
Example 66 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthSchemeCondition method getConditionDecision.

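/**
 * Gets the decision computed by this condition object, based on the
 * map of environment parameters.
 *
 * @param token single sign on token of the user
 *
 * @param env request specific environment map of key/value pairs.
 *        <code>AuthSchemeCondition</code> looks for the value of key
 *        <code>REQUEST_AUTH_SCHEMES</code> in the map. The value must be
 *        a <code>Set</code>. If the <code>env</code> parameter is null or
 *        does not define a value for <code>REQUEST_AUTH_SCHEMES</code>, the
 *        authenticated schemes are obtained from the single sign on token
 *        of the user instead.
 *
 * @return the condition decision. The condition decision encapsulates
 *         whether a policy applies for the request and advice messages
 *         generated by the condition.
 * Policy framework continues evaluating a policy only if it applies
 * to the request as indicated by the <code>ConditionDecision</code>.
 * Otherwise, further evaluation of the policy is skipped.
 * However, the advice messages encapsulated in the
 * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
 * in the policy decision.
 *
 * @throws PolicyException if the condition has not been initialized with a
 *         successful call to <code>setProperties(Map)</code> and/or the
 *         value of <code>REQUEST_AUTH_SCHEMES</code> in <code>env</code>
 *         is not a <code>Set</code>.
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #AUTH_SCHEME
 * @see #REQUEST_AUTH_SCHEMES
 * @see com.sun.identity.policy.ConditionDecision
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():entering:" + "authSchemes=" + authSchemes + ", appName=" + appName + ", appIdleTimeout=" + appIdleTimeout);
    }
    Set requestAuthSchemes = null;
    Set requestAuthSchemesIgnoreRealm = null;
    if ((env != null) && (env.get(REQUEST_AUTH_SCHEMES) != null)) {
        // Schemes supplied by the caller take precedence over the token. No
        // realm-unqualified view is derived from them, so a realm-unqualified
        // requirement is only met by an exact entry in the supplied set.
        try {
            requestAuthSchemes = (Set) env.get(REQUEST_AUTH_SCHEMES);
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemes from env= " + requestAuthSchemes);
            }
        } catch (ClassCastException e) {
            String[] args = { REQUEST_AUTH_SCHEMES };
            throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
        }
    } else if (token != null) {
        requestAuthSchemes = AMAuthUtils.getRealmQualifiedAuthenticatedSchemes(token);
        requestAuthSchemesIgnoreRealm = AMAuthUtils.getAuthenticatedSchemes(token);
        if (DEBUG.messageEnabled()) {
            DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemes from ssoToken= " + requestAuthSchemes);
            DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemesIgnoreRealm from ssoToken= " + requestAuthSchemesIgnoreRealm);
        }
    }
    // Nothing known about how the user authenticated means no scheme is satisfied.
    if (requestAuthSchemes == null) {
        requestAuthSchemes = Collections.EMPTY_SET;
    }
    if (requestAuthSchemesIgnoreRealm == null) {
        requestAuthSchemesIgnoreRealm = Collections.EMPTY_SET;
    }
    // Every configured scheme must be satisfied; the first one that is not
    // becomes the advice and ends the scan.
    boolean allowed = true;
    Set adviceMessages = new HashSet(authSchemes.size());
    for (Iterator authSchemesIter = authSchemes.iterator(); authSchemesIter.hasNext();) {
        String authScheme = (String) authSchemesIter.next();
        if (!isSchemeSatisfied(authScheme, requestAuthSchemes, requestAuthSchemesIgnoreRealm)) {
            allowed = false;
            adviceMessages.add(authScheme);
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "authScheme not satisfied = " + authScheme);
            }
            break;
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At AuthSchemeCondition.getConditionDecision():" + "authSchemes = " + authSchemes + "," + " requestAuthSchemes = " + requestAuthSchemes + ", " + " allowed before appIdleTimeout check = " + allowed);
    }
    Map advices = new HashMap();
    if (!allowed) {
        advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
    }
    long timeToLive = Long.MAX_VALUE;
    // The remainder supports application idle timeout.
    long currentTimeMillis = System.currentTimeMillis();
    // Collector for schemes whose idle timeout has elapsed.
    Set expiredAuthSchemes = new HashSet();
    if (appIdleTimeoutEnabled) {
        // NOTE(review): token is dereferenced below (setProperty); a null token
        // with idle timeout enabled fails with NullPointerException - confirm
        // callers always pass one when this branch is reachable.
        if (allowed) {
            // Condition satisfied pending the idle timeout check.
            long idleTimesOutAtMillis = getApplicationIdleTimesoutAt(token, expiredAuthSchemes, currentTimeMillis);
            if (idleTimesOutAtMillis <= currentTimeMillis) {
                allowed = false;
            }
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "currentTimeMillis = " + currentTimeMillis + ", idleTimesOutAtMillis = " + idleTimesOutAtMillis + ", expiredAuthSchemes = " + expiredAuthSchemes + ", allowed after appIdleTimeout check = " + allowed);
            }
        }
        if (allowed) {
            // Condition satisfied: record the new idle deadline on the session
            // and let the decision live until then.
            long appIdleTimesoutAt = currentTimeMillis + appIdleTimeout;
            token.setProperty(appIdleTimesoutAtSessionKey, Long.toString(appIdleTimesoutAt));
            timeToLive = appIdleTimesoutAt;
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "app access allowed, revised appIdleTimesOutAt=" + appIdleTimesoutAt + ", currentTimeMillis=" + currentTimeMillis);
            }
        } else {
            // Condition not satisfied: report the failing schemes (including
            // expired ones) and add the force-auth advice.
            adviceMessages.addAll(expiredAuthSchemes);
            advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
            Set forceAuthAdvices = new HashSet();
            forceAuthAdvices.add(TRUE);
            advices.put(FORCE_AUTH_ADVICE, forceAuthAdvices);
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At AuthSchemeCondition.getConditionDecision():" + "just before return:" + "allowed = " + allowed + ", timeToLive = " + timeToLive + ", advices = " + advices);
    }
    return new ConditionDecision(allowed, timeToLive, advices);
}

/**
 * Tells whether one configured authentication scheme is satisfied by the
 * schemes the user actually authenticated with.
 *
 * @param authScheme configured scheme, possibly realm-qualified
 * @param requestAuthSchemes realm-qualified schemes the user authenticated with
 * @param requestAuthSchemesIgnoreRealm same schemes without realm qualification
 *        (empty when the schemes came from <code>env</code>)
 * @return <code>true</code> if the scheme is present in
 *         <code>requestAuthSchemes</code>, or - for a realm-unqualified
 *         scheme only - in <code>requestAuthSchemesIgnoreRealm</code>
 */
private static boolean isSchemeSatisfied(String authScheme, Set requestAuthSchemes, Set requestAuthSchemesIgnoreRealm) {
    if (requestAuthSchemes.contains(authScheme)) {
        return true;
    }
    String realm = AMAuthUtils.getRealmFromRealmQualifiedData(authScheme);
    if ((realm != null) && (realm.length() != 0)) {
        // A realm-qualified requirement needs an exact realm-qualified match;
        // a match that ignores the realm is not good enough.
        return false;
    }
    return requestAuthSchemesIgnoreRealm.contains(authScheme);
}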

Example 67 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthSchemeCondition method validateProperties.

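/**
 * Checks the properties set using setProperties() for validity: not null,
 * presence of the AUTH_SCHEME property, and no property other than
 * AUTH_SCHEME, APPLICATION_NAME and APPLICATION_IDLE_TIMEOUT. As a side
 * effect refreshes the cached appName, appIdleTimesoutAtSessionKey,
 * appIdleTimeout and appIdleTimeoutEnabled from the properties.
 *
 * @return <code>true</code> if the properties are valid
 * @throws PolicyException if properties is null, AUTH_SCHEME is missing,
 *         an unknown property is present, or AUTH_SCHEME holds an empty set
 *         or a non-String value
 */
private boolean validateProperties() throws PolicyException {
    if (properties == null) {
        throw new PolicyException(ResBundleUtils.rbName, "properties_can_not_be_null_or_empty", null, null);
    }
    Set keySet = properties.keySet();
    // The required key must be present.
    if (!keySet.contains(AUTH_SCHEME)) {
        String[] args = { AUTH_SCHEME };
        throw new PolicyException(ResBundleUtils.rbName, "property_value_not_defined", args, null);
    }
    // Every key must be one of the three known ones.
    for (Iterator keys = keySet.iterator(); keys.hasNext();) {
        String key = (String) keys.next();
        if (!AUTH_SCHEME.equals(key) && !APPLICATION_NAME.equals(key) && !APPLICATION_IDLE_TIMEOUT.equals(key)) {
            String[] args = { key };
            // NOTE(review): this message key carries a trailing space; confirm
            // it matches the resource bundle entry.
            throw new PolicyException(ResBundleUtils.rbName, "attempt_to_set_invalid_property ", args, null);
        }
    }
    // Validate AUTH_SCHEME and refresh the cached schemes.
    Set authSchemeSet = (Set) properties.get(AUTH_SCHEME);
    if (authSchemeSet != null) {
        validateAuthSchemes(authSchemeSet);
    }
    // Reset every cached application value before re-deriving it, so a value
    // from an earlier setProperties() call cannot survive when the property
    // is now absent. Integer.MAX_VALUE is the "no idle timeout" sentinel.
    appIdleTimeoutEnabled = false;
    appName = null;
    appIdleTimesoutAtSessionKey = null;
    appIdleTimeout = Integer.MAX_VALUE;
    appName = firstNonBlankValue((Set) properties.get(APPLICATION_NAME));
    if (appName != null) {
        appIdleTimesoutAtSessionKey = APPLICATION_IDLE_TIMESOUT_AT_PREFIX + appName;
    }
    String appIdleTimeoutString = firstNonBlankValue((Set) properties.get(APPLICATION_IDLE_TIMEOUT));
    if (appIdleTimeoutString != null) {
        try {
            // Configured in minutes, cached in milliseconds.
            // NOTE(review): if appIdleTimeout is an int, values above
            // Integer.MAX_VALUE / 60000 minutes overflow here - confirm the
            // field type or bound the input.
            appIdleTimeout = Integer.parseInt(appIdleTimeoutString);
            appIdleTimeout = appIdleTimeout * 60 * 1000;
        } catch (NumberFormatException nfe) {
            // An unparsable value disables the idle timeout instead of failing
            // validation; the warning is the only trace of the misconfiguration.
            if (DEBUG.warningEnabled()) {
                DEBUG.warning("At AuthSchemeCondition." + "validateProperties():" + "can not parse appIdleTeimout" + "defaulting to " + Integer.MAX_VALUE);
            }
            appIdleTimeout = Integer.MAX_VALUE;
        }
    }
    // Idle timeout needs both an application name and a real timeout.
    appIdleTimeoutEnabled = (appName != null) && (appIdleTimeout != Integer.MAX_VALUE);
    return true;
}

/**
 * Returns the first element of <code>values</code> as a trimmed String, or
 * <code>null</code> when the set is null or empty or the trimmed value is
 * empty. The element is cast to String, so a non-String element fails with
 * ClassCastException as before.
 *
 * @param values property values, may be null
 * @return trimmed first value or <code>null</code>
 */
private static String firstNonBlankValue(Set values) {
    if ((values == null) || values.isEmpty()) {
        return null;
    }
    String value = ((String) values.iterator().next()).trim();
    return (value.length() == 0) ? null : value;
}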

Example 68 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthSchemeCondition method validateAuthSchemes.

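/**
 * Validates the module instance names provided to the setProperties()
 * call for the AUTH_SCHEME key and replaces the cached
 * <code>authSchemes</code> with them. The values are checked into a scratch
 * set first, so a bad value leaves <code>authSchemes</code> untouched rather
 * than half-replaced.
 *
 * @param authSchemeSet values supplied for AUTH_SCHEME; must not be null
 * @return <code>true</code> when every value is acceptable
 * @throws PolicyException if the set is empty or contains a value that is
 *         neither a String nor null
 */
private boolean validateAuthSchemes(Set authSchemeSet) throws PolicyException {
    if (authSchemeSet.isEmpty()) {
        String[] args = { AUTH_SCHEME };
        throw new PolicyException(ResBundleUtils.rbName, "property_does_not_allow_empty_values", args, null);
    }
    Set validated = new HashSet(authSchemeSet.size());
    for (Iterator authSchemeSetIter = authSchemeSet.iterator(); authSchemeSetIter.hasNext();) {
        Object value = authSchemeSetIter.next();
        // A null element passes, as it did under the former (String) cast.
        if ((value != null) && !(value instanceof String)) {
            String[] args = { AUTH_SCHEME };
            throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_String", args, null);
        }
        validated.add(value);
    }
    authSchemes.clear();
    authSchemes.addAll(validated);
    return true;
}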

Example 69 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticateToRealmCondition method validateAuthnToRealms.

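/**
 * Validates the realm names provided to the setProperties() call for the
 * AUTHENTICATE_TO_REALM key and caches the first one in
 * <code>authenticateToRealm</code>. Only the first value is honoured; any
 * further values in the set are ignored.
 *
 * @param authnToRealmSet values supplied for AUTHENTICATE_TO_REALM; must
 *        not be null
 * @return <code>true</code> when the first value is acceptable
 * @throws PolicyException if the set is empty or its first value is neither
 *         a String nor null
 */
private boolean validateAuthnToRealms(Set authnToRealmSet) throws PolicyException {
    if (authnToRealmSet.isEmpty()) {
        String[] args = { AUTHENTICATE_TO_REALM };
        throw new PolicyException(ResBundleUtils.rbName, "property_does_not_allow_empty_values", args, null);
    }
    authenticateToRealm = null;
    Object first = authnToRealmSet.iterator().next();
    // A null element passes, as it did under the former (String) cast.
    if ((first != null) && !(first instanceof String)) {
        String[] args = { AUTHENTICATE_TO_REALM };
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_String", args, null);
    }
    authenticateToRealm = (String) first;
    return true;
}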

Example 70 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AMIdentityMembershipCondition method isMember.

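/**
 * Determines whether the invoking user is, or is a member of, one of the
 * identities configured in <code>nameValues</code>.
 *
 * @param invocatorUuid universal id of the invoking user; a
 *        <code>null</code> id yields <code>false</code>
 *
 * @return <code>true</code> if the user equals, or is a member of, one of
 *         the configured identities; <code>false</code> otherwise, including
 *         when the invoker or a configured identity cannot be resolved.
 *
 * @exception SSOException if the admin token is not valid
 * @exception PolicyException if the identity repository reported an error
 *            while checking membership
 */
private boolean isMember(String invocatorUuid) throws SSOException, PolicyException {
    if (invocatorUuid == null) {
        if (DEBUG.warningEnabled()) {
            DEBUG.warning("AMIdentityMembershipCondition.isMember():" + "invocatorUuid is null");
            DEBUG.warning("AMIdentityMembershipCondition.isMember():" + "returning false");
        }
        return false;
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AMIdentityMembershipCondition.isMember():" + "invocatorUuid:" + invocatorUuid);
    }
    boolean subjectMatch = false;
    // Resolved once, on first use, and reused for every configured value.
    AMIdentity invocatorIdentity = null;
    for (Iterator valueIter = nameValues.iterator(); valueIter.hasNext() && !subjectMatch;) {
        String nameValue = (String) valueIter.next();
        if (DEBUG.messageEnabled()) {
            DEBUG.message("AMIndentityMembershipCondition.isMember(): " + "checking membership with nameValue = " + nameValue + ", invocatorUuid = " + invocatorUuid);
        }
        try {
            // Both lookups run under the admin token, so resolution does not
            // depend on the invoker's own privileges.
            if (invocatorIdentity == null) {
                invocatorIdentity = IdUtils.getIdentity(getAdminToken(), invocatorUuid);
                if (invocatorIdentity == null) {
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("AMidentityMembershipCondition.isMember():" + "invocatorIdentity is null for " + "invocatorUuid = " + invocatorUuid);
                        DEBUG.message("AMidentityMembershipCondition.isMember():" + "returning false");
                    }
                    return false;
                }
            }
            AMIdentity nameValueIdentity = IdUtils.getIdentity(getAdminToken(), nameValue);
            if (nameValueIdentity == null) {
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("AMidentityMembershipCondition.isMember():" + "nameValueidentity is null for " + "nameValue = " + nameValue);
                    DEBUG.message("AMidentityMembershipCondition.isMember():" + "returning false");
                }
                return false;
            }
            subjectMatch = isMemberOf(invocatorIdentity, nameValueIdentity);
        } catch (IdRepoException ire) {
            DEBUG.warning("AMidentityMembershipCondition.isMember():" + "can not check membership for invocator " + invocatorUuid + ", nameValue " + nameValue, ire);
            String[] args = { invocatorUuid, nameValue };
            throw new PolicyException(ResBundleUtils.rbName, "am_id_subject_membership_evaluation_error", args, ire);
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AMIdentityMembershipCondition.isMember():" + "invocatorUuidr=" + invocatorUuid + ",nameValues=" + nameValues + ",subjectMatch=" + subjectMatch);
    }
    return subjectMatch;
}

/**
 * Tells whether <code>invocatorIdentity</code> is
 * <code>nameValueIdentity</code> itself, or a member of it. Membership is
 * only consulted when the configured identity's type reports that it can
 * have members of the invoker's type; otherwise the answer is
 * <code>false</code>.
 *
 * @param invocatorIdentity resolved identity of the invoking user
 * @param nameValueIdentity resolved identity configured on the condition
 * @return <code>true</code> on equality or confirmed membership
 * @throws IdRepoException if the repository membership check fails
 * @throws SSOException if the membership check rejects the token
 */
private boolean isMemberOf(AMIdentity invocatorIdentity, AMIdentity nameValueIdentity) throws IdRepoException, SSOException {
    IdType invocatorIdType = invocatorIdentity.getType();
    IdType nameValueIdType = nameValueIdentity.getType();
    if (invocatorIdentity.equals(nameValueIdentity)) {
        if (DEBUG.messageEnabled()) {
            DEBUG.message("AMidentityMembershipCondition.isMember():" + "invocatorIdentity equals " + " nameValueIdentity:" + "membership=true");
        }
        return true;
    }
    Set allowedMemberTypes = nameValueIdType.canHaveMembers();
    if ((allowedMemberTypes != null) && allowedMemberTypes.contains(invocatorIdType)) {
        boolean subjectMatch = invocatorIdentity.isMember(nameValueIdentity);
        if (DEBUG.messageEnabled()) {
            DEBUG.message("AMIdentityMembershipCondition.isMember():" + "invocatorIdentityType " + invocatorIdType + " can be a member of " + " nameValueIdentityType " + nameValueIdType + ":membership=" + subjectMatch);
        }
        return subjectMatch;
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AMIdentityMembershipCondition.isMember():" + "invocatoridentityType " + invocatorIdType + " can not be a member of " + " nameValueIdentityType " + nameValueIdType + ":membership=" + false);
    }
    return false;
}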
