From smckin...@apache.org
Subject [14/19] directory-fortress-core git commit: FC-109 - break core package cycles
Date Mon, 01 Jun 2015 23:02:19 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/0c46e4de/src/main/java/org/apache/directory/fortress/core/model/Permission.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/Permission.java b/src/main/java/org/apache/directory/fortress/core/model/Permission.java
new file mode 100755
index 0000000..641075e
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/model/Permission.java
@@ -0,0 +1,790 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+
+import java.io.Serializable;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Properties;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.UUID;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+/*
+## OC2: Fortress Permission Structural Object Class
+    objectclass    ( 1.3.6.1.4.1.38088.2.2
+    NAME 'ftObject'
+    DESC 'Fortress Permission Object Class'
+    SUP organizationalunit
+    STRUCTURAL
+    MUST (
+    ftId $
+    ftObjNm
+    )
+    MAY (
+    ftType
+    )
+    )
+*/
+/**
+ * All entities ({@link User}, {@link Role}, {@link Permission},
+ * {@link PwPolicy} {@link SDSet} etc...) are used to carry data between three Fortress
+ * layers.starting with the (1) Manager layer down thru middle (2) Process layer and it's processing rules into
+ * (3) DAO layer where persistence with the OpenLDAP server occurs.
+ * <h4>Fortress Processing Layers</h4>
+ * <ol>
+ * <li>Manager layer:  {@link org.apache.directory.fortress.core.rbac.AdminMgrImpl}, {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl}, {@link org.apache.directory.fortress.core.rbac.ReviewMgrImpl},...</li>
+ * <li>Process layer:  {@link org.apache.directory.fortress.core.rbac.UserP}, {@link org.apache.directory.fortress.core.rbac.RoleP}, {@link org.apache.directory.fortress.core.rbac.PermP},...</li>
+ * <li>DAO layer: {@link org.apache.directory.fortress.core.rbac.UserDAO}, {@link org.apache.directory.fortress.core.rbac.RoleDAO}, {@link org.apache.directory.fortress.core.rbac.PermDAO},...</li>
+ * </ol>
+ * Fortress clients first instantiate and populate a data entity before invoking any of the Manager APIs.  The caller must
+ * provide enough information to uniquely identity the entity target within ldap.<br />
+ * For example, this entity requires {@link #setObjName} and {@link #setOpName} attributes set before passing into {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl} APIs.
+ * Create methods usually require more attributes (than Read) due to constraints enforced between entities.
+ * <p/>
+ * <h4>Permission entity attribute usages include</h4>
+ * <ul>
+ * <li>{@link #setObjName} and {@link #setOpName} attributes set before calling {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl#checkAccess(Session, Permission)}.
+ * <li>{@link #getRoles} may be set after calling {@link org.apache.directory.fortress.core.rbac.ReviewMgrImpl#readPermission(Permission)} or {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl#sessionPermissions(Session)}.
+ *
+ * <li>{@link #getUsers} may be set after calling {@link org.apache.directory.fortress.core.rbac.ReviewMgrImpl#readPermission(Permission)} or {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl#sessionPermissions(Session)}.
+ *
+ * </ul>
+ * <p/>
+ * <h4>More Permission entity notes</h4>
+ * <ul>
+ * <li>The unique key to locate a Permission entity (which is required for all authZ requests) is {@link Permission#objName} and {@link Permission#opName}.<br />
+ * <li>The Permission entity is used to target function points within computer programs needing authorization. This permission model allows a one-to-many relationship between the objects {@link PermObj} and operations {@link Permission}.
+ * <p/>
+ * <img src="../doc-files/RbacCore.png">
+ * <li>The object to operation pairings enable application resources to be mapped to Fortress permissions in a way that is natural for object oriented programming.
+ * <li>Permissions = Object {@link PermObj} 1<->* Operations {@link Permission}
+ * <li>Permissions in Fortress may also be assigned directly to {@link #users}.
+ * <li>Objects {@link #objName}, Operations {@link #opName}, Roles {@link #roles}, Users {@link #users} are not case sensitive for reads or searches.
+ * </ul>
+ * <p/>
+ * The application entity that requires authorization will be mapped to the {@link PermObj} entity and the application's methods or operation names
+ * will be mapped to {@link Permission} entities.
+ * For example, the application entity 'ShoppingCart' has 5 operations - 'create', 'read', 'update', 'delete' and 'checkout'.
+ * The following code will create the permissions and perform the necessary grants.
+ * <pre>
+ * try
+ * {
+ *  // Instantiate the AdminMgr first
+ *  AdminMgr adminMgr = AdminMgrFactory.createInstance();
+ *
+ *  // Now Instantiate the Object
+ *  PermObj shoppingCart = new PermObj("ShoppingCart", "KillerBikes.com");
+ *
+ *  // Add it to the directory
+ *  adminMgr.addPermObj(shoppingCart);
+ *
+ *  // Now create the permission operations and grant to applicable roles:
+ *  Permission create = new Permission(shoppingCart.getObjName(), "create");
+ *  adminMgr.addPermission(create);
+ *  adminMgr.grantPermission(create, new Role("Customer"));
+ *
+ *  Permission read = new Permission(shoppingCart.getObjName(), "read");
+ *  adminMgr.addPermission(read);
+ *  adminMgr.grantPermission(read, new Role("Customer"));
+ *
+ *  Permission update = new Permission(shoppingCart.getObjName(), "update");
+ *  adminMgr.addPermission(update);
+ *  adminMgr.grantPermission(update, new Role("Admin"));
+ *
+ *  Permission delete = new Permission(shoppingCart.getObjName(), "delete");
+ *  adminMgr.addPermission(delete);
+ *  adminMgr.grantPermission(delete, new Role("Manager"));
+ *
+ *  Permission checkout = new Permission(shoppingCart.getObjName(), "checkout");
+ *  adminMgr.addPermission(checkout);
+ *  adminMgr.grantPermission(delete, new Role("Customer"));
+ * }
+ * catch (SecurityException ex)
+ * {
+ *  // log or throw
+ * }
+ * </pre>
+ * <p/>
+ * <h4>Notes on the shopping cart example</h4>
+ * <ul>
+ * <li> {@link User} that activate 'Manager' role into their Sessions will be allowed access to 'ShoppingCart.delete' permission.
+ * <li> {@link User} that activate 'Admin' role may perform 'ShoppingCart.update'.
+ * <li> {@link User} with 'Customer' role may perform the 'ShoppingCart.create'  'ShoppingCart.read and 'ShoppingCart.checkout'.
+ * <li> {@link Role}s must exist in ldap before assignment here, see javadoc {@link Role} for details.
+ * <p/>
+ * </ul>
+ * <p/>
+ * <h4>Permission Schema</h4>
+ * This Permission entity extends a single standard ldap structural object class, {@code organizationalRole} with
+ * one extension structural class, {@code ftOperation}, and two auxiliary object classes, {@code ftProperties}, {@code ftMods}.
+ * The following 3 LDAP object classes will be mapped into this entity:
+ * <p/>
+ * 1. {@code ftOperation} STRUCTURAL Object Class is assigned roles and/or users which grants permissions which can be later checked
+ * using either 'checkAccess' or 'sessionPermissions APIs both methods that reside in the 'AccessMgrImpl' class.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Operation Structural Object Class
+ * objectclass    ( 1.3.6.1.4.1.38088.2.3
+ *  NAME 'ftOperation'
+ *  DESC 'Fortress Permission Operation Structural Object Class'
+ *  SUP organizationalrole
+ *  STRUCTURAL
+ *  MUST (
+ *      ftId $
+ *      ftPermName $
+ *      ftObjNm $
+ *      ftOpNm
+ *  )
+ *  MAY (
+ *      ftObjId $
+ *      ftRoles $
+ *      ftUsers $
+ *      ftType
+ *  )
+ *  )
+ * 2. {@code ftProperties} AUXILIARY Object Class is used to store optional client or otherwise custom name/value pairs on target entity.<br />
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <pre>
+ * ------------------------------------------
+ * AC2: Fortress Properties Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.2
+ *  NAME 'ftProperties'
+ *  DESC 'Fortress Properties AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftProps
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 3. {@code ftMods} AUXILIARY Object Class is used to store Fortress audit variables on target entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Audit Modification Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.4
+ *  NAME 'ftMods'
+ *  DESC 'Fortress Modifiers AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftModifier $
+ *      ftModCode $
+ *      ftModId
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@XmlRootElement(name = "fortPermission")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "permission", propOrder =
+    {
+        "objName",
+        "opName",
+        "objId",
+        "description",
+        "abstractName",
+        "internalId",
+        "type",
+        "users",
+        "roles",
+        "props",
+        "dn",
+        "admin"
+})
+public class Permission extends FortEntity implements Serializable
+{
+    /** Default serialVersionUID */
+    private static final long serialVersionUID = 1L;
+
+    private boolean admin;
+    private String internalId;
+    private String opName;
+    private String objName;
+    private String objId;
+    private String abstractName;
+    private String type;
+    private String dn;
+    private String description;
+    @XmlElement(nillable = true)
+    private Props props = new Props();
+    //private Properties props;
+    @XmlElement(nillable = true)
+    private Set<String> roles;
+    @XmlElement(nillable = true)
+    private Set<String> users;
+
+
+    /**
+     * This constructor is commonly used to create Permission that is a target for authorization API.
+     *
+     * @param objName maps to 'ftObjNm' attribute in 'ftOperation' object class.
+     * @param opName     maps to 'ftOpNm' attribute in 'ftOperation' object class.
+     */
+    public Permission( String objName, String opName )
+    {
+        this.objName = objName;
+        this.opName = opName;
+    }
+
+
+    /**
+     * Default constructor is used by internal Fortress classes and not intended for external use.
+     */
+    public Permission()
+    {
+    }
+
+
+    /**
+     * Constructor is used for APIs that do not require opName for example ARBAC canGrant/canRevoke.
+     *
+     * @param objName maps to 'ftObjNm' attribute in 'ftOperation' object class.
+     */
+    public Permission( String objName )
+    {
+        this.objName = objName;
+    }
+
+
+    /**
+     * This constructor adds the objId which is used for creating Permissions that have an identity.
+     *
+     * @param objName maps to 'ftObjNm' attribute in 'ftOperation' object class.
+     * @param opName     maps to 'ftOpNm' attribute in 'ftOperation' object class.
+     * @param objId   maps to 'ftObjId' attribute in 'ftOperation' object class.
+     */
+    public Permission( String objName, String opName, String objId )
+    {
+        this.objName = objName;
+        this.opName = opName;
+        this.objId = objId;
+    }
+
+
+    /**
+     * This constructor adds the admin flag which is used to process as Administrative permission.
+     *
+     * @param objName maps to 'ftObjNm' attribute in 'ftOperation' object class.
+     * @param opName     maps to 'ftOpNm' attribute in 'ftOperation' object class.
+     * @param admin      attribute is used to specify the Permission is to be stored and processed in the Administrative RBAC data sets.
+     */
+    public Permission( String objName, String opName, boolean admin )
+    {
+        this.objName = objName;
+        this.opName = opName;
+        this.admin = admin;
+    }
+
+
+    /**
+     * Determine if this Permission is for RBAC or ARBAC processing.
+     *
+     * @return 'true' indicates administrative permission.
+     */
+    public boolean isAdmin()
+    {
+        return admin;
+    }
+
+
+    /**
+     * Set will determine if this Permission is for RBAC or ARBAC processing.
+     *
+     * @param admin contains is 'true' if ARBAC permission..
+     */
+    public void setAdmin( boolean admin )
+    {
+        this.admin = admin;
+    }
+
+
+    /**
+     * This attribute is required but is set automatically by Fortress DAO class before object is persisted to ldap.
+     * This generated internal id is associated with Permission.  This method is used by DAO class and
+     * is not available to outside classes.   The generated attribute maps to 'ftId' in 'ftOperation' object class.
+     */
+    public void setInternalId()
+    {
+        // generate a unique id that will be used as the rDn for this entry:
+        UUID uuid = UUID.randomUUID();
+        this.internalId = uuid.toString();
+    }
+
+
+    /**
+     * Set the internal id that is associated with Permission.  This method is used by DAO class and
+     * is generated automatically by Fortress.  Attribute stored in LDAP cannot be changed by external caller.
+     * This method can be used by client for search purposes only.
+     *
+     * @param internalId maps to 'ftId' in 'ftObject' object class.
+     */
+    public void setInternalId( String internalId )
+    {
+        this.internalId = internalId;
+    }
+
+
+    /**
+     * Return the internal id that is associated with Permission.  This attribute is generated automatically
+     * by Fortress when new PermObj is added to directory and is not known or changeable by external client.
+     *
+     * @return attribute maps to 'ftId' in 'ftOperation' object class.
+     */
+    public String getInternalId()
+    {
+        return internalId;
+    }
+
+
+    /**
+     * Get the Permission operation name.  This is used to specify method name - i.e. Create, Read, Update, Delete, ...
+     *
+     * @return opName maps to 'ftOpNm' attribute in 'ftOperation' object class.
+     */
+    public String getOpName()
+    {
+        return opName;
+    }
+
+
+    /**
+     * Set the Permission operation name.  This is used to specify method name - i.e. Create, Read, Update, Delete, ...
+     *
+     * @param opName maps to 'ftOpNm' attribute in 'ftOperation' object class.
+     */
+    public void setOpName( String opName )
+    {
+        this.opName = opName;
+    }
+
+
+    /**
+     * Get the authorization target's object name.  This is typically mapped to the class name for component
+     * that is the target for Fortress authorization check. For example 'PatientRelationshipInquire'.
+     *
+     * @return the name of the object which maps to 'ftObjNm' attribute in 'ftOperation' object class.
+     */
+    public String getObjName()
+    {
+        return this.objName;
+    }
+
+
+    /**
+     * This attribute is required and sets the authorization target object name.  This name is typically derived from the class name
+     * for component that is the target for Fortress authorization check. For example 'CustomerCheckOutPage'.
+     *
+     */
+    public void setObjName( String objName )
+    {
+        this.objName = objName;
+    }
+
+
+    /**
+     * Return the Permission's abstract name which is the value of objName concatenated with OpName, i.e. 'Patient.checkin'
+     * This value is automatically generated by the Fortress DAO class.
+     *
+     * @return abstractName maps to 'ftPermName' attribute in 'ftOperation' object class.
+     */
+    public String getAbstractName()
+    {
+        return abstractName;
+    }
+
+
+    /**
+     * Set the Permission's abstract name which is the value of objName concatenated with OpName, i.e. 'Patient.checkin'
+     * This value is automatically generated by the Fortress DAO class and value will be ignored if set by external client.
+     *
+     * @param abstractName maps to 'ftPermName' attribute in 'ftOperation' object class.
+     */
+    public void setAbstractName( String abstractName )
+    {
+        this.abstractName = abstractName;
+    }
+
+
+    /**
+     * Get the optional type name which is an unconstrained attribute on Permission entity.
+     *
+     * @return type maps to 'ftType' attribute in 'ftOperation' object class.
+     */
+    public String getType()
+    {
+        return type;
+    }
+
+
+    /**
+     * Set the optional type name which is an unconstrained attribute on Permission entity.
+     *
+     * @param type maps to 'ftType' attribute in 'ftOperation' object class.
+     */
+    public void setType( String type )
+    {
+        this.type = type;
+    }
+
+
+    /**
+     * Get optional objId attribute which can be used to tag a Permission object with an identity, i.e. objName='Customer', objId='12345'.
+     * This value is not constrained by any other object.
+     *
+     * @return maps to 'ftObjectId' attribute in 'ftOperation' object class.
+     */
+    public String getObjId()
+    {
+        return objId;
+    }
+
+
+    /**
+     * Set optional objId which can be used to tag a Permission object with an identity, i.e. objName='Account', objId='09876543'.
+     * This value is not constrained by any other object.
+     *
+     * @param objId maps to 'ftObjectId' attribute in 'ftOperation' object class.
+     */
+    public void setObjId( String objId )
+    {
+        this.objId = objId;
+    }
+
+
+    /**
+     * Add a Role name to list of Roles that are valid for this Permission.  This is optional attribute.
+     *
+     * @param role maps to 'ftRoles' attribute in 'ftOperation' object class.
+     */
+    public void setRole( String role )
+    {
+        if ( roles == null )
+        {
+            roles = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+        }
+
+        this.roles.add( role );
+    }
+
+
+    /**
+     * Delete a Role name from list of Roles that are valid for this Permission.
+     *
+     * @param role maps to 'ftRoles' attribute in 'ftOperation' object class.
+     */
+    public void delRole( String role )
+    {
+        if ( this.roles != null )
+        {
+            this.roles.remove( role );
+        }
+    }
+
+
+    /**
+     * Return the collection of optional Roles that have been loaded into this entity.  This is stored as a multi-occurring
+     * attribute of Role names on the 'ftOperation' object class.
+     *
+     * @return Set containing the roles which maps to 'ftRoles' attribute in 'ftOperation' object class.
+     */
+    public Set<String> getRoles()
+    {
+        return this.roles;
+    }
+
+
+    /**
+     * Set the collection of optional Roles that have been loaded into this entity.  This is stored as a multi-occurring
+     * attribute of Role names on the 'ftOperation' object class.
+     *
+     * @param roles maps to 'ftRoles' attribute in 'ftOperation' object class.
+     */
+    public void setRoles( Set<String> roles )
+    {
+        this.roles = roles;
+    }
+
+
+    /**
+     * Add a UserId to list of Users that are valid for this Permission.  This is optional attribute.
+     *
+     * @param user maps to 'ftUsers' attribute in 'ftOperation' object class.
+     */
+    public void setUser( String user )
+    {
+        if ( users == null )
+        {
+            users = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+        }
+
+        this.users.add( user );
+    }
+
+
+    /**
+     * Return the collection of optional Users that have been loaded into this entity.  This is stored as a multi-occurring
+     * attribute of ftUsers on the 'ftOperation' object class.
+     *
+     * @return Set containing the Users which maps to 'ftUsers' attribute in 'ftOperation' object class.
+     */
+    public Set<String> getUsers()
+    {
+        return this.users;
+    }
+
+
+    /**
+     * Set the collection of optional Users that have been loaded into this entity.  This is stored as a multi-occurring
+     * attribute of userIds on the 'ftOperation' object class.
+     *
+     * @param users maps to 'ftUsers' attribute in 'ftOperation' object class.
+     */
+    public void setUsers( Set<String> users )
+    {
+        this.users = users;
+    }
+
+
+    public String getDn()
+    {
+        return dn;
+    }
+
+
+    public void setDn( String dn )
+    {
+        this.dn = dn;
+    }
+
+
+    /**
+     * Return the description field on this entity.  The description is often used as a human readable label for the permission.
+     * @return String containing the description.
+     */
+    public String getDescription()
+    {
+        return description;
+    }
+
+
+    /**
+     * Set the optional description field on this entity.  The description is used as a human readable label for the permission.
+     *
+     * @param description String contains the description.
+     */
+    public void setDescription( String description )
+    {
+        this.description = description;
+    }
+
+
+    /**
+      * Gets the value of the Props property.  This method is used by Fortress and En Masse and should not be called by external programs.
+      *
+      * @return
+      *     possible object is
+      *     {@link Props }
+      *
+      */
+    public Props getProps()
+    {
+        return props;
+    }
+
+
+    /**
+     * Sets the value of the Props property.  This method is used by Fortress and En Masse and should not be called by external programs.
+     *
+     * @param value
+     *     allowed object is
+     *     {@link Props }
+     *
+     */
+    public void setProps( Props value )
+    {
+        this.props = value;
+    }
+
+
+    /**
+     * Add name/value pair to list of properties associated with Permission.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param key   contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     * @param value
+     */
+    public void addProperty( String key, String value )
+    {
+        Props.Entry entry = new Props.Entry();
+        entry.setKey( key );
+        entry.setValue( value );
+        this.props.getEntry().add( entry );
+    }
+
+
+    /**
+     * Get a name/value pair attribute from list of properties associated with Permission.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param key contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     * @return value containing name/value pair that maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public String getProperty( String key )
+    {
+        List<Props.Entry> props = this.props.getEntry();
+        Props.Entry keyObj = new Props.Entry();
+        keyObj.setKey( key );
+
+        String value = null;
+        int indx = props.indexOf( keyObj );
+        if ( indx != -1 )
+        {
+            Props.Entry entry = props.get( props.indexOf( keyObj ) );
+            value = entry.getValue();
+        }
+
+        return value;
+    }
+
+
+    /**
+     * Add new collection of name/value pairs to attributes associated with Permission.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param props contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public void addProperties( Properties props )
+    {
+        if ( props != null )
+        {
+            for ( Enumeration<?> e = props.propertyNames(); e.hasMoreElements(); )
+            {
+                // This LDAP attr is stored as a name-value pair separated by a ':'.
+                String key = ( String ) e.nextElement();
+                String val = props.getProperty( key );
+                addProperty( key, val );
+            }
+        }
+    }
+
+
+    /**
+     * Return the collection of name/value pairs to attributes associated with Permission.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @return Properties contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public Properties getProperties()
+    {
+        Properties properties = null;
+        List<Props.Entry> props = this.props.getEntry();
+        if ( props.size() > 0 )
+        {
+            properties = new Properties();
+            //int size = props.size();
+            for ( Props.Entry entry : props )
+            {
+                String key = entry.getKey();
+                String val = entry.getValue();
+                properties.setProperty( key, val );
+            }
+        }
+        return properties;
+    }
+
+
+    /**
+     * Matches the objName and opName from two Permission entities.
+     *
+     * @param thatOp contains a Permission entity.
+     * @return boolean indicating both Permissions contain matching objName and opName attributes.
+     */
+    public boolean equals( Object thatOp )
+    {
+        if ( this == thatOp )
+        {
+            return true;
+        }
+
+        if ( this.getObjName() == null )
+        {
+            return false;
+        }
+
+        if ( !( thatOp instanceof Permission ) )
+        {
+            return false;
+        }
+
+        Permission thatPermission = ( Permission ) thatOp;
+
+        if ( thatPermission.getObjName() == null )
+        {
+            return false;
+        }
+
+        return ( ( thatPermission.getObjName().equalsIgnoreCase( this.getObjName() ) ) && ( thatPermission
+            .getOpName().equalsIgnoreCase( this.getOpName() ) ) );
+    }
+
+
+    @Override
+    public int hashCode()
+    {
+        int result = ( admin ? 1 : 0 );
+        result = 31 * result + ( internalId != null ? internalId.hashCode() : 0 );
+        result = 31 * result + ( opName != null ? opName.hashCode() : 0 );
+        result = 31 * result + ( objName != null ? objName.hashCode() : 0 );
+        result = 31 * result + ( objId != null ? objId.hashCode() : 0 );
+        result = 31 * result + ( abstractName != null ? abstractName.hashCode() : 0 );
+        result = 31 * result + ( type != null ? type.hashCode() : 0 );
+        result = 31 * result + ( dn != null ? dn.hashCode() : 0 );
+        result = 31 * result + ( description != null ? description.hashCode() : 0 );
+        result = 31 * result + ( props != null ? props.hashCode() : 0 );
+        result = 31 * result + ( roles != null ? roles.hashCode() : 0 );
+        result = 31 * result + ( users != null ? users.hashCode() : 0 );
+        return result;
+    }
+
+
+    @Override
+    public String toString()
+    {
+        return "Permission{" +
+            "objName='" + objName + '\'' +
+            ", opName='" + opName + '\'' +
+            ", objId='" + objId + '\'' +
+            '}';
+    }
+}
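Review bot: `hashCode()` at the end of the hunk disagrees with the `equals()` directly above it: `equals` compares only objName and opName, case-insensitively, while `hashCode` folds in admin, internalId, objId, abstractName, type, dn, description, props, roles and users, all case-sensitively, so a Permission read back from the directory (roles/users/internalId populated) will not hash like the bare `new Permission(objName, opName)` it equals, and any HashSet/HashMap keyed by Permission — the obvious way to cache a session's permission set — silently misses it. `equals` also calls `thatPermission.getOpName().equalsIgnoreCase(...)` with no null check even though `Permission(String objName)` intentionally leaves opName null, so comparing two objName-only (ARBAC canGrant/canRevoke) entities throws NullPointerException instead of returning a result. I would hash on the same two case-folded fields (needs `import java.util.Locale;`), null-guard opName in equals, and add the missing `@Override` to equals; treating two null opNames as equal is a policy choice worth confirming with the ARBAC callers, and `toLowerCase(Locale.ROOT)` agrees with `equalsIgnoreCase` for the ASCII identifiers these names presumably are but can differ on a handful of non-ASCII characters. Separately, the class javadoc example line `adminMgr.grantPermission(delete, new Role("Customer"));` grants delete to Customer where `checkout` was clearly meant — worth correcting since it is the copy-pasteable sample and the notes beneath it say Customer gets only create/read/checkout.
```java
@Override
public boolean equals( Object thatOp )
{
    // … unchanged: identity, null-objName and instanceof guards …
    Permission thatPermission = ( Permission ) thatOp;
    if ( thatPermission.getObjName() == null || !thatPermission.getObjName().equalsIgnoreCase( this.getObjName() ) )
    {
        return false;
    }
    // objName-only entities (opName null on both sides) compare equal; one-sided null does not
    if ( this.opName == null || thatPermission.getOpName() == null )
    {
        return this.opName == null && thatPermission.getOpName() == null;
    }
    return thatPermission.getOpName().equalsIgnoreCase( this.opName );
}


@Override
public int hashCode()
{
    // must agree with equals(): same two fields, same case folding
    int result = objName != null ? objName.toLowerCase( Locale.ROOT ).hashCode() : 0;
    result = 31 * result + ( opName != null ? opName.toLowerCase( Locale.ROOT ).hashCode() : 0 );
    return result;
}
```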

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/0c46e4de/src/main/java/org/apache/directory/fortress/core/model/Props.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/Props.java b/src/main/java/org/apache/directory/fortress/core/model/Props.java
new file mode 100755
index 0000000..bd06fe8
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/model/Props.java
@@ -0,0 +1,222 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+
+/**
+ * This class is used as a container for {@code java.util.Properties} for passing to En Masse server.
+ * </p>
+ * This class is thread safe.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ *         <p/>
+ *         <p>The following schema fragment specifies the expected content contained within this class.
+ *         <p/>
+ *         <pre>
+ *                 &lt;complexType>
+ *                   &lt;complexContent>
+ *                     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *                       &lt;sequence>
+ *                         &lt;element name="entry" maxOccurs="unbounded" minOccurs="0">
+ *                           &lt;complexType>
+ *                             &lt;complexContent>
+ *                               &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *                                 &lt;sequence>
+ *                                   &lt;element name="key" type="{http://www.w3.org/2001/XMLSchema}anyType" minOccurs="0"/>
+ *                                   &lt;element name="value" type="{http://www.w3.org/2001/XMLSchema}anyType" minOccurs="0"/>
+ *                                 &lt;/sequence>
+ *                               &lt;/restriction>
+ *                             &lt;/complexContent>
+ *                           &lt;/complexType>
+ *                         &lt;/element>
+ *                       &lt;/sequence>
+ *                     &lt;/restriction>
+ *                   &lt;/complexContent>
+ *                 &lt;/complexType>
+ *                 </pre>
+ */
+@XmlRootElement(name = "fortProps")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "props", propOrder =
+    {
+        "entry"
+})
+public class Props extends FortEntity implements Serializable
+{
+    /** Default serialVersionUID */
+    private static final long serialVersionUID = 1L;
+    private List<Props.Entry> entry;
+
+
+    /**
+     * Gets the value of the entry property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list,
+     * not a snapshot. Therefore any modification you make to the
+     * returned list will be present inside the JAXB object.
+     * This is why there is not a <CODE>set</CODE> method for the entry property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     * <pre>
+     *    getEntry().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list
+     * {@link Props.Entry }
+     *
+     *
+     */
+    public List<Props.Entry> getEntry()
+    {
+        if ( entry == null )
+        {
+            entry = new ArrayList<>();
+        }
+        return this.entry;
+    }
+
+    /**
+     * <p>Java class for anonymous complex type.
+     *
+     * <p>The following schema fragment specifies the expected content contained within this class.
+     *
+     * <pre>
+     * &lt;complexType>
+     *   &lt;complexContent>
+     *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+     *       &lt;sequence>
+     *         &lt;element name="key" type="{http://www.w3.org/2001/XMLSchema}anyType" minOccurs="0"/>
+     *         &lt;element name="value" type="{http://www.w3.org/2001/XMLSchema}anyType" minOccurs="0"/>
+     *       &lt;/sequence>
+     *     &lt;/restriction>
+     *   &lt;/complexContent>
+     * &lt;/complexType>
+     * </pre>
+     *
+     *
+     */
+    @XmlAccessorType(XmlAccessType.FIELD)
+    @XmlType(name = "", propOrder =
+        {
+            "key",
+            "value"
+    })
+    public static class Entry implements Serializable
+    {
+        /** Default serialVersionUID */
+        private static final long serialVersionUID = 1L;
+
+        protected String key;
+        protected String value;
+
+
+        /**
+         * Gets the value of the key property.
+         *
+         * @return
+         *     possible object is
+         *     {@link Object }
+         *
+         */
+        public String getKey()
+        {
+            return key;
+        }
+
+
+        /**
+         * Sets the value of the key property.
+         *
+         * @param value
+         *     allowed object is
+         *     {@link Object }
+         *
+         */
+        public void setKey( String value )
+        {
+            this.key = value;
+        }
+
+
+        /**
+         * Gets the value of the value property.
+         *
+         * @return
+         *     possible object is
+         *     {@link Object }
+         *
+         */
+        public String getValue()
+        {
+            return value;
+        }
+
+
+        /**
+         * Sets the value of the value property.
+         *
+         * @param value
+         *     allowed object is
+         *     {@link Object }
+         *
+         */
+        public void setValue( String value )
+        {
+            this.value = value;
+        }
+
+
+        /**
+         *
+         * @param obj
+         * @return boolean value
+         */
+        public boolean equals( Object obj )
+        {
+            if ( obj instanceof Props.Entry )
+            {
+                Props.Entry inObj = ( Props.Entry ) obj;
+                return key.equals( inObj.getKey() );
+            }
+            return false;
+        }
+
+        @Override
+        public int hashCode()
+        {
+            int result = key != null ? key.hashCode() : 0;
+            result = 31 * result + ( value != null ? value.hashCode() : 0 );
+            return result;
+        }
+    }
+}
\ No newline at end of file
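Review bot: `Props.Entry.equals` compares only `key` while `hashCode` folds in both `key` and `value`, so two entries that are equal can hash differently, which breaks `HashSet`/`HashMap` lookups on entries; it also dereferences `key` unguarded even though the schema declares `key` as `minOccurs="0"`, and it lacks `@Override`. If entries are meant to be identified by key, as the existing `equals` suggests, `hashCode` should derive from `key` alone and `equals` should tolerate a null key, as below; if value is meant to matter, both methods should include it instead. Separately, the class Javadoc states "This class is thread safe", but `getEntry()` lazily assigns an unsynchronized `ArrayList` and hands out the live list, so that sentence should be dropped or rewritten as "This class is not thread safe; callers must synchronize access to the entry list."
```java
        @Override
        public boolean equals( Object obj )
        {
            if ( this == obj )
            {
                return true;
            }
            if ( !( obj instanceof Props.Entry ) )
            {
                return false;
            }
            Props.Entry inObj = ( Props.Entry ) obj;
            // Identity is the key only; keep hashCode consistent with this.
            return key == null ? inObj.key == null : key.equals( inObj.key );
        }

        @Override
        public int hashCode()
        {
            return key != null ? key.hashCode() : 0;
        }
```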

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/0c46e4de/src/main/java/org/apache/directory/fortress/core/model/PwPolicy.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/PwPolicy.java b/src/main/java/org/apache/directory/fortress/core/model/PwPolicy.java
new file mode 100755
index 0000000..3421528
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/model/PwPolicy.java
@@ -0,0 +1,881 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+
+import java.io.Serializable;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * This class contains the Password Policy entity which is used to pass directives into and out of ldap.
+ * <br />The unique key to locate a Policy entity (which is subsequently assigned to Users) is {@link #name}.<br />
+ * <p/>
+ * <h4>Password Policies</h4>
+ * <a href="http://www.openldap.org/">OpenLDAP</a> supports the IETF draft <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">Password Policies for LDAP directories</a></li>.  Policies may be applied at the user, group or global level.
+ * <p/>
+ * <img src="../doc-files/PasswordPolicy.png">
+ * <p/>
+ * Password enforcement options include:
+ * <ol>
+ * <li>A configurable limit on failed authentication attempts.</li>
+ * <li>A counter to track the number of failed authentication attempts.</li>
+ * <li>A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.</li>
+ * <li>The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.</li>
+ * <li>An amount of time the account is locked (if it is to be locked) This can be indefinite.</li>
+ * <li>Password expiration.</li>
+ * <li>Expiration warning</li>
+ * <li>Grace authentications</li>
+ * <li>Password history</li>
+ * <li>Password minimum age</li>
+ * <li>Password minimum length</li>
+ * <li>Password Change after Reset</li>
+ * <li>Safe Modification of Password</li>
+ * </ol>
+ * <p/>
+ * <h4>Schema</h4>
+ * The OpenLDAP Password Policy entity is a composite of the following structural and aux object classes:
+ * <p/>
+ * 1. organizationalRole Structural Object Class is used to store basic attributes like cn and description.
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 2.5.6.14 NAME 'device'
+ *  DESC 'RFC2256: a device'
+ *  SUP top STRUCTURAL
+ *  MUST cn
+ *  MAY (
+ *      serialNumber $ seeAlso $ owner $ ou $ o $ l $ description
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies.
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1</code>
+ *  NAME 'pwdPolicy'</code>
+ *  SUP top</code>
+ *  AUXILIARY</code>
+ *  MUST (
+ *      pwdAttribute
+ *  )
+ *  MAY (
+ *      pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
+ *      pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
+ *      pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
+ *      pwdMustChange $ pwdAllowUserChange $ pwdSafeModify
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Audit Modification Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.4
+ *  NAME 'ftMods'
+ *  DESC 'Fortress Modifiers AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftModifier $
+ *      ftModCode $
+ *      ftModId
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@XmlRootElement(name = "fortPolicy")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "pswdpolicy", propOrder = {
+    "name",
+    "attribute",
+    "minAge",
+    "maxAge",
+    "inHistory",
+    "checkQuality",
+    "minLength",
+    "expireWarning",
+    "graceLoginLimit",
+    "lockout",
+    "lockoutDuration",
+    "maxFailure",
+    "failureCountInterval",
+    "mustChange",
+    "allowUserChange",
+    "safeModify"
+})
+public class PwPolicy extends FortEntity implements Serializable
+{
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Maps to name attribute of pwdPolicy object class.
+     */
+    private String name;
+
+    /**
+     * 5.2.1  pwdAttribute
+     * <p/>
+     * This holds the name of the attribute to which the password policy is
+     * applied.  For example, the password policy may be applied to the
+     * userPassword attribute.
+     */
+    private String attribute;
+
+    /**
+     * 5.2.2  pwdMinAge
+     * <p/>
+     * This attribute holds the number of seconds that must elapse between
+     * modifications to the password.  If this attribute is not present, 0
+     * seconds is assumed.
+     */
+    @XmlElement(nillable = true)
+    private Integer minAge;
+    //private String minAge;
+
+    /**
+     * 5.2.3  pwdMaxAge
+     * <p/>
+     * This attribute holds the number of seconds after which a modified
+     * password will expire.
+     * <p/>
+     * If this attribute is not present, or if the value is 0 the password
+     * does not expire.  If not 0, the value must be greater than or equal
+     * to the value of the pwdMinAge.
+     */
+    @XmlElement(nillable = true)
+    private Long maxAge;
+
+    /**
+     * 5.2.4  pwdInHistory
+     * <p/>
+     * This attribute specifies the maximum number of used passwords stored
+     * in the pwdHistory attribute.
+     * <p/>
+     * If this attribute is not present, or if the value is 0, used
+     * passwords are not stored in the pwdHistory attribute and thus may be
+     * reused.
+     */
+    @XmlElement(nillable = true)
+    private Short inHistory;
+
+    /**
+     * 5.2.5  pwdCheckQuality
+     * <p/>
+     * This attribute indicates how the password quality will be verified
+     * while being modified or added.  If this attribute is not present, or
+     * if the value is '0', quality checking will not be enforced.  A value
+     * of '1' indicates that the server will check the quality, and if the
+     * server is unable to check it (due to a hashed password or other
+     * reasons) it will be accepted.  A value of '2' indicates that the
+     * server will check the quality, and if the server is unable to verify
+     * it, it will return an error refusing the password.
+     */
+    @XmlElement(nillable = true)
+    private Short checkQuality;
+
+    /**
+     * 5.2.6  pwdMinLength
+     * <p/>
+     * When quality checking is enabled, this attribute holds the minimum
+     * number of characters that must be used in a password.  If this
+     * attribute is not present, no minimum password length will be
+     * enforced.  If the server is unable to check the length (due to a
+     * hashed password or otherwise), the server will, depending on the
+     * value of the pwdCheckQuality attribute, either accept the password
+     * without checking it ('0' or '1') or refuse it ('2').
+     */
+    @XmlElement(nillable = true)
+    private Short minLength;
+
+    /**
+     * 5.2.7  pwdExpireWarning
+     * <p/>
+     * This attribute specifies the maximum number of seconds before a
+     * password is due to expire that expiration warning messages will be
+     * returned to an authenticating user.
+     * <p/>
+     * If this attribute is not present, or if the value is 0 no warnings
+     * will be returned.  If not 0, the value must be smaller than the value
+     * of the pwdMaxAge attribute.
+     */
+    @XmlElement(nillable = true)
+    private Long expireWarning;
+
+    /**
+     * 5.2.8  pwdGraceAuthNLimit
+     * <p/>
+     * This attribute specifies the number of times an expired password can
+     * be used to authenticate.  If this attribute is not present or if the
+     * value is 0, authentication will fail.
+     */
+    @XmlElement(nillable = true)
+    private Short graceLoginLimit;
+
+    /**
+     * 5.2.9  pwdLockout
+     * <p/>
+     * This attribute indicates, when its value is "TRUE", that the password
+     * may not be used to authenticate after a specified number of
+     * consecutive failed bind attempts.  The maximum number of consecutive
+     * failed bind attempts is specified in pwdMaxFailure.
+     * <p/>
+     * If this attribute is not present, or if the value is "FALSE", the
+     * password may be used to authenticate when the number of failed bind
+     * attempts has been reached.
+     */
+    @XmlElement(nillable = true)
+    private Boolean lockout;
+
+    /**
+     * 5.2.10  pwdLockoutDuration
+     * <p/>
+     * This attribute holds the number of seconds that the password cannot
+     * be used to authenticate due to too many failed bind attempts.  If
+     * this attribute is not present, or if the value is 0 the password
+     * cannot be used to authenticate until reset by a password
+     * administrator.
+     */
+    @XmlElement(nillable = true)
+    private Integer lockoutDuration;
+
+    /**
+     * 5.2.11  pwdMaxFailure
+     * <p/>
+     * This attribute specifies the number of consecutive failed bind
+     * attempts after which the password may not be used to authenticate.
+     * If this attribute is not present, or if the value is 0, this policy
+     * is not checked, and the value of pwdLockout will be ignored.
+     */
+    @XmlElement(nillable = true)
+    private Short maxFailure;
+
+    /**
+     * 5.2.12  pwdFailureCountInterval
+     * <p/>
+     * This attribute holds the number of seconds after which the password
+     * failures are purged from the failure counter, even though no
+     * successful authentication occurred.
+     * <p/>
+     * If this attribute is not present, or if its value is 0, the failure
+     * counter is only reset by a successful authentication.
+     */
+    @XmlElement(nillable = true)
+    private Short failureCountInterval;
+
+    /**
+     * 5.2.13  pwdMustChange
+     * <p/>
+     * This attribute specifies with a value of "TRUE" that users must
+     * change their passwords when they first bind to the directory after a
+     * password is set or reset by a password administrator.  If this
+     * attribute is not present, or if the value is "FALSE", users are not
+     * required to change their password upon binding after the password
+     * administrator sets or resets the password.  This attribute is not set
+     * due to any actions specified by this document, it is typically set by
+     * a password administrator after resetting a user's password.
+     */
+    @XmlElement(nillable = true)
+    private Boolean mustChange;
+
+    /**
+     * 5.2.14  pwdAllowUserChange
+     * <p/>
+     * This attribute indicates whether users can change their own
+     * passwords, although the change operation is still subject to access
+     * control.  If this attribute is not present, a value of "TRUE" is
+     * assumed.  This attribute is intended to be used in the absence of an
+     * access control mechanism.
+     */
+    @XmlElement(nillable = true)
+    private Boolean allowUserChange;
+
+    /**
+     * 5.2.15  pwdSafeModify
+     * <p/>
+     * This attribute specifies whether or not the existing password must be
+     * sent along with the new password when being changed.  If this
+     * attribute is not present, a "FALSE" value is assumed.
+     */
+    @XmlElement(nillable = true)
+    private Boolean safeModify;
+
+    /**
+     * Default constructor is used by internal Fortress classes and not intended for external use.
+     */
+    public PwPolicy()
+    {
+    }
+    
+
+    /**
+     * Create instance given a policy name.
+     * @param name
+     */
+    public PwPolicy(String name)
+    {
+        this.name = name;
+    }
+
+
+    /**
+     * Get the policy name associated with this instance.
+     * @return attribute stored as 'cn' in 'pwdPolicy' object class.
+     */
+    public String getName()
+    {
+        return name;
+    }
+    
+
+    /**
+     * Set the required attribute policy name on this entity.
+     * @param name stored as 'cn' in 'pwdPolicy' object class.
+     */
+    public void setName(String name)
+    {
+        this.name = name;
+    }
+    
+
+    /**
+     * This optional attribute holds the number of seconds that must elapse between
+     * modifications to the password. If this attribute is not present, 0
+     * seconds is assumed.
+     *
+     * @return attribute stored as 'pwdMinAge' in 'pwdPolicy' object class.
+     */
+    public Integer getMinAge()
+    {
+        return minAge;
+    }
+    
+
+    /**
+     * This optional attribute holds the number of seconds that must elapse between
+     * modifications to the password. If this attribute is not present, 0
+     * seconds is assumed.
+     *
+     * @param minAge stored as 'pwdMinAge' in 'pwdPolicy' object class.
+     */
+    public void setMinAge(Integer minAge)
+    {
+        this.minAge = minAge;
+    }
+    
+
+    /**
+     * This optional attribute holds the number of seconds after which a modified
+     * password will expire.
+     * If this attribute is not present, or if the value is 0 the password
+     * does not expire. If not 0, the value must be greater than or equal
+     * to the value of the pwdMinAge.
+     *
+     * @return attribute stored as 'pwdMaxAge' in 'pwdPolicy' object class.
+     */
+    public Long getMaxAge()
+    {
+        return maxAge;
+    }
+    
+
+    /**
+     * This optional attribute holds the number of seconds after which a modified
+     * password will expire.
+     * If this attribute is not present, or if the value is 0 the password
+     * does not expire. If not 0, the value must be greater than or equal
+     * to the value of the pwdMinAge.
+     *
+     * @param maxAge attribute stored as 'pwdMaxAge' in 'pwdPolicy' object class.
+     */
+    public void setMaxAge(Long maxAge)
+    {
+        this.maxAge = maxAge;
+    }
+    
+
+    /**
+     * This optional attribute specifies the maximum number of used passwords stored
+     * in the pwdHistory attribute.
+     * If this attribute is not present, or if the value is 0, used
+     * passwords are not stored in the pwdInHistory attribute and thus may be
+     * reused.
+     *
+     * @return attribute stored as 'pwdInHistory' in 'pwdPolicy' object class.
+     */
+    public Short getInHistory()
+    {
+        return inHistory;
+    }
+    
+
+    /**
+     * This optional attribute specifies the maximum number of used passwords stored
+     * in the pwdHistory attribute.
+     * If this attribute is not present, or if the value is 0, used
+     * passwords are not stored in the pwdInHistory attribute and thus may be
+     * reused.
+     *
+     * @param inHistory attribute stored as 'pwdInHistory' in 'pwdPolicy' object class.
+     */
+    public void setInHistory(Short inHistory)
+    {
+        this.inHistory = inHistory;
+    }
+    
+
+    /**
+     * This optional attribute is not currently supported by Fortress.
+     * This attribute indicates how the password quality will be verified
+     * while being modified or added. If this attribute is not present, or
+     * if the value is '0', quality checking will not be enforced. A value
+     * of '1' indicates that the server will check the quality, and if the
+     * server is unable to check it (due to a hashed password or other
+     * reasons) it will be accepted. A value of '2' indicates that the
+     * server will check the quality, and if the server is unable to verify
+     * it, it will return an error refusing the password.
+     *
+     * @return attribute stored as 'pwdCheckQuality' in 'pwdPolicy' object class.
+     */
+    public Short getCheckQuality()
+    {
+        return checkQuality;
+    }
+    
+
+    /**
+     * This optional attribute is not currently supported by Fortress.
+     * This attribute indicates how the password quality will be verified
+     * while being modified or added. If this attribute is not present, or
+     * if the value is '0', quality checking will not be enforced. A value
+     * of '1' indicates that the server will check the quality, and if the
+     * server is unable to check it (due to a hashed password or other
+     * reasons) it will be accepted. A value of '2' indicates that the
+     * server will check the quality, and if the server is unable to verify
+     * it, it will return an error refusing the password.
+     *
+     * @param checkQuality attribute stored as 'pwdCheckQuality' in 'pwdPolicy' object class.
+     */
+    public void setCheckQuality(Short checkQuality)
+    {
+        this.checkQuality = checkQuality;
+    }
+    
+
+    /**
+     * When quality checking is enabled, this optional attribute holds the minimum
+     * number of characters that must be used in a password. If this
+     * attribute is not present, no minimum password length will be
+     * enforced. If the server is unable to check the length (due to a
+     * hashed password or otherwise), the server will, depending on the
+     * value of the pwdCheckQuality attribute, either accept the password
+     * without checking it ('0' or '1') or refuse it ('2').
+     *
+     * @return attribute stored as 'pwdMinLength' in 'pwdPolicy' object class.
+     */
+    public Short getMinLength()
+    {
+        return minLength;
+    }
+    
+
+    /**
+     * When quality checking is enabled, this optional attribute holds the minimum
+     * number of characters that must be used in a password. If this
+     * attribute is not present, no minimum password length will be
+     * enforced. If the server is unable to check the length (due to a
+     * hashed password or otherwise), the server will, depending on the
+     * value of the pwdCheckQuality attribute, either accept the password
+     * without checking it ('0' or '1') or refuse it ('2').
+     *
+     * @param minLength attribute stored as 'pwdMinLength' in 'pwdPolicy' object class.
+     */
+    public void setMinLength(Short minLength)
+    {
+        this.minLength = minLength;
+    }
+    
+
+    /**
+     * This optional attribute specifies the maximum number of seconds before a
+     * password is due to expire that expiration warning messages will be
+     * returned to an authenticating user.
+     * If this attribute is not present, or if the value is 0 no warnings
+     * will be returned. If not 0, the value must be smaller than the value
+     * of the pwdMaxAge attribute.
+     *
+     * @return attribute stored as 'pwdExpireWarning' in 'pwdPolicy' object class.
+     */
+    public Long getExpireWarning()
+    {
+        return expireWarning;
+    }
+    
+
+    /**
+     * This optional attribute specifies the maximum number of seconds before a
+     * password is due to expire that expiration warning messages will be
+     * returned to an authenticating user.
+     * If this attribute is not present, or if the value is 0 no warnings
+     * will be returned. If not 0, the value must be smaller than the value
+     * of the pwdMaxAge attribute.
+     *
+     * @param expireWarning attribute stored as 'pwdExpireWarning' in 'pwdPolicy' object class.
+     */
+    public void setExpireWarning(Long expireWarning)
+    {
+        this.expireWarning = expireWarning;
+    }
+    
+
+    /**
+     * This optional attribute specifies the number of times an expired password can
+     * be used to authenticate. If this attribute is not present or if the
+     * value is 0, authentication will fail.
+     *
+     * @return attribute stored as 'pwdGraceAuthNLimit' in 'pwdPolicy' object class.
+     */
+    public Short getGraceLoginLimit()
+    {
+        return graceLoginLimit;
+    }
+    
+
+    /**
+     * This optional attribute specifies the number of times an expired password can
+     * be used to authenticate. If this attribute is not present or if the
+     * value is 0, authentication will fail.
+     *
+     * @param graceLoginLimit attribute stored as 'pwdGraceAuthNLimit' in 'pwdPolicy' object class.
+     */
+    public void setGraceLoginLimit(Short graceLoginLimit)
+    {
+        this.graceLoginLimit = graceLoginLimit;
+    }
+    
+
+    /**
+     * This optional attribute indicates, when its value is "TRUE", that the password
+     * may not be used to authenticate after a specified number of
+     * consecutive failed bind attempts. The maximum number of consecutive
+     * failed bind attempts is specified in pwdMaxFailure.
+     * If this attribute is not present, or if the value is "FALSE", the
+     * password may be used to authenticate when the number of failed bind
+     * attempts has been reached.
+     *
+     * @return attribute stored as 'pwdLockout' in 'pwdPolicy' object class.
+     */
+    public Boolean getLockout()
+    {
+        return lockout;
+    }
+    
+
+    /**
+     * This optional attribute indicates, when its value is "TRUE", that the password
+     * may not be used to authenticate after a specified number of
+     * consecutive failed bind attempts. The maximum number of consecutive
+     * failed bind attempts is specified in pwdMaxFailure.
+     * If this attribute is not present, or if the value is "FALSE", the
+     * password may be used to authenticate when the number of failed bind
+     * attempts has been reached.
+     *
+     * @param lockout attribute stored as 'pwdLockout' in 'pwdPolicy' object class.
+     */
+    public void setLockout(Boolean lockout)
+    {
+        this.lockout = lockout;
+    }
+    
+
+    /**
+     * This optional attribute holds the number of seconds that the password cannot
+     * be used to authenticate due to too many failed bind attempts. If
+     * this attribute is not present, or if the value is 0 the password
+     * cannot be used to authenticate until reset by a password
+     * administrator.
+     *
+     * @return attribute stored as 'pwdLockoutDuration' in 'pwdPolicy' object class.
+     */
+    public Integer getLockoutDuration()
+    {
+        return lockoutDuration;
+    }
+    
+
+    /**
+     * This optional attribute holds the number of seconds that the password cannot
+     * be used to authenticate due to too many failed bind attempts. If
+     * this attribute is not present, or if the value is 0 the password
+     * cannot be used to authenticate until reset by a password
+     * administrator.
+     *
+     * @param lockoutDuration attribute stored as 'pwdLockoutDuration' in 'pwdPolicy' object class.
+     */
+    public void setLockoutDuration(Integer lockoutDuration)
+    {
+        this.lockoutDuration = lockoutDuration;
+    }
+    
+
+    /**
+     * This optional attribute specifies the number of consecutive failed bind
+     * attempts after which the password may not be used to authenticate.
+     * If this attribute is not present, or if the value is 0, this policy
+     * is not checked, and the value of pwdLockout will be ignored.
+     *
+     * @return attribute stored as 'pwdMaxFailure' in 'pwdPolicy' object class.
+     */
+    public Short getMaxFailure()
+    {
+        return maxFailure;
+    }
+    
+
+    /**
+     * This optional attribute specifies the number of consecutive failed bind
+     * attempts after which the password may not be used to authenticate.
+     * If this attribute is not present, or if the value is 0, this policy
+     * is not checked, and the value of pwdLockout will be ignored.
+     *
+     * @param maxFailure attribute stored as 'pwdMaxFailure' in 'pwdPolicy' object class.
+     */
+    public void setMaxFailure(Short maxFailure)
+    {
+        this.maxFailure = maxFailure;
+    }
+    
+
+    /**
+     * This optional attribute holds the number of seconds after which the password
+     * failures are purged from the failure counter, even though no
+     * successful authentication occurred.
+     * If this attribute is not present, or if its value is 0, the failure
+     * counter is only reset by a successful authentication.
+     *
+     * @return attribute stored as 'pwdFailureCountInterval' in 'pwdPolicy' object class.
+     */
+    public Short getFailureCountInterval()
+    {
+        return failureCountInterval;
+    }
+    
+
+    /**
+     * This optional attribute holds the number of seconds after which the password
+     * failures are purged from the failure counter, even though no
+     * successful authentication occurred.
+     * If this attribute is not present, or if its value is 0, the failure
+     * counter is only reset by a successful authentication.
+     *
+     * @param failureCountInterval attribute stored as 'pwdFailureCountInterval' in 'pwdPolicy' object class.
+     */
+    public void setFailureCountInterval(Short failureCountInterval)
+    {
+        this.failureCountInterval = failureCountInterval;
+    }
+    
+
+    /**
+     * This optional attribute specifies with a value of "TRUE" that users must
+     * change their passwords when they first bind to the directory after a
+     * password is set or reset by a password administrator. If this
+     * attribute is not present, or if the value is "FALSE", users are not
+     * required to change their password upon binding after the password
+     * administrator sets or resets the password. This attribute is not set
+     * due to any actions specified by this document, it is typically set by
+     * a password administrator after resetting a user's password.
+     *
+     * @return attribute stored as 'pwdMustChange' in 'pwdPolicy' object class.
+     */
+    public Boolean getMustChange()
+    {
+        return mustChange;
+    }
+    
+
+    /**
+     * This optional attribute specifies with a value of "TRUE" that users must
+     * change their passwords when they first bind to the directory after a
+     * password is set or reset by a password administrator. If this
+     * attribute is not present, or if the value is "FALSE", users are not
+     * required to change their password upon binding after the password
+     * administrator sets or resets the password. This attribute is not set
+     * due to any actions specified by this document, it is typically set by
+     * a password administrator after resetting a user's password.
+     *
+     * @param mustChange attribute stored as 'pwdMustChange' in 'pwdPolicy' object class.
+     */
+    public void setMustChange(Boolean mustChange)
+    {
+        this.mustChange = mustChange;
+    }
+    
+
+    /**
+     * This optional attribute indicates whether users can change their own
+     * passwords, although the change operation is still subject to access
+     * control. If this attribute is not present, a value of "TRUE" is
+     * assumed. This attribute is intended to be used in the absence of an
+     * access control mechanism.
+     *
+     * @return attribute stored as 'pwdAllowUserChange' in 'pwdPolicy' object class.
+     */
+    public Boolean getAllowUserChange()
+    {
+        return allowUserChange;
+    }
+    
+
+    /**
+     * This optional attribute indicates whether users can change their own
+     * passwords, although the change operation is still subject to access
+     * control. If this attribute is not present, a value of "TRUE" is
+     * assumed. This attribute is intended to be used in the absence of an
+     * access control mechanism.
+     *
+     * @param allowUserChange attribute stored as 'pwdAllowUserChange' in 'pwdPolicy' object class.
+     */
+    public void setAllowUserChange(Boolean allowUserChange)
+    {
+        this.allowUserChange = allowUserChange;
+    }
+    
+
+    /**
+     * This optional attribute specifies whether or not the existing password must be
+     * sent along with the new password when being changed. If this
+     * attribute is not present, a "FALSE" value is assumed.
+     *
+     * @return attribute stored as 'pwdSafeModify' in 'pwdPolicy' object class.
+     */
+    public Boolean getSafeModify()
+    {
+        return safeModify;
+    }
+    
+
+    /**
+     * This optional attribute specifies whether or not the existing password must be
+     * sent along with the new password when being changed. If this
+     * attribute is not present, a "FALSE" value is assumed.
+     *
+     * @param safeModify attribute stored as 'pwdSafeModify' in 'pwdPolicy' object class.
+     */
+    public void setSafeModify(Boolean safeModify)
+    {
+        this.safeModify = safeModify;
+    }
+    
+
+    /**
+     * Matches the name from two PwPolicy entities.
+     *
+     * @param thatObj contains a Role entity.
+     * @return boolean indicating both objects contain matching PwPolicy names.
+     */
+    public boolean equals(Object thatObj)
+    {
+        if ( this == thatObj )
+        {
+            return true;
+        }
+        
+        if ( this.getName() == null )
+        {
+            return false;
+        }
+        
+        if ( !( thatObj instanceof PwPolicy ) )
+        {
+            return false;
+        }
+        
+        PwPolicy thatPolicy = (PwPolicy) thatObj;
+        
+        if ( thatPolicy.getName() == null )
+        {
+            return false;
+        }
+        
+        return thatPolicy.getName().equalsIgnoreCase( this.getName() );
+    }
+
+    @Override
+    public int hashCode()
+    {
+        int result = name != null ? name.hashCode() : 0;
+        result = 31 * result + ( attribute != null ? attribute.hashCode() : 0 );
+        result = 31 * result + ( minAge != null ? minAge.hashCode() : 0 );
+        result = 31 * result + ( maxAge != null ? maxAge.hashCode() : 0 );
+        result = 31 * result + ( inHistory != null ? inHistory.hashCode() : 0 );
+        result = 31 * result + ( checkQuality != null ? checkQuality.hashCode() : 0 );
+        result = 31 * result + ( minLength != null ? minLength.hashCode() : 0 );
+        result = 31 * result + ( expireWarning != null ? expireWarning.hashCode() : 0 );
+        result = 31 * result + ( graceLoginLimit != null ? graceLoginLimit.hashCode() : 0 );
+        result = 31 * result + ( lockout != null ? lockout.hashCode() : 0 );
+        result = 31 * result + ( lockoutDuration != null ? lockoutDuration.hashCode() : 0 );
+        result = 31 * result + ( maxFailure != null ? maxFailure.hashCode() : 0 );
+        result = 31 * result + ( failureCountInterval != null ? failureCountInterval.hashCode() : 0 );
+        result = 31 * result + ( mustChange != null ? mustChange.hashCode() : 0 );
+        result = 31 * result + ( allowUserChange != null ? allowUserChange.hashCode() : 0 );
+        result = 31 * result + ( safeModify != null ? safeModify.hashCode() : 0 );
+        return result;
+    }
+
+    /**
+     * @see Object#toString()
+     */
+    public String toString()
+    {
+        StringBuilder sb = new StringBuilder();
+
+        sb.append( "PwPolicy object: \n" );
+
+        sb.append( "    attribute :" ).append( attribute ).append( '\n' );
+        sb.append( "    maxAge :" ).append( maxAge ).append( '\n' );
+        sb.append( "    minAge :" ).append( minAge ).append( '\n' );
+        sb.append( "    allowUserChange :" ).append( allowUserChange ).append( '\n' );
+        sb.append( "    checkQuality :" ).append( checkQuality ).append( '\n' );
+        sb.append( "    expireWarning :" ).append( expireWarning ).append( '\n' );
+        sb.append( "    failureCountInterval :" ).append( failureCountInterval ).append( '\n' );
+        sb.append( "    graceLoginLimit :" ).append( graceLoginLimit ).append( '\n' );
+        sb.append( "    inHistory :" ).append( inHistory ).append( '\n' );
+        sb.append( "    lockout :" ).append( lockout ).append( '\n' );
+        sb.append( "    lockoutDuration :" ).append( lockoutDuration ).append( '\n' );
+        sb.append( "    maxFailure :" ).append( maxFailure ).append( '\n' );
+        sb.append( "    minLength :" ).append( minLength ).append( '\n' );
+        sb.append( "    mustChange :" ).append( mustChange ).append( '\n' );
+        sb.append( "    name :" ).append( name ).append( '\n' );
+        sb.append( "    safeModify :" ).append( safeModify ).append( '\n' );
+
+        return sb.toString();
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/0c46e4de/src/main/java/org/apache/directory/fortress/core/model/Relationship.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/Relationship.java b/src/main/java/org/apache/directory/fortress/core/model/Relationship.java
new file mode 100755
index 0000000..8f453d9
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/model/Relationship.java
@@ -0,0 +1,167 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+import java.io.Serializable;
+
+/**
+ * Contains a parent child data entity that is used for hierarchical processing.  This entity is used to construct edges in graphs.
+ * <p/>
+
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class Relationship implements Serializable
+{
+    private static final long serialVersionUID = 1L;
+    
+    /** The child */
+    private String child;
+    
+    /** The parent */
+    private String parent;
+
+    /**
+     * No argument constructor is necessary for Ant admin utility
+     *
+     */
+    public Relationship()
+    {
+    }
+    
+    
+    /**
+     * Construct a new relationship given a child and parent name.
+     *
+     * @param child  contains the name of child.
+     * @param parent contains the name of parent.
+     */
+    public Relationship( String child, String parent )
+    {
+        this.child = child;
+        this.parent = parent;
+    }
+    
+
+    /**
+     * Return the child name.
+     *
+     * @return name of child.
+     */
+    public String getChild()
+    {
+        return child;
+    }
+    
+
+    /**
+     * Set the child name.
+     *
+     * @param child contains the name of child.
+     */
+    public void setChild( String child )
+    {
+        this.child = child;
+    }
+    
+
+    /**
+     * Return the parent name.
+     *
+     * @return name of parent.
+     */
+    public String getParent()
+    {
+        return parent;
+    }
+    
+
+    /**
+     * Set the parent name.
+     *
+     * @param parent contains the name of parent.
+     */
+    public void setParent( String parent )
+    {
+        this.parent = parent;
+    }
+    
+
+    /**
+     * Compute the hashcode on the parent and child values.  This is used for list processing.
+     *
+     * @return hashcode that includes parent concatenated with child.
+     */
+    public final int hashCode()
+    {
+        return child.hashCode() + parent.hashCode();
+    }
+    
+
+    /**
+     * Matches the parent and child values from two Relationship entities.
+     *
+     * @param thatObj contains a Relationship entity.
+     * @return boolean indicating both objects contain matching parent and child names.
+     */
+    public boolean equals (Object thatObj )
+    {
+        if ( this == thatObj )
+        {
+            return true;
+        }
+        
+        if ( ( this.getChild() == null ) || ( this.getParent() == null ) )
+        {
+            return false;
+        }
+        
+        if ( !( thatObj instanceof Relationship ) )
+        {
+            return false;
+        }
+        
+        Relationship thatKey = (Relationship) thatObj;
+        
+        if ( ( thatKey.getChild() == null ) || ( thatKey.getParent() == null ) )
+        {
+            return false;
+        }
+        
+        return ( thatKey.getChild().equalsIgnoreCase( this.getChild() ) 
+                 && thatKey.getParent().equalsIgnoreCase( this.getParent() ) );
+    }
+
+
+    /**
+     * @see Object#toString()
+     */
+    public String toString()
+    {
+        StringBuilder sb = new StringBuilder();
+
+        sb.append( "Relationship object: \n" );
+
+        sb.append( "    parent :" ).append( parent ).append( '\n' );
+        sb.append( "    child :" ).append( child ).append( '\n' );
+
+        return sb.toString();
+    }
+}
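Review bot: `hashCode()` in Relationship is inconsistent with `equals()` and can throw: it hashes `child` and `parent` case-sensitively while `equals()` compares them with `equalsIgnoreCase`, so `new Relationship("a", "b")` and `new Relationship("A", "B")` are equal yet hash differently, and it dereferences both fields although the no-arg constructor leaves them null, so a default-constructed instance breaks any `HashSet`/`HashMap` it is put in. The rewrite below folds case with `Locale.ROOT` (add `import java.util.Locale;` beside the `Serializable` import) and treats a null field as 0; for ASCII names this mirrors `equalsIgnoreCase`, though a few non-ASCII case pairs can still diverge and would need a per-character comparison if such names are possible here. `equals`, `hashCode` and `toString` should also carry `@Override`, and since `hashCode` is `final` while `equals` is not, a subclass could override one without the other — make both `final` or neither.
```java
    @Override
    public final int hashCode()
    {
        // Fold case the same way equals() does so equal objects hash alike,
        // and tolerate the nulls the no-arg constructor leaves behind.
        int childHash = ( child == null ) ? 0 : child.toLowerCase( Locale.ROOT ).hashCode();
        int parentHash = ( parent == null ) ? 0 : parent.toLowerCase( Locale.ROOT ).hashCode();
        return 31 * childHash + parentHash;
    }
```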

