nbi.xmlsec.biocase.protocol.filter
Class RBACFilter

java.lang.Object
  extended by org.xml.sax.helpers.XMLFilterImpl
      extended by nbi.xmlsec.biocase.protocol.filter.ProtocolFilter
          extended by nbi.xmlsec.biocase.protocol.filter.RBACFilter
All Implemented Interfaces:
ContentHandler, DTDHandler, EntityResolver, ErrorHandler, XMLFilter, XMLReader

public class RBACFilter
extends ProtocolFilter

The class RBACFilter removes tree elements and attributes from the SAX stream according to XACML-RBAC policies.

The filter acts on incoming SAX events and delivers these (modified) events to its defined ContentHandler. It uses the RBACPDP, which must be given as RBACFilterParameter via setFilterParameter(Object), to decide whether to grant access based on a given roleset, action and resource. The resource is built from the formatURI and the path to the current element. When access is refused for a given element, the complete element is removed from the stream recursively, including all subelements and character events. When access is refused for an element attribute, only that single attribute is removed.

Since:
Version:
$Revision: 1.25 $
Author:
Lutz Suhrbier

Field Summary
private  Stack deny
          Stack storing the evaluated access conditions for each XML element
(package private) static Logger logger
           
private  Set signElements
          Set of element paths evaluated for signing
(package private) static int trackMode
          Track mode for the filter stack
 
Fields inherited from class nbi.xmlsec.biocase.protocol.filter.ProtocolFilter
elementStack, filterMode, FILTERMODE_FILTER, FILTERMODE_NONE, FILTERMODE_PARSER, filterRoot, PROT_URI_13, PROT_URI_20
 
Fields inherited from class org.xml.sax.helpers.XMLFilterImpl
 
Constructor Summary
RBACFilter(String protocolURI, String filterRoot, int filterMode)
          Inits the filter instance.
RBACFilter(XMLReader parent, String protocolURI, String filterRoot, int filterMode)
          Inits the filter instance with specified parent.
 
Method Summary
protected  nbi.xml.sax.SAXElement evaluateAttributes(nbi.xml.sax.SAXElement element)
          Evaluates the attributes of the given element with the PDP.
protected  nbi.xml.sax.SAXElement evaluateElement(nbi.xml.sax.SAXElement element)
          Evaluates the given element with the PDP.
protected  nbi.xml.sax.SAXElement filterCharacters(nbi.xml.sax.SAXElement element)
          Prevents further processing of the character event, if the element was denied before.
protected  nbi.xml.sax.SAXElement filterElement(nbi.xml.sax.SAXElement element)
          Evaluates the current element and removes it or some of its attributes before it is passed on.
protected  RBACFilterParameter getParameter()
          Gets the parameter of this filter.
 Set getSignElements()
          Gets the set of element paths evaluated for signing.
private  void initSubFilter()
          Registers subfilters for subelements.
protected  nbi.xml.sax.SAXElement parseElement(nbi.xml.sax.SAXElement element)
          Cleans up the deny stack when the endElement event for the element is received.
 
Methods inherited from class nbi.xmlsec.biocase.protocol.filter.ProtocolFilter
characters, checkFilterParameter, endElement, getFilterMode, getFilterParameter, getProtocolURI, isParsingComplete, parseComplete, parseInit, registerSubFilter, setFilterParameter, setProtocolURI, startElement, unregisterSubFilter
 
Methods inherited from class org.xml.sax.helpers.XMLFilterImpl
endDocument, endPrefixMapping, error, fatalError, getContentHandler, getDTDHandler, getEntityResolver, getErrorHandler, getFeature, getParent, getProperty, ignorableWhitespace, notationDecl, parse, parse, processingInstruction, resolveEntity, setContentHandler, setDocumentLocator, setDTDHandler, setEntityResolver, setErrorHandler, setFeature, setParent, setProperty, skippedEntity, startDocument, startPrefixMapping, unparsedEntityDecl, warning
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

static Logger logger

deny

private Stack deny
Stack storing the evaluated access conditions for each XML element


signElements

private Set signElements
Set of element paths evaluated for signing


trackMode

static final int trackMode
Track mode for the filter stack

See Also:
Constant Field Values
Constructor Detail

RBACFilter

public RBACFilter(String protocolURI,
                  String filterRoot,
                  int filterMode)
Inits the filter instance.

Parameters:
protocolURI - protocol version URI of this filter.
filterRoot - Root element for this filter.
filterMode - filterMode of this filter ProtocolFilter.filterMode.

RBACFilter

public RBACFilter(XMLReader parent,
                  String protocolURI,
                  String filterRoot,
                  int filterMode)
Inits the filter instance with specified parent.

Parameters:
parent - parent reader.
protocolURI - protocol version URI of this filter.
filterRoot - Root element for this filter.
filterMode - filterMode of this filter ProtocolFilter.filterMode.
Method Detail

initSubFilter

private void initSubFilter()
Registers subfilters for subelements.


evaluateAttributes

protected nbi.xml.sax.SAXElement evaluateAttributes(nbi.xml.sax.SAXElement element)
Evaluates the attributes of the given element with the PDP. For each attribute, the PDP resource argument is the concatenation of the current element's URI, the elementPath, "@" as delimiter and the attribute's local name. Denied attributes are removed from the SAX stream.

Parameters:
element - element containing the attributes to evaluate.
Returns:
element with possibly removed attributes.

evaluateElement

protected nbi.xml.sax.SAXElement evaluateElement(nbi.xml.sax.SAXElement element)
Evaluates the given element with the PDP. The current element is evaluated. If it is permitted, then the element's attributes are evaluated. Denied attributes are removed from the element. The attribute list may be empty! All permitted elements are added to the list of signable elements and may be retrieved using getSignElements() when parsing is complete.

Returns:
null if the element was denied; otherwise the element, possibly with attributes removed.

filterElement

protected nbi.xml.sax.SAXElement filterElement(nbi.xml.sax.SAXElement element)
                                        throws SAXException
Evaluates the current element and removes it or some of its attributes before it is passed on.

Overrides:
filterElement in class ProtocolFilter
Parameters:
element - The element corresponding to the startElement event.
Returns:
The (modified) element or null when element shall be removed.
Throws:
SAXException - If any parsing error occurs.
See Also:
ProtocolFilter.filterElement(SAXElement)

parseElement

protected nbi.xml.sax.SAXElement parseElement(nbi.xml.sax.SAXElement element)
                                       throws SAXException
Cleans up the deny stack when the endElement event for the element is received. Prevents further processing of the endElement event when the element was denied before.

Overrides:
parseElement in class ProtocolFilter
Parameters:
element - The element corresponding to the endElement event.
Returns:
The (modified) element or null when element shall be removed.
Throws:
SAXException - If any parsing error occurs.
See Also:
ProtocolFilter.parseElement(SAXElement)

filterCharacters

protected nbi.xml.sax.SAXElement filterCharacters(nbi.xml.sax.SAXElement element)
                                           throws SAXException
Prevents further processing of the character event, if the element was denied before.

Overrides:
filterCharacters in class ProtocolFilter
Parameters:
element - The element corresponding to the startElement event.
Returns:
The (modified) element or null when element shall be removed.
Throws:
SAXException - If any parsing error occurs.
See Also:
ProtocolFilter.filterCharacters(SAXElement)

getParameter

protected RBACFilterParameter getParameter()
Gets the parameter of this filter.

Returns:
filter parameter.

getSignElements

public Set getSignElements()
Gets the set of element paths evaluated for signing.

Returns:
The set of element paths evaluated for signing.
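
The deny-stack behaviour described in the class description and in the filterElement, filterCharacters and parseElement details, shown as an added example; it is not the project's RBACFilter code. It assumes a plain XMLFilterImpl in place of ProtocolFilter and SAXElement, a hypothetical Predicate standing in for the RBACPDP, a "/"-joined element path as the resource string, and a constructed format URI, sample document and policy (deny the locality element and the owner attribute).

```java
import java.io.*;
import java.util.*;
import java.util.function.Predicate;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.*;
import org.xml.sax.helpers.*;

// Added illustration: class name, resource format and policy are assumptions, not the project's API.
public class DenyStackFilterDemo extends XMLFilterImpl {
    private final Deque<Boolean> deny = new ArrayDeque<>(); // one access decision per open element
    private final Deque<String> path = new ArrayDeque<>();  // local names of the open elements
    private final String formatURI;
    private final Predicate<String> permit;                 // hypothetical stand-in for the PDP
    DenyStackFilterDemo(String formatURI, Predicate<String> permit) { this.formatURI = formatURI; this.permit = permit; }
    private String resource() { return formatURI + "/" + String.join("/", path); }
    @Override public void startElement(String uri, String ln, String qn, Attributes atts) throws SAXException {
        path.addLast(ln);
        // A denied ancestor denies the whole subtree; the PDP is not asked again below it.
        boolean denied = (!deny.isEmpty() && deny.peek()) || !permit.test(resource());
        deny.push(denied);
        if (denied) return;                                 // drop the startElement event
        AttributesImpl kept = new AttributesImpl();
        for (int i = 0; i < atts.getLength(); i++)          // attribute resource: path + "@" + local name
            if (permit.test(resource() + "@" + atts.getLocalName(i)))
                kept.addAttribute(atts.getURI(i), atts.getLocalName(i), atts.getQName(i), atts.getType(i), atts.getValue(i));
        super.startElement(uri, ln, qn, kept);
    }
    @Override public void characters(char[] ch, int start, int len) throws SAXException {
        if (deny.isEmpty() || !deny.peek()) super.characters(ch, start, len); // text of denied elements is dropped
    }
    @Override public void endElement(String uri, String ln, String qn) throws SAXException {
        path.removeLast();
        if (!deny.pop()) super.endElement(uri, ln, qn);     // clean up the stack, forward only permitted ends
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample document.
        String xml = "<unit id='7' owner='alice'><name>Quercus</name><locality><gps>52.45,13.29</gps></locality></unit>";
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);                          // needed so getLocalName() is populated
        DenyStackFilterDemo filter = new DenyStackFilterDemo("urn:example:format",
            r -> !r.endsWith("/locality") && !r.endsWith("@owner")); // constructed policy
        filter.setParent(f.newSAXParser().getXMLReader());
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new SAXSource(filter, new InputSource(new StringReader(xml))), new StreamResult(out));
        System.out.println(out);                            // serialized, filtered document
    }
}
```

Because the decision for a denied element is pushed before returning, nested start, character and end events under it are suppressed without further policy evaluation, and the stack stays balanced with the element nesting.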


Copyright © 2006 Lutz Suhrbier, Freie Universität Berlin. All Rights Reserved.