cms/util/ACL.java

//---PACKAGE DECLARATION---
package uk.org.iscream.cms.server.util;

//---IMPORTS---
import java.util.ArrayList;
import java.util.StringTokenizer;
import java.net.InetAddress;
import java.io.Serializable;

/**
 * Access Control List for use primarily
 * with the ACLServerSocket. It could, however
 * have other uses as it has a fairly generic
 * behaviour. Rules are added using the add
 * method, and then checks can be made using
 * the relevant check method.
 *
 * @author  $Author: tdb $
 * @version $Id: ACL.java,v 1.3 2002/03/19 12:18:22 tdb Exp $
 */
public class ACL implements Serializable {

//---FINAL ATTRIBUTES---

    /**
     * The current CVS revision of this class
     */
    public static final String REVISION = "$Revision: 1.3 $";
    
    /**
     * static to be used when adding an ALLOW rule to the ACL.
     */
    public static final boolean ALLOW = true;
    
    /**
     * static to be used when adding a DENY rule to the ACL.
     */
    public static final boolean DENY = false;
    
    /**
     * default setting for the default mode for a new ACL.
     */
    public static final boolean DEFMODE = ACL.ALLOW;

//---STATIC METHODS---

//---CONSTRUCTORS---

    /**
     * Construct a new Access Control List. The default
     * mode is to ALLOW anything that isn't explicitly
     * blocked by a rule.
     */
    public ACL() {
        // default to DEFMODE
        this(DEFMODE);
    }
    
    /**
     * Construct a new Access Control List with a given
     * default mode. This mode specifies what should
     * happen if a check does not match any rules.
     *
     * @param defaultMode the default mode for non-matched checks
     */
    public ACL(boolean defaultMode) {
        setDefaultMode(defaultMode);
    }

    /**
     * Construct a new Access Control List with a given
     * String representation of the ACL rules. The String
     * should be of the format:
     *     expression:rule;expression:rule;expression:rule...
     * Where expression is a wildcard to match against, and
     * rule is either 'ALLOW' or 'DENY'. There is a special
     * expression of 'DEFAULT' which represents the default
     * rule (what should happen if no expression is matched
     * when performing a check).
     * The default mode is set to ALLOW if one is not
     * specified in the String.
     *
     * @param acl a String representation of the ACL.
     */
    public ACL(String acl) {
        setDefaultMode(DEFMODE);
        add(acl);
    }

//---PUBLIC METHODS---

    /**
     * Add a new rule to the ACL immediately after the
     * previous rule. The rule can either be an ACL.ALLOW
     * rule, or an ACL.DENY rule. The expression can
     * contain a wildcard (a * only). Rules can only be
     * added to the end of the list.
     *
     * param allow whether this is an ALLOW or DENY rule
     * param expression what this rule matches using wildcards
     */
    public void add(boolean allow, String expression) {
        // try and convert the expression into an IP address
        short[] ipaddr = ipStringToShort(expression);
        // a result of null means it's not an IP address
        // add either a name rule or an IP rule
        if(ipaddr != null) {
            _acl.add(new ACLRule(allow, expression, ipaddr, true));
        }
        else {
            _acl.add(new ACLRule(allow, expression, ipaddr, false));
        }
    }
    
    /**
     * Add some new rules to the Access Control List in
     * the form of a String. The String should be of the
     * following format:
     *     expression:rule;expression:rule;expression:rule...
     * Where expression is a wildcard to match against, and
     * rule is either 'ALLOW' or 'DENY'. There is a special
     * expression of 'DEFAULT' which represents the default
     * rule (what should happen if no expression is matched
     * when performing a check).
     *
     * @param acl a String representation of the ACL.
     */
    public void add(String acl) {
        if(acl != null) {
            // split the String into expression:rule parts
            StringTokenizer st1 = new StringTokenizer(acl, ";");
            while(st1.hasMoreTokens()) {
                String token1 = st1.nextToken();
                // if it doesn't have a :, it's not the correct format
                if(token1.indexOf(":") != -1) {
                    // split into expression and rule part
                    StringTokenizer st2 = new StringTokenizer(token1, ":");
                    String expression = "";
                    String rule = "";
                    if(st2.hasMoreTokens()) {
                        expression = st2.nextToken();
                    }
                    else {
                        // mall-formed?
                        continue;
                    }
                    if(st2.hasMoreTokens()) {
                        rule = st2.nextToken();
                    }
                    else {
                        // mall-formed?
                        continue;
                    }
                    // check to see what sort of rule
                    if(rule.equals("ALLOW")) {
                        // case for special 'DEFAULT' expression
                        if(expression.equals("DEFAULT")) {
                            setDefaultMode(ACL.ALLOW);
                        }
                        else {
                            add(ACL.ALLOW, expression);
                        }
                    }
                    else if(rule.equals("DENY")) {
                        // case for special 'DEFAULT' expression
                        if(expression.equals("DEFAULT")) {
                            setDefaultMode(ACL.DENY);
                        }
                        else {
                            add(ACL.DENY, expression);
                        }
                    }
                    // if it's not ALLOW or DENY, it's not a
                    // proper rule, so we'll ignore it
                }
            }
        }
    }
    
    /**
     * Check to see if a string is permitted by the
     * ACL. Useful for testing, and non-Socket uses
     * of this class.
     *
     * @param address the string to check
     * @return whether the address was permitted by the ACL
     */
    public boolean check(String address) {
        for(int i=0; i < _acl.size(); i++) {
            ACLRule rule = (ACLRule) _acl.get(i);
            if(StringUtils.wildcardMatch(address, rule._expression)) {
                return rule._allow;
            }
        }
        return _defaultMode;
    }
    
    /**
     * Check to see if an InetAddress is permitted
     * by the ACL. Perfect for Socket uses of this
     * class. A rule will either be for a name, or
     * an IP address (this is determined in the add
     * method), and the appropriate comparison will
     * be performed.
     *
     * @param address the InetAddress to check
     * @return whether the InetAddress was permitted by the ACL
     */
    public boolean check(InetAddress address) {
        // gather the details first
        String hostname = address.getHostName();
        String ip = address.getHostAddress();
        short[] ipaddr = ipStringToShort(ip);
        // check each rule against this InetAddress
        for(int i=0; i < _acl.size(); i++) {
            ACLRule rule = (ACLRule) _acl.get(i);
            if(rule._iprule) {
                // if this is an IP rule do a short comparison
                // must specify the wildcarded rule first
                if(compareShorts(rule._ipaddr, ipaddr)) {
                    return rule._allow;
                }
            }
            else {
                // if not do a full blown String comparsion
                if(StringUtils.wildcardMatch(hostname, rule._expression)) {
                    return rule._allow;
                }
            }
            
        }
        // if we haven't matched a rule, return the default
        return _defaultMode;
    }
    
    /**
     * Clears the ACL and resets the default mode.
     */
    public void clear() {
        // just clear out our underlying ArrayList
        // containing our ACL objects
        _acl.clear();
        // and reset the default mode to the default
        setDefaultMode(DEFMODE);
    }
    
    /**
     * Changes the default mode of the ACL. This is what
     * the check will return if it does not find an explict
     * rule to match against.
     *
     * @param defaultMode the new default mode
     */
    public void setDefaultMode(boolean defaultMode) {
        _defaultMode = defaultMode;
    }
    
    /**
     * Gives a String representation of this ACL.
     *
     * @return A String representation of this ACL.
     */
    public String toString() {
        StringBuffer acl = new StringBuffer();
        // put in the i-scream toString code
        acl.append(FormatName.getName(_name, getClass().getName(), REVISION));
        acl.append("{");
        // put the value of each Rule in the result
        for(int i=0; i < _acl.size(); i++) {
            acl.append((ACLRule) _acl.get(i));
            acl.append(",");
        }
        // put the default mode in the result
        if(_defaultMode) {
            acl.append("DEFAULT=ALLOW");
        }
        else {
            acl.append("DEFAULT=DENY");
        }
        acl.append("}");
        return acl.toString();
    }

//---PRIVATE METHODS---

    /**
     * Converts an IP address in String format into
     * a short array of length 4. Any wildcards, *,
     * found in the IP address are represented by
     * a -1. If the given String is not an IP address
     * null is returned instead.
     * 
     * @param ip The IP address in String format
     * @return The IP address in a short[]
     */
    private short[] ipStringToShort(String ip) {
        // default to expecting it to be an IP
        // we will try to disprove this :)
        short[] ipaddr = {-1, -1, -1, -1};
        int i = 0;
        String s = "";
        // tokenize the String on fullstops, so we can break
        // up the quads of an IP (if it's an IP!)
        StringTokenizer st = new StringTokenizer(ip, ".");
        while(st.hasMoreTokens() && i++ < 4) {
            s = st.nextToken();
            // if it's a wildcard, we'll skip to the next one
            // as no more checks are required
            if(s.equals("*")) {
                continue;
            }
            // attempt to parse it into a short
            try {
                short n = Short.parseShort(s);
                // if it's an int but outside of the
                // valid range, it can't be an IP
                if(n < 0 || n > 255) {
                    // give up checking further
                    return null;
                }
                ipaddr[i-1] = n;
            }
            // if it didn't parse as a short it can't be an IP
            catch (NumberFormatException e) {
                // give up checking further
                return null;
            }
        }
        // we've done 4 parts, so if there's any
        // more this can't be an IP
        if(st.hasMoreTokens()) {
            return null;
        }
        // if we've done less than 4, see if the last one
        // was a wildcard - if it isn't then it's not an IP
        //   -- this allows 129.12.*
        if(i < 4 && !s.equals("*")) {
            return null;
        }
        // if we had one or less entries it can't be an IP
        //   -- this disallows * matching as an IP due
        //      to the rule above
        if(i <= 1) {
            return null;
        }
        return ipaddr;
    }
    
    /**
     * Compares two short arrays. The first array can contain a -1,
     * which will always match any value -- it's a wildcard.
     * They must be the same length to match.
     *
     * @param first The first array to compare (with -1 wildcard if required)
     * @param second The second array to compare
     * @return the result of the comparison
     */
    private boolean compareShorts(short[] first, short[] second) {
        if(first.length != second.length) {
            return false;
        }
        for(int i=0; i < first.length; i++) {
            if(first[i] == -1) {
                continue;
            }
            if(first[i] != second[i]) {
                return false;
            }
        }
        return true;
    }

//---ACCESSOR/MUTATOR METHODS---

//---ATTRIBUTES---

    /**
     * This is the friendly identifier of the
     * component this class is running in.
     * eg, a Filter may be called "filter1",
     * If this class does not have an owning
     * component,  a name from the configuration
     * can be placed here.  This name could also
     * be changed to null for utility classes.
     */
    private String _name = null;
    
    /**
     * The ACL is stored in this ArrayList.
     */
    private ArrayList _acl = new ArrayList();
    
    /**
     * The default mode of this ACL.
     */
    private boolean _defaultMode = DEFMODE;

//---STATIC ATTRIBUTES---

//---INNER CLASSES---

    /**
     * Wrapper class for an ACL rule.
     */
    private class ACLRule implements Serializable {
        
        /**
         * Construct an ACL rule.
         *
         * @param allow whether this is an ALLOW or DENY rule
         * @param expression what this rule matches
         * @param ipaddr the IP address wildcard this rule matches if it's an IP rule
         * @param iprule whether this is an IP rule
         */
        private ACLRule(boolean allow, String expression, short[] ipaddr, boolean iprule) {
            _allow = allow;
            _expression = expression;
            _ipaddr = ipaddr;
            _iprule = iprule;
        }
        
        /**
         * Returns a String representation of this rule.
         *
         * @return A String representation of this rule.
         */
        public String toString() {
            if(_allow) {
                return _expression + "=ALLOW";
            }
            else {
                return _expression + "=DENY";
            }
        }
        
        /**
         * Whether this is an ALLOW or DENY rule.
         */
        private boolean _allow;
        
        /**
         * What this rule matches.
         */
        private String _expression;
        
        /**
         * The IP wildcard, only valid if this
         * is an IP rule.
         */
        private short[] _ipaddr;
        
        /**
         * Whether this is an IP rule.
         */
        private boolean _iprule;
        
    }

}
Revision:	1.4
Committed:	Wed Mar 20 17:03:35 2002 UTC (22 years, 1 month ago) by tdb
Branch:	MAIN
Changes since 1.3:	+79 -36 lines
Log Message:	Added three new methods; clear() allows one to completely reset the ACL add(String acl) allows one to add rules in a String format setDefaultMode(boolean defaultMode) allows one to change the default mode Also made it clearer what the default "default mode" is, and what it will get set to upon construction. The thinking behind some of this is that you can "on the fly" change the setup of the ACL should it take your fancy. In terms of i-scream, you'd simply call clear() and the add(String acl) with the new String. You could do this by just creating a new ACL, and replacing the ACLServerSocket with a new one, but this seems neater. A downside is that there will be a point in time when the ACL will allow stuff that maybe it shouldn't. Maybe some synchronization is needed?
#	User	Rev	Content
1	tdb	1.1	//---PACKAGE DECLARATION---
2			package uk.org.iscream.cms.server.util;
3
4			//---IMPORTS---
5			import java.util.ArrayList;
6			import java.util.StringTokenizer;
7			import java.net.InetAddress;
8			import java.io.Serializable;
9
10			/**
11			* Access Control List for use primarily
12			* with the ACLServerSocket. It could, however
13			* have other uses as it has a fairly generic
14			* behaviour. Rules are added using the add
15			* method, and then checks can be made using
16			* the relevant check method.
17			*
18			* @author $Author: tdb $
19	tdb	1.4	* @version $Id: ACL.java,v 1.3 2002/03/19 12:18:22 tdb Exp $
20	tdb	1.1	*/
21			public class ACL implements Serializable {
22
23			//---FINAL ATTRIBUTES---
24
25			/**
26			* The current CVS revision of this class
27			*/
28	tdb	1.4	public static final String REVISION = "$Revision: 1.3 $";
29	tdb	1.1
30			/**
31			* static to be used when adding an ALLOW rule to the ACL.
32			*/
33			public static final boolean ALLOW = true;
34
35			/**
36			* static to be used when adding a DENY rule to the ACL.
37			*/
38			public static final boolean DENY = false;
39	tdb	1.4
40			/**
41			* default setting for the default mode for a new ACL.
42			*/
43			public static final boolean DEFMODE = ACL.ALLOW;
44	tdb	1.1
45			//---STATIC METHODS---
46
47			//---CONSTRUCTORS---
48
49			/**
50			* Construct a new Access Control List. The default
51			* mode is to ALLOW anything that isn't explicitly
52			* blocked by a rule.
53			*/
54			public ACL() {
55	tdb	1.4	// default to DEFMODE
56			this(DEFMODE);
57	tdb	1.1	}
58
59			/**
60			* Construct a new Access Control List with a given
61			* default mode. This mode specifies what should
62			* happen if a check does not match any rules.
63			*
64			* @param defaultMode the default mode for non-matched checks
65			*/
66			public ACL(boolean defaultMode) {
67	tdb	1.4	setDefaultMode(defaultMode);
68	tdb	1.3	}
69
70			/**
71			* Construct a new Access Control List with a given
72			* String representation of the ACL rules. The String
73			* should be of the format:
74			* expression:rule;expression:rule;expression:rule...
75			* Where expression is a wildcard to match against, and
76			* rule is either 'ALLOW' or 'DENY'. There is a special
77			* expression of 'DEFAULT' which represents the default
78			* rule (what should happen if no expression is matched
79			* when performing a check).
80			* The default mode is set to ALLOW if one is not
81	tdb	1.4	* specified in the String.
82	tdb	1.3	*
83			* @param acl a String representation of the ACL.
84			*/
85			public ACL(String acl) {
86	tdb	1.4	setDefaultMode(DEFMODE);
87			add(acl);
88			}
89
90			//---PUBLIC METHODS---
91
92			/**
93			* Add a new rule to the ACL immediately after the
94			* previous rule. The rule can either be an ACL.ALLOW
95			* rule, or an ACL.DENY rule. The expression can
96			* contain a wildcard (a * only). Rules can only be
97			* added to the end of the list.
98			*
99			* param allow whether this is an ALLOW or DENY rule
100			* param expression what this rule matches using wildcards
101			*/
102			public void add(boolean allow, String expression) {
103			// try and convert the expression into an IP address
104			short[] ipaddr = ipStringToShort(expression);
105			// a result of null means it's not an IP address
106			// add either a name rule or an IP rule
107			if(ipaddr != null) {
108			_acl.add(new ACLRule(allow, expression, ipaddr, true));
109			}
110			else {
111			_acl.add(new ACLRule(allow, expression, ipaddr, false));
112			}
113			}
114
115			/**
116			* Add some new rules to the Access Control List in
117			* the form of a String. The String should be of the
118			* following format:
119			* expression:rule;expression:rule;expression:rule...
120			* Where expression is a wildcard to match against, and
121			* rule is either 'ALLOW' or 'DENY'. There is a special
122			* expression of 'DEFAULT' which represents the default
123			* rule (what should happen if no expression is matched
124			* when performing a check).
125			*
126			* @param acl a String representation of the ACL.
127			*/
128			public void add(String acl) {
129	tdb	1.3	if(acl != null) {
130			// split the String into expression:rule parts
131			StringTokenizer st1 = new StringTokenizer(acl, ";");
132			while(st1.hasMoreTokens()) {
133			String token1 = st1.nextToken();
134			// if it doesn't have a :, it's not the correct format
135			if(token1.indexOf(":") != -1) {
136			// split into expression and rule part
137			StringTokenizer st2 = new StringTokenizer(token1, ":");
138			String expression = "";
139			String rule = "";
140			if(st2.hasMoreTokens()) {
141			expression = st2.nextToken();
142			}
143			else {
144			// mall-formed?
145			continue;
146			}
147			if(st2.hasMoreTokens()) {
148			rule = st2.nextToken();
149			}
150			else {
151			// mall-formed?
152			continue;
153			}
154			// check to see what sort of rule
155			if(rule.equals("ALLOW")) {
156			// case for special 'DEFAULT' expression
157			if(expression.equals("DEFAULT")) {
158	tdb	1.4	setDefaultMode(ACL.ALLOW);
159	tdb	1.3	}
160			else {
161			add(ACL.ALLOW, expression);
162			}
163			}
164			else if(rule.equals("DENY")) {
165			// case for special 'DEFAULT' expression
166			if(expression.equals("DEFAULT")) {
167	tdb	1.4	setDefaultMode(ACL.DENY);
168	tdb	1.3	}
169			else {
170			add(ACL.DENY, expression);
171			}
172			}
173			// if it's not ALLOW or DENY, it's not a
174			// proper rule, so we'll ignore it
175			}
176			}
177			}
178	tdb	1.1	}
179
180			/**
181			* Check to see if a string is permitted by the
182			* ACL. Useful for testing, and non-Socket uses
183			* of this class.
184			*
185			* @param address the string to check
186			* @return whether the address was permitted by the ACL
187			*/
188			public boolean check(String address) {
189			for(int i=0; i < _acl.size(); i++) {
190			ACLRule rule = (ACLRule) _acl.get(i);
191			if(StringUtils.wildcardMatch(address, rule._expression)) {
192			return rule._allow;
193			}
194			}
195			return _defaultMode;
196			}
197
198			/**
199			* Check to see if an InetAddress is permitted
200			* by the ACL. Perfect for Socket uses of this
201			* class. A rule will either be for a name, or
202			* an IP address (this is determined in the add
203			* method), and the appropriate comparison will
204			* be performed.
205			*
206			* @param address the InetAddress to check
207			* @return whether the InetAddress was permitted by the ACL
208			*/
209			public boolean check(InetAddress address) {
210			// gather the details first
211			String hostname = address.getHostName();
212			String ip = address.getHostAddress();
213			short[] ipaddr = ipStringToShort(ip);
214			// check each rule against this InetAddress
215			for(int i=0; i < _acl.size(); i++) {
216			ACLRule rule = (ACLRule) _acl.get(i);
217			if(rule._iprule) {
218			// if this is an IP rule do a short comparison
219			// must specify the wildcarded rule first
220			if(compareShorts(rule._ipaddr, ipaddr)) {
221			return rule._allow;
222			}
223			}
224			else {
225			// if not do a full blown String comparsion
226			if(StringUtils.wildcardMatch(hostname, rule._expression)) {
227			return rule._allow;
228			}
229			}
230
231			}
232			// if we haven't matched a rule, return the default
233			return _defaultMode;
234			}
235
236			/**
237	tdb	1.4	* Clears the ACL and resets the default mode.
238			*/
239			public void clear() {
240			// just clear out our underlying ArrayList
241			// containing our ACL objects
242			_acl.clear();
243			// and reset the default mode to the default
244			setDefaultMode(DEFMODE);
245			}
246
247			/**
248			* Changes the default mode of the ACL. This is what
249			* the check will return if it does not find an explict
250			* rule to match against.
251			*
252			* @param defaultMode the new default mode
253			*/
254			public void setDefaultMode(boolean defaultMode) {
255			_defaultMode = defaultMode;
256			}
257
258			/**
259	tdb	1.1	* Gives a String representation of this ACL.
260			*
261			* @return A String representation of this ACL.
262			*/
263			public String toString() {
264			StringBuffer acl = new StringBuffer();
265			// put in the i-scream toString code
266			acl.append(FormatName.getName(_name, getClass().getName(), REVISION));
267			acl.append("{");
268			// put the value of each Rule in the result
269			for(int i=0; i < _acl.size(); i++) {
270			acl.append((ACLRule) _acl.get(i));
271			acl.append(",");
272			}
273			// put the default mode in the result
274			if(_defaultMode) {
275			acl.append("DEFAULT=ALLOW");
276			}
277			else {
278			acl.append("DEFAULT=DENY");
279			}
280			acl.append("}");
281			return acl.toString();
282			}
283
284			//---PRIVATE METHODS---
285
286			/**
287			* Converts an IP address in String format into
288			* a short array of length 4. Any wildcards, *,
289			* found in the IP address are represented by
290			* a -1. If the given String is not an IP address
291			* null is returned instead.
292			*
293			* @param ip The IP address in String format
294			* @return The IP address in a short[]
295			*/
296			private short[] ipStringToShort(String ip) {
297			// default to expecting it to be an IP
298			// we will try to disprove this :)
299			short[] ipaddr = {-1, -1, -1, -1};
300			int i = 0;
301			String s = "";
302			// tokenize the String on fullstops, so we can break
303			// up the quads of an IP (if it's an IP!)
304			StringTokenizer st = new StringTokenizer(ip, ".");
305			while(st.hasMoreTokens() && i++ < 4) {
306			s = st.nextToken();
307			// if it's a wildcard, we'll skip to the next one
308			// as no more checks are required
309			if(s.equals("*")) {
310			continue;
311			}
312			// attempt to parse it into a short
313			try {
314			short n = Short.parseShort(s);
315			// if it's an int but outside of the
316			// valid range, it can't be an IP
317			if(n < 0 \|\| n > 255) {
318			// give up checking further
319			return null;
320			}
321			ipaddr[i-1] = n;
322			}
323			// if it didn't parse as a short it can't be an IP
324			catch (NumberFormatException e) {
325			// give up checking further
326			return null;
327			}
328			}
329			// we've done 4 parts, so if there's any
330			// more this can't be an IP
331			if(st.hasMoreTokens()) {
332			return null;
333			}
334			// if we've done less than 4, see if the last one
335			// was a wildcard - if it isn't then it's not an IP
336			// -- this allows 129.12.*
337			if(i < 4 && !s.equals("*")) {
338			return null;
339			}
340			// if we had one or less entries it can't be an IP
341			// -- this disallows * matching as an IP due
342			// to the rule above
343			if(i <= 1) {
344			return null;
345			}
346			return ipaddr;
347			}
348
349			/**
350			* Compares two short arrays. The first array can contain a -1,
351			* which will always match any value -- it's a wildcard.
352			* They must be the same length to match.
353			*
354			* @param first The first array to compare (with -1 wildcard if required)
355			* @param second The second array to compare
356	tdb	1.2	* @return the result of the comparison
357	tdb	1.1	*/
358			private boolean compareShorts(short[] first, short[] second) {
359			if(first.length != second.length) {
360			return false;
361			}
362			for(int i=0; i < first.length; i++) {
363			if(first[i] == -1) {
364			continue;
365			}
366			if(first[i] != second[i]) {
367			return false;
368			}
369			}
370			return true;
371			}
372
373			//---ACCESSOR/MUTATOR METHODS---
374
375			//---ATTRIBUTES---
376
377			/**
378			* This is the friendly identifier of the
379			* component this class is running in.
380			* eg, a Filter may be called "filter1",
381			* If this class does not have an owning
382			* component, a name from the configuration
383			* can be placed here. This name could also
384			* be changed to null for utility classes.
385			*/
386			private String _name = null;
387
388			/**
389			* The ACL is stored in this ArrayList.
390			*/
391			private ArrayList _acl = new ArrayList();
392
393			/**
394			* The default mode of this ACL.
395			*/
396	tdb	1.4	private boolean _defaultMode = DEFMODE;
397	tdb	1.1
398			//---STATIC ATTRIBUTES---
399
400			//---INNER CLASSES---
401
402			/**
403			* Wrapper class for an ACL rule.
404			*/
405			private class ACLRule implements Serializable {
406
407			/**
408			* Construct an ACL rule.
409			*
410			* @param allow whether this is an ALLOW or DENY rule
411			* @param expression what this rule matches
412			* @param ipaddr the IP address wildcard this rule matches if it's an IP rule
413			* @param iprule whether this is an IP rule
414			*/
415			private ACLRule(boolean allow, String expression, short[] ipaddr, boolean iprule) {
416			_allow = allow;
417			_expression = expression;
418			_ipaddr = ipaddr;
419			_iprule = iprule;
420			}
421
422			/**
423			* Returns a String representation of this rule.
424			*
425			* @return A String representation of this rule.
426			*/
427			public String toString() {
428			if(_allow) {
429			return _expression + "=ALLOW";
430			}
431			else {
432			return _expression + "=DENY";
433			}
434			}
435
436			/**
437			* Whether this is an ALLOW or DENY rule.
438			*/
439			private boolean _allow;
440
441			/**
442			* What this rule matches.
443			*/
444			private String _expression;
445
446			/**
447			* The IP wildcard, only valid if this
448			* is an IP rule.
449			*/
450			private short[] _ipaddr;
451
452			/**
453			* Whether this is an IP rule.
454			*/
455			private boolean _iprule;
456
457			}
458
459			}