1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.directory.api.ldap.model.message.controls;
20  
21  
22  import org.apache.directory.api.ldap.model.message.Control;
23  
24  
25  /**
26   * Control which defines the Proxy Authorization request. More information is available in <a
27   * href="https://tools.ietf.org/html/rfc4370">RFC 4370</a>. Below we have included section 3 of the RFC describing
28   * this control:
29   *
30   * <pre>
31   *  3. Proxy Authorization Control
32   *
33   *      A single Proxy Authorization Control may be included in any search,
34   *   compare, modify, add, delete, or modify Distinguished Name (DN) or
35   *   extended operation request message.  The exception is any extension
36   *   that causes a change in authentication, authorization, or data
37   *   confidentiality [RFC2829], such as Start TLS [LDAPTLS] as part of the
38   *   controls field of the LDAPMessage, as defined in [RFC2251].
39   *
40   *   The controlType of the proxy authorization control is
41   *   "2.16.840.1.113730.3.4.18".
42   *
43   *   The criticality MUST be present and MUST be TRUE.  This requirement
44   *   protects clients from submitting a request that is executed with an
45   *   unintended authorization identity.
46   *
47   *   Clients MUST include the criticality flag and MUST set it to TRUE.
48   *   Servers MUST reject any request containing a Proxy Authorization
49   *   Control without a criticality flag or with the flag set to FALSE with
50   *   a protocolError error.  These requirements protect clients from
51   *   submitting a request that is executed with an unintended
52   *   authorization identity.
53   *
54   *   The controlValue SHALL be present and SHALL either contain an authzId
55   *   [AUTH] representing the authorization identity for the request or be
56   *   empty if an anonymous association is to be used.
57   *
58   *   The mechanism for determining proxy access rights is specific to the
59   *   server's proxy authorization policy.
60   *
61   *   If the requested authorization identity is recognized by the server,
62   *   and the client is authorized to adopt the requested authorization
63   *   identity, the request will be executed as if submitted by the proxy
64   *   authorization identity; otherwise, the result code 123 is returned.
65   * </pre>
66   *
67   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
68   */
public interface ProxiedAuthz extends Control
{
    // NOTE(review): RFC 4370, section 3, requires this control to be sent with criticality TRUE.
    // Nothing declared in this interface enforces that; presumably it is handled through the
    // inherited Control contract - confirm in the implementations and callers.

    /**
     * Object identifier of the Proxy Authorization control, i.e. the controlType value
     * given in RFC 4370, section 3.
     */
    String OID = "2.16.840.1.113730.3.4.18";


    /**
     * Gets the authorization identity carried in the control value.
     * <p>
     * Per RFC 4370, section 3, this is the identity the server is asked to execute the request as;
     * an empty value asks for an anonymous association.
     *
     * @return The authzId
     */
    String getAuthzId();


    /**
     * Sets the authorization identity to send in the control value.
     * <p>
     * The value names the identity the request is to be executed as, so it should be derived from
     * a source the caller trusts (for instance an already authenticated principal) and not from
     * unchecked input. This interface declares no validation of its own; whether the format is
     * checked depends on the implementation, which is not visible here.
     *
     * @param authzId The authzId to set. Must be empty (not null), or a valid DN prefixed by 'dn:', or any
     * user information prefixed by 'u:'
     */
    void setAuthzId( String authzId );
}