/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AMAuthenticationManager.java,v 1.9 2009/08/05 19:57:27 qcheng Exp $
*
* Portions Copyrighted 2011-2015 ForgeRock AS.
* Portions Copyrighted 2014 Nomura Research Institute, Ltd
*/
/**
* This class provides interfaces to manage authentication module instances.
*/
public class AMAuthenticationManager {
private static final Map<String, String> MODULE_SERVICE_NAMES = new ConcurrentHashMap<String, String>();
private static final Map<String, Map<String, Set<String>>> MODULE_INSTANCE_TABLE = Collections.synchronizedMap(
static {
}
/**
* Constructs an instance of <code>AMAuthenticationManager</code> for the specified realm to manage the
* authentication module instances available to this realm.
*
* @param token Single sign on token of the user identity on whose behalf the operations are performed.
* @param org The realm in which the module instance management is performed.
* @throws AMConfigurationException if a Service Management related error occurs.
*/
try {
if (orgServiceConfig == null) {
}
synchronized (AMAuthenticationManager.class) {
}
}
} catch (SMSException e) {
throw new AMConfigurationException(e);
}
}
}
/**
* Re-initializes the module services.
* This method is meant for global authentication configuration change.
*/
public static synchronized void reInitializeAuthServices() {
    // Drops the cached authentication types. Being static synchronized, this holds the class
    // monitor, so it is serialised against other code that synchronizes on AMAuthenticationManager.class.
    // NOTE(review): AUTH_TYPES is declared outside this listing; confirm that the types are
    // re-populated after this clear, since only the clear is visible here.
    AUTH_TYPES.clear();
}
/**
* Returns a Set that contains all the authentication types that are plugged into
* this server.
* @return Set of String values of the authentication types available on
* this server.
*/
return AUTH_TYPES;
}
/**
* Returns a Set that contains all the module service names that are plugged into
* this server.
* @return Set of String values of the module service names available on
* this server.
*/
if (DEBUG.messageEnabled()) {
}
return names;
}
/**
* Returns authentication service name of a module.
*
* @param moduleName Name of authentication module.
* @return authentication service name of a module.
*/
}
/**
* This code makes the authentication type list static. If the list
* is expanded or shrunk, the server needs to be restarted.
*/
private static void initAuthenticationService() {
try {
if (index != -1) {
}
// Application is not one of the selectable instance type.
}
if (serviceName == null) {
try {
} catch (Exception e) {
}
}
}
if (DEBUG.messageEnabled()) {
}
}
}
}
/**
* Builds the module instance table for the realm.
* Format of this table:
* Table: key = realm, value = module Map for the realm.
* module Map for the realm:
* key = module type, value = Set of module instances
*/
try {
if (DEBUG.messageEnabled()) {
"buildModuleInstanceTable: realm = " + realm);
}
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
}
/**
* Updates the static module instance table for the specified service in
* the realm.
*
* @param realm The realm in which the operation is processed.
* @param serviceName the service for which the table is built.
*/
private static synchronized void buildModuleInstanceForService(
if (DEBUG.messageEnabled()) {
}
try {
if (DEBUG.messageEnabled()) {
}
if (DEBUG.messageEnabled()) {
"buildModuleInstanceForService: Service="
}
}
synchronized (MODULE_INSTANCE_TABLE) {
/*
* this code avoids mutating the hashmap while other threads
* may be iterating over it
*/
}
}
}
}
}
if (!instanceSet.isEmpty()){
}
/*
* this operation is safe as moduleMap is a local object
* now.
*/
}
}
}
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
if (DEBUG.messageEnabled()) {
}
}
/**
* Updates the module instance table for the authentication service if the module instance table was already
* cached for the provided realm.
*
* @param realm The realm where the configuration has changed.
* @param serviceName The authentication module's service name.
*/
}
}
// get the module name from its service name.
return moduleName;
}
}
return null;
}
/**
* Returns an <code>AMAuthenticationSchema</code> object for the specified
* authentication type.
*
* @param authType Type of the authentication module instance.
* @return <code>AMAuthenticationSchema</code> object of the specified
* authentication type.
* @throws AMConfigurationException if an error occurred while retrieving
* the service schema.
*/
throws AMConfigurationException {
}
if (DEBUG.messageEnabled()) {
}
try {
token);
// using the sub schema in new auth config.
} else {
// fall back to the org schema if the DIT is old.
}
return amschema;
} catch (Exception e) {
throw new AMConfigurationException(e);
}
}
/**
* Returns the <code>AMAuthenticationInstance</code> object whose name is
* as specified.
* Name uniqueness is required for the instances among the same realm, as
* well as the instances that are available to this realm.
*
* @param authName Authentication instance name.
* @return The <code>AMAuthenticationInstance</code> object that is
* associated with the authentication instance name.
*/
return null;
}
}
/**
* Returns an <code>AMAuthenticationInstance</code> object with the given
* authentication name and type.
*/
// for global authentication modules
}
try {
} catch (SMSException e) {
if (DEBUG.messageEnabled()) {
}
return null;
} catch (SSOException ee) {
return null;
}
try {
}
} catch (SMSException e) {
// normal exception for some schemas without global configuration.
// no need to log anything.
}
try {
// Must check if there is a sub-config with the auth
// type as the name otherwise it will not be returned.
} else {
}
}
}
} catch (SSOException e) {
if (DEBUG.warningEnabled()) {
}
} catch (SMSException e) {
// normal exception for global service configuration.
// no need to log anything.
}
if (DEBUG.messageEnabled()) {
}
else {
}
}
}
}
} else {
return null;
}
}
/**
* Returns the type of the authentication module instance with the
* specified instance name.
*/
} else {
returnValue = type;
break;
}
}
}
}
return returnValue;
}
/**
* Returns a Set of all registered module instance names for a module type,
* including both the old instances from 6.3 DIT and the new instances
* in 7.0.
*/
}
}
}
}
if (DEBUG.messageEnabled()) {
}
return instances;
}
/**
* Returns a Set of all registered module instance names, including
* both the old instances from 6.3 DIT and the new instances in 7.0.
*/
}
}
if (!GLOBAL_MODULE_NAMES.isEmpty()){
}
}
if (DEBUG.messageEnabled()) {
}
return instances;
}
/**
* Returns a Set of module instance names that are allowed for this
* organization.
* Since this is only needed for 6.3 and earlier, for 7.0 it returns an
* empty set.
* @return a Set of String values for module instance names.
*/
} else {
}
}
}
return retVal;
}
/* Returns true if this module is from the 6.3 DIT. */
return true;
}
return false;
}
try {
} catch (Exception e) {
e.getMessage());
}
return null;
}
}
/**
* Returns the authentication module instances that are available to this
* realm except the Application instance which is for internal use only.
*
* @return A Set of <code>AMAuthenticationInstance</code> objects that are
* available to this realm.
*/
if (!GLOBAL_MODULE_NAMES.isEmpty()) {
continue;
}
}
}
}
}
}
}
}
}
return instanceSet;
}
/**
* Creates an <code>AMAuthenticationInstance</code> instance with the
* specified parameters.
*
* @param name Name of the authentication module instance.
* @param type Type of the authentication module instance.
* @param attributes A Map of parameters for this module instance.
* @return The newly created <code>AMAuthenticationInstance</code> object.
* @throws AMConfigurationException if an error occurred while creating the
* authentication instance.
*/
) throws AMConfigurationException {
throw new AMConfigurationException(BUNDLE_NAME,
"invalidAuthenticationInstanceName", null);
}
}
throw new AMConfigurationException(BUNDLE_NAME,
} else {
throw new AMConfigurationException(BUNDLE_NAME,
}
}
try {
} catch (SSOException e) {
if (DEBUG.warningEnabled()) {
}
} catch (SMSException e) {
// normal exception for service without global configuration.
// no need to log anything.
}
try {
// Check if service is assigned
}
}
0, attributes);
} else {
// if the module instance name equals its type, set the
// attributes in its organization config, not sub config.
}
//In case of server mode AMAuthLevelManager will update AMAuthenticationManager about the change, and
//there is no need to reinitialize the configuration twice. In client mode it is less likely that
//AMAuthLevelManager listeners are in place, so let's reinitialize to be on the safe side.
if (!SystemProperties.isServerMode()) {
}
} catch (Exception e) {
throw new AMConfigurationException(e);
}
}
/**
* Deletes a specified authentication module instance.
* @param name Name of the authentication module instance to be
* deleted.
* @throws AMConfigurationException if it fails to delete the
* authentication instance.
*/
throws AMConfigurationException {
throw new AMConfigurationException(BUNDLE_NAME,
}
if (isModuleInstanceInUse(name)) {
throw new AMConfigurationException(BUNDLE_NAME,
}
if (serviceConfig == null) {
throw new AMConfigurationException(BUNDLE_NAME,
}
try {
// no subconfig
}
} else {
// remove sub config
serviceName, token);
}
if (isInheritedAuthInstance(name)) {
}
//In case of server mode AMAuthLevelManager will update AMAuthenticationManager about the change, and
//there is no need to reinitialize the configuration twice. In client mode it is less likely that
//AMAuthLevelManager listeners are in place, so let's reinitialize to be on the safe side.
if (!SystemProperties.isServerMode()) {
}
} catch (Exception e) {
throw new AMConfigurationException(e);
}
}
/**
* Returns <code>true</code> if this authentication module instance is editable.
*
* @param instance The authentication module instance.
* @return <code>true</code> if editable.
*/
return true;
}
}
/**
* Returns <code>true</code> if the module instance with the specified
* name is being used by any named configuration.
*
* @param moduleInstance Name of the module instance.
* @return <code>true</code> if the module instance is in use.
*/
boolean returnValue = false;
try {
if (namedConfig != null) {
}
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
if (DEBUG.messageEnabled()) {
}
if (DEBUG.messageEnabled()) {
}
returnValue = true;
break;
}
}
return returnValue;
}
/**
* Checks if the module instance name appears in the named configuration
* definition.
* @param serviceName String value for the name of the named configuration.
* @param moduleInstance String value for the name of the module instance.
* @return <code>true</code> if the module instance is in the service.
*/
boolean returnValue = false;
if (serviceName != null) {
try {
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
}
if (DEBUG.messageEnabled()) {
+ xmlConfig);
}
returnValue = true;
break;
}
}
}
}
}
}
return returnValue;
}
}
}