Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

uk.ac.soton.itinnovation.grid.types
Class MatchPattern

java.lang.Object
  extended by uk.ac.soton.itinnovation.grid.types.MatchPattern
All Implemented Interfaces:
Comparable
public class MatchPattern
extends Object
implements Comparable

A pattern for matching a set of security credentials.

When determining whether a SOAP operation should be permitted, the PBAC PDP must first find the set of process roles which the caller has in the context of the resource. This is done by evaluating each of the resource's policy's rules. Each rule has two parts: a pattern to match (the MatchPattern) and what to do if the pattern matches (e.g. grant a particular process role).

There are various different types of MatchPattern, although all are handled by this single class, rather than with subclasses:

World matches match anyone at all.

Wildcarded issuer matches match anyone whose identity is vouched for by a particular CA. This could be used to ensure that people can't open new accounts under bogus names, for example.

Specific subject matches only match someone with that exact distinguished name (DN), signed by a given CA. Note that only the distinguished name is taken from the user's certificate, not their public key. If the user generates a new key they can still get the role, provided it has the same DN and is signed by the same issuer. This allows the use of short-lived X.509 user certificates.

Group matches match anyone who is a member of the specified group. Each group is itself a resource, and has its own set of match rules to determine who is a member. See GroupUtils for more details about groups.

SAML attribute matches match anyone who presents a SAML assertion signed by a given authority, stating that they have the specified attribute.

Since:
5.1

Constructor Summary
MatchPattern()
          Create an empty match rule.
MatchPattern(MatchPattern rule)
          Create a rule based on an existing one.
MatchPattern(String memberOfGroup)
          Group membership rule.
MatchPattern(String attributeName, String attributeValue, X509Certificate authority)
          Full constructor that allows setting all values for a SAML attribute.
MatchPattern(String subjectDN, X509Certificate authority)
          Full constructor that allows setting all values for an X.509 match.
MatchPattern(SubjectDescription subject, SubjectDescription authority)
          Convenience constructor that extracts the subject DN from 'subject', and the issuer certificate from 'authority'.
 
Method Summary
 void checkValid()
          Ensure that all required fields are set, and no fields conflict.
 int compareTo(Object otherObj)
          Used to ensure a stable sort order for display.
static MatchPattern createAnyonePattern()
          Create a pattern that will match anyone at all.
 String getAttributeName()
          Get SAML attribute name.
 String getAttributeValue()
          Get SAML attribute value.
 String getIssuerCertificate()
          Get a serialised form of the issuer's certificate, or null if there isn't one.
 String getMemberOfGroup()
           
 String getSubjectDN()
           
static TypeDesc getTypeDesc()
          Return type metadata object for Axis serialisation.
 X509Certificate parseIssuerCertificate()
          Decode the issuerCertificate into an X509Certificate.
 void setAttributeName(String value)
          Set required SAML attribute name (for SAML match rules).
 void setAttributeValue(String value)
          Set required SAML attribute value (for SAML match rules).
 void setIssuerCertificate(String issuerCertificate)
           
 void setMemberOfGroup(String memberOfGroup)
          For group rules: set the group of which the subject must be a member.
 void setSubjectDN(String subjectDN)
           
 String toString()
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

MatchPattern

public MatchPattern()
Create an empty match rule. This is mainly useful for systems which populate the object using the setters (e.g., hibernate or Axis deserialisers).

MatchPattern

public MatchPattern(MatchPattern rule)
             throws InvalidMatchRuleException
Create a rule based on an existing one. Mainly used by the internal SavedMatchRule class.

Throws:
InvalidMatchRuleException

MatchPattern

public MatchPattern(SubjectDescription subject,
                    SubjectDescription authority)
Convenience constructor that extracts the subject DN from 'subject', and the issuer certificate from 'authority'.

Parameters:
subject - subject containing the DN to extract
authority - authority containing the X.509 certificate to extract

MatchPattern

public MatchPattern(String subjectDN,
                    X509Certificate authority)
Full constructor that allows setting all values for an X.509 match.

Parameters:
subjectDN - the client certificate's subject DN must match this string.
authority - the client certificate must be signed by this certificate's public key.

MatchPattern

public MatchPattern(String attributeName,
                    String attributeValue,
                    X509Certificate authority)
Full constructor that allows setting all values for a SAML attribute.

Parameters:
attributeName - the name of the SAML attribute
attributeValue - the value of the SAML attribute
authority - the assertion must be signed by this certificate's public key; use null to match only trusted attributes (verified outside of PBAC)

MatchPattern

public MatchPattern(String memberOfGroup)
Group membership rule.

Parameters:
memberOfGroup - the group resource in which users must have PDP.GROUP_MEMBER_ROLE.
Method Detail

createAnyonePattern

public static MatchPattern createAnyonePattern()
Create a pattern that will match anyone at all. This is not a constructor because there are too many of them and it's getting confusing.

Returns:
the new rule

getIssuerCertificate

public String getIssuerCertificate()
Get a serialised form of the issuer's certificate, or null if there isn't one.

See Also:
parseIssuerCertificate()

setIssuerCertificate

public void setIssuerCertificate(String issuerCertificate)

setSubjectDN

public void setSubjectDN(String subjectDN)

getSubjectDN

public String getSubjectDN()

setAttributeName

public void setAttributeName(String value)
Set required SAML attribute name (for SAML match rules).

setAttributeValue

public void setAttributeValue(String value)
Set required SAML attribute value (for SAML match rules).

getAttributeName

public String getAttributeName()
Get SAML attribute name.

getAttributeValue

public String getAttributeValue()
Get SAML attribute value.

setMemberOfGroup

public void setMemberOfGroup(String memberOfGroup)
For group rules: set the group of which the subject must be a member.

getMemberOfGroup

public String getMemberOfGroup()

toString

public String toString()
Overrides:
toString in class Object

checkValid

public void checkValid()
                throws InvalidMatchRuleException
Ensure that all required fields are set, and no fields conflict.

Throws:
InvalidMatchRuleException

getTypeDesc

public static TypeDesc getTypeDesc()
Return type metadata object for Axis serialisation.

parseIssuerCertificate

public X509Certificate parseIssuerCertificate()
Decode the issuerCertificate into an X509Certificate.

Returns:
the X.509 certificate of the authority
Throws:
RuntimeException - if no certificate is set, or if the certificate cannot be decoded

compareTo

public int compareTo(Object otherObj)
Used to ensure a stable sort order for display.

Specified by:
compareTo in interface Comparable
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2001-2007 University of Southampton IT Innovation Centre. All Rights Reserved.