/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: XACMLQueryUtil.java,v 1.1 2009/09/22 22:50:14 madan_ranganath Exp $
 *
 */

/*
 * Portions copyright 2013 ForgeRock, Inc.
 */

a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.saml2.profile;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.net.URI;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.net.URISyntaxException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.ArrayList;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.List;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.client.XACMLRequestProcessor;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.common.XACMLConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.common.XACMLException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Action;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.ContextFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Decision;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Environment;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Request;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Resource;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Result;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.xacml.context.Subject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * This class provides methods to send or process <code>AttributeQuery</code>.
 *
 * @supported.api
 */

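public class XACMLQueryUtil {

    /**
     * Session provider obtained once at class-load time. Stays {@code null}
     * if the lookup fails (see the static initializer). No method in this
     * class references it.
     */
    static SessionProvider sessionProvider = null;

    static {
        try {
            sessionProvider = SessionManager.getProvider();
        } catch (SessionException se) {
            // Logged rather than rethrown so the class still initializes;
            // sessionProvider simply remains null.
            SAML2Utils.debug.error("Error retrieving session provider.", se);
        }
    }

    /** Utility class: not instantiable. */
    private XACMLQueryUtil() {
    }

    /**
     * Sends the XACML query to the specified PDP, gets the policy decision
     * and sends it back to the Fedlet.
     *
     * <p>The XACML request is built with one access subject (identified by
     * the SAML2 NameID value), one resource carrying the resource id and the
     * target service name, one action and an empty environment. The value of
     * the first {@code Decision} of the first {@code Result} in the PDP
     * response is returned.
     *
     * <p>{@code null} is returned when the PDP returns no response, no
     * result, no decision or no decision value, and also when building or
     * sending the request fails with a {@code URISyntaxException} or
     * {@code XACMLException} (the failure is logged with its cause). Callers
     * must therefore treat {@code null} as "no decision obtained", never as
     * a permit.
     *
     * @param request HTTP Servlet Request (not used by the current
     *        implementation)
     * @param pepEntityID PEP entity ID
     * @param pdpEntityID PDP entity ID
     * @param nameIDValue NameID value
     * @param serviceName Service Name
     * @param resource Resource URL
     * @param action Action
     *
     * @return the decision value as a <code>String</code>, or {@code null}
     *         if no decision could be obtained
     * @exception SAML2Exception if the operation is not successful; declared
     *            for API compatibility, the current implementation reports
     *            failures by returning {@code null}
     *
     * @supported.api
     */
    public static String getPolicyDecisionForFedlet(HttpServletRequest request,
                                                    String pepEntityID,
                                                    String pdpEntityID,
                                                    String nameIDValue,
                                                    String serviceName,
                                                    String resource,
                                                    String action)
            throws SAML2Exception {
        // Created outside the try block, as before: a failure here is not
        // one of the two error cases this method handles by returning null.
        Request xacmlRequest = ContextFactory.getInstance().createRequest();

        try {
            // Subject: the access subject identified by its SAML2 NameID.
            Subject subject = ContextFactory.getInstance().createSubject();
            subject.setSubjectCategory(new URI(XACMLConstants.ACCESS_SUBJECT));
            subject.setAttributes(listOf(createStringAttribute(
                    XACMLConstants.SUBJECT_ID, XACMLConstants.SAML2_NAMEID,
                    nameIDValue)));
            xacmlRequest.setSubjects(listOf(subject));

            // Resource: resource id plus the target service name.
            Resource xacmlResource =
                    ContextFactory.getInstance().createResource();
            List<Attribute> resourceAttributes = new ArrayList<Attribute>();
            resourceAttributes.add(createStringAttribute(
                    XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING,
                    resource));
            resourceAttributes.add(createStringAttribute(
                    XACMLConstants.TARGET_SERVICE, XACMLConstants.XS_STRING,
                    serviceName));
            xacmlResource.setAttributes(resourceAttributes);
            xacmlRequest.setResources(listOf(xacmlResource));

            // Action: a single action id.
            Action xacmlAction = ContextFactory.getInstance().createAction();
            xacmlAction.setAttributes(listOf(createStringAttribute(
                    XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
                    action)));
            xacmlRequest.setAction(xacmlAction);

            // Environment: deliberately left empty.
            Environment environment =
                    ContextFactory.getInstance().createEnvironment();
            xacmlRequest.setEnvironment(environment);

            Response xacmlResponse =
                    XACMLRequestProcessor.getInstance().processRequest(
                            xacmlRequest, pdpEntityID, pepEntityID);
            return extractDecisionValue(xacmlResponse);
        } catch (URISyntaxException uriexp) {
            // Log at error level with the cause attached: the previous
            // debug-only message without the exception hid why the caller
            // received null.
            SAML2Utils.debug.error("XACMLQueryUtil." +
                "getPolicyDecisionForFedlet: " +
                "URI Exception while sending the XACML Request", uriexp);
        } catch (XACMLException xacmlexp) {
            SAML2Utils.debug.error("XACMLQueryUtil." +
                "getPolicyDecisionForFedlet: " +
                "Error while processing the XACML Response", xacmlexp);
        }
        return null;
    }

    /**
     * Creates an attribute with the given id and data type that carries a
     * single string value.
     *
     * @param attributeId attribute id URI string (an {@code XACMLConstants}
     *        value)
     * @param dataType data type URI string (an {@code XACMLConstants} value)
     * @param value the single string value to carry
     * @return the populated attribute
     * @throws URISyntaxException if either URI string is malformed
     * @throws XACMLException if the attribute cannot be populated
     */
    private static Attribute createStringAttribute(String attributeId,
                                                   String dataType,
                                                   String value)
            throws URISyntaxException, XACMLException {
        Attribute attribute = ContextFactory.getInstance().createAttribute();
        attribute.setAttributeId(new URI(attributeId));
        attribute.setDataType(new URI(dataType));
        List<String> values = new ArrayList<String>();
        values.add(value);
        attribute.setAttributeStringValues(values);
        return attribute;
    }

    /**
     * Returns the value of the first decision of the first result in the
     * given PDP response, or {@code null} if the response, the result list,
     * the first result, the decision or its value is missing.
     *
     * @param xacmlResponse the PDP response, may be {@code null}
     * @return the decision value or {@code null}
     * @throws XACMLException if the response cannot be read
     */
    private static String extractDecisionValue(Response xacmlResponse)
            throws XACMLException {
        if (xacmlResponse == null) {
            return null;
        }
        List<?> results = xacmlResponse.getResults();
        // getResults() is guarded against null as well as empty; the
        // original only checked size() and would have thrown on null.
        if (results == null || results.isEmpty()) {
            return null;
        }
        Result policyResult = (Result) results.get(0);
        if (policyResult == null) {
            return null;
        }
        Decision decision = (Decision) policyResult.getDecision();
        return decision == null ? null : decision.getValue();
    }

    /**
     * Wraps a single item in a new, mutable list (the context setters were
     * previously handed fresh {@code ArrayList}s, so that is preserved).
     */
    private static <T> List<T> listOf(T item) {
        List<T> list = new ArrayList<T>();
        list.add(item);
        return list;
    }
}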