
Example 41 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class SessionCondition method getConditionDecision.

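/**
 * Gets the decision computed by this condition object, based on the
 * map of environment parameters or the user token. If the value of
 * <code>TERMINATE_SESSION</code> is true and the condition
 * evaluation is false, it terminates the user session.
 *
 * @param token single-sign-on token of the user. If <code>null</code> the
 *        condition is reported as satisfied with no expiry.
 * @param env request specific environment map of key/value pair. This
 *        condition looks for the value of key
 *        <code>REQUEST_SESSION_CREATION_TIME</code> in the map, and the
 *        value should be a <code>Long</code>. If <code>env</code> is
 *        null or does not define a value for
 *        <code>REQUEST_SESSION_CREATION_TIME</code>, the
 *        value is obtained from the SSO token of the user
 * @return The condition decision. The condition decision encapsulates
 *         whether a policy applies for the request and advice messages
 *         generated by the condition.
 *         Policy framework continues evaluating a policy only if it
 *         applies to the request as indicated by the condition decision.
 *         Otherwise, further evaluation of the policy is skipped.
 *         However, the advice messages encapsulated in the
 *         condition decision are aggregated and passed up, encapsulated in
 *         the policy decision
 *
 * @throws PolicyException if the <code>REQUEST_SESSION_CREATION_TIME</code>
 *         value is not a <code>Long</code>, or the authentication instant
 *         stored in the token cannot be parsed
 * @throws SSOException if the SSO token is invalid. A failure to destroy
 *         the token is only logged, it is not propagated.
 *
 * @see com.sun.identity.policy.ConditionDecision
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    // Without a token there is nothing to measure against; the condition is
    // reported as satisfied with no expiry (existing contract, preserved).
    if (token == null) {
        return new ConditionDecision(true, Long.MAX_VALUE);
    }
    long sessionCreationTime = resolveSessionCreationTime(token, env);
    long currentTime = System.currentTimeMillis();
    // maxSessionTime is presumably in milliseconds like the other operands -
    // confirm. A sum that overflows goes negative and is then treated as
    // already expired, i.e. the condition fails closed.
    long expiredTime = sessionCreationTime + maxSessionTime;
    if (debug.messageEnabled()) {
        debug.message(new StringBuilder("SessionCondition.getConditionDecision():")
                .append("\n  currentTime: ").append(currentTime)
                .append("\n  expiredTime: ").append(expiredTime).toString());
    }
    if (currentTime < expiredTime) {
        // The "time to live" carried by the decision is the absolute expiry instant.
        return new ConditionDecision(true, expiredTime);
    }
    return denySessionExpired(token);
}

/**
 * Returns the session creation time in milliseconds, preferring the
 * <code>REQUEST_SESSION_CREATION_TIME</code> entry of <code>env</code> and
 * falling back to the token's <code>SSOTOKEN_PROPERTY_AUTHINSTANT</code>.
 * NOTE(review): an env-supplied value overrides the token's own
 * authentication instant, so the environment map must only be populated by
 * a trusted caller - confirm where it is built.
 *
 * @param token single-sign-on token of the user, not <code>null</code>
 * @param env request environment map, may be <code>null</code>
 * @return the creation time in milliseconds since the epoch
 * @throws PolicyException if the env value is present but not a
 *         <code>Long</code>, or the token's authentication instant cannot be parsed
 * @throws SSOException if the token property cannot be read
 */
private long resolveSessionCreationTime(SSOToken token, Map env) throws PolicyException, SSOException {
    if (env != null) {
        Object value = env.get(REQUEST_SESSION_CREATION_TIME);
        if (value != null) {
            // Type check up front instead of relying on a ClassCastException.
            if (!(value instanceof Long)) {
                String[] args = { REQUEST_SESSION_CREATION_TIME };
                throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Long", args, null);
            }
            return ((Long) value).longValue();
        }
    }
    try {
        return DateUtils.stringToDate(token.getProperty(SSOTOKEN_PROPERTY_AUTHINSTANT)).getTime();
    } catch (ParseException e) {
        throw new PolicyException(ResBundleUtils.rbName, "unable_to_parse_ssotoken_authinstant", null, e);
    }
}

/**
 * Builds the deny decision issued once the session has outlived
 * <code>maxSessionTime</code>. When <code>terminateSession</code> is set the
 * user's session is also destroyed and the terminate advice is added; a
 * failure to destroy it is logged only, since the request is denied either way.
 *
 * @param token the token whose session is to be terminated, not <code>null</code>
 * @return a deny decision carrying the <code>SESSION_CONDITION_ADVICE</code> messages
 */
private ConditionDecision denySessionExpired(SSOToken token) {
    Set adviceMessages = new HashSet(2);
    adviceMessages.add(ADVICE_DENY);
    if (terminateSession) {
        adviceMessages.add(ADVICE_TERMINATE_SESSION);
        try {
            SSOTokenManager.getInstance().destroyToken(token);
            if (debug.messageEnabled()) {
                debug.message("SessionCondition.getConditionDecision(): " + "successfully terminated user session!");
            }
        } catch (SSOException ssoEx) {
            // Best effort: the decision is already negative, so only record the failure.
            if (debug.warningEnabled()) {
                debug.warning("SessionCondition.getConditionDecision(): " + "failed to terminate user session!", ssoEx);
            }
        }
    }
    Map advices = new HashMap(1);
    advices.put(SESSION_CONDITION_ADVICE, adviceMessages);
    // A denied decision carries no expiry, hence Long.MAX_VALUE.
    return new ConditionDecision(false, Long.MAX_VALUE, advices);
}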

Example 42 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class ResourceEnvIPCondition method getAuthLevel.

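/**
 * Extracts the integer auth level from a realm qualified
 * (<code>realm:level</code>) String.
 *
 * @param qualifiedLevel the realm qualified auth level; only the level part
 *        after the realm qualifier is used
 * @return the level part parsed as an <code>int</code>
 * @throws PolicyException if the level part is not parsable as an integer
 */
private int getAuthLevel(String qualifiedLevel) throws PolicyException {
    String levelString = AMAuthUtils.getDataFromRealmQualifiedData(qualifiedLevel);
    try {
        return Integer.parseInt(levelString);
    } catch (NumberFormatException nfe) {
        // Prefix the warning with this class so the log line can be traced to its source.
        if (DEBUG.warningEnabled()) {
            DEBUG.warning("ResourceEnvIPCondition.getAuthLevel(qualifiedLevel):" + "got NumberFormatException:" + "qualifiedLevel=" + qualifiedLevel + ", levelString = " + levelString);
        }
        Object[] args = { levelString };
        throw new PolicyException(ResBundleUtils.rbName, "auth_level_not_integer", args, nfe);
    }
}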

Example 43 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class ResourceEnvIPCondition method getAdviceMessagesforAuthLevel.

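/**
 * Returns advice messages for the Authentication Level condition.
 * <p>
 * The advice value is a realm qualified auth level (<code>realm:level</code>).
 * The highest auth level reached by the request is read from <code>env</code>
 * first and from the token only when the environment yields none. If that
 * level is below the required one - which includes the case where no level
 * could be determined at all - the advice value is returned so the caller can
 * report the unmet requirement.
 *
 * @param adviceValue realm qualified auth level required by the condition
 * @param token single-sign-on token of the user, may be <code>null</code>
 * @param env request specific environment map, may be <code>null</code>
 * @return a set that contains <code>adviceValue</code> when the required
 *         level is not met, otherwise an empty set
 * @throws PolicyException if the level part of <code>adviceValue</code> is
 *         not an integer
 * @throws SSOException propagated from the token based level lookup
 */
private Set getAdviceMessagesforAuthLevel(String adviceValue, SSOToken token, Map env) throws PolicyException, SSOException {
    Set adviceMessages = new HashSet();
    String authLevel = adviceValue;
    String authRealm = AMAuthUtils.getRealmFromRealmQualifiedData(authLevel);
    int requiredLevel;
    try {
        requiredLevel = Integer.parseInt(AMAuthUtils.getDataFromRealmQualifiedData(authLevel));
    } catch (NumberFormatException e) {
        String[] args = { AUTH_LEVEL };
        // Keep the parse failure as the cause so the offending value is not lost.
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_an_Integer", args, e);
    }
    int maxRequestAuthLevel = getMaxRequestAuthLevel(env, authRealm, authLevel);
    if ((maxRequestAuthLevel == Integer.MIN_VALUE) && (token != null)) {
        maxRequestAuthLevel = getMaxRequestAuthLevel(token, authRealm, authLevel);
    }
    // Integer.MIN_VALUE means "no level found"; it compares below any real
    // level, so an undeterminable level fails the condition instead of passing it.
    if (maxRequestAuthLevel < requiredLevel) {
        adviceMessages.add(authLevel);
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At ResourceEnvIPCondition." + "getAdviceMessagesforAuthLevel():" + "authLevel=" + authLevel + ",authRealm=" + authRealm + ",maxRequestAuthLevel=" + maxRequestAuthLevel + ",adviceMessages=" + adviceMessages);
    }
    return adviceMessages;
}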

Example 44 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class ResourceEnvIPCondition method setProperties.

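/**
 * Sets the properties of <code>ResourceEnvIPCondition</code>.
 * Evaluation of ConditionDecision is influenced by these properties.
 * Each element of the <code>ENV_CONDITION_VALUE</code> set is parsed as
 * <code>IF env THEN advice</code> (the markers are also accepted in lower
 * case); the env part and the advice part are stored at the same index of
 * <code>envList</code> and <code>adviceList</code>. Both lists are cleared
 * before parsing starts, so they are also empty when this method throws.
 *
 * @param properties the properties of the condition that governs
 *        whether a policy applies. The properties should
 *        define value for the key ENV_CONDITION_VALUE. The value should
 *        be a Set with multiple elements. Each element should be
 *        a String. Please note that properties is not cloned by the method.
 *
 * @throws PolicyException if properties is null, does not contain a
 *         value for the key ENV_CONDITION_VALUE, the value is an empty Set,
 *         or an element is not of the form <code>IF env THEN advice</code>
 */
public void setProperties(Map properties) throws PolicyException {
    this.properties = properties;
    envList.clear();
    adviceList.clear();
    if ((properties == null) || (properties.keySet() == null)) {
        throw new PolicyException(ResBundleUtils.rbName, "null_properties", null, null);
    }
    // check if the value is valid
    Set envCondVal = (Set) properties.get(ENV_CONDITION_VALUE);
    if ((envCondVal == null) || envCondVal.isEmpty()) {
        throw new PolicyException(ResBundleUtils.rbName, "null_env_cond_value", null, null);
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("ResourceEnvIPCondition:setProperties envCondVal : " + envCondVal);
    }
    int i = 0;
    for (Iterator envCondValIter = envCondVal.iterator(); envCondValIter.hasNext(); ) {
        String envKey = (String) envCondValIter.next();
        if (envKey == null) {
            continue;
        }
        String[] parts = splitEnvCondition(envKey);
        envList.add(i, parts[0]);
        adviceList.add(i, parts[1]);
        i++;
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("ResourceEnvIPCondition:setProperties envList : " + envList);
        DEBUG.message("ResourceEnvIPCondition:setProperties adviceList : " + adviceList);
    }
}

/**
 * Splits one <code>ENV_CONDITION_VALUE</code> element into its env part and
 * its advice part.
 *
 * @param envKey an element of the form <code>IF env THEN advice</code>
 * @return a two element array: the text between the <code>IF</code> and
 *         <code>THEN</code> markers, then the text after <code>THEN</code>
 * @throws PolicyException if either marker is missing or the markers are
 *         not in the expected order. Such an element used to be silently
 *         mis-parsed (missing <code>IF</code>) or to fail with a
 *         <code>StringIndexOutOfBoundsException</code> (missing
 *         <code>THEN</code>); rejecting it keeps a broken rule from being
 *         installed as something else.
 */
private String[] splitEnvCondition(String envKey) throws PolicyException {
    int ifIndex = envKey.indexOf("IF");
    if (ifIndex == -1) {
        ifIndex = envKey.indexOf("if");
    }
    int adviceIndex = envKey.indexOf(THEN);
    if (adviceIndex == -1) {
        adviceIndex = envKey.indexOf("then");
    }
    // The offsets assume a single space around the markers: "IF env THEN advice".
    int envStart = ifIndex + 2;
    int envEnd = adviceIndex - 1;
    int adviceStart = adviceIndex + 5;
    if ((ifIndex == -1) || (adviceIndex == -1) || (envEnd < envStart) || (adviceStart > envKey.length())) {
        if (DEBUG.warningEnabled()) {
            DEBUG.warning("ResourceEnvIPCondition:setProperties malformed condition : " + envKey);
        }
        throw new PolicyException("ResourceEnvIPCondition: malformed ENV_CONDITION_VALUE element, expected 'IF env THEN advice': " + envKey);
    }
    return new String[] { envKey.substring(envStart, envEnd), envKey.substring(adviceStart) };
}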

Example 45 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class ResourceEnvIPCondition method getAdviceMessagesforAuthService.

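/**
 * Returns advice messages for the Authentication Service condition.
 * <p>
 * The services the request is authenticated to are read from
 * <code>REQUEST_AUTHENTICATED_TO_SERVICES</code> in <code>env</code>, or from
 * the token when the environment has no such entry. The condition is
 * satisfied when <code>adviceValue</code> appears in that set as given, or,
 * if it carries no realm qualifier, when it equals the service part of any
 * realm qualified entry. Otherwise <code>adviceValue</code> is returned as
 * the advice. An exact match counts as satisfied; this path previously still
 * emitted the advice because the flag was only set in the unqualified scan.
 *
 * @param adviceValue authentication service required by the condition,
 *        optionally realm qualified
 * @param token single-sign-on token of the user, may be <code>null</code>
 * @param env request specific environment map, may be <code>null</code>
 * @return a set that contains <code>adviceValue</code> when the requirement
 *         is not met, otherwise an empty set
 * @throws PolicyException if the <code>REQUEST_AUTHENTICATED_TO_SERVICES</code>
 *         value is not a <code>Set</code>
 * @throws SSOException propagated from reading the services off the token
 */
private Set getAdviceMessagesforAuthService(String adviceValue, SSOToken token, Map env) throws PolicyException, SSOException {
    Set adviceMessages = new HashSet();
    Set requestAuthnServices = new HashSet();
    Object fromEnv = (env != null) ? env.get(REQUEST_AUTHENTICATED_TO_SERVICES) : null;
    if (fromEnv != null) {
        try {
            requestAuthnServices = (Set) fromEnv;
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At ResourceEnvIPCondition." + "getAdviceMessagesforAuthService(): " + "requestAuthnServices from request = " + requestAuthnServices);
            }
        } catch (ClassCastException e) {
            String[] args = { REQUEST_AUTHENTICATED_TO_SERVICES };
            throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
        }
    } else if (token != null) {
        // No environment entry: fall back to what the token records.
        Set authenticatedServices = AMAuthUtils.getRealmQualifiedAuthenticatedServices(token);
        if (authenticatedServices != null) {
            requestAuthnServices.addAll(authenticatedServices);
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("At ResourceEnvIPCondition." + "getAdviceMessagesforAuthService(): " + "requestAuthnServices from ssoToken = " + requestAuthnServices);
        }
    }
    // Exact (possibly realm qualified) presence satisfies the requirement.
    boolean allow = requestAuthnServices.contains(adviceValue);
    if (!allow) {
        String realm = AMAuthUtils.getRealmFromRealmQualifiedData(adviceValue);
        if ((realm != null) && (realm.length() != 0)) {
            // A realm qualified requirement must match exactly; nothing else to try.
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At ResourceEnvIPCondition." + "getAdviceMessagesforAuthService():" + "authService not satisfied = " + adviceValue);
            }
        } else {
            // Unqualified requirement: compare against the service part of each entry.
            for (Iterator iter = requestAuthnServices.iterator(); iter.hasNext(); ) {
                String service = AMAuthUtils.getDataFromRealmQualifiedData((String) iter.next());
                if (adviceValue.equals(service)) {
                    allow = true;
                    break;
                }
            }
        }
    }
    if (!allow) {
        adviceMessages.add(adviceValue);
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At ResourceEnvIPCondition." + "getAdviceMessagesforAuthService():authenticateToService = " + adviceValue + "," + " requestAuthnServices = " + requestAuthnServices + ", " + " adviceMessages = " + adviceMessages);
    }
    return adviceMessages;
}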
