
Example 6 with DelegationEvaluatorImpl

use of com.sun.identity.delegation.DelegationEvaluatorImpl in project OpenAM by OpenRock.

the class DelegationConfigNode method hasPermission.

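/**
 * Checks whether {@code ssoToken} may perform {@code action} on this delegation node in
 * {@code realmName}.
 *
 * <p>When {@code serviceName} is given, the check is made for that single service. When it is
 * {@code null}, the check is made against every action registered under
 * {@code AMAdminConstants.PERMISSION_MODIFY} in {@code permissions} and succeeds as soon as one of
 * them is allowed.
 *
 * @param realmName realm to evaluate in; when {@code null} it is derived from the token's
 *        organization property.
 * @param serviceName service to check, or {@code null} to check the registered modify actions.
 * @param action action used to build the delegation permission.
 * @param ssoToken token of the user being authorized.
 * @return {@code true} only if the delegation evaluator explicitly allowed the request; no
 *         registered modify actions or no allowed action yields {@code false}.
 * @throws DelegationException if the token's organization cannot be read or the evaluation fails.
 */
boolean hasPermission(String realmName, String serviceName, String action, SSOToken ssoToken) throws DelegationException {
    String realm = realmName;
    if (realm == null) {
        try {
            realm = DNMapper.orgNameToRealmName(ssoToken.getProperty(Constants.ORGANIZATION));
        } catch (SSOException e) {
            // Keep the cause so the failed property lookup stays visible to the caller.
            throw new DelegationException(e);
        }
    }
    DelegationEvaluator delegationEvaluator = new DelegationEvaluatorImpl();
    DelegationPermission delegationPermission = getDelegationPermission(realm, action);
    if (serviceName != null) {
        return isAllowed(delegationEvaluator, delegationPermission, ssoToken, serviceName);
    }
    Set<?> modifyActions = (Set<?>) permissions.get(AMAdminConstants.PERMISSION_MODIFY);
    if (modifyActions == null) {
        // Nothing registered under the modify key: deny instead of failing with a NullPointerException.
        return false;
    }
    // First allowed modify action is enough; stop there.
    for (Object modifyAction : modifyActions) {
        if (isAllowed(delegationEvaluator, delegationPermission, ssoToken, (String) modifyAction)) {
            return true;
        }
    }
    return false;
}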

Example 7 with DelegationEvaluatorImpl

use of com.sun.identity.delegation.DelegationEvaluatorImpl in project OpenAM by OpenRock.

the class SessionService method hasTopLevelAdminRole.

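/**
 * Returns true if the user has top level admin role, i.e. is allowed the read, modify and
 * delegate actions on every service, version, config type and sub-config at the root realm.
 *
 * <p>Fails closed: if the delegation evaluation throws, the failure is logged and {@code false}
 * is returned.
 *
 * @param tokenUsedForSearch Single Sign on token used to do the search.
 * @param clientID           Client ID of the login user; not consulted by the check itself.
 * @return {@code true} if the delegation evaluator allows the wildcard root-realm permission.
 * @throws SessionException declared by the signature; the visible body does not raise it.
 * @throws SSOException propagated from the delegation evaluator.
 */
private boolean hasTopLevelAdminRole(SSOToken tokenUsedForSearch, String clientID) throws SessionException, SSOException {
    Set<String> actions = CollectionUtils.asSet(PERMISSION_READ, PERMISSION_MODIFY, PERMISSION_DELEGATE);
    try {
        // Wildcards for everything but the realm ("/"): only a root-level administrator matches.
        DelegationPermission perm = new DelegationPermission("/", "*", "*", "*", "*", actions, Collections.<String, String>emptyMap());
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        return evaluator.isAllowed(tokenUsedForSearch, perm, Collections.emptyMap());
    } catch (DelegationException de) {
        sessionDebug.error("SessionService.hasTopLevelAdminRole: failed to check the delegation permission.", de);
        return false;
    }
}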

Example 8 with DelegationEvaluatorImpl

use of com.sun.identity.delegation.DelegationEvaluatorImpl in project OpenAM by OpenRock.

the class XACMLUtils method hasPermission.

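/**
 * Checks whether {@code adminToken} may perform {@code action} on the XACML policies REST
 * resource ({@code rest}, version {@code 1.0}, config type {@code policies}) in {@code realm}.
 *
 * <p>Fails closed: delegation or SSO failures are logged and reported as not allowed.
 *
 * @param realm realm the policies belong to.
 * @param adminToken token of the caller being authorized.
 * @param action delegation action to check; it is used both as the permission's action and as
 *        its single-element action set.
 * @return {@code true} only if the delegation evaluator explicitly allows the request.
 */
public static boolean hasPermission(String realm, SSOToken adminToken, String action) {
    try {
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        DelegationPermission permission = new DelegationPermission(realm, "rest", "1.0", "policies", action, asSet(action), Collections.<String, String>emptyMap());
        return evaluator.isAllowed(adminToken, permission, Collections.emptyMap());
    } catch (DelegationException de) {
        DEBUG.error("XACMLUtils.hasPermission", de);
        return false;
    } catch (SSOException ssoe) {
        DEBUG.error("XACMLUtils.hasPermission", ssoe);
        return false;
    }
}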

Example 9 with DelegationEvaluatorImpl

use of com.sun.identity.delegation.DelegationEvaluatorImpl in project OpenAM by OpenRock.

the class AccessControlModelImpl method canView.

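/**
 * Returns true if a page can be viewed.
 *
 * <p>A page with no permissions attached is viewable by any caller holding an SSO token.
 * Otherwise the caller needs read access to one of the listed services; a delegation
 * administration page is first checked for the delegate action. Evaluation failures are logged
 * and treated as "cannot view".
 *
 * @param permissions Permissions associated to the page (service names).
 * @param accessLevel Level of access i.e. either global or realm level; blank means realm level.
 * @param realmName Currently viewed realm Name.
 * @param delegateUI true if this is a delegation administration page.
 * @return true if a page can be viewed.
 */
public boolean canView(Set permissions, String accessLevel, String realmName, boolean delegateUI) {
    if (ssoToken == null) {
        return false;
    }
    if (permissions.isEmpty()) {
        // Nothing to check against: pages without permissions are open to any token holder.
        return true;
    }
    boolean canView = false;
    try {
        DelegationEvaluator delegationEvaluator = new DelegationEvaluatorImpl();
        DelegationPermission delegationPermission = new DelegationPermission();
        delegationPermission.setVersion("*");
        delegationPermission.setSubConfigName("default");
        if ((accessLevel != null) && (accessLevel.trim().length() > 0)) {
            // Global-level pages are evaluated at the root realm with the given config type.
            delegationPermission.setConfigType(accessLevel);
            delegationPermission.setOrganizationName("/");
        } else {
            delegationPermission.setOrganizationName(realmName);
        }
        if (delegateUI) {
            Set<String> actions = new HashSet<String>();
            actions.add(AMAdminConstants.PERMISSION_DELEGATE);
            delegationPermission.setActions(actions);
            canView = delegationEvaluator.isAllowed(ssoToken, delegationPermission, Collections.emptyMap());
        }
        // NOTE(review): for a delegation page a successful delegate check already satisfies the
        // loop condition below, so the per-service read check is skipped in that case; confirm
        // that is intended.
        if (!delegateUI || canView) {
            // Read access to any one of the page's services is enough; stop at the first hit.
            for (Iterator<?> i = permissions.iterator(); i.hasNext() && !canView; ) {
                String serviceName = (String) i.next();
                canView = hasPermission(delegationEvaluator, delegationPermission, serviceName, AMAdminConstants.PERMISSION_READ);
            }
        }
    } catch (DelegationException e) {
        AMModelBase.debug.error("AccessControlModelImpl.canView", e);
    } catch (SSOException e) {
        AMModelBase.debug.error("AccessControlModelImpl.canView", e);
    }
    return canView;
}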

Example 10 with DelegationEvaluatorImpl

use of com.sun.identity.delegation.DelegationEvaluatorImpl in project OpenAM by OpenRock.

the class DelegationPolicyImpl method hasDelegationPermissionsForRealm.

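/**
 * Returns true if the user has delegation permissions for the
 * organization.
 *
 * <p>The check asks for the {@code DELEGATE} action on the {@code organizationconfig} config type
 * of {@code sunAMRealmService} version {@code 1.0} in {@code orgName}.
 *
 * @param token SSO token of the user being checked.
 * @param orgName organization (realm) name the permission is scoped to.
 * @return {@code true} if the delegation evaluator allows the request.
 * @throws SSOException propagated from the delegation evaluator.
 * @throws DelegationException propagated from building or evaluating the permission.
 */
private boolean hasDelegationPermissionsForRealm(SSOToken token, String orgName) throws SSOException, DelegationException {
    // Construct delegation permission object
    Set<String> actions = new HashSet<String>();
    actions.add(DELEGATE);
    DelegationPermission permission = new DelegationPermission(orgName, "sunAMRealmService", "1.0", "organizationconfig", null, actions, Collections.<String, String>emptyMap());
    // Call DelegationEvaluator to handle super and internal users
    DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
    return evaluator.isAllowed(token, permission, Collections.emptyMap());
}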
