PolicyDecisionUtils.java revision 9644fbf8b87fe880e0ad41affe1a687fef2772dc
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: PolicyDecisionUtils.java,v 1.3 2009/06/19 20:39:09 qcheng Exp $
*
* Portions Copyrighted 2011-2015 ForgeRock AS.
*/
/**
* This class provides policy utility methods used by the authentication
* service for Resource/IP/Environment based authentication.
*/
public class PolicyDecisionUtils {
// NOTE(review): this listing is incomplete. Method signatures and many
// statements are missing (for example the orphaned "p);" fragments below), so
// the comments added here describe only what the visible lines show.
private static final String WEB_AGENT_SERVICE_NAME =
"iPlanetAMWebAgentService";
// Public constant holding the advice name "AuthRedirectionConditionAdvice".
public static final String AUTH_REDIRECTION_ADVICE =
"AuthRedirectionConditionAdvice";
// Shared evaluator; its assignment is not visible in this listing
// (presumably made in the static initializer below - confirm).
private static ProxyPolicyEvaluator pe;
static {
try {
} catch (PolicyException p) {
p);
// Keep the failure text; errorMsg is used further down as the message of the
// PolicyException thrown where the action decisions are read.
errorMsg = p.getMessage();
} catch (SSOException ssoe) {
ssoe);
// NOTE(review): this branch does not assign errorMsg in the visible lines, so
// a later "throw new PolicyException(errorMsg)" may carry no useful message
// after an SSO failure - confirm.
}
}
/**
* Performs Resource/IP/Environment based authentication. This method
* is used by the auth login viewbean.
* @param resourceUrl Resource URL for policy evaluation.
* @param realm The realm which is used in authentication.
* @param envParameters Environment map for policy evaluation.
* Keys of the map are Strings, values of the map are Sets of Strings.
* @throws PolicyException if a policy processing error occurs.
* @return a list which may be empty or contain one or two values.
* If the returned List size is two, the first value is an instance of
* <code>AuthContext.IndexType</code>, the second value is a String which
* indicates the value of the <code>AuthContext.IndexType</code>.
* If the returned List size is one, the value is a String which indicates
* the redirection URL (this is the redirection advice case).
* If the returned List is empty, it means that there is no policy advice for
* the resource to be accessed.
*
*/
// A null resourceUrl takes the else branch and yields the empty list, i.e. the
// "no policy advice" result described above.
if (resourceUrl != null) {
} else {
return Collections.EMPTY_LIST;
}
}
// Returns the ActionDecision held in "ad". Both evaluator exceptions caught
// below are turned into a null return instead of being propagated; any logging
// of them is not visible in this listing.
private static ActionDecision getActionDecision(
try {
} catch (PolicyException e) {
return null;
} catch (SSOException ssoe) {
return null;
}
if (actionDecisions != null) {
}
}
} else {
// The condition guarding this branch is not visible; errorMsg is the text
// saved by the static initializer's PolicyException handler.
throw new PolicyException(errorMsg);
}
return ad;
}
/**
* Returns the matching policy advice. The method looks for the advice
* for the specified realm first; if none is found, it returns any one
* <code>ActionDecision</code>.
*/
// Problem in policy evaluation?
// NOTE(review): the empty list returned here is the same value the Javadoc
// above documents as "no policy advice", so a caller cannot tell an evaluation
// failure from a resource that has no advice. Confirm that continuing the
// login without resource-based advice is the intended outcome when evaluation
// fails, and that the failure is logged.
return Collections.EMPTY_LIST;
}
// Check if the resource is allowed
return Collections.EMPTY_LIST;
if (debug.messageEnabled()) {
}
// check if realm equals root suffix
realm = "/";
}
// convert DN to realm
}
// TBD : may want to handle composite advice later??
} else if (findAdviceValue(advices,
} else if (findAdviceValue(advices,
} else if (findAdviceValue(advices,
} else {
// there is no advice for this specific realm, just pick any one.
// That advice will be for a different realm
}
}
return answer;
} else {
// case without advices
return Collections.EMPTY_LIST;
}
}
// find the first advice which matches the given advice type and realm
if (debug.messageEnabled()) {
}
// value contains two parts : <realm>:<value>, e.g. /realm:4
// realm present, remove the string before ":" from the
// advice to get the actual value
if (col != -1) {
// This requires authentication at a different realm,
// but we can't change realm once authentication
// started, so ignore this advice
continue;
}
// ":" exists in the value
} else {
// ":" is the last character, error advice case, ignore
continue;
}
} else {
// no realm parameter
}
} else {
// no realm parameter
}
// found first match, out of the loop
break;
}
}
if (debug.messageEnabled()) {
}
// true/false tells the caller whether a matching advice value was found; the
// tested condition is not visible in this listing.
return true;
} else {
return false;
}
}
/**
* Returns one advice from the advices as a redirection URL used for
* authentication, or null if no valid advice is found.
*/
return null;
}
// loop through all advices to find the first recognised advice type
boolean found = false;
// this is authenticate to realm
found = true;
break;
found = true;
break;
found = true;
break;
} else if (AuthenticateToServiceCondition.
found = true;
break;
} else if (AuthSchemeCondition.AUTH_SCHEME_CONDITION_ADVICE.
equals(adviceType)) {
found = true;
break;
} else if (AuthLevelCondition.AUTH_LEVEL_CONDITION_ADVICE.
equals(adviceType)) {
found = true;
break;
}
}
if (!found) {
// no matching advice type found
return null;
}
// value contains one or two parts : <realm>[:<value>], e.g. /realm:4
// The advice value is written to the debug log when message level is enabled.
if (debug.messageEnabled()) {
", indexName=" + value);
}
return null;
}
// The redirection URL starts from the deployment descriptor system property;
// the parts appended to it are not visible in this listing.
// NOTE(review): presumably the realm and advice value parsed above are
// appended as query parameters - confirm they are URL-encoded before being
// added, since they come from policy advice strings.
StringBuilder sb = new StringBuilder(SystemProperties.get(Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR));
} else {
}
} else {
return null;
}
}
}