Example 1 with DelegationEvaluator

Use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

From the class DelegationConfigNode, method hasPermission.

boolean hasPermission(String realmName, String serviceName, String action, SSOToken ssoToken) throws DelegationException {
    // No realm given: fall back to the realm of the caller's own session.
    if (realmName == null) {
        try {
            realmName = DNMapper.orgNameToRealmName(ssoToken.getProperty(Constants.ORGANIZATION));
        } catch (SSOException e) {
            throw new DelegationException(e);
        }
    }
    DelegationEvaluator delegationEvaluator = new DelegationEvaluatorImpl();
    DelegationPermission delegationPermission = getDelegationPermission(realmName, action);
    // Default deny: only an explicit successful isAllowed() call flips this to true.
    boolean allowed = false;
    if (serviceName != null) {
        // A specific service was requested: evaluate the permission against that service only.
        allowed = isAllowed(delegationEvaluator, delegationPermission, ssoToken, serviceName);
    } else {
        // No service named: the caller is allowed if it holds the MODIFY permission
        // on any of the services in the configured permission set. Stop at the first hit.
        Set actions = (Set) permissions.get(AMAdminConstants.PERMISSION_MODIFY);
        for (Iterator i = actions.iterator(); i.hasNext() && !allowed; ) {
            allowed = isAllowed(delegationEvaluator, delegationPermission, ssoToken, (String) i.next());
        }
    }
    return allowed;
}
Also used : DelegationEvaluatorImpl(com.sun.identity.delegation.DelegationEvaluatorImpl) Set(java.util.Set) HashSet(java.util.HashSet) Iterator(java.util.Iterator) DelegationEvaluator(com.sun.identity.delegation.DelegationEvaluator) SSOException(com.iplanet.sso.SSOException) DelegationException(com.sun.identity.delegation.DelegationException) DelegationPermission(com.sun.identity.delegation.DelegationPermission)

Example 2 with DelegationEvaluator

Use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

From the class SessionService, method hasTopLevelAdminRole.

/**
 * Returns true if the user has top level admin role
 *
 * @param tokenUsedForSearch Single Sign on token used to do the search.
 * @param clientID           Client ID of the login user.
 * @throws SessionException
 * @throws SSOException
 */
private boolean hasTopLevelAdminRole(SSOToken tokenUsedForSearch, String clientID) throws SessionException, SSOException {
    boolean topLevelAdmin = false;
    // Top level admin means holding READ, MODIFY and DELEGATE on everything below the root realm.
    Set actions = CollectionUtils.asSet(PERMISSION_READ, PERMISSION_MODIFY, PERMISSION_DELEGATE);
    try {
        // Realm "/", with wildcards for service name, version, config type and sub-config name.
        DelegationPermission perm = new DelegationPermission("/", "*", "*", "*", "*", actions, Collections.EMPTY_MAP);
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        topLevelAdmin = evaluator.isAllowed(tokenUsedForSearch, perm, Collections.EMPTY_MAP);
    } catch (DelegationException de) {
        // Fail closed: the error is logged and topLevelAdmin stays false.
        sessionDebug.error("SessionService.hasTopLevelAdminRole: failed to check the delegation permission.", de);
    }
    return topLevelAdmin;
}
Also used : DelegationEvaluatorImpl(com.sun.identity.delegation.DelegationEvaluatorImpl) Set(java.util.Set) HashSet(java.util.HashSet) DelegationEvaluator(com.sun.identity.delegation.DelegationEvaluator) DelegationException(com.sun.identity.delegation.DelegationException) DelegationPermission(com.sun.identity.delegation.DelegationPermission)

Example 3 with DelegationEvaluator

Use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

From the class XACMLUtils, method hasPermission.

public static boolean hasPermission(String realm, SSOToken adminToken, String action) {
    try {
        DelegationEvaluator de = new DelegationEvaluatorImpl();
        // Permission on the "policies" sub-configuration of the "rest" service (version 1.0)
        // in the given realm; the requested action is both the config name and the action set.
        DelegationPermission dp = new DelegationPermission(realm, "rest", "1.0", "policies", action, asSet(action), Collections.<String, String>emptyMap());
        return de.isAllowed(adminToken, dp, Collections.EMPTY_MAP);
    } catch (DelegationException de) {
        // Fail closed on evaluation errors and on an invalid or expired token.
        DEBUG.error("XACMLUtils.hasPermission", de);
        return false;
    } catch (SSOException ssoe) {
        DEBUG.error("XACMLUtils.hasPermission", ssoe);
        return false;
    }
}
Also used : DelegationEvaluatorImpl(com.sun.identity.delegation.DelegationEvaluatorImpl) DelegationEvaluator(com.sun.identity.delegation.DelegationEvaluator) DelegationException(com.sun.identity.delegation.DelegationException) SSOException(com.iplanet.sso.SSOException) DelegationPermission(com.sun.identity.delegation.DelegationPermission)

Example 4 with DelegationEvaluator

Use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

From the class IdServicesImpl, method checkPermission.

private boolean checkPermission(SSOToken token, String realm, String name, Set attrs, IdOperation op, IdType type) throws IdRepoException, SSOException {
    if (!ServiceManager.isConfigMigratedTo70()) {
        // in coexistence mode. Do not perform any delegation check
        return true;
    }
    Set thisAction = null;
    if (op.equals(IdOperation.READ)) {
        // thisAction = readAction;
        // TODO This is a temporary fix where-in all users are
        // being allowed read permissions, till delegation component
        // is fixed to support "user self read" operations
        thisAction = READ_ACTION;
    } else {
        // Every non-READ operation (create, edit, delete, service) is checked as a write.
        thisAction = WRITE_ACTION;
    }
    try {
        DelegationEvaluator de = new DelegationEvaluatorImpl();
        // Resource is the identity type, optionally narrowed to one identity: e.g. "user" or "user/<name>".
        String resource = type.getName();
        if (name != null) {
            resource += "/" + name;
        }
        DelegationPermission dp = new DelegationPermission(realm, IdConstants.REPO_SERVICE, "1.0", "application", resource, thisAction, Collections.EMPTY_MAP);
        // The attributes being read or written are passed in the environment map so
        // delegation policies can restrict access per attribute.
        Map envMap = Collections.EMPTY_MAP;
        if (attrs != null) {
            envMap = new HashMap();
            envMap.put(DELEGATION_ATTRS_NAME, attrs);
        }
        if (!de.isAllowed(token, dp, envMap)) {
            Object[] args = { op.getName(), token.getPrincipal().getName() };
            throw new IdRepoException(IdRepoBundle.BUNDLE_NAME, IdRepoErrorCode.ACCESS_DENIED, args);
        }
        return true;
    } catch (DelegationException dex) {
        // Fail closed: an evaluation error is reported to the caller as ACCESS_DENIED.
        DEBUG.error("IdServicesImpl.checkPermission Got Delegation Exception: ", dex);
        Object[] args = { op.getName(), token.getPrincipal().getName() };
        throw new IdRepoException(IdRepoBundle.BUNDLE_NAME, IdRepoErrorCode.ACCESS_DENIED, args);
    }
}
Also used : DelegationEvaluatorImpl(com.sun.identity.delegation.DelegationEvaluatorImpl) Set(java.util.Set) OrderedSet(com.sun.identity.shared.datastruct.OrderedSet) CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) HashSet(java.util.HashSet) AMHashMap(com.iplanet.am.sdk.AMHashMap) HashMap(java.util.HashMap) CaseInsensitiveHashMap(com.sun.identity.common.CaseInsensitiveHashMap) IdRepoException(com.sun.identity.idm.IdRepoException) DelegationEvaluator(com.sun.identity.delegation.DelegationEvaluator) DelegationException(com.sun.identity.delegation.DelegationException) Map(java.util.Map) AMHashMap(com.iplanet.am.sdk.AMHashMap) HashMap(java.util.HashMap) CaseInsensitiveHashMap(com.sun.identity.common.CaseInsensitiveHashMap) DelegationPermission(com.sun.identity.delegation.DelegationPermission)

Example 5 with DelegationEvaluator

Use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

From the class SSOTokenAuthZ, method doFilter.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    int statusCode = HttpServletResponse.SC_OK;
    String statusMessage = null;
    Principal clientPrincipal = ((HttpServletRequest) request).getUserPrincipal();
    if (clientPrincipal instanceof ISubjectable) {
        try {
            Subject clientSubject = ((ISubjectable) clientPrincipal).createSubject();
            DelegationEvaluator eval = new DelegationEvaluatorImpl();
            SSOToken token = SubjectUtils.getSSOToken(clientSubject);
            // The HTTP method (GET, POST, ...) is mapped to a delegation action; unmapped methods are rejected.
            String action = mapMethodToAction.get(((HttpServletRequest) request).getMethod());
            if (action == null) {
                statusCode = HttpServletResponse.SC_UNAUTHORIZED;
                statusMessage = "Unable to get HTTP method for request.";
            } else {
                Set<String> setAction = new HashSet<String>();
                setAction.add(action);
                // Permission on the request URI under the entitlement service, evaluated from the root realm.
                DelegationPermission permission = new DelegationPermission("/", "sunEntitlementService", "1.0", "application", getURI(request), setAction, null);
                if (!eval.isAllowed(token, permission, Collections.EMPTY_MAP)) {
                    statusCode = HttpServletResponse.SC_UNAUTHORIZED;
                    statusMessage = "Unauthorized.";
                }
            }
        } catch (Exception e) {
            // Any failure during evaluation is treated as a denial.
            statusCode = HttpServletResponse.SC_UNAUTHORIZED;
            statusMessage = e.getMessage();
        }
    } else {
        statusCode = HttpServletResponse.SC_UNAUTHORIZED;
        statusMessage = "Unable to obtain subject.";
    }
    // The delegation check passed; now confirm the token itself is still valid before continuing the chain.
    if (statusCode == HttpServletResponse.SC_OK) {
        statusCode = validateTokenId((HttpServletRequest) request);
        if (statusCode == HttpServletResponse.SC_OK) {
            chain.doFilter(request, response);
        } else {
            statusMessage = "SSO token is invalid or has expired.";
        }
    }
    // Every failure path above (authentication and authorization alike) is reported with the same status code.
    if (statusCode != HttpServletResponse.SC_OK) {
        ((HttpServletResponse) response).sendError(statusCode, statusMessage);
        return;
    }
}
Also used : SSOToken(com.iplanet.sso.SSOToken) DelegationEvaluator(com.sun.identity.delegation.DelegationEvaluator) HttpServletResponse(javax.servlet.http.HttpServletResponse) Subject(javax.security.auth.Subject) DelegationPermission(com.sun.identity.delegation.DelegationPermission) ServletException(javax.servlet.ServletException) IOException(java.io.IOException) RestException(com.sun.identity.rest.RestException) SSOException(com.iplanet.sso.SSOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) DelegationEvaluatorImpl(com.sun.identity.delegation.DelegationEvaluatorImpl) Principal(java.security.Principal) ISubjectable(com.sun.identity.rest.ISubjectable) HashSet(java.util.HashSet)
