org.owasp.esapi
Class AccessController

java.lang.Object
  extended by org.owasp.esapi.AccessController
All Implemented Interfaces:
IAccessController

public class AccessController
extends java.lang.Object
implements IAccessController

Reference implementation of the IAccessController interface. This reference implementation uses a simple model for specifying a set of access control rules. Many organizations will want to create their own implementation of the methods provided in the IAccessController interface.

This reference implementation uses a simple scheme for specifying the rules. The first step is to create a namespace for the resources being accessed. For files and URLs this is easy, as they already have a namespace. Be extremely careful to canonicalize any user-supplied information before relying on it in an access control decision.

For functions, data, and services, you will have to come up with your own namespace for the resources being accessed. You might simply define a flat namespace with a list of category names. For example, you might specify 'FunctionA', 'FunctionB', and 'FunctionC'. Or you can create a richer namespace with a hierarchical structure, such as:

/functions
/admin

Once you've defined your namespace, you have to work out the rules that govern access to the different parts of the namespace. This implementation allows you to attach a simple access control list (ACL) to any part of the namespace tree. The ACL lists a set of roles that are either allowed or denied access to a part of the tree. You specify these rules in a text file with a simple format.

There is a single configuration file supporting each of the five methods in the IAccessController interface. These files are located in the ESAPI resources directory as specified when the JVM was started. The use of a default deny rule is STRONGLY recommended. The file format is as follows:

 path          | role,role   | allow/deny | comment
 ------------------------------------------------------------------------------------
 /banking/*    | user,admin  | allow      | authenticated users can access /banking
 /admin        | admin       | allow      | only admin role can access /admin
 /             | any         | deny       | default deny rule
 
To find the matching rules, this implementation follows the general approach used in Java EE when matching HTTP requests to servlets in web.xml. The four mapping rules are used in the following order:
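As an added illustration (not ESAPI's own code), the following parses the rule format shown above and evaluates a request against it in servlet-mapping order, which is assumed here to be: exact path, then the longest "/prefix/*" match, then the single "/" default rule. It canonicalizes the path with java.net.URI.normalize() before lookup and denies unless the selected rule allows a role the caller holds; the class, method names and the sample rules are hypothetical, and records require Java 16 or later.

```java
import java.net.URI;
import java.util.*;

public class AclDemo {
    // One parsed line of the rule file: path | role,role | allow/deny | comment
    record Rule(String path, Set<String> roles, boolean allow) {}
    // Parse the pipe-delimited format; header, separator and blank lines have no leading "/" and are skipped.
    static List<Rule> parse(String text) {
        List<Rule> rules = new ArrayList<>();
        for (String line : text.split("\n")) {
            String[] f = line.split("\\|");
            if (f.length < 3 || !f[0].trim().startsWith("/")) continue;
            Set<String> roles = new HashSet<>(Arrays.asList(f[1].trim().split("\\s*,\\s*")));
            rules.add(new Rule(f[0].trim(), roles, f[2].trim().equalsIgnoreCase("allow")));
        }
        return rules;
    }
    // Assumed servlet-style selection: exact path, then longest "/prefix/*", then the "/" default; null if none.
    static Rule select(List<Rule> rules, String path) {
        Rule best = null;
        for (Rule r : rules) {
            if (r.path().equals(path)) return r;
            if (r.path().endsWith("/*") && (path + "/").startsWith(r.path().substring(0, r.path().length() - 1))
                    && (best == null || r.path().length() > best.path().length())) best = r;
        }
        for (Rule r : rules) if (best == null && r.path().equals("/")) best = r;
        return best;
    }
    // Canonicalize first (the class comment warns about this); deny unless the selected rule allows the caller.
    static boolean isAuthorized(List<Rule> rules, String url, Set<String> userRoles) {
        String path;
        try { path = URI.create(url).normalize().getPath(); } catch (IllegalArgumentException e) { return false; }
        Rule r = path == null ? null : select(rules, path);   // opaque URIs carry no path: no rule, so deny
        return r != null && r.allow() && (r.roles().contains("any") || !Collections.disjoint(r.roles(), userRoles));
    }
    public static void main(String[] args) {
        // Constructed sample file in the documented format (the page's own three rules)
        String file = "path | role,role | allow/deny | comment\n"
                + "----------------------------------------\n"
                + "/banking/* | user,admin | allow | authenticated users can access /banking\n"
                + "/admin     | admin      | allow | only admin role can access /admin\n"
                + "/          | any        | deny  | default deny rule\n";
        List<Rule> rules = parse(file);
        System.out.println(isAuthorized(rules, "/banking/transfer", Set.of("user")));  // user inside /banking/*
        System.out.println(isAuthorized(rules, "/admin", Set.of("user")));             // user at the admin path
        System.out.println(isAuthorized(rules, "/banking/../admin", Set.of("user")));  // ".." collapsed before lookup
        System.out.println(isAuthorized(rules, "/reports", Set.of("admin")));          // no specific rule: "/" default
    }
}
```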

Since:
June 1, 2007
Author:
Jeff Williams (jeff.williams@aspectsecurity.com)
See Also:
IAccessController

Constructor Summary
AccessController()

Method Summary
 void assertAuthorizedForData(java.lang.String key)
 void assertAuthorizedForFile(java.lang.String filepath)
 void assertAuthorizedForFunction(java.lang.String functionName)
 void assertAuthorizedForService(java.lang.String serviceName)
 void assertAuthorizedForURL(java.lang.String url)
 boolean isAuthorizedForData(java.lang.String key)
           Checks if an account is authorized to access the referenced data.
 boolean isAuthorizedForFile(java.lang.String filepath)
           Checks if an account is authorized to access the referenced file.
 boolean isAuthorizedForFunction(java.lang.String functionName)
           Checks if an account is authorized to access the referenced function.
 boolean isAuthorizedForService(java.lang.String serviceName)
           Checks if an account is authorized to access the referenced service.
 boolean isAuthorizedForURL(java.lang.String url)
           Checks if an account is authorized to access the referenced URL.

Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AccessController

public AccessController()
Method Detail

isAuthorizedForURL

public boolean isAuthorizedForURL(java.lang.String url)
Description copied from interface: IAccessController
Checks if an account is authorized to access the referenced URL. The implementation should allow access to be granted to any part of the URI. Generally, this method should be invoked in the application's controller or a filter as follows:
ESAPI.accessController().isAuthorizedForURL(request.getRequestURI().toString());

Specified by:
isAuthorizedForURL in interface IAccessController
Returns:
true if the account is authorized for the URL

isAuthorizedForFunction

public boolean isAuthorizedForFunction(java.lang.String functionName)
Description copied from interface: IAccessController
Checks if an account is authorized to access the referenced function. The implementation should define the function "namespace" to be enforced. Choosing something simple like the classname of action classes or menu item names will make this implementation easier to use.

Specified by:
isAuthorizedForFunction in interface IAccessController
Parameters:
functionName - the function name
Returns:
true if the account is authorized for the function

isAuthorizedForData

public boolean isAuthorizedForData(java.lang.String key)
Description copied from interface: IAccessController
Checks if an account is authorized to access the referenced data. The implementation should define the data "namespace" to be enforced.

Specified by:
isAuthorizedForData in interface IAccessController
Parameters:
key - the key
Returns:
true if the account is authorized for the data

isAuthorizedForFile

public boolean isAuthorizedForFile(java.lang.String filepath)
Description copied from interface: IAccessController
Checks if an account is authorized to access the referenced file. The implementation should be extremely careful about canonicalization.

Specified by:
isAuthorizedForFile in interface IAccessController
Parameters:
filepath - the filepath
Returns:
true if the account is authorized for the file

isAuthorizedForService

public boolean isAuthorizedForService(java.lang.String serviceName)
Description copied from interface: IAccessController
Checks if an account is authorized to access the referenced service. This can be used in applications that provide access to a variety of backend services.

Specified by:
isAuthorizedForService in interface IAccessController
Parameters:
serviceName - the service name
Returns:
true if the account is authorized for the service

assertAuthorizedForURL

public void assertAuthorizedForURL(java.lang.String url)
                            throws AccessControlException
Specified by:
assertAuthorizedForURL in interface IAccessController
Throws:
AccessControlException

assertAuthorizedForFunction

public void assertAuthorizedForFunction(java.lang.String functionName)
                                 throws AccessControlException
Specified by:
assertAuthorizedForFunction in interface IAccessController
Throws:
AccessControlException

assertAuthorizedForData

public void assertAuthorizedForData(java.lang.String key)
                             throws AccessControlException
Specified by:
assertAuthorizedForData in interface IAccessController
Throws:
AccessControlException

assertAuthorizedForFile

public void assertAuthorizedForFile(java.lang.String filepath)
                             throws AccessControlException
Specified by:
assertAuthorizedForFile in interface IAccessController
Throws:
AccessControlException

assertAuthorizedForService

public void assertAuthorizedForService(java.lang.String serviceName)
                                throws AccessControlException
Specified by:
assertAuthorizedForService in interface IAccessController
Throws:
AccessControlException