
Example 1 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

the class ResourceResultCache method getPolicyDecision.

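/**
 * Returns the policy decision for {@code resourceName} and {@code actionNames},
 * refetching from the policy service while the received decision is expired.
 *
 * <p>The first lookup may be served from the cache. If its time-to-live is
 * already in the past, up to {@code retryCount} further lookups bypass the
 * cache. If no lookup yields a decision that is still valid, a
 * {@link PolicyEvaluationException} is thrown instead of returning an expired
 * decision. The returned object is never the cached instance itself: it is
 * either a new {@link PolicyDecision} restricted to the requested action names
 * or, when {@code actionNames} is {@code null}, a clone of the full decision.
 *
 * @param appToken application sso token to identify the client to policy
 *        service
 * @param serviceName name of service for which to get policy decision
 * @param token session token of user for whom to get policy decision
 * @param resourceName resource name for which to get policy decision
 * @param actionNames action names for which to get policy decision;
 *        {@code null} returns a clone of the complete decision
 * @param env environment map to use to get policy decision
 * @param retryCount try this many times before giving up if received policy
 *        decision is found to have expired
 * @return policy decision
 * @throws PolicyException if can not get policy decision, or if every
 *         received decision had already expired
 * @throws SSOException if user session token is not valid
 * @throws InvalidAppSSOTokenException if application session token
 *         is not valid
 */
PolicyDecision getPolicyDecision(SSOToken appToken, String serviceName, SSOToken token, String resourceName, Set actionNames, Map env, int retryCount) throws InvalidAppSSOTokenException, PolicyException, SSOException {
    // First attempt is allowed to come from the cache.
    PolicyDecision pd = getPolicyDecision(appToken, serviceName, token, resourceName, actionNames, env, true);
    // A decision is usable only while its TTL lies in the future on this host's clock.
    // NOTE(review): clock skew against the policy server can make a fresh decision
    // look expired here and burn through retryCount — confirm clocks are synchronised.
    boolean validTtl = pd.getTimeToLive() > System.currentTimeMillis();
    for (int attempt = 1; !validTtl && attempt <= retryCount; attempt++) {
        if (debug.messageEnabled()) {
            debug.message("ResourceResultCache.getPolicyDecision():" + "Received expired decision, " + "Getting decision again, repeat attempt=" + attempt);
        }
        // Retries bypass the cache so the same stale entry cannot be served again.
        pd = getPolicyDecision(appToken, serviceName, token, resourceName, actionNames, env, false);
        validTtl = pd.getTimeToLive() > System.currentTimeMillis();
    }
    if (!validTtl) {
        if (debug.warningEnabled()) {
            debug.warning("ResourceResultCache.getPolicyDecision():" + "Received expired decision from server");
        }
        // Fail closed: an expired decision is never handed back to the caller.
        Object[] args = { resourceName };
        throw new PolicyEvaluationException(ResBundleUtils.rbName, "received_expired_decision", args, null);
    }
    if (actionNames == null) {
        // No action filter: hand out a copy so the caller cannot mutate the cached decision.
        return (PolicyDecision) pd.clone();
    }
    // Build a new decision carrying only the requested actions plus a copy of
    // the response attributes.
    PolicyDecision filtered = new PolicyDecision();
    // Loop-invariant: fetch the action map once rather than per action name.
    Map actionDecisions = pd.getActionDecisions();
    for (Object name : actionNames) {
        ActionDecision ad = (ActionDecision) actionDecisions.get((String) name);
        if (ad != null) {
            filtered.addActionDecision(ad);
        }
    }
    Map mergedResponseAttrs = new HashMap();
    PolicyUtils.appendMapToMap(pd.getResponseAttributes(), mergedResponseAttrs);
    filtered.setResponseAttributes(mergedResponseAttrs);
    return filtered;
}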

Example 2 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

the class PolicyEvaluator method isAllowed.

/**
 * Evaluates simple privileges of boolean type. The privilege indicates
 * if the user can perform specified action on the specified resource.
 * The evaluation also depends on user's application environment parameters.
 *
 * <p>The evaluation is fail-closed: the result is {@code false} unless the
 * action decision for {@code actionName} contains the configured "true"
 * value and does not contain the configured "false" value. A decision that
 * carries both values, or that lacks a configured true/false value, is
 * treated as a denial. The outcome is written to the access log according
 * to {@code logActions}.
 *
 * @param token single sign on token of the user evaluating policies.
 * @param resourceName name of the resource the user is trying to access
 * @param actionName name of the action the user is trying to perform on
 *        the resource
 * @param envParameters run time environment parameters
 *
 * @return the result of the evaluation as a boolean value
 *
 * @throws PolicyException if result could not be computed for
 *         reason other than single sign on token problem.
 * @throws SSOException if single sign on token is not valid
 *
 * @supported.api
 */
public boolean isAllowed(SSOToken token, String resourceName, String actionName, Map envParameters) throws PolicyException, SSOException {
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator:isAllowed():" + "token=" + token.getPrincipal().getName() + ":resourceName=" + resourceName + ":actionName=" + actionName + ":envParameters) : entering");
    }
    Set actionNames = new HashSet(1);
    actionNames.add(actionName);
    PolicyDecision policyDecision = getPolicyDecision(token, resourceName, actionNames, envParameters);
    ActionDecision actionDecision = (ActionDecision) policyDecision.getActionDecisions().get(actionName);
    String trueValue = policyProperties.getTrueValue(serviceName, actionName);
    String falseValue = policyProperties.getFalseValue(serviceName, actionName);
    boolean allowed = false;
    if (actionDecision != null && trueValue != null && falseValue != null) {
        Set values = (Set) actionDecision.getValues();
        // An explicit "false" value wins over an explicit "true" value.
        if (values != null && !values.contains(falseValue) && values.contains(trueValue)) {
            allowed = true;
        }
    }
    // Pick the access-log message key that matches the configured logging mode.
    String[] logArgs = { resourceName, actionName, allowed ? "ALLOW" : "DENY" };
    String logKey = null;
    if (PolicyProperties.ALLOW.equals(logActions) && allowed) {
        logKey = "policy_eval_allow";
    } else if (PolicyProperties.DENY.equals(logActions) && !allowed) {
        logKey = "policy_eval_deny";
    } else if (PolicyProperties.BOTH.equals(logActions) || PolicyProperties.DECISION.equals(logActions)) {
        logKey = "policy_eval_result";
    }
    if (logKey != null) {
        logAccessMessage(Level.INFO, ResBundleUtils.getString(logKey, logArgs), token);
    }
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.isAllowed():" + "token=" + token.getPrincipal().getName() + ":resourceName=" + resourceName + ":actionName=" + actionName + ":returning: " + allowed);
    }
    return allowed;
}

Example 3 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

the class ResourceResultCache method jsonEntitlementToResourceResult.

/**
 * Converts one JSON entitlement into a {@link ResourceResult} whose
 * {@link PolicyDecision} holds one {@link ActionDecision} per entry of the
 * entitlement's action values.
 *
 * <p>Action values are passed through {@link #mapActionBooleanToString}
 * before being stored, every action decision receives the entitlement's
 * advices map, and the entitlement's attributes become the decision's
 * response decisions.
 *
 * @param jsonEntitlement JSON entitlement to convert
 * @param serviceName service name used when mapping boolean action values
 * @return resource result keyed by the entitlement's resource name
 * @throws JSONException if the entitlement JSON cannot be read
 */
ResourceResult jsonEntitlementToResourceResult(JSONObject jsonEntitlement, String serviceName) throws JSONException {
    String resourceName = jsonEntitlement.optString(JSON_RESOURCE_NAME);
    Map<String, Set<String>> actionsValues = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ACTIONS_VALUES);
    Map<String, Set<String>> advices = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ADVICES);
    Map<String, Set<String>> attributes = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ATTRIBUTES);
    PolicyDecision decision = new PolicyDecision();
    if (actionsValues != null) {
        for (Map.Entry<String, Set<String>> action : actionsValues.entrySet()) {
            String actionName = action.getKey();
            Set<String> values = mapActionBooleanToString(serviceName, actionName, action.getValue());
            ActionDecision actionDecision = new ActionDecision(actionName, values);
            // NOTE(review): the same advices map instance is shared by every action decision.
            actionDecision.setAdvices(advices);
            decision.addActionDecision(actionDecision);
        }
    }
    decision.setResponseDecisions(attributes);
    return new ResourceResult(resourceName, decision);
}

Example 4 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

the class EvaluatePolicyServlet method processRequest.

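/**
 * Reads the resource which the user needs to access from the servlet
 * request parameter <code>resource</code>.
 * If the user's session is invalid, or no session can be established from
 * the request, the user gets redirected to the amserver login page to log
 * in first.
 * Once the session is valid, the access permissions for the requested
 * resource are computed and sent back in the servlet response.
 *
 * <p>The resource name comes from the request and is reflected into the
 * HTML response, so it is escaped before being appended. The login redirect
 * carries the current request URL as a <code>goto</code> parameter,
 * URL-encoded so that it stays a single query value.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException as declared by the servlet contract
 * @throws java.io.IOException if writing the response or the redirect fails
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException {
    try {
        SSOTokenManager mgr = SSOTokenManager.getInstance();
        SSOToken ssoToken = mgr.createSSOToken(request);
        if (mgr.isValidToken(ssoToken)) {
            if (debug.messageEnabled()) {
                String univId = ssoToken.getProperty(Constants.UNIVERSAL_IDENTIFIER);
                if (univId != null) {
                    debug.message("UNIV ID in ssoToken:" + univId);
                } else {
                    debug.message("univ id is null");
                    debug.message("principal:" + ssoToken.getPrincipal().getName());
                }
            }
            String resource = request.getParameter("resource");
            if (resource == null || resource.length() == 0) {
                // Nothing to evaluate; a login redirect would not help here, so
                // report the client error directly.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing resource parameter");
                return;
            }
            PolicyEvaluator pe = new PolicyEvaluator(WEB_AGENT_SERVICE);
            Set actions = new HashSet();
            actions.add("GET");
            PolicyDecision pd = pe.getPolicyDecision(ssoToken, resource, actions, null);
            boolean allowed = pe.isAllowed(ssoToken, resource, "GET", null);
            // The resource name is untrusted request input: escape it before
            // embedding it in the HTML body, as is already done for the XML.
            String safeResource = XMLUtils.escapeSpecialCharacters(resource);
            StringBuilder message = new StringBuilder("<pre>");
            message.append("isAllowed() for ").append(safeResource).append(" action:GET is:   ");
            message.append(allowed);
            message.append(NEWLINE);
            message.append(NEWLINE);
            message.append("getPolicyDecision() for ").append(safeResource).append(" action:GET is:");
            message.append(NEWLINE);
            message.append(XMLUtils.escapeSpecialCharacters(pd.toXML()));
            message.append("</pre>");
            sendResponse(response, message.toString());
            return;
        }
        // Token present but not valid: fall through to the login redirect.
    } catch (Exception ire) {
        debug.error("processRequest::exception:", ire);
    }
    // Send the user to the login page, carrying the current URL so login can
    // return here. Encoding keeps the URL a single, well-formed query value.
    // NOTE(review): getRequestURL() omits the query string, so the "resource"
    // parameter is not preserved across the login round-trip.
    String requestUrl = request.getRequestURL().toString();
    String redirectUrl = serverUrl + "?goto=" + java.net.URLEncoder.encode(requestUrl, "UTF-8");
    response.sendRedirect(redirectUrl);
}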

Example 5 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

the class PolicyClientServlet method doGet.

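/**
 * Sample client entry point: authenticates the user named in the query
 * string and prints the policy decision for the requested resource as HTML.
 *
 * <p>Every query parameter is attacker-controlled and is HTML-escaped before
 * being echoed into the page. Failures are recorded in the server log and
 * reported to the client with a generic message, so internal class names and
 * paths from a stack trace do not reach the browser. The password is read
 * from the query string and therefore appears in access logs and browser
 * history.
 *
 * @param request servlet request carrying {@code orgname}, {@code username},
 *        {@code password}, {@code servicename} and {@code resource}
 * @param response servlet response; the body is written as {@code text/html}
 * @throws ServletException as declared by the servlet contract
 * @throws IOException if the response writer cannot be obtained
 */
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // Get query parameters
    String orgname = request.getParameter("orgname");
    if ((orgname == null) || (orgname.length() == 0)) {
        orgname = "/";
    }
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    String servicename = request.getParameter("servicename");
    String resource = request.getParameter("resource");
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println(SampleConstants.HTML_HEADER);
    if ((username == null) || (password == null) || (servicename == null) || (resource == null)) {
        out.println(displayXML("Usage: " + request.getRequestURL() + "?username=<username>&password=<password>&orgname=<orgname>" + "&servicename=<servicename>&resource=<resource>"));
        out.println("</body></html>");
        return;
    }
    try {
        PolicyEvaluatorFactory pef = PolicyEvaluatorFactory.getInstance();
        PolicyEvaluator pe = pef.getPolicyEvaluator(servicename);
        AuthContext lc = authenticate(orgname, username, password, out);
        if (lc != null) {
            SSOToken token = lc.getSSOToken();
            Set actions = new HashSet();
            actions.add("GET");
            actions.add("POST");
            Map env = new HashMap();
            Set attrSet = new HashSet();
            attrSet.add("mail");
            env.put("Get_Response_Attributes", attrSet);
            // Request parameters are reflected into the page: escape them first.
            out.println("<h5>USERID: " + escapeHtml(username) + "<br>");
            out.println("ORG: " + escapeHtml(orgname) + "<br>");
            out.println("SERVICE NAME: " + escapeHtml(servicename) + "<br>");
            out.println("RESOURCE: " + escapeHtml(resource) + "<br>");
            out.println("</h5><br>");
            out.println("----------getPolicyDecision() Test-----------");
            out.println("<br>");
            PolicyDecision pd = pe.getPolicyDecision(token, resource, actions, env);
            out.println(displayXML(pd.toXML()));
            out.println("End of Test.<br>");
        }
    } catch (Exception e) {
        // Keep the stack trace out of the HTTP response; log it server-side.
        java.util.logging.Logger.getLogger(PolicyClientServlet.class.getName()).log(java.util.logging.Level.SEVERE, "policy evaluation failed", e);
        out.println("Policy evaluation failed; see the server log for details.<br>");
    }
    out.println("</body></html>");
}

/**
 * HTML-escapes a reflected request value for inclusion in element content.
 * {@code null} is rendered as the literal text {@code "null"}, matching what
 * string concatenation would have produced.
 *
 * @param value raw request value, may be {@code null}
 * @return the value with {@code & < > " '} replaced by character references
 */
private static String escapeHtml(String value) {
    if (value == null) {
        return "null";
    }
    StringBuilder sb = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '&':
                sb.append("&amp;");
                break;
            case '<':
                sb.append("&lt;");
                break;
            case '>':
                sb.append("&gt;");
                break;
            case '"':
                sb.append("&quot;");
                break;
            case '\'':
                sb.append("&#39;");
                break;
            default:
                sb.append(c);
        }
    }
    return sb.toString();
}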
