PolicyRequestHandler.java revision be367fb48c4c5a05214aab48aea9f09703b63a97
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: PolicyRequestHandler.java,v 1.8 2008/12/04 00:38:52 dillidorai Exp $
*
*/
/*
* Portions Copyrighted 2010-2015 ForgeRock AS
*/
/**
* The <code>PolicyRequestHandler</code> class handles the policy
* related service requests sent by the Policy Enforcers.
* Currently it supports two types of requests. One is PolicyRequest
* which requests for the policy evaluation decisions, the other is
* AddPolicyListener which adds a policy listener to a service to
* receive policy notifications which include policy change
* notification and subject change notification.
*/
public class PolicyRequestHandler implements RequestHandler {
private static final String EVALUATION_REALM = "org.forgerock.openam.agents.config.policy.evaluation.realm";
private static final String EVALUATION_APPLICATION = "org.forgerock.openam.agents.config.policy.evaluation.application";
// serviceName: PolicyEvaluator
/*
* Cache to keep the policy change listener registration info
* notificationUrl: PolicyListenerRequest
*/
// PolicyService revision number
/**
* Process the requests aÎnd return the responses.
*
* @param requests Requests specified in the policy request
* @return the set of the response
*/
) {
try {
} catch (PolicyEvaluationException pe) {
if (debug.messageEnabled()) {
+ " caught PolicyEvaluationException:",
pe);
}
try {
} catch (PolicyEvaluationException pee) {
+ " can not get service revision number, "
+ ",revision defaulting to :"
pee);
}
}
}
}
return resSet;
}
/**
* Processes a request and return its corresponding response.
*
* @param req the request.
* @param auditor the auditor helper
* @return the corresponding response.
*/
throws PolicyEvaluationException {
if (debug.messageEnabled()) {
content);
}
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
}
/**
* Processes a policy service request and return a policy service
* response.
*
* @param psReq a policy service request.
* @param auditor the auditor helper
* @return its corresponding policy service response.
*/
throws PolicyEvaluationException {
+ "processPolicyServiceRequest(): "
+ " null psReq");
}
// This is a PolicyRequest request
+ "processPolicyServiceRequest(): "
+ " null policyRequest");
}
psRes = new PolicyService();
return psRes;
}
// The method is not valid for a request
"invalid policy request type");
}
/**
* Processes a policy request and return a policy response.
*
* @param req a policy request
* @return its corresponding policy response
*/
throws PolicyEvaluationException
{
if (debug.messageEnabled()) {
}
try {
} catch (PolicyException pe) {
if (debug.warningEnabled()) {
}
throw new PolicyEvaluationException(
}
// set the app token into the ThreadLocal
if (req.getMethodID() ==
if (addListener) {
} else {
"failed.add.policy.listener", objs);
}
return policyRes;
}
if (req.getMethodID() ==
if (removeListener) {
} else {
"failed.remove.policy.listener", objs );
}
return policyRes;
}
if (req.getMethodID() ==
if (debug.messageEnabled()) {
+ " advicesHandleableByAM");
}
try {
} catch (PolicyException pe) {
if (debug.warningEnabled()) {
+ " advicesHandleableByAM", pe);
}
}
if (debug.messageEnabled()) {
+ " advicesHandleableByAM policy response");
}
return policyRes;
}
if (req.getMethodID() ==
// Get the user's SSO token id string from the request
if ((userSSOTokenIDStr != null) &&
) {
try {
} catch (PolicyException pe) {
if (debug.warningEnabled()) {
"PolicyRequestHandler: Invalid user sso token, " +
}
}
}
// check if the request contains user response attributes
if (debug.messageEnabled()) {
"PolicyRequestHandler.processPolicyRequest(): "
+ "respAttrs=\n"
+ respAttrs);
}
// get the response decisions wrt the attributes
}
// Get the service name and resource name of the request
// Get the resource scope of the request
if ((resourceScope != null)
&& resourceScope.equals(
// need not to evaluate policies, do attributes only
resourceName, new PolicyDecision());
} else {
// Get the environment parameters of the request
try {
} catch (PolicyException pe) {
"PolicyRequestHandler: Invalid env parameters", pe);
}
try {
// Get an instance of the policy evaluator
// Get the resource result from the policy evaluator
resourceRst = new ResourceResults(
if (debug.messageEnabled()) {
"PolicyRequestHandler.processPolicyRequest():"
+ " resource result:\n"
+ resourceRst.toXML());
}
}
}
return policyRes;
}
}
/**
* Returns the response decisions based on the response attributes.
*
* @param token the user's SSO token
* @param attrs a set of response attributes
* @return a map which contains the response decisions.
*/
throws PolicyEvaluationException
{
return null;
}
try {
} catch (IdRepoException ie) {
"failed to get user attributes.", ie);
throw new PolicyEvaluationException(ie);
} catch (SSOException se) {
throw new PolicyEvaluationException(se);
}
return userAttrMap;
}
/*
* Register a policy change listener to the policy framework.
*/
if (policyListenerReq == null) {
"invalid policy listener request received");
return false;
}
if (debug.messageEnabled()) {
"policy listener for service " + serviceTypeName +
" has already been registered; the notification URL is " +
notiURL);
}
return true;
}
try {
// Get an instance of the policy evaluator
if (policyEvaluator != null) {
// add the policy listener to the policy framework
if (debug.messageEnabled()) {
"policy listener for service " + serviceTypeName +
" added");
}
}
} catch (PolicyException e) {
"failed to add policy change listener", e);
return false;
}
/* Temporarily used for testing notification receiving */
/*
try {
com.iplanet.services.comm.client.PLLClient.addNotificationHandler(
PolicyService.POLICY_SERVICE,
(new PolicyNotificationHandler()));
} catch (Exception e) {
if (debug.messageEnabled()) {
debug.message("PolicyRequestHandler: notification handler "
+"has already been registered");
}
}
*/
return true;
}
/*
* Remove a policy change listener from the policy framework.
*/
if (removeListenerReq == null) {
"invalid remove policy listener request received");
return false;
}
if (debug.messageEnabled()) {
"policy listener to be removed for service " +
" has not been registered yet; the notification URL is " +
notiURL);
}
return true;
}
if (policyListener == null) {
return true;
}
try {
// Get an instance of the policy evaluator
if (policyEvaluator != null) {
// remove the policy listener from the policy framework
if (debug.messageEnabled()) {
"policy listener for service " + serviceTypeName +
" removed");
}
}
} catch (PolicyException e) {
"failed to remove policy change listener", e);
return false;
}
return true;
}
/**
* Convert the environment parameters from sets to their proper
* data types and put back into the map
*/
throws PolicyException
{
return;
}
// convert REQUEST_IP from a set to a String
} else {
}
}
if (debug.messageEnabled()) {
}
if (reqTimeSet != null) {
if (!reqTimeSet.isEmpty()) {
} else {
}
}
if (debug.messageEnabled()) {
}
// convert REQUEST_TIME_ZONE from a set to a TimeZone
try {
if (reqTimeZoneSet != null) {
if (!reqTimeZoneSet.isEmpty()) {
} else {
}
}
if (debug.messageEnabled()) {
}
} catch (Exception e) {
"invalid_request_time_zone_in_request", null, e);
}
}
/**
* Provides an instance of a policy evaluator.
* <p/>
* It is understood that serviceName == serviceTypeName == applicationTypeName.
* <p/>
* First attempts to provide an evaluator based on a configured realm and application for the subject making
* the request. If the realm and application are present, then the application's type is retrieved and passed
* through as the serviceTypeName to the evaluator along with the realm and application name.
* <p/>
* If the application name does not exist then the logic falls back to the old behaviour whereby the
* applicationName is set to the serviceTypeName. This legacy behaviour assumes that an application exists with a
* name that maps to the passed serviceTypeName.
*
* @param appToken
* the SSO token of the requester
* @param serviceTypeName
* the service type name
*
* @return an policy evaluator
*
* @throws PolicyException
* should an error occur during the retrieval of an appropriate policy evaluator
*/
private PolicyEvaluator getPolicyEvaluator(
try {
@SuppressWarnings("unchecked")
final Application application = ApplicationManager.getApplication(appSubject, realm, applicationName);
if (application == null) {
throw new PolicyException(
null);
}
synchronized (policyEvaluators) {
}
}
}
} catch (IdRepoException idrE) {
} catch (SSOException ssoE) {
} catch (EntitlementException eE) {
}
}
/**
* Returns sso token based on the sso token id string.
*/
throws PolicyException
{
// Get the user's SSO token based on the token id string
try {
} catch (Exception e) {
"invalid_sso_token", null, e);
}
return token;
}
/**
* Returns policy service revision number
*/
synchronized String getPolicyServiceRevision()
throws PolicyEvaluationException {
if (policyServiceRevision == null) {
try {
} catch (SMSException e) {
+ "Unable to get policy service revision", e);
} catch (PolicyException e) {
+ "Unable to get policy service revision", e);
} catch (SSOException e) {
+ "Unable to get policy service revision", e);
}
}
return policyServiceRevision;
}
/* record stats for policyEvaluators, listenerRegistry */
+ " in cache : "
+ policyEvaluators.size());
}
}