use of com.sun.identity.saml.assertion.Action in project OpenAM by OpenRock.
From the class DefaultActionMapper, method getAuthorizationDecisions.
/**
 * Evaluates the query's actions against OpenAM policy and reports a single
 * decision bucket.
 * <p>
 * The evidence attached to the query is first converted into policy
 * environment parameters via {@code convertEvidence}. Each action is then
 * evaluated one at a time; only actions in the
 * {@code urn:oasis:names:tc:SAML:1.0:ghpp} namespace are evaluated, against
 * the {@code iPlanetAMWebAgentService} policy. Actions in any other
 * namespace are never evaluated and land in neither the permit nor the deny
 * bucket.
 * <p>
 * Decision precedence: if at least one action is permitted, the result holds
 * {@link ActionMapper#PERMIT} mapped to only the permitted actions (denied
 * actions are not reported in that case); otherwise, if at least one action
 * is denied, the result holds {@link ActionMapper#DENY}; otherwise the result
 * holds {@link ActionMapper#INDETERMINATE} mapped to the query's own action
 * list. An action whose evaluation throws is treated as indeterminate: it is
 * never reported as permitted, and the failure is logged at debug level only.
 *
 * @param query    the authorization decision query; must not be null
 * @param token    the requester's session, expected to be an {@code SSOToken}
 *                 (any other type fails the cast during evaluation and is
 *                 treated as indeterminate for that action)
 * @param sourceID the source id passed through to evidence conversion
 * @return a Map holding exactly one of the {@code ActionMapper} decision keys
 *         mapped to a List of {@code Action}
 * @throws SAMLException if {@code query} or {@code token} is null
 */
public Map getAuthorizationDecisions(AuthorizationDecisionQuery query, Object token, String sourceID) throws SAMLException {
    if (query == null || token == null) {
        SAMLUtils.debug.message("DefaultActionMapper: null input.");
        throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
    }

    // Evidence attributes become the policy environment for every evaluation.
    Map envParameters = convertEvidence(query.getEvidence(), query.getSubject(), sourceID);
    String resource = query.getResource();
    List actions = query.getAction();

    List<Action> permitted = new ArrayList<Action>();
    List<Action> denied = new ArrayList<Action>();
    // Created lazily so a query without any ghpp action never touches the policy service,
    // and so a constructor failure is handled like any other evaluation failure.
    PolicyEvaluator evaluator = null;

    for (Object element : actions) {
        Action action = (Action) element;
        if (!SAMLConstants.ACTION_NAMESPACE_GHPP.equals(action.getNameSpace())) {
            // Unsupported namespace: skipped, not evaluated.
            continue;
        }
        try {
            if (evaluator == null) {
                evaluator = new PolicyEvaluator("iPlanetAMWebAgentService");
            }
            boolean allowed = evaluator.isAllowed((SSOToken) token, resource, action.getAction(), envParameters);
            (allowed ? permitted : denied).add(action);
        } catch (Exception e) {
            // Evaluation failure (including a token that is not an SSOToken) is
            // indeterminate for this action: it is never counted as permitted.
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("DefaultActionMapper: Exception from policy:" + e);
            }
        }
    }

    Map<String, List> decisions = new HashMap<String, List>();
    if (!permitted.isEmpty()) {
        decisions.put(ActionMapper.PERMIT, permitted);
    } else if (!denied.isEmpty()) {
        decisions.put(ActionMapper.DENY, denied);
    } else {
        // Nothing could be decided: report the query's full action list as-is.
        decisions.put(ActionMapper.INDETERMINATE, actions);
    }
    return decisions;
}