Example 1 with Decision
use of com.sun.identity.xacml.context.Decision in project OpenAM by OpenRock.
the class XACMLAuthzDecisionQueryHandler method handleQuery.
/**
* Processes an XACMLAuthzDecisionQuery and retruns a SAML2 Response.
*
* @param pdpEntityId EntityID of PDP
* @param pepEntityId EntityID of PEP
* @param samlpRequest SAML2 Request, an XAMLAuthzDecisionQuery
* @param soapMessage SOAPMessage that carried the SAML2 Request
* @return SAML2 Response with an XAMLAuthzDecisionStatement
* @exception SAML2Exception if the query can not be handled
*/
public com.sun.identity.saml2.protocol.Response handleQuery(String pdpEntityId, String pepEntityId, RequestAbstract samlpRequest, SOAPMessage soapMessage) throws SAML2Exception {
//TODO: logging, i18n
//TODO: long term, allow different mapper impls for different
//combination of pdp, pep
SubjectMapper subjectMapper = new FMSubjectMapper();
subjectMapper.initialize(pdpEntityId, pepEntityId, null);
ResourceMapper resourceMapper = new FMResourceMapper();
resourceMapper.initialize(pdpEntityId, pepEntityId, null);
ActionMapper actionMapper = new FMActionMapper();
actionMapper.initialize(pdpEntityId, pepEntityId, null);
EnvironmentMapper environmentMapper = new FMEnvironmentMapper();
environmentMapper.initialize(pdpEntityId, pepEntityId, null);
ResultMapper resultMapper = new FMResultMapper();
resultMapper.initialize(pdpEntityId, pepEntityId, null);
boolean evaluationFailed = false;
String statusCodeValue = null;
if (XACMLSDKUtils.debug.messageEnabled()) {
XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), entering" + ":pdpEntityId=" + pdpEntityId + ":pepEntityId=" + pepEntityId + ":samlpRequest=\n" + samlpRequest.toXMLString(true, true) + ":soapMessage=\n" + soapMessage);
}
Request xacmlRequest = ((XACMLAuthzDecisionQuery) samlpRequest).getRequest();
boolean returnContext = ((XACMLAuthzDecisionQuery) samlpRequest).getReturnContext();
SSOToken ssoToken = null;
String resourceName = null;
String serviceName = null;
String actionName = null;
Map environment = null;
boolean booleanDecision = false;
try {
//get native sso token
ssoToken = (SSOToken) subjectMapper.mapToNativeSubject(xacmlRequest.getSubjects());
if (ssoToken == null) {
//TODO: log message and fill missing attribute details
statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
evaluationFailed = true;
} else {
if (XACMLSDKUtils.debug.messageEnabled()) {
XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery()," + "created ssoToken");
}
}
if (ssoToken != null) {
//get native service name, resource name
List resources = xacmlRequest.getResources();
Resource resource = null;
if (!resources.isEmpty()) {
//We deal with only one resource for now
resource = (Resource) resources.get(0);
}
if (resource != null) {
String[] resourceService = resourceMapper.mapToNativeResource(resource);
if (resourceService != null) {
if (resourceService.length > 0) {
resourceName = resourceService[0];
}
if (resourceService.length > 1) {
serviceName = resourceService[1];
}
}
}
if (resourceName == null) {
//TODO: log message and fill missing attribute details
statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
evaluationFailed = true;
}
if (serviceName == null) {
//TODO: log message and fill missing attribute details
throw new SAML2Exception(XACMLSDKUtils.xacmlResourceBundle.getString("missing_attribute"));
}
}
if (serviceName != null) {
//get native action name
if (serviceName != null) {
actionName = actionMapper.mapToNativeAction(xacmlRequest.getAction(), serviceName);
}
if (actionName == null) {
//TODO: log message and fill missing attribute details
statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
evaluationFailed = true;
}
}
//get environment map
/*
environment = environmentMapper.mapToNativeEnvironment(
xacmlRequest.getEnvironment(),
xacmlRequest.getSubjects());
*/
} catch (XACMLException xe) {
statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
evaluationFailed = true;
if (XACMLSDKUtils.debug.warningEnabled()) {
XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", xe);
}
}
//get native policy deicison using native policy evaluator
if (!evaluationFailed) {
try {
PolicyEvaluator pe = new PolicyEvaluator(serviceName);
booleanDecision = pe.isAllowed(ssoToken, resourceName, actionName, environment);
} catch (SSOException ssoe) {
if (XACMLSDKUtils.debug.warningEnabled()) {
XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", ssoe);
}
evaluationFailed = true;
} catch (PolicyException pe) {
if (XACMLSDKUtils.debug.warningEnabled()) {
XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", pe);
}
evaluationFailed = true;
}
}
//decision: Indeterminate, Deny, Permit, NotApplicable
//status code: missing_attribute, syntax_error, processing_error, ok
Decision decision = ContextFactory.getInstance().createDecision();
Status status = ContextFactory.getInstance().createStatus();
StatusCode code = ContextFactory.getInstance().createStatusCode();
StatusMessage message = ContextFactory.getInstance().createStatusMessage();
StatusDetail detail = ContextFactory.getInstance().createStatusDetail();
detail.getElement().insertBefore(detail.getElement().cloneNode(true), null);
if (evaluationFailed) {
decision.setValue(XACMLConstants.INDETERMINATE);
if (statusCodeValue == null) {
statusCodeValue = XACMLConstants.STATUS_CODE_PROCESSING_ERROR;
}
code.setValue(statusCodeValue);
//TODO: i18n
message.setValue("processing_error");
} else if (booleanDecision) {
decision.setValue(XACMLConstants.PERMIT);
code.setValue(XACMLConstants.STATUS_CODE_OK);
//TODO: i18n
message.setValue("ok");
} else {
decision.setValue(XACMLConstants.DENY);
code.setValue(XACMLConstants.STATUS_CODE_OK);
//TODO: i18n
message.setValue("ok");
}
Result result = ContextFactory.getInstance().createResult();
String resourceId = resourceName;
List resources = xacmlRequest.getResources();
Resource resource = null;
if (!resources.isEmpty()) {
//We deal with only one resource for now
resource = (Resource) resources.get(0);
if (resource != null) {
List attributes = resource.getAttributes();
if (attributes != null) {
for (int count = 0; count < attributes.size(); count++) {
Attribute attr = (Attribute) attributes.get(count);
if (attr != null) {
URI tmpURI = attr.getAttributeId();
if (tmpURI.toString().equals(XACMLConstants.RESOURCE_ID)) {
Element element = (Element) attr.getAttributeValues().get(0);
resourceId = XMLUtils.getElementValue(element);
break;
}
}
}
}
}
}
result.setResourceId(resourceId);
result.setDecision(decision);
status.setStatusCode(code);
status.setStatusMessage(message);
status.setStatusDetail(detail);
result.setStatus(status);
Response response = ContextFactory.getInstance().createResponse();
response.addResult(result);
XACMLAuthzDecisionStatement statement = ContextFactory.getInstance().createXACMLAuthzDecisionStatement();
statement.setResponse(response);
if (returnContext) {
statement.setRequest(xacmlRequest);
}
com.sun.identity.saml2.protocol.Response samlpResponse = createSamlpResponse(statement, status.getStatusCode().getValue());
if (XACMLSDKUtils.debug.messageEnabled()) {
XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), returning" + ":samlResponse=\n" + samlpResponse.toXMLString(true, true));
}
return samlpResponse;
}
Also used :
SSOToken(com.iplanet.sso.SSOToken)
Attribute(com.sun.identity.xacml.context.Attribute)
Element(org.w3c.dom.Element)
SSOException(com.iplanet.sso.SSOException)
StatusCode(com.sun.identity.xacml.context.StatusCode)
URI(java.net.URI)
Result(com.sun.identity.xacml.context.Result)
ResourceResult(com.sun.identity.policy.ResourceResult)
ActionMapper(com.sun.identity.xacml.spi.ActionMapper)
XACMLAuthzDecisionStatement(com.sun.identity.xacml.saml2.XACMLAuthzDecisionStatement)
PolicyEvaluator(com.sun.identity.policy.PolicyEvaluator)
SubjectMapper(com.sun.identity.xacml.spi.SubjectMapper)
PolicyException(com.sun.identity.policy.PolicyException)
ResourceMapper(com.sun.identity.xacml.spi.ResourceMapper)
ArrayList(java.util.ArrayList)
List(java.util.List)
Status(com.sun.identity.xacml.context.Status)
Request(com.sun.identity.xacml.context.Request)
Resource(com.sun.identity.xacml.context.Resource)
EnvironmentMapper(com.sun.identity.xacml.spi.EnvironmentMapper)
Decision(com.sun.identity.xacml.context.Decision)
XACMLException(com.sun.identity.xacml.common.XACMLException)
StatusMessage(com.sun.identity.xacml.context.StatusMessage)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Response(com.sun.identity.xacml.context.Response)
ResultMapper(com.sun.identity.xacml.spi.ResultMapper)
StatusDetail(com.sun.identity.xacml.context.StatusDetail)
XACMLAuthzDecisionQuery(com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery)
Map(java.util.Map)
Example 2 with Decision
use of com.sun.identity.xacml.context.Decision in project OpenAM by OpenRock.
the class XACMLQueryUtil method getPolicyDecisionForFedlet.
/**
* Sends the XACML query to specifiied PDP, gets the policy decision
* and sends it back to the Fedlet
*
* @param request HTTP Servlet Request
* @param pepEntityID PEP entity ID
* @param pdpEntityID PDP entity ID
* @param nameIDValue NameID value
* @param serviceName Service Name
* @param resource Resource URL
* @param action Action
*
* @return the <code>String</code> object
* @exception SAML2Exception if the operation is not successful
*
* @supported.api
*/
public static String getPolicyDecisionForFedlet(HttpServletRequest request, String pepEntityID, String pdpEntityID, String nameIDValue, String serviceName, String resource, String action) throws SAML2Exception {
Request Xrequest = ContextFactory.getInstance().createRequest();
Response xacmlResponse = null;
try {
//Subject
Subject subject = ContextFactory.getInstance().createSubject();
subject.setSubjectCategory(new URI(XACMLConstants.ACCESS_SUBJECT));
//set subject id
Attribute attribute = ContextFactory.getInstance().createAttribute();
attribute.setAttributeId(new URI(XACMLConstants.SUBJECT_ID));
attribute.setDataType(new URI(XACMLConstants.SAML2_NAMEID));
List valueList = new ArrayList();
valueList.add(nameIDValue);
attribute.setAttributeStringValues(valueList);
List attributeList = new ArrayList();
attributeList.add(attribute);
subject.setAttributes(attributeList);
// Set Subject in Request
List subjectList = new ArrayList();
subjectList.add(subject);
Xrequest.setSubjects(subjectList);
// Resource
Resource xacml_resource = ContextFactory.getInstance().createResource();
// Set resource id
attribute = ContextFactory.getInstance().createAttribute();
attribute.setAttributeId(new URI(XACMLConstants.RESOURCE_ID));
attribute.setDataType(new URI(XACMLConstants.XS_STRING));
valueList = new ArrayList();
valueList.add(resource);
attribute.setAttributeStringValues(valueList);
attributeList = new ArrayList();
attributeList.add(attribute);
// Set serviceName
attribute = ContextFactory.getInstance().createAttribute();
attribute.setAttributeId(new URI(XACMLConstants.TARGET_SERVICE));
attribute.setDataType(new URI(XACMLConstants.XS_STRING));
valueList = new ArrayList();
valueList.add(serviceName);
attribute.setAttributeStringValues(valueList);
attributeList.add(attribute);
xacml_resource.setAttributes(attributeList);
// Set Resource in Request
List resourceList = new ArrayList();
resourceList.add(xacml_resource);
Xrequest.setResources(resourceList);
// Action
Action xacml_action = ContextFactory.getInstance().createAction();
attribute = ContextFactory.getInstance().createAttribute();
attribute.setAttributeId(new URI(XACMLConstants.ACTION_ID));
attribute.setDataType(new URI(XACMLConstants.XS_STRING));
// Set actionID
valueList = new ArrayList();
valueList.add(action);
attribute.setAttributeStringValues(valueList);
attributeList = new ArrayList();
attributeList.add(attribute);
xacml_action.setAttributes(attributeList);
// Set Action in Request
Xrequest.setAction(xacml_action);
Environment environment = ContextFactory.getInstance().createEnvironment();
Xrequest.setEnvironment(environment);
xacmlResponse = XACMLRequestProcessor.getInstance().processRequest(Xrequest, pdpEntityID, pepEntityID);
if (xacmlResponse != null) {
List results = xacmlResponse.getResults();
if (results.size() > 0) {
Result policy_result = (Result) results.get(0);
if (policy_result != null) {
Decision decision = (Decision) policy_result.getDecision();
if (decision != null) {
String policy_decision = decision.getValue();
if (policy_decision != null) {
return policy_decision;
}
}
}
}
}
} catch (URISyntaxException uriexp) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("XACMLQueryUtil." + "getPolicyDecisionForFedlet: " + "URI Exception while sending the XACML Request");
}
} catch (XACMLException xacmlexp) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("XACMLQueryUtil." + "getPolicyDecisionForFedlet: " + "Error while processing the XACML Response");
}
}
return null;
}
Also used :
Action(com.sun.identity.xacml.context.Action)
Attribute(com.sun.identity.xacml.context.Attribute)
Request(com.sun.identity.xacml.context.Request)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ArrayList(java.util.ArrayList)
Resource(com.sun.identity.xacml.context.Resource)
URISyntaxException(java.net.URISyntaxException)
URI(java.net.URI)
Subject(com.sun.identity.xacml.context.Subject)
Decision(com.sun.identity.xacml.context.Decision)
Result(com.sun.identity.xacml.context.Result)
XACMLException(com.sun.identity.xacml.common.XACMLException)
Response(com.sun.identity.xacml.context.Response)
Environment(com.sun.identity.xacml.context.Environment)
ArrayList(java.util.ArrayList)
List(java.util.List)
Aggregations
XACMLException (com.sun.identity.xacml.common.XACMLException)2
Attribute (com.sun.identity.xacml.context.Attribute)2
Decision (com.sun.identity.xacml.context.Decision)2
Request (com.sun.identity.xacml.context.Request)2
Resource (com.sun.identity.xacml.context.Resource)2
Response (com.sun.identity.xacml.context.Response)2
Result (com.sun.identity.xacml.context.Result)2
URI (java.net.URI)2
ArrayList (java.util.ArrayList)2
List (java.util.List)2
SSOException (com.iplanet.sso.SSOException)1
SSOToken (com.iplanet.sso.SSOToken)1
PolicyEvaluator (com.sun.identity.policy.PolicyEvaluator)1
PolicyException (com.sun.identity.policy.PolicyException)1
ResourceResult (com.sun.identity.policy.ResourceResult)1
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)1
Action (com.sun.identity.xacml.context.Action)1
Environment (com.sun.identity.xacml.context.Environment)1
Status (com.sun.identity.xacml.context.Status)1
StatusCode (com.sun.identity.xacml.context.StatusCode)1
