class PolicyAuthorizer

A PolicyAuthorizer evaluates the UseCondition certificates and generates a Capability if at least one UseCondition certificate has been satisfied or partially satisfied and no UseCondition certificate with the enable flag set is unsatisfied.

Public Methods

o PolicyAuthorizer (AKRuntime* akRuntime)
  Constructs this object.
o ~PolicyAuthorizer ()
  Destroys this object.
o bool authorize ()
  Determines the allowable actions.
o const AkentiMessage& getAkentiMessage () const


Inherited from LogInterface:

Public Methods

o void iLog(int level, const string& key, const string& mesg = "") const
o void bLog(int level, const string& key, const string& mesg = "") const
o void sLog(int level, const string& key, const string& mesg = "") const
o void fLog(int level, const string& key, const string& mesg = "") const


Documentation

A PolicyAuthorizer evaluates the UseCondition certificates and generates a Capability if at least one UseCondition certificate has been satisfied or partially satisfied and no UseCondition certificate with the enable flag set is unsatisfied.

o PolicyAuthorizer(AKRuntime* akRuntime)
Constructs this object.

o ~PolicyAuthorizer()
Destroys this object.

o bool authorize()
Determines the allowable actions.
    Algorithm to determine these actions:

      For each policy:
        Evaluate the UseCondition certificates.
          For each UseCondition:
            If a UseCondition certificate evaluates to false
              and enable is true, access is denied.
            If a UseCondition certificate evaluates to true,
              we just add the actions specified by that UseCondition.
            Otherwise we do nothing.

    Algorithm to evaluate a UseCondition:

      The boolean expression specified in the UseCondition
      is evaluated using short-circuit evaluation. Therefore not
      all attribute/value pairs are considered.
      For each attribute/value pair, we have two cases:
        a) X509:
           First we check if the CA of the AkentiPrincipal
           is one of the CAs that can attest to this attribute/value pair.
           Second we check if the DistinguishedName contains the
           attribute/value pair.
        b) GENERIC:
           This involves using attribute certificates.
           The collection of attribute certificates is essentially the
           same as the collection of X509 identity certificates. See
           CertificateVerifier. The verification has an additional test
           which makes sure that the issuer of the attribute certificate
           is one of the issuers for this attribute/value pair.
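
Added example, not taken from the Akenti source: a compact C++ sketch of the decision rule above, covering only the X509 case and modelling the boolean expression as an OR of AND-groups. All type and function names (AttrReq, Principal, UseCondition, Decision, x509Holds, satisfied, sampleDecision) and the sample policy values are hypothetical.

```cpp
#include <algorithm>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for illustration; these are not Akenti's real types.
struct AttrReq { std::string attr, value; std::set<std::string> trustedCAs; };
using DN = std::vector<std::pair<std::string, std::string>>;  // parsed RDNs, not a raw string
struct Principal { std::string issuerCA; DN dn; };            // issuerCA: CA of the identity cert
struct UseCondition {
    bool enable;                              // unsatisfied + enable => deny
    std::vector<std::vector<AttrReq>> anyOf;  // simplified expression: OR of AND-groups
    std::set<std::string> actions;
};
struct Decision { bool allowed; std::set<std::string> actions; };

// Case (a) X509: CA check first, then exact match against the parsed DN components.
bool x509Holds(const Principal& p, const AttrReq& r) {
    if (!r.trustedCAs.count(p.issuerCA)) return false;
    return std::find(p.dn.begin(), p.dn.end(), std::make_pair(r.attr, r.value)) != p.dn.end();
}

// any_of/all_of stop at the first deciding term (short-circuit evaluation).
bool satisfied(const Principal& p, const UseCondition& uc) {
    return std::any_of(uc.anyOf.begin(), uc.anyOf.end(), [&](const std::vector<AttrReq>& g) {
        return std::all_of(g.begin(), g.end(), [&](const AttrReq& r) { return x509Holds(p, r); });
    });
}

Decision authorize(const Principal& p, const std::vector<UseCondition>& ucs) {
    Decision d{false, {}};
    for (const UseCondition& uc : ucs) {
        if (satisfied(p, uc)) {
            d.allowed = true;
            d.actions.insert(uc.actions.begin(), uc.actions.end());
        } else if (uc.enable) {
            return Decision{false, {}};  // mandatory condition failed: deny outright
        }                                // optional condition failed: do nothing
    }
    return d;  // allowed only if at least one UseCondition was satisfied
}

// Constructed sample policy: one mandatory and one optional UseCondition.
Decision sampleDecision(const std::string& issuerCA, const std::string& ou) {
    Principal p{issuerCA, {{"O", "Example Lab"}, {"OU", ou}, {"CN", "Alice"}}};
    AttrReq org{"O", "Example Lab", {"Example CA"}}, ops{"OU", "Ops", {"Example CA"}};
    UseCondition must{true, {{org}}, {"read"}}, extra{false, {{ops}}, {"write"}};
    return authorize(p, {must, extra});
}
```

Comparing parsed DN components instead of searching the DN string keeps a value such as "Ops" from matching inside a longer or differently named component.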

o const AkentiMessage& getAkentiMessage() const


This class has no child classes.
Author:
Abdelilah Essiari, Srilekha Mudumbai
Version:
1.1 00/05/01
See Also:
AKRuntime
Evaluator




This page was generated with the help of DOC++.