
Example 31 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class IdUtils method initialize.

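/**
 * Loads the supported identity types and registers for SMS change
 * notifications on the identity repository service.
 *
 * <p>When the configuration has been migrated to 7.0 the types are read from
 * the {@code IdConstants.REPO_SERVICE} global configuration (the sub-configs
 * under {@code IdConstants.SUPPORTED_TYPES}); otherwise, or whenever that read
 * fails, the built-in defaults are loaded via {@code loadDefaultTypes()}.
 * The reads are performed with an administrative token obtained through
 * {@code AdminTokenAction}, so this method is only meaningful in a trusted
 * server-side context.
 *
 * <p>SMS errors are logged unless the install-time system property is set,
 * because the service configuration is expected to be absent while the
 * product is being installed.
 */
protected static void initialize() {
    if (ServiceManager.isConfigMigratedTo70()) {
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            serviceConfigManager = new ServiceConfigManager(adminToken, IdConstants.REPO_SERVICE, "1.0");
            ServiceConfig ss = serviceConfigManager.getGlobalConfig(null);
            Set typeSchemaNames = ss.getSubConfigNames("*", IdConstants.SUPPORTED_TYPES);
            if (typeSchemaNames == null || typeSchemaNames.isEmpty()) {
                loadDefaultTypes();
            } else {
                for (Object typeSchema : typeSchemaNames) {
                    registerConfiguredType(ss, (String) typeSchema);
                }
            }
        } catch (SMSException e) {
            logUnlessInstalling("IdUtils.initialize: Loading default types.", e);
            loadDefaultTypes();
        } catch (SSOException ssoe) {
            // A token failure is not expected even at install time, so it is always reported.
            debug.error("IdUtils.initialize: Loading default types", ssoe);
            loadDefaultTypes();
        }
    } else {
        loadDefaultTypes();
    }
    // Register for SMS notifications to root realm
    if (notificationId == null) {
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            if (serviceConfigManager == null) {
                serviceConfigManager = new ServiceConfigManager(adminToken, IdConstants.REPO_SERVICE, "1.0");
            }
            notificationId = serviceConfigManager.addListener(new IdUtilsListener());
        } catch (SMSException e) {
            logUnlessInstalling("IdUtils.initialize: Register notification", e);
        } catch (SSOException ssoe) {
            logUnlessInstalling("IdUtils.initialize: Register notification", ssoe);
        }
    }
}

/**
 * Records one configured identity type: adds it to {@code supportedTypes}
 * and {@code mapSupportedTypes}, and fills the service-name and membership
 * relationship maps from the type's sub-config attributes.
 *
 * @param ss the global config of the repository service
 * @param typeSchema the sub-config name that names the identity type
 * @throws SMSException if the sub-config cannot be read
 * @throws SSOException if the administrative token is rejected
 */
private static void registerConfiguredType(ServiceConfig ss, String typeSchema) throws SMSException, SSOException {
    IdType idType = new IdType(typeSchema);
    supportedTypes.add(idType);
    mapSupportedTypes.put(idType.getName(), idType);
    ServiceConfig tsc = ss.getSubConfig(typeSchema);
    Map attributes = tsc.getAttributes();
    Set serviceNameSet = (Set) attributes.get(IdConstants.SERVICE_NAME);
    Set canBeMembersOf = (Set) attributes.get(IdConstants.ATTR_MEMBER_OF);
    Set canHaveMembers = (Set) attributes.get(IdConstants.ATTR_HAVE_MEMBERS);
    Set canAddMembers = (Set) attributes.get(IdConstants.ATTR_ADD_MEMBERS);
    // Only the first configured service name is used; the attribute is multi-valued in SMS.
    if (serviceNameSet != null && !serviceNameSet.isEmpty()) {
        mapTypesToServiceNames.put(typeSchema, (String) serviceNameSet.iterator().next());
    }
    if (canBeMembersOf != null && !canBeMembersOf.isEmpty()) {
        typesCanBeMemberOf.put(typeSchema, getMemberSet(canBeMembersOf));
    }
    if (canHaveMembers != null && !canHaveMembers.isEmpty()) {
        typesCanHaveMembers.put(typeSchema, getMemberSet(canHaveMembers));
    }
    if (canAddMembers != null && !canAddMembers.isEmpty()) {
        typesCanAddMembers.put(typeSchema, getMemberSet(canAddMembers));
    }
}

/**
 * Logs {@code e} at error level unless the install-time system property
 * ({@code Constants.SYS_PROPERTY_INSTALL_TIME}) is {@code "true"}, when the
 * failure is expected and would only add noise.
 *
 * @param msg the log message
 * @param e the failure to report
 */
private static void logUnlessInstalling(String msg, Exception e) {
    String installTime = SystemProperties.get(Constants.SYS_PROPERTY_INSTALL_TIME, "false");
    if (!installTime.equals("true")) {
        debug.error(msg, e);
    }
}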

Example 32 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class AuthenticatedSharedAgentsCondition method getConditionDecision.

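/**
 * Gets the decision computed by this condition object.
 *
 * <p>The caller's identity (realm, name and universal id) is resolved from
 * {@code token}. The requested resource is taken from
 * {@code env.get(PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE)} and the
 * agent it names is checked, via {@code getPermission}, against the agents the
 * calling shared agent is configured to access. That list is read from the
 * organisation config with an administrative token and cached per universal
 * id in {@code sharedAgentsCache}. A failure to resolve the identity or to
 * read the configuration is reported by throwing, never by returning a
 * permissive decision.
 *
 * @param token single sign on token of the user
 * @param env request specific environment map of key/value pairs
 * @return the condition decision; it encapsulates whether a policy applies
 *         for the request. The policy framework continues evaluating a
 *         policy only if it applies to the request as indicated by the
 *         ConditionDecision, otherwise further evaluation of the policy is
 *         skipped.
 * @throws SSOException if the token is invalid
 * @throws PolicyException if the identity or the agent attributes cannot be read
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    boolean allowed = false;
    if (debug.messageEnabled()) {
        debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: " + "called with Token: " + token.getPrincipal().getName() + ", requestedResourcename: " + env.get(PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE));
    }
    String realmName = null;
    String sharedAgentName = null;
    String sharedAgentUnivId = null;
    try {
        AMIdentity id = IdUtils.getIdentity(token);
        realmName = id.getRealm();
        sharedAgentName = id.getName();
        sharedAgentUnivId = id.getUniversalId();
    } catch (SSOException ssoe) {
        // Debug it and rethrow: an invalid token must not produce a decision.
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: invalid sso token: " + ssoe.getMessage());
        }
        throw ssoe;
    } catch (IdRepoException ide) {
        // Debug it and throw converted policy exception.
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision IdRepo exception: ", ide);
        }
        throw new PolicyException(ide);
    }
    // Get the resource name from the env
    Object o = env.get(PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE);
    if (debug.messageEnabled()) {
        debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision:" + " name: " + sharedAgentName + " resource: " + o);
    }
    if (o != null) {
        // The fallback for an unexpected value type is "" regardless of the
        // logging level; previously it was only applied when warnings were on.
        String resourceName = resourceNameFromEnv(o);
        try {
            Set agentsFromEnv = new HashSet();
            String agentTypeName = IdType.AGENT.getName();
            String agentOnlyTypeName = IdType.AGENTONLY.getName();
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            ServiceConfig orgConfig = getOrgConfig(adminToken, realmName);
            // NOTE(review): assumes split() always yields at least two elements — confirm.
            String[] retVal = split(resourceName);
            if ((retVal[0].equalsIgnoreCase(agentTypeName) && retVal[1].equalsIgnoreCase(agentTypeName)) || (retVal[0].equalsIgnoreCase(agentOnlyTypeName) && retVal[1].equalsIgnoreCase(agentOnlyTypeName))) {
                agentsFromEnv.add(retVal[0]);
            }
            if ((!retVal[0].equalsIgnoreCase(agentTypeName)) && (!retVal[0].equalsIgnoreCase(agentOnlyTypeName))) {
                retVal[0] = getAgentNameFromEnv(resourceName);
                if (retVal[0] == null) {
                    // No agent can be identified from the resource: deny.
                    return new ConditionDecision(false);
                }
                if (retVal[0].equalsIgnoreCase(sharedAgentName)) {
                    // The shared agent is asking about itself: compare against its own allowed-agents attribute.
                    Map envMap = getAttributes(orgConfig, retVal[0]);
                    agentsFromEnv = (Set) envMap.get(attributeToRead);
                } else {
                    agentsFromEnv.add(retVal[0]);
                }
                if (debug.messageEnabled()) {
                    debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: agentsFromEnv: " + agentsFromEnv + "retVal[0] " + retVal[0]);
                }
            }
            // Check in cache
            if ((sharedAgentsCache != null) && (sharedAgentsCache.containsKey(sharedAgentUnivId))) {
                Set agentsfromCache = (Set) sharedAgentsCache.get(sharedAgentUnivId);
                if (agentsfromCache != null && !agentsfromCache.isEmpty()) {
                    allowed = getPermission(agentsFromEnv, agentsfromCache);
                }
                return new ConditionDecision(allowed);
            }
            // If not in cache.
            // Return the attributes for the given agent under
            // default group.
            Map agentsAttrMap = getAttributes(orgConfig, sharedAgentName);
            Set agentsToRead = (Set) agentsAttrMap.get(attributeToRead);
            if (debug.messageEnabled()) {
                debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: agentsToRead: " + agentsToRead);
            }
            if (agentsToRead != null && !agentsToRead.isEmpty()) {
                allowed = getPermission(agentsFromEnv, agentsToRead);
            }
            // Update the cache.
            updateCache(sharedAgentUnivId, agentsToRead);
        } catch (IdRepoException idpe) {
            debug.error("AuthenticatedSharedAgentsCondition." + "getConditionDecision(): Unable to read agent" + " attributes for " + sharedAgentName, idpe);
            throw new PolicyException(idpe);
        }
    }
    return new ConditionDecision(allowed);
}

/**
 * Extracts the requested resource name from the environment value.
 *
 * @param o the non-null value found under
 *          {@code PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE};
 *          a String is used as is, for a Set the first element is used
 * @return the resource name; {@code null} when {@code o} is an empty Set,
 *         and {@code ""} when {@code o} is of an unexpected type
 */
private String resourceNameFromEnv(Object o) {
    if (o instanceof String) {
        return (String) o;
    }
    if (o instanceof Set) {
        Set values = (Set) o;
        return values.isEmpty() ? null : (String) values.iterator().next();
    }
    if (debug.warningEnabled()) {
        debug.warning("AuthenticatedSharedAgentsCondition." + "getConditionDecision: Unable to get resource name");
    }
    return "";
}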

Example 33 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class AllowedAgents method getChoiceValues.

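/**
 * Returns the choice values from configured environment params.
 *
 * <p>The organisation is taken from {@code Constants.ORGANIZATION_NAME} in
 * {@code envParams}, falling back to the root suffix. Every agent sub-config
 * of that organisation whose schema id is not {@code "SharedAgent"} is offered
 * as a choice (name mapped to itself). The configuration is read with an
 * administrative token; failures are logged at warning level and yield the
 * (possibly empty) map built so far.
 *
 * @param envParams map for configured parameters; may be {@code null}
 * @return the choice values from configured environment params, never {@code null}
 */
public Map getChoiceValues(Map envParams) {
    String orgDN = null;
    Map answer = new HashMap(2);
    if (envParams != null) {
        orgDN = (String) envParams.get(Constants.ORGANIZATION_NAME);
    }
    if (orgDN == null || orgDN.length() == 0) {
        orgDN = SMSEntry.getRootSuffix();
    }
    try {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        ServiceConfig oc = getOrgConfig(adminToken, orgDN);
        Set agentConfigs = oc.getSubConfigNames();
        if (agentConfigs != null && !agentConfigs.isEmpty()) {
            // Exclude the Agent Authenticator (shared agents) from the list.
            for (Object name : agentConfigs) {
                String agentName = (String) name;
                ServiceConfig aCfg = oc.getSubConfig(agentName);
                if (aCfg != null) {
                    String agentType = aCfg.getSchemaID();
                    // Null-safe: a sub-config without a schema id is kept rather than aborting the whole listing.
                    if (!"SharedAgent".equalsIgnoreCase(agentType)) {
                        answer.put(agentName, agentName);
                    }
                }
            }
        }
    } catch (SSOException ssoe) {
        if (debug.warningEnabled()) {
            debug.warning("AllowedAgents.getChoiceValues(): SSOException:" + ssoe);
        }
    } catch (SMSException smse) {
        if (debug.warningEnabled()) {
            debug.warning("AllowedAgents.getChoiceValues(): SMSException:" + smse);
        }
    }
    //return the choice values map
    return (answer);
}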

Example 34 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class ISPermission method implies.

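/**
 * Checks if the specified permission's actions are "implied by"
 * this object's actions.
 * <P>
 * The <code>implies</code> method is used by the
 * <code>AccessController</code> to determine whether or not a requested
 * permission is implied by another permission that is known to be valid
 * in the current execution context.
 * <P>
 * The decision is delegated to the policy service: the SSO token is rebuilt
 * from the single {@code SSOTokenPrincipal} of the protection domain and each
 * comma-separated action of {@code perm} is evaluated with a
 * <code>PolicyEvaluator</code> for the permission's service. Every action must
 * be allowed; any missing principal, token failure or evaluation error makes
 * the method return {@code false} (fail closed) and is logged at error level.
 *
 * @param perm the permission to check against.
 *
 * @return true if the specified permission is implied by this object,
 *         false if not. The check is made against the OpenAM's
 *         policy service to determine this evaluation.
 */
public boolean implies(Permission perm) {
    debug.message("ISPermission: implies called");
    boolean allowed = false;
    if (perm instanceof ISPermission) {
        debug.message("ISPermission:passed perm is of type ISPermission");
        if (protectionDomain != null) {
            debug.message("ISPermission:implies:protectionDomain not null");
            if (debug.messageEnabled()) {
                debug.message("ISPermission::implies: protectionDomain:" + protectionDomain.toString());
            }
            final ISPermission requested = (ISPermission) perm;
            final String serviceName = requested.getServiceName();
            final String resourceName = requested.getResourceName();
            final String actions = requested.getActions();
            final Map envParams = requested.getEnvParams();
            if (debug.messageEnabled()) {
                debug.message("ISPermission: resourceName=" + resourceName);
                debug.message("ISPermission: serviceName=" + serviceName);
                debug.message("ISPermission: actions=" + actions);
            }
            SSOTokenPrincipal tokenPrincipal = null;
            try {
                Principal[] principals = protectionDomain.getPrincipals();
                // principals should have only one entry; an empty domain used to
                // surface as an ArrayIndexOutOfBoundsException in the catch-all below.
                if (principals != null && principals.length > 0) {
                    Principal principal = principals[0];
                    // NOTE(review): the name is compared with a class name and the same
                    // getName() is later passed to createSSOToken — confirm this is intended.
                    if (principal.getName().equals("com.sun.identity." + "authentication.service.SSOTokenPrincipal")) {
                        if (debug.messageEnabled()) {
                            debug.message("ISPermission::implies:principals:" + principal.toString());
                        }
                        tokenPrincipal = (SSOTokenPrincipal) principal;
                    }
                }
                if (tokenPrincipal == null) {
                    // Reported at error level unconditionally: without a principal no policy check can run.
                    debug.error("ISPermission::implies:" + " Principal is null");
                } else {
                    SSOTokenManager ssomgr = SSOTokenManager.getInstance();
                    final SSOToken token = ssomgr.createSSOToken(tokenPrincipal.getName());
                    /* TODO currently ISPermission uses remote policy 
                        client API so if this class gets used from server side
                        , will always make remote call, need to make changes 
                        in this code to to make a local/remote call accordingly.
                        */
                    if (policyEvalFactory == null) {
                        policyEvalFactory = PolicyEvaluatorFactory.getInstance();
                    }
                    PolicyEvaluator policyEvaluator = policyEvalFactory.getPolicyEvaluator(serviceName);
                    if (debug.messageEnabled()) {
                        debug.message("ISPermission::implies::created " + "PolicyEvaluator for " + serviceName);
                    }
                    if (actions != null) {
                        StringTokenizer st = new StringTokenizer(actions, ",");
                        while (st.hasMoreTokens()) {
                            String action = st.nextToken();
                            allowed = policyEvaluator.isAllowed(token, resourceName, action, envParams);
                            if (!allowed) {
                                // the final result is not allowed: one denied action denies the permission
                                break;
                            }
                            if (debug.messageEnabled()) {
                                debug.message("ISPermission::result for " + action + " is :" + allowed);
                            }
                        }
                        if (debug.messageEnabled()) {
                            debug.message("ISPermission::result for " + actions + " is :" + allowed);
                        }
                    } else {
                        if (debug.messageEnabled()) {
                            debug.message("ISPermission:: actions is null");
                        }
                    }
                }
            } catch (SSOException ssoe) {
                // Logged with the stack trace through the debug facility instead of printStackTrace().
                debug.error("ISPermission::SSOException:" + ssoe.getMessage(), ssoe);
            } catch (Exception e) {
                // Boundary catch-all: any evaluation failure leaves allowed == false.
                debug.error("ISPermission::Exception:" + e.getMessage(), e);
            }
        } else {
            debug.message("ISPermission:: subject was null");
        }
    }
    if (debug.messageEnabled()) {
        debug.message("ISPermission: allowed::" + allowed);
    }
    return allowed;
}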

Example 35 with SSOToken

use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

the class AuthenticatedSharedAgents method isSharedAgent.

/**
 * Checks whether {@code userName} denotes a shared user/agent in realm
 * {@code rlmName}, returning {@code true} if so.
 *
 * <p>{@code userName} may be a DN, in which case its RDN value is used as the
 * agent name. A positive answer cached under {@code userDNUnivId} in
 * {@code sharedAgentsCache} short-circuits the lookup; otherwise the agent's
 * sub-config is read from the organisation config with an administrative
 * token and its schema id compared with {@code "SharedAgent"}. Lookup
 * failures are logged at warning level and treated as "not shared".
 *
 * @param token the caller's token (not used for the lookup itself)
 * @param userName the user name or DN to check; {@code null} yields {@code false}
 * @param userDNUnivId universal id used as the cache key
 * @param rlmName the realm whose agent configuration is consulted
 * @return {@code true} if the name resolves to a shared agent
 */
protected boolean isSharedAgent(SSOToken token, String userName, String userDNUnivId, String rlmName) {
    boolean shared = false;
    try {
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgents:isSharedAgent:" + "userName = " + userName + " Realm Name = " + rlmName);
        }
        if (userName == null) {
            return false;
        }
        String agentName = LDAPUtils.isDN(userName) ? LDAPUtils.rdnValueFromDn(userName) : userName;
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgents:isSharedAgent:" + "agentName = " + agentName);
        }
        // Check in cache
        boolean cached = (sharedAgentsCache != null) && (!sharedAgentsCache.isEmpty()) && (sharedAgentsCache.contains(userDNUnivId));
        if (cached) {
            return true;
        }
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        ServiceConfig orgConfig = getOrgConfig(adminToken, rlmName);
        // Get the agent's schemaID from the config.
        ServiceConfig agentConfig = orgConfig.getSubConfig(agentName);
        if (agentConfig != null) {
            String agentType = agentConfig.getSchemaID();
            boolean listed = orgConfig.getSubConfigNames().contains(agentName);
            if (listed && agentType.equalsIgnoreCase("SharedAgent")) {
                shared = true;
                updateCache(userDNUnivId);
            }
        }
    } catch (SSOException ssoe) {
        if (debug.warningEnabled()) {
            debug.warning("AuthenticatedSharedAgents.isSharedAgent(): " + "SSOException: " + ssoe);
        }
    } catch (SMSException smse) {
        if (debug.warningEnabled()) {
            debug.warning("AuthenticatedSharedAgents.isSharedAgent(): " + "SMSException: " + smse);
        }
    }
    return shared;
}
