ExperimentalAccessController (ESAPI 2.2.0.0 API)

java.lang.Object
- org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController

All Implemented Interfaces:: AccessController

public class ExperimentalAccessController
extends Object
implements AccessController

Field Summary

Fields
Modifier and Type Field and Description

protected Logger logger

Fields
Modifier and Type	Field and Description
`protected Logger`	`logger`

Constructor Summary

Constructors
Constructor and Description

ExperimentalAccessController()

ExperimentalAccessController(Map ruleMap)

Constructors
Constructor and Description
`ExperimentalAccessController()`
`ExperimentalAccessController(Map ruleMap)`

Method Summary

All Methods Instance Methods Concrete Methods Deprecated Methods
Modifier and Type	Method and Description
`void`	`assertAuthorized(Object key, Object runtimeParameter)` `assertAuthorized` executes the `AccessControlRule` that is identified by `key` and listed in the `resources/ESAPI-AccessControlPolicy.xml` file.
`void`	`assertAuthorizedForData(String action, Object data)` Deprecated.
`void`	`assertAuthorizedForFile(String filepath)` Deprecated.
`void`	`assertAuthorizedForFunction(String functionName)` Deprecated.
`void`	`assertAuthorizedForService(String serviceName)` Deprecated.
`void`	`assertAuthorizedForURL(String url)` Deprecated.
`boolean`	`isAuthorized(Object key, Object runtimeParameter)` `isAuthorized` executes the `AccessControlRule` that is identified by `key` and listed in the `resources/ESAPI-AccessControlPolicy.xml` file.
`boolean`	`isAuthorizedForData(String action, Object data)` Deprecated.
`boolean`	`isAuthorizedForFile(String filepath)` Deprecated.
`boolean`	`isAuthorizedForFunction(String functionName)` Deprecated.
`boolean`	`isAuthorizedForService(String serviceName)` Deprecated.
`boolean`	`isAuthorizedForURL(String url)` Deprecated.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - logger
```
protected final Logger logger
```
- Constructor Detail
  - ExperimentalAccessController
```
public ExperimentalAccessController(Map ruleMap)
```
  - ExperimentalAccessController
```
public ExperimentalAccessController()
                             throws AccessControlException
```
    Throws:
    
    AccessControlException
- Method Detail
  - isAuthorized
```
public boolean isAuthorized(Object key,
                            Object runtimeParameter)
```
    Description copied from interface: AccessController
    
    isAuthorized executes the AccessControlRule that is identified by key and listed in the resources/ESAPI-AccessControlPolicy.xml file. It returns true if the AccessControlRule decides that the operation should be allowed. Otherwise, it returns false. Any exception thrown by the AccessControlRule must result in false. If key does not map to an AccessControlRule, then false is returned. Developers should call isAuthorized to control execution flow. For example, if you want to decide whether to display a UI widget in the browser using the same logic that you will use to enforce permissions on the server, then isAuthorized is the method that you want to use. Typically, assertAuthorized should be used to enforce permissions on the server.
    
    Specified by:
    
    isAuthorized in interface AccessController
    
    Parameters:
    
    key - key maps to <AccessControlPolicy><AccessControlRules> <AccessControlRule name="key"
    
    runtimeParameter - runtimeParameter can contain anything that the AccessControlRule needs from the runtime system.
    
    Returns:
    
    Returns true if and only if the AccessControlRule specified by key exists and returned true. Otherwise returns false
  - assertAuthorized
```
public void assertAuthorized(Object key,
                             Object runtimeParameter)
                      throws AccessControlException
```
    Description copied from interface: AccessController
    
    assertAuthorized executes the AccessControlRule that is identified by key and listed in the resources/ESAPI-AccessControlPolicy.xml file. It does nothing if the AccessControlRule decides that the operation should be allowed. Otherwise, it throws an org.owasp.esapi.errors.AccessControlException. Any exception thrown by the AccessControlRule will also result in an AccesControlException. If key does not map to an AccessControlRule, then an AccessControlException is thrown. Developers should call assertAuthorized to enforce privileged access to the system. It should be used to answer the question: "Should execution continue." Ideally, the call to assertAuthorized should be integrated into the application framework so that it is called automatically.
    
    Specified by:
    
    assertAuthorized in interface AccessController
    
    Parameters:
    
    key - key maps to <AccessControlPolicy><AccessControlRules> <AccessControlRule name="key"
    
    runtimeParameter - runtimeParameter can contain anything that the AccessControlRule needs from the runtime system.
    
    Throws:
    
    AccessControlException
  - assertAuthorizedForData
```
@Deprecated
public void assertAuthorizedForData(String action,
                                                Object data)
                                         throws AccessControlException
```
    Deprecated.
    
    Description copied from interface: AccessController
    Checks if the current user is authorized to access the referenced data. This method simply returns if access is authorized. It throws an AccessControlException if access is not authorized, or if the referenced data does not exist.
    Specification: The implementation should do the following:
    1. Check to see if the resource exists and if not, throw an AccessControlException
    2. Use available information to make an access control decision
    3. If access is not permitted, throw an AccessControlException with details
    Specified by:
    
    assertAuthorizedForData in interface AccessController
    
    Parameters:
    
    action -
    
    data -
    
    Throws:
    
    AccessControlException
    
    See Also:
    
    FileBasedACRs.isAuthorizedForData(java.lang.String, java.lang.Object)
  - assertAuthorizedForFile
```
@Deprecated
public void assertAuthorizedForFile(String filepath)
                                         throws AccessControlException
```
    Deprecated.
    
    Description copied from interface: AccessController
    Checks if the current user is authorized to access the referenced file. The implementation should validate and canonicalize the input to be sure the filepath is not malicious.
    This method throws an AccessControlException if access is not authorized, or if the referenced File does not exist. If the User is authorized, this method simply returns.
    Specification: The implementation should do the following:
    1. Check to see if the File exists and if not, throw an AccessControlException
    2. Use available information to make an access control decision
    3. If access is not permitted, throw an AccessControlException with details
    Specified by:
    
    assertAuthorizedForFile in interface AccessController
    
    Parameters:
    
    filepath -
    
    Throws:
    
    AccessControlException
    
    See Also:
    
    FileBasedACRs.isAuthorizedForFile(java.lang.String)
  - assertAuthorizedForFunction
```
@Deprecated
public void assertAuthorizedForFunction(String functionName)
                                             throws AccessControlException
```
    Deprecated.
    
    Description copied from interface: AccessController
    Checks if the current user is authorized to access the referenced function. The implementation should define the function "namespace" to be enforced. Choosing something simple like the class name of action classes or menu item names will make this implementation easier to use.
    This method throws an AccessControlException if access is not authorized, or if the referenced function does not exist. If the User is authorized, this method simply returns.
    Specification: The implementation should do the following:
    1. Check to see if the function exists and if not, throw an AccessControlException
    2. Use available information to make an access control decision
    3. If access is not permitted, throw an AccessControlException with details
    Specified by:
    
    assertAuthorizedForFunction in interface AccessController
    
    Parameters:
    
    functionName -
    
    Throws:
    
    AccessControlException
    
    See Also:
    
    FileBasedACRs.isAuthorizedForFunction(java.lang.String)
  - assertAuthorizedForService
```
@Deprecated
public void assertAuthorizedForService(String serviceName)
                                            throws AccessControlException
```
    Deprecated.
    
    Description copied from interface: AccessController
    Checks if the current user is authorized to access the referenced service. This can be used in applications that provide access to a variety of backend services.
    This method throws an AccessControlException if access is not authorized, or if the referenced service does not exist. If the User is authorized, this method simply returns.
    Specification: The implementation should do the following:
    1. Check to see if the service exists and if not, throw an AccessControlException
    2. Use available information to make an access control decision
    3. If access is not permitted, throw an AccessControlException with details
    Specified by:
    
    assertAuthorizedForService in interface AccessController
    
    Parameters:
    
    serviceName -
    
    Throws:
    
    AccessControlException
    
    See Also:
    
    FileBasedACRs.isAuthorizedForService(java.lang.String)
  - assertAuthorizedForURL
```
@Deprecated
public void assertAuthorizedForURL(String url)
                                        throws AccessControlException
```
    Deprecated.
    
    Description copied from interface: AccessController
    Checks if the current user is authorized to access the referenced URL. The implementation should allow access to be granted to any part of the URL. Generally, this method should be invoked in the application's controller or a filter as follows:
```
ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI().toString());
```
    This method throws an AccessControlException if access is not authorized, or if the referenced URL does not exist. If the User is authorized, this method simply returns.
    Specification: The implementation should do the following:
    1. Check to see if the resource exists and if not, throw an AccessControlException
    2. Use available information to make an access control decision
    3. If access is not permitted, throw an AccessControlException with details
    Specified by:
    
    assertAuthorizedForURL in interface AccessController
    
    Parameters:
    
    url -
    
    Throws:
    
    AccessControlException
    
    See Also:
    
    FileBasedACRs.isAuthorizedForURL(java.lang.String)
  - isAuthorizedForData
```
@Deprecated
public boolean isAuthorizedForData(String action,
                                               Object data)
```
    Deprecated.
    
    Description copied from interface: AccessController
    
    Checks if the current user is authorized to access the referenced data, represented as an Object. The implementation of this method should call assertAuthorizedForData(String action, Object data), and if an AccessControlException is not thrown, this method should return true.
    
    Specified by:
    
    isAuthorizedForData in interface AccessController
    
    Parameters:
    
    action -
    
    data -
    
    Returns:
    
    true if access is permitted; false otherwise.
    
    See Also:
    
    FileBasedACRs.isAuthorizedForData(java.lang.String, java.lang.Object)
  - isAuthorizedForFile
```
@Deprecated
public boolean isAuthorizedForFile(String filepath)
```
    Deprecated.
    
    Description copied from interface: AccessController
    
    Checks if the current user is authorized to access the referenced file. The implementation of this method should call assertAuthorizedForFile(String filepath), and if an AccessControlException is not thrown, this method should return true.
    
    Specified by:
    
    isAuthorizedForFile in interface AccessController
    
    Parameters:
    
    filepath -
    
    Returns:
    
    true if access is permitted; false otherwise.
    
    See Also:
    
    FileBasedACRs.isAuthorizedForFile(java.lang.String)
  - isAuthorizedForFunction
```
@Deprecated
public boolean isAuthorizedForFunction(String functionName)
```
    Deprecated.
    
    Description copied from interface: AccessController
    
    Checks if the current user is authorized to access the referenced function. The implementation of this method should call assertAuthorizedForFunction(String functionName), and if an AccessControlException is not thrown, this method should return true.
    
    Specified by:
    
    isAuthorizedForFunction in interface AccessController
    
    Parameters:
    
    functionName -
    
    Returns:
    
    true if access is permitted; false otherwise.
    
    See Also:
    
    FileBasedACRs.isAuthorizedForFunction(java.lang.String)
  - isAuthorizedForService
```
@Deprecated
public boolean isAuthorizedForService(String serviceName)
```
    Deprecated.
    
    Description copied from interface: AccessController
    
    Checks if the current user is authorized to access the referenced service. This can be used in applications that provide access to a variety of back end services. The implementation of this method should call assertAuthorizedForService(String serviceName), and if an AccessControlException is not thrown, this method should return true.
    
    Specified by:
    
    isAuthorizedForService in interface AccessController
    
    Parameters:
    
    serviceName -
    
    Returns:
    
    true if access is permitted; false otherwise.
    
    See Also:
    
    FileBasedACRs.isAuthorizedForService(java.lang.String)
  - isAuthorizedForURL
```
@Deprecated
public boolean isAuthorizedForURL(String url)
```
    Deprecated.
    
    Description copied from interface: AccessController
    Checks if the current user is authorized to access the referenced URL. Generally, this method should be invoked in the application's controller or a filter as follows:
```
ESAPI.accessController().isAuthorizedForURL(request.getRequestURI().toString());
```
    The implementation of this method should call assertAuthorizedForURL(String url), and if an AccessControlException is not thrown, this method should return true. This way, if the user is not authorized, false would be returned, and the exception would be logged.
    Specified by:
    
    isAuthorizedForURL in interface AccessController
    
    Parameters:
    
    url -
    
    Returns:
    
    true if access is permitted; false otherwise.
    
    See Also:
    
    FileBasedACRs.isAuthorizedForURL(java.lang.String)

Class ExperimentalAccessController

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

logger

Constructor Detail

ExperimentalAccessController

ExperimentalAccessController

Method Detail

isAuthorized

assertAuthorized

assertAuthorizedForData

assertAuthorizedForFile

assertAuthorizedForFunction

assertAuthorizedForService

assertAuthorizedForURL

isAuthorizedForData

isAuthorizedForFile

isAuthorizedForFunction

isAuthorizedForService

isAuthorizedForURL