class PolicyAuthorizer : public LogInterface

A PolicyAuthorizer evaluates the UseCondition certificates and generates a Capability if at least one UseCondition certificate has been satisfied or partially satisfied, and no UseCondition certificate with the enable flag set has failed to be satisfied.

Inheritance:

LogInterface

Public Methods

PolicyAuthorizer (AKRuntime* akRuntime)
Constructs this object
~PolicyAuthorizer ()
Destroys this object
bool authorize ()
Determines the allowable actions
const AkentiMessage& getAkentiMessage () const

Inherited from LogInterface:

Public Methods

void iLog(int level, const string& key, const string& mesg = "") const
void bLog(int level, const string& key, const string& mesg = "") const
void sLog(int level, const string& key, const string& mesg = "") const
void fLog(int level, const string& key, const string& mesg = "") const

Documentation

A PolicyAuthorizer evaluates the UseCondition certificates and generates a Capability if at least one UseCondition certificate has been satisfied or partially satisfied, and no UseCondition certificate with the enable flag set has failed to be satisfied.
PolicyAuthorizer(AKRuntime* akRuntime)
Constructs this object

~PolicyAuthorizer()
Destroys this object

bool authorize()
Determines the allowable actions.
Algorithm to determine these actions:

For each policy:
    Evaluate the UseCondition certificates.
    For each UseCondition:
        If a UseCondition certificate evaluates to false
        and its enable flag is true, access is denied.
        If a UseCondition certificate evaluates to true,
        the actions specified by that UseCondition are added.
        Otherwise nothing is done.

Algorithm to evaluate a UseCondition:

The boolean expression specified in the UseCondition
is evaluated using short-circuit evaluation. Therefore not
all attribute/value pairs are necessarily considered.
For each attribute/value pair there are two cases:
    a) X509:
        First, check that the CA of the AkentiPrincipal
        is one of the CAs that can attest to this attribute/value pair.
        Second, check that the DistinguishedName contains the
        attribute/value pair.
    b) GENERIC:
        This involves attribute certificates.
        The collection of attribute certificates is essentially the
        same as the collection of X509 identity certificates. See
        CertificateVerifier. The verification has an additional test
        which makes sure that the issuer of the attribute certificate
        is one of the issuers for this attribute/value pair.
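The two algorithms above, worked through as an added C++ example (not Akenti's own code). It assumes the attribute/value pairs a principal holds have already been attested by the certificate verifier and are given as a plain set of strings; the UseCondition, Policy, Capability types and the has() helper are hypothetical stand-ins for the Akenti classes, and the sample policy is constructed for the example.

```cpp
#include <functional>
#include <set>
#include <string>
#include <vector>

// Constructed model (not Akenti's own types): the attribute/value pairs that
// the certificate verifier has already attested for the AkentiPrincipal.
using Attributes = std::set<std::string>;

// A UseCondition: its boolean expression over attribute/value pairs, the enable
// flag, and the actions granted when the expression evaluates to true.
struct UseCondition {
    std::function<bool(const Attributes&)> expr;
    bool enable;
    std::set<std::string> actions;
};
struct Policy { std::vector<UseCondition> useConditions; };

// Result of authorize(): granted == false means access is denied; otherwise
// actions is the capability, the union of the actions of satisfied UseConditions.
struct Capability { bool granted; std::set<std::string> actions; };

// Hypothetical helper: does the principal hold this attribute/value pair?
static bool has(const Attributes& a, const std::string& av) { return a.count(av) != 0; }

Capability authorize(const std::vector<Policy>& policies, const Attributes& principal) {
    bool anySatisfied = false;
    std::set<std::string> actions;
    for (const Policy& p : policies) {
        for (const UseCondition& uc : p.useConditions) {
            bool satisfied = uc.expr(principal);
            if (!satisfied && uc.enable) return Capability{false, {}};  // enabled UC failed: deny
            if (satisfied) {                                            // add this UC's actions
                anySatisfied = true;
                actions.insert(uc.actions.begin(), uc.actions.end());
            }
            // otherwise (unsatisfied, enable == false): do nothing
        }
    }
    return Capability{anySatisfied, actions};
}

// Constructed sample policy. The || operator gives the short-circuit evaluation
// described above: "group=admin" is never checked once "group=ops" holds.
std::vector<Policy> samplePolicies() {
    UseCondition membership{[](const Attributes& a) { return has(a, "group=ops") || has(a, "group=admin"); },
                            true, {"read", "write"}};
    UseCondition onsite{[](const Attributes& a) { return has(a, "site=LBL"); }, false, {"delete"}};
    return {Policy{{membership, onsite}}};
}
```

A principal holding only "site=LBL" is denied because the enabled membership condition fails, while "group=ops" alone yields the capability {read, write} and the disabled onsite condition simply contributes nothing.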

const AkentiMessage& getAkentiMessage() const


This class has no child classes.
Author:
Abdelilah Essiari, Srilekha Mudumbai
Version:
1.1 00/05/01
See Also:
AKRuntime
Evaluator

this page has been generated automatically by doc++

(c)opyright by Malte Zöckler, Roland Wunderling
contact: doc++@zib.de