Example 11 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class OpenSSOSubjectAttributesCollector method getUserAttributes.

/**
 * Returns the attribute values of the given user represented by
 * {@code Subject} object.
 *
 * @param subject identity of the user.
 * @param attrNames requested attribute names.
 * @return a map of attribute names and their values
 * @throws com.sun.identity.entitlement.EntitlementException if this
 * operation failed.
 */
public Map<String, Set<String>> getUserAttributes(Subject subject, Set<String> attrNames) throws EntitlementException {
    String uuid = SubjectUtils.getPrincipalId(subject);
    try {
        // The lookup runs under the server's admin SSOToken rather than the
        // caller's own session, so the caller's permissions are not consulted here.
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentity amid = new AMIdentity(adminToken, uuid);
        return amid.getAttributes(attrNames);
    } catch (IdRepoException | SSOException e) {
        // Both repository and token failures surface as entitlement error 601.
        Object[] params = { uuid };
        throw new EntitlementException(601, params, e);
    }
}
Also used : EntitlementException(com.sun.identity.entitlement.EntitlementException) SSOToken(com.iplanet.sso.SSOToken) AMIdentity(com.sun.identity.idm.AMIdentity) IdRepoException(com.sun.identity.idm.IdRepoException) SSOException(com.iplanet.sso.SSOException)

Example 12 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class OpenSSOApplicationPrivilegeManager method removeAllPrivileges.

static void removeAllPrivileges(String realm) throws EntitlementException {
    // Removal is done as the admin Subject derived from the admin SSOToken,
    // i.e. with full rights, regardless of who triggered it.
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    Subject dsameUserSubject = SubjectUtils.createSubject(adminToken);
    // The manager is bound to the hidden realm, not to the realm argument,
    // so one instance serves the whole loop.
    PrivilegeManager pm = PrivilegeManager.getInstance(getHiddenRealmDN(), dsameUserSubject);
    for (Iterator<IPrivilege> i = getPrivileges(realm); i.hasNext(); ) {
        Privilege p = (Privilege) i.next();
        String name = p.getName();
        // Each application privilege has a companion "ghost" privilege; remove both.
        pm.remove(name);
        pm.remove(GHOST_PRIVILEGE_NAME_PREFIX + name);
    }
}
Also used : SSOToken(com.iplanet.sso.SSOToken) IPrivilege(com.sun.identity.entitlement.IPrivilege) ApplicationPrivilegeManager(com.sun.identity.entitlement.ApplicationPrivilegeManager) PrivilegeManager(com.sun.identity.entitlement.PrivilegeManager) ApplicationPrivilege(com.sun.identity.entitlement.ApplicationPrivilege) IPrivilege(com.sun.identity.entitlement.IPrivilege) Privilege(com.sun.identity.entitlement.Privilege) ReferralPrivilege(com.sun.identity.entitlement.ReferralPrivilege) EntitlementSubject(com.sun.identity.entitlement.EntitlementSubject) Subject(javax.security.auth.Subject) OrSubject(com.sun.identity.entitlement.OrSubject)

Example 13 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class FMSubjectMapper method mapToNativeSubject.

/**
 * Returns native subject, OpenAM SSOToken
 * @param xacmlContextSubjects XACML context Subject(s) from the
 * xacml-context:Request
 * @return native subject, OpenAM SSOToken, returns null if
 *         Subject did not match
 * @exception XACMLException if can not map to native subject
 */
public Object mapToNativeSubject(List xacmlContextSubjects) throws XACMLException {
    if (xacmlContextSubjects == null) {
        return null;
    }
    String sid = null;
    String userName = null;
    // Scan every access-subject for a subject-id attribute; the attribute's
    // data type decides whether it carries a session id or a user name.
    for (Iterator iter = xacmlContextSubjects.iterator(); iter.hasNext(); ) {
        Subject subject = (Subject) iter.next();
        if (subject == null) {
            continue;
        }
        URI subjectCategory = subject.getSubjectCategory();
        if ((subjectCategory != null) && (!subjectCategory.toString().equals(XACMLConstants.ACCESS_SUBJECT))) {
            continue;
        }
        List attributes = subject.getAttributes();
        if (attributes != null) {
            for (int count = 0; count < attributes.size(); count++) {
                Attribute attr = (Attribute) attributes.get(count);
                if (attr != null) {
                    URI tmpURI = attr.getAttributeId();
                    if (tmpURI.toString().equals(XACMLConstants.SUBJECT_ID)) {
                        tmpURI = attr.getDataType();
                        if (tmpURI.toString().equals(XACMLConstants.OPENSSO_SESSION_ID)) {
                            Element sidElement = (Element) attr.getAttributeValues().get(0);
                            sid = XMLUtils.getElementValue(sidElement);
                        } else if (tmpURI.toString().equals(XACMLConstants.X500NAME)) {
                            Element sidElement = (Element) attr.getAttributeValues().get(0);
                            userName = XMLUtils.getElementValue(sidElement);
                        } else if (tmpURI.toString().equals(XACMLConstants.SAML2_NAMEID)) {
                            Element sidElement = (Element) attr.getAttributeValues().get(0);
                            String nameID = XMLUtils.getElementValue(sidElement);
                            if (nameID != null) {
                                userName = (String) IDPCache.userIDByTransientNameIDValue.get(nameID);
                            }
                        // TODO:Need to support non-transient nameid format
                        }
                    }
                }
            }
        }
    }
    SSOToken ssoToken = null;
    if (sid != null) {
        //create ssoToken based on sessionId
        try {
            SSOTokenManager tokenManager = SSOTokenManager.getInstance();
            ssoToken = tokenManager.createSSOToken(sid);
        } catch (SSOException ssoExp) {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("FMSubjectMapper.mapToNativeSubject()" + ":caught SSOException:", ssoExp);
            }
        }
    }
    // No usable session id: fall back to creating a new session for the
    // user name taken from the x500name or resolved from the transient NameID.
    if ((ssoToken == null) && (userName != null)) {
        try {
            ssoToken = createFMSession(userName);
        } catch (SessionException se) {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("FMSubjectMapper.mapToNativeSubject()" + ":caught SessionException:", se);
            }
        }
    }
    return ssoToken;
}
Also used : SSOTokenManager(com.iplanet.sso.SSOTokenManager) SSOToken(com.iplanet.sso.SSOToken) Attribute(com.sun.identity.xacml.context.Attribute) Element(org.w3c.dom.Element) Iterator(java.util.Iterator) SessionException(com.sun.identity.plugin.session.SessionException) List(java.util.List) SSOException(com.iplanet.sso.SSOException) URI(java.net.URI) Subject(com.sun.identity.xacml.context.Subject)

Example 14 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class FMSubjectMapper method createFMSession.

private SSOToken createFMSession(String userName) throws SessionException {
    // Builds a session in the root realm for the given principal name. No
    // credentials are passed; the session provider is trusted to create it.
    Map<String, Object> info = new HashMap<String, Object>();
    info.put(SessionProvider.REALM, "/");
    info.put(SessionProvider.PRINCIPAL_NAME, userName);
    return (SSOToken) fmSessionProvider.createSession(info, null, null, null);
}
Also used : SSOToken(com.iplanet.sso.SSOToken) HashMap(java.util.HashMap) HashMap(java.util.HashMap) Map(java.util.Map)

Example 15 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class XACMLAuthzDecisionQueryHandler method handleQuery.

/**
 * Processes an XACMLAuthzDecisionQuery and returns a SAML2 Response.
 *
 * @param pdpEntityId EntityID of PDP
 * @param pepEntityId EntityID of PEP
 * @param samlpRequest SAML2 Request, an XACMLAuthzDecisionQuery
 * @param soapMessage SOAPMessage that carried the SAML2 Request
 * @return SAML2 Response with an XACMLAuthzDecisionStatement
 * @exception SAML2Exception if the query can not be handled
 */
public com.sun.identity.saml2.protocol.Response handleQuery(String pdpEntityId, String pepEntityId, RequestAbstract samlpRequest, SOAPMessage soapMessage) throws SAML2Exception {
    //TODO: logging, i18n
    //TODO: long term, allow different mapper impls for  different
    //combination of pdp, pep
    SubjectMapper subjectMapper = new FMSubjectMapper();
    subjectMapper.initialize(pdpEntityId, pepEntityId, null);
    ResourceMapper resourceMapper = new FMResourceMapper();
    resourceMapper.initialize(pdpEntityId, pepEntityId, null);
    ActionMapper actionMapper = new FMActionMapper();
    actionMapper.initialize(pdpEntityId, pepEntityId, null);
    EnvironmentMapper environmentMapper = new FMEnvironmentMapper();
    environmentMapper.initialize(pdpEntityId, pepEntityId, null);
    ResultMapper resultMapper = new FMResultMapper();
    resultMapper.initialize(pdpEntityId, pepEntityId, null);
    boolean evaluationFailed = false;
    String statusCodeValue = null;
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), entering" + ":pdpEntityId=" + pdpEntityId + ":pepEntityId=" + pepEntityId + ":samlpRequest=\n" + samlpRequest.toXMLString(true, true) + ":soapMessage=\n" + soapMessage);
    }
    Request xacmlRequest = ((XACMLAuthzDecisionQuery) samlpRequest).getRequest();
    boolean returnContext = ((XACMLAuthzDecisionQuery) samlpRequest).getReturnContext();
    SSOToken ssoToken = null;
    String resourceName = null;
    String serviceName = null;
    String actionName = null;
    Map environment = null;
    boolean booleanDecision = false;
    try {
        //get native sso token
        ssoToken = (SSOToken) subjectMapper.mapToNativeSubject(xacmlRequest.getSubjects());
        if (ssoToken == null) {
            //TODO: log message and fill missing attribute details 
            statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
            evaluationFailed = true;
        } else {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery()," + "created ssoToken");
            }
        }
        if (ssoToken != null) {
            //get native service name, resource name 
            List resources = xacmlRequest.getResources();
            Resource resource = null;
            if (!resources.isEmpty()) {
                //We deal with only one resource for now
                resource = (Resource) resources.get(0);
            }
            if (resource != null) {
                String[] resourceService = resourceMapper.mapToNativeResource(resource);
                if (resourceService != null) {
                    if (resourceService.length > 0) {
                        resourceName = resourceService[0];
                    }
                    if (resourceService.length > 1) {
                        serviceName = resourceService[1];
                    }
                }
            }
            if (resourceName == null) {
                //TODO: log message and fill missing attribute details 
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
            if (serviceName == null) {
                //TODO: log message and fill missing attribute details
                throw new SAML2Exception(XACMLSDKUtils.xacmlResourceBundle.getString("missing_attribute"));
            }
        }
    if (serviceName != null) {
        //get native action name
        actionName = actionMapper.mapToNativeAction(xacmlRequest.getAction(), serviceName);
        if (actionName == null) {
            //TODO: log message and fill missing attribute details
            statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
            evaluationFailed = true;
        }
    }
    //get environment map
    /*
            environment = environmentMapper.mapToNativeEnvironment(
                    xacmlRequest.getEnvironment(), 
                    xacmlRequest.getSubjects());
            */
    } catch (XACMLException xe) {
        statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
        evaluationFailed = true;
        if (XACMLSDKUtils.debug.warningEnabled()) {
            XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", xe);
        }
    }
    //get native policy decision using native policy evaluator
    if (!evaluationFailed) {
        try {
            PolicyEvaluator pe = new PolicyEvaluator(serviceName);
            booleanDecision = pe.isAllowed(ssoToken, resourceName, actionName, environment);
        } catch (SSOException ssoe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", ssoe);
            }
            evaluationFailed = true;
        } catch (PolicyException pe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", pe);
            }
            evaluationFailed = true;
        }
    }
    //decision: Indeterminate, Deny, Permit, NotApplicable
    //status code: missing_attribute, syntax_error, processing_error, ok
    Decision decision = ContextFactory.getInstance().createDecision();
    Status status = ContextFactory.getInstance().createStatus();
    StatusCode code = ContextFactory.getInstance().createStatusCode();
    StatusMessage message = ContextFactory.getInstance().createStatusMessage();
    StatusDetail detail = ContextFactory.getInstance().createStatusDetail();
    detail.getElement().insertBefore(detail.getElement().cloneNode(true), null);
    if (evaluationFailed) {
        decision.setValue(XACMLConstants.INDETERMINATE);
        if (statusCodeValue == null) {
            statusCodeValue = XACMLConstants.STATUS_CODE_PROCESSING_ERROR;
        }
        code.setValue(statusCodeValue);
        //TODO: i18n
        message.setValue("processing_error");
    } else if (booleanDecision) {
        decision.setValue(XACMLConstants.PERMIT);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    } else {
        decision.setValue(XACMLConstants.DENY);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    }
    Result result = ContextFactory.getInstance().createResult();
    String resourceId = resourceName;
    List resources = xacmlRequest.getResources();
    Resource resource = null;
    if (!resources.isEmpty()) {
        //We deal with only one resource for now
        resource = (Resource) resources.get(0);
        if (resource != null) {
            List attributes = resource.getAttributes();
            if (attributes != null) {
                for (int count = 0; count < attributes.size(); count++) {
                    Attribute attr = (Attribute) attributes.get(count);
                    if (attr != null) {
                        URI tmpURI = attr.getAttributeId();
                        if (tmpURI.toString().equals(XACMLConstants.RESOURCE_ID)) {
                            Element element = (Element) attr.getAttributeValues().get(0);
                            resourceId = XMLUtils.getElementValue(element);
                            break;
                        }
                    }
                }
            }
        }
    }
    result.setResourceId(resourceId);
    result.setDecision(decision);
    status.setStatusCode(code);
    status.setStatusMessage(message);
    status.setStatusDetail(detail);
    result.setStatus(status);
    Response response = ContextFactory.getInstance().createResponse();
    response.addResult(result);
    XACMLAuthzDecisionStatement statement = ContextFactory.getInstance().createXACMLAuthzDecisionStatement();
    statement.setResponse(response);
    if (returnContext) {
        statement.setRequest(xacmlRequest);
    }
    com.sun.identity.saml2.protocol.Response samlpResponse = createSamlpResponse(statement, status.getStatusCode().getValue());
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), returning" + ":samlResponse=\n" + samlpResponse.toXMLString(true, true));
    }
    return samlpResponse;
}
Also used : SSOToken(com.iplanet.sso.SSOToken) Attribute(com.sun.identity.xacml.context.Attribute) Element(org.w3c.dom.Element) SSOException(com.iplanet.sso.SSOException) StatusCode(com.sun.identity.xacml.context.StatusCode) URI(java.net.URI) Result(com.sun.identity.xacml.context.Result) ResourceResult(com.sun.identity.policy.ResourceResult) ActionMapper(com.sun.identity.xacml.spi.ActionMapper) XACMLAuthzDecisionStatement(com.sun.identity.xacml.saml2.XACMLAuthzDecisionStatement) PolicyEvaluator(com.sun.identity.policy.PolicyEvaluator) SubjectMapper(com.sun.identity.xacml.spi.SubjectMapper) PolicyException(com.sun.identity.policy.PolicyException) ResourceMapper(com.sun.identity.xacml.spi.ResourceMapper) ArrayList(java.util.ArrayList) List(java.util.List) Status(com.sun.identity.xacml.context.Status) Request(com.sun.identity.xacml.context.Request) Resource(com.sun.identity.xacml.context.Resource) EnvironmentMapper(com.sun.identity.xacml.spi.EnvironmentMapper) Decision(com.sun.identity.xacml.context.Decision) XACMLException(com.sun.identity.xacml.common.XACMLException) StatusMessage(com.sun.identity.xacml.context.StatusMessage) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Response(com.sun.identity.xacml.context.Response) ResultMapper(com.sun.identity.xacml.spi.ResultMapper) StatusDetail(com.sun.identity.xacml.context.StatusDetail) XACMLAuthzDecisionQuery(com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery) Map(java.util.Map)

Aggregations

SSOToken (com.iplanet.sso.SSOToken) 776
SSOException (com.iplanet.sso.SSOException) 390
Set (java.util.Set) 226
SMSException (com.sun.identity.sm.SMSException) 218
HashSet (java.util.HashSet) 179
IdRepoException (com.sun.identity.idm.IdRepoException) 144
HashMap (java.util.HashMap) 130
Test (org.testng.annotations.Test) 130
CLIException (com.sun.identity.cli.CLIException) 117
Iterator (java.util.Iterator) 115
AMIdentity (com.sun.identity.idm.AMIdentity) 113
Map (java.util.Map) 113
IOutput (com.sun.identity.cli.IOutput) 99
IOException (java.io.IOException) 68
List (java.util.List) 57
AMIdentityRepository (com.sun.identity.idm.AMIdentityRepository) 56
IdType (com.sun.identity.idm.IdType) 54
ServiceConfigManager (com.sun.identity.sm.ServiceConfigManager) 53
EntitlementException (com.sun.identity.entitlement.EntitlementException) 52
ServiceConfig (com.sun.identity.sm.ServiceConfig) 52