com.amazonaws.auth.policy.conditions

Class ConditionFactory

java.lang.Object

com.amazonaws.auth.policy.conditions.ConditionFactory

public class ConditionFactory
extends Object

Factory for creating common AWS access control policy conditions. These conditions are common for AWS services and can be expected to work across any service that supports AWS access control policies.

Field Summary

Fields

Modifier and Type	Field and Description
static String	CURRENT_TIME_CONDITION_KEY Condition key for the current time.
static String	EPOCH_TIME_CONDITION_KEY Condition key for the current time, in epoch seconds.
static String	REFERER_CONDITION_KEY Condition key for the referer specified by a request.
static String	SECURE_TRANSPORT_CONDITION_KEY Condition key for whether or not an incoming request is using a secure transport to make the request (i.e.
static String	SOURCE_ARN_CONDITION_KEY Condition key for the Amazon Resource Name (ARN) of the source specified in a request.
static String	SOURCE_IP_CONDITION_KEY Condition key for the source IP from which a request originates.
static String	USER_AGENT_CONDITION_KEY Condition key for the user agent included in a request.

Method Summary

Modifier and Type	Method and Description
static Condition	newRefererCondition(StringCondition.StringComparisonType comparisonType, String value) Constructs a new access control policy condition that tests the incoming request's referer field against the specified value, using the specified comparison type.
static Condition	newSecureTransportCondition() Constructs a new access control policy condition that tests if the incoming request was sent over a secure transport (HTTPS).
static Condition	newSourceArnCondition(String arnPattern) Constructs a new access policy condition that compares the Amazon Resource Name (ARN) of the source of an AWS resource that is modifying another AWS resource with the specified pattern.
static Condition	newUserAgentCondition(StringCondition.StringComparisonType comparisonType, String value) Constructs a new access control policy condition that tests the incoming request's user agent field against the specified value, using the specified comparison type.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CURRENT_TIME_CONDITION_KEY

public static final String CURRENT_TIME_CONDITION_KEY

Condition key for the current time.

This condition key should only be used with DateCondition objects.

See Also:

Constant Field Values

SECURE_TRANSPORT_CONDITION_KEY

public static final String SECURE_TRANSPORT_CONDITION_KEY

Condition key for whether or not an incoming request is using a secure transport to make the request (i.e. HTTPS instead of HTTP).

This condition key should only be used with BooleanCondition objects.

See Also:

Constant Field Values

SOURCE_IP_CONDITION_KEY

public static final String SOURCE_IP_CONDITION_KEY

Condition key for the source IP from which a request originates.

This condition key should only be used with IpAddressCondition objects.

See Also:

Constant Field Values

USER_AGENT_CONDITION_KEY

public static final String USER_AGENT_CONDITION_KEY

Condition key for the user agent included in a request.

This condition key should only be used with StringCondition objects.

See Also:

Constant Field Values

EPOCH_TIME_CONDITION_KEY

public static final String EPOCH_TIME_CONDITION_KEY

Condition key for the current time, in epoch seconds.

This condition key should only be used with NumericCondition objects.

See Also:

Constant Field Values

REFERER_CONDITION_KEY

public static final String REFERER_CONDITION_KEY

Condition key for the referer specified by a request.

This condition key should only be used with StringCondition objects.

See Also:

Constant Field Values

SOURCE_ARN_CONDITION_KEY

public static final String SOURCE_ARN_CONDITION_KEY

Condition key for the Amazon Resource Name (ARN) of the source specified in a request. The source ARN indicates which resource is affecting the resource listed in your policy. For example, an SNS topic is the source ARN when publishing messages from the topic to an SQS queue.

This condition key should only be used with ArnCondition objects.

See Also:

Constant Field Values

Method Detail

newSourceArnCondition

public static Condition newSourceArnCondition(String arnPattern)

Constructs a new access policy condition that compares the Amazon Resource Name (ARN) of the source of an AWS resource that is modifying another AWS resource with the specified pattern.

For example, the source ARN could be an Amazon SNS topic ARN that is sending messages to an Amazon SQS queue. In that case, the SNS topic ARN would be compared the ARN pattern specified here.

The endpoint pattern may optionally contain the multi-character wildcard (*) or the single-character wildcard (?). Each of the six colon-delimited components of the ARN is checked separately and each can include a wildcard.

 Policy policy = new Policy("MyQueuePolicy");
 policy.withStatements(new Statement("AllowSNSMessages", Effect.Allow)
         .withPrincipals(new Principal("*")).withActions(SQSActions.SendMessage)
         .withResources(new Resource(myQueueArn))
         .withConditions(ConditionFactory.newSourceArnCondition(myTopicArn)));
 

Parameters:

arnPattern - The ARN pattern against which the source ARN will be compared. Each of the six colon-delimited components of the ARN is checked separately and each can include a wildcard.

Returns:

A new access control policy condition that compares the ARN of the source specified in an incoming request with the ARN pattern specified here.

newSecureTransportCondition

public static Condition newSecureTransportCondition()

Constructs a new access control policy condition that tests if the incoming request was sent over a secure transport (HTTPS).

Returns:

A new access control policy condition that tests if the incoming request was sent over a secure transport (HTTPS).

newUserAgentCondition

public static Condition newUserAgentCondition(StringCondition.StringComparisonType comparisonType,
                                              String value)

Constructs a new access control policy condition that tests the incoming request's user agent field against the specified value, using the specified comparison type.

This condition should be used carefully. Since the UserAgent value is provided by the caller in an HTTP header, unintended parties can use modified or custom browsers to provide any UserAgent value that they choose. As a result, UserAgent should not be used to prevent unintended parties from making direct AWS requests. You can use it to allow only specific client applications, and only after testing your policy.

Parameters:

comparisonType - The type of string comparison to perform when testing an incoming request's user agent field with the specified value.

value - The value against which to compare the incoming request's user agent.

Returns:

A new access control policy condition that tests an incoming request's user agent field.

newRefererCondition

public static Condition newRefererCondition(StringCondition.StringComparisonType comparisonType,
                                            String value)

Constructs a new access control policy condition that tests the incoming request's referer field against the specified value, using the specified comparison type.

Parameters:

comparisonType - The type of string comparison to perform when testing an incoming request's referer field with the specified value.

value - The value against which to compare the incoming request's referer field.

Returns:

A new access control policy condition that tests an incoming request's referer field.