/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: Action.java,v 1.2 2008/06/25 05:47:31 qcheng Exp $
 *
 */


package com.sun.identity.saml.assertion;

import java.util.*;
import org.w3c.dom.*;
import com.sun.identity.saml.common.SAMLUtilsCommon;
import com.sun.identity.saml.common.SAMLConstants;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.common.SAMLRequesterException;
import com.sun.identity.shared.xml.XMLUtils;

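/**
 * Represents the <code>Action</code> element of a SAML core assertion: an
 * action on a specified resource for which permission is sought.
 *
 * <p>An instance holds two strings, the action itself and the action
 * namespace it is interpreted in. Both constructors run the same validity
 * check (see <code>isValid</code>) before the object becomes usable.
 *
 * @supported.all.api
 */
public class Action {
    /** Actions defined by the Read/Write/Execute/Delete/Control namespace. */
    private static final String[] RWEDC_ACTIONS =
        {"Read", "Write", "Execute", "Delete", "Control"};

    /** Negated forms that the "with negation" namespace adds to the above. */
    private static final String[] NEGATED_RWEDC_ACTIONS =
        {"~Read", "~Write", "~Execute", "~Delete", "~Control"};

    /** Actions defined by the Get/Head/Put/Post namespace. */
    private static final String[] GHPP_ACTIONS =
        {"GET", "HEAD", "PUT", "POST"};

    // An action sought to be performed on the specified resource.
    protected String _action = null;

    // Value of the Namespace attribute of the <code>Action</code> element.
    // Defaults to the "rwedc with negation" namespace when none is supplied.
    protected String _namespace = SAMLConstants.ACTION_NAMESPACE_NEGATION;

    /**
     * Constructs an action element from an existing XML block.
     *
     * <p>The element must have the local name <code>Action</code>, must not
     * contain child elements, and must carry a text value that is valid for
     * its (explicit or default) action namespace.
     *
     * @param element representing a DOM tree element.
     * @exception SAMLException if there is an error in the sender or in
     *            the element definition.
     */
    public Action(Element element) throws SAMLException {
        // make sure that the input xml block is not null
        if (element == null) {
            SAMLUtilsCommon.debug.message("Action: Input is null.");
            throw new SAMLRequesterException(
                SAMLUtilsCommon.bundle.getString("nullInput"));
        }

        // Make sure this is an Action.
        // NOTE(review): only the local name is compared here; the element's
        // namespace URI is not checked in this class. Presumably the caller
        // has already validated the enclosing assertion - confirm.
        String tag = element.getLocalName();
        if ((tag == null) || (!tag.equals("Action"))) {
            SAMLUtilsCommon.debug.message("Action: wrong input");
            throw new SAMLRequesterException(
                SAMLUtilsCommon.bundle.getString("wrongInput"));
        }

        // Handle the attributes of the <code>Action</code> element.
        // Note: element attributes are not children of ELEMENT_NODEs but
        // are properties of their associated ELEMENT_NODE.
        NamedNodeMap atts = ((Node) element).getAttributes();
        int attrCount = atts.getLength();
        for (int i = 0; i < attrCount; i++) {
            Node att = atts.item(i);
            if (att.getNodeType() != Node.ATTRIBUTE_NODE) {
                continue;
            }
            String attName = att.getLocalName();
            if (attName == null || attName.length() == 0) {
                if (SAMLUtilsCommon.debug.messageEnabled()) {
                    SAMLUtilsCommon.debug.message("Action: Attribute Name" +
                        "is either null or empty.");
                }
                throw new SAMLRequesterException(
                    SAMLUtilsCommon.bundle.getString("nullInput"));
            }
            if (attName.equals("Namespace")) {
                _namespace = ((Attr) att).getValue().trim();
            }
            // An empty Namespace attribute falls back to the default.
            if ((_namespace == null) || (_namespace.length() == 0)) {
                _namespace = SAMLConstants.ACTION_NAMESPACE_NEGATION;
            }
        }

        // Handle the children of <code>Action</code>: the element may hold
        // text only, so any child element is rejected.
        NodeList nodes = element.getChildNodes();
        int nodeCount = nodes.getLength();
        for (int i = 0; i < nodeCount; i++) {
            Node currentNode = nodes.item(i);
            if (currentNode.getNodeType() == Node.ELEMENT_NODE) {
                if (SAMLUtilsCommon.debug.messageEnabled()) {
                    SAMLUtilsCommon.debug.message("Action: Wrong input");
                }
                throw new SAMLRequesterException(
                    SAMLUtilsCommon.bundle.getString("wrongInput"));
            }
        }

        _action = XMLUtils.getElementValue(element);
        // check if the action is null.
        if (_action == null) {
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("Action is null.");
            }
            throw new SAMLRequesterException(
                SAMLUtilsCommon.bundle.getString("missingElementValue"));
        }
        if (!isValid(_action, _namespace)) {
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("Action is invalid");
            }
            throw new SAMLRequesterException(
                SAMLUtilsCommon.bundle.getString("invalidAction"));
        }
    }

    /**
     * Convenience constructor of &lt;Action&gt;.
     *
     * @param namespace The attribute "Namespace" of the
     *        <code>&lt;Action&gt;</code> element. When null or empty the
     *        default namespace is kept.
     * @param action A String representing an action; must not be null or
     *        empty.
     * @exception SAMLException if there is an error in the sender or in
     *            the element definition.
     */
    public Action(String namespace, String action) throws SAMLException {
        if (namespace == null || namespace.length() == 0) {
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("Action:Take default " +
                    "Attribute Namespace.");
            }
        } else {
            _namespace = namespace;
        }

        if (action == null || action.length() == 0) {
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("Action:Action is " +
                    "null or empty.");
            }
            throw new SAMLRequesterException(
                SAMLUtilsCommon.bundle.getString("nullInput"));
        }
        _action = action;

        if (!isValid(_action, _namespace)) {
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("Action is invalid");
            }
            throw new SAMLRequesterException(
                SAMLUtilsCommon.bundle.getString("invalidAction"));
        }
    }

    /**
     * Checks whether the action string is valid within its namespace.
     *
     * <p>The action is checked against four pre-defined namespaces, each
     * identified by a <code>SAMLConstants</code> value:
     * <ol>
     * <li><code>ACTION_NAMESPACE</code> - Read/Write/Execute/Delete/Control.
     *     Defined actions: Read Write Execute Delete Control, interpreted in
     *     the normal manner (Control: the subject may specify the access
     *     control policy for the resource).</li>
     * <li><code>ACTION_NAMESPACE_NEGATION</code> - the same five actions plus
     *     their negated forms ~Read ~Write ~Execute ~Delete ~Control, meaning
     *     the subject may NOT perform the action. An application MUST NOT
     *     authorize both an action and its negated form.</li>
     * <li><code>ACTION_NAMESPACE_GHPP</code> - Get/Head/Put/Post. Defined
     *     actions: GET HEAD PUT POST, bound to the corresponding HTTP
     *     operations. GET and HEAD loosely correspond to read permission and
     *     PUT and POST to write permission; the correspondence is not exact,
     *     since a GET may modify data and a POST may modify a resource other
     *     than the one named in the request.</li>
     * <li><code>ACTION_NAMESPACE_UNIX</code> - UNIX file permissions in
     *     numeric (octal) notation: a four digit code "extended user group
     *     world". The extended digit is +2 if sgid is set and +4 if suid is
     *     set; the user, group and world digits are +1 for execute, +2 for
     *     write and +4 for read. For example 0754 denotes user read, write
     *     and execute, group read and execute, and world read.</li>
     * </ol>
     *
     * <p>Any other namespace is treated as application-defined and the
     * action is accepted without inspection, so an accepted action may
     * contain arbitrary text.
     *
     * @param action A String representing the action; callers in this class
     *        pass a non-null value.
     * @param namespace The Action element's namespace; callers in this class
     *        pass a non-null value.
     * @return true if the action is valid within the given namespace, or if
     *         the namespace is not one of the four defined action
     *         namespaces; false otherwise.
     */
    private boolean isValid(String action, String namespace) {
        if (namespace.equals(SAMLConstants.ACTION_NAMESPACE)) {
            return isOneOf(action, RWEDC_ACTIONS);
        }
        if (namespace.equals(SAMLConstants.ACTION_NAMESPACE_NEGATION)) {
            return isOneOf(action, RWEDC_ACTIONS)
                || isOneOf(action, NEGATED_RWEDC_ACTIONS);
        }
        if (namespace.equals(SAMLConstants.ACTION_NAMESPACE_GHPP)) {
            return isOneOf(action, GHPP_ACTIONS);
        }
        if (namespace.equals(SAMLConstants.ACTION_NAMESPACE_UNIX)) {
            return isUnixPermission(action);
        }
        // Unknown namespace: nothing to check the action against.
        return true;
    }

    /** Returns true if <code>value</code> equals one of the allowed strings. */
    private static boolean isOneOf(String value, String[] allowed) {
        for (int i = 0; i < allowed.length; i++) {
            if (value.equals(allowed[i])) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks an action string against the UNIX file permission format:
     * a decimal-parsed number whose thousands part is 0, 2, 4 or 6 and
     * whose three low digits are each in the range 0-7.
     *
     * NOTE(review): the check works on the parsed integer, not on the
     * string, so it is looser than the "four digit" wording of the format:
     * a shorter string such as "754" is accepted, as is any other spelling
     * that Integer.parseInt maps to an accepted number. Tightening this
     * would reject input that is accepted today, so it is left unchanged.
     */
    private static boolean isUnixPermission(String action) {
        int permissionNum;
        try {
            permissionNum = Integer.parseInt(action);
        } catch (NumberFormatException ne) {
            // The exception message embeds the rejected input, so text taken
            // from the assertion reaches the debug log here.
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("Actions: Unix " +
                    "file permissions " +
                    "error:" + ne.getMessage());
            }
            return false;
        }

        int extended = permissionNum / 1000;
        if (extended != 0 && extended != 2 && extended != 4 && extended != 6) {
            return false;
        }

        // Walk the user/group/world digits from the least significant end.
        // A negative number yields a negative digit and is rejected below.
        int remain = permissionNum - 1000 * extended;
        for (int i = 0; i < 3; i++) {
            int digit = remain % 10;
            if (digit < 0 || digit > 7) {
                return false;
            }
            remain = remain / 10;
        }
        return true;
    }

    /**
     * Escapes the five XML special characters so that a value can be placed
     * in element content or in a double-quoted attribute value.
     *
     * @param text the raw value; may be null.
     * @return the escaped value, or null if <code>text</code> is null.
     */
    private static String escapeXml(String text) {
        if (text == null) {
            return null;
        }
        StringBuffer out = new StringBuffer(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&apos;");
                    break;
                default:
                    out.append(c);
                    break;
            }
        }
        return out.toString();
    }

    /**
     * Gets the action string.
     *
     * @return A String representing the action
     */
    public String getAction() {
        return _action;
    }

    /**
     * Gets the namespace of Action.
     *
     * @return A String representing the name space of the action
     */
    public String getNameSpace() {
        return _namespace;
    }

    /**
     * Creates a String representation of the <code>saml:Action</code>
     * element, with the namespace prefix included and without a namespace
     * declaration.
     *
     * @return A string containing the valid XML for this element
     */
    public String toString() {
        return (this.toString(true, false));
    }

    /**
     * Creates a String representation of the <code>saml:Action</code>
     * element.
     *
     * <p>The namespace and action values are XML-escaped on output. The
     * action of an unrecognised namespace is not restricted to a fixed
     * vocabulary, so without escaping a value containing markup characters
     * would produce malformed XML or extra elements in the serialized
     * assertion.
     *
     * @param includeNS Determines whether or not the namespace qualifier
     *        is prepended to the Element when converted
     * @param declareNS Determines whether or not the namespace
     *        is declared within the Element.
     * @return A string containing the valid XML for this element
     */
    public String toString(boolean includeNS, boolean declareNS) {
        String prefix = includeNS ? SAMLConstants.ASSERTION_PREFIX : "";
        String uri = declareNS ? SAMLConstants.assertionDeclareStr : "";

        StringBuffer result = new StringBuffer();
        result.append("<").append(prefix).append("Action ")
              .append(uri).append(" Namespace=\"")
              .append(escapeXml(_namespace)).append("\">");
        result.append(escapeXml(_action));
        result.append("</").append(prefix).append("Action>\n");
        return result.toString();
    }
}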