use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.
the class ResourceResultCache method getPolicyDecision.
/**
 * Returns the policy decision for {@code resourceName}, tolerating a bounded
 * number of stale answers from the policy service.
 * <p>
 * The first lookup may be satisfied from the local cache. If the decision it
 * yields has a TTL that is not in the future, the decision is fetched again
 * with the cache bypassed, up to {@code retryCount} times. If every attempt is
 * still expired the method fails closed by throwing rather than handing back
 * a decision whose validity window has ended.
 * <p>
 * When {@code actionNames} is non-null, the returned decision contains only
 * the action decisions for the requested action names (missing names are
 * simply absent) plus a copy of the response attributes; otherwise a clone of
 * the full decision is returned.
 *
 * @param appToken application SSO token identifying the client to the policy
 * service
 * @param serviceName name of the service for which to get the policy decision
 * @param token session token of the user for whom to get the policy decision
 * @param resourceName resource name for which to get the policy decision
 * @param actionNames action names to retain in the result; {@code null} keeps
 * every action decision
 * @param env environment map used to evaluate the policy
 * @param retryCount number of uncached re-fetches to attempt before giving up
 * when the received decision has already expired; {@code 0} or less means an
 * initially expired decision is fatal
 * @return policy decision with a TTL in the future
 * @throws PolicyException if the decision cannot be obtained, including
 * {@link PolicyEvaluationException} when every attempt returned an expired
 * decision
 * @throws SSOException if the user session token is not valid
 * @throws InvalidAppSSOTokenException if the application session token is not
 * valid
 */
PolicyDecision getPolicyDecision(SSOToken appToken, String serviceName, SSOToken token, String resourceName, Set actionNames, Map env, int retryCount) throws InvalidAppSSOTokenException, PolicyException, SSOException {
    // Initial lookup is allowed to come from the cache.
    PolicyDecision decision = getPolicyDecision(appToken, serviceName, token, resourceName, actionNames, env, true);
    int attempt = 0;
    // A TTL that is not strictly in the future counts as expired. Every retry
    // bypasses the cache so the same stale entry cannot be returned again.
    while (decision.getTimeToLive() <= System.currentTimeMillis() && attempt < retryCount) {
        attempt++;
        if (debug.messageEnabled()) {
            debug.message("ResourceResultCache.getPolicyDecision():" + "Received expired decision, " + "Getting decision again, repeat attempt=" + attempt);
        }
        decision = getPolicyDecision(appToken, serviceName, token, resourceName, actionNames, env, false);
    }
    if (decision.getTimeToLive() <= System.currentTimeMillis()) {
        // Fail closed: never return a decision the server itself says is no longer valid.
        if (debug.warningEnabled()) {
            debug.warning("ResourceResultCache.getPolicyDecision():" + "Received expired decision from server");
        }
        Object[] args = { resourceName };
        throw new PolicyEvaluationException(ResBundleUtils.rbName, "received_expired_decision", args, null);
    }
    if (actionNames == null) {
        // No filter requested: return a copy so callers cannot mutate what the cache holds.
        return (PolicyDecision) decision.clone();
    }
    // Project the decision down to the requested actions only.
    // NOTE(review): the ActionDecision instances are shared with the source decision,
    // not cloned; if the uncached/cached overload returns the cached object, a caller
    // mutating these would alter the cache — confirm against that overload.
    PolicyDecision filtered = new PolicyDecision();
    Map actionDecisions = decision.getActionDecisions();
    for (Iterator it = actionNames.iterator(); it.hasNext();) {
        String actionName = (String) it.next();
        ActionDecision actionDecision = (ActionDecision) actionDecisions.get(actionName);
        if (actionDecision != null) {
            filtered.addActionDecision(actionDecision);
        }
    }
    Map responseAttributes = new HashMap();
    PolicyUtils.appendMapToMap(decision.getResponseAttributes(), responseAttributes);
    filtered.setResponseAttributes(responseAttributes);
    return filtered;
}
use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.
the class PolicyEvaluator method isAllowed.
/**
 * Evaluates a boolean privilege: may the user identified by {@code token}
 * perform {@code actionName} on {@code resourceName} under the given
 * environment.
 * <p>
 * The outcome defaults to deny. It becomes allow only when a decision exists
 * for the action, the service defines both a true and a false value for the
 * action, and the decision's value set contains the true value without also
 * containing the false value — an explicit false always wins over a true.
 * The result is written to the access log according to the configured
 * {@code logActions} mode.
 *
 * @param token single sign on token of the user evaluating policies
 * @param resourceName name of the resource the user is trying to access
 * @param actionName name of the action the user is trying to perform on
 * the resource
 * @param envParameters run time environment parameters
 *
 * @return {@code true} if the action is allowed, {@code false} otherwise
 * (including when no decision could be matched)
 *
 * @throws PolicyException if the result could not be computed for a
 * reason other than a single sign on token problem
 * @throws SSOException if the single sign on token is not valid
 *
 * @supported.api
 */
public boolean isAllowed(SSOToken token, String resourceName, String actionName, Map envParameters) throws PolicyException, SSOException {
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator:isAllowed():" + "token=" + token.getPrincipal().getName() + ":resourceName=" + resourceName + ":actionName=" + actionName + ":envParameters) : entering");
    }
    Set requestedActions = new HashSet(1);
    requestedActions.add(actionName);
    PolicyDecision decision = getPolicyDecision(token, resourceName, requestedActions, envParameters);
    ActionDecision actionDecision = (ActionDecision) decision.getActionDecisions().get(actionName);
    String trueValue = policyProperties.getTrueValue(serviceName, actionName);
    String falseValue = policyProperties.getFalseValue(serviceName, actionName);
    boolean allowed = false;
    if (actionDecision != null && trueValue != null && falseValue != null) {
        Set values = (Set) actionDecision.getValues();
        // Deny wins: the true value only counts when the false value is absent.
        if (values != null && !values.contains(falseValue) && values.contains(trueValue)) {
            allowed = true;
        }
    }
    String result = allowed ? "ALLOW" : "DENY";
    String[] objs = { resourceName, actionName, result };
    // Select the access-log message key for the configured logging mode, if any.
    String logKey = null;
    if (PolicyProperties.ALLOW.equals(logActions) && allowed) {
        logKey = "policy_eval_allow";
    } else if (PolicyProperties.DENY.equals(logActions) && !allowed) {
        logKey = "policy_eval_deny";
    } else if (PolicyProperties.BOTH.equals(logActions) || PolicyProperties.DECISION.equals(logActions)) {
        logKey = "policy_eval_result";
    }
    if (logKey != null) {
        logAccessMessage(Level.INFO, ResBundleUtils.getString(logKey, objs), token);
    }
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.isAllowed():" + "token=" + token.getPrincipal().getName() + ":resourceName=" + resourceName + ":actionName=" + actionName + ":returning: " + allowed);
    }
    return allowed;
}
use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.
the class ResourceResultCache method jsonEntitlementToResourceResult.
/**
 * Converts one JSON entitlement returned by the policy service into a
 * {@link ResourceResult}.
 * <p>
 * The resource name is read with {@code optString}, so an entitlement without
 * one yields an empty name. Each entry of the actions-values map becomes an
 * {@link ActionDecision} whose values are first passed through
 * {@code mapActionBooleanToString} for {@code serviceName}; every action
 * decision receives the same advices map. The attributes map is attached as
 * the decision's response decisions.
 * <p>
 * NOTE(review): the payload is taken as trusted — the resource name is not
 * compared with the one that was requested; confirm the caller does that.
 *
 * @param jsonEntitlement entitlement object from the policy service response
 * @param serviceName service whose action schema is used to map boolean values
 * @return resource result wrapping the reconstructed policy decision
 * @throws JSONException if the entitlement maps cannot be read
 */
ResourceResult jsonEntitlementToResourceResult(JSONObject jsonEntitlement, String serviceName) throws JSONException {
    String resourceName = jsonEntitlement.optString(JSON_RESOURCE_NAME);
    Map<String, Set<String>> actionValuesByName = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ACTIONS_VALUES);
    Map<String, Set<String>> advices = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ADVICES);
    Map<String, Set<String>> attributes = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ATTRIBUTES);
    PolicyDecision decision = new PolicyDecision();
    if (actionValuesByName != null) {
        for (Map.Entry<String, Set<String>> action : actionValuesByName.entrySet()) {
            Set<String> values = mapActionBooleanToString(serviceName, action.getKey(), action.getValue());
            ActionDecision actionDecision = new ActionDecision(action.getKey(), values);
            // Advices are per entitlement, so the same map is attached to every action.
            actionDecision.setAdvices(advices);
            decision.addActionDecision(actionDecision);
        }
    }
    decision.setResponseDecisions(attributes);
    return new ResourceResult(resourceName, decision);
}
use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.
the class EvaluatePolicyServlet method processRequest.
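/**
 * Evaluates the caller's access to the resource named by the {@code resource}
 * request parameter and writes the result into the response.
 * <p>
 * The SSO token is taken from the request. If no token can be built (no or
 * unparsable session cookie), if the token manager reports it invalid, or if
 * any other exception occurs, the user is redirected to {@code serverUrl} with
 * the current URL as the {@code goto} parameter so they can log in first.
 * (Previously a token that parsed but was invalid produced an empty 200.)
 * <p>
 * Only the {@code GET} action on the web-agent service is evaluated. Because
 * the requested resource name is echoed back into the HTML body, it is escaped
 * the same way as the XML decision dump; unescaped, the parameter would be a
 * reflected XSS vector.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException on servlet failure
 * @throws java.io.IOException if writing the response or the redirect fails
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException {
    try {
        SSOTokenManager mgr = SSOTokenManager.getInstance();
        SSOToken ssoToken = mgr.createSSOToken(request);
        if (!mgr.isValidToken(ssoToken)) {
            redirectToLogin(request, response);
            return;
        }
        if (debug.messageEnabled()) {
            String universalId = ssoToken.getProperty(Constants.UNIVERSAL_IDENTIFIER);
            if (universalId != null) {
                debug.message("UNIV ID in ssoToken:" + universalId);
            } else {
                debug.message("univ id is null");
                debug.message("principal:" + ssoToken.getPrincipal().getName());
            }
        }
        String resource = request.getParameter("resource");
        PolicyEvaluator pe = new PolicyEvaluator(WEB_AGENT_SERVICE);
        Set actions = new HashSet();
        actions.add("GET");
        PolicyDecision pd = pe.getPolicyDecision(ssoToken, resource, actions, null);
        boolean allowed = pe.isAllowed(ssoToken, resource, "GET", null);
        // The resource name is attacker-controlled input reflected into HTML: escape it.
        String shownResource = (resource == null) ? "null" : XMLUtils.escapeSpecialCharacters(resource);
        StringBuffer message = new StringBuffer("<pre>");
        message.append("isAllowed() for ").append(shownResource).append(" action:GET is: ");
        message.append(allowed);
        message.append(NEWLINE);
        message.append(NEWLINE);
        message.append("getPolicyDecision() for ").append(shownResource).append(" action:GET is:");
        message.append(NEWLINE);
        message.append(XMLUtils.escapeSpecialCharacters(pd.toXML()));
        message.append("</pre>");
        sendResponse(response, message.toString());
    } catch (Exception e) {
        // Any failure (missing/invalid session cookie, policy evaluation error, ...)
        // falls back to the login redirect.
        // NOTE(review): if sendResponse() has already committed the response,
        // sendRedirect() will fail — confirm sendResponse() cannot throw after committing.
        debug.error("processRequest::exception:", e);
        redirectToLogin(request, response);
    }
}

/**
 * Redirects to the configured server login URL, passing the current request
 * URL as the {@code goto} parameter.
 * <p>
 * NOTE(review): the URL is concatenated without URL-encoding and its host part
 * typically derives from the request's Host header; encode it and validate the
 * host before exposing this servlet beyond a demo deployment.
 *
 * @param request servlet request whose URL becomes the {@code goto} target
 * @param response servlet response to redirect
 * @throws java.io.IOException if the redirect cannot be sent
 */
private void redirectToLogin(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException {
    String requestUrl = request.getRequestURL().toString();
    response.sendRedirect(serverUrl + "?goto=" + requestUrl);
}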
use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.
the class DelegationPolicyImpl method getResultFromCache.
/**
 * Looks up a previously computed delegation decision for a user/resource pair
 * in the delegation cache.
 * <p>
 * A hit requires all of: a non-null resource, a cache entry for the token,
 * an entry for the resource, an environment map equal to the one the decision
 * was computed under (null and empty maps are treated as the same empty
 * environment), a non-null decision, and a TTL strictly in the future. An
 * expired decision is reported at debug level and treated as a miss, so a
 * stale authorization result is never served from the cache.
 *
 * @param tokenIdStr <code>String</code> representation of the user's token,
 * used as the outer cache key
 * @param resource resource for which results are sought
 * @param envParams <code>Map</code> of environment params the decision must
 * have been computed for
 * @return the cached policy decision, or {@code null} on any miss
 */
private PolicyDecision getResultFromCache(String tokenIdStr, String resource, Map envParams) throws SSOException, DelegationException {
    if (resource == null) {
        return null;
    }
    Map<String, List<Object>> perToken = delegationCache.get(tokenIdStr);
    if (perToken == null || perToken.isEmpty()) {
        return null;
    }
    List<Object> entry = perToken.get(resource);
    if (entry == null) {
        return null;
    }
    // Slot 0 holds the environment the decision was computed under, slot 1 the decision.
    Map cachedEnv = (Map) entry.get(0);
    Map requestedEnv = (envParams == null || envParams.isEmpty()) ? Collections.EMPTY_MAP : envParams;
    if (cachedEnv == null || cachedEnv.isEmpty()) {
        cachedEnv = Collections.EMPTY_MAP;
    }
    // A decision is only reusable under exactly the environment it was evaluated for.
    if (!requestedEnv.equals(cachedEnv)) {
        return null;
    }
    PolicyDecision cached = (PolicyDecision) entry.get(1);
    if (cached == null) {
        return null;
    }
    long ttl = cached.getTimeToLive();
    long now = System.currentTimeMillis();
    if (ttl > now) {
        return cached;
    }
    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl: delegation decision " + "expired. TTL=" + ttl + "; current time=" + now);
    }
    return null;
}