
Example 16 with IdRepoException

Use of com.sun.identity.idm.IdRepoException in the OpenAM project by OpenRock.

From class AuthenticatedSharedAgentsCondition, method getConditionDecision.

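/**
 * Gets the decision computed by this condition object.
 *
 * <p>The caller's identity (realm, name, universal id) is resolved from
 * {@code token}. The requested resource is read from {@code env} under
 * {@link PolicyEvaluator#SUN_AM_ORIGINAL_REQUESTED_RESOURCE}; the agent named
 * in that resource is then compared, via {@code getPermission}, against the
 * set of agents the caller is configured to access (the {@code attributeToRead}
 * attribute of the caller's agent configuration). {@code sharedAgentsCache} is
 * consulted first and refreshed with a freshly read attribute set on a miss.
 *
 * @param token single sign on token of the user
 * @param env request specific environment map of key/value pairs.
 * @return the condition decision. The condition decision encapsulates whether
 *         a policy applies for the request. Policy framework continues
 *         evaluating a policy only if it applies to the request as indicated
 *         by the ConditionDecision. Otherwise, further evaluation of the
 *         policy is skipped. A missing resource entry in {@code env} yields a
 *         negative decision.
 * @throws SSOException if the token is invalid
 * @throws PolicyException if the caller's identity or its agent attributes
 *         cannot be read from the identity repository (wraps the
 *         {@link IdRepoException})
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    boolean allowed = false;
    if (debug.messageEnabled()) {
        debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: " + "called with Token: " + token.getPrincipal().getName() + ", requestedResourcename: " + env.get(PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE));
    }
    String realmName = null;
    String sharedAgentName = null;
    String sharedAgentUnivId = null;
    try {
        AMIdentity id = IdUtils.getIdentity(token);
        realmName = id.getRealm();
        sharedAgentName = id.getName();
        sharedAgentUnivId = id.getUniversalId();
    } catch (SSOException ssoe) {
        // Debug it and rethrow: an invalid token is the caller's error.
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: invalid sso token: " + ssoe.getMessage());
        }
        throw ssoe;
    } catch (IdRepoException ide) {
        // Debug it and throw converted policy exception.
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision IdRepo exception: ", ide);
        }
        throw new PolicyException(ide);
    }
    // Get the resource name from the env
    Object o = env.get(PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE);
    if (debug.messageEnabled()) {
        debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision:" + " name: " + sharedAgentName + " resource: " + o);
    }
    if (o != null) {
        // Resolved independently of the debug level: the previous code only
        // defaulted an unrecognised value to "" when warnings were enabled.
        String resourceName = resourceNameFromEnv(o);
        try {
            Set agentsFromEnv = new HashSet();
            String agentTypeName = IdType.AGENT.getName();
            String agentOnlyTypeName = IdType.AGENTONLY.getName();
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            ServiceConfig orgConfig = getOrgConfig(adminToken, realmName);
            // retVal[0] / retVal[1] are the leading components produced by
            // split(); presumably the agent type and agent name - confirm
            // against split(). NOTE(review): split() is handed resourceName as
            // is, which may be null for an empty Set value - TODO confirm it
            // tolerates null.
            String[] retVal = split(resourceName);
            if ((retVal[0].equalsIgnoreCase(agentTypeName) && retVal[1].equalsIgnoreCase(agentTypeName)) || (retVal[0].equalsIgnoreCase(agentOnlyTypeName) && retVal[1].equalsIgnoreCase(agentOnlyTypeName))) {
                agentsFromEnv.add(retVal[0]);
            }
            if ((!retVal[0].equalsIgnoreCase(agentTypeName)) && (!retVal[0].equalsIgnoreCase(agentOnlyTypeName))) {
                retVal[0] = getAgentNameFromEnv(resourceName);
                if (retVal[0] == null) {
                    // No agent can be identified in the resource: deny.
                    return new ConditionDecision(false);
                }
                if (retVal[0].equalsIgnoreCase(sharedAgentName)) {
                    // The resource names the caller itself: the caller's own
                    // configured agent set stands in for the requested agents.
                    Map envMap = getAttributes(orgConfig, retVal[0]);
                    agentsFromEnv = (Set) envMap.get(attributeToRead);
                } else {
                    agentsFromEnv.add(retVal[0]);
                }
                if (debug.messageEnabled()) {
                    debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: agentsFromEnv: " + agentsFromEnv + "retVal[0] " + retVal[0]);
                }
            }
            // Check in cache: a cached (possibly empty) entry is authoritative
            // and short-circuits the repository read below.
            if ((sharedAgentsCache != null) && (sharedAgentsCache.containsKey(sharedAgentUnivId))) {
                Set agentsfromCache = (Set) sharedAgentsCache.get(sharedAgentUnivId);
                if (agentsfromCache != null && !agentsfromCache.isEmpty()) {
                    allowed = getPermission(agentsFromEnv, agentsfromCache);
                }
                return new ConditionDecision(allowed);
            }
            // If not in cache.
            // Return the attributes for the given agent under
            // default group.
            Map agentsAttrMap = getAttributes(orgConfig, sharedAgentName);
            Set agentsToRead = (Set) agentsAttrMap.get(attributeToRead);
            if (debug.messageEnabled()) {
                debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: agentsToRead: " + agentsToRead);
            }
            if (agentsToRead != null && !agentsToRead.isEmpty()) {
                allowed = getPermission(agentsFromEnv, agentsToRead);
            }
            // Update the cache.
            updateCache(sharedAgentUnivId, agentsToRead);
        } catch (IdRepoException idpe) {
            debug.error("AuthenticatedSharedAgentsCondition." + "getConditionDecision(): Unable to read agent" + " attributes for " + sharedAgentName, idpe);
            throw new PolicyException(idpe);
        }
    }
    return new ConditionDecision(allowed);
}

/**
 * Extracts the requested resource name from the environment entry.
 *
 * @param value the non-null value stored under
 *        {@code PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE}
 * @return the value itself when it is a {@code String}; the first element of a
 *         non-empty {@code Set}; {@code null} for an empty {@code Set}; and the
 *         empty string (with a warning logged) for any other type
 */
private String resourceNameFromEnv(Object value) {
    if (value instanceof String) {
        return (String) value;
    }
    if (value instanceof Set) {
        Set values = (Set) value;
        return values.isEmpty() ? null : (String) values.iterator().next();
    }
    if (debug.warningEnabled()) {
        debug.warning("AuthenticatedSharedAgentsCondition." + "getConditionDecision: Unable to get resource name");
    }
    return "";
}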

Example 17 with IdRepoException

Use of com.sun.identity.idm.IdRepoException in the OpenAM project by OpenRock.

From class AMIdentityMembershipCondition, method isMember.

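/**
 * Determines if the identity referred to by {@code invocatorUuid} is a member
 * of any of the identities named in {@code nameValues}.
 *
 * <p>Each name value is resolved to an {@code AMIdentity} with the admin token,
 * as is the invocator. They match when both identities are equal, or when the
 * named identity's type can have members of the invocator's type and
 * {@code invocatorIdentity.isMember(nameValueIdentity)} holds. The scan stops
 * at the first match.
 *
 * @param invocatorUuid universal id of the invoking identity; {@code null}
 *        yields {@code false}
 * @return {@code true} if the invocator matches one of the name values;
 *         {@code false} otherwise (including when {@code nameValues} is empty
 *         or either identity cannot be resolved)
 * @exception SSOException if the admin SSO token is not valid
 * @exception PolicyException if an error occurred while checking membership
 *            (wraps the underlying {@code IdRepoException})
 */
private boolean isMember(String invocatorUuid) throws SSOException, PolicyException {
    boolean subjectMatch = false;
    if (invocatorUuid == null) {
        if (DEBUG.warningEnabled()) {
            DEBUG.warning("AMIdentityMembershipCondition.isMember():" + "invocatorUuid is null");
            DEBUG.warning("AMIdentityMembershipCondition.isMember():" + "returning false");
        }
        return false;
    }
    if (DEBUG.messageEnabled()) {
        // Trace output gated by messageEnabled() is emitted at message level;
        // it was previously written through warning().
        DEBUG.message("AMIdentityMembershipCondition.isMember():" + "invocatorUuid:" + invocatorUuid);
    }
    if (!nameValues.isEmpty()) {
        Iterator valueIter = nameValues.iterator();
        while (valueIter.hasNext()) {
            String nameValue = (String) valueIter.next();
            if (DEBUG.messageEnabled()) {
                DEBUG.message("AMIndentityMembershipCondition.isMember(): " + "checking membership with nameValue = " + nameValue + ", invocatorUuid = " + invocatorUuid);
            }
            try {
                AMIdentity invocatorIdentity = IdUtils.getIdentity(getAdminToken(), invocatorUuid);
                if (invocatorIdentity == null) {
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("AMidentityMembershipCondition.isMember():" + "invocatorIdentity is null for " + "invocatorUuid = " + invocatorUuid);
                        DEBUG.message("AMidentityMembershipCondition.isMember():" + "returning false");
                    }
                    return false;
                }
                AMIdentity nameValueIdentity = IdUtils.getIdentity(getAdminToken(), nameValue);
                if (nameValueIdentity == null) {
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("AMidentityMembershipCondition.isMember():" + "nameValueidentity is null for " + "nameValue = " + nameValue);
                        DEBUG.message("AMidentityMembershipCondition.isMember():" + "returning false");
                    }
                    return false;
                }
                IdType invocatorIdType = invocatorIdentity.getType();
                IdType nameValueIdType = nameValueIdentity.getType();
                Set allowedMemberTypes = null;
                if (invocatorIdentity.equals(nameValueIdentity)) {
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("AMidentityMembershipCondition.isMember():" + "invocatorIdentity equals " + " nameValueIdentity:" + "membership=true");
                    }
                    subjectMatch = true;
                } else if (((allowedMemberTypes = nameValueIdType.canHaveMembers()) != null) && allowedMemberTypes.contains(invocatorIdType)) {
                    // Only consult the repository when the type pairing can
                    // express membership at all.
                    subjectMatch = invocatorIdentity.isMember(nameValueIdentity);
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("AMIdentityMembershipCondition.isMember():" + "invocatorIdentityType " + invocatorIdType + " can be a member of " + " nameValueIdentityType " + nameValueIdType + ":membership=" + subjectMatch);
                    }
                } else {
                    subjectMatch = false;
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("AMIdentityMembershipCondition.isMember():" + "invocatoridentityType " + invocatorIdType + " can be a member of " + " nameValueIdentityType " + nameValueIdType + ":membership=" + subjectMatch);
                    }
                }
                if (subjectMatch) {
                    break;
                }
            } catch (IdRepoException ire) {
                // A repository failure is not treated as "not a member"; it is
                // surfaced to the policy framework with both ids for context.
                DEBUG.warning("AMidentityMembershipCondition.isMember():" + "can not check membership for invocator " + invocatorUuid + ", nameValue " + nameValue, ire);
                String[] args = { invocatorUuid, nameValue };
                throw (new PolicyException(ResBundleUtils.rbName, "am_id_subject_membership_evaluation_error", args, ire));
            }
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AMIdentityMembershipCondition.isMember():" + "invocatorUuidr=" + invocatorUuid + ",nameValues=" + nameValues + ",subjectMatch=" + subjectMatch);
    }
    return subjectMatch;
}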

Example 18 with IdRepoException

Use of com.sun.identity.idm.IdRepoException in the OpenAM project by OpenRock.

From class AuthenticatedAgents, method isMember.

/**
 * Determines if the agent belongs to the <code>AuthenticatedAgents</code>
 * object.
 *
 * <p>A token is a member when it is present, valid, and resolves to an identity
 * of type {@code IdType.AGENT}. A valid token of any other identity type is a
 * member only if {@code isSpecialUser} accepts its principal name. A failure to
 * resolve the identity is logged and reported as non-membership.
 *
 * @param token SSOToken of the agent
 * @return <code>true</code> if the agent SSOToken is valid and belongs to an
 *         agent (or a special user); <code>false</code> otherwise.
 * @exception SSOException if error occurs while validating the token.
 */
public boolean isMember(SSOToken token) throws SSOException {
    if (token == null || !SSOTokenManager.getInstance().isValidToken(token)) {
        return false;
    }
    try {
        AMIdentity amId = IdUtils.getIdentity(token);
        IdType idType = amId.getType();
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedAgents:isMember:idType = " + idType + ", amId.getName() = " + amId.getName());
        }
        if (idType.equals(IdType.AGENT)) {
            return true;
        }
        // Not an agent identity: membership falls back to the special-user check.
        return isSpecialUser(token.getPrincipal().getName());
    } catch (IdRepoException ire) {
        debug.error("AuthenticatedAgents:isMember:IdRepoException:msg = " + ire.getMessage());
        return false;
    }
}

Example 19 with IdRepoException

Use of com.sun.identity.idm.IdRepoException in the OpenAM project by OpenRock.

From class AuthenticatedSharedAgents, method isMember.

/**
 * Determines if the agent belongs to the <code>AuthenticatedSharedAgents</code>
 * object.
 *
 * <p>Membership requires a present and valid token whose identity has a
 * non-null name and is of type {@code IdType.AGENT} or {@code IdType.AGENTONLY},
 * and for which {@code isSharedAgent} confirms shared-agent status in the
 * identity's realm. Identity lookup failures are logged and treated as
 * non-membership.
 *
 * @param token SSOToken of the agent
 * @return <code>true</code> if the agent SSOToken is valid and the identity is
 *         a shared agent; <code>false</code> otherwise.
 * @exception SSOException if error occurs while validating the token.
 */
public boolean isMember(SSOToken token) throws SSOException {
    if (token == null || !SSOTokenManager.getInstance().isValidToken(token)) {
        return false;
    }
    boolean shared = false;
    try {
        AMIdentity amId = IdUtils.getIdentity(token);
        IdType idType = amId.getType();
        String userDN = amId.getName();
        String userDNUnivId = amId.getUniversalId();
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgents:isMember:" + "idType = " + idType + ", userDN = " + userDN);
        }
        // The type test is only reached for a non-null name, as before.
        if (userDN == null || !(idType.equals(IdType.AGENT) || idType.equals(IdType.AGENTONLY))) {
            if (debug.messageEnabled()) {
                debug.message("AuthenticatedSharedAgents.isMember():" + "userDN is null or invalid IdType " + userDN + "IdType :" + idType);
                debug.message("AuthenticatedSharedAgents.isMember():" + "returning false");
            }
            return false;
        }
        String rlmName = amId.getRealm();
        shared = isSharedAgent(token, userDN, userDNUnivId, rlmName);
        if (debug.messageEnabled()) {
            if (shared) {
                debug.message("AuthenticatedSharedAgents:isMember:" + "YES");
            } else {
                debug.message("AuthenticatedSharedAgents:isMember:" + "NO");
            }
        }
    } catch (IdRepoException ire) {
        // Repository failure: fail closed.
        debug.error("AuthenticatedSharedAgents:isMember:" + " IdRepoException:msg = " + ire.getMessage());
        return false;
    }
    return shared;
}

Example 20 with IdRepoException

Use of com.sun.identity.idm.IdRepoException in the OpenAM project by OpenRock.

From class FSDefaultSPAdapter, method postSSOFederationSuccess.

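/**
 * Invokes this method after the successful Single Sign-On or Federation.
 *
 * <p>When the authentication request asked for a federated name identifier,
 * this implementation extracts the name identifier from the first assertion's
 * authentication statement and searches the user repository of the token's
 * organization for every user whose
 * {@code iplanet-am-user-federation-info-key} attribute holds the
 * {@code |hostedEntityID|nameId|} key. If more than one user is found, the
 * federation record is removed from each of them except the user bound to
 * {@code ssoToken}, so that the name identifier maps to a single local
 * account. Account, repository and SSO failures during this cleanup are
 * logged at warning level and do not fail the SSO.
 *
 * @param hostedEntityID provider ID for the hosted SP
 * @param request servlet request
 * @param response servlet response
 * @param ssoToken user's SSO token
 * @param authnRequest the original authentication request sent from SP
 * @param authnResponse response from IDP if Browser POST or LECP profile
 *        is used for the request, value will be null if Browser Artifact
 *        profile is used.
 * @param samlResponse response from IDP if Browser Artifact profile is used
 *        for the request, value will be null if Browser POST or LECP
 *        profile is used.
 * @exception FederationException if user want to fail the process.
 * @return true if browser redirection happened, false otherwise. This
 *         implementation never redirects and always returns false.
 */
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        // Constant-first comparison: a request without a NameIDPolicy is
        // treated as non-federation rather than raising NullPointerException.
        if (IFSConstants.NAME_ID_POLICY_FEDERATED.equals(nameIDPolicy)) {
            isFederation = true;
        }
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (isFederation && adminToken != null) {
        try {
            // get name Identifier
            String nameId = null;
            List assertions = null;
            String idpEntityId = null;
            if (authnResponse != null) {
                // POST profile
                assertions = authnResponse.getAssertion();
                idpEntityId = authnResponse.getProviderId();
            } else if (samlResponse != null) {
                // Artifact profile
                assertions = samlResponse.getAssertion();
            }
            if (assertions == null || assertions.isEmpty()) {
                // Neither response carried an assertion; nothing to federate.
                FSUtils.debug.warning("FSDefaultSPAdapter.postSSOFederationSuccess: no assertion in response");
                return false;
            }
            FSAssertion assertion = (FSAssertion) assertions.iterator().next();
            if (idpEntityId == null) {
                idpEntityId = assertion.getIssuer();
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
            }
            // Only the first authentication statement is examined.
            Iterator stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    FSSubject subject = (FSSubject) authStatement.getSubject();
                    // Prefer the IDP-provided identifier, fall back to the subject's own.
                    NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
                    if (ni == null) {
                        ni = subject.getNameIdentifier();
                    }
                    if (ni != null) {
                        nameId = ni.getName();
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
                    }
                    break;
                }
            }
            if (nameId == null) {
                FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
                return false;
            }
            // NOTE(review): nameId originates from the IdP-issued assertion and
            // is embedded in a repository search modifier below - confirm that
            // searchIdentities escapes attribute-value metacharacters when it
            // builds the underlying query.
            Map map = new HashMap();
            Set set = new HashSet();
            set.add("|" + hostedEntityID + "|" + nameId + "|");
            map.put("iplanet-am-user-federation-info-key", set);
            AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
            IdSearchControl searchControl = new IdSearchControl();
            searchControl.setTimeOut(0);
            searchControl.setMaxResults(0);
            searchControl.setAllReturnAttributes(false);
            searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
            IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
            Set amIdSet = searchResults.getSearchResults();
            if (amIdSet.size() > 1) {
                String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
                }
                String metaAlias = null;
                try {
                    IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
                    SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
                    if (spConfig != null) {
                        metaAlias = spConfig.getMetaAlias();
                    }
                } catch (IDFFMetaException ie) {
                    // A missing meta alias is tolerated: the account manager is
                    // still obtained with metaAlias == null.
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
                    }
                }
                FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
                FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
                // previous federation exists with different users
                Iterator it = amIdSet.iterator();
                while (it.hasNext()) {
                    AMIdentity amId = (AMIdentity) it.next();
                    // compare with the SSO token
                    String tmpUnivId = IdUtils.getUniversalId(amId);
                    if (univId.equalsIgnoreCase(tmpUnivId)) {
                        continue;
                    }
                    // remove federation information for this user
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
                    }
                    accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
                }
            }
        } catch (FSAccountMgmtException f) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
        } catch (IdRepoException i) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
        } catch (SSOException e) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
        }
    }
    return false;
}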
