weblogic.security.acl
Class AclImpl

java.lang.Object
  weblogic.security.acl.OwnerImpl
      weblogic.security.acl.AclImpl

All Implemented Interfaces:

Serializable, Acl, Owner

public class AclImpl
extends OwnerImpl
implements Acl, Serializable

This class implements the java.security.acl.Acl interface with optimization for checking permissions.

The implementation manages permissions in groups of 32. Each group has separate hash tables mapping groups and users to pairs of bit masks representing granted and not denied permissions. Permission is checked by finding the right group, computing the bitmask corresponding to the specific permission, and doing the bit arithmetic.

The AclEntry objects used in the interfaces are not kept. They are analyzed on input and synthesized on demand.

An ACL is a data structure with multiple AclEntry objects. Each AclEntry object contains a set of permissions associated with a particular principal, which represents an entity such as an individual user or a group).

Additionally, each AclEntry is specified as either positive or negative. If positive, the permissions are to be granted to the associated principal. If negative, the permissions are to be denied.

Each AclEntry in each ACL observes the following rules:

• Each principal can have at most one positive and one negative AclEntry; that is, multiple positive or negative ActEntries are not allowed for any principal. Each entry specifies the set of permissions that are to be granted (if positive) or denied (if negative).
• If there is no entry for a particular principal, then the principal is considered to have a null (empty) permission set.
• If there is a positive entry that grants a principal a particular permission, and a negative entry that denies the principal the same permission, the result is as though the permission was never granted or denied.
• Individual permissions always override permissions of the group(s) to which the individual belongs. That is, individual negative permissions (specific denial of permissions) override the groups' positive permissions. Likewise individual positive permissions override the groups' negative permissions.

The java.security.acl package provides the interfaces to the ACL and related data structures (ACL entries, groups, permissions, etc.), and the sun.security.acl classes provide a default implementation of the interfaces. For example, java.security.acl.Acl provides the interface to an ACL and the sun.security.acl.AclImpl class provides the default implementation of the interface.

The java.security.acl.Acl interface extends the java.security.acl.Owner interface. The Owner interface is used to maintain a list of owners for each ACL. Only owners are allowed to modify an ACL. For example, only an owner can call the ACL's addEntry() method to add a new AclEntry to the ACL.

See Also:

AclEntry, Owner, Acl.getPermissions(java.security.Principal), Serialized Form

AclImpl

public AclImpl(Principal caller,
               String name)

Deprecated. 

Sets the name of an ACL to the specified string. The principal that owns the ACL must be supplied.

Parameters:

principal - Principal that owns the ACL

name - Name for the ACL

setName

public void setName(Principal caller,
                    String name)
             throws NotOwnerException

Deprecated. 

Sets the name of an ACL to the specified string. The principal that owns the ACL must be supplied.

Specified by:

setName in interface Acl

Parameters:

caller - Principal that owns the ACL

name - Name for the ACL

Throws:

NotOwnerException - if the caller principal does not own the ACL

getName

public String getName()

Deprecated. 

Returns the name of this ACL as a string.

Specified by:

getName in interface Acl

Returns:

ACL name

addEntry

public boolean addEntry(Principal caller,
                        AclEntry entry)
                 throws NotOwnerException

Deprecated. 

Adds an AclEntry. An AclEntry associates a principal (e.g., an individual or a group) with a set of permissions. Each principal can have at most one positive AclEntry (specifying permissions to be granted to the principal) and one negative AclEntry (specifying permissions to be denied). If there is already an AclEntry of the same type (negative or positive) already in the ACL, false is returned.

The principal that owns the ACL must be supplied.

Specified by:

addEntry in interface Acl

Parameters:

caller - Principal that owns the ACL

entry - AclEntry to be added to an ACL

Returns:

false if an entry of the same type (positive or negative) for the same principal is already present

Throws:

NotOwnerException - if the caller principal does not own the ACL

removeEntry

public boolean removeEntry(Principal caller,
                           AclEntry entry)
                    throws NotOwnerException

Deprecated. 

Removes an AclEntry from an ACL. The principal that owns the ACL must be supplied.

Specified by:

removeEntry in interface Acl

Parameters:

caller - Principal that owns the ACL

entry - AclEntry to be removed from an ACL

Returns:

false if there is no entry

Throws:

NotOwnerException - if the caller principal does not own the ACL

getPermissions

public Enumeration getPermissions(Principal user)

Deprecated. 

Returns an enumeration for the set of allowed permissions for the specified principal (representing an entity such as an individual or a group). This set of allowed permissions is calculated as follows:

• If there is no entry in an ACL (access control list) for the specified principal, an empty permission set is returned.
• Otherwise, the principal's group permission sets are determined. (A principal can belong to one or more groups, where a group is a group of principals, represented by the Group interface.) The group positive permission set is the union of all the positive permissions of each group that the principal belongs to. The group negative permission set is the union of all the negative permissions of each group that the principal belongs to. If there is a specific permission that occurs in both the positive permission set and the negative permission set, it is removed from both.

  The individual positive and negative permission sets are also determined. The positive permission set contains the permissions specified in the positive AclEntry (if any) for the principal. Similarly, the negative permission set contains the permissions specified in the negative AclEntry (if any) for the principal. The individual positive (or negative) permission set is considered to be null if there is not a positive (negative) AclEntry for the principal in an ACL.

  The set of permissions granted to the principal is then calculated using the simple rule that individual permissions always override the group permissions. That is, the principal's individual negative permission set (specific denial of permissions) overrides the group positive permission set, and the principal's individual positive permission set overrides the group negative permission set.

Specified by:

getPermissions in interface Acl

Parameters:

user - Principal whose permission set is to be returned

Returns:

Enumeration of permissions the principal is allowed

entries

public Enumeration entries()

Deprecated. 

Returns an enumeration of the entries in an ACL. Each element in the enumeration is of type AclEntry.

Specified by:

entries in interface Acl

Returns:

Enumeration of the entries in an ACL

checkPermission

public boolean checkPermission(Principal principal,
                               Permission permission)

Deprecated. 

Determines whether the specified principal has the specified permission. True is returned if so; otherwise false is returned.

More specifically, this method checks whether the passed permission is a member of the allowed permission set of the specified principal. The allowed permission set is determined by the same algorithm as is used by the getPermissions() method.

Specified by:

checkPermission in interface Acl

Parameters:

principal - Principal (assumed to be a valid authenticated Principal)

permission - Permission to be checked for

Returns:

true if the principal has the specified permission

See Also:

AclImpl.getPermissions(java.security.Principal)

getPermission

protected int getPermission(Principal principal,
                            Permission permission)

Deprecated. 

toString

public String toString()

Deprecated. 

Returns a string representation of the contents of an ACL.

Specified by:

toString in interface Acl

Overrides:

toString in class Object

Returns:

String representation of the ACL contents