Example 1 with AMIdentityRepository

Use of com.sun.identity.idm.AMIdentityRepository in project OpenAM by OpenRock.

Class DelegationPolicyImpl, method organizationConfigChanged.

/**
 * This method will be invoked when a service's organization
 * configuration data has been changed. The parameters orgName,
 * groupName and serviceComponent denote the organization name,
 * configuration grouping name and service sub-component that
 * changed, respectively.
 *
 * @param serviceName name of the service
 * @param version version of the service
 * @param orgName organization name as DN
 * @param groupName name of the configuration grouping
 * @param serviceComponent the name of the service component that
 *                         changed
 * @param type change type, i.e., ADDED, REMOVED or MODIFIED
 */
public void organizationConfigChanged(String serviceName, String version, String orgName, String groupName, String serviceComponent, int type) {
    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl: org config changed: " + orgName);
    }
    synchronized (idRepoListeners) {
        if (type == ServiceListener.ADDED) {
            if (idRepoListeners.get(orgName) == null) {
                try {
                    AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
                    idRepo.addEventListener(this);
                    idRepoListeners.put(orgName, idRepo);
                    if (DelegationManager.debug.messageEnabled()) {
                        DelegationManager.debug.message("DelegationPolicyImpl: IdRepo event listener" + " added for realm (" + orgName + ").");
                    }
                } catch (Exception e) {
                    DelegationManager.debug.error("DelegationPolicyImpl: failed to process " + "organization config changes. ", e);
                }
            }
        } else if (type == ServiceListener.REMOVED) {
            idRepoListeners.remove(orgName);
            if (DelegationManager.debug.messageEnabled()) {
                DelegationManager.debug.message("DelegationPolicyImpl: IdRepo event listener" + " removed for realm (" + orgName + ").");
            }
        }
    }
}

Example 2 with AMIdentityRepository

Use of com.sun.identity.idm.AMIdentityRepository in project OpenAM by OpenRock.

Class DelegationPolicyImpl, method initialize.

/**
 * Initialize (or configure) the <code>DelegationInterface</code>
 * object. Usually it will be initialized with the environment
 * parameters set by the system administrator via the Service
 * Management service.
 *
 * @param token <code>SSOToken</code> of an administrator
 * @param configParams configuration parameters as a <code>Map</code>.
 * The values in the <code>Map</code> are <code>java.util.Set</code>s,
 * each containing one or more configuration parameters.
 *
 * @throws DelegationException if an error occurred during
 * initialization of the <code>DelegationInterface</code> instance
 */
public void initialize(SSOToken token, Map configParams) throws DelegationException {
    this.appToken = token;
    try {
        maxCacheSize = SystemProperties.getAsInt(CONFIGURED_CACHE_SIZE, DEFAULT_CACHE_SIZE);
        // specifying cache size as 0 would virtually disable the delegation cache.
        if (maxCacheSize < 0) {
            maxCacheSize = DEFAULT_CACHE_SIZE;
        }
        delegationCache = new Cache(maxCacheSize);
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("DelegationPolicyImpl.initialize(): cache size=" + maxCacheSize);
        }
        pe = new PolicyEvaluator(POLICY_REPOSITORY_REALM, DelegationManager.DELEGATION_SERVICE);
        // listen on delegation policy changes. once there is 
        // delegation policy change, we need to update the cache.
        pe.addPolicyListener(this);
        // listen on root realm subject changes.
        AMIdentityRepository idRepo = new AMIdentityRepository(appToken, "/");
        idRepo.addEventListener(this);
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("DelegationPolicyImpl: IdRepo event listener added " + "for root realm.");
        }
        // listen on sub realm subject changes.     
        OrganizationConfigManager ocm = new OrganizationConfigManager(appToken, "/");
        Set orgNames = ocm.getSubOrganizationNames("*", true);
        if ((orgNames != null) && (!orgNames.isEmpty())) {
            Iterator it = orgNames.iterator();
            while (it.hasNext()) {
                String org = (String) it.next();
                AMIdentityRepository idr = new AMIdentityRepository(appToken, org);
                idr.addEventListener(this);
                // keep the repository registered for this sub realm (not the root one)
                // so that organizationConfigChanged() can look it up by realm name
                idRepoListeners.put(org, idr);
                if (DelegationManager.debug.messageEnabled()) {
                    DelegationManager.debug.message("DelegationPolicyImpl: IdRepo event listener " + "added for realm (" + org + ").");
                }
            }
        }
        scm = new ServiceConfigManager(PolicyConfig.POLICY_CONFIG_SERVICE, token);
        //DelegationManager.DELEGATION_SERVICE, token);
        // listen on org config changes. once a realm is added
        // or removed, we need to add or remove listeners on the
        // affected realm accordingly.
        scm.addListener(this);
    } catch (Exception e) {
        DelegationManager.debug.error("DelegationPolicyImpl: initialize() failed");
        throw new DelegationException(e);
    }
}

Example 3 with AMIdentityRepository

Use of com.sun.identity.idm.AMIdentityRepository in project OpenAM by OpenRock.

Class DelegationPolicyImpl, method getPermissions.

/**
 * Returns a set of permissions that a user has.
 *
 * @param token sso token of the user requesting permissions
 * @param orgName The name of the realm from which the delegation
 *        permissions are fetched.
 *
 * @return a <code>Set</code> of permissions that a user has
 *
 * @throws SSOException if single-sign-on token invalid or expired
 * @throws DelegationException for any other abnormal condition
 */
public Set getPermissions(SSOToken token, String orgName) throws SSOException, DelegationException {
    DelegationPrivilege dp;
    Set perms = new HashSet();
    Set subjects;
    AMIdentity userIdentity = null;
    AMIdentity subjectIdentity = null;
    IdSearchResults results = null;
    if (token == null) {
        if (DelegationManager.debug.warningEnabled()) {
            DelegationManager.debug.warning("DelegationPolicyImpl.getPermissions():" + "user sso token is null");
        }
        return perms;
    }
    try {
        userIdentity = IdUtils.getIdentity(token);
        if (userIdentity == null) {
            if (DelegationManager.debug.warningEnabled()) {
                DelegationManager.debug.warning("DelegationPolicyImpl.getPermissions():" + "could not get user's identity from token");
            }
            return perms;
        }
        Set privileges = getPrivileges(appToken, orgName);
        if ((privileges != null) && (!privileges.isEmpty())) {
            AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
            IdSearchControl ctrl = new IdSearchControl();
            ctrl.setRecursive(true);
            ctrl.setMaxResults(-1);
            ctrl.setTimeOut(-1);
            Iterator it = privileges.iterator();
            while (it.hasNext()) {
                dp = (DelegationPrivilege) it.next();
                subjects = dp.getSubjects();
                if ((subjects != null) && (!subjects.isEmpty())) {
                    Iterator sit = subjects.iterator();
                    while (sit.hasNext()) {
                        String subject = (String) sit.next();
                        String subjectId = LDAPUtils.rdnValueFromDn(subject);
                        if (subjectId != null) {
                            results = idRepo.searchIdentities(IdType.ROLE, subjectId, ctrl);
                            if (results != null) {
                                Set idSet = results.getSearchResults();
                                if ((idSet != null) && !idSet.isEmpty()) {
                                    subjectIdentity = (AMIdentity) (idSet.iterator().next());
                                    if (userIdentity.isMember(subjectIdentity)) {
                                        perms.addAll(dp.getPermissions());
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    } catch (Exception e) {
        throw new DelegationException(e);
    }
    return perms;
}

Example 4 with AMIdentityRepository

Use of com.sun.identity.idm.AMIdentityRepository in project OpenAM by OpenRock.

Class DelegationPolicyImpl, method getSubjects.

/**
 * Returns a set of selected subjects of specified types matching the
 * pattern in the given realm. The pattern accepts "*" as the wild card for
 * searching subjects. For example, "a*c" matches any subject starting
 * with a and ending with c.
 *
 * @param token The <code>SSOToken</code> of the requesting user
 * @param orgName The name of the realm from which the subjects are fetched.
 * @param types a set of subject types, e.g. ROLE, GROUP.
 * @param pattern a filter used to select the subjects.
 *
 * @return <code>Set</code> of universal Ids of the subjects associated
 *         with the realm.
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws DelegationException for any abnormal condition
 */
public Set getSubjects(SSOToken token, String orgName, Set types, String pattern) throws SSOException, DelegationException {
    Set results = new HashSet();
    // All Authenticated Users would be returned only if pattern is *
    if ((pattern != null) && pattern.equals("*")) {
        results.add(AUTHN_USERS_ID);
    }
    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): types=" + types);
    }
    try {
        AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
        Set supportedTypes = idRepo.getSupportedIdTypes();
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): " + "supported subject types=" + supportedTypes);
        }
        if ((supportedTypes != null) && (!supportedTypes.isEmpty()) && (types != null) && (!types.isEmpty())) {
            Iterator it = types.iterator();
            while (it.hasNext()) {
                IdType idType = IdUtils.getType((String) it.next());
                if (supportedTypes.contains(idType)) {
                    IdSearchControl ctrl = new IdSearchControl();
                    ctrl.setRecursive(true);
                    ctrl.setMaxResults(-1);
                    ctrl.setTimeOut(-1);
                    IdSearchResults idsr = idRepo.searchIdentities(idType, pattern, ctrl);
                    if (idsr != null) {
                        Set searchRes = idsr.getSearchResults();
                        if ((searchRes != null) && (!searchRes.isEmpty())) {
                            Iterator iter = searchRes.iterator();
                            while (iter.hasNext()) {
                                AMIdentity id = (AMIdentity) iter.next();
                                results.add(IdUtils.getUniversalId(id));
                            }
                        }
                    }
                }
            }
        }
        return results;
    } catch (IdRepoException ide) {
        throw new DelegationException(ide);
    }
}

Example 5 with AMIdentityRepository

Use of com.sun.identity.idm.AMIdentityRepository in project OpenAM by OpenRock.

Class FSDefaultSPAdapter, method postSSOFederationSuccess.

/**
 * Invoked after a successful Single Sign-On or Federation.
 * @param hostedEntityID provider ID for the hosted SP
 * @param request servlet request
 * @param response servlet response
 * @param ssoToken user's SSO token
 * @param authnRequest the original authentication request sent from SP
 * @param authnResponse response from IDP if Browser POST or LECP profile
 *        is used for the request; value will be null if Browser Artifact
 *        profile is used.
 * @param samlResponse response from IDP if Browser Artifact profile is used
 *        for the request; value will be null if Browser POST or LECP
 *        profile is used.
 * @exception FederationException if the adapter wants to fail the process.
 * @return true if browser redirection happened, false otherwise.
 */
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        if (nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_FEDERATED)) {
            isFederation = true;
        }
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (isFederation && adminToken != null) {
        try {
            // get name Identifier
            String nameId = null;
            List assertions = null;
            String idpEntityId = null;
            if (authnResponse != null) {
                // POST profile
                assertions = authnResponse.getAssertion();
                idpEntityId = authnResponse.getProviderId();
            } else {
                // Artifact profile
                assertions = samlResponse.getAssertion();
            }
            FSAssertion assertion = (FSAssertion) assertions.iterator().next();
            if (idpEntityId == null) {
                idpEntityId = assertion.getIssuer();
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
            }
            Iterator stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    FSSubject subject = (FSSubject) authStatement.getSubject();
                    NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
                    if (ni == null) {
                        ni = subject.getNameIdentifier();
                    }
                    if (ni != null) {
                        nameId = ni.getName();
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
                    }
                    break;
                }
            }
            if (nameId == null) {
                FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
                return false;
            }
            Map map = new HashMap();
            Set set = new HashSet();
            set.add("|" + hostedEntityID + "|" + nameId + "|");
            map.put("iplanet-am-user-federation-info-key", set);
            AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
            IdSearchControl searchControl = new IdSearchControl();
            searchControl.setTimeOut(0);
            searchControl.setMaxResults(0);
            searchControl.setAllReturnAttributes(false);
            searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
            IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
            Set amIdSet = searchResults.getSearchResults();
            if (amIdSet.size() > 1) {
                String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
                }
                String metaAlias = null;
                try {
                    IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
                    if (metaManager != null) {
                        SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
                        if (spConfig != null) {
                            metaAlias = spConfig.getMetaAlias();
                        }
                    }
                } catch (IDFFMetaException ie) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
                    }
                }
                FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
                FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
                // previous federation exists with different users
                Iterator it = amIdSet.iterator();
                while (it.hasNext()) {
                    AMIdentity amId = (AMIdentity) it.next();
                    // compare with the SSO token
                    String tmpUnivId = IdUtils.getUniversalId(amId);
                    if (univId.equalsIgnoreCase(tmpUnivId)) {
                        continue;
                    }
                    // remove federation information for this user
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
                    }
                    accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
                }
            }
        } catch (FSAccountMgmtException f) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
        } catch (IdRepoException i) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
        } catch (SSOException e) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
        }
    }
    return false;
}