/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: ISPermission.java,v 1.5 2008/08/19 19:09:17 veiming Exp $
*
* Portions Copyrighted 2015 ForgeRock AS.
*/
/**
* This class provides the support for JAAS Authorization service
* Its a new JAAS <code>Permission</code> which extends the
* {@link java.security.Permission} class. This is the only
* API which gets used by an application/container to evaluate policy against
* the OpenAM Policy framework. This class provides implementations
* of all the required abstract methods of <code>java.security.Permission</code>
* , in a way that the policy evaluation is made against the OpenAM
* Policy service.
* <p>
* For example, one would use this class as follows to evaluate policy
* permissions:
* <pre>
* ISPermission perm = new ISPermission("iPlanetAMWebAgentService",
* "http://www.example.com:80","GET");
* AccessController.checkPermission(perm);
* </pre>
* If OpenAM has the policy service
* <code>iPlanetAMWebAgentService</code> which has a <code>Rule</code> defined
* for resource <code>http://www.example.com:80</code>
* with action "GET" with allow privilege, this call will return quietly, if
* such a policy is not found then access is denied and Exception thrown
* accordingly. Also <code>ISPermission</code> co-exists with the
* permissions specified in the JDK policy store ( by default file <code>
* sun.security.provider.PolicyFile</code> or defined on the command line
* using the -D option.
*
* <p>
* @see java.security.Permission
* @see javax.security.auth.Subject
* @see java.security.ProtectionDomain
* <p>
*
* @supported.all.api
*/
/**
* Constructs an <code>ISPermission</code> instance, with the specified
* <code>ProtectionDomain</code>.
*
* @param pd <code>ProtectionDomain</code> for which this
* <code>ISPermission</code> is being created.
*/
super("ISPermission");
if (debug.messageEnabled()) {
+ "called ");
}
this.protectionDomain = pd;
}
/**
* Constructs an <code>ISPermission</code> instance, with the specified
* <code>Subject</code> and the <code>CodeSource</code>.
*
* @param subject <code>Subject</code> for which this
* <code>ISPermission</code> is being created.
* @param codesource <code>CodeSource</code> for which this permission is
* being created.
*/
super("ISPermission");
if (debug.messageEnabled()) {
+ "called ");
}
this.codesource = codesource;
}
/**
* Constructs an <code>ISPermission</code> instance, with the specified
* <code>CodeSource</code>.
*
* @param codesource <code>CodeSource</code> for which this permission is
* being created.
*/
super("ISPermission");
if (debug.messageEnabled()) {
+ "called ");
}
this.codesource = codesource;
}
/**
* Constructs an <code>ISPermission</code> instance, with the specified
* service name, resource name and action name.
* @param serviceName name of service for which this
* <code>ISPermission</code> is being created. This name needs to be
* one of the loaded services in the OpenAM's policy
* engine. example: <code>iPlanetAMWegAgentService</code>
*
* @param resourceName name of the resource for which this
* <code>ISPermission</code> is being defined.
*
* @param actions name of the action that needs to be checked for. It
* may be a <code>String</code> like "GET", "POST" in case of
* service name <code>iPlanetAMWebAgentService</code>.
*/
{
super("ISPermission");
this.serviceName = serviceName;
this.resourceName = resourceName;
}
/**
* Constructs an <code>ISPermission</code> instance, with the specified
* service name, resource name and action name.
* @param serviceName name of service for which this
* <code>ISPermission</code> is being created. This name needs to be
* one of the loaded policy services in the OpenSSO.
* example:
* <code>iPlanetAMWegAgentService</code>
*
* @param resourceName name of the resource for which this
* <code>ISPermission</code> is being defined.
*
* @param actions name of the action that needs to be checked for. It
* may be a <code>String</code> like "GET", "POST" in case of
* service name <code>iPlanetAMWebAgentService</code>.
* @param envParams a <code>java.util.Map</code> of environment parameters
* which are used by the
* <code>com.sun.identity.policy.client.PolicyEvaluator</code>
* to evaluate the <code>com.sun.identity.policy.Conditions</code>
* associated with the policy. This is a Map of attribute-value pairs
* representing the environment under which the policy needs to be
* evaluated.
*/
{
super("ISPermission");
this.serviceName = serviceName;
this.resourceName = resourceName;
}
/**
* returns the name of the service associated with this <code>ISPermission
* </code>.
* @return <code>String</code> representing the name of the service for this
* permission.
*/
return serviceName;
}
/**
* returns the name of the resource associated with this <code>ISPermission
* </code>.
* @return <code>String</code> representing the name of the resource for
* this permission.
*/
return resourceName;
}
/**
* returns environment parameters and their values associated with this
* <code>ISPermission</code>.
* @return <code>Map</code> representing the environment parameters of
* this permission. The <code>Map</code> consists of attribute
* value pairs.
*/
return envParams;
}
/**
* returns a comma separated list of actions associated with this
* <code>ISPermission</code>.
* @return a comma separated <code>String</code> representing the name
* of the action for this object. For example for:
* <pre>
* ISPermission isp = new ISPermission("iPlanetAMWebAgentService,
* "http://www.sun.com:80", "GET, POST");
* getActions() would return "GET,POST"
* </pre>
*/
if (debug.messageEnabled()) {
}
return actions;
}
/**
* Returns true if two comma separated strings are equal.
*
* @param actions1 actions string.
* @param actions2 actions string.
* @return true if two comma separated strings are equal.
*/
while (st.hasMoreTokens()) {
}
}
while (st.hasMoreTokens()) {
}
}
}
/**
* Returns a <code>Set</code> of actions for this Permission.
* @param actions comma separated actions string.
* @return set of actions in this permsision.
*
*/
} else {
return actionSet;
}
while (st.hasMoreTokens()) {
}
}
return actionSet;
}
/**
* returns the <code>Subject</code>associated with this <code>ISPermission
* </code>.
* @return <code>javax.security.auth.Subject</code> representing the
* subject of this permission.
*/
return subject;
}
/**
* returns the <code>CodeSource</code>associated with this
* <code>ISPermission</code>.
* @return <code>java.security.CodeSource</code> representing the
* <code>codesource</code> of this permission.
*/
return codesource;
}
/**
* returns the <code>ProtectionDomain</code>associated with this
* <code>ISPermission</code>.
* @return <code>java.security.ProtectionDomain</code> representing the
* <code>protectionDomain</code> of this permission.
*/
return protectionDomain;
}
/**
* Returns true if two <code>ISPermission</code> objects for equality.
*
* @param obj <code>ISPermission</code> object.
* @return true if subject, <code>codesource</code>, service name, resource
* name actions and environment parameters of both objects are
* equal.
*/
boolean result = true;
if (obj == this) {
if (debug.messageEnabled()) {
}
return true;
}
if (obj instanceof ISPermission) {
} else {
result = false; // subject is null, while this.subject is
// not null.
}
}
if (debug.messageEnabled()) {
}
if (result) {
if (codesource != null) {
if (debug.messageEnabled()) {
}
} else {
if (this.codesource != null) {
result = false;
}
}
}
if (result) {
if (protectionDomain != null) {
if (debug.messageEnabled()) {
}
} else {
if (this.protectionDomain != null) {
result = false;
}
}
}
if (result) {
if (serviceName != null) {
if (debug.messageEnabled()) {
}
} else {
if (this.serviceName != null) {
result = false;
}
}
}
if (result) {
if (resourceName != null) {
if (debug.messageEnabled()) {
}
} else {
if (this.resourceName != null) {
result = false;
}
}
}
if (result) {
if (debug.messageEnabled()) {
}
} else {
result = false;
}
}
}
if (result) {
if (debug.messageEnabled()) {
}
} else {
result = false;
}
}
}
}
if (debug.messageEnabled()) {
}
return result;
}
/**
* Returns the hash code value for this Permission object.
* <P>
* The required <code>hashCode</code> behavior for Permission Objects is
* the following: <p>
* <ul>
* <li>Whenever it is invoked on the same Permission object more than
* once during an execution of a Java application, the
* <code>hashCode</code> method
* must consistently return the same integer. This integer need not
* remain consistent from one execution of an application to another
* execution of the same application. <p>
* <li>If two Permission objects are equal according to the
* <code>equals</code>
* method, then calling the <code>hashCode</code> method on each of the
* two Permission objects must produce the same integer result.
* </ul>
*
* @return a hash code value for this object.
*/
public int hashCode() {
int hash = 0;
}
if (codesource != null) {
}
if (protectionDomain != null) {
}
if (serviceName != null) {
}
if (resourceName != null) {
}
}
}
if (debug.messageEnabled()) {
}
return hash;
}
/**
* Checks if the specified permission's actions are "implied by"
* this object's actions.
* <P>
* The <code>implies</code> method is used by the
* <code>AccessController</code> to determine whether or not a requested
* permission is implied by another permission that is known to be valid
* in the current execution context.
*
* @param perm the permission to check against.
*
* @return true if the specified permission is implied by this object,
* false if not. The check is made against the OpenAM's
* policy service to determine this evaluation.
*/
boolean allowed = false;
if (perm instanceof ISPermission) {
if (protectionDomain != null) {
if (debug.messageEnabled()) {
+protectionDomain.toString());
}
final String resourceName =
if (debug.messageEnabled()) {
+resourceName);
+serviceName);
}
try {
// principals should have only one entry
+"authentication.service.SSOTokenPrincipal")) {
if (debug.messageEnabled()) {
}
}
if (tokenPrincipal == null) {
if (debug.messageEnabled()) {
+ " Principal is null");
}
} else {
/* TODO currently ISPermission uses remote policy
client API so if this class gets used from server side
, will always make remote call, need to make changes
*/
if (policyEvalFactory == null) {
}
if (debug.messageEnabled()) {
+ "PolicyEvaluator for "+serviceName);
}
while (st.hasMoreTokens()) {
if (!allowed) {
break; // the final result is not allowwed
}
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
}
} else {
if (debug.messageEnabled()) {
}
}
}
} catch (SSOException ssoe ) {
if (debug.messageEnabled()) {
+ssoe.getMessage());
}
} catch (Exception e ) {
if (debug.messageEnabled()) {
+e.getMessage());
e.printStackTrace();
}
}
} else {
}
}
if (debug.messageEnabled()) {
}
return allowed;
}
/**
* Returns a <code>java.security.PermissionCollection</code> to store this
* kind of Permission.
*
* @return an instance of <code>ISPermissionCollection</code>
*/
return new ISPermissionCollection();
}
/**
* Returns a string describing this Permission.
* @return <code>String</code> containing information about this Permission.
*/
}
if (codesource != null) {
}
}
}
}
.append("\n");
}
}
}