Class FileBasedACRs
- java.lang.Object
-
- org.owasp.esapi.reference.accesscontrol.FileBasedACRs
-
public class FileBasedACRs extends java.lang.Object
This class exists for backwards compatibility with the AccessController 1.0 reference implementation. This reference implementation uses a simple model for specifying a set of access control rules. Many organizations will want to create their own implementation of the methods provided in the AccessController interface.This reference implementation uses a simple scheme for specifying the rules. The first step is to create a namespace for the resources being accessed. For files and URL's, this is easy as they already have a namespace. Be extremely careful about canonicalizing when relying on information from the user in an access control decision.
For functions, data, and services, you will have to come up with your own namespace for the resources being accessed. You might simply define a flat namespace with a list of category names. For example, you might specify 'FunctionA', 'FunctionB', and 'FunctionC'. Or you can create a richer namespace with a hierarchical structure, such as:
/functions
- purchasing
- shipping
- inventory
- createUser
- deleteUser
There is a single configuration file supporting each of the five methods in the AccessController interface. These files are located in the ESAPI resources directory as specified when the JVM was started. The use of a default deny rule is STRONGLY recommended. The file format is as follows:
path | role,role | allow/deny | comment ------------------------------------------------------------------------------------ /banking/* | user,admin | allow | authenticated users can access /banking /admin | admin | allow | only admin role can access /admin / | any | deny | default deny rule
To find the matching rules, this implementation follows the general approach used in Java EE when matching HTTP requests to servlets in web.xml. The four mapping rules are used in the following order:- exact match, e.g. /access/login
- longest path prefix match, beginning / and ending /*, e.g. /access/* or /*
- extension match, beginning *., e.g. *.css
- default rule, specified by the single character pattern /
- Since:
- June 1, 2007
- Author:
- Mike Fauzy (mike.fauzy@aspectsecurity.com), Jeff Williams (jeff.williams@aspectsecurity.com)
-
-
Constructor Summary
Constructors Constructor Description FileBasedACRs()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description boolean
isAuthorizedForData(java.lang.String action, java.lang.Object data)
TODO Javadocboolean
isAuthorizedForFile(java.lang.String filepath)
TODO Javadocboolean
isAuthorizedForFunction(java.lang.String functionName)
TODO Javadocboolean
isAuthorizedForService(java.lang.String serviceName)
TODO Javadocboolean
isAuthorizedForURL(java.lang.String url)
Check if URL is authorized.
-
-
-
Method Detail
-
isAuthorizedForURL
public boolean isAuthorizedForURL(java.lang.String url)
Check if URL is authorized.- Parameters:
url
- The URL tested for authorization- Returns:
true
if access is allowed,false
otherwise.
-
isAuthorizedForFunction
public boolean isAuthorizedForFunction(java.lang.String functionName) throws AccessControlException
TODO Javadoc- Throws:
AccessControlException
-
isAuthorizedForData
public boolean isAuthorizedForData(java.lang.String action, java.lang.Object data) throws AccessControlException
TODO Javadoc- Throws:
AccessControlException
-
isAuthorizedForFile
public boolean isAuthorizedForFile(java.lang.String filepath) throws AccessControlException
TODO Javadoc- Throws:
AccessControlException
-
isAuthorizedForService
public boolean isAuthorizedForService(java.lang.String serviceName) throws AccessControlException
TODO Javadoc- Throws:
AccessControlException
-
-