Policy.java revision 8af80418ba1ec431c8027fa9668e5678658d3611
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: Policy.java,v 1.9 2010/01/10 01:19:35 veiming Exp $
*
*/
/*
* Portions Copyrighted [2011] [ForgeRock AS]
*/
/**
* The class <code>Policy</code> represents a policy definition.
* A policy contains a set of rules associated with a collection of
* users and conditions. The policy object is saved in the data store
* only when the <code>store</code> method of the <code>Policy</code> is
* called, or if the methods <code>addPolicy</code> or <code>replacePolicy
* </code> of <code>PolicyManager</code> instance is invoked with this policy.
* The <code>Policy</code> object is accessible to policy evaluation and
* enforcement points only after it is saved in data store.
*
* @supported.api
*/
private static final int SUBJECTS_CONDITIONS_RULES = 1;
private static final int CONDITIONS_SUBJECTS_RULES = 2;
private static final int RULES_SUBJECTS_CONDITIONS = 3;
private static final int RULES_CONDITIONS_SUBJECTS = 4;
private static final int SUBJECTS_RULES_CONDITIONS = 5;
private static final int CONDITIONS_RULES_SUBJECTS = 6;
private final static String EVALUATION_WEIGHTS_KEY
= "com.sun.identity.policy.Policy.policy_evaluation_weights";
private int evaluationOrder = RULES_SUBJECTS_CONDITIONS;
private static int ruleWeight;
private static int conditionWeight;
private static int subjectWeight;
private int prWeight;
private int pcWeight;
private int psWeight;
static {
}
private String origPolicyName;
private String policyName;
private String lastModifiedBy;
private long creationDate;
private long lastModifiedDate;
private boolean referralPolicy=false;
private boolean active = true;
private int priority;
private String organizationName;
private final static int MATCHED_RULE_RESULTS_CACHE_SIZE = 1000;
private final static int MATCHED_REFERRAL_RULES_CACHE_SIZE = 100;
private Cache matchRulesResultsCache
= new Cache(MATCHED_RULE_RESULTS_CACHE_SIZE);
private String subjectRealm;
/**
* No-arg constructor.
*/
private Policy() {
// do nothing
}
/**
* Constructs a policy given the policy name.
*
* @param policyName name of the policy
*
* @exception InvalidNameException if policy name is not valid
*
* @supported.api
*
*/
this(policyName, null);
}
/**
* Constructs a policy given the policy name and priority.
*
* @param policyName name of the policy
* @param priority priority assigned to the policy
*
* @exception InvalidNameException if policy name is not valid
*/
{
this.policyName = policyName;
// Set the policy priority
}
/**
* Constructs a policy given the policy name and description.
*
* @param policyName name of the policy
* @param description description for the policy
*
* @exception InvalidNameException if policy name is not valid
*
* @supported.api
*
*/
throws InvalidNameException {
this(policyName, description, false, true);
}
/**
* Constructs a policy given the policy name,description and a
* referralPolicy flag.
*
* @param policyName name of the policy
* @param description description for the policy
* @param referralPolicy indicates whether the policy is a
* referral policy or a standard policy.
* A referral policy is used only to delegate policy definitions to
* action values
*
*
* @exception InvalidNameException if policy name is not valid
*
* @supported.api
*
*/
boolean referralPolicy) throws InvalidNameException
{
}
/**
* Constructs a policy given the policy name , description,
* referralPolicy flag, and active flag
*
* @param policyName name of the policy
* @param description description for the policy
* @param referralPolicy indicates whether the policy is a
* referral policy or a standard policy.
* @param active indicates if the policy is active or not.
* A referral policy is used only to delegate policy definitions to
* action values
*
* @exception InvalidNameException if policy name is not valid
*
* @supported.api
*
*/
{
this.policyName = policyName;
if (description != null) {
this.description = description;
}
this.referralPolicy = referralPolicy;
}
/**
* Constructs a policy given the Policy Node.
* This is used by PolicyManager
* @param pm <code>PolicyManager</code> requesting the operation
*
* @param policyNode XML node in W3C DOM format representing
* the policy object which needs to be created.
* @exception InvalidFormatException, InvalidNameException,
* NameNotFoundException, PolicyException
*/
// Check if the node name is PolicyManager.POLICY_ROOT_NODE
"invalid policy xml blob given to construct policy");
}
}
// Get the policy name
// Get descrition, can be null
// Get referralPolicy flag
if ( (referralPolicy != null) &&
this.referralPolicy = true;
}
// Get active flag
this.active = false;
}
// Get priority
try {
} catch (NumberFormatException nfe) {
// write to debug and continue
}
}
// Get the rule nodes and instantiate them
}
}
if (!this.referralPolicy) {
// Get the users collection and instantiate Subjects
if ( subjectsNode != null ) {
}
// Get the conditions collection and instantiate Conditions
if ( conditionsNode != null ) {
}
// Get the respProviders collection and instantiate
// ResponseProviders
if ( respProvidersNode != null ) {
respProviders = new ResponseProviders(
}
} else {
// Get the referrals collection and instantiate Referrals
if ( referralsNode != null ) {
}
}
}
try {
} catch (NumberFormatException e) {
//ignore
}
}
if ((strLastModifiediDate != null) &&
) {
try {
} catch (NumberFormatException e) {
//ignore
}
}
}
/**
* Gets the name of the policy.
*
* @return name of the policy
*/
return (policyName);
}
/**
* Sets the name of the policy.
*
* @param policyName name of the policy.
* @exception InvalidNameException if <code>policyName</code> is an invalid
* name.
*
* @supported.api
*
*/
return;
}
if (origPolicyName == null) {
origPolicyName = this.policyName;
}
this.policyName = policyName;
}
/**
* Gets the original policy name.
* This is used to track policies called via
* <code>PolicyManager::replacePolicy()</code>
* with the changed policy name.
*
* @return the policy name that was present when
* the object was instantiated
*/
protected String getOriginalName() {
return (origPolicyName);
}
/**
* Sets the organization name under which the policy is created
* This would be set only for policies that have been read from data store.
* Otherwise this would be <code>null</code>
*
* @param organizationName name of the organization name in which the
* policy is created.
*/
this.organizationName = organizationName;
}
/**
* Gets the organization name under which the policy is created
* This would be set only for policies that have been read from data store.
* Otherwise this would be <code>null</code>
*
* @return the organization name under which the policy is created
*
* @supported.api
*
*/
public String getOrganizationName() {
return organizationName;
}
/**
* Resets the original policy name
*/
protected void resetOriginalName() {
}
/**
* Gets the description for the policy.
* If the description for the policy has not been set
* the method will return an empty string; not <code>
* null</code>.
*
* @return description of the policy
*
* @supported.api
*
*/
public String getDescription() {
return description;
}
/**
* Sets the description for the policy.
*
* @param description description for the policy
* @exception InvalidNameException if the description is invalid
*
* @supported.api
*
*/
throws InvalidNameException {
if (description != null) {
this.description = description;
}
}
/**
* Checks whether the policy is a referral policy.
* A referral policy is used only to delegate policy definitions to
* action values
*
* @return <code>true</code> if this is a referral policy.
* Otherwise returns <code>false</code>
*
* @supported.api
*
*/
public boolean isReferralPolicy() {
return referralPolicy;
}
/**
* Checks whether the policy is active or inactive
* An inactive policy is not used to make policy evaluations.
*
* @return <code>true</code> if this is an active policy.
* Otherwise returns <code>false</code>
*
* @supported.api
*
*/
public boolean isActive() {
return active;
}
/**
* Set the active flag for policy.
* An inactive policy is not used to make policy evaluations.
* @param active <code>boolean</code> representing active or inactive.
*
* @supported.api
*
*/
}
/**
* Gets the priority of the policy.
*
* @return priority of the policy
*/
public int getPriority() {
return (priority);
}
/**
* Sets a priority of the policy.
*
* @param priority priority of the policy
*/
public void setPriority(int priority) {
}
/**
* Gets the set of rule names associated with the policy.
*
* @return <code>Set</code> of rule names
*
* @supported.api
*
*/
public Set getRuleNames() {
}
/**
* Gets the rule object identified by name.
*
* @param ruleName name of rule.
*
* @return <code>Rule</code> object.
*
* @exception NameNotFoundException if a <code>Rule</code> with the given
* name does not exist
* @supported.api
*
*/
}
return (rule);
}
/**
* Adds a new policy rule.
*
* @param rule rule object to be added to the policy
* @exception NameAlreadyExistsException a rule with the given name
* already exists
* @exception InvalidNameException if the rule name is invalid
* same service name as the policy
* @supported.api
*
*/
// Since 5.0 does not support rule name, it can be null
// Assign a name dynamically
}
// Check if the rule name or rule itself already exists
}
}
/**
* Replaces an existing rule with the same name by the
* current one. If a <code>Rule</code> with the same name does not exist,
* it will be added.
*
* @param rule <code>Rule</code> that will replace an existing rule
* with the same name
*
* @exception InvalidNameException if <code>Rule</code> name is invalid
*
* @supported.api
*
*/
// Since 5.0 does not support rule name, it can be null
// Assign a name dynamically
}
}
/**
* Removes the <code>Rule</code> with the given name.
*
* @param ruleName name of the rule
*
* @return returns the <code>Rule</code> object being removed;
* if not present returns <code>null</code>
*
* @supported.api
*
*/
}
/**
* Returns a <code>Subjects</code> object that contains
* a set of <code>Subject</code> instances for which the
* policy is applied.
*
* @return Subjects object of the policy
*/
Subjects getSubjects() {
return (users);
}
/**
* Get the <code>Set</code> of subject names associated with the policy.
*
* @return <code>Set</code> of String objects representing subject names
*
* @supported.api
*
*/
public Set getSubjectNames() {
return users.getSubjectNames();
}
/**
* Gets the Subject object identified by name.
*
* @param subjectName name of subject.
*
* @return <code>Subject</code> object
*
* @exception NameNotFoundException if a Subject with the given name
* does not exist
*
* @supported.api
*
*/
}
/**
* Adds a new policy subject.
* The subject is added as a normal (non exclusive) subject.
* So, policy will apply to members of the subject.
* The policy will apply to a user if he is a member of
* any normal (non exclusive) subject in the policy
* or not a member of any exclusive subject in the policy.
*
* @param name name of the Subject instance
* @param subject Subject object to be added to the policy
*
* @exception NameAlreadyExistsException if a Subject with the given name
* already exists
* @exception InvalidNameException if the subject name is invalid
*
* @supported.api
*
*/
}
/**
* Adds a reference in the policy to a Subject defined at the realm.
*
*
* @param token SSOToken of the user adding the subject
* @param subjectName name of the Subject as defined at the realm
* @param realmName name of the realm in which the subject is defined
*
* @exception NameAlreadyExistsException if a Subject with the given name
* already exists in the policy
* @exception InvalidNameException if the subject name is invalid
* or the subject is not found at the realm
* @exception SSOException if the SSO token is invalid
* @exception PolicyException if the subject could not be added
* for any other reason
*
* @supported.api
*
*/
}
/**
* Adds a reference in the policy to a Subject defined at the realm.
*
*
* @param subjectName name of the Subject as defined at the realm
* @param stm <code>SubjectTypeManager<code> of the realm.
* You have to pass the SubjectTypeManager of realm in which
* you would save the policy. Trying to save the policy at
* a different realm would throw PolicyException.
*
* @exception NameAlreadyExistsException if a Subject with the given name
* already exists in the policy
* @exception InvalidNameException if the subject name is invalid
* or the subject is not found at the realm
* @exception SSOException if the SSO token is invalid
* @exception PolicyException if the subject could not be added
* for any other reason
*
* @supported.api
*
*/
boolean exclusive)
if (DEBUG.messageEnabled()) {
+ " realm subject " + subjectName
+ " , from realm : " + realmName
+ " , policy already has subject from different realm:"
+ subjectRealm);
}
}
if (subjectRealm == null) {
}
/**
* would result in NameNotFoundException if the subject does not exist
* we would propogate the exception without catching
*/
if (DEBUG.messageEnabled()) {
+ " realm subject " + subjectName
+ " , from realm : " + realmName);
}
}
/**
* Adds a new policy subject.
* The policy will apply to a user if he is a member of
* any normal (non exclusive) subject in the policy
* or not a member of any exclusive subject in the policy.
*
* @param name name of the Subject instance
* @param subject Subject object to be added to the policy
*
* @param exclusive boolean flag indicating whether the subject
* is to be exclusive subject. If subject is exclusive,
* policy applies to users who are not members of the
* subject. Otherwise, policy applies to members of the subject.
*
* @exception NameAlreadyExistsException if a Subject with the given name
* already exists
* @exception InvalidNameException if the subject name is invalid
*
* @supported.api
*
*/
}
/**
* Replaces an existing subject with the same name by the
* current one. If a subject with the same name does not exist,
* it will be added.
* The subject is replaced as a normal (non exclusive) subject.
* So, policy will apply to members of the subject.
* The policy will apply to a user if he is a member of
* any normal (non exclusive) subject subject in the policy
* or not a member of any exclusive subject subject in the policy.
*
* @param name name of the Subject instance
* @param subject Subject that will replace an existing Subject
* with the same name
*
* @exception NameNotFoundException if a Subject instance
* with the given name is not present
*
* @supported.api
*
*/
throws NameNotFoundException {
}
/**
* Replaces an existing subject with the same name by the
* current one. If a subject with the same name does not exist,
* it will be added.
* The policy will apply to a user if he is a member of
* any normal (non exclusive) subject in the policy
* or not a member of any exclusive subject in the policy.
*
* @param name name of the Subject instance
* @param subject Subject that will replace an existing Subject
* with the same name
*
* @param exclusive boolean flag indicating whether the subject
* is to be exclusive subject. If subject is exclusive,
* policy applies to users who are not members of the
* subject. Otherwise, policy applies to members of the subject.
*
* @exception NameNotFoundException if a Subject instance
* with the given name is not present
*
* @supported.api
*
*/
throws NameNotFoundException {
}
/**
* Removes the subject with the given name.
*
* @param subjectName name of the Subject
*
* @return returns the Subject object being removed.
* if not present returns <code>null</code>
*
* @supported.api
*
*/
}
/**
* Removes the <code>Subject</code> object identified by
* object's <code>equals</code> method. If a Subject instance
* does not exist, the method will return silently.
*
* @param subject Subject object that
* will be removed from the user collection
*
* @supported.api
*
*/
if (subjectName != null) {
}
}
/**
* Checks if the subject is exclusive.
* If subject is exclusive, policy applies to users who are not members of
* the subject. Otherwise, policy applies to members of the subject.
* The policy will apply to a user if he is a member of
* any normal (non exclusive) subject in the policy
* or not a member of any exclusive subject in the policy.
*
* @param subjectName name of the subject
* @return <code>true</code> if the subject is exclusive, <code>false</code>
* otherwise.
* @exception NameNotFoundException if the subject with the given
* <code>subjectName</code> does not exist in the policy.
*
* @supported.api
*
*/
throws NameNotFoundException {
}
/**
* Checks if the subjectName is a reference to a Subject
* defined at the realm
*
* @param subjectName name of the subject
* @return <code>true</code> if the subject is a reference to a
* Subject defined at the realm, <code>false</code>
* otherwise.
* @exception NameNotFoundException if the subject with the given
* <code>subjectName</code> does not exist in the policy.
*
* @supported.api
*
*/
throws NameNotFoundException {
}
/**
* Returns a <code>Referrals</code> object that contains
* a set of <code>Referral</code> instances for whom the
* policy is applied.
*
* @return Referrals object of the policy
*/
return (referrals);
}
/**
* Get the <code>Set</code> of referral names associated with the policy.
*
* @return <code>Set</code> of referral names
*
* @supported.api
*
*/
public Set getReferralNames() {
return referrals.getReferralNames();
}
/**
* Gets the Referral object identified by name.
*
* @param referralName name of referral.
*
* @return <code>Referral</code> object
*
* @exception NameNotFoundException if a Referral with the given name
* does not exist
*
* @supported.api
*
*/
{
}
/**
* Adds a new policy referral.
*
* @param name name of the <code>Referral</code> instance
* @param referral <code>Referral</code> object to be added to the policy
*
* @exception NameAlreadyExistsException if a Referral with the given name
* already exists
* @exception InvalidNameException if the referral name is invalid
*
* @supported.api
*
*/
}
/**
* Replaces an existing referral with the same name by the
* current one. If a referral with the same name does not exist,
* it will be added.
*
* @param name name of the <code>Referral</code> instance
* @param referral <code>Referral</code> that will replace an existing
* Referral with the same name
*
* @exception NameNotFoundException if a Referral instance
* with the given name is not present
*
* @supported.api
*
*/
throws NameNotFoundException {
}
/**
* Removes the referral with the given name.
*
* @param referralName name of the <code>Referral</code>
*
* @return returns the <code>Referral</code> object being removed;
* if not present returns <code>null</code>
*
* @supported.api
*
*/
}
/**
* Removes the <code>Referral</code> object identified by
* object's <code>equals</code> method. If a Referral instance
* does not exist, the method will return silently.
*
* @param referral Referral object that will be removed
*
* @supported.api
*
*/
if (referralName != null) {
}
}
/**
* Returns a <code>Conditions</code> object that contains
* a set of <code>Condition</code> objects that apply
* to the policy
*
* @return <code>Conditions</code> object of the policy
*/
return (conditions);
}
/**
* Get the set of condition names associated with the policy.
*
* @return <code>Set</code> of condition names
*
* @supported.api
*
*/
public Set getConditionNames() {
return conditions.getConditionNames();
}
/**
* Gets the condition object identified by name.
*
* @param condition name of condition.
*
* @return <code>Condition</code> object.
*
* @exception NameNotFoundException if a Condition with the given name
* does not exist.
*
* @supported.api
*
*/
{
}
/**
* Adds a new policy condition.
*
* @param name name of the Condition instance
* @param condition Condition object to be added to the policy
*
* @exception NameAlreadyExistsException if a Condition with the given name
* already exists
* @exception InvalidNameException if the condition name is invalid
*
* @supported.api
*
*/
}
/**
* Replaces an existing condition with the same name by the
* current one. If a condition with the same name does not exist,
* it will be added.
*
* @param name name of the <code>Condition</code> instance
* @param condition <code>Condition</code> that will replace an
* existing Condition with the same name
*
* @exception NameNotFoundException if a Condition instance
* with the given name is not present
*
* @supported.api
*
*/
throws NameNotFoundException {
}
/**
* Removes the condition with the given name.
*
* @param condition name of the <code>Condition</code>
*
* @return returns the Condition object being removed;
* if not present returns <code>null</code>
*
* @supported.api
*
*/
}
/**
* Removes the <code>Condition</code> object identified by
* object's <code>equals</code> method. If a condition instance
* does not exist, the method will return silently.
*
* @param condition Condition object that will be removed
*
* @supported.api
*
*/
if (conditionName != null) {
}
}
/**
* Returns a <code>ResponseProviders</code> object that contains
* a set of <code>ResponseProvider</code> objects that apply
* to the policy
*
* @return <code>ResponseProviders</code> object found in the policy
*/
return (respProviders);
}
/**
* Get a <code>Set</code> of <code>String</code> objects representing
* the responseProvider names associated with the policy.
*
* @return <code>Set</code> of responseProvider names
*
*
*/
public Set getResponseProviderNames() {
return respProviders.getResponseProviderNames();
}
/**
* Gets the <code>ResponseProvider</code> object identified by name.
*
* @param respProvider name of <code>ResponseProvider</code>.
*
* @return <code>ResponseProvider</code> object.
*
* @exception NameNotFoundException if a ResponseProvider with the given
* name does not exist.
*
*
*/
throws NameNotFoundException {
}
/**
* Adds a new <code>ResponseProvider</code> to the policy.
*
* @param name name of the <code>ResponseProvider</code> instance
* @param respProvider <code>ResponseProvider</code> object to be added to
* the policy
*
* @exception NameAlreadyExistsException if a ResponseProvider with the
* given name already exists
* @exception InvalidNameException if the <code>respProvider</code>
* name is invalid
*
*
*/
throws NameAlreadyExistsException {
}
/**
* Replaces an existing <code>ResponseProvider</code> with the same name
* by the current one. If a respProvider with the same name does not exist,
* it will be added.
*
* @param name name of the ResponseProvider instance
* @param respProvider ResponseProvider that will replace an existing
* ResponseProvider with the same name
*
* @exception NameNotFoundException if a ResponseProvider instance
* with the given name is not present.
*
*
*/
}
/**
* Removes the <code>ResponseProvider</code> with the given name.
*
* @param respProvider name of the ResponseProvider
*
* @return returns the ResponseProvider object being removed;
* if not present returns null.
*
*
*/
}
/**
* Removes the <code>ResponseProvider</code> object.
* If a respProvider instance does not exist, the method will
* return silently.
*
* @param respProvider ResponseProvider object that
* will be removed
*
*
*/
if (respProviderName != null) {
}
}
/**
* Stores the policy object in a persistent data store
* under the organization, sub-organization or a container
* object, specified as a parameter. The organization,
* sub-organization, or the container can be either
* a LDAP distinguished name (<code>dn</code>) or slash "/" separated
* as per SMS. This method
* uses the <code>SSOToken</code> provided to perform the store
* operation, and hence if the single sign token has expired
* <code>SSOException</code> will be thrown, and if the
* user does not have the required privileges
* <code>NoPermissionException</code> exception will be thrown.
* <p>
* If a policy with the same name exists for the organization
* the method will throw <code>NameAlreadyExistsException</code>.
* And if the organization name does not exist, the method
* will throw <code>NameNotFoundException</code>.
*
* @param token SSO token of the user managing policy
* @param name name of the organization, sub-organization or
* a container in which the policy will be stored.
*
* @exception SSOException invalid or expired single-sign-on token
* @exception NoPermissionException user does not have sufficient
* privileges to add policy
*
* @exception NameAlreadyExistsException a policy with the same
* name already exists
*
* @exception NameNotFoundException the given organization name
* does not exist
*
* @exception PolicyException for any other abnormal condition
*
* @supported.api
*
*/
}
/**
* Checks if two policy objects are equal.
* This method does not check the policy name and description
* for equality.
*
* @param obj object againt which the policy object
* will be checked for equality
*
* @return <code>true</code> if policies are equal,
* <code>false</code> otherwise.
*/
return (true);
}
}
return (false);
}
/**
* Creates and returns a copy of this object. The returned
* <code>Policy</code> object will have the same policy
* name, rules, subjects, referrals and conditions
* such that <code>x.clone().equals(x)</code> will be
* <code>true</code>. However <code>x.clone()</code>
* will not be the same as <code>x</code>, i.e.,
* <code>x.clone() != x</code>.
*
* @return a copy of this object
*/
try {
} catch (CloneNotSupportedException se) {
}
// Copy state variables
// Copy rules
}
// Copy subjects
// Copy referrals
// Copy responseProviders
// Copy conditions
return (answer);
}
/**
* Returns the serialized policy in XML
* @return serialized policy in XML
*
* @supported.api
*
*/
return toXML(true);
}
if (withHeader) {
}
}
.append("=\"")
}
.append("=\"")
}
if (creationDate > 0) {
.append("=\"")
}
if (lastModifiedDate > 0) {
.append("=\"")
}
try {
} catch (Exception e) {
// Ignore the exception
}
}
if (!this.referralPolicy) {
// Add the users
}
// Add the conditions
}
// Add the responseProviders
}
} else {
// Add the referrals
}
}
}
/**
* Gets string representation of the policy object.
*
* @return XML string representation of the policy object
*
* @supported.api
*/
return (toXML());
}
/**
* Checks for the char <code>c</code> in the String
* @param name String in which the character needs to be checked for.
* @param c <code>char</code> which needs to be checked.
* @exception InvalidNameException if <code>c</code> does not occur
* anywhere in <code>name</code>.
*/
throws InvalidNameException {
}
}
/**
* Gets policy decision
* @param token sso token identifying the user for who the policy has to
* be evaluated.
* @param resourceTypeName resourceType name
* @param resourceName resourceName
* @param actionNames a set of action names for which policy results
* are to be evaluated. Each element of the set should be a
* String
* @param envParameters a <code>Map</code> of environment parameters
* Each key of the <code>Map</code> is a String valued parameter name
* Each value of the map is a <code>Set</code> of String values
* @return a <code>PolicyDecision</code>
* @exception NameNotFoundException if the action name or resource name
* is not found
* @exception SSOException if token is invalid
* @exception PolicyException for any other exception condition
*/
{
/**
* get the evaluation order that is likely to be least expensive
* in terms of cpu.
*/
} else {
}
if (DEBUG.messageEnabled()) {
+ " is Using Policy evaluation order :" + evaluationOrder);
}
//process referrals irrespective subjects and conditions
if (referralDecision != null) {
}
if (DEBUG.messageEnabled()) {
new StringBuffer("at Policy.getPolicyDecision()")
.append(" after processing referrals only:")
.append(" principal, resource name, action names,")
.append(" policyName, referralResults = ")
}
} else if (evaluationOrder == SUBJECTS_CONDITIONS_RULES) {
if (DEBUG.messageEnabled()) {
+ "SUBJECTS_CONDITIONS_RULES");
}
} else if (evaluationOrder == CONDITIONS_SUBJECTS_RULES) {
if (DEBUG.messageEnabled()) {
+ "CONDITIONS_SUBJECTS_RULES");
}
} else if (evaluationOrder == RULES_SUBJECTS_CONDITIONS) {
if (DEBUG.messageEnabled()) {
+ "RULES_SUBJECTS_CONDITIONS");
}
} else if (evaluationOrder == RULES_CONDITIONS_SUBJECTS) {
if (DEBUG.messageEnabled()) {
+ "RULES_CONDITIONS_SUBJECTS");
}
} else if (evaluationOrder == SUBJECTS_RULES_CONDITIONS) {
if (DEBUG.messageEnabled()) {
+ "SUBJECTS_RULES_CONDITIONS");
}
} else if (evaluationOrder == CONDITIONS_RULES_SUBJECTS) {
if (DEBUG.messageEnabled()) {
+ "CONDITIONS_RULES_SUBJECTS");
}
} else { //default:RULES_CONDITIONS_SUBJECTS
if (DEBUG.messageEnabled()) {
+ "RULES_CONDITIONS_SUBJECTS");
}
}
if (DEBUG.messageEnabled()) {
new StringBuffer("at Policy.getPolicyDecision()")
.append(" principal, resource name, action names,")
.append(" policyName, policyDecision = ")
}
{
!actionDecisions.isEmpty()) {
{ // put the response Attrs in the PolicyDecision
break;/**
* even if one action Value found, set the
* resp attributes
*/
}
}
}
}
return policyDecision;
}
/** Gets matched rule results given resource type, resource name and
* action names
* @param resourceType resource type(<code>ServiceType</code> of resource
* @param resourceName resource name for which to get action values
* @param actionNames action names for which to get values
* @return <code>Map</code> of action values keyed by action names
* @exception NameNotFoundException
*/
//Process rules
while (ruleIterator.hasNext()) {
}
try {
} catch(InvalidNameException e) {
"can not find action schmea for action = "
+ action, e );
}
actionSyntax)) {
}
}
}
// Add to cache
}
return cloneRuleResults(answer);
}
/**Gets resource names that are exact matches, sub resources or
* wild card matches of argument resource name.
* To determine whether to include a
* resource name of a resource, we compare argument resource name and
* policy resource name, treating wild characters in the policy
* resource name as wild. If the comparsion resulted in EXACT_MATCH,
* WILD_CARD_MATCH or SUB_RESOURCE_MATCH, the resource result would be
* included.
*
* @param token sso token
* @param serviceTypeName service type name
* @param resourceName resource name
* @param followReferrals indicates whether to follow the referrals to
* compute the resources
* @return resource names that match to be exact match, sub
* resource match or wild card match of the argument
* resourceName
*
* @exception PolicyException
* @exception SSOException
*
* @see ResourceMatch#EXACT_MATCH
* @see ResourceMatch#SUB_RESOURCE_MATCH
* @see ResourceMatch#WILDCARD_MATCH
*
*/
throws PolicyException, SSOException {
while (ruleIterator.hasNext()) {
ruleResource, true); // interpret wild char
}
if ( DEBUG.messageEnabled() ) {
}
}
}
}
if ( DEBUG.messageEnabled() ) {
}
return resourceNames;
}
/** Gets the resource names of a given serviceType managed by this
* policy.
* @param serviceTypeName name of service type for which to
* find resource names
* @return a set of resource names of serviceTypeName managed
* by this policy
* @exception SSOException
* @exception NameNotFoundException
*/
while (ruleIterator.hasNext()) {
}
}
return resourceNames;
}
// public String getServiceTypeName() {
/* com.iplanet.am.admin.cli uses this method.
* Need to clean up cli not to use this
* method. Without this method build breaks - 03/05/02 */
// return null;
// }
/**
* Gets organizations referred to in this policy by OrgReferral(s)
* defined in this policy.
*
* @return names of organization (DNs) of organizations referred
* to in this policy via <code>OrgReferral</code>(s) defined in
* this policy.
* Please note that <code>PeerOrgReferral</code> and
* <code>SubOrgReferral</code> extend <code>OrgReferral</code>
* and hence qualify as OrgReferral.
* @exception PolicyException
*/
while ( referralNames.hasNext() ) {
if ( referral instanceof OrgReferral ) {
}
}
}
return referredToOrgs;
}
/** Sets time to live for Subjects result.
* @param ttl time to live for Subjects result
*/
void setSubjectsResultTtl(long ttl) {
}
/**
* validates the String <code>name</code>.
* @param name String to be validated.
* @exception throws InvalidNameException is name is null or
* does contain invalid character "/".
*/
}
}
/** Gets policy decision computing Subjects, Conditions and Rules
* in this order. Referrals in the policy are ignored.
*
* @param token sso token identifying the user for who the policy has to
* be evaluated.
* @param resourceType service type
* @param resourceName resource name
* @param actionNames a set of action names for which policy results
* are to be evaluated. Each element of the set should be a
* String
* @param envParameters a map of environment parameters
* Each key of the map is a String valued parameter name
* Each value of the map is a set of String values
* @param policyDecision a collecting argument. Computed policy decisions
* in this method are merged to this policy decision
* @return computed and merged policy decision
* @exception NameNotFoundException if the action name or resource name
* is not found
* @exception SSOException if token is invalid
* @exception PolicyException for any other exception condition
*/
boolean resourceMatched = false;
boolean allowedByConditions = false;
boolean allowedBySubjects = false;
} else {
allowedBySubjects = true;
}
if (allowedBySubjects) { //subjects+
if ( conditionsTtl < timeToLive ) {
}
if (allowedByConditions) { //subjects+, conditions+
if (resourceMatched) { //subjects+,conditions+,resourceMatch+
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include values, no advices
*/
= new ActionDecision(resultActionName,
}
} else { // subjects+,conditions+,resourceMatch-
}
} else { //subjects+,conditions-
//ActionDecision to include advices only
if (!advicesFromConditions.isEmpty()) {
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include advices, no values
*/
= new ActionDecision(resultActionName,
}
} else {
}
}
} else { //subjects-
}
return policyDecision;
}
/** Gets policy decision computing Subjects, Rules and Conditions
* in this order. Referrals in the policy are ignored.
*
* @param token sso token identifying the user for who the policy has to
* be evaluated.
* @param resourceType service type
* @param resourceName resourceName
* @param actionNames a set of action names for which policy results
* are to be evaluated. Each element of the set should be a
* String
* @param envParameters a map of environment parameters
* Each key of the map is a String valued parameter name
* Each value of the map is a set of String values
* @param policyDecision a collecting argument. Computed policy decisions
* in this method are merged to this policy decision
* @return computed and merged policy decision
* @exception NameNotFoundException if the action name or resource name
* is not found
* @exception SSOException if token is invalid
* @exception PolicyException for any other exception condition
*/
boolean resourceMatched = false;
boolean allowedByConditions = false;
boolean allowedBySubjects = false;
} else {
allowedBySubjects = true;
}
if (allowedBySubjects) { //subjects+
if (resourceMatched) { //subjects+, resourceMatch+
if ( conditionsTtl < timeToLive ) {
}
if (allowedByConditions) {
//subjects+, resourceMatch+,conditions+
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include values, no advices
*/
= new ActionDecision(resultActionName,
}
} else { //subjects+, resourceMatch+,conditions-
if (!advicesFromConditions.isEmpty()) {
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include advices, no values
*/
= new ActionDecision(resultActionName,
}
} else {
}
}
} else { //subjects+,resourceMatch-
}
} else { //subjects-
}
return policyDecision;
}
/** Gets policy decision computing Conditions, Subject and Rules
* in this order. Referrals in the policy are ignored.
*
* @param token sso token identifying the user for who the policy has to
* be evaluated.
* @param resourceType service type
* @param resourceName resourceName
* @param actionNames a set of action names for which policy results
* are to be evaluated. Each element of the set should be a
* String
* @param envParameters a map of environment parameters
* Each key of the map is a String valued parameter name
* Each value of the map is a set of String values
* @param policyDecision a collecting arugment. Computed policy decisions
* in this method are merged to this policy decision
* @return computed and merged policy decision
* @exception NameNotFoundException if the action name or resource name
* is not found
* @exception SSOException if token is invalid
* @exception PolicyException for any other exception condition
*/
boolean resourceMatched = false;
boolean allowedByConditions = false;
boolean allowedBySubjects = false;
if (allowedByConditions) { //conditions+
if (subjectsTtl < timeToLive) {
}
if (allowedBySubjects) { //conditions+, subjects+
if (resourceMatched) {
//conditions+, subjects+, resourceMatched+
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include values, no advices
*/
= new ActionDecision(resultActionName,
}
} else { //conditions+, subjects+, resourceMatched-
}
} else { //conditions+,subjects-
}
} else { //conditions-
boolean reportAdvices = false;
if (!advicesFromConditions.isEmpty()) {
if (subjectsTtl < timeToLive) {
}
}
if (reportAdvices) {
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include advices, no values
*/
= new ActionDecision(resultActionName,
}
} else { //no advices to report
}
}
return policyDecision;
}
/** Gets policy decision computing Conditions, Rules and Subjects
* in this order. Referrals in the policy are ignored.
*
* @param token sso token identifying the user for who the policy has to
* be evaluated.
* @param resourceType service type
* @param resourceName resourceName
* @param actionNames a set of action names for which policy results
* are to be evaluated. Each element of the set should be a
* String
* @param envParameters a map of environment parameters
* Each key of the map is a String valued parameter name
* Each value of the map is a set of String values
* @param policyDecision a collecting arugment. Computed policy decisions
* in this method are merged to this policy decision
* @return computed and merged policy decision
* @exception NameNotFoundException if the action name or resource name
* is not found
* @exception SSOException if token is invalid
* @exception PolicyException for any other exception condition
*/
boolean resourceMatched = false;
boolean allowedByConditions = false;
boolean allowedBySubjects = false;
if (allowedByConditions) { //conditions+
if (resourceMatched) { ///conditions+, resourceMatched+
if (subjectsTtl < timeToLive) {
}
if (allowedBySubjects) {
//conditions+, resourceMatched+, subjects+
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include values, no advices
*/
= new ActionDecision(resultActionName,
}
} else { //conditions+, resourceMatched+, subjects-
}
} else { //conditions+, resourceMatched-
}
} else { //conditions-
boolean reportAdvices = false;
if (!advicesFromConditions.isEmpty()) {
if (subjectsTtl < timeToLive) {
}
}
if (reportAdvices) {
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include advices, no values
*/
= new ActionDecision(resultActionName,
}
} else { //no advices to report
}
}
return policyDecision;
}
/** Gets policy decision computing Rules, Subjects and Conditions
* in this order. Referrals in the policy are ignored.
*
* @param token sso token identifying the user for who the policy has to
* be evaluated.
* @param resourceType service type
* @param resourceName resourceName
* @param actionNames a set of action names for which policy results
* are to be evaluated. Each element of the set should be a
* String
* @param envParameters a map of environment parameters
* Each key of the map is a String valued parameter name
* Each value of the map is a set of String values
* @param policyDecision a collecting arugment. Computed policy decisions
* in this method are merged to this policy decision
* @return computed and merged policy decision
* @exception NameNotFoundException if the action name or resource name
* is not found
* @exception SSOException if token is invalid
* @exception PolicyException for any other exception condition
*/
boolean resourceMatched = false;
boolean allowedByConditions = false;
boolean allowedBySubjects = false;
if (resourceMatched) { //resourceMatched+
if (allowedBySubjects) { //resourceMatched+, subjects+
if (conditionsTtl < timeToLive) {
}
if (allowedByConditions) {
//resourceMatched+, subjects+, conditions+
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include values, no advices
*/
= new ActionDecision(resultActionName,
}
} else { //resourceMatched+, subjects+, conditions-
if (!advicesFromConditions.isEmpty()) {
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include advices, no values
*/
= new ActionDecision(resultActionName,
}
} else {
}
}
} else { //resourceMatched+, subjects-
}
} else { //resourceMached-
}
return policyDecision;
}
/** Gets policy decision computing Rules, Conditions and Subjects
* in this order. Referrals in the policy are ignored.
*
* @param token sso token identifying the user for who the policy has to
* be evaluated.
* @param resourceType service type
* @param resourceName resourceName
* @param actionNames a set of action names for which policy results
* are to be evaluated. Each element of the set should be a
* String
* @param envParameters a map of environment parameters
* Each key of the map is a String valued parameter name
* Each value of the map is a set of String values
* @param policyDecision a collecting argument. Computed policy decisions
* in this method are merged to this policy decision
* @return computed and merged policy decision
* @exception NameNotFoundException if the action name or resource name
* is not found
* @exception SSOException if token is invalid
* @exception PolicyException for any other exception condition
*/
boolean resourceMatched = false;
boolean allowedByConditions = false;
boolean allowedBySubjects = false;
if (resourceMatched) { //resourceMatch+
if (allowedByConditions) { //resourceMatch+, conditions+
if (subjectsTtl < timeToLive) {
}
if (allowedBySubjects) {
//resourceMatch+, conditions+, subjects+
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include values, no advices
*/
= new ActionDecision(resultActionName,
}
} else { //resourceMatch+, conditions+, subjects-
}
} else { //resourceMatch+, conditions-
boolean reportAdvices = false;
if (!advicesFromConditions.isEmpty()) {
if (subjectsTtl < timeToLive) {
}
}
if (reportAdvices) {
while ( resultActionNames.hasNext() ) {
/* ActionDecision to include advices, no values
*/
= new ActionDecision(resultActionName,
}
} else { //no advices to report
}
}
} else { //resourceMatch-
}
return policyDecision;
}
/** Gets evaluation order of Subjects, Rules and Conditions for this policy
* that is likely to be least expensive in terms of cpu.
*
* @return int representing preferred evaluation order for this policy
*/
//treat subject weight as 0, if sub result is in cache
}
return evaluationOrder;
}
/** Initializes global values of evaluation weight
* per Subject, per Condition and per Rule element
* of the policies by reading value of property
* <code>EVALUATION_WEIGHTS_KEY</code> from AMConfig.properties.
* If the value is not defined in AMConfig.properties, the value defaults
* to <code>DEFAULT_EVALUATION_WEIGHTS</code>.
* @see #DEFAULT_EVALUATION_WEIGHTS
*/
private static void initializeStaticEvaluationWeights() {
if ( tokenCount != 3) {
"Policy.initializeStaticEvaluationWeights:"
+ " invalid evaulationWeights defined, "
+ " defaulting to " + DEFAULT_EVALUATION_WEIGHTS);
}
} else {
try {
} catch (NumberFormatException nfe) {
"Policy.initializeStaticEvaluationWeights:"
+ " invalid subjectWeight defined, defaulting to 0");
}
subjectWeight = 0;
}
try {
} catch (NumberFormatException nfe) {
"Policy.initializeStaticEvaluationWeights:"
+ " invalid ruleWeight defined, defaulting to 0");
}
ruleWeight = 0;
}
try {
} catch (NumberFormatException nfe) {
"Policy.initializeStaticEvaluationWeights:"
+ " invalid conditionWeight defined, defaulting to 0");
}
conditionWeight = 0;
}
}
}
/** Initializes evaluation weights for
* Subjects, Conditions and rules of this policy object.
*/
void initializeEvaluationWeights() {
}
/**
* Checks whether the policy is applicable to user identified by sso token
* @return <code>true</code> if the policy is applicable to the user
* identified by sso token, else <code>false</code>
*/
throws PolicyException, SSOException
{
}
}
}
return clonedResults;
}
/*
* We track the subject realm when a realm subject is added to the policy.
* We use this information to enforce that a policy has
* realm subjects only from one realm. We also use this information
* to enforce that policy is not saved into a different realm.
*/
return subjectRealm;
}
/**
* Clears the cached membership evaluation results corresponding
* to the <code>tokenIdString</code>. This is triggered through
* <code>PolicySSOTokenListener</code> and <code>PolicyCache</code>
* when session property
* of a logged in user is changed
*
* @param tokenIdString sessionId of the user whose session property changed
*/
if (DEBUG.messageEnabled()) {
+ " clearing cached subject evaluation result for "
+ " tokenId XXXXX");
}
}
/**
* Returns creation date.
*
* @return creation date.
*/
public long getCreationDate() {
return creationDate;
}
/**
* Sets the creation date.
*
* @param creationDate creation date.
*/
public void setCreationDate(long creationDate) {
this.creationDate = creationDate;
}
/**
* Returns last modified date.
*
* @return last modified date.
*/
public long getLastModifiedDate() {
return lastModifiedDate;
}
/**
* Sets the last modified date.
*
* @param lastModifiedDate last modified date.
*/
public void setLastModifiedDate(long lastModifiedDate) {
this.lastModifiedDate = lastModifiedDate;
}
/**
* Returns the user ID who last modified the policy.
*
* @return user ID who last modified the policy.
*/
public String getLastModifiedBy() {
return lastModifiedBy;
}
/**
* Sets the user ID who last modified the policy.
*
* @param lastModifiedBy user ID who last modified the policy.
*/
this.lastModifiedBy = lastModifiedBy;
}
/**
* Returns the user ID who created the policy.
*
* @return user ID who created the policy.
*/
public String getCreatedBy() {
return createdBy;
}
/**
* Sets the user ID who created the policy.
*
* @param createdBy user ID who created the policy.
*/
}
}