class PolicyAuthorizer
A PolicyAuthorizer evaluates the UseCondition certificates and generates a Capability if at least one UseCondition certificate has been satisfied or partially satisfied and if no UseCondition certificate with the enable flag set is not satisfied.
PolicyAuthorizer (AKRuntime* akRuntime): Constructs this object.
~PolicyAuthorizer (): Destroys this object.
authorize (): Determines the allowable actions.
getAkentiMessage () const
Algorithm to determine these actions:

For each policy:
    Evaluate the UseCondition certificates.
    For each UseCondition:
        If a UseCondition certificate evaluates to false and enable is true, access is denied.
        If a UseCondition certificate evaluates to true, we just add the actions specified by that UseCondition.
        Otherwise we do nothing.

Algorithm to evaluate a UseCondition:

The boolean expression specified in the UseCondition is evaluated using short-circuit evaluation. Therefore not all attribute/value pairs are considered.
For each attribute/value pair, we have two cases:
    a) X509:
        First we check if the CA of the AkentiPrincipal is one of the CAs that can attest to this attribute/value pair.
        Second we check if the DistinguishedName contains the attribute/value pair.
    b) GENERIC:
        This involves using attribute certificates. The collection of attribute certificates is essentially the same as the collection of X509 identity certificates. See CertificateVerifier. The verification has an additional test which makes sure that the issuer of the attribute certificate is one of the issuers for this attribute/value pair.
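A sketch of the decision logic described above, as an added example that is not Akenti's own code. All type and function names are hypothetical; it assumes the UseCondition expression is a plain AND of X509 attribute/value pairs and represents a denial as an empty action set.

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>

// All types and names here are hypothetical stand-ins, not Akenti's classes.
struct Principal {
    std::string issuerCA;  // CA that issued the identity certificate
    std::set<std::pair<std::string, std::string>> dn;  // DN components
};

struct AttrReq {  // one X509 attribute/value pair from a UseCondition
    std::string attr, value;
    std::set<std::string> trustedCAs;  // CAs allowed to attest to this pair
};

struct UseCond {
    std::vector<AttrReq> allOf;  // assumption: expression is a plain AND
    bool enable;                 // the enable flag described on this page
    std::set<std::string> actions;
};

// X509 case: the issuing CA must be acceptable for this pair first; only
// then is the DistinguishedName checked for the attribute/value pair.
bool holds(const AttrReq& r, const Principal& p) {
    if (r.trustedCAs.count(p.issuerCA) == 0) return false;
    return p.dn.count(std::make_pair(r.attr, r.value)) > 0;
}

// Short-circuit evaluation: pairs after the first failure are never checked.
bool evaluate(const UseCond& uc, const Principal& p) {
    for (const auto& r : uc.allOf)
        if (!holds(r, p)) return false;
    return true;
}

// Returns the granted actions; an empty set means no capability is issued.
std::set<std::string> decide(const std::vector<UseCond>& useConds,
                             const Principal& p) {
    std::set<std::string> granted;
    for (const auto& uc : useConds) {
        const bool ok = evaluate(uc, p);
        if (!ok && uc.enable) return {};  // failed enable condition: deny
        if (ok) granted.insert(uc.actions.begin(), uc.actions.end());
    }
    return granted;
}
```

A UseCondition that fails with enable set discards actions already collected from earlier UseConditions, so the result does not depend on the order in which they are evaluated.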