use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.
Class FMResourceMapper, method mapToNativeResource:
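/**
 * Maps the XACML context Resource to the native OpenAM resource name and
 * service name.
 * <p>
 * The resource-id attribute supplies the resource name and the
 * target-service attribute supplies the service name. An attribute is only
 * consulted when its DataType is xs:string, and only its first
 * AttributeValue is read; if the same attribute appears more than once the
 * last occurrence wins. Attributes without an AttributeId, without a
 * DataType, with a non-string DataType or with no AttributeValue are
 * skipped rather than failing the mapping, so either element of the result
 * may be null. Callers must treat a null element as "attribute missing".
 *
 * @param xacmlContextResource XACML context Resource (null is tolerated and
 *        maps to two null elements)
 * @return a two-element array: element 0 is the resource name, element 1
 *         the service name; either may be null when not supplied
 * @exception XACMLException if can not map to native resource and service
 *        name (declared for the interface; this implementation reports a
 *        missing mapping through null elements instead of throwing)
 */
public String[] mapToNativeResource(Resource xacmlContextResource) throws XACMLException {
    String resourceName = null;
    String serviceName = null;
    List attributes = (xacmlContextResource == null) ? null : xacmlContextResource.getAttributes();
    if (attributes != null) {
        for (Object item : attributes) {
            Attribute attr = (Attribute) item;
            if (attr == null || attr.getAttributeId() == null) {
                continue;
            }
            String attributeId = attr.getAttributeId().toString();
            if (attributeId.equals(XACMLConstants.RESOURCE_ID)) {
                Element value = firstStringTypedValue(attr);
                if (value != null) {
                    resourceName = XMLUtils.getElementValue(value);
                }
            } else if (attributeId.equals(XACMLConstants.TARGET_SERVICE)) {
                Element value = firstStringTypedValue(attr);
                if (value != null) {
                    serviceName = XMLUtils.getElementValue(value);
                }
            }
        }
    }
    String[] resourceService = new String[2];
    resourceService[0] = resourceName;
    resourceService[1] = serviceName;
    return resourceService;
}

/**
 * Returns the first AttributeValue element of {@code attr} when the
 * attribute's DataType is xs:string and it carries at least one value;
 * null otherwise (no DataType, other DataType, or no values).
 */
private static Element firstStringTypedValue(Attribute attr) {
    URI dataType = attr.getDataType();
    if (dataType == null || !dataType.toString().equals(XACMLConstants.XS_STRING)) {
        return null;
    }
    List values = attr.getAttributeValues();
    if (values == null || values.isEmpty()) {
        return null;
    }
    return (Element) values.get(0);
}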
use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.
Class FMSubjectMapper, method mapToNativeSubject:
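/**
 * Maps the XACML context Subject(s) of an xacml-context:Request to the
 * native OpenAM subject, an SSOToken.
 * <p>
 * Only subjects whose SubjectCategory is absent or equal to the
 * access-subject category are considered. Within those, the subject-id
 * attribute is interpreted by its DataType:
 * <ul>
 * <li>OpenSSO session id: the value is used as an existing session id;</li>
 * <li>X500Name: the value is used directly as the user name;</li>
 * <li>SAML2 NameID: the value is looked up in
 *     IDPCache.userIDByTransientNameIDValue to obtain the user name (only
 *     transient NameIDs are supported, see the TODO below).</li>
 * </ul>
 * If several subjects or attributes match, the last one wins. Only the
 * first AttributeValue of an attribute is read; attributes without an
 * AttributeId, DataType or value are skipped. A session id is tried first;
 * when none was given, or creating a token from it fails, a session is
 * created for the user name via createFMSession. Either failure is logged
 * at debug level only and results in null.
 * <p>
 * NOTE(review): the session id is a bearer credential and the X500Name /
 * NameID-derived user name is accepted exactly as asserted in the query:
 * createFMSession() is called for it without any credential check. This
 * mapper therefore relies entirely on the caller having authenticated the
 * PEP before the query reaches it (e.g. at the SAML/SOAP layer); confirm
 * that guarantee holds on every path into this method.
 *
 * @param xacmlContextSubjects XACML context Subject(s) from the
 *        xacml-context:Request
 * @return native subject, OpenAM SSOToken, returns null if no Subject
 *         matched or no session could be created for the matched subject
 * @exception XACMLException if can not map to native subject
 */
public Object mapToNativeSubject(List xacmlContextSubjects) throws XACMLException {
    if (xacmlContextSubjects == null) {
        return null;
    }
    String sid = null;
    String userName = null;
    for (Iterator iter = xacmlContextSubjects.iterator(); iter.hasNext(); ) {
        Subject subject = (Subject) iter.next();
        if (subject == null) {
            continue;
        }
        // Only the access subject identifies the requesting principal; other
        // categories (intermediary, recipient, ...) are ignored.
        URI subjectCategory = subject.getSubjectCategory();
        if ((subjectCategory != null) && (!subjectCategory.toString().equals(XACMLConstants.ACCESS_SUBJECT))) {
            continue;
        }
        List attributes = subject.getAttributes();
        if (attributes == null) {
            continue;
        }
        for (Iterator attrIter = attributes.iterator(); attrIter.hasNext(); ) {
            Attribute attr = (Attribute) attrIter.next();
            if (attr == null || attr.getAttributeId() == null || attr.getDataType() == null) {
                continue;
            }
            if (!attr.getAttributeId().toString().equals(XACMLConstants.SUBJECT_ID)) {
                continue;
            }
            String dataType = attr.getDataType().toString();
            if (dataType.equals(XACMLConstants.OPENSSO_SESSION_ID)) {
                Element sidElement = firstAttributeValue(attr);
                if (sidElement != null) {
                    sid = XMLUtils.getElementValue(sidElement);
                }
            } else if (dataType.equals(XACMLConstants.X500NAME)) {
                Element nameElement = firstAttributeValue(attr);
                if (nameElement != null) {
                    userName = XMLUtils.getElementValue(nameElement);
                }
            } else if (dataType.equals(XACMLConstants.SAML2_NAMEID)) {
                Element nameIDElement = firstAttributeValue(attr);
                String nameID = (nameIDElement == null) ? null : XMLUtils.getElementValue(nameIDElement);
                if (nameID != null) {
                    // May resolve to null when the transient NameID is unknown;
                    // that null then overrides any earlier user name, as before.
                    userName = (String) IDPCache.userIDByTransientNameIDValue.get(nameID);
                }
                // TODO:Need to support non-transient nameid format
            }
        }
    }
    SSOToken ssoToken = null;
    if (sid != null) {
        //create ssoToken based on sessionId
        try {
            SSOTokenManager tokenManager = SSOTokenManager.getInstance();
            ssoToken = tokenManager.createSSOToken(sid);
        } catch (SSOException ssoExp) {
            // Best effort: an invalid/expired session id falls through to the
            // user-name path below, or to a null result.
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("FMSubjectMapper.mapToNativeSubject()" + ":caught SSOException:", ssoExp);
            }
        }
    }
    //create ssoToken based on x500name (userName)
    if ((ssoToken == null) && (userName != null)) {
        try {
            ssoToken = createFMSession(userName);
        } catch (SessionException se) {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("FMSubjectMapper.mapToNativeSubject()" + ":caught SessionException:", se);
            }
        }
    }
    return ssoToken;
}

/**
 * Returns the first AttributeValue element of {@code attr}, or null when
 * the attribute carries no values.
 */
private static Element firstAttributeValue(Attribute attr) {
    List values = attr.getAttributeValues();
    if (values == null || values.isEmpty()) {
        return null;
    }
    return (Element) values.get(0);
}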
use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.
Class XACMLAuthzDecisionQueryHandler, method handleQuery:
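/**
 * Processes an XACMLAuthzDecisionQuery and returns a SAML2 Response
 * carrying an XACMLAuthzDecisionStatement.
 * <p>
 * The query's subject, first resource and action are mapped to native
 * OpenAM terms (an SSOToken, a resource name plus service name, and an
 * action name) and handed to a PolicyEvaluator for that service. Only the
 * first Resource of the request is evaluated, and the environment is not
 * mapped yet (null is passed to the evaluator). The handler fails closed:
 * every mapping or evaluation failure yields a Decision of Indeterminate,
 * never Permit. Mapping failures carry the missing-attribute status code,
 * evaluator failures processing-error; the status message is always the
 * literal "processing_error" in either case. The one exception is a
 * subject that maps but whose resource names no target service: that is
 * raised as a SAML2Exception instead of being answered with a Result.
 *
 * @param pdpEntityId EntityID of PDP
 * @param pepEntityId EntityID of PEP
 * @param samlpRequest SAML2 Request; must be an XACMLAuthzDecisionQuery
 * @param soapMessage SOAPMessage that carried the SAML2 Request; only used
 *        for debug logging
 * @return SAML2 Response with an XACMLAuthzDecisionStatement
 * @exception SAML2Exception if the query can not be handled: it is not an
 *        XACMLAuthzDecisionQuery, carries no xacml-context Request, or its
 *        resource names no target service
 */
public com.sun.identity.saml2.protocol.Response handleQuery(String pdpEntityId, String pepEntityId, RequestAbstract samlpRequest, SOAPMessage soapMessage) throws SAML2Exception {
    //TODO: logging, i18n
    //TODO: long term, allow different mapper impls for different
    //combination of pdp, pep
    if (!(samlpRequest instanceof XACMLAuthzDecisionQuery)) {
        // Check the type up front: the unchecked cast this replaces surfaced
        // a wrong (or null) request as a ClassCastException/NPE instead of a
        // SAML2Exception the caller can turn into a proper fault.
        throw new SAML2Exception("samlpRequest is not an XACMLAuthzDecisionQuery");
    }
    XACMLAuthzDecisionQuery authzQuery = (XACMLAuthzDecisionQuery) samlpRequest;
    Request xacmlRequest = authzQuery.getRequest();
    if (xacmlRequest == null) {
        throw new SAML2Exception("XACMLAuthzDecisionQuery carries no xacml-context:Request");
    }
    boolean returnContext = authzQuery.getReturnContext();

    SubjectMapper subjectMapper = new FMSubjectMapper();
    subjectMapper.initialize(pdpEntityId, pepEntityId, null);
    ResourceMapper resourceMapper = new FMResourceMapper();
    resourceMapper.initialize(pdpEntityId, pepEntityId, null);
    ActionMapper actionMapper = new FMActionMapper();
    actionMapper.initialize(pdpEntityId, pepEntityId, null);
    // The environment and result mappers are initialized for parity with the
    // others but are not used by this method yet (environment mapping is
    // still disabled below); kept in case initialize() has side effects.
    EnvironmentMapper environmentMapper = new FMEnvironmentMapper();
    environmentMapper.initialize(pdpEntityId, pepEntityId, null);
    ResultMapper resultMapper = new FMResultMapper();
    resultMapper.initialize(pdpEntityId, pepEntityId, null);

    boolean evaluationFailed = false;
    String statusCodeValue = null;
    if (XACMLSDKUtils.debug.messageEnabled()) {
        // NOTE(review): this writes the whole query and SOAP envelope to the
        // debug log. FMSubjectMapper accepts an OpenSSO session id as the
        // subject-id, i.e. a bearer credential, so message-level logging of
        // this handler must stay off wherever the log is less protected
        // than the session store.
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), entering" + ":pdpEntityId=" + pdpEntityId + ":pepEntityId=" + pepEntityId + ":samlpRequest=\n" + samlpRequest.toXMLString(true, true) + ":soapMessage=\n" + soapMessage);
    }
    SSOToken ssoToken = null;
    String resourceName = null;
    String serviceName = null;
    String actionName = null;
    // Environment mapping is not wired up yet, so the evaluator always gets
    // null here.
    Map environment = null;
    boolean booleanDecision = false;
    try {
        //get native sso token
        ssoToken = (SSOToken) subjectMapper.mapToNativeSubject(xacmlRequest.getSubjects());
        if (ssoToken == null) {
            //TODO: log message and fill missing attribute details
            statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
            evaluationFailed = true;
        } else {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery()," + "created ssoToken");
            }
            //get native service name, resource name
            List resources = xacmlRequest.getResources();
            Resource resource = null;
            if (resources != null && !resources.isEmpty()) {
                //We deal with only one resource for now
                resource = (Resource) resources.get(0);
            }
            if (resource != null) {
                String[] resourceService = resourceMapper.mapToNativeResource(resource);
                if (resourceService != null) {
                    if (resourceService.length > 0) {
                        resourceName = resourceService[0];
                    }
                    if (resourceService.length > 1) {
                        serviceName = resourceService[1];
                    }
                }
            }
            if (resourceName == null) {
                //TODO: log message and fill missing attribute details
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
            if (serviceName == null) {
                //TODO: log message and fill missing attribute details
                // Unlike every other mapping failure this is not answered with
                // an Indeterminate result. Thrown inside the try: it reaches
                // the caller provided SAML2Exception is not an XACMLException
                // (presumably the case; confirm against the class hierarchy).
                throw new SAML2Exception(XACMLSDKUtils.xacmlResourceBundle.getString("missing_attribute"));
            }
            //get native action name (needs the service name to resolve it)
            actionName = actionMapper.mapToNativeAction(xacmlRequest.getAction(), serviceName);
            if (actionName == null) {
                //TODO: log message and fill missing attribute details
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
        }
        //get environment map -- not implemented yet, environment stays null:
        // environment = environmentMapper.mapToNativeEnvironment(
        //         xacmlRequest.getEnvironment(), xacmlRequest.getSubjects());
    } catch (XACMLException xe) {
        statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
        evaluationFailed = true;
        if (XACMLSDKUtils.debug.warningEnabled()) {
            XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", xe);
        }
    }
    //get native policy decision using native policy evaluator; skipped when
    //any mapping failed so the decision below is Indeterminate, never Permit.
    if (!evaluationFailed) {
        try {
            PolicyEvaluator pe = new PolicyEvaluator(serviceName);
            booleanDecision = pe.isAllowed(ssoToken, resourceName, actionName, environment);
        } catch (SSOException ssoe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", ssoe);
            }
            evaluationFailed = true;
        } catch (PolicyException pe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", pe);
            }
            evaluationFailed = true;
        }
    }
    //decision: Indeterminate, Deny, Permit, NotApplicable
    //status code: missing_attribute, syntax_error, processing_error, ok
    Decision decision = ContextFactory.getInstance().createDecision();
    Status status = ContextFactory.getInstance().createStatus();
    StatusCode code = ContextFactory.getInstance().createStatusCode();
    StatusMessage message = ContextFactory.getInstance().createStatusMessage();
    StatusDetail detail = ContextFactory.getInstance().createStatusDetail();
    // Inserts a clone of the (empty) StatusDetail element into itself. Kept
    // as-is: presumably a workaround the serializer depends on -- confirm
    // before removing.
    detail.getElement().insertBefore(detail.getElement().cloneNode(true), null);
    if (evaluationFailed) {
        decision.setValue(XACMLConstants.INDETERMINATE);
        if (statusCodeValue == null) {
            // Evaluator failure rather than a mapping failure.
            statusCodeValue = XACMLConstants.STATUS_CODE_PROCESSING_ERROR;
        }
        code.setValue(statusCodeValue);
        //TODO: i18n
        message.setValue("processing_error");
    } else if (booleanDecision) {
        decision.setValue(XACMLConstants.PERMIT);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    } else {
        decision.setValue(XACMLConstants.DENY);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    }
    Result result = ContextFactory.getInstance().createResult();
    // Echo the resource-id the PEP sent (falling back to the mapped name) so
    // the PEP can correlate the Result with its request.
    String resourceId = responseResourceId(xacmlRequest, resourceName);
    result.setResourceId(resourceId);
    result.setDecision(decision);
    status.setStatusCode(code);
    status.setStatusMessage(message);
    status.setStatusDetail(detail);
    result.setStatus(status);
    Response response = ContextFactory.getInstance().createResponse();
    response.addResult(result);
    XACMLAuthzDecisionStatement statement = ContextFactory.getInstance().createXACMLAuthzDecisionStatement();
    statement.setResponse(response);
    if (returnContext) {
        // The PEP asked for the request to be echoed back in the statement.
        statement.setRequest(xacmlRequest);
    }
    com.sun.identity.saml2.protocol.Response samlpResponse = createSamlpResponse(statement, status.getStatusCode().getValue());
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), returning" + ":samlResponse=\n" + samlpResponse.toXMLString(true, true));
    }
    return samlpResponse;
}

/**
 * Returns the value to report as Result/@ResourceId: the text of the first
 * AttributeValue of the first resource-id attribute on the request's first
 * Resource. Returns {@code fallback} when the request has no resource, no
 * such attribute, or the attribute carries no value. Unlike the resource
 * mapper, the attribute's DataType is not checked, so the echoed id is
 * whatever the PEP sent.
 */
private static String responseResourceId(Request xacmlRequest, String fallback) {
    List resources = xacmlRequest.getResources();
    if (resources == null || resources.isEmpty()) {
        return fallback;
    }
    //We deal with only one resource for now
    Resource resource = (Resource) resources.get(0);
    if (resource == null) {
        return fallback;
    }
    List attributes = resource.getAttributes();
    if (attributes == null) {
        return fallback;
    }
    for (Object item : attributes) {
        Attribute attr = (Attribute) item;
        if (attr == null || attr.getAttributeId() == null) {
            continue;
        }
        if (!attr.getAttributeId().toString().equals(XACMLConstants.RESOURCE_ID)) {
            continue;
        }
        List values = attr.getAttributeValues();
        if (values == null || values.isEmpty()) {
            return fallback;
        }
        return XMLUtils.getElementValue((Element) values.get(0));
    }
    return fallback;
}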
use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.
Class SubjectImpl, method toXMLString:
/**
 * Serializes this Subject as an xacml-context:Subject element.
 * <p>
 * Both flags are currently forced to {@code false} inside the method (see
 * the TODO), so the element is always written without a namespace prefix
 * and without namespace declarations, whatever the caller passes; the
 * attribute children are serialized with that same forced prefix setting
 * and never declare namespaces themselves. SubjectCategory is emitted as an
 * attribute only when set. Its value is written unescaped, which is safe
 * only as long as the field is a java.net.URI (which rejects the characters
 * that would need escaping) -- confirm the field type before relying on it.
 *
 * @param includeNSPrefix Determines whether or not the namespace qualifier
 *        is prepended to the Element when converted (currently overridden
 *        to false)
 * @param declareNS Determines whether or not the namespace is declared
 *        within the Element (currently overridden to false)
 * @return a string representation of this object
 * @exception XACMLException if conversion fails for any reason
 */
public String toXMLString(boolean includeNSPrefix, boolean declareNS) throws XACMLException {
    //TODO: remove the 2 following line
    includeNSPrefix = false;
    declareNS = false;
    String nsDeclaration = "";
    if (declareNS) {
        nsDeclaration = XACMLConstants.CONTEXT_NS_DECLARATION + XACMLConstants.SPACE
                + XACMLConstants.XSI_NS_URI + XACMLConstants.SPACE + XACMLConstants.CONTEXT_SCHEMA_LOCATION;
    }
    String prefix = includeNSPrefix ? XACMLConstants.CONTEXT_NS_PREFIX + ":" : "";
    StringBuilder xml = new StringBuilder(2000);
    xml.append('<').append(prefix).append(XACMLConstants.SUBJECT).append(nsDeclaration);
    if (subjectCategory != null) {
        xml.append(' ').append(XACMLConstants.SUBJECT_CATEGORY).append("=\"").append(subjectCategory.toString()).append('"');
    }
    xml.append('>');
    if (attributes != null) {
        xml.append('\n');
        for (Object item : attributes) {
            // Children inherit the prefix choice but never declare namespaces.
            xml.append(((Attribute) item).toXMLString(includeNSPrefix, false));
        }
    }
    // The subject-category attribute, if any, is already among the
    // attributes above, so nothing else is emitted here.
    xml.append("</").append(prefix).append(XACMLConstants.SUBJECT).append(">\n");
    return xml.toString();
}
use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.
Class ActionImpl, method toXMLString:
/**
 * Serializes this Action as an xacml-context:Action element.
 * <p>
 * When {@code declareNS} is set, the context namespace declaration and the
 * xsi schema-location are written on the Action element; when
 * {@code includeNSPrefix} is set, the element name is prefixed. The
 * attribute children are serialized with the same prefix setting but never
 * declare namespaces themselves. An Action without attributes is written as
 * an empty element.
 *
 * @param includeNSPrefix Determines whether or not the namespace qualifier
 *        is prepended to the Element when converted
 * @param declareNS Determines whether or not the namespace is declared
 *        within the Element.
 * @return a string representation of this object
 * @exception XACMLException if conversion fails for any reason
 */
public String toXMLString(boolean includeNSPrefix, boolean declareNS) throws XACMLException {
    String prefix = includeNSPrefix ? XACMLConstants.CONTEXT_NS_PREFIX + ":" : "";
    String nsDeclaration = "";
    if (declareNS) {
        nsDeclaration = XACMLConstants.CONTEXT_NS_DECLARATION + XACMLConstants.SPACE
                + XACMLConstants.XSI_NS_URI + XACMLConstants.SPACE + XACMLConstants.CONTEXT_SCHEMA_LOCATION;
    }
    StringBuilder xml = new StringBuilder(2000);
    xml.append('<').append(prefix).append(XACMLConstants.ACTION).append(nsDeclaration).append('>');
    if (attributes != null) {
        xml.append('\n');
        for (Object item : attributes) {
            // Children inherit the prefix choice but never declare namespaces.
            xml.append(((Attribute) item).toXMLString(includeNSPrefix, false));
        }
    }
    xml.append("</").append(prefix).append(XACMLConstants.ACTION).append(">\n");
    return xml.toString();
}