Class ExperimentalAccessController
- java.lang.Object
-
- org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController
-
- All Implemented Interfaces:
AccessController
public class ExperimentalAccessController extends java.lang.Object implements AccessController
-
-
Constructor Summary
Constructors Constructor Description ExperimentalAccessController()
ExperimentalAccessController(java.util.Map ruleMap)
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description void
assertAuthorized(java.lang.Object key, java.lang.Object runtimeParameter)
assertAuthorized
executes theAccessControlRule
that is identified bykey
and listed in theresources/ESAPI-AccessControlPolicy.xml
file.void
assertAuthorizedForData(java.lang.String action, java.lang.Object data)
Deprecated.void
assertAuthorizedForFile(java.lang.String filepath)
Deprecated.void
assertAuthorizedForFunction(java.lang.String functionName)
Deprecated.void
assertAuthorizedForService(java.lang.String serviceName)
Deprecated.void
assertAuthorizedForURL(java.lang.String url)
Deprecated.boolean
isAuthorized(java.lang.Object key, java.lang.Object runtimeParameter)
isAuthorized
executes theAccessControlRule
that is identified bykey
and listed in theresources/ESAPI-AccessControlPolicy.xml
file.boolean
isAuthorizedForData(java.lang.String action, java.lang.Object data)
Deprecated.boolean
isAuthorizedForFile(java.lang.String filepath)
Deprecated.boolean
isAuthorizedForFunction(java.lang.String functionName)
Deprecated.boolean
isAuthorizedForService(java.lang.String serviceName)
Deprecated.boolean
isAuthorizedForURL(java.lang.String url)
Deprecated.
-
-
-
Field Detail
-
logger
protected final Logger logger
-
-
Constructor Detail
-
ExperimentalAccessController
public ExperimentalAccessController(java.util.Map ruleMap)
-
ExperimentalAccessController
public ExperimentalAccessController() throws AccessControlException
- Throws:
AccessControlException
-
-
Method Detail
-
isAuthorized
public boolean isAuthorized(java.lang.Object key, java.lang.Object runtimeParameter)
Description copied from interface:AccessController
isAuthorized
executes theAccessControlRule
that is identified bykey
and listed in theresources/ESAPI-AccessControlPolicy.xml
file. It returns true if theAccessControlRule
decides that the operation should be allowed. Otherwise, it returns false. Any exception thrown by theAccessControlRule
must result in false. Ifkey
does not map to anAccessControlRule
, then false is returned. Developers should call isAuthorized to control execution flow. For example, if you want to decide whether to display a UI widget in the browser using the same logic that you will use to enforce permissions on the server, then isAuthorized is the method that you want to use. Typically, assertAuthorized should be used to enforce permissions on the server.- Specified by:
isAuthorized
in interfaceAccessController
- Parameters:
key
-key
maps to<AccessControlPolicy><AccessControlRules> <AccessControlRule name="key"
runtimeParameter
- runtimeParameter can contain anything that the AccessControlRule needs from the runtime system.- Returns:
- Returns
true
if and only if the AccessControlRule specified bykey
exists and returnedtrue
. Otherwise returnsfalse
-
assertAuthorized
public void assertAuthorized(java.lang.Object key, java.lang.Object runtimeParameter) throws AccessControlException
Description copied from interface:AccessController
assertAuthorized
executes theAccessControlRule
that is identified bykey
and listed in theresources/ESAPI-AccessControlPolicy.xml
file. It does nothing if theAccessControlRule
decides that the operation should be allowed. Otherwise, it throws anorg.owasp.esapi.errors.AccessControlException
. Any exception thrown by theAccessControlRule
will also result in anAccesControlException
. Ifkey
does not map to anAccessControlRule
, then anAccessControlException
is thrown. Developers should callassertAuthorized
to enforce privileged access to the system. It should be used to answer the question: "Should execution continue." Ideally, the call toassertAuthorized
should be integrated into the application framework so that it is called automatically.- Specified by:
assertAuthorized
in interfaceAccessController
- Parameters:
key
-key
maps to <AccessControlPolicy><AccessControlRules> <AccessControlRule name="key"runtimeParameter
- runtimeParameter can contain anything that the AccessControlRule needs from the runtime system.- Throws:
AccessControlException
-
assertAuthorizedForData
public void assertAuthorizedForData(java.lang.String action, java.lang.Object data) throws AccessControlException
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced data. This method simply returns if access is authorized. It throws an AccessControlException if access is not authorized, or if the referenced data does not exist.Specification: The implementation should do the following:
- Check to see if the resource exists and if not, throw an AccessControlException
- Use available information to make an access control decision
- Ideally, this policy would be data driven
- You can use the current User, roles, data type, data name, time of day, etc.
- Access control decisions must deny by default
- If access is not permitted, throw an AccessControlException with details
- Specified by:
assertAuthorizedForData
in interfaceAccessController
- Parameters:
action
-data
-- Throws:
AccessControlException
- See Also:
org.owasp.esapi.reference.accesscontrol.FileBasedACRs#assertAuthorizedForData(java.lang.String, java.lang.Object)
-
assertAuthorizedForFile
public void assertAuthorizedForFile(java.lang.String filepath) throws AccessControlException
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced file. The implementation should validate and canonicalize the input to be sure the filepath is not malicious.This method throws an AccessControlException if access is not authorized, or if the referenced File does not exist. If the User is authorized, this method simply returns.
Specification: The implementation should do the following:
- Check to see if the File exists and if not, throw an AccessControlException
- Use available information to make an access control decision
- Ideally, this policy would be data driven
- You can use the current User, roles, data type, data name, time of day, etc.
- Access control decisions must deny by default
- If access is not permitted, throw an AccessControlException with details
- Specified by:
assertAuthorizedForFile
in interfaceAccessController
- Parameters:
filepath
-- Throws:
AccessControlException
- See Also:
org.owasp.esapi.reference.accesscontrol.FileBasedACRs#assertAuthorizedForFile(java.lang.String)
-
assertAuthorizedForFunction
public void assertAuthorizedForFunction(java.lang.String functionName) throws AccessControlException
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced function. The implementation should define the function "namespace" to be enforced. Choosing something simple like the class name of action classes or menu item names will make this implementation easier to use.This method throws an AccessControlException if access is not authorized, or if the referenced function does not exist. If the User is authorized, this method simply returns.
Specification: The implementation should do the following:
- Check to see if the function exists and if not, throw an AccessControlException
- Use available information to make an access control decision
- Ideally, this policy would be data driven
- You can use the current User, roles, data type, data name, time of day, etc.
- Access control decisions must deny by default
- If access is not permitted, throw an AccessControlException with details
- Specified by:
assertAuthorizedForFunction
in interfaceAccessController
- Parameters:
functionName
-- Throws:
AccessControlException
- See Also:
org.owasp.esapi.reference.accesscontrol.FileBasedACRs#assertAuthorizedForFunction(java.lang.String)
-
assertAuthorizedForService
public void assertAuthorizedForService(java.lang.String serviceName) throws AccessControlException
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced service. This can be used in applications that provide access to a variety of backend services.This method throws an AccessControlException if access is not authorized, or if the referenced service does not exist. If the User is authorized, this method simply returns.
Specification: The implementation should do the following:
- Check to see if the service exists and if not, throw an AccessControlException
- Use available information to make an access control decision
- Ideally, this policy would be data driven
- You can use the current User, roles, data type, data name, time of day, etc.
- Access control decisions must deny by default
- If access is not permitted, throw an AccessControlException with details
- Specified by:
assertAuthorizedForService
in interfaceAccessController
- Parameters:
serviceName
-- Throws:
AccessControlException
- See Also:
org.owasp.esapi.reference.accesscontrol.FileBasedACRs#assertAuthorizedForService(java.lang.String)
-
assertAuthorizedForURL
public void assertAuthorizedForURL(java.lang.String url) throws AccessControlException
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced URL. The implementation should allow access to be granted to any part of the URL. Generally, this method should be invoked in the application's controller or a filter as follows:ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI().toString());
This method throws an AccessControlException if access is not authorized, or if the referenced URL does not exist. If the User is authorized, this method simply returns.Specification: The implementation should do the following:
- Check to see if the resource exists and if not, throw an AccessControlException
- Use available information to make an access control decision
- Ideally, this policy would be data driven
- You can use the current User, roles, data type, data name, time of day, etc.
- Access control decisions must deny by default
- If access is not permitted, throw an AccessControlException with details
- Specified by:
assertAuthorizedForURL
in interfaceAccessController
- Parameters:
url
-- Throws:
AccessControlException
- See Also:
org.owasp.esapi.reference.accesscontrol.FileBasedACRs#assertAuthorizedForURL(java.lang.String)
-
isAuthorizedForData
public boolean isAuthorizedForData(java.lang.String action, java.lang.Object data)
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced data, represented as an Object. The implementation of this method should call assertAuthorizedForData(String action, Object data), and if an AccessControlException is not thrown, this method should return true.- Specified by:
isAuthorizedForData
in interfaceAccessController
- Parameters:
action
-data
-- Returns:
true
if access is permitted;false
otherwise.- See Also:
FileBasedACRs.isAuthorizedForData(java.lang.String, java.lang.Object)
-
isAuthorizedForFile
public boolean isAuthorizedForFile(java.lang.String filepath)
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced file. The implementation of this method should call assertAuthorizedForFile(String filepath), and if an AccessControlException is not thrown, this method should return true.- Specified by:
isAuthorizedForFile
in interfaceAccessController
- Parameters:
filepath
-- Returns:
true
if access is permitted;false
otherwise.- See Also:
FileBasedACRs.isAuthorizedForFile(java.lang.String)
-
isAuthorizedForFunction
public boolean isAuthorizedForFunction(java.lang.String functionName)
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced function. The implementation of this method should call assertAuthorizedForFunction(String functionName), and if an AccessControlException is not thrown, this method should return true.- Specified by:
isAuthorizedForFunction
in interfaceAccessController
- Parameters:
functionName
-- Returns:
true
if access is permitted;false
otherwise.- See Also:
FileBasedACRs.isAuthorizedForFunction(java.lang.String)
-
isAuthorizedForService
public boolean isAuthorizedForService(java.lang.String serviceName)
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced service. This can be used in applications that provide access to a variety of back end services. The implementation of this method should call assertAuthorizedForService(String serviceName), and if an AccessControlException is not thrown, this method should return true.- Specified by:
isAuthorizedForService
in interfaceAccessController
- Parameters:
serviceName
-- Returns:
true
if access is permitted;false
otherwise.- See Also:
FileBasedACRs.isAuthorizedForService(java.lang.String)
-
isAuthorizedForURL
public boolean isAuthorizedForURL(java.lang.String url)
Deprecated.Description copied from interface:AccessController
Checks if the current user is authorized to access the referenced URL. Generally, this method should be invoked in the application's controller or a filter as follows:ESAPI.accessController().isAuthorizedForURL(request.getRequestURI().toString());
The implementation of this method should call assertAuthorizedForURL(String url), and if an AccessControlException is not thrown, this method should return true. This way, if the user is not authorized, false would be returned, and the exception would be logged.- Specified by:
isAuthorizedForURL
in interfaceAccessController
- Parameters:
url
-- Returns:
true
if access is permitted;false
otherwise.- See Also:
FileBasedACRs.isAuthorizedForURL(java.lang.String)
-
-