authorization package

The authorization package provides several security authorization request types that a CSI consumer can combine to construct more complex authorization requests.

Members

All public members of the authorization package.

Remarks

In cases where the access control policy is not straightforward role-based access control, these request objects may be combined to pose a more complex authorization request, which is then evaluated with the SecContext.checkAuthorization method. One benefit of this is to avoid false negative audit records.

For example, suppose the security policy says "grant access if the user is in any one of this set of roles {A, B, C}". Without support for complex authorization requests, the Policy Enforcement Point (PEP) could check each role separately and grant access if any of the checks succeeded, but that could leave DENY audit records for the failed checks without any indication that all the role checks are tied to one single access check.

Using this package, a composite request can be constructed as demonstrated in the following sample code:

           
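      // Grant access if the user holds any one of the roles A, B or C.
      // Arrays is java.util.Arrays; _context is the caller's SecContext.
      CompositeAuthzRequest request =
          RoleAuthzRequest.getCompositeAuthzRequest(
              Arrays.asList("A", "B", "C"), LogicalOrAuthzRequest.class);
      request.setPackage("Application A");
      // A single call evaluates the whole composite request.
      AuthzResponse resp = _context.checkAuthorization(request);
      if (resp.getDecision() == Decision.PERMIT)
      {
          // access granted
      }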

The audit records generated for a composite authorization check are all tied with the same request ID to indicate that they are all part of one composite authorization check.
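
The audit difference described above, modelled in self-contained Java as an added example (it is not CSI code and not part of the original page). AuditModel, AuditRecord, checkRole, checkSeparately and checkComposite are hypothetical names, and the sample user and request IDs are constructed.

```java
import java.util.*;

// Added illustration: a self-contained model, not the CSI API.
// All class and method names here are hypothetical.
public class AuditModel {
    record AuditRecord(String requestId, String check, String decision) {}

    static final List<AuditRecord> audit = new ArrayList<>();
    static int nextId = 1;

    // One role check; every check writes exactly one audit record.
    static boolean checkRole(Set<String> userRoles, String role, String requestId) {
        boolean ok = userRoles.contains(role);
        audit.add(new AuditRecord(requestId, "role:" + role, ok ? "PERMIT" : "DENY"));
        return ok;
    }

    // PEP without composite support: each role is its own request with its own ID.
    static boolean checkSeparately(Set<String> userRoles, List<String> anyOf) {
        for (String role : anyOf) {
            if (checkRole(userRoles, role, "req-" + nextId++)) return true;
        }
        return false;
    }

    // Composite OR: every sub-check and the overall outcome share one request ID.
    // Modelling choice: all sub-checks run; the page does not say whether CSI short-circuits.
    static boolean checkComposite(Set<String> userRoles, List<String> anyOf) {
        String id = "req-" + nextId++;
        boolean permit = false;
        for (String role : anyOf) {
            permit |= checkRole(userRoles, role, id);
        }
        audit.add(new AuditRecord(id, "OR" + anyOf, permit ? "PERMIT" : "DENY"));
        return permit;
    }

    public static void main(String[] args) {
        Set<String> user = Set.of("C");               // constructed sample user
        List<String> policy = List.of("A", "B", "C"); // the {A, B, C} policy from the text
        checkSeparately(user, policy);
        System.out.println("separate checks:");
        audit.forEach(r -> System.out.println("  " + r));
        audit.clear();
        checkComposite(user, policy);
        System.out.println("composite check:");
        audit.forEach(r -> System.out.println("  " + r));
    }
}
```

In the first listing the DENY records for A and B carry unrelated request IDs, so a reviewer cannot tell they belong to an access that was ultimately granted. In the second, grouping the audit trail by request ID shows the two DENY sub-checks next to the overall PERMIT.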

At the moment there are 4 types of AuthzRequest:

RoleAuthzRequest uses checkRole to check a role.

LogicalOrAuthzRequest returns PERMIT if any of the requests contained within the composite request returns PERMIT.

LogicalAndAuthzRequest returns PERMIT only if all of the requests contained within the composite return PERMIT.

FineGrainedAuthzRequest uses checkAccess to perform a fine-grained access check.

For each AuthzRequest there is a corresponding AuthorizationChecker. The AuthorizationCheckerFactory is used to correlate an AuthzRequest with its corresponding checker. At some future point we may allow extensions beyond these 4 request types, but for the moment this is closed.