Interface horb.orb.ACL
All Packages Class Hierarchy This Package Previous Next Index
Interface horb.orb.ACL
- public interface ACL
- extends Object
Interface to HORB distributed access control list. You can specify hosts and
users that are allowed to access to a class or a method.
Syntax of ACL file
name=acl_name
className.host=hostname networkaddress domain...
className.host_exclude=hostname networkaddress domain...
className.user=username1 username2...
className.user_exclude=username1 username2...
className.creatable=false
className2....
className3....
username1.password: lklaskjdf
username2....
username3....
Example:
name=etl_acl
horb.orb.HORBAgent.host=bungo.etl.go.jp 192.31.99.23
WClock.Test.host=etl.go.jp 192.31.*.*
WCLock.Test.host_exclude=gate.etl.go.jp ftp.etl.go.jp
WCLock.Test.user=hirano connelly guest
WCLock.Test.user_exclude=hashimoto anonymous
hirano.password=LKU&232ZC
guest.password=*
default.host=*
default.host_exclude=gate.etl.go.jp
default.user=*
default.user_exclude=anonymous
If ACL system is used in a HORB server, client must pass the following
access control.
- Client's host name or network address must be included in the class'
host include list or default host include list if class' host include
list is not exists.
- Clien't host name or network address must not be included in the
class' host exclude list or default host exclude list if class' host
exclude list is not exists.
- Client's username must be included in the class'
user include list or default user include list if class' user include
list is not exists.
- Client's password must match with user's password.
- Clien't username must not be included in the
class' user exclude list or default user exclude list if class' user
exclude list is not exists.
String matching is case insensitive. Thus Bungo.Etl.Go.Jp matches
with etl.go.jp. As default, access control is performed for
classes. However, if you need, you can control accesses for
objects, methods or other in your program. See examples/accessControl.
Components of an ACL file:
- ACL Name
-
name is the name of the ACL file. It is used to distinguish ACL file
when another machine donwload the ACL file from this machine.
Hostname list is a space separated list of
hostnames and/or network addresses.
- Host Include List
-
A hostname is either a domain name or a host name. Actually string
matching is performed to compare client's hostname with this name.
If client's hostname ends with this name, the matching succeeds.
For example, bungo.etl.go.jp matches with etl.go.jp in the list.
Note that abcetl.go.jp also matches with etl.go.jp. If
client has the name of bungo instead of bungo.etl.go.jp, it does
not match with etl.go.jp. You can use "localhost" to represent
the local hostname.
Dot separated numbers represent network addresses. Each number
must be in the range 0 to 255.
You can use * character
to represent "any number". For example, 192.31.22.* allows access from
192.31.22.1 to 192.31.22.255. 192.31.22.* is equivalent to 192.31.22.0
internally. Use *.*.*.* or * to represent any
host. ACL does not depends on IP address. That is, you can use
arbitrary length of dot separated byte sequences.
- Host Exclude List
-
A list with a key suffixed by ".host_exclude" is called a host exclude list.
Hosts appear in this list are not allowed to access this class.
- User Include List
-
A list with a key suffiexed by ".user" is called a host include list.
Clien't username must appear in this list to access the class. Use "*" to
represent any user. If client does not give a username, the user is
treated as "anonymous".
- User Exclude List
-
Users that appear in this list are not allowed to access this class.
- User Password
-
Each user appears in the user include list must have password entry.
A password entry is a non-encrypted string. Encryption will be supported
in the future release. If you need an encrypted password, do encryption
in your program. If you don't need password, give "*" as password.
It allows any password.
- Creatable Flag
-
If there exist a line like "className.creatable=false", the class
is not allowed to create remotely. Clients are allowed only to
connect the object. If this flag does not exists, clients can
create objects of the class.
- Default Host Include List
-
If requested class has no host include list in ACL, "default.host" is
checked if it exists. Default host include list is optional.
- Default Host Exclude List
-
If requested class has no host exclude list in ACL, "default.host_exclude" is
checked if it exists. Default host exclude list is optional.
- Default User Include List
-
If requested class has no user include list in ACL, "default.user" is
checked if it exists. Default user include list is optional.
- Default User Exclude List
-
If requested class has no user exclude list in ACL, "default.user_exclude" is
checked if it exists. Default user exclude list is optional.
How to access to ACL, refresh ACL for example:
Local:
ACL acl = HORBServer.getSystemACL();
acl.refresh();
Remote:
HorbURL url = new HorbURL("horb://hostname/SystemACLMaster");
ACL acl = new ACL_Proxy(url);
acl.refresh();
If you want to access the system ACL remotely, set ACLMaster=true in
a configuration file to start the SystemACLMaster object or
call HORBServer.startSystemACLMaster().
-
ACL_NO_PERMISSION
-
-
ACL_NOT_CHANGED
-
-
ACL_NOT_FOUND
-
-
ACL_NOT_REDISTRIBUTABLE
-
-
ACL_OK
-
-
SYSTEM_ACL_MASTER
-
-
checkHost_Local(String, IOCIService)
- check access permission for a host.
-
checkHostUser_Local(String, IOCIService)
- check access permission for host and user.
-
checkUser_Local(String, IOCIService)
- check access permission for a user.
-
getList(String, long, boolean)
- (Internal) get an ACL file.
-
getValue_Local(String)
- return value of the key.
-
refresh()
-
refresh ACL.
-
startACLMaster_Local(String)
- start ACL Master as specified objectID.
-
startRefresher(int)
-
start a autorefresher thread.
-
stopACLMaster_Local()
- stop ACL Master.
-
stopRefresher()
- stop the autorefresher thread
ACL_OK
public final static short ACL_OK
ACL_NOT_CHANGED
public final static short ACL_NOT_CHANGED
ACL_NOT_REDISTRIBUTABLE
public final static short ACL_NOT_REDISTRIBUTABLE
ACL_NOT_FOUND
public final static short ACL_NOT_FOUND
ACL_NO_PERMISSION
public final static short ACL_NO_PERMISSION
SYSTEM_ACL_MASTER
public final static String SYSTEM_ACL_MASTER
checkHostUser_Local
public abstract boolean checkHostUser_Local(String className,
IOCIService ioci)
- check access permission for host and user.
returns true if className.host and className.user matches with the
client bound to ioci.
local method.
- Parameters:
- className - class name or classname+methodname.
- ioci - IOCI of client
- Returns:
- true if the list includes the host and the user, or no ACL
checkHost_Local
public abstract boolean checkHost_Local(String className,
IOCIService ioci)
- check access permission for a host.
returns true if className.host matches with the
client bound to ioci.
local method.
- Parameters:
- className - class name or classname+methodname.
- ioci - IOCI of client
- Returns:
- true if the list includes the host, or no ACL
checkUser_Local
public abstract boolean checkUser_Local(String className,
IOCIService ioci)
- check access permission for a user.
returns true if className.user matches with the
client bound to ioci.
local method.
- Parameters:
- className - class name or classname+methodname.
- ioci - IOCI of client
- Returns:
- true if the list includes the user, or no ACL
getValue_Local
public abstract String getValue_Local(String key)
- return value of the key. only the first item of the value is returned.
For example, there is a line like;
classname.creatable=false true
getValue("classname.creatable") returns "false".
- Returns:
- null if no ACL or the key is not found.
getList
public abstract ACLpair getList(String name,
long lastCheckTime,
boolean force) throws HORBException, IOException
- (Internal) get an ACL file. ACLpair[] is an array of key, value pair.
To access this method, HORB server must have SystemACLMaster
entry in the system ACL.
- Parameters:
- name - ACL name.
- force - if true, returns list even if ACL has not changed since
last download.
- Returns:
- ACLpair object. status contains ACL_* flag. ACL_NOT_CHANGED if
requested ACL has not chaned since last download.
refresh
public abstract void refresh() throws HORBException, IOException
- refresh ACL. Reload ACL files that were modified since last refresh.
startRefresher
public abstract void startRefresher(int refresh) throws HORBException, IOException
- start a autorefresher thread. This thread reloads ACL files.
- Parameters:
- refresh - refresh interval.
stopRefresher
public abstract void stopRefresher() throws HORBException, IOException
- stop the autorefresher thread
startACLMaster_Local
public abstract void startACLMaster_Local(String objectName) throws HORBException, IOException
- start ACL Master as specified objectID. local method.
stopACLMaster_Local
public abstract void stopACLMaster_Local() throws HORBException, IOException
- stop ACL Master. local method.
All Packages Class Hierarchy This Package Previous Next Index