org.openeai.implementations.services.eas.commands
Class EnterpriseUserPermissionRequestCommand


java.lang.Object
  |
  +--org.openeai.OpenEaiObject
        |
        +--org.openeai.jms.consumer.commands.ConsumerCommand
              |
              +--org.openeai.jms.consumer.commands.RequestCommandImpl
                    |
                    +--org.openeai.implementations.services.eas.commands.EnterpriseApplicationServiceCommand
                          |
                          +--org.openeai.implementations.services.eas.commands.EnterpriseUserPermissionRequestCommand

All Implemented Interfaces:
RequestCommand

public class EnterpriseUserPermissionRequestCommand
extends EnterpriseApplicationServiceCommand
implements RequestCommand

This class implements part of the message support of the EnterpriseApplicationService.

Specifically, this command handles org.openeai.CoreApplication/EnterpriseUserPermission/Query-Request messages and replies with an org.openeai.CoreApplication/EnterpriseUserPermission/Provide-Reply.

1. org.openeai.CoreApplication/EnterpriseUserPermission/Query-Request

Consults the directory server to determine if an EnterpriseUser has a specific permission.

This command assumes that permissions are managed using the following or very similar directory schema objects:

Given this structure, permissions are assigned to users through groups. The search looks to see if one or more groups exist that have both the EnterpriseUser as a uniqueMember and the permission as a uniquePermission. For details on the search that determines whether or not an EnterpriseUser has a permission, see the hasPermission method of this class.

If the EnterpriseUser does not have the permission named in the Query-Request, this command returns an org.openeai.CoreApplication/EnterpriseUserPermission/Provide-Reply with a status of success and an empty data area as prescribed by the OpenEAI Message Protocol.

If an EnterpriseUser does have the permission named in the Query-Request, it returns an org.openeai.CoreApplication/EnterpriseUserPermission/Provide-Reply with a status of success and a data area containing the EnterpriseUser as prescribed by the OpenEAI Message Protocol.
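The group search described above, as an added sketch that is not the project's hasPermission code: it builds the AND filter over uniqueMember and uniquePermission with RFC 4515 escaping, so values taken from a Query-Request are matched literally. The class and method names, the sample DNs and the subtree scope are assumptions; only the two attribute names come from this page.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class HasPermissionSketch {  // hypothetical name, not an OpenEAI class

    // Escape the characters RFC 4515 treats as filter syntax.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // A group matches only if it lists BOTH the user and the permission.
    static String groupFilter(String user, String permission) {
        return "(&(uniqueMember=" + escape(user) + ")(uniquePermission=" + escape(permission) + "))";
    }

    // ctx: a context opened with initialContextFactory and providerUrl, so the
    // empty search base "" is the group subtree named in providerUrl.
    static boolean hasPermission(DirContext ctx, String user, String permission)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // assumed scope
        sc.setReturningAttributes(new String[0]);          // existence check: fetch no attributes
        NamingEnumeration<SearchResult> groups = ctx.search("", groupFilter(user, permission), sc);
        try {
            return groups.hasMore();                       // one matching group is enough
        } finally {
            groups.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the real DN layout depends on the directory.
        System.out.println(groupFilter("uid=jdoe,ou=People,dc=example,dc=edu", "cn=ViewPayroll"));
        System.out.println(groupFilter("uid=jdoe,ou=People,dc=example,dc=edu", "*")); // '*' is escaped, not a wildcard
    }
}
```

The main method runs without a directory server and only prints the generated filters; hasPermission needs a live DirContext.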

Configuration Parameters:

This command expects exactly one properties object in the command configuration with the following properties. The properties object may have any name, because it is retrieved by type.

Name: provideDocumentUri
Required: yes
Description: URI for retrieving the primed org.openeai.CoreApplication/EnterpriseUser/Provide-Reply document

Name: responseDocumentUri
Required: yes
Description: URI for retrieving the primed org.openeai.CoreMessaging/Generic/Response-Reply document

Name: initialContextFactory
Required: yes
Description: Class name of the initial context factory to use to connect to the directory server for the purpose of performing hasPermission searches. For example, one possible value for this property is 'com.sun.jndi.ldap.LdapCtxFactory'.

Name: providerUrl
Required: yes
Description: URL for connecting to the directory server for the purpose of performing hasPermission searches. This providerURL should point to the base of the directory tree where the groups reside in which permissions are assigned to users. For example, one possible value for this property is 'ldaps://ldap.aits.uillinois.edu:636/ou=Development,ou=Groups,dc=uillinois,dc=edu'.

Error Messages:

Code: OpenEAI-1001
Type: application
Description: Unsupported message object: [unsupported message object name]. This command expects '[supported message object name(s)]'. (in this case 'EnterpriseUserPermission')
Explanation: Somehow the wrong message object name is getting placed into the message by the sending application or it is sending the wrong message entirely.

Code: OpenEAI-1002
Type: application
Description: Unsupported message action: [unsupported message action name]. This command only supports '[supported message action name(s)]'. (in this case 'query')
Explanation: Somehow the wrong message action name is getting placed into the message by the sending application or it is sending the wrong message entirely. This command only supports Query-Requests.

Code: OpenEAI-1003
Type: application
Description: Invalid query element found in the Query-Request message. This command expects '[name of the expected query object(s)]'. (in this case 'EnterpriseUserPermission')
Explanation: A null or inappropriate query object is getting placed into the message by the sending application or it is sending the wrong message entirely. This command only supports EnterpriseUser/Query-Request, which must have a NetId as the query object.

Code: OpenEAI-1004
Type: application
Description: Inauthentic request message. The request message does not appear to come from an application that is authorized to make the request.
Explanation: Verify that the SenderAppId and AuthUserSignature in the request message match the appropriate application name and secret application signature in the EnterpriseApplicationService database (in table APPLSVC.T_APPLICATION).

More background: There are several ways to authenticate messages. In the case of the EnterpriseApplicationService, administrators issue a secret signature to each application that is authorized to use the EnterpriseApplicationService, in addition to all of the normal security principals and credentials that are always established for directory server and broker access. All applications that use the EnterpriseApplication configure themselves to send that secret signature in the AuthUserSignature element of the ControlArea of each message they send. The command authenticates the message by comparing the AuthUserSignature and SenderAppId in the ControlArea of each message to the EnterpriseApplicationService database, specifically APPLSVC.T_APPLICATION, which contains records identifying authorized applications with their secret signatures. For details on how request authentication is performed, see the authenticateMessage(Element) method of EnterpriseApplicationServiceCommand.

Code: OpenEAI-1005
Type: system
Description: Error authenticating request message. The exception is: [SQLException message].
Explanation: Some type of database error occurred while attempting to retrieve the application signature from the EnterpriseApplicationService database to compare it with the signature found in the message. Consult the detail of the SQLException message to get a better idea of what precisely is wrong. The database may be unavailable, there may be a problem with the query the command is using, or there may be a data error or inconsistency in the data in the EnterpriseApplicationService database.

Code: EnterpriseApplicationService-1004
Type: application
Description: Error building EnterpriseUserPermission object from the EnterpriseUserPermission element in the Query-Request message. The exception is: [EnterpriseLayoutException message].
Explanation: There was an error building an EnterpriseUserPermission XmlEnterpriseObject from the EnterpriseUserPermission element used as the query object in the incoming Query-Request message. There is most likely bad data in this EnterpriseUserPermission element or its children, or the element (and therefore the entire message) is not well formed and valid. Verify that the message is well formed and valid and consult the appropriate EnterpriseObjects document for the EnterpriseUserPermission object to verify that the data being passed is allowable.

Code: EnterpriseApplicationService-1005
Type: system
Description: Error querying the directory server for the EnterpriseUserPermission. The exception is: [NamingException message].
Explanation: Some type of directory server error occurred while attempting to search for a group or groups with the matching uniqueMember and uniquePermission. Consult the detail of the NamingException message to get a better idea of what precisely is wrong. The directory server may be unavailable, there may be a problem with the search the command is using, or there may be a data error or inconsistency in the data in the directory server.

Code: EnterpriseApplicationService-1006
Type: application
Description: Error building EnterpriseUserPermission element from the EnterpriseUserPermission object. The exception is: [EnterpriseLayoutException message].
Explanation: There was an error serializing the EnterpriseUserPermission XmlEnterpriseObject for the Provide-Reply. If this error occurs, something strange is going on, because the way this command is presently implemented, this EnterpriseUserPermission object is built from the EnterpriseUserPermission element in the incoming Query-Request and just retained for serialization back into the Provide-Reply if the hasPermission method returns true. In other words, if the EnterpriseUserPermission object can be successfully built from the XML element in the Query-Request, in theory you should never really have a problem serializing it for the Provide-Reply. However, this isn't theory, so this error is checked for and returned.
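The SenderAppId / AuthUserSignature comparison behind OpenEAI-1004, as an added sketch that is not the project's authenticateMessage code: it fails closed on missing fields and compares the signature in constant time. The class and method names, the in-memory map standing in for APPLSVC.T_APPLICATION, and all sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public class AuthenticateMessageSketch {  // hypothetical name, not an OpenEAI class

    // Constructed stand-in for APPLSVC.T_APPLICATION: application name -> secret signature.
    static final Map<String, String> T_APPLICATION =
            Map.of("org.example.PayrollApp", "constructed-signature-7f3a");

    // Placeholder compared against when the sender is unknown, so known and
    // unknown senders go through the same comparison.
    static final String NO_SUCH_APP = "\u0000no-such-application";

    // True only when senderAppId is registered and the presented signature
    // equals the stored one. A false result maps to OpenEAI-1004.
    static boolean signatureMatches(String senderAppId, String authUserSignature) {
        if (senderAppId == null || authUserSignature == null) {
            return false;  // missing ControlArea fields: fail closed
        }
        String stored = T_APPLICATION.get(senderAppId);
        byte[] expected = (stored != null ? stored : NO_SUCH_APP).getBytes(StandardCharsets.UTF_8);
        byte[] presented = authUserSignature.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual does not stop at the first differing byte,
        // unlike String.equals, so timing does not reveal a matching prefix.
        boolean match = MessageDigest.isEqual(expected, presented);
        return stored != null && match;
    }

    public static void main(String[] args) {
        System.out.println("registered app, correct signature: "
                + signatureMatches("org.example.PayrollApp", "constructed-signature-7f3a"));
        System.out.println("registered app, wrong signature:   "
                + signatureMatches("org.example.PayrollApp", "constructed-signature-0000"));
        System.out.println("unregistered app:                  "
                + signatureMatches("org.example.UnknownApp", "constructed-signature-7f3a"));
        System.out.println("missing AuthUserSignature:         "
                + signatureMatches("org.example.PayrollApp", null));
    }
}
```

In the real command the lookup is a database query, so a SQLException there is reported as OpenEAI-1005 rather than being treated as an authentication result.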

Version:
1.0 beta - 18 October 2002
Author:
Steve Wheat (steve@openeai.org)
See Also:
EnterpriseApplicationServiceCommand#authenticateMessage, EnterpriseApplicationServiceCommand

Field Summary
 
Fields inherited from class org.openeai.implementations.services.eas.commands.EnterpriseApplicationServiceCommand
m_allowPurge, m_connPool, m_maxIdleTime, m_provideDoc, m_responseDoc
 
Fields inherited from class org.openeai.jms.consumer.commands.ConsumerCommand
CREATE_ACTION, DELETE_ACTION, MESSAGE_ACTION, MESSAGE_CATEGORY, MESSAGE_OBJECT, MESSAGE_RELEASE, MESSAGE_TYPE, QUERY_ACTION, UPDATE_ACTION
 
Fields inherited from class org.openeai.OpenEaiObject
logger
 
Constructor Summary
EnterpriseUserPermissionRequestCommand(CommandConfig cConfig)
          Constructor
 
Method Summary
 javax.jms.Message execute(int messageNumber, javax.jms.Message aMessage)
          Method used to implement business logic specific to a message or set of messages consumed by an OpenEAI PointToPointConsumer.
 
Methods inherited from class org.openeai.implementations.services.eas.commands.EnterpriseApplicationServiceCommand
createSession, createSession, getEnterpriseId, getEnterpriseIdString, getExistingValidEnterpriseSessionId, isMessageAuthentic, isSessionValid, isSessionValid, purgeSession, purgeSession, retrieveApplicationSession, retrieveEnterpriseSession, retrieveEnterpriseUser, terminateSession, terminateSession, updateSession, updateSessionActivity, updateSessionActivity, validEnterpriseSessionExists
 
Methods inherited from class org.openeai.jms.consumer.commands.RequestCommandImpl
buildReplyDocument, buildReplyDocumentWithErrors, buildReplyDocumentWithErrors, getMessage
 
Methods inherited from class org.openeai.jms.consumer.commands.ConsumerCommand
addAppConfig, buildError, convertToString, generateRelease, getAppConfig, getAppConfigs, getControlArea, getInboundXmlValidation, getMessageAction, getMessageBody, getMessageCategory, getMessageDumpDirectory, getMessageObject, getMessageRelease, getMessageType, getMsgComponents, getOutboundXmlValidation, initializeInput, setAppConfig, setInboundXmlValidation, setMessageDumpDirectory, setMsgComponents, setOutboundXmlValidation, setWriteToFile, writeMessageToFile, writeToFile
 
Methods inherited from class org.openeai.OpenEaiObject
addLog4jProperty, getAppName, getDebug, getFromAddr, getLog4jProperties, getMailHost, getMailService, getProperties, getToAddr, initializeLog4j, initializeLog4j, initializeLog4j, setAppName, setDebug, setFromAddr, setMailHost, setMailService, setProperties, setToAddr
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

EnterpriseUserPermissionRequestCommand


public EnterpriseUserPermissionRequestCommand(CommandConfig cConfig)
                                       throws java.lang.InstantiationException
Constructor

Method Detail

execute


public final javax.jms.Message execute(int messageNumber,
                                       javax.jms.Message aMessage)
                                throws CommandException
Description copied from interface: RequestCommand
Method used to implement business logic specific to a message or set of messages consumed by an OpenEAI PointToPointConsumer. When a consumer consumes a message, it determines which RequestCommand implementation to execute and calls this method, passing the JMS Message. The command then retrieves the body of the message and converts that into an XML Document (org.jdom.Document). Then the command executes business logic appropriate to it based on the contents of the message.

Specified by:
execute in interface RequestCommand
Returns:
Message the JMS Message that should be returned to the calling application after the command has performed its business logic.

Throws:
CommandException
See Also:
SyncCommand.execute


Copyright © 2002, OpenEAI Software Foundation