4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * The contents of this file are subject to the terms
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * of the Common Development and Distribution License
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * (the License). You may not use this file except in
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * compliance with the License.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * You can obtain a copy of the License at
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * See the License for the specific language governing
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * permission and limitations under the License.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * When distributing Covered Code, include this CDDL
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Header Notice in each file and include the License file
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * If applicable, add the following below the CDDL Header,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * with the fields enclosed by brackets [] replaced by
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * your own identifying information:
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * "Portions Copyrighted [year] [name of copyright owner]"
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * $Id: FMSubjectMapper.java,v 1.4 2009/09/22 22:57:43 madan_ranganath Exp $
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington * Portions Copyrighted 2015 ForgeRock AS.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.authentication.server.AuthContextLocal;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.authentication.service.AuthException;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.authentication.service.AuthUtils;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.plugin.session.SessionException;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.plugin.session.SessionProvider;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.plugin.session.impl.FMSessionProvider;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.xacml.context.Attribute;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.xacml.common.XACMLException;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.xacml.common.XACMLConstants;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.xacml.common.XACMLSDKUtils;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.xacml.spi.SubjectMapper;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport javax.security.auth.login.LoginException;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * This class implements SubjectMapper to map between a XACML context
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Subject and a native subject.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * This mapper recognises only the following XACML specification defined
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * attributeId
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * urn:oasis:names:tc:xacml:1.0:subject:subject-id
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Only the following dataTypes are understood for subject-id:
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * urn:oasis:names:tc:xacml:1.0:data-type:x500Name
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * urn:sun:names:xacml:2.0:data-type:opensso-session-id
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * urn:sun:names:xacml:2.0:data-type:openfm-sp-nameid
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Only the following value is accepted for the subject-category
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * attribute of Subject:
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * If the attribute or the value is not specified in the request, it
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * defaults to this value. The Subject maps to null if a different
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * value has been specified (an error condition).
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Note that the subject-id value is taken from the request as given: a
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * session-id value appears to be resolved directly to an existing SSOToken,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * and a user name appears to result in a session being created for that
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * principal, so this mapper relies on the request coming from a trusted PEP.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterpublic class FMSubjectMapper implements SubjectMapper {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster FMSessionProvider fmSessionProvider = new FMSessionProvider();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Initializes the mapper implementation. This would be called immediately
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * after constructing an instance of the implementation.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param pdpEntityId EntityID of PDP
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param pepEntityId EntityID of PEP
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param properties configuration properties
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @exception XACMLException if can not initialize
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster public void initialize(String pdpEntityId, String pepEntityId, Map properties)
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * Returns native subject, OpenAM SSOToken
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param xacmlContextSubjects XACML context Subject(s) from the
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * xacml-context:Request
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * @return native subject, OpenAM SSOToken, returns null if
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Subject did not match
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @exception XACMLException if can not map to native subject
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster public Object mapToNativeSubject(List xacmlContextSubjects)
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // Method curently supports only
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // urn:sun:names:xacml:2.0:data-type:opensso-session-id
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // TODO : Support for
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // urn:oasis:names:tc:xacml:1.0:data-type:x500Name
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // urn:sun:names:xacml:2.0:data-type:openfm-sp-nameid
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster //for (int subCount=0;subCount<xacmlContextSubjects.length;subCount++) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster for (Iterator iter = xacmlContextSubjects.iterator(); iter.hasNext(); ) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster //Subject subject = xacmlContextSubjects[subCount];
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster URI subjectCategory = subject.getSubjectCategory();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster if ((subjectCategory != null) && (!subjectCategory.toString().
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster for (int count = 0; count < attributes.size(); count++) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Attribute attr = (Attribute) attributes.get(count);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Element sidElement = (Element)attr.getAttributeValues()
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Element sidElement = (Element)attr.getAttributeValues()
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster userName = XMLUtils.getElementValue(sidElement);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Element sidElement = (Element)attr.getAttributeValues()
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster String nameID = XMLUtils.getElementValue(sidElement);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster IDPCache.userIDByTransientNameIDValue.get(nameID);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // TODO:Need to support non-transient nameid format
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster if (sid != null) { //create ssoToken based on sessionId
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SSOTokenManager tokenManager = SSOTokenManager.getInstance();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "FMSubjectMapper.mapToNativeSubject()"
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster //create ssoToken based on x500name (userName)
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster if ((ssoToken == null) && (userName != null)) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "FMSubjectMapper.mapToNativeSubject()"
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private SSOToken createFMSession(String userName) throws SessionException {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster info.put(SessionProvider.PRINCIPAL_NAME, userName);