A PolicyAuthorizer evaluates the UseCondition certificates and generates a Capability if at least one UseCondition certificate has been satisfied (or partially satisfied) and no UseCondition certificate with the enable flag set is unsatisfied.
PolicyAuthorizer (AKRuntime* akRuntime)
    Constructs this object
~PolicyAuthorizer ()
    Destroys this object
authorize ()
    Determines the allowable actions
getAkentiMessage () const
~PolicyAuthorizer()
bool authorize()
Algorithm to determine these actions:
For each policy:
Evaluate the UseCondition certificates.
For each UseCondition:
If a UseCondition certificate evaluates to false
and its enable flag is set, access is denied (no Capability is generated).
If a UseCondition certificate evaluates to true,
the actions specified by that UseCondition are added to the allowable set.
Otherwise (false with enable not set) nothing is added and evaluation continues.
Algorithm to evaluate a UseCondition:
The boolean expression specified in the UseCondition
is evaluated using short-circuit evaluation, so not
all attribute/value pairs are necessarily examined.
For each attribute/value pair that is examined there are two cases:
a) X509:
First we check that the CA of the AkentiPrincipal
is one of the CAs that can attest to this attribute/value pair.
Second we check that the DistinguishedName contains the
attribute/value pair.
b) GENERIC:
This involves using attribute certificates.
The collection of attribute certificates is essentially the
same as the collection of X509 identity certificates. See
CertificateVerifier. The verification has one additional test,
which makes sure that the issuer of the attribute certificate
is one of the issuers allowed for this attribute/value pair.
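The two algorithms above, written out as an added example (this is not Akenti's own code): a small C++ model of authorize() and of UseCondition evaluation, with short-circuit AND/OR, the X509 check (allowed CA plus DN match) and the GENERIC check (a verified attribute certificate from an allowed issuer). The types Principal, AttributeCert, Term, Expr, UseCondition and Policy, the function names, and the sample policy and certificates are all assumptions constructed for the example.

```cpp
// Added example (not Akenti's own code): a model of the authorize() algorithm
// documented above. All types, names and sample data here are assumptions.
#include <map>
#include <set>
#include <string>
#include <vector>

struct Principal {                          // hypothetical AkentiPrincipal
    std::string ca;                         // CA that issued the identity certificate
    std::map<std::string, std::string> dn;  // DistinguishedName attribute/value pairs
};
struct AttributeCert {                      // hypothetical attribute certificate
    std::string issuer, attribute, value;
    bool verified;                          // passed CertificateVerifier-style checks
};
enum class AttrType { X509, GENERIC };
struct Term {                               // one attribute/value pair in an expression
    AttrType type;
    std::string attribute, value;
    std::set<std::string> issuers;          // who may attest: CAs (X509) or AC issuers (GENERIC)
};
struct Expr {                               // boolean expression over terms
    enum Op { TERM, AND, OR } op;
    Term term;                              // used when op == TERM
    std::vector<Expr> children;             // used when op == AND / OR
};
struct UseCondition {
    Expr expr;
    bool enable;                            // failing an enabled condition denies access
    std::set<std::string> actions;
};
struct Policy { std::vector<UseCondition> conditions; };

// X509: the principal's CA must be allowed for this pair and the DN must contain the pair.
// GENERIC: a verified attribute certificate from an allowed issuer must assert the pair.
bool evalTerm(const Term& t, const Principal& p, const std::vector<AttributeCert>& acs) {
    if (t.type == AttrType::X509) {
        if (!t.issuers.count(p.ca)) return false;
        auto it = p.dn.find(t.attribute);
        return it != p.dn.end() && it->second == t.value;
    }
    for (const auto& ac : acs)
        if (ac.verified && ac.attribute == t.attribute && ac.value == t.value &&
            t.issuers.count(ac.issuer))
            return true;
    return false;
}

// Short-circuit: AND stops at the first false term, OR at the first true one,
// so not every attribute/value pair is necessarily examined.
bool evalExpr(const Expr& e, const Principal& p, const std::vector<AttributeCert>& acs) {
    switch (e.op) {
    case Expr::TERM: return evalTerm(e.term, p, acs);
    case Expr::AND:
        for (const auto& c : e.children) if (!evalExpr(c, p, acs)) return false;
        return true;
    case Expr::OR:
        for (const auto& c : e.children) if (evalExpr(c, p, acs)) return true;
        return false;
    }
    return false;
}

// Returns true and fills `actions` when a capability should be generated; returns false
// (leaving `actions` empty) when an enabled UseCondition fails or nothing is granted.
bool authorize(const std::vector<Policy>& policies, const Principal& p,
               const std::vector<AttributeCert>& acs, std::set<std::string>& actions) {
    actions.clear();
    for (const auto& pol : policies)
        for (const auto& uc : pol.conditions) {
            bool satisfied = evalExpr(uc.expr, p, acs);
            if (!satisfied && uc.enable) { actions.clear(); return false; }  // deny
            if (satisfied) actions.insert(uc.actions.begin(), uc.actions.end());
        }
    return !actions.empty();
}

// Constructed sample policy: an enabled condition granting "read" to O=LBNL subjects
// vouched for by the trusted CA, and an optional condition adding "write" for OU=Physics
// subjects who also hold a group=collaborator attribute certificate from "Project Admin".
std::vector<Policy> samplePolicies() {
    const std::set<std::string> trustedCA{"DOE Science Grid CA"};
    Expr org{Expr::TERM, Term{AttrType::X509, "O", "LBNL", trustedCA}, {}};
    Expr ou{Expr::TERM, Term{AttrType::X509, "OU", "Physics", trustedCA}, {}};
    Expr grp{Expr::TERM, Term{AttrType::GENERIC, "group", "collaborator", {"Project Admin"}}, {}};
    Expr both{Expr::AND, Term{}, {ou, grp}};
    return {Policy{{UseCondition{org, true, {"read"}},
                    UseCondition{both, false, {"write"}}}}};
}
std::vector<AttributeCert> sampleAttributeCerts() {   // constructed sample data
    return {AttributeCert{"Project Admin", "group", "collaborator", true}};
}
```

Note the order of the two failure modes: a principal whose CA is not among the allowed attesters fails the enabled condition and is denied outright, even if every other condition would pass, whereas a principal who merely lacks the optional attribute certificate still receives a Capability limited to "read".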
this page has been generated automatically by doc++
(c)opyright by Malte Zöckler, Roland Wunderling
contact: doc++@zib.de