or more authorization requests.
The AzRequestContext is used as the input to a decision. It primarily consists of a group of collections of AzEntity objects, where each AzEntity contains a collection of AzAttributes describing that entity. From a XACML perspective, one may think of the AzEntity objects as representing the "actors" in a XACML decision request: the entity making the request (Subject, of which there may be one or more AzSubjects), the entity representing the request (Action), the entity to which access is being requested (Resource), and an entity capturing the general operating conditions under which the request is being made (Environment).
The official term XACML uses to distinguish these actors is "Category". The allowed Category identifiers are represented in AzApi by Enums that implement the AzCategoryId interface.
The general rule is that a single authorization decision corresponds to a set of entities, where only one entity per Category is allowed.
The general mechanism by which multiple decisions can be requested in a single AzRequestContext object is to include multiple entities within the same category. A separate decision is then made for each entity within that category, evaluated against a fixed set of members, one each, of the other categories. The specifics of this mechanism vary by category; the most significant constraint is that AzResourceActionAssociations must be created to indicate the specific resource-action combinations for which a decision is requested, as opposed to simply requesting the cross-product of all resources and actions in an AzRequestContext.
Note: an AzRequestContext may be populated incrementally by several independent software components prior to the request actually being submitted to a PDP.
Note: there is no direct support for XACML Attribute Selectors, which are primarily XPaths used to access attributes in supplied XML content. All attributes from this AzAPI should be considered to be accessible using XACML Attribute Designators, which are based on a reference to the AttributeId (required), Issuer (optional), DataType (required), and Category (required, but generally implicit) associated with a XACML Attribute.
Method Summary

| Return type | Method | Description |
|---|---|---|
| <T extends java.lang.Enum<T> & AzCategoryId> boolean | addAzEntity(AzEntity<T> azEntity) | Adds an AzEntity |
| java.util.Set<AzResourceActionAssociation> | addResourceActionAssociation(AzEntity<AzCategoryIdResource> resource, java.util.Set<AzEntity<AzCategoryIdAction>> actions) | Add the cross-product of a single AzResource and a Set of AzActions to the AzRequestContext. |
| java.util.Set<AzResourceActionAssociation> | addResourceActionAssociation(java.util.Set<AzEntity<AzCategoryIdResource>> resources, AzEntity<AzCategoryIdAction> action) | Add the cross-product of a Set of AzResources and a single AzAction to the AzRequestContext. |
| java.util.Set<AzResourceActionAssociation> | addResourceActionAssociation(java.util.Set<AzEntity<AzCategoryIdResource>> azResourceSet, java.util.Set<AzEntity<AzCategoryIdAction>> azActionSet) | Add an AzResourceActionAssociation to the AzRequestContext for each possible AzResource-AzAction combination (cross-product, n x m) of a Set of n AzResource entities and a Set of m AzAction entities. |
| AzResourceActionAssociation | createAndAddResourceActionAssociation(AzEntity<AzCategoryIdResource> azResource, AzEntity<AzCategoryIdAction> azAction) | Add an AzResourceActionAssociation to the AzRequestContext by providing an AzResource entity and an AzAction entity, which the method combines into the appropriate association object and adds to the Set of associations. |
| AzEntity<AzCategoryIdAction> | createAzEntity(AzCategoryIdAction t) | Creates and returns an AzEntity |
| AzEntity<AzCategoryIdEnvironment> | createAzEntity(AzCategoryIdEnvironment t) | |
| AzEntity<AzCategoryIdResource> | createAzEntity(AzCategoryIdResource t) | Creates and returns an AzEntity |
| AzEntity<AzCategoryIdSubjectAccess> | createAzEntity(AzCategoryIdSubjectAccess t) | |
| AzEntity<AzCategoryIdSubjectCodebase> | createAzEntity(AzCategoryIdSubjectCodebase t) | |
| AzEntity<AzCategoryIdSubjectIntermediary> | createAzEntity(AzCategoryIdSubjectIntermediary t) | |
| AzEntity<AzCategoryIdSubjectRecipient> | createAzEntity(AzCategoryIdSubjectRecipient t) | |
| AzEntity<AzCategoryIdSubjectRequestingMachine> | createAzEntity(AzCategoryIdSubjectRequestingMachine t) | |
| java.util.Set<AzEntity<AzCategoryIdAction>> | getActions() | Get the Set |
| java.util.Set<AzResourceActionAssociation> | getAssociations() | Return the set of tuples corresponding to the resource and action pairs that have been set in the request context. |
| AzEntity<AzCategoryIdAction> | getAzEntity(AzCategoryIdAction t) | |
| AzEntity<AzCategoryIdEnvironment> | getAzEntity(AzCategoryIdEnvironment t) | |
| AzEntity<AzCategoryIdResource> | getAzEntity(AzCategoryIdResource t) | |
| AzEntity<AzCategoryIdSubjectAccess> | getAzEntity(AzCategoryIdSubjectAccess t) | |
| AzEntity<AzCategoryIdSubjectCodebase> | getAzEntity(AzCategoryIdSubjectCodebase t) | |
| AzEntity<AzCategoryIdSubjectIntermediary> | getAzEntity(AzCategoryIdSubjectIntermediary t) | |
| AzEntity<AzCategoryIdSubjectRecipient> | getAzEntity(AzCategoryIdSubjectRecipient t) | |
| AzEntity<AzCategoryIdSubjectRequestingMachine> | getAzEntity(AzCategoryIdSubjectRequestingMachine t) | |
| AzEntity<AzCategoryIdEnvironment> | getAzEnvironment() | Return the AzEnvironment component of the AzRequestContext, or null if it has not been added. |
| java.util.Set<AzEntity<AzCategoryIdResource>> | getResources() | Get the Set of AzEntity |
| void | removeAllResourceActionAssociations() | Remove all AzResourceActionAssociations from the AzRequestContext. |
| void | removeResourceActionAssociation(AzEntity<AzCategoryIdResource> resource, AzEntity<AzCategoryIdAction> action) | Delete the AzResource and AzAction association from the AzRequestContext collection of AzResourceActionAssociations. |
| void | removeResourceActionAssociations(java.util.Set<AzEntity<AzCategoryIdResource>> resources, java.util.Set<AzEntity<AzCategoryIdAction>> actions) | Delete the cross-product of the AzResource and AzAction sets from the AzRequestContext, should the associations exist. |
Method Detail

AzEntity<AzCategoryIdResource> createAzEntity(AzCategoryIdResource t)
Creates and returns an AzEntity<AzCategoryIdResource>.
Note: The term "AzResource" may be used in discussion as a synonym for AzEntity<AzCategoryIdResource>.
Note: adding an AzEntity
Parameters:
t - an AzCategoryIdResource Enum
Returns:
The created AzEntity<AzCategoryIdResource>

AzEntity<AzCategoryIdAction> createAzEntity(AzCategoryIdAction t)
Creates and returns an AzEntity<AzCategoryIdAction>.
Note: The term "AzAction" may be used in discussion as a synonym for AzEntity<AzCategoryIdAction>.
Note: adding an AzEntity
Parameters:
t - an AzCategoryIdAction Enum
Returns:
The created AzEntity<AzCategoryIdAction>

AzEntity<AzCategoryIdEnvironment> createAzEntity(AzCategoryIdEnvironment t)

AzEntity<AzCategoryIdSubjectAccess> createAzEntity(AzCategoryIdSubjectAccess t)

AzEntity<AzCategoryIdSubjectCodebase> createAzEntity(AzCategoryIdSubjectCodebase t)

AzEntity<AzCategoryIdSubjectIntermediary> createAzEntity(AzCategoryIdSubjectIntermediary t)

AzEntity<AzCategoryIdSubjectRecipient> createAzEntity(AzCategoryIdSubjectRecipient t)

AzEntity<AzCategoryIdSubjectRequestingMachine> createAzEntity(AzCategoryIdSubjectRequestingMachine t)

<T extends java.lang.Enum<T> & AzCategoryId> boolean addAzEntity(AzEntity<T> azEntity)
Adds an AzEntity.
Type Parameters:
T
Parameters:
azEntity

AzEntity<AzCategoryIdAction> getAzEntity(AzCategoryIdAction t)

AzEntity<AzCategoryIdEnvironment> getAzEntity(AzCategoryIdEnvironment t)

AzEntity<AzCategoryIdResource> getAzEntity(AzCategoryIdResource t)

AzEntity<AzCategoryIdSubjectAccess> getAzEntity(AzCategoryIdSubjectAccess t)

AzEntity<AzCategoryIdSubjectCodebase> getAzEntity(AzCategoryIdSubjectCodebase t)

AzEntity<AzCategoryIdSubjectIntermediary> getAzEntity(AzCategoryIdSubjectIntermediary t)

AzEntity<AzCategoryIdSubjectRecipient> getAzEntity(AzCategoryIdSubjectRecipient t)

AzEntity<AzCategoryIdSubjectRequestingMachine> getAzEntity(AzCategoryIdSubjectRequestingMachine t)
AzResourceActionAssociation createAndAddResourceActionAssociation(AzEntity<AzCategoryIdResource> azResource, AzEntity<AzCategoryIdAction> azAction)
Add an AzResourceActionAssociation to the AzRequestContext by providing an AzResource entity and an AzAction entity, which the method combines into the appropriate association object and adds to the Set of associations.
Note that the association is based on associating the AzResource and AzAction objects, independent of the sets of attributes that the objects contain. Therefore, the association can be established independently of the presence of resource-id and action-id attributes within the objects.
TBD: do we need to require the presence of resource-id and action-id attributes, and hence a related Exception? These are not required by XACML 2.0 (for resource-id see section 6.3 (MAY contain one or more resource-id attributes), section 6.10 (lines 3080-3083), section B.6; for action-id see section B.7, section 6.1 (lines 2896-2898), section 6.5).
Parameters:
azResource
azAction
See Also:
AzResourceActionAssociation, AzResult
java.util.Set<AzResourceActionAssociation> getAssociations()
Return the set of tuples corresponding to the resource and action pairs that have been set in the request context.

java.util.Set<AzResourceActionAssociation> addResourceActionAssociation(java.util.Set<AzEntity<AzCategoryIdResource>> azResourceSet, java.util.Set<AzEntity<AzCategoryIdAction>> azActionSet)
Add an AzResourceActionAssociation to the AzRequestContext for each possible AzResource-AzAction combination (cross-product, n x m) of a Set of n AzResource entities and a Set of m AzAction entities.
For concreteness, consider N AzResource rows and M AzAction columns, where a single AzResource is a single row and each cell in that row represents one of the M actions that could potentially be performed on that resource.
Similarly, the removeResourceActionAssociation calls will remove any resource-action object pairs that have been added that are identical to any of the resource-action object pairs in the current remove call.
At the end of all the add and remove calls there will remain N' AzResource objects and M' AzAction objects participating in a maximum of N' x M' associations, a minimum of the larger of (N', M') associations, or any number in between.
TBD: there has been some discussion that if the resource-id and action-id could be guaranteed to be present, singular, and unique in every AzResource and AzAction object, then resource-id <-> action-id pairings would effectively be isomorphic (the same) as the pairings of the objects described above. Some of the considerations for not doing things this way include:
- it is not required by XACML 2.0 or 3.0;
- it is not possible to anticipate in advance how or why users will want to batch the requests;
- there is the possibility of two requests having AzResource entities for the same resource-id (or action-id), but with a different set of attributes;
- finally, it would seem a fairly straightforward extension to this conceptualization to subclass the AzResource and AzAction entities and the AzRequestContext to apply filtering to achieve this effect.
Note: use of a MissingRequestIdException/MissingActionIdException might be the mechanism to signal this condition, if necessary.
Parameters:
azResourceSet
azActionSet
See Also:
createAndAddResourceActionAssociation(AzEntity, AzEntity)

java.util.Set<AzResourceActionAssociation> addResourceActionAssociation(AzEntity<AzCategoryIdResource> resource, java.util.Set<AzEntity<AzCategoryIdAction>> actions)
Add the cross-product of a single AzResource and a Set of AzActions to the AzRequestContext.
Parameters:
resource
actions

java.util.Set<AzResourceActionAssociation> addResourceActionAssociation(java.util.Set<AzEntity<AzCategoryIdResource>> resources, AzEntity<AzCategoryIdAction> action)
Add the cross-product of a Set of AzResources and a single AzAction to the AzRequestContext.
Parameters:
resources
action
void removeResourceActionAssociation(AzEntity<AzCategoryIdResource> resource, AzEntity<AzCategoryIdAction> action)
Delete the AzResource and AzAction association from the AzRequestContext collection of AzResourceActionAssociations.
It is only the association that is deleted. If the AzResource entity and/or the AzAction entity belong to other AzResourceActionAssociations, then the AzResource and/or AzAction object will be kept in its respective collection. If an AzAction or AzResource entity is no longer part of any association, then no reference to the object will be kept by the AzRequestContext and it will be considered deleted from the AzRequestContext.
Parameters:
resource
action

void removeResourceActionAssociations(java.util.Set<AzEntity<AzCategoryIdResource>> resources, java.util.Set<AzEntity<AzCategoryIdAction>> actions)
Delete the cross-product of the AzResource and AzAction sets from the AzRequestContext, should the associations exist.
Parameters:
resources
actions

void removeAllResourceActionAssociations()
Remove all AzResourceActionAssociations from the AzRequestContext.
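The following Java class is an added example, not code from the AzApi project or from this page. It shows the batching mechanism described in the interface overview and in the addResourceActionAssociation and removeResourceActionAssociation details above: explicit resource-action associations select which decisions are requested, a removal deletes only the association, and an entity with no remaining association drops out of the context. It also adds a fail-closed check a PEP author would want, because a resource that is created but never associated is simply not included in the request. Two things are assumptions that this page does not document: that an AzService exposes a createAzRequestContext() factory method (the page names only AzService.decide()), and that the AzCategoryId enums have constants named AZ_CATEGORY_ID_*. The check also assumes that getResources() reflects only resources still referenced through an association, as the removeResourceActionAssociation detail describes.

```java
import java.util.HashSet;
import java.util.Set;

// Added example; not code from the AzApi project or from this page.
// Assumptions (not documented on this page): AzService.createAzRequestContext() is how a
// context is obtained, and the AzCategoryId enums expose constants named AZ_CATEGORY_ID_*.
public class BatchedDecisionExample {

    // Fail-closed check to run before decide(): a resource that was created but never
    // associated with an action is left out of the request, so the PDP returns no decision
    // for it. Returns the resources that would be skipped. Assumes getResources() only
    // reports resources still referenced through an AzResourceActionAssociation.
    static Set<AzEntity<AzCategoryIdResource>> resourcesWithoutDecision(
            AzRequestContext ctx, Set<AzEntity<AzCategoryIdResource>> created) {
        Set<AzEntity<AzCategoryIdResource>> missing = new HashSet<>(created);
        missing.removeAll(ctx.getResources());
        return missing;
    }

    // The caller passes the deployment's AzService implementation.
    static void run(AzService azService) {
        AzRequestContext ctx = azService.createAzRequestContext(); // assumed factory method

        // Exactly one entity for each category other than Resource and Action: every
        // decision in the batch is evaluated against this same subject and environment.
        ctx.createAzEntity(AzCategoryIdSubjectAccess.AZ_CATEGORY_ID_SUBJECT_ACCESS);
        ctx.createAzEntity(AzCategoryIdEnvironment.AZ_CATEGORY_ID_ENVIRONMENT);

        // Two AzResource and two AzAction entities. Creating them requests nothing yet;
        // only AzResourceActionAssociations select the decisions to be made.
        AzEntity<AzCategoryIdResource> ledger =
                ctx.createAzEntity(AzCategoryIdResource.AZ_CATEGORY_ID_RESOURCE);
        AzEntity<AzCategoryIdResource> payroll =
                ctx.createAzEntity(AzCategoryIdResource.AZ_CATEGORY_ID_RESOURCE);
        AzEntity<AzCategoryIdAction> read =
                ctx.createAzEntity(AzCategoryIdAction.AZ_CATEGORY_ID_ACTION);
        AzEntity<AzCategoryIdAction> write =
                ctx.createAzEntity(AzCategoryIdAction.AZ_CATEGORY_ID_ACTION);

        Set<AzEntity<AzCategoryIdResource>> created = new HashSet<>();
        created.add(ledger);
        created.add(payroll);

        // Explicit pairs: three decisions rather than the 2x2 cross-product (payroll/write
        // is deliberately not requested). The bulk form
        //   ctx.addResourceActionAssociation(resourceSet, actionSet)
        // would add all four pairs.
        ctx.createAndAddResourceActionAssociation(ledger, read);
        ctx.createAndAddResourceActionAssociation(ledger, write);
        ctx.createAndAddResourceActionAssociation(payroll, read);

        System.out.println("associations requested: " + ctx.getAssociations().size());
        System.out.println("resources skipped: "
                + resourcesWithoutDecision(ctx, created).size());

        // Removal deletes only the association. ledger is still referenced through
        // ledger/read; payroll has no remaining association and drops out of the context.
        ctx.removeResourceActionAssociation(ledger, write);
        ctx.removeResourceActionAssociation(payroll, read);
        System.out.println("ledger kept: " + ctx.getResources().contains(ledger));
        System.out.println("payroll kept: " + ctx.getResources().contains(payroll));

        // The skipped-resource check now fires: payroll was created but has no decision
        // pending. Fail closed instead of calling decide() and assuming payroll was covered.
        Set<AzEntity<AzCategoryIdResource>> skipped = resourcesWithoutDecision(ctx, created);
        if (!skipped.isEmpty()) {
            throw new IllegalStateException(
                    "resources without a pending decision: " + skipped);
        }
        azService.decide(ctx); // one decision per remaining association
    }
}
```

The check is cheap and worth keeping in front of every decide() call in a PEP that is assembled incrementally by several components, the case the overview notes: a component that creates a resource entity but relies on another component to associate it will otherwise get no decision for that resource, and a "no decision" is easy to mistake for a permit if the response handling is not careful.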
AzEntity<AzCategoryIdEnvironment> getAzEnvironment()
Return the AzEnvironment component of the AzRequestContext, or null if it has not been added. If null, an empty XACML Environment element will be sent when the AzService.decide() call is issued.
TBD: determine whether to support multiple AzEnvironment entities.

java.util.Set<AzEntity<AzCategoryIdResource>> getResources()
Get the Set of AzEntity
If no AzResources have been added, an empty Set will be returned. Only AzResources that have been identified by AzResourceActionAssociations will be included in authorization requests.

java.util.Set<AzEntity<AzCategoryIdAction>> getActions()
Get the Set
If no Action entities have been added, an empty Set will be returned.
Note: This Set may contain AzEntity