
Example 76 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class WebServicesClients method getValidValues.

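/**
 * Returns the subject DNs of the trusted certificate entries in the
 * configured KeyStore as the possible values for this subject.
 *
 * <p>The key provider implementation is loaded reflectively from the
 * {@code SAMLConstants.KEY_PROVIDER_IMPL_CLASS} system property, falling
 * back to {@code SAMLConstants.JKS_KEY_PROVIDER}. Only aliases that are
 * certificate (trusted) entries are considered; key entries and their
 * chains are skipped. If the key provider cannot be loaded, the failure is
 * logged and an empty value set is returned with status
 * {@code ValidValues.SUCCESS} (historical behaviour) &mdash; callers cannot
 * tell "no trusted certificates" from "key provider misconfigured" by the
 * return value alone, so check the error log when the list is unexpectedly
 * empty.
 *
 * @param token the <code>SSOToken</code>; not consulted by this method.
 * @param pattern the pattern to match with valid values. NOTE: currently
 *        ignored; every trusted certificate subject DN is returned.
 *
 * @return <code>ValidValues</code> object with certificate subject DNs.
 *
 * @exception SSOException if SSO token is not valid
 * @exception PolicyException if the KeyStore cannot be enumerated.
 */
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
    // TODO: ignoring the pattern for now. Do we need to take care of it?
    // probably we can ignore for this subject.
    Set<String> subjects = new HashSet<String>();
    KeyProvider kp = loadKeyProvider();
    if (kp == null) {
        // Failure already logged by loadKeyProvider(); keep the historical
        // contract of returning an empty SUCCESS result.
        return new ValidValues(ValidValues.SUCCESS, subjects);
    }
    try {
        KeyStore ks = kp.getKeyStore();
        if (ks != null) {
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (debug.messageEnabled()) {
                    debug.message("WSClient.getValidValues: alias=" + alias);
                }
                // TODO: need to take care of certificate chaining
                if (!ks.isCertificateEntry(alias)) {
                    // Key entries (private keys plus their chains) are not
                    // trust anchors for this subject.
                    if (debug.messageEnabled()) {
                        debug.message("WSClient.getValidValues:alias " + "not trusted.");
                    }
                    continue;
                }
                if (debug.messageEnabled()) {
                    debug.message("WSClient.getValidValues: " + "alias is trusted.");
                }
                java.security.cert.Certificate cert = ks.getCertificate(alias);
                if (cert == null) {
                    if (debug.messageEnabled()) {
                        debug.message("WSClient.getValidValues: " + "cert is null");
                    }
                    continue;
                }
                if (!(cert instanceof X509Certificate)) {
                    // Guard the cast: a non-X.509 trusted entry must not abort
                    // enumeration of the whole KeyStore with a ClassCastException.
                    if (debug.warningEnabled()) {
                        debug.warning("WSClient.getValidValues: alias " + alias + " is not an X.509 certificate, skipping");
                    }
                    continue;
                }
                if (debug.messageEnabled()) {
                    debug.message("WSClient.getValidValues:cert " + "not null");
                }
                String name = CertUtils.getSubjectName((X509Certificate) cert);
                if (name != null && name.length() != 0) {
                    subjects.add(name);
                }
            }
        }
    } catch (KeyStoreException kse) {
        if (debug.warningEnabled()) {
            debug.warning("WebServicesClients: couldn't get subjects", kse);
        }
        String[] objs = { kse.getMessage() };
        throw (new PolicyException(ResBundleUtils.rbName, "can_not_get_subject_values", objs, kse));
    }
    return (new ValidValues(ValidValues.SUCCESS, subjects));
}

/**
 * Instantiates the configured {@link KeyProvider} implementation.
 *
 * <p>The class name comes from a server-side configuration property
 * (operator controlled, not end-user input) and is instantiated via its
 * public no-arg constructor.
 *
 * @return the key provider, or {@code null} (after logging at error level)
 *         when the configured class cannot be found, instantiated, accessed,
 *         or does not implement {@code KeyProvider}.
 */
private KeyProvider loadKeyProvider() {
    String className = SystemConfigurationUtil.getProperty(SAMLConstants.KEY_PROVIDER_IMPL_CLASS, SAMLConstants.JKS_KEY_PROVIDER);
    try {
        Object instance = Class.forName(className).newInstance();
        if (!(instance instanceof KeyProvider)) {
            // Explicit type check rather than an unchecked cast so a bad
            // configuration is logged like the other load failures.
            debug.error("WebServicesClients.getValidValues(): " + className + " does not implement KeyProvider.");
            return null;
        }
        return (KeyProvider) instance;
    } catch (ClassNotFoundException cnfe) {
        debug.error("WebServicesClients.getValidValues(): " + " Couldn't find the class.", cnfe);
    } catch (InstantiationException ie) {
        debug.error("WebServicesClients.getValidValues(): " + " Couldn't instantiate the key provider instance.", ie);
    } catch (IllegalAccessException iae) {
        debug.error("WebServicesClients.getValidValues(): " + " Couldn't access the default constructor.", iae);
    }
    return null;
}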

Example 77 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class PolicyCondition method evaluate.

/**
 * Evaluates the wrapped legacy policy {@link Condition} and adapts its
 * answer to an entitlement {@link ConditionDecision}.
 *
 * <p>Neither {@code realm} nor {@code resourceName} is consulted by this
 * adapter; the legacy condition only receives the SSO token (derived from
 * {@code subject}, or {@code null} when no subject is given) and the
 * environment map.
 *
 * @param realm Realm name.
 * @param subject Subject to be evaluated; may be {@code null}.
 * @param resourceName Resource name.
 * @param environment Environment map passed through to the condition.
 * @return the condition decision carrying the allow flag, advices and
 *         time-to-live from the legacy decision.
 * @throws com.sun.identity.entitlement.EntitlementException with error code
 *         510 when the SSO token is invalid or the legacy condition fails.
 */
public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> environment) throws EntitlementException {
    try {
        SSOToken ssoToken = null;
        if (subject != null) {
            ssoToken = getSSOToken(subject);
        }
        Condition legacyCondition = getPolicyCondition();
        com.sun.identity.policy.ConditionDecision legacy = legacyCondition.getConditionDecision(ssoToken, environment);
        boolean allowed = legacy.isAllowed();
        return new ConditionDecision(allowed, legacy.getAdvices(), legacy.getTimeToLive());
    } catch (SSOException e) {
        throw new EntitlementException(510, e);
    } catch (PolicyException e) {
        throw new EntitlementException(510, e);
    }
}

Example 78 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AMIdentitySubject method isMember.

/**
 * Determines if the user is a member of this instance of the
 * <code>Subject</code> object.
 *
 * <p>Each value in {@code subjectValues} is the universal id of an
 * {@code AMIdentity}. The user identified by {@code token} is a member when,
 * for at least one value, the user's identity equals the subject identity,
 * or the subject identity's type can have members of the user's type and
 * {@code userIdentity.isMember(subjectIdentity)} holds.
 *
 * <p>Per-value results are cached in {@code SubjectEvaluationCache} keyed by
 * the token id: a cached positive result returns {@code true} immediately,
 * a cached negative result skips that value. Identity lookups are performed
 * with the admin token, not the user's token.
 *
 * @param token single sign on token of the user
 *
 * @return <code>true</code> if the user is member of
 * this subject; <code>false</code> otherwise. Also <code>false</code> (fail
 * closed) when the token, its id or its principal name is missing, or when
 * the subject or user identity cannot be resolved.
 *
 * @exception SSOException if SSO token is not valid
 * @exception PolicyException if an error occurred while
 * checking if the user is a member of this subject (wraps the
 * <code>IdRepoException</code> from the identity repository)
 */
public boolean isMember(SSOToken token) throws SSOException, PolicyException {
    String tokenID = null;
    String userDN = null;
    if (token != null) {
        Object tokenIDObject = token.getTokenID();
        if (tokenIDObject != null) {
            tokenID = tokenIDObject.toString();
        }
    }
    if (tokenID == null) {
        // No usable session: deny rather than guess.
        if (debug.warningEnabled()) {
            debug.warning("AMIdentitySubject.isMember():" + "tokenID is null");
            debug.warning("AMIdentitySubject.isMember():" + "returning false");
        }
        return false;
    } else {
        Principal principal = token.getPrincipal();
        if (principal != null) {
            userDN = principal.getName();
        }
        if (userDN == null) {
            // userDN is only used for logging and error messages below, but a
            // session without a principal name is treated as not a member.
            if (debug.warningEnabled()) {
                debug.warning("AMIdentitySubject.isMember():" + "userDN is null");
                debug.warning("AMIdentitySubject.isMember():" + "returning false");
            }
            return false;
        }
    }
    boolean listenerAdded = false;
    boolean subjectMatch = false;
    if (debug.messageEnabled()) {
        debug.message("AMIndentitySubject.isMember(): " + "entering with userDN = " + userDN);
    }
    if (subjectValues.size() > 0) {
        Iterator valueIter = subjectValues.iterator();
        while (valueIter.hasNext()) {
            Boolean matchFound = null;
            /* Actually this is universal id of AMIdentity object
                 * 
                 */
            String subjectValue = (String) valueIter.next();
            if (debug.messageEnabled()) {
                debug.message("AMIndentitySubject.isMember(): " + "checking membership with userDN = " + userDN + ", subjectValue = " + subjectValue);
            }
            // Cache lookup keyed by (tokenID, subject type, subject value):
            // a hit with true short-circuits, a hit with false skips this
            // value, a miss (null) falls through to the IdRepo computation.
            if ((matchFound = SubjectEvaluationCache.isMember(tokenID, "AMIdentitySubject", subjectValue)) != null) {
                if (debug.messageEnabled()) {
                    debug.message("AMIdentitySubject.isMember():" + "got membership from SubjectEvaluationCache " + " for userDN = " + userDN + ", subjectValue = " + subjectValue + ", result = " + matchFound.booleanValue());
                }
                boolean result = matchFound.booleanValue();
                if (result) {
                    if (debug.messageEnabled()) {
                        debug.message("AMIndentitySubject.isMember(): " + " returning membership status = " + result);
                    }
                    return result;
                } else {
                    continue;
                }
            }
            // got here so entry not in subject evalauation cache
            if (debug.messageEnabled()) {
                debug.message("AMIdentitySubject:isMember():entry for " + subjectValue + " not in subject evaluation " + "cache, so compute using IDRepo api");
            }
            try {
                // Privileged lookup: the subject identity is resolved with the
                // admin token, so the user's own read permissions do not apply.
                AMIdentity subjectIdentity = IdUtils.getIdentity(getAdminToken(), subjectValue);
                if (subjectIdentity == null) {
                    // Unresolvable subject value: deny without caching.
                    if (debug.messageEnabled()) {
                        debug.message("AMidentitySubject.isMember():" + "subjectIdentity is null for " + "subjectValue = " + subjectValue);
                        debug.message("AMidentitySubject.isMember():" + "returning false");
                    }
                    return false;
                }
                // Resolve the user from the session token, then re-fetch it via
                // the admin token by universal id (same privilege model as above).
                AMIdentity tmpIdentity = IdUtils.getIdentity(token);
                String univId = IdUtils.getUniversalId(tmpIdentity);
                AMIdentity userIdentity = IdUtils.getIdentity(getAdminToken(), univId);
                if (userIdentity == null) {
                    if (debug.messageEnabled()) {
                        debug.message("AMidentitySubject.isMember():" + "userIdentity is null");
                        debug.message("AMidentitySubject.isMember():" + "returning false");
                    }
                    return false;
                }
                if (debug.messageEnabled()) {
                    debug.message("AMidentitySubject.isMember():" + "user uuid = " + IdUtils.getUniversalId(userIdentity) + ", subject uuid = " + IdUtils.getUniversalId(subjectIdentity));
                }
                IdType userIdType = userIdentity.getType();
                IdType subjectIdType = subjectIdentity.getType();
                Set allowedMemberTypes = null;
                if (userIdentity.equals(subjectIdentity)) {
                    // The subject names the user directly.
                    if (debug.messageEnabled()) {
                        debug.message("AMidentitySubject.isMember():" + "userIdentity equals subjectIdentity:" + "membership=true");
                    }
                    subjectMatch = true;
                } else if (((allowedMemberTypes = subjectIdType.canHaveMembers()) != null) && allowedMemberTypes.contains(userIdType)) {
                    // Container-style subject (e.g. a type that can have members of
                    // the user's type): ask the repository for actual membership.
                    subjectMatch = userIdentity.isMember(subjectIdentity);
                    if (debug.messageEnabled()) {
                        debug.message("AMIdentitySubject.isMember():" + "userIdentity type " + userIdType + " can be a member of " + "subjectIdentityType " + subjectIdType + ":membership=" + subjectMatch);
                    }
                } else {
                    // Type mismatch: the user's type can never be a member of this
                    // subject's type, so no repository call is needed.
                    subjectMatch = false;
                    if (debug.messageEnabled()) {
                        debug.message("AMIdentitySubject.isMember():" + "userIdentity type " + userIdType + " can not be a member of " + "subjectIdentityType " + subjectIdType + ":membership=" + subjectMatch);
                    }
                }
                if (debug.messageEnabled()) {
                    debug.message("AMIdentitySubject.isMember: adding " + "entry in SubjectEvaluationCache for " + ", for userDN = " + userDN + ", subjectValue = " + subjectValue + ", subjectMatch = " + subjectMatch);
                }
                // Both positive and negative results are cached for this token.
                SubjectEvaluationCache.addEntry(tokenID, "AMIdentitySubject", subjectValue, subjectMatch);
                if (!listenerAdded) {
                    // Register the policy SSO listener once per token, presumably so
                    // cached decisions are dropped when the session ends (the
                    // listener's behaviour is defined in PolicyEvaluator, not here).
                    // NOTE(review): containsKey/put is a check-then-act sequence; if
                    // ssoListenerRegistry is not a concurrent map with atomic
                    // semantics, two evaluations of the same token racing here may
                    // add the listener twice -- confirm against PolicyEvaluator.
                    if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenID)) {
                        token.addSSOTokenListener(PolicyEvaluator.ssoListener);
                        PolicyEvaluator.ssoListenerRegistry.put(tokenID, PolicyEvaluator.ssoListener);
                        if (debug.messageEnabled()) {
                            debug.message("AMIdentitySubject.isMember():" + " sso listener added ");
                        }
                        listenerAdded = true;
                    }
                }
                if (subjectMatch) {
                    // First matching value decides; remaining values are not evaluated.
                    break;
                }
            } catch (IdRepoException ire) {
                // Repository failure is surfaced to the caller rather than
                // being treated as "not a member".
                debug.warning("AMidentitySubject.isMember():" + "can not check membership for user " + userDN + ", subject " + subjectValue, ire);
                String[] args = { userDN, subjectValue };
                throw (new PolicyException(ResBundleUtils.rbName, "am_id_subject_membership_evaluation_error", args, ire));
            }
        }
    }
    if (debug.messageEnabled()) {
        if (!subjectMatch) {
            debug.message("AMIdentitySubject.isMember(): user " + userDN + " is not a member of this subject");
        } else {
            debug.message("AMIdentitySubject.isMember(): User " + userDN + " is a member of this subject");
        }
    }
    return subjectMatch;
}

Example 79 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class IDRepoResponseProvider method parseDynamicAttrName.

/**
 * Splits a dynamic attribute name of the form {@code name} or
 * {@code first<ATTR_DELIMITER>second} into its two parts.
 *
 * <p>Returns a two-element array: element 0 is the part before the
 * delimiter and element 1 the part after it, both trimmed. With no
 * delimiter present both elements hold the trimmed name. A {@code null}
 * input yields {@code [null, null]} without error.
 *
 * @param dynamicAttrName the raw attribute name to parse; may be {@code null}.
 * @return the two parsed names.
 * @throws PolicyException ({@code invalid_dynamic_property_being_set}) if the
 *         delimiter is the very first character, or if either part is empty
 *         after trimming. {@link #clearProperties()} is invoked before the
 *         exception is thrown.
 */
private String[] parseDynamicAttrName(String dynamicAttrName) throws PolicyException {
    String[] parsed = new String[2];
    if (dynamicAttrName == null) {
        return parsed;
    }
    int sep = dynamicAttrName.indexOf(ATTR_DELIMITER);
    String first = null;
    String second = null;
    if (sep > 0) {
        first = dynamicAttrName.substring(0, sep).trim();
        second = dynamicAttrName.substring(sep + 1).trim();
    } else if (sep < 0) {
        first = dynamicAttrName.trim();
        second = first;
    }
    // sep == 0 (leading delimiter) leaves both parts null and is rejected
    // below, as is any part that trims to the empty string.
    boolean invalid = (first == null) || (first.length() == 0) || (second.length() == 0);
    if (invalid) {
        clearProperties();
        String[] args = { dynamicAttrName };
        throw new PolicyException(ResBundleUtils.rbName, "invalid_dynamic_property_being_set", args, null);
    }
    parsed[0] = first;
    parsed[1] = second;
    return parsed;
}

Example 80 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticateToServiceCondition method validateAuthnToServices.

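/**
 * Validates the value supplied for the {@code AUTHENTICATE_TO_SERVICE}
 * property in {@code setProperties()} and caches it in
 * {@code authenticateToService}.
 *
 * <p>Only the first element of the set is used. If that element is not
 * realm-qualified according to
 * {@code AMAuthUtils.getRealmFromRealmQualifiedData}, {@code realmEmpty} is
 * set to {@code true}; note that {@code realmEmpty} is never cleared here.
 * A {@code null} element is accepted and leaves {@code authenticateToService}
 * as {@code null} (historical behaviour, preserved for compatibility).
 *
 * @param authnToServiceSet the property values; must be non-null and contain
 *        at least one element, and that element must be a {@link String}
 *        when non-null.
 * @return {@code true} when validation succeeds (this method never returns
 *         {@code false}; failures are reported by exception).
 * @throws PolicyException {@code property_does_not_allow_empty_values} if the
 *         set is {@code null} or empty; {@code property_is_not_a_String} if
 *         the first element is not a String.
 */
private boolean validateAuthnToServices(Set authnToServiceSet) throws PolicyException {
    // A null set is reported like an empty one instead of surfacing as a
    // NullPointerException from isEmpty().
    if (authnToServiceSet == null || authnToServiceSet.isEmpty()) {
        String[] args = { AUTHENTICATE_TO_SERVICE };
        throw new PolicyException(ResBundleUtils.rbName, "property_does_not_allow_empty_values", args, null);
    }
    authenticateToService = null;
    Object first = authnToServiceSet.iterator().next();
    // Explicit type check instead of catching ClassCastException; a null
    // element passes (as it did with the cast) and is handled below.
    if (first != null && !(first instanceof String)) {
        String[] args = { AUTHENTICATE_TO_SERVICE };
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_String", args, null);
    }
    authenticateToService = (String) first;
    if (authenticateToService != null) {
        String realm = AMAuthUtils.getRealmFromRealmQualifiedData(authenticateToService);
        if ((realm == null) || (realm.length() == 0)) {
            realmEmpty = true;
        }
    }
    return true;
}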
