net.drijf.javaone
Class DelegatingPolicy

java.lang.Object
  |
  +--java.security.Policy
        |
        +--net.drijf.javaone.DelegatingPolicy

public class DelegatingPolicy

extends java.security.Policy

This class implements an authorization policy that enables granting of authorizition based on the CA of the associated certificates and based on Roles.

Author:

Otto Moerbeek

See Also:

Role

Constructor Summary

DelegatingPolicy(java.io.File keystorePath, char[] password, RoleMapping roledefs)
Construct a new DelegatingPolicy.

Method Summary

static void	addPermissions(java.security.PermissionCollection set1, java.security.PermissionCollection set2) Add permissions to a permission collection.
java.security.PermissionCollection	getPermissions(java.security.cert.Certificate[] certs) Return a permission collection associated with a list of certificates.
java.security.PermissionCollection	getPermissions(java.security.CodeSource cs) Get the permission collection associated with a code source.
java.security.PermissionCollection	getPermissions(java.lang.String alias) Return the permissions associated with a role.
void	refresh() Refreshes the policy definition.
static java.util.List	splitCertificateArray(java.security.cert.Certificate[] certs) Split up a certificate array returned by CodeSource.getCertficates into seperate chains.
java.lang.String	verifyChain(java.util.List chain) Do a quite strict verification of a chain of certificates.

Methods inherited from class java.security.Policy

getPolicy, setPolicy

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DelegatingPolicy

public DelegatingPolicy(java.io.File keystorePath,
                        char[] password,
                        RoleMapping roledefs)

Construct a new DelegatingPolicy. Read the list of known certificates from a keystore.

Parameters:

keystorePath - the path of the file containing the keystore.

password - the password associated with the keystore.

roledefs - the map mapping role names to Roles.

Method Detail

refresh

public void refresh()

Refreshes the policy definition. This is done be rereading the keystore file.

Overrides:

refresh in class java.security.Policy

getPermissions

public java.security.PermissionCollection getPermissions(java.security.CodeSource cs)

Get the permission collection associated with a code source. The permissions associated with a code source are defined to be the permissions associated with the certificates associated with a codesource.

Overrides:

getPermissions in class java.security.Policy

Parameters:

cs - the code source to return the permissions of.

Returns:

the permissions associated with the code source.

getPermissions

public java.security.PermissionCollection getPermissions(java.security.cert.Certificate[] certs)

Return a permission collection associated with a list of certificates.

Parameters:

certs - an array of certificates. These certificates should be X509 certificates.

Returns:

The permissions associated with the certificates

See Also:

X509Certificate

getPermissions

public java.security.PermissionCollection getPermissions(java.lang.String alias)

Return the permissions associated with a role.

Parameters:

alias - the name of the role.

Returns:

a permission collection containing the permissions. Never null.

addPermissions

public static void addPermissions(java.security.PermissionCollection set1,
                                  java.security.PermissionCollection set2)

Add permissions to a permission collection.

Parameters:

set1 - the collection to add to.

set2 - the permissions to be added.

splitCertificateArray

public static java.util.List splitCertificateArray(java.security.cert.Certificate[] certs)

Split up a certificate array returned by CodeSource.getCertficates into seperate chains.

Parameters:

certs - the array of certificates.

Returns:

a list of lists containing the chains.

verifyChain

public java.lang.String verifyChain(java.util.List chain)
                             throws java.security.GeneralSecurityException

Do a quite strict verification of a chain of certificates. The standard verify code allows for expired certificates. This method does not allow that.

Parameters:

chain - the certificate chain to verify.

Returns:

the alias of the first know certificate in the chain, null if no alias was found in the keystore.

Throws:

java.security.GeneralSecurityException - if the chain fails verification