cms/util/ACL.java

/* 
 * i-scream central monitoring system
 * http://www.i-scream.org
 * Copyright (C) 2000-2002 i-scream
 * 
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

//---PACKAGE DECLARATION---
package uk.org.iscream.cms.util;

//---IMPORTS---
import java.util.ArrayList;
import java.util.StringTokenizer;
import java.net.InetAddress;
import java.io.Serializable;

/**
 * Access Control List for use primarily
 * with the ACLServerSocket. It could, however
 * have other uses as it has a fairly generic
 * behaviour. Rules are added using the add
 * method, and then checks can be made using
 * the relevant check method.
 *
 * @author  $Author: tdb $
 * @version $Id: ACL.java,v 1.7 2003/02/05 14:27:58 tdb Exp $
 */
public class ACL implements Serializable {

//---FINAL ATTRIBUTES---

    /**
     * The current CVS revision of this class
     */
    public static final String REVISION = "$Revision: 1.7 $";
    
    /**
     * static to be used when adding an ALLOW rule to the ACL.
     */
    public static final boolean ALLOW = true;
    
    /**
     * static to be used when adding a DENY rule to the ACL.
     */
    public static final boolean DENY = false;
    
    /**
     * default setting for the default mode for a new ACL.
     */
    public static final boolean DEFMODE = ACL.ALLOW;

//---STATIC METHODS---

//---CONSTRUCTORS---

    /**
     * Construct a new Access Control List. The default
     * mode is to ALLOW anything that isn't explicitly
     * blocked by a rule.
     */
    public ACL() {
        // default to DEFMODE
        this(DEFMODE);
    }
    
    /**
     * Construct a new Access Control List with a given
     * default mode. This mode specifies what should
     * happen if a check does not match any rules.
     *
     * @param defaultMode the default mode for non-matched checks
     */
    public ACL(boolean defaultMode) {
        setDefaultMode(defaultMode);
    }

    /**
     * Construct a new Access Control List with a given
     * String representation of the ACL rules. The String
     * should be of the format:
     *     expression:rule;expression:rule;expression:rule...
     * Where expression is a wildcard to match against, and
     * rule is either 'ALLOW' or 'DENY'. There is a special
     * expression of 'DEFAULT' which represents the default
     * rule (what should happen if no expression is matched
     * when performing a check).
     * The default mode is set to ALLOW if one is not
     * specified in the String.
     *
     * @param acl a String representation of the ACL.
     */
    public ACL(String acl) {
        setDefaultMode(DEFMODE);
        add(acl);
    }

//---PUBLIC METHODS---

    /**
     * Add a new rule to the ACL immediately after the
     * previous rule. The rule can either be an ACL.ALLOW
     * rule, or an ACL.DENY rule. The expression can
     * contain a wildcard (a * only). Rules can only be
     * added to the end of the list.
     *
     * param allow whether this is an ALLOW or DENY rule
     * param expression what this rule matches using wildcards
     */
    public void add(boolean allow, String expression) {
        // try and convert the expression into an IP address
        short[] ipaddr = ipStringToShort(expression);
        // a result of null means it's not an IP address
        // add either a name rule or an IP rule
        if(ipaddr != null) {
            _acl.add(new ACLRule(allow, expression, ipaddr, true));
        }
        else {
            _acl.add(new ACLRule(allow, expression, ipaddr, false));
        }
    }
    
    /**
     * Add some new rules to the Access Control List in
     * the form of a String. The String should be of the
     * following format:
     *     expression:rule;expression:rule;expression:rule...
     * Where expression is a wildcard to match against, and
     * rule is either 'ALLOW' or 'DENY'. There is a special
     * expression of 'DEFAULT' which represents the default
     * rule (what should happen if no expression is matched
     * when performing a check).
     *
     * @param acl a String representation of the ACL.
     */
    public void add(String acl) {
        if(acl != null) {
            // split the String into expression:rule parts
            StringTokenizer st1 = new StringTokenizer(acl, ";");
            while(st1.hasMoreTokens()) {
                String token1 = st1.nextToken();
                // if it doesn't have a :, it's not the correct format
                if(token1.indexOf(":") != -1) {
                    // split into expression and rule part
                    StringTokenizer st2 = new StringTokenizer(token1, ":");
                    String expression = "";
                    String rule = "";
                    if(st2.hasMoreTokens()) {
                        expression = st2.nextToken();
                    }
                    else {
                        // mall-formed?
                        continue;
                    }
                    if(st2.hasMoreTokens()) {
                        rule = st2.nextToken();
                    }
                    else {
                        // mall-formed?
                        continue;
                    }
                    // check to see what sort of rule
                    if(rule.equals("ALLOW")) {
                        // case for special 'DEFAULT' expression
                        if(expression.equals("DEFAULT")) {
                            setDefaultMode(ACL.ALLOW);
                        }
                        else {
                            add(ACL.ALLOW, expression);
                        }
                    }
                    else if(rule.equals("DENY")) {
                        // case for special 'DEFAULT' expression
                        if(expression.equals("DEFAULT")) {
                            setDefaultMode(ACL.DENY);
                        }
                        else {
                            add(ACL.DENY, expression);
                        }
                    }
                    // if it's not ALLOW or DENY, it's not a
                    // proper rule, so we'll ignore it
                }
            }
        }
    }
    
    /**
     * Check to see if a string is permitted by the
     * ACL. Useful for testing, and non-Socket uses
     * of this class.
     *
     * @param address the string to check
     * @return whether the address was permitted by the ACL
     */
    public boolean check(String address) {
        for(int i=0; i < _acl.size(); i++) {
            ACLRule rule = (ACLRule) _acl.get(i);
            if(StringUtils.wildcardMatch(address, rule._expression)) {
                return rule._allow;
            }
        }
        return _defaultMode;
    }
    
    /**
     * Check to see if an InetAddress is permitted
     * by the ACL. Perfect for Socket uses of this
     * class. A rule will either be for a name, or
     * an IP address (this is determined in the add
     * method), and the appropriate comparison will
     * be performed.
     *
     * @param address the InetAddress to check
     * @return whether the InetAddress was permitted by the ACL
     */
    public boolean check(InetAddress address) {
        // gather the details first
        String hostname = address.getHostName();
        String ip = address.getHostAddress();
        short[] ipaddr = ipStringToShort(ip);
        // check each rule against this InetAddress
        for(int i=0; i < _acl.size(); i++) {
            ACLRule rule = (ACLRule) _acl.get(i);
            if(rule._iprule) {
                // if this is an IP rule do a short comparison
                // must specify the wildcarded rule first
                if(compareShorts(rule._ipaddr, ipaddr)) {
                    return rule._allow;
                }
            }
            else {
                // if not do a full blown String comparsion
                if(StringUtils.wildcardMatch(hostname, rule._expression)) {
                    return rule._allow;
                }
            }
            
        }
        // if we haven't matched a rule, return the default
        return _defaultMode;
    }
    
    /**
     * Clears the ACL and resets the default mode.
     */
    public void clear() {
        // just clear out our underlying ArrayList
        // containing our ACL objects
        _acl.clear();
        // and reset the default mode to the default
        setDefaultMode(DEFMODE);
    }
    
    /**
     * Changes the default mode of the ACL. This is what
     * the check will return if it does not find an explict
     * rule to match against.
     *
     * @param defaultMode the new default mode
     */
    public void setDefaultMode(boolean defaultMode) {
        _defaultMode = defaultMode;
    }
    
    /**
     * Gives a String representation of this ACL.
     *
     * @return A String representation of this ACL.
     */
    public String toString() {
        StringBuffer acl = new StringBuffer();
        // put in the i-scream toString code
        acl.append(FormatName.getName(_name, getClass().getName(), REVISION));
        acl.append("{");
        // put the value of each Rule in the result
        for(int i=0; i < _acl.size(); i++) {
            acl.append((ACLRule) _acl.get(i));
            acl.append(",");
        }
        // put the default mode in the result
        if(_defaultMode) {
            acl.append("DEFAULT=ALLOW");
        }
        else {
            acl.append("DEFAULT=DENY");
        }
        acl.append("}");
        return acl.toString();
    }

//---PRIVATE METHODS---

    /**
     * Converts an IP address in String format into
     * a short array of length 4. Any wildcards, *,
     * found in the IP address are represented by
     * a -1. If the given String is not an IP address
     * null is returned instead.
     * 
     * @param ip The IP address in String format
     * @return The IP address in a short[]
     */
    private short[] ipStringToShort(String ip) {
        // default to expecting it to be an IP
        // we will try to disprove this :)
        short[] ipaddr = {-1, -1, -1, -1};
        int i = 0;
        String s = "";
        // tokenize the String on fullstops, so we can break
        // up the quads of an IP (if it's an IP!)
        StringTokenizer st = new StringTokenizer(ip, ".");
        while(st.hasMoreTokens() && i++ < 4) {
            s = st.nextToken();
            // if it's a wildcard, we'll skip to the next one
            // as no more checks are required
            if(s.equals("*")) {
                continue;
            }
            // attempt to parse it into a short
            try {
                short n = Short.parseShort(s);
                // if it's an int but outside of the
                // valid range, it can't be an IP
                if(n < 0 || n > 255) {
                    // give up checking further
                    return null;
                }
                ipaddr[i-1] = n;
            }
            // if it didn't parse as a short it can't be an IP
            catch (NumberFormatException e) {
                // give up checking further
                return null;
            }
        }
        // we've done 4 parts, so if there's any
        // more this can't be an IP
        if(st.hasMoreTokens()) {
            return null;
        }
        // if we've done less than 4, see if the last one
        // was a wildcard - if it isn't then it's not an IP
        //   -- this allows 129.12.*
        if(i < 4 && !s.equals("*")) {
            return null;
        }
        // if we had one or less entries it can't be an IP
        //   -- this disallows * matching as an IP due
        //      to the rule above
        if(i <= 1) {
            return null;
        }
        return ipaddr;
    }
    
    /**
     * Compares two short arrays. The first array can contain a -1,
     * which will always match any value -- it's a wildcard.
     * They must be the same length to match.
     *
     * @param first The first array to compare (with -1 wildcard if required)
     * @param second The second array to compare
     * @return the result of the comparison
     */
    private boolean compareShorts(short[] first, short[] second) {
        if(first.length != second.length) {
            return false;
        }
        for(int i=0; i < first.length; i++) {
            if(first[i] == -1) {
                continue;
            }
            if(first[i] != second[i]) {
                return false;
            }
        }
        return true;
    }

//---ACCESSOR/MUTATOR METHODS---

//---ATTRIBUTES---

    /**
     * This is the friendly identifier of the
     * component this class is running in.
     * eg, a Filter may be called "filter1",
     * If this class does not have an owning
     * component,  a name from the configuration
     * can be placed here.  This name could also
     * be changed to null for utility classes.
     */
    private String _name = null;
    
    /**
     * The ACL is stored in this ArrayList.
     */
    private ArrayList _acl = new ArrayList();
    
    /**
     * The default mode of this ACL.
     */
    private boolean _defaultMode = DEFMODE;

//---STATIC ATTRIBUTES---

//---INNER CLASSES---

    /**
     * Wrapper class for an ACL rule.
     */
    private class ACLRule implements Serializable {
        
        /**
         * Construct an ACL rule.
         *
         * @param allow whether this is an ALLOW or DENY rule
         * @param expression what this rule matches
         * @param ipaddr the IP address wildcard this rule matches if it's an IP rule
         * @param iprule whether this is an IP rule
         */
        private ACLRule(boolean allow, String expression, short[] ipaddr, boolean iprule) {
            _allow = allow;
            _expression = expression;
            _ipaddr = ipaddr;
            _iprule = iprule;
        }
        
        /**
         * Returns a String representation of this rule.
         *
         * @return A String representation of this rule.
         */
        public String toString() {
            if(_allow) {
                return _expression + "=ALLOW";
            }
            else {
                return _expression + "=DENY";
            }
        }
        
        /**
         * Whether this is an ALLOW or DENY rule.
         */
        private boolean _allow;
        
        /**
         * What this rule matches.
         */
        private String _expression;
        
        /**
         * The IP wildcard, only valid if this
         * is an IP rule.
         */
        private short[] _ipaddr;
        
        /**
         * Whether this is an IP rule.
         */
        private boolean _iprule;
        
    }

}
Revision:	1.8
Committed:	Sun Aug 1 10:41:08 2004 UTC (19 years, 9 months ago) by tdb
Branch:	MAIN
CVS Tags:	HEAD
Changes since 1.7:	+3 -3 lines
Log Message:	Catch a lot of old URL's and update them. Also remove a couple of old files that aren't used.
#	User	Rev	Content
1	tdb	1.5	/*
2			* i-scream central monitoring system
3	tdb	1.8	* http://www.i-scream.org
4	tdb	1.5	* Copyright (C) 2000-2002 i-scream
5			*
6			* This program is free software; you can redistribute it and/or
7			* modify it under the terms of the GNU General Public License
8			* as published by the Free Software Foundation; either version 2
9			* of the License, or (at your option) any later version.
10			*
11			* This program is distributed in the hope that it will be useful,
12			* but WITHOUT ANY WARRANTY; without even the implied warranty of
13			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14			* GNU General Public License for more details.
15			*
16			* You should have received a copy of the GNU General Public License
17			* along with this program; if not, write to the Free Software
18			* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19			*/
20
21	tdb	1.1	//---PACKAGE DECLARATION---
22	tdb	1.7	package uk.org.iscream.cms.util;
23	tdb	1.1
24			//---IMPORTS---
25			import java.util.ArrayList;
26			import java.util.StringTokenizer;
27			import java.net.InetAddress;
28			import java.io.Serializable;
29
30			/**
31			* Access Control List for use primarily
32			* with the ACLServerSocket. It could, however
33			* have other uses as it has a fairly generic
34			* behaviour. Rules are added using the add
35			* method, and then checks can be made using
36			* the relevant check method.
37			*
38			* @author $Author: tdb $
39	tdb	1.8	* @version $Id: ACL.java,v 1.7 2003/02/05 14:27:58 tdb Exp $
40	tdb	1.1	*/
41			public class ACL implements Serializable {
42
43			//---FINAL ATTRIBUTES---
44
45			/**
46			* The current CVS revision of this class
47			*/
48	tdb	1.8	public static final String REVISION = "$Revision: 1.7 $";
49	tdb	1.1
50			/**
51			* static to be used when adding an ALLOW rule to the ACL.
52			*/
53			public static final boolean ALLOW = true;
54
55			/**
56			* static to be used when adding a DENY rule to the ACL.
57			*/
58			public static final boolean DENY = false;
59	tdb	1.4
60			/**
61			* default setting for the default mode for a new ACL.
62			*/
63			public static final boolean DEFMODE = ACL.ALLOW;
64	tdb	1.1
65			//---STATIC METHODS---
66
67			//---CONSTRUCTORS---
68
69			/**
70			* Construct a new Access Control List. The default
71			* mode is to ALLOW anything that isn't explicitly
72			* blocked by a rule.
73			*/
74			public ACL() {
75	tdb	1.4	// default to DEFMODE
76			this(DEFMODE);
77	tdb	1.1	}
78
79			/**
80			* Construct a new Access Control List with a given
81			* default mode. This mode specifies what should
82			* happen if a check does not match any rules.
83			*
84			* @param defaultMode the default mode for non-matched checks
85			*/
86			public ACL(boolean defaultMode) {
87	tdb	1.4	setDefaultMode(defaultMode);
88	tdb	1.3	}
89
90			/**
91			* Construct a new Access Control List with a given
92			* String representation of the ACL rules. The String
93			* should be of the format:
94			* expression:rule;expression:rule;expression:rule...
95			* Where expression is a wildcard to match against, and
96			* rule is either 'ALLOW' or 'DENY'. There is a special
97			* expression of 'DEFAULT' which represents the default
98			* rule (what should happen if no expression is matched
99			* when performing a check).
100			* The default mode is set to ALLOW if one is not
101	tdb	1.4	* specified in the String.
102	tdb	1.3	*
103			* @param acl a String representation of the ACL.
104			*/
105			public ACL(String acl) {
106	tdb	1.4	setDefaultMode(DEFMODE);
107			add(acl);
108			}
109
110			//---PUBLIC METHODS---
111
112			/**
113			* Add a new rule to the ACL immediately after the
114			* previous rule. The rule can either be an ACL.ALLOW
115			* rule, or an ACL.DENY rule. The expression can
116			* contain a wildcard (a * only). Rules can only be
117			* added to the end of the list.
118			*
119			* param allow whether this is an ALLOW or DENY rule
120			* param expression what this rule matches using wildcards
121			*/
122			public void add(boolean allow, String expression) {
123			// try and convert the expression into an IP address
124			short[] ipaddr = ipStringToShort(expression);
125			// a result of null means it's not an IP address
126			// add either a name rule or an IP rule
127			if(ipaddr != null) {
128			_acl.add(new ACLRule(allow, expression, ipaddr, true));
129			}
130			else {
131			_acl.add(new ACLRule(allow, expression, ipaddr, false));
132			}
133			}
134
135			/**
136			* Add some new rules to the Access Control List in
137			* the form of a String. The String should be of the
138			* following format:
139			* expression:rule;expression:rule;expression:rule...
140			* Where expression is a wildcard to match against, and
141			* rule is either 'ALLOW' or 'DENY'. There is a special
142			* expression of 'DEFAULT' which represents the default
143			* rule (what should happen if no expression is matched
144			* when performing a check).
145			*
146			* @param acl a String representation of the ACL.
147			*/
148			public void add(String acl) {
149	tdb	1.3	if(acl != null) {
150			// split the String into expression:rule parts
151			StringTokenizer st1 = new StringTokenizer(acl, ";");
152			while(st1.hasMoreTokens()) {
153			String token1 = st1.nextToken();
154			// if it doesn't have a :, it's not the correct format
155			if(token1.indexOf(":") != -1) {
156			// split into expression and rule part
157			StringTokenizer st2 = new StringTokenizer(token1, ":");
158			String expression = "";
159			String rule = "";
160			if(st2.hasMoreTokens()) {
161			expression = st2.nextToken();
162			}
163			else {
164			// mall-formed?
165			continue;
166			}
167			if(st2.hasMoreTokens()) {
168			rule = st2.nextToken();
169			}
170			else {
171			// mall-formed?
172			continue;
173			}
174			// check to see what sort of rule
175			if(rule.equals("ALLOW")) {
176			// case for special 'DEFAULT' expression
177			if(expression.equals("DEFAULT")) {
178	tdb	1.4	setDefaultMode(ACL.ALLOW);
179	tdb	1.3	}
180			else {
181			add(ACL.ALLOW, expression);
182			}
183			}
184			else if(rule.equals("DENY")) {
185			// case for special 'DEFAULT' expression
186			if(expression.equals("DEFAULT")) {
187	tdb	1.4	setDefaultMode(ACL.DENY);
188	tdb	1.3	}
189			else {
190			add(ACL.DENY, expression);
191			}
192			}
193			// if it's not ALLOW or DENY, it's not a
194			// proper rule, so we'll ignore it
195			}
196			}
197			}
198	tdb	1.1	}
199
200			/**
201			* Check to see if a string is permitted by the
202			* ACL. Useful for testing, and non-Socket uses
203			* of this class.
204			*
205			* @param address the string to check
206			* @return whether the address was permitted by the ACL
207			*/
208			public boolean check(String address) {
209			for(int i=0; i < _acl.size(); i++) {
210			ACLRule rule = (ACLRule) _acl.get(i);
211			if(StringUtils.wildcardMatch(address, rule._expression)) {
212			return rule._allow;
213			}
214			}
215			return _defaultMode;
216			}
217
218			/**
219			* Check to see if an InetAddress is permitted
220			* by the ACL. Perfect for Socket uses of this
221			* class. A rule will either be for a name, or
222			* an IP address (this is determined in the add
223			* method), and the appropriate comparison will
224			* be performed.
225			*
226			* @param address the InetAddress to check
227			* @return whether the InetAddress was permitted by the ACL
228			*/
229			public boolean check(InetAddress address) {
230			// gather the details first
231			String hostname = address.getHostName();
232			String ip = address.getHostAddress();
233			short[] ipaddr = ipStringToShort(ip);
234			// check each rule against this InetAddress
235			for(int i=0; i < _acl.size(); i++) {
236			ACLRule rule = (ACLRule) _acl.get(i);
237			if(rule._iprule) {
238			// if this is an IP rule do a short comparison
239			// must specify the wildcarded rule first
240			if(compareShorts(rule._ipaddr, ipaddr)) {
241			return rule._allow;
242			}
243			}
244			else {
245			// if not do a full blown String comparsion
246			if(StringUtils.wildcardMatch(hostname, rule._expression)) {
247			return rule._allow;
248			}
249			}
250
251			}
252			// if we haven't matched a rule, return the default
253			return _defaultMode;
254			}
255
256			/**
257	tdb	1.4	* Clears the ACL and resets the default mode.
258			*/
259			public void clear() {
260			// just clear out our underlying ArrayList
261			// containing our ACL objects
262			_acl.clear();
263			// and reset the default mode to the default
264			setDefaultMode(DEFMODE);
265			}
266
267			/**
268			* Changes the default mode of the ACL. This is what
269			* the check will return if it does not find an explict
270			* rule to match against.
271			*
272			* @param defaultMode the new default mode
273			*/
274			public void setDefaultMode(boolean defaultMode) {
275			_defaultMode = defaultMode;
276			}
277
278			/**
279	tdb	1.1	* Gives a String representation of this ACL.
280			*
281			* @return A String representation of this ACL.
282			*/
283			public String toString() {
284			StringBuffer acl = new StringBuffer();
285			// put in the i-scream toString code
286			acl.append(FormatName.getName(_name, getClass().getName(), REVISION));
287			acl.append("{");
288			// put the value of each Rule in the result
289			for(int i=0; i < _acl.size(); i++) {
290			acl.append((ACLRule) _acl.get(i));
291			acl.append(",");
292			}
293			// put the default mode in the result
294			if(_defaultMode) {
295			acl.append("DEFAULT=ALLOW");
296			}
297			else {
298			acl.append("DEFAULT=DENY");
299			}
300			acl.append("}");
301			return acl.toString();
302			}
303
304			//---PRIVATE METHODS---
305
306			/**
307			* Converts an IP address in String format into
308			* a short array of length 4. Any wildcards, *,
309			* found in the IP address are represented by
310			* a -1. If the given String is not an IP address
311			* null is returned instead.
312			*
313			* @param ip The IP address in String format
314			* @return The IP address in a short[]
315			*/
316			private short[] ipStringToShort(String ip) {
317			// default to expecting it to be an IP
318			// we will try to disprove this :)
319			short[] ipaddr = {-1, -1, -1, -1};
320			int i = 0;
321			String s = "";
322			// tokenize the String on fullstops, so we can break
323			// up the quads of an IP (if it's an IP!)
324			StringTokenizer st = new StringTokenizer(ip, ".");
325			while(st.hasMoreTokens() && i++ < 4) {
326			s = st.nextToken();
327			// if it's a wildcard, we'll skip to the next one
328			// as no more checks are required
329			if(s.equals("*")) {
330			continue;
331			}
332			// attempt to parse it into a short
333			try {
334			short n = Short.parseShort(s);
335			// if it's an int but outside of the
336			// valid range, it can't be an IP
337			if(n < 0 \|\| n > 255) {
338			// give up checking further
339			return null;
340			}
341			ipaddr[i-1] = n;
342			}
343			// if it didn't parse as a short it can't be an IP
344			catch (NumberFormatException e) {
345			// give up checking further
346			return null;
347			}
348			}
349			// we've done 4 parts, so if there's any
350			// more this can't be an IP
351			if(st.hasMoreTokens()) {
352			return null;
353			}
354			// if we've done less than 4, see if the last one
355			// was a wildcard - if it isn't then it's not an IP
356			// -- this allows 129.12.*
357			if(i < 4 && !s.equals("*")) {
358			return null;
359			}
360			// if we had one or less entries it can't be an IP
361			// -- this disallows * matching as an IP due
362			// to the rule above
363			if(i <= 1) {
364			return null;
365			}
366			return ipaddr;
367			}
368
369			/**
370			* Compares two short arrays. The first array can contain a -1,
371			* which will always match any value -- it's a wildcard.
372			* They must be the same length to match.
373			*
374			* @param first The first array to compare (with -1 wildcard if required)
375			* @param second The second array to compare
376	tdb	1.2	* @return the result of the comparison
377	tdb	1.1	*/
378			private boolean compareShorts(short[] first, short[] second) {
379			if(first.length != second.length) {
380			return false;
381			}
382			for(int i=0; i < first.length; i++) {
383			if(first[i] == -1) {
384			continue;
385			}
386			if(first[i] != second[i]) {
387			return false;
388			}
389			}
390			return true;
391			}
392
393			//---ACCESSOR/MUTATOR METHODS---
394
395			//---ATTRIBUTES---
396
397			/**
398			* This is the friendly identifier of the
399			* component this class is running in.
400			* eg, a Filter may be called "filter1",
401			* If this class does not have an owning
402			* component, a name from the configuration
403			* can be placed here. This name could also
404			* be changed to null for utility classes.
405			*/
406			private String _name = null;
407
408			/**
409			* The ACL is stored in this ArrayList.
410			*/
411			private ArrayList _acl = new ArrayList();
412
413			/**
414			* The default mode of this ACL.
415			*/
416	tdb	1.4	private boolean _defaultMode = DEFMODE;
417	tdb	1.1
418			//---STATIC ATTRIBUTES---
419
420			//---INNER CLASSES---
421
422			/**
423			* Wrapper class for an ACL rule.
424			*/
425			private class ACLRule implements Serializable {
426
427			/**
428			* Construct an ACL rule.
429			*
430			* @param allow whether this is an ALLOW or DENY rule
431			* @param expression what this rule matches
432			* @param ipaddr the IP address wildcard this rule matches if it's an IP rule
433			* @param iprule whether this is an IP rule
434			*/
435			private ACLRule(boolean allow, String expression, short[] ipaddr, boolean iprule) {
436			_allow = allow;
437			_expression = expression;
438			_ipaddr = ipaddr;
439			_iprule = iprule;
440			}
441
442			/**
443			* Returns a String representation of this rule.
444			*
445			* @return A String representation of this rule.
446			*/
447			public String toString() {
448			if(_allow) {
449			return _expression + "=ALLOW";
450			}
451			else {
452			return _expression + "=DENY";
453			}
454			}
455
456			/**
457			* Whether this is an ALLOW or DENY rule.
458			*/
459			private boolean _allow;
460
461			/**
462			* What this rule matches.
463			*/
464			private String _expression;
465
466			/**
467			* The IP wildcard, only valid if this
468			* is an IP rule.
469			*/
470			private short[] _ipaddr;
471
472			/**
473			* Whether this is an IP rule.
474			*/
475			private boolean _iprule;
476
477			}
478
479			}