SMSEntry.java revision b17299af8860b54c3cb17a5564f17acd11c76080
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: SMSEntry.java,v 1.53 2009/12/07 19:46:47 veiming Exp $
*
*/
/*
* Portions Copyrighted 2010-2014 ForgeRock AS.
*/
/**
* This object represents a SMS entry in datastore, similar to UMS's equivalent
* class called PersistentObject.
* <p>
* This class is used both to read and write information into the datastore.
*/
// Name of place holder nodes
// Debug instance & SSOTokenManager
public static SSOTokenManager tm;
// Variable for caching parse organization names
/**
* Flat File Configuration Data Store
*/
/**
* Sun Directory Server Configuration Data Store
*/
/**
* Active Directory Configuration Data Store
*/
static boolean cacheSMSEntries;
public static ResourceBundle bundle;
static String servicesDN;
static String amsdkbaseDN;
static int baseDNCount;
static SMSException initializationException;
// DataStore Implementation Object
static final String SMS_OBJECT_PROPERTY =
"com.sun.identity.sm.sms_object_class_name";
static final String DEFAULT_SMS_CLASS_NAME =
"com.sun.identity.sm.ldap.SMSLdapObject";
static final String JAXRPC_SMS_CLASS_NAME =
"com.sun.identity.sm.jaxrpc.SMSJAXRPCObject";
static final String FLATFILE_SMS_CLASS_NAME =
"com.sun.identity.sm.flatfile.SMSEnhancedFlatFileObject";
// Flag to enable LDAP's proxy support
public static final String DB_PROXY_ENABLE =
"com.sun.identity.sm.ldap.enableProxy";
// Variables for checking delegation permission
static final String AUTH_SUPER_USER =
"com.sun.identity.authentication.super.user";
/**
* Avoid loading the DelegationEvaluator unless needed to prevent exceptions in client-side code.
*/
static class DelegationEvaluatorHolder {
}
static boolean SMSJAXRPCObjectFlg;
static boolean backendProxyEnabled;
static SSOToken adminSSOToken;
// Notification handlers
static int LOCAL_CHANGES_MAX_SIZE = 25;
static {
// Initialize for checking delegation permissions
// initialize case sensitive attributes
// Resource bundle
}
public static void initializeClass() {
// Initialize the system properties
// Get an instance of SMSObject(can be SMSLDAP or SMSJAXRPC)
// after the properties for cache/resourcebundle/internal users
// are retrieved/initialized.
}
protected static void initializeProperties() {
// Check if backend has permission check enabled
if (debug.messageEnabled()) {
}
// Check if SMSEntries can be cached
cacheSMSEntries = true;
} else { // Global Property - set to false. Check component property
}
if (debug.messageEnabled()) {
}
// Initialize SSOTokenManager
try {
} catch (SSOException ex) {
// Ignore the exception, should not happen
}
// Cache internal users, only after SMSObject is initialized
.toLowerCase());
}
}
if (SystemProperties.isServerMode()) {
// Add adminDN from serverconfig.xml (available only on the server)
// to the specialUserSet
.toLowerCase());
}
}
if (debug.messageEnabled()) {
}
}
private static void initSMSObject() {
// If smsObject already present, shutdown first
}
// Create the SMSObject, based on the configuration
try {
SMSJAXRPCObjectFlg = true;
}
if (debug.messageEnabled()) {
}
} catch (ClassNotFoundException cfe) {
if (debug.warningEnabled()) {
}
"sms-init-no-class-found");
} catch (Exception e) {
if (debug.warningEnabled()) {
}
initializationException = new SMSException(e,
"sms-instantiation-failed");
}
// Check if smsObject is null
try {
if (debug.messageEnabled()) {
+ "implementation");
}
SMSJAXRPCObjectFlg = true;
if (debug.messageEnabled()) {
+ "implementation");
}
SMSJAXRPCObjectFlg = true;
if (debug.messageEnabled()) {
+ "implementation");
}
} else {
if (debug.messageEnabled()) {
+ "implementation");
}
}
+ "SMSObject", initializationException);
}
}
// Get the baseDN
} else {
baseDN = "o=unknown-suffix";
}
// Problem in getting base DN
} else {
}
// Get the amsdkbaseDN
if (SMSJAXRPCObjectFlg) {
boolean checkForJAXRPCVersion = false;
/*
* Check for the SMSObject (JAXRPC) version
* (which is 10 in AM 7.0 patch 5 and 11 in AM 7.1 patch1 & opensso)
* and determine whether to make calls for new APIs implemented
* in the latest AM server, but not in older version.
* This is to take care of the compatibility issue between
* latest web service APIs(SDK) on the server side and the old SDK
* Anytime we add new interfaces, we need to increment the
* version number SMSJAXRPCObject.java and handle the client
* accordingly.
*/
try {
/*
* This clientsdk change is only for AM server 7.1 RTM which
* for latest agents to work with it.
* The checkForJAXRPCVersion is set to
* true to use the newly introduced api on the server side.
*/
if (versionMap == null) {
checkForJAXRPCVersion = true;
} else {
/*
* Since getAMSdkBaseDN() got introduced in AM 7.1 &
* opensso, check the version for > 10.
*/
}
}
} catch (NumberFormatException nfe) {
} catch (SSOException ssoe) {
} catch (SMSException e) {
}
if (checkForJAXRPCVersion) {
} else {
}
} else {
}
} else {
amsdkbaseDN = "o=unknown-suffix";
}
if (amsdkbaseDN == null) {
// Problem in getting amsdk base DN
"sms-invalid-dn"), "sms-invalid-dn");
}
// If not client, add AdminToken DN to specialUser's set
if (!SMSJAXRPCObjectFlg) {
try {
} catch (SSOException e) {
}
// Initialize super user also
.toLowerCase());
}
}
}
/**
* Constructor for a persistent SMS object given an authenticated SSOToken
* and DN. The entry is read from the directory.
*/
if (initializationException != null)
throw (initializationException);
read();
}
/**
* Returns the read attributes
*/
public Map getAttributes() {
return (attrSet);
}
/**
* Returns the attribute values for the given attribute name. The values are
* returned from the cached attribute set. It is not read from the
* directory.
*/
return getAttributeValues(attrName, false);
}
if (ignoreCache || !cacheSMSEntries) {
try {
read();
} catch (SMSException e) {
// this should not happen
} catch (SSOException ssoe) {
// this should not happen
+ "in reading attrs: " + ssoe);
}
}
.size()]));
}
/**
* Adds the attribute value to the given attribute name. It is stored
* locally and is not written to the directory.
*/
attrSet = new CaseInsensitiveHashMap();
// Value is already present
if (debug.messageEnabled()) {
}
"sms-ATTR_OR_VAL_EXISTS"));
}
}
// Add the attribute to attrset
if (attrValues == null) {
attrValues = new HashSet();
}
// Check if the modification set exists, and add the attribute
}
}
/**
* Set the attribute values. <code>save()</code> must be called to make
* the changes persistant
*/
// Attribute Values to be Set and BasicAttribute
}
// Check if attrSet, modSet is present, if not create
// Check if the attribute exists, if not present add, else replace
// Not present: add it, update modset
} else {
// Remove old attrbute and add the new attribute, update modset
}
// Update attrset
}
/**
* Modify the attribute values. <code>save()</code> must be called to make
* the changes persistant. This does not affect the existing attributes
* already read.
*/
}
}
}
/**
* Set the attributes. <code>save()</code> must be called to make
* the changes persistant
*/
// Obtain attribute names and values and set them
}
}
}
}
/**
* Removes the attribute value from the attribute.
*
* @param attrName Name of attribute.
* @param value Value to be removed.
* @throws SMSException if value cannot be removed.
*/
throws SMSException {
"sms-ATTR_OR_VAL_EXISTS"));
}
// Update attr and attrSet --> will not be null
// Update modification set
}
}
/**
* Remove the attribute from the entry.
*/
"sms-ATTR_OR_VAL_EXISTS"));
}
}
}
/**
* Checks if the attribute value exists in the attribute
*/
}
}
return (false);
}
/**
* Reads in the object from persistent store, assuming that the guid and the
* principal are valid
*/
}
/**
* Reads in the object from persistent store using the given ssoToken
*/
// If backend has proxy enabled, check for delegation
// permissions and use admin token
if (backendProxyEnabled) {
if (adminSSOToken == null) {
.getInstance());
}
}
} else {
// Check for delegation permission throws exception if
// permission is denied
}
newEntry = true;
} else {
newEntry = false;
}
}
/**
* Save the modification(s) to the object. Save the changes made so far to
* the datastore.
*/
if (readOnly) {
if (debug.warningEnabled()) {
+ "is marked as read-only: " + dn);
}
"sms-INSUFFICIENT_ACCESS_RIGHTS"));
}
}
/**
* Save the modification(s) to the object. Save the changes made so far to
* the datastore using the given SSOToken
*/
// If backend has proxy enabled, check for delegation
// permissions and use admin token
if (backendProxyEnabled) {
if (adminSSOToken == null) {
.getInstance());
}
}
} else {
// Check for delegation permission throws exception if
// permission is denied
}
// send object change notification
// send object change notification
} else {
// %%% throw an exception, since nothing has changed
}
newEntry = false;
}
/**
* Delete the entry in the datastore. This will delete sub-entries also!
*/
if (readOnly) {
if (debug.warningEnabled()) {
+ "is marked as read-only: " + dn);
}
"sms-INSUFFICIENT_ACCESS_RIGHTS"));
}
}
/**
* Delete the entry in the datastore. This will delete sub-entries also!
*
* TODO: There is no way to set read-only to false, we should see what we can
* about this.
*/
}
/**
* Delete the entry in the directory. This will delete sub-entries also!
*/
if (!newEntry) {
// If backend has proxy enabled, check for delegation
// permissions and use admin token
if (backendProxyEnabled) {
if (adminSSOToken == null) {
.getInstance());
}
}
} else {
// Check for delegation permission throws exception if
// permission is denied
}
newEntry = true;
// send object change notification
} else {
if (debug.warningEnabled()) {
+ "does not exist: " + dn);
}
}
}
/**
* Returns the subOrgNames. Returns a set of suborganization names (rdns).
* The paramter <code>numOfEntries</code> identifies the number of entries
* to return, if <code>0</code> returns all the entries. The paramter
* <code>recursive</code> determines if to return one level of entries
* beneath the entryDN or all the entries till the leaf node.
*/
throws SMSException, SSOException {
// If backend has proxy enabled, check for delegation
// permissions and use admin token. Also if JAXRPC is used,
// permission is checked at the server.
if (backendProxyEnabled && !SMSJAXRPCObjectFlg) {
if (adminSSOToken == null) {
.getInstance());
}
}
} else if (!SMSJAXRPCObjectFlg) {
// Check for delegation permission throws exception if
// permission is denied
}
// Check for remote client using JAX-RPC
if (SMSJAXRPCObjectFlg) {
// Since this is a JAX-RPC call, the permission checking and
// parsing would be done at the server
return (resultSet);
}
// Server side. Check for read permissions
}
}
if (debug.messageEnabled()) {
+ "suborganization names for : " + dn);
}
return (answer);
}
// If backend has proxy enabled, check for delegation
// permissions and use admin token. If remote, permission
// check will be done at the server
if (backendProxyEnabled && !SMSJAXRPCObjectFlg) {
if (adminSSOToken == null) {
.getInstance());
}
}
} else if (!SMSJAXRPCObjectFlg) {
// Check for delegation permission throws exception if
// permission is denied
}
// Check for remote client using JAX-RPC
if (SMSJAXRPCObjectFlg) {
// Since this is a JAX-RPC call, the permission checking and
// parsing would be done at the server
return (subEntries);
}
// Need to check if the user has permissions before returning
}
}
return (answer);
}
throws SMSException, SSOException {
// If backend has proxy enabled, check for delegation
// permissions and use admin token. Also if JAXRPC is used,
// permission is checked at the server.
if (backendProxyEnabled && !SMSJAXRPCObjectFlg) {
if (adminSSOToken == null) {
.getInstance());
}
}
} else if (!SMSJAXRPCObjectFlg) {
// Check for delegation permission throws exception if
// permission is denied
}
// Check for remote client using JAX-RPC
if (SMSJAXRPCObjectFlg) {
// Since this is a JAX-RPC call, the permission checking and
// parsing would be done at the server
return (subEntries);
}
// Need to check if the user has permissions before returning
}
}
return (answer);
}
/**
* Returns the Orgnization Names. Returns a set of organization names. The
* paramter <code>numOfEntries</code> identifies the number of entries to
* return, if <code>0</code> returns all the entries. The paramter
* <code>recursive</code> determines if to return one level of entries
* beneath the entryDN or all the entries till the leaf node.
*/
// If backend has proxy enabled, check for delegation
// permissions and use admin token. Also if JAXRPC is used,
// permission is checked at the server.
if (backendProxyEnabled && !SMSJAXRPCObjectFlg) {
if (adminSSOToken == null) {
.getInstance());
}
}
} else if (!SMSJAXRPCObjectFlg) {
// Check for delegation permission throws exception if
// permission is denied
}
// Check for remote client using JAX-RPC
if (SMSJAXRPCObjectFlg) {
// Since this is a JAX-RPC call, the permission checking and
// parsing would be done at the server
return (resultSet);
}
// Check for read permissions
}
}
return allowedSet;
if (debug.messageEnabled()) {
+ "organization names for : " + dn);
}
return answer;
}
/**
* Returns the DNs that match the filter. The search is performed from the
* root suffix ie., DN. It searchs for SMS objects only.
*
* @param token Single-Sign On token.
* @param dn Base DN
* @param filter Search Filter.
* @param numOfEntries number of max entries, 0 means unlimited
* @param timeLimit maximum number of seconds for the search to spend, 0
* means unlimited
* @param sortResults <code>true</code> to have result sorted.
* @param ascendingOrder <code>true</code> to have result sorted in
* ascending order.
*/
boolean ascendingOrder) throws SMSException {
try {
} catch (SSOException ssoe) {
ssoe, "sms-error-in-searching");
}
}
/**
* Returns the DNs and its attribute values that match the filter. The
* search is performed from the root suffix ie., DN. It searchs for SMS
* objects only.
*
* @param token Single-Sign On token.
* @param dn Base DN
* @param filter Search Filter.
* @param numOfEntries number of max entries, 0 means unlimited
* @param timeLimit maximum number of seconds for the search to spend, 0
* means unlimited
* @param sortResults <code>true</code> to have result sorted.
* @param ascendingOrder <code>true</code> to have result sorted in
* ascending order.
* @param exclude List of DN to exclude.
*/
throws SMSException {
try {
} catch (SSOException ssoe) {
ssoe, "sms-error-in-searching");
}
}
/**
* Returns the DNs that match the filter. The search is performed from the
* root suffix ie., DN. It searchs for SMS objects only.
*/
try {
} catch (SSOException ssoe) {
ssoe, "sms-error-in-searching");
}
}
/**
* Updates the attribute set from the provided SMSEntry
*/
} else {
}
}
/**
* Checks if the provided DN exists. Used by PolicyManager.
*/
try {
} catch (Exception e) {
+ dn, e);
}
return (false);
}
/**
* Returns the DN of the entity
*/
return (dn);
}
/**
* Returns the principal used to access the entry
*/
try {
return (ssoToken.getPrincipal());
} catch (SSOException ssoe) {
return (null);
}
}
/**
* Returns the ssoToken used to access the entry
*/
SSOToken getSSOToken() {
return (ssoToken);
}
/**
* Sets the SMSEntry to be read only. Can be changed only by explicitly
* providing the principal name.
*/
void setReadOnly() {
readOnly = true;
}
/**
* Returns <code>true</code> if the entry does not exist in the data store
*/
public boolean isNewEntry() {
return (newEntry);
}
/**
* Returns the SMSObject
*/
static SMSObject getSMSObject() {
return (smsObject);
}
try {
} catch (SSOException ssoe) {
}
}
} else {
}
if (debug.messageEnabled()) {
}
return (answer);
}
if (newEntry) {
}
}
public static String getRootSuffix() {
return baseDN;
}
public static String getAMSdkBaseDN() {
return amsdkbaseDN;
}
// This has to be called only if the backend datastore is
// based on LDAP protocol. Should not be for JDBC.
} else {
dataStore = "flatfile";
}
if (debug.messageEnabled()) {
}
}
return dataStore;
}
/**
* @return true if the given attribute's value is case sensitive.
*/
}
/**
* @return the service filter pattern string
*/
public static String getFilterPatternService() {
return SMSEntry.FILTER_PATTERN_SERVICE;
}
// Parse the DNs and return as "/" seperated, but does not
// include the current DN
}
// Parse the DNs and return as "/" seperated
boolean includeThisDN) {
/*
* Search results based on scope 'SCOPE_SUB' returns all entries beneath
* the entry DN, and adding to the set. This piece of code iterates
* through the list, gets the suborganization names, replaces the
* namingattribute 'o' with '/' and reverses the result string to be
* displayed in the slash '/' seperated format. eg., Search for suborgs
* from 'o=coke' in o=fanta,o=pepsi,o=coke,ou=services,dc=iplanet,dc=com
*/
/*
* Need to include current DN for search operations.
* Required by AuthN to login to root organization
*/
if (includeThisDN) {
}
continue;
}
/*
* To handle such a case. eg., ou=policy1,
* ou=Policies,ou=default,ou=OrganizationConfig,
* ou=1.0,ou=iPlanetAMPolicyService,ou=services,
* o=engg,o=coke,ou=services,dc=iplanet,dc=com in which case
*/
+ EQUALS;
if (debug.messageEnabled()) {
+ orgAttr);
}
if (i > 0) {
}
if (debug.messageEnabled()) {
}
if (indx < 0) {
}
if (!ServiceManager.isRealmEnabled()) {
// Continue in the case of Containers in the node in
// legacy install.
// eg., o=coke,ou=ContainerOne,dc=planet,dc=com
COMMA);
while (strtok.hasMoreElements()) {
if (debug.messageEnabled()) {
+ token);
}
}
}
}
if (debug.messageEnabled()) {
+ "Container node: " + origStr);
}
continue;
}
}
// If orgAttr is not null,replace with the org naming
// attribute which is defined for legacy mode.
// Replace orgAttr= to '/' and ',' to "" (or)
// Replace 'o=' to '/' and ',' to ""
if (debug.messageEnabled()) {
+ origStr);
}
"");
if (debug.messageEnabled()) {
+ origStr);
}
// Logic here is to reverse the string from dn format to
// slash format.
if (id >= 0) {
}
}
/*
*/
}
}
}
}
return answer;
}
// Check in cache first.
return (answer);
}
// Not in cache, parse the DN
if (debug.messageEnabled()) {
}
// This is an invalid DN, return "*"s
return (answer);
}
/*
* We assume "ou=services" seperate the organization name from the rest
* of the service components Hence if the full DN is: ou=subconfig1,
* ou=default,ou=OrganizationConfig,
* ou=1.0,ou=iPlanetAMPolicyService,ou=services,
* o=engg,o=coke,ou=services,dc=iplanet,dc=com the orgDN would be:
* o=engg,o=coke,ou=services,dc=iplanet,dc=com And if the full DN is:
* ou=subconfig1, ou=default, ou=OrganizationConfig, ou=1.0,
* ou=iPlanetAMPolicyService,ou=services, dc=iplanet, dc=com the orgDN
* would be: dc=iplanet,dc=com
*/
// Get the index to the first occurance of ",ou=services,"
// The DN must be for root suffix for realm mode
// and orgname in the case of legacy mode.
restOfDN = "";
} else if (ServiceManager.isRealmEnabled()) {
// In realm mode there will be 2 ou=services, except
// for the root org and in Legacy mode, there will be
// only one "ou=services" for the root org.
// Hence remove baseDN and check if rfcDN contains realm name
// Invalid DN or base DN, return base DN as org
restOfDN = "";
} else {
// Since services node is not present, it
// must be root realm.
answer[0] =
restOfDN = "";
// In case of subrealms say,
// o=a3,o=a2,o=a1,o=etat-de-vaud,ou=services,o=smsnode
restOfDN = "";
} else {
// In realm mode, "ou=services" seperates service name
// from realm name.
}
}
} else {
// In Legacy mode, there will be only one "ou=services"
}
if (debug.messageEnabled()) {
+ " restOfDN: " + restOfDN);
}
// Parse restOfDN to get servicename, version, type and subconfig
}
// store serviceName,version,configType,subConfigNames
// from restOfDN which will be of the format:
// ou=default,ou=globalconfig,ou=1.0,ou=iPlanetAMAdminConsoleService
// The subconfig names should be "/" separated and left to right
if (size >= 4) {
}
} else {
}
// Add to cache
return answer;
}
try {
} catch (SMSException smse) {
if (debug.messageEnabled()) {
try {
.message("SMSEntry::hasReadPermission Denied user: "
+ " for dn: " + dn);
} catch (SSOException ssoe) {
}
}
return (false);
}
if (debug.messageEnabled()) {
try {
} catch (SSOException ssoe) {
// This should not happen
}
}
return (true);
}
// call this API in SMSEntry::write,read,delete... methods.
// If true proceed writing and reading.
boolean delPermFlag = true;
/*
* No delegation checked for the following : Allow them for all
* operations. 1) Since client SDK uses JAXRPC, bypass delegation
* permission check in client SDK. Else it would done twice once on the
* client and another at the server. if SMSJAXRPCObject is used then
* bypass delegation check.
*
* 2) Allow the users in the special users set.This is configurable
* using the following 2 properties in AMConfig.properties.
* 'com.sun.identity.authentication.super.user'
* 'com.sun.identity.authentication.special.users'
* ou=default node, bypass the delegation check for the nodes above
* that. This is to avoid unnecessary parsing and delegation checking.
* bypass dnNames : ou=services,dc=iplanet,dc=com dc=iplanet,dc=com
* ou=GlobalConfig ou=OrganizationConfig ou=PluginConfig
*/
if (SMSJAXRPCObjectFlg || backendProxyEnabled ||
/*
if (debug.messageEnabled()) {
debug.message("SMSEntry:getDelegationPermission :"
+ "No delegation check needed for client sdk, "
+ "db proxy enabled and for baseDNs: " + baseDN);
}
*/
return delPermFlag;
}
// Check for special and admin users
try {
// Normalize the user name from the token and compare it
// against the special user set and if equal returns true
// allowing the user to perform all operations.
// eg., if root_suffix is dn=iplanet, dn=com then the normalized
// dn is dc=iplanet,dc=com.
/*
if (debug.messageEnabled()) {
debug.message("SMSEntry.getDelegationPermission: No "
+ "delegation check needed for special users."
+ normTok);
}
*/
return delPermFlag;
}
}
} catch (SSOException se) {
"sms-INVALID_SSO_TOKEN"));
}
// If running in co-existence mode, return true if backend
// has proxy enabled
if (!ServiceManager.isConfigMigratedTo70()) {
// Make sure Backend Datastore Proxy is enabled
if (!backendProxyEnabled) {
+ "Must enable LDAP proxy support if configuration "
+ "(DIT) is not migrated to AM 7.0");
// Throw permission denied exception
"sms-INSUFFICIENT_ACCESS_RIGHTS"));
}
// Since backend would check permissions, return true
return (delPermFlag);
}
// Perform delgation check
if (debug.messageEnabled()) {
+ "Calling delegation service for dnName: " + dnName
+ " for permissions: " + actions);
}
"sms-INSUFFICIENT_ACCESS_RIGHTS"));
}
return (delPermFlag);
}
throws SMSException {
// If JAXRPC return false
if (SMSJAXRPCObjectFlg) {
return (false);
}
// Return true for base DN and base services node
return (true);
}
// Check for special and admin users
try {
// Normalize the user name from the token and compare it
// against the special user set and if equal returns true
// allowing the user to perform all operations.
// eg., if root_suffix is dn=iplanet, dn=com then the normalized
// dn is dc=iplanet,dc=com.
/*
if (debug.messageEnabled()) {
debug.message("SMSEntry.isAllowed : No delegation "
+ "check needed for special users." + normTok);
}
*/
return (true);
}
}
} catch (SSOException se) {
"sms-INVALID_SSO_TOKEN"));
}
// If running in co-existence mode, return false since
// delegation service would not have been initialized
if (!ServiceManager.isConfigMigratedTo70()) {
return (false);
}
}
boolean delPermFlag = true;
// Parse the DN
// Ignore permission checks for DN that donot have config type
// and subConfigName, except for sunAMRealmService and for read only
return (delPermFlag);
}
try {
// get orgName,serviceName,subConfigName from the parsed result.
// Call DelegatedPermission's constructor
// Perform delegation check
if (!delPermFlag) {
// Debug the message
if (debug.warningEnabled()) {
try {
+ " has no permissions");
} catch (SSOException ssoe) {
}
}
}
} catch (SSOException se) {
"sms-INVALID_SSO_TOKEN"));
} catch (DelegationException de) {
+ "Invalid DelegationPermission: ", de);
throw (new SMSException(bundle
.getString("sms-invalid_delegation_privilege"),
"sms-invalid_delegation_privilege"));
}
return delPermFlag;
}
// Instance variables
protected String normalizedDN;
private boolean newEntry;
private boolean readOnly;
// Static global variables
// Attributes with defined positions
// Constructs for placeholder nodes
+ SERVICES_NODE + COMMA;
static final int DELEGATION_SERVICES_RDN_WITH_COMMA_LEN =
// Types of SMS objects
static final int ORG_UNIT_OBJECT = 1;
static final int SERVICE_OBJECT = 2;
static final int SERVICE_COMP_OBJECT = 3;
// Pre-defined SMS ATTRIBUTE names
// Object classes to identify the objects
// Internal hidden realms used for storing delegation policies
// Service name for Realm management used for delegation
// Pre-defined filters
+ "={1}))";
}