Use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock: class DSAMERole, method getValidValues.
/**
 * Returns the roles beneath {@code organizationDN} whose names match
 * {@code pattern}, wrapped in a {@code ValidValues} whose status reports
 * whether the search completed or stopped at the configured size or time
 * limit.
 *
 * @param token the {@code SSOToken} used to open the store connection that
 *        performs the search
 * @param pattern the role-name pattern handed to
 *        {@code AMOrganization.searchAllRoles}
 * @return a {@code ValidValues} holding the search status and the matching
 *         role names
 * @exception SSOException if the SSO token is not valid
 * @exception PolicyException if this subject has not been initialized, or if
 *            the role search fails
 */
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
    if (!initialized) {
        throw new PolicyException(ResBundleUtils.rbName, "role_subject_not_yet_initialized", null, null);
    }
    try {
        AMStoreConnection storeConnection = new AMStoreConnection(token);
        AMOrganization organization = storeConnection.getOrganization(organizationDN);

        // Bound the search by the subject's configured limits and scope.
        AMSearchControl searchControl = new AMSearchControl();
        searchControl.setMaxResults(maxResults);
        searchControl.setTimeOut(timeLimit);
        searchControl.setSearchScope(roleSearchScope);

        AMSearchResults results = organization.searchAllRoles(pattern, searchControl);

        // Only the two limit conditions are reported; any other code is
        // treated as a successful (possibly partial) search.
        int status = ValidValues.SUCCESS;
        int searchErrorCode = results.getErrorCode();
        if (searchErrorCode == AMSearchResults.SIZE_LIMIT_EXCEEDED) {
            status = ValidValues.SIZE_LIMIT_EXCEEDED;
        } else if (searchErrorCode == AMSearchResults.TIME_LIMIT_EXCEEDED) {
            status = ValidValues.TIME_LIMIT_EXCEEDED;
        }
        return new ValidValues(status, results.getSearchResults());
    } catch (AMException e) {
        throw translateSearchFailure(e);
    }
}

/**
 * Maps a failed role search onto the {@code PolicyException} the caller sees,
 * singling out bad bind credentials and a missing base DN, and otherwise
 * relaying the LDAP result code and diagnostic message.
 *
 * @param e the store exception raised by the search
 * @return the exception to throw in its place (never {@code null})
 */
private PolicyException translateSearchFailure(AMException e) {
    LdapException ldapException = e.getLDAPException();
    if (ldapException == null) {
        return new PolicyException(e);
    }
    ResultCode resultCode = ldapException.getResult().getResultCode();
    if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
        return new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
    }
    if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
        String[] args = { organizationDN };
        return new PolicyException(ResBundleUtils.rbName, "no_such_am_roles_base_dn", args, null);
    }
    // NOTE(review): the directory server's diagnostic message is relayed
    // verbatim in the exception text; callers that surface this message to
    // end users should decide whether that level of detail is appropriate.
    String diagnosticMessage = ldapException.getResult().getDiagnosticMessage();
    String resultCodeName = resultCode.getName().toString(Locale.ROOT);
    if (resultCodeName == null) {
        return new PolicyException(diagnosticMessage);
    }
    return new PolicyException(diagnosticMessage + ": " + resultCodeName);
}
Use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock: class AuthenticateToRealmCondition, method validateProperties.
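/**
 * Checks the properties supplied through {@code setProperties(Map)}: the map
 * must be non-null, must contain {@code AUTHENTICATE_TO_REALM}, must contain
 * no other key, and the {@code AUTHENTICATE_TO_REALM} value, when present,
 * must be a {@code Set}, which is then handed to
 * {@code validateAuthnToRealms} for further checking.
 *
 * @return {@code true} when every check passes; a failing check throws instead
 * @throws PolicyException if the properties are null, the required key is
 *         missing, an unsupported key is present, or the value is not a
 *         {@code Set}
 */
private boolean validateProperties() throws PolicyException {
    // Map.keySet() never returns null for the standard maps, but the guard is
    // kept in case a non-standard Map implementation is supplied.
    if ((properties == null) || (properties.keySet() == null)) {
        throw new PolicyException(ResBundleUtils.rbName, "properties_can_not_be_null_or_empty", null, null);
    }
    Set<?> keySet = properties.keySet();

    // The one required key must be present.
    if (!keySet.contains(AUTHENTICATE_TO_REALM)) {
        String[] args = { AUTHENTICATE_TO_REALM };
        throw new PolicyException(ResBundleUtils.rbName, "property_value_not_defined", args, null);
    }

    // Any key other than the single supported one is rejected; a non-String
    // key is reported the same way instead of escaping as a ClassCastException.
    for (Object key : keySet) {
        if (!AUTHENTICATE_TO_REALM.equals(key)) {
            String[] args = { String.valueOf(key) };
            // NOTE(review): this resource key carries a trailing space; confirm it
            // matches the entry in the resource bundle before normalising it.
            throw new PolicyException(ResBundleUtils.rbName, "attempt_to_set_invalid_property ", args, null);
        }
    }

    // The value being validated is AUTHENTICATE_TO_REALM, so that is the key
    // named in the error (the previous message named the unrelated
    // REQUEST_AUTHENTICATED_TO_REALMS environment key).
    Object value = properties.get(AUTHENTICATE_TO_REALM);
    if (value == null) {
        // A present key with a null value is accepted here, as before.
        return true;
    }
    if (!(value instanceof Set)) {
        String[] args = { AUTHENTICATE_TO_REALM };
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, null);
    }
    validateAuthnToRealms((Set) value);
    return true;
}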
Use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock: class AuthenticateToRealmCondition, method getConditionDecision.
/**
 * Decides whether the user has authenticated to the realm this condition
 * requires ({@code authenticateToRealm}).
 *
 * <p>The set of realms the user is authenticated to is taken from the
 * {@code REQUEST_AUTHENTICATED_TO_REALMS} entry of {@code env} when that
 * entry is present and non-null; otherwise it is derived from the SSO token
 * via {@code AMAuthUtils.getAuthenticatedRealms}. Realm names are compared
 * case-insensitively.
 *
 * @param token single sign on token of the user; may be {@code null}, in
 *        which case only {@code env} can supply the authenticated realms
 * @param env request specific environment map of key/value pairs; the
 *        {@code REQUEST_AUTHENTICATED_TO_REALMS} value, when present, must
 *        be a {@code Set}
 * @return the condition decision: {@code allowed} is {@code true} when the
 *         required realm is among the authenticated ones; otherwise the
 *         decision carries an {@code AUTHENTICATE_TO_REALM_CONDITION_ADVICE}
 *         advice naming the required realm
 * @throws PolicyException if the {@code REQUEST_AUTHENTICATED_TO_REALMS}
 *         value in {@code env} is not a {@code Set}
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #AUTHENTICATE_TO_REALM
 * @see #REQUEST_AUTHENTICATED_TO_REALMS
 * @see com.sun.identity.policy.ConditionDecision
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    // Realm names are matched without regard to case.
    Set requestAuthnRealms = new CaseInsensitiveHashSet();
    boolean realmsSuppliedByEnv = (env != null) && (env.get(REQUEST_AUTHENTICATED_TO_REALMS) != null);

    if (realmsSuppliedByEnv) {
        // NOTE(review): an explicit value in the environment map is used as-is
        // and the token is not consulted, so the map must originate from a
        // trusted part of the evaluation path.
        try {
            requestAuthnRealms.addAll((Set) env.get(REQUEST_AUTHENTICATED_TO_REALMS));
        } catch (ClassCastException e) {
            String[] args = { REQUEST_AUTHENTICATED_TO_REALMS };
            throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
        }
        if (debugMessageEnabled) {
            DEBUG.message("At AuthenticateToRealmCondition.getConditionDecision(): requestAuthnRealms, from request = " + requestAuthnRealms);
        }
    } else if (token != null) {
        Set tokenRealms = AMAuthUtils.getAuthenticatedRealms(token);
        if (tokenRealms != null) {
            requestAuthnRealms.addAll(tokenRealms);
        }
        if (debugMessageEnabled) {
            DEBUG.message("At AuthenticateToRealmCondition.getConditionDecision(): requestAuthnRealms, from ssoToken = " + requestAuthnRealms);
        }
    }

    boolean allowed = requestAuthnRealms.contains(authenticateToRealm);
    Set adviceMessages = new HashSet(1);
    if (!allowed) {
        adviceMessages.add(authenticateToRealm);
        if (debugMessageEnabled) {
            DEBUG.message("At AuthenticateToRealmCondition.getConditionDecision():authenticateToRealm not satisfied = " + authenticateToRealm);
        }
    }
    if (debugMessageEnabled) {
        DEBUG.message("At AuthenticateToRealmCondition.getConditionDecision():authenticateToRealm = " + authenticateToRealm
                + ",requestAuthnRealms = " + requestAuthnRealms + ",  allowed = " + allowed);
    }

    // The advice is only attached when the condition is not satisfied.
    Map advices = new HashMap();
    if (!allowed) {
        advices.put(AUTHENTICATE_TO_REALM_CONDITION_ADVICE, adviceMessages);
    }
    return new ConditionDecision(allowed, advices);
}
Use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock: class AuthenticateToServiceCondition, method validateProperties.
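/**
 * Checks the properties supplied through {@code setProperties(Map)}: the map
 * must be non-null, must contain {@code AUTHENTICATE_TO_SERVICE}, must contain
 * no other key, and the {@code AUTHENTICATE_TO_SERVICE} value, when present,
 * must be a {@code Set}, which is then handed to
 * {@code validateAuthnToServices} for further checking.
 *
 * @return {@code true} when every check passes; a failing check throws instead
 * @throws PolicyException if the properties are null, the required key is
 *         missing, an unsupported key is present, or the value is not a
 *         {@code Set}
 */
private boolean validateProperties() throws PolicyException {
    // Map.keySet() never returns null for the standard maps, but the guard is
    // kept in case a non-standard Map implementation is supplied.
    if ((properties == null) || (properties.keySet() == null)) {
        throw new PolicyException(ResBundleUtils.rbName, "properties_can_not_be_null_or_empty", null, null);
    }
    Set<?> keySet = properties.keySet();

    // The one required key must be present.
    if (!keySet.contains(AUTHENTICATE_TO_SERVICE)) {
        String[] args = { AUTHENTICATE_TO_SERVICE };
        throw new PolicyException(ResBundleUtils.rbName, "property_value_not_defined", args, null);
    }

    // Any key other than the single supported one is rejected; a non-String
    // key is reported the same way instead of escaping as a ClassCastException.
    for (Object key : keySet) {
        if (!AUTHENTICATE_TO_SERVICE.equals(key)) {
            String[] args = { String.valueOf(key) };
            // NOTE(review): this resource key carries a trailing space; confirm it
            // matches the entry in the resource bundle before normalising it.
            throw new PolicyException(ResBundleUtils.rbName, "attempt_to_set_invalid_property ", args, null);
        }
    }

    // The value being validated is AUTHENTICATE_TO_SERVICE, so that is the key
    // named in the error (the previous message named the unrelated
    // REQUEST_AUTHENTICATED_TO_SERVICES environment key).
    Object value = properties.get(AUTHENTICATE_TO_SERVICE);
    if (value == null) {
        // A present key with a null value is accepted here, as before.
        return true;
    }
    if (!(value instanceof Set)) {
        String[] args = { AUTHENTICATE_TO_SERVICE };
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, null);
    }
    validateAuthnToServices((Set) value);
    return true;
}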
Use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock: class AuthSchemeCondition, method getConditionDecision.
/**
 * Gets the decision computed by this condition object, based on the
 * map of environment parameters
 *
 * @param token single sign on token of the user
 *
 * @param env request specific environment map of key/value pairs
 * <code>AuthSchemeCondition</code> looks for value of key
 * <code>REQUEST_AUTH_SCHEMES</code> in the map. The value should
 * be a <code>Set</code> of <code>String</code> elements. If the
 * <code>env</code> parameter is null or does not
 * define the value for <code>REQUEST_AUTH_SCHEMES</code>, value for
 * <code>REQUEST_AUTH_SCHEMES</code> is computed using
 * <code>AuthMethod</code> obtained from single sign on token of
 * the user.
 *
 * @return the condition decision. The condition decision encapsulates
 * whether a policy applies for the request and advice messages
 * generated by the condition.
 * Policy framework continues evaluating a policy only if it applies
 * to the request as indicated by the <code>ConditionDecision</code>.
 * Otherwise, further evaluation of the policy is skipped.
 * However, the advice messages encapsulated in the
 * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
 * in the policy decision.
 * When application idle timeout is enabled and the condition is satisfied,
 * the decision also carries a time-to-live equal to the new idle-timeout
 * deadline, which is written back into the session under
 * <code>appIdleTimesoutAtSessionKey</code>.
 *
 * @throws PolicyException if the condition has not been initialized with a
 * successful call to <code>setProperties(Map)</code> and/or the
 * value of <code>REQUEST_AUTH_SCHEMES</code> could not be
 * determined.
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #AUTH_SCHEME
 * @see #REQUEST_AUTH_SCHEMES
 * @see com.sun.identity.policy.ConditionDecision
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():entering:" + "authSchemes=" + authSchemes + ", appName=" + appName + ", appIdleTimeout=" + appIdleTimeout);
}
boolean allowed = false;
// Schemes the user authenticated with, realm-qualified; and the same set
// without realm qualification (only populated when derived from the token).
Set requestAuthSchemes = null;
Set requestAuthSchemesIgnoreRealm = null;
// NOTE(review): a non-null REQUEST_AUTH_SCHEMES entry in env is used as-is
// and the token is not consulted for schemes, so env must originate from a
// trusted part of the evaluation path. In that branch
// requestAuthSchemesIgnoreRealm stays empty (see below), so a
// realm-unqualified entry of authSchemes can only be satisfied by an
// identical entry in the env-supplied set.
if ((env != null) && (env.get(REQUEST_AUTH_SCHEMES) != null)) {
try {
requestAuthSchemes = (Set) env.get(REQUEST_AUTH_SCHEMES);
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemes from env= " + requestAuthSchemes);
}
} catch (ClassCastException e) {
String[] args = { REQUEST_AUTH_SCHEMES };
throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
}
} else {
if (token != null) {
requestAuthSchemes = AMAuthUtils.getRealmQualifiedAuthenticatedSchemes(token);
requestAuthSchemesIgnoreRealm = AMAuthUtils.getAuthenticatedSchemes(token);
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemes from ssoToken= " + requestAuthSchemes);
DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemesIgnoreRealm from ssoToken= " + requestAuthSchemesIgnoreRealm);
}
}
}
// Normalise to empty sets so the membership checks below never see null.
if (requestAuthSchemes == null) {
requestAuthSchemes = Collections.EMPTY_SET;
}
if (requestAuthSchemesIgnoreRealm == null) {
requestAuthSchemesIgnoreRealm = Collections.EMPTY_SET;
}
// Every required scheme must be satisfied; the loop stops at the first
// one that is not, so at most one scheme is reported in the advice.
Iterator authSchemesIter = authSchemes.iterator();
String authScheme = null;
allowed = true;
Set adviceMessages = new HashSet(authSchemes.size());
while (authSchemesIter.hasNext()) {
authScheme = (String) authSchemesIter.next();
if (!requestAuthSchemes.contains(authScheme)) {
String realm = AMAuthUtils.getRealmFromRealmQualifiedData(authScheme);
// A realm-qualified required scheme must match exactly.
if ((realm != null) && (realm.length() != 0)) {
allowed = false;
adviceMessages.add(authScheme);
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "authScheme not satisfied = " + authScheme);
}
break;
// This branch is the exact complement of the one above, so it is
// always taken when the first is not: an unqualified required scheme
// is accepted if it was used in any realm.
} else if ((realm == null) || (realm.length() == 0)) {
if (!requestAuthSchemesIgnoreRealm.contains(authScheme)) {
allowed = false;
adviceMessages.add(authScheme);
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "authScheme not satisfied = " + authScheme);
}
break;
}
}
}
}
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition.getConditionDecision():" + "authSchemes = " + authSchemes + "," + " requestAuthSchemes = " + requestAuthSchemes + ", " + " allowed before appIdleTimeout check = " + allowed);
}
Map advices = new HashMap();
if (!allowed) {
advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
}
// Long.MAX_VALUE means "no expiry"; it is replaced by the idle-timeout
// deadline only when idle timeout is enabled and access is allowed.
long timeToLive = Long.MAX_VALUE;
//following additions are to support application idle timeout
long currentTimeMillis = System.currentTimeMillis();
//a collector
Set expiredAuthSchemes = new HashSet();
if (appIdleTimeoutEnabled) {
if (allowed) {
//condition satisfied pending idletimeout check
//do idletimeout check
long idleTimesOutAtMillis = getApplicationIdleTimesoutAt(token, expiredAuthSchemes, currentTimeMillis);
if (idleTimesOutAtMillis <= currentTimeMillis) {
allowed = false;
}
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "currentTimeMillis = " + currentTimeMillis + ", idleTimesOutAtMillis = " + idleTimesOutAtMillis + ", expiredAuthSchemes = " + expiredAuthSchemes + ", allowed after appIdleTimeout check = " + allowed);
}
}
if (allowed) {
//condition satisfied
// Access refreshes the idle-timeout deadline stored in the session.
// NOTE(review): token is only null-checked when env lacks
// REQUEST_AUTH_SCHEMES; a null token reaching this line would throw
// NullPointerException — confirm callers always supply a token when
// idle timeout is enabled.
long appIdleTimesoutAt = currentTimeMillis + appIdleTimeout;
token.setProperty(appIdleTimesoutAtSessionKey, Long.toString(appIdleTimesoutAt));
timeToLive = appIdleTimesoutAt;
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "app access allowed, revised appIdleTimesOutAt=" + appIdleTimesoutAt + ", currentTimeMillis=" + currentTimeMillis);
}
} else {
//condition not satisfied
// Reached both when a required scheme was missing (expiredAuthSchemes
// is then still empty) and when the idle timeout has elapsed; in both
// cases a force-authentication advice is added alongside the scheme advice.
adviceMessages.addAll(expiredAuthSchemes);
advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
Set forceAuthAdvices = new HashSet();
forceAuthAdvices.add(TRUE);
advices.put(FORCE_AUTH_ADVICE, forceAuthAdvices);
}
}
if (DEBUG.messageEnabled()) {
DEBUG.message("At AuthSchemeCondition.getConditionDecision():" + "just before return:" + "allowed = " + allowed + ", timeToLive = " + timeToLive + ", advices = " + advices);
}
return new ConditionDecision(allowed, timeToLive, advices);
}