MBeanServerFileAccessController

public class MBeanServerFileAccessController extends MBeanServerAccessController

An object of this class implements the MBeanServerAccessController interface and, for each of its methods, calls an appropriate checking method and then forwards the request to a wrapped MBeanServer object. The checking method may throw a SecurityException if the operation is not allowed; in this case the request is not forwarded to the wrapped object.

This class implements the {@link #checkRead()} and {@link #checkWrite()} methods based on an access level properties file containing username/access level pairs. The set of username/access level pairs is passed either as a filename which denotes a properties file on disk, or directly as an instance of the {@link Properties} class. In both cases, the name of each property represents a username, and the value of the property is the associated access level. Thus, any given username either does not exist in the properties or has exactly one access level. The same access level can be shared by several usernames.

The supported access level values are readonly and readwrite.
Fields Summary

public static final String READONLY (the readonly access level)
public static final String READWRITE (the readwrite access level)
private Properties props (the copy of the entries that is consulted on every check)
private Properties originalProps (the Properties instance supplied to the constructor, if any)
private String accessFileName (the properties file supplied to the constructor, if any)
Constructors Summary

public MBeanServerFileAccessController(String accessFileName) throws IOException

Create a new MBeanServerAccessController that forwards all the MBeanServer requests to the MBeanServer set by invoking the {@link #setMBeanServer} method after doing access checks based on read and write permissions. This instance is initialized from the specified properties file.

```java
public MBeanServerFileAccessController(String accessFileName)
        throws IOException {
    super();
    this.accessFileName = accessFileName;
    // Read the username/access level pairs from disk and reject any
    // value that is not exactly readonly or readwrite.
    props = propertiesFromFile(accessFileName);
    checkValues(props);
}
```

public MBeanServerFileAccessController(String accessFileName, MBeanServer mbs) throws IOException

Create a new MBeanServerAccessController that forwards all the MBeanServer requests to mbs after doing access checks based on read and write permissions. This instance is initialized from the specified properties file.

```java
public MBeanServerFileAccessController(String accessFileName,
                                       MBeanServer mbs)
        throws IOException {
    this(accessFileName);
    setMBeanServer(mbs);
}
```

public MBeanServerFileAccessController(Properties accessFileProps)

Create a new MBeanServerAccessController that forwards all the MBeanServer requests to the MBeanServer set by invoking the {@link #setMBeanServer} method after doing access checks based on read and write permissions. This instance is initialized from the specified properties instance.

This constructor makes a copy of the properties instance using its clone method and it is the copy that is consulted to check the username and access level of an incoming connection. The original properties object can be modified without affecting the copy. If the {@link #refresh} method is then called, the MBeanServerFileAccessController will make a new copy of the properties object at that time.

```java
public MBeanServerFileAccessController(Properties accessFileProps) {
    super();
    if (accessFileProps == null)
        throw new IllegalArgumentException("Null properties");
    // Keep the caller's instance for refresh(), but check against a
    // private copy so later edits to the original are not seen
    // until refresh() is called.
    originalProps = accessFileProps;
    props = (Properties) accessFileProps.clone();
    checkValues(props);
}
```

public MBeanServerFileAccessController(Properties accessFileProps, MBeanServer mbs)

Create a new MBeanServerAccessController that forwards all the MBeanServer requests to the MBeanServer set by invoking the {@link #setMBeanServer} method after doing access checks based on read and write permissions. This instance is initialized from the specified properties instance.

This constructor makes a copy of the properties instance using its clone method and it is the copy that is consulted to check the username and access level of an incoming connection. The original properties object can be modified without affecting the copy. If the {@link #refresh} method is then called, the MBeanServerFileAccessController will make a new copy of the properties object at that time.

```java
public MBeanServerFileAccessController(Properties accessFileProps,
                                       MBeanServer mbs) {
    this(accessFileProps);
    setMBeanServer(mbs);
}
```
Methods Summary

private void checkAccessLevel(String accessLevel)

Look up the JAAS Subject of the caller and grant the requested level if any of its principals has a matching entry; otherwise throw SecurityException. Note that if no Subject is associated with the calling context (security has not been enabled), the method returns without consulting the entries at all, so the file-based check only restricts authenticated callers.

```java
private void checkAccessLevel(String accessLevel) {
    // Fetch the caller's Subject under doPrivileged so that the lookup
    // itself does not depend on the permissions of the calling code.
    final AccessControlContext acc = AccessController.getContext();
    final Subject s = (Subject)
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                return Subject.getSubject(acc);
            }
        });
    if (s == null) return; /* security has not been enabled */
    final Set principals = s.getPrincipals();
    for (Iterator i = principals.iterator(); i.hasNext(); ) {
        final Principal p = (Principal) i.next();
        String grantedAccessLevel;
        synchronized (props) {
            grantedAccessLevel = props.getProperty(p.getName());
        }
        if (grantedAccessLevel != null) {
            // A readonly request is satisfied by either level;
            // a readwrite request only by a readwrite entry.
            if (accessLevel.equals(READONLY) &&
                (grantedAccessLevel.equals(READONLY) ||
                 grantedAccessLevel.equals(READWRITE)))
                return;
            if (accessLevel.equals(READWRITE) &&
                grantedAccessLevel.equals(READWRITE))
                return;
        }
    }
    throw new SecurityException("Access denied! Invalid access level for " +
                                "requested MBeanServer operation.");
}
```
public void checkRead()

Check if the caller can do read operations. This method does nothing if so, otherwise throws SecurityException.

```java
public void checkRead() {
    checkAccessLevel(READONLY);
}
```

private void checkValues(Properties props)

Reject any entry whose value is not exactly readonly or readwrite.

```java
private void checkValues(Properties props) {
    Collection c = props.values();
    for (Iterator i = c.iterator(); i.hasNext(); ) {
        final String accessLevel = (String) i.next();
        if (!accessLevel.equals(READONLY) &&
            !accessLevel.equals(READWRITE)) {
            throw new IllegalArgumentException(
                "Syntax error in access level entry [" + accessLevel + "]");
        }
    }
}
```

public void checkWrite()

Check if the caller can do write operations. This method does nothing if so, otherwise throws SecurityException.

```java
public void checkWrite() {
    checkAccessLevel(READWRITE);
}
```
private static Properties propertiesFromFile(String fname) throws IOException

Load the username/access level pairs from the named properties file.

```java
private static Properties propertiesFromFile(String fname)
        throws IOException {
    FileInputStream fin = new FileInputStream(fname);
    try {
        Properties p = new Properties();
        p.load(fin);
        return p;
    } finally {
        // Close the file even if load() fails part-way through.
        fin.close();
    }
}
```
public void refresh() throws IOException

Refresh the set of username/access level entries.

If this instance was created using the {@link #MBeanServerFileAccessController(String)} or {@link #MBeanServerFileAccessController(String,MBeanServer)} constructors to specify a file from which the entries are read, the file is re-read.

If this instance was created using the {@link #MBeanServerFileAccessController(Properties)} or {@link #MBeanServerFileAccessController(Properties,MBeanServer)} constructors then a new copy of the Properties object is made.

```java
public void refresh() throws IOException {
    synchronized (props) {
        if (accessFileName == null)
            // Properties-based instance: take a fresh snapshot of the
            // original object, picking up any edits made since the last copy.
            props = (Properties) originalProps.clone();
        else
            // File-based instance: re-read the file from disk.
            props = propertiesFromFile(accessFileName);
        checkValues(props);
    }
}
```
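The decision rule applied by checkAccessLevel (a readonly entry satisfies checkRead, only a readwrite entry satisfies checkWrite, an unknown username grants nothing), the value validation done by checkValues, and the copy-until-refresh behaviour of the Properties constructors, shown together as an added stand-alone example. This is not the JDK's code: the class name AccessLevelDemo, the sample entries, and the use of plain principal-name strings in place of a JAAS Subject are assumptions made for the demo so that it runs without com.sun.jmx.remote.security.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.List;
import java.util.Properties;

// Added example (not the JDK's code): a model of the checks performed by
// MBeanServerFileAccessController, with principal names supplied as strings
// instead of being read from a Subject.
public class AccessLevelDemo {
    static final String READONLY = "readonly";
    static final String READWRITE = "readwrite";

    // Same rule as checkValues(): every value must be exactly one of the two levels.
    static void checkValues(Properties props) {
        for (Object v : props.values()) {
            String level = (String) v;
            if (!level.equals(READONLY) && !level.equals(READWRITE)) {
                throw new IllegalArgumentException(
                    "Syntax error in access level entry [" + level + "]");
            }
        }
    }

    // Same rule as checkAccessLevel(): granted if any principal has an entry
    // covering the requested level, otherwise denied.
    static boolean isAllowed(Properties props, List<String> principals, String requested) {
        for (String name : principals) {
            String granted;
            synchronized (props) {
                granted = props.getProperty(name);
            }
            if (granted == null) continue;   // no entry for this principal
            if (requested.equals(READONLY)
                    && (granted.equals(READONLY) || granted.equals(READWRITE))) return true;
            if (requested.equals(READWRITE) && granted.equals(READWRITE)) return true;
        }
        return false;
    }

    // Parse access-file text with the same Properties parser the controller uses,
    // then validate the levels before they can be consulted.
    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        checkValues(p);
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample access file (same username=level format as jmxremote.access).
        Properties original = load(
            "monitorRole = readonly\n" +
            "controlRole = readwrite\n");

        // The Properties constructors check a clone, not the caller's instance.
        Properties snapshot = (Properties) original.clone();

        System.out.println("monitorRole read:  " + isAllowed(snapshot, List.of("monitorRole"), READONLY));
        System.out.println("monitorRole write: " + isAllowed(snapshot, List.of("monitorRole"), READWRITE));
        System.out.println("controlRole write: " + isAllowed(snapshot, List.of("controlRole"), READWRITE));
        System.out.println("guest read:        " + isAllowed(snapshot, List.of("guest"), READONLY));

        // Editing the original does not affect the snapshot until it is re-cloned,
        // which is what refresh() does for a Properties-based instance.
        original.setProperty("monitorRole", READWRITE);
        System.out.println("monitorRole write before refresh: "
            + isAllowed(snapshot, List.of("monitorRole"), READWRITE));
        snapshot = (Properties) original.clone();
        checkValues(snapshot);
        System.out.println("monitorRole write after refresh:  "
            + isAllowed(snapshot, List.of("monitorRole"), READWRITE));

        // A misspelled level is rejected at load time rather than treated as a grant.
        try {
            load("auditor = read-only\n");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java (Java 9 or later for List.of). The one behaviour the model deliberately leaves out is the early return in checkAccessLevel when no Subject is present: in the real class the entries are only consulted for authenticated callers, so an access file on its own does not restrict a connector that has no authentication configured.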