AMObjectImpl.java revision f48118365a7f4f1240516dbe66e47b24a896ff16
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AMObjectImpl.java,v 1.14 2009/11/20 23:52:51 ww203982 Exp $
*
* Portions Copyrighted 2011-2016 ForgeRock AS.
*/
/**
* This class implements the AMObject interface.
* <p>
*
* Each instance of AMObjectImpl (essentially an instance of a subclass, which
* inherits all the features of this class) has a private Set,
* <code>listeners</code>, which holds all registered
* <code>AMEventListener</code> instances. Apart from this, the class has a
* static <code>objImplListeners</code> table which holds all *Impl instances
* that are interested in receiving notifications for entry events. When a
* listener instance is added to a particular *Impl instance by invoking
* *ImplObj.addEventListener(dpEventListener), it is checked whether that *Impl
* instance has already registered itself in the
* <code>objImplListeners</code> table. If it has not, it is added to the
* <code>objImplListeners</code> table. The check is done by means of the
* boolean variable <code>isRegistered</code>, which exists for each instance.
* Whenever an event notification is received, <code>objImplListeners</code>
* is consulted to find the interested *Impl instances, and notifications are
* then sent to each of their private Sets of listeners.
*
* @deprecated As of Sun Java System Access Manager 7.1.
*/
class AMObjectImpl implements AMObject {
// ~ Static fields/initializers
// ---------------------------------------------
// Private Constants
private static final String POLICY_ADMIN_ROLE_NAME =
"Organization Policy Admin Role";
private static final String POLICY_ADMIN_ROLE_PERMISSION =
"Organization Policy Admin";
private static final String ROLE_DISPLAY_ATTR =
"iplanet-am-role-display-options";
/**
* <code>objImplListeners</code> holds the list of all registered
* "*Impl's" that are interested in receiving notifications. The DN is the
* key and value is a Set of *Impl instances interested in receiving
* notifications for that DN.
*/
/**
* Hash table used to keep track of elements that need to be removed from
* objImplListeners table when a SSOToken is no longer valid. The key is
* SSOTokenId & the value is a Set of DN's.
*/
// ~ Instance fields
// --------------------------------------------------------
protected IDirectoryServices dsServices;
protected int profileType;
// Don't initialize until needed
private AMHashMap byteValueModMap;
private AMHashMap stringValueModMap;
/**
* A private Set <code>listeners</code> holds the list of all registered
* listeners. For thread safety, every access to 'listeners' should be
* enclosed in a synchronized block.
*/
/**
* This variable makes sure that the AMObjectImpl instance is not added
* more than once to profileNameTable and objImplListeners.
*/
private boolean isRegistered = false;
// ~ Constructors
// -----------------------------------------------------------
profileType = type;
stringValueModMap = new AMHashMap(false);
byteValueModMap = new AMHashMap(true);
}
// ~ Methods
// ----------------------------------------------------------------
/**
*
* @return The Set of service names that are assigned to the user.
*
* @throws AMException
* if there is an internal error in the AM Store
* @throws SSOException
* if the sign on is no longer valid
*/
// TODO: UnsupportedOperationException should move to the sub classes
// No check here!
throw new UnsupportedOperationException();
}
if (!serviceOCs.isEmpty()) {
boolean serviceAssigned = true;
// Do we have to check if all the service object classes are
// present? Why can't we do the opposite? exit if 1 present
{
serviceAssigned = false;
break;
}
}
if (serviceAssigned) {
}
}
}
return result;
}
throws AMException, SSOException {
}
}
throws AMException, SSOException {
}
throws AMException, SSOException {
return values; // Could be null, but thats what we return
}
}
return getAttributes(null);
}
/* preserve the attribute map's key with the attribute name passed in */
return attributes;
}
return getAttributesFromDataStore(null);
}
throws AMException, SSOException {
/* preserve the attribute map's key with the attribute name passed in */
return attributes;
}
}
return getAttributesByteArray(null);
}
/* preserve the attribute map's key with the attribute name passed in */
return attributes;
}
throws AMException, SSOException {
if (value) {
} else {
}
}
throws AMException, SSOException {
return true;
}
return false;
}
}
if (attributeValue.isEmpty()) {
}
}
return entryDN;
}
/**
* Checks if the entry exists in the directory or not. First a syntax check
* is done on the DN string corresponding to the entry. If the DN syntax is
* valid, a directory call will be made to check for the existence of the
* entry.
* <p>
*
* <b>NOTE:</b> This method internally invokes a call to the directory to
* verify the existence of the entry. There could be a performance overhead.
* Hence, please use your discretion while using this method.
*
* @return false if the entry does not have a valid DN syntax or if the
* entry does not exists in the Directory. True otherwise.
*
* @throws SSOException
* if the sign-on is no longer valid.
*/
public boolean isExists() throws SSOException {
// First check if DN syntax is valid. Avoid making iDS call
return false; // would be better here.
}
if (debug.messageEnabled()) {
}
}
throws AMException, SSOException {
}
try {
} catch (NumberFormatException nfex) {
"152");
}
}
if (attributeValue.isEmpty()) {
}
}
/**
* Gets the object's organization.
*
* @return The object's organization DN.
*
* @throws AMException
* if there is an internal error in the AM Store or the object
* doesn't have an organization DN.
* @throws SSOException
* if the sign on is no longer valid
*/
if (organizationDN == null) {
if (profileType == USER) {
startDN = getParentDN();
}
}
return organizationDN;
}
public String getParentDN() {
return null;
} else {
}
}
if (debug.messageEnabled()) {
+ entryDN);
}
try {
return map;
} catch (SMSException smsex) {
if (debug.messageEnabled()) {
smsex);
}
}
}
}
if (debug.messageEnabled()) {
+ "): DN=" + entryDN);
}
try {
if (serviceAttributeNames.isEmpty()) {
} else {
}
}
if (serviceAttributeNames.isEmpty()) {
} else {
}
}
return getAttributes(serviceAttributeNames);
} catch (SMSException smsex) {
if (debug.messageEnabled()) {
}
}
}
throws AMException, SSOException {
throw new UnsupportedOperationException();
}
// validate that this service is assigned to this entity.
}
try {
}
} catch (SMSException se) {
// throw new AMException
se);
}
if (stAttributeName == null) {
}
// TODO validate service attribute value.
store();
}
throw new UnsupportedOperationException();
}
try {
token);
}
}
} catch (SMSException se) {
// throw new AMException
se);
}
if (stAttributeName != null) {
return null;
} else {
}
}
return (null);
}
/**
* Sets string type attribute value.
*
* @param attributeName
* Attribute name
* @param value
* value to be set for the attributeName
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
throws AMException, SSOException {
}
return "";
} else {
}
}
// TODO: The right way to do these checks is to override the getTemplate()
// methods in AMOrgTemplate, AMTemplate etc.
&& (profileType != ORGANIZATIONAL_UNIT)
&& (profileType != FILTERED_ROLE)) {
throw new UnsupportedOperationException();
}
// Organization template
if ((profileType != ORGANIZATIONAL_UNIT)
&& (profileType != ORGANIZATION)) {
throw new UnsupportedOperationException();
}
throw new AMException(AMSDKBundle
}
rfcDN);
}
if (debug.messageEnabled()) {
}
}
/**
* Registers an AMEventListener that needs to be invoked when a relevant event
* occurs. If the listener was already registered, it is not registered
* again; duplicate registrations are not allowed.
* <p>
* {@link Object#equals Object.equals()} method on the listener object is
* used to determine duplicates. <BR>
* NOTE: This method does not check if the listener implementation object
* exists in the directory, since it is brought from directory itself.
*
* @param listener
* listener object that will be called upon when an event occurs.
*
* @throws SSOException
* if errors were encountered in adding a new SSOTokenListener
* instance
*/
// Check if this AMObjectImpl has been added to the objImplListeners
// Map.
// if not added previously, then add one.
if (!isRegistered) {
// Make an entry for this SSOToken and dn in Profile Name table
if (debug.messageEnabled()) {
+ "registering this instance to obj*Impl table");
}
try {
} catch (SSOException se) {
throw se;
}
synchronized (objImplListeners) {
entryDN.toLowerCase());
}
// Since, this AMObjectImpl is registered, set isRegistered:true
this.isRegistered = true;
}
}
// Add the listener to this AMObjectImpl's list of registered listeners
// that need to be notified.
synchronized (listeners) {
}
}
// TODO: deprecated remove next release
/**
* Assigns the given policies to this object.
*
* @param serviceName
* serviceName
* @param policyDNs
* Set of policy DN string
*
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
throws AMException, SSOException {
throw new UnsupportedOperationException();
}
/**
* Assigns a set of services and the attributes for a service to the user.
*
* @param serviceNamesAndAttr
* Set of service names and the attributes for a service.
* @throws AMException
* if there is an internal error in the AM Store
* @throws SSOException
* if the sign on is no longer valid
* @see com.iplanet.am.sdk.AMUserImpl#assignServices(java.util.Set)
*/
assignServices(serviceNamesAndAttr, true);
}
/**
* Assigns a set of services and the attributes for a service to the user.
*
* @param serviceNamesAndAttr
* Set of service names and the attributes for a service.
* @param store
* A boolean value. If the boolean value is 'true', 1) Checks if
* there is already an assigned service. 2) Checks if any of the
* assigned services are registered with the parent organization.
* 3) Combines the old Object Classes and the new Object classes
* and assigns them for a service. If the boolean value is
* 'false', 1) Assigns services without any check for existence
* of already assigned service. 2) Assigns only the new object
* classes.
*
* @throws AMException
* if there is an internal error in the AM Store
* @throws SSOException
* if the sign on is no longer valid
* @see com.iplanet.am.sdk.AMUserImpl#assignServices( java.util.Set
* serviceNames)
*/
throws AMException, SSOException {
throw new UnsupportedOperationException();
}
return;
}
if (store) {
// If already assigned service, then do nothing,
// else add the servicename to services to be
// assigned.
} else {
if (debug.warningEnabled()) {
+ thisService + " is already assigned to "
+ entryDN);
}
}
}
/*
* Check if any of the assigned services are registered with the
* parent organization. If not then throw an exception. We cannot
* assign a service which is not registered with the parent
* organization.
*/
if (profileType == ORGANIZATION) {
} else {
}
"126");
}
}
} else {
}
if (store) {
}
}
/*
* Check if the service has the schema type specified for the
* respective profile type. If not throw an exception. The object
* class is assigned above even if the schema type is not specified.
* The reason behind this is to support the "COS" type attributes.
*/
try {
thisService, token);
}
}
}
}
/*
* Below we iterate through the attribute map to remove any
* attribute that do not have values (empty set) This is because
* the default behaviour when doing "setAttributes" with
* attributes containing no values is to "delete" that attribute
* from the entry. this is not the behaviour we want so the
* below check is a precaution to avoid that behaviour.
*/
} catch (SMSException smse) {
+ "unable to validate attributes for " + thisService,
smse);
"908");
}
// TODO validate the attributes here...
}
if (store) {
store();
}
}
if (debug.messageEnabled()) {
}
throw new AMInvalidDNException(
}
// validateAttributeUniqueness(true);
if (profileType == USER) {
.getName());
}
}
if ((profileType == ORGANIZATION)
|| (profileType == ORGANIZATIONAL_UNIT)) {
+ "=People," + entryDN;
try {
peopleDN);
if (debug.messageEnabled()) {
+ "Unable to create admin role for " + peopleDN
+ ex);
}
}
}
if ((profileType == ORGANIZATION)
|| (profileType == ORGANIZATIONAL_UNIT)) {
if (profileType == ORGANIZATION) {
adminRoleName = "Organization Admin Role";
helpRoleName = "Organization Help Desk Admin Role";
adminRolePermission = "Organization Admin";
helpRolePermission = "Organization Help Desk Admin";
} else {
adminRoleName = "Container Admin Role";
helpRoleName = "Container Help Desk Admin Role";
adminRolePermission = "Container Admin";
helpRolePermission = "Container Help Desk Admin";
}
try {
if (debug.messageEnabled()) {
+ "Unable to set aci or org admin role. ", ex);
}
}
try {
if (debug.warningEnabled()) {
+ "managed dn for org admin role.", ex);
}
}
}
try {
if (debug.messageEnabled()) {
+ " to set aci or org help desk admin role. ",
ex);
}
}
try {
if (debug.warningEnabled()) {
+ "managed dn for org help role.", ex);
}
}
}
if (policyAdminRole.isExists()) {
try {
if (debug.messageEnabled()) {
+ "or org policy admin role. ", ex);
}
}
try {
if (debug.warningEnabled()) {
+ "managed dn for org policy admin role.", ex);
}
}
}
|| (profileType == ASSIGNABLE_DYNAMIC_GROUP)
|| (profileType == PEOPLE_CONTAINER)) {
try {
if (!AMDCTree.isRequired()) {
}
if (debug.messageEnabled()) {
}
}
setAciForRole((AMRole) this);
}
|| (profileType == ASSIGNABLE_DYNAMIC_GROUP)) {
try {
if (!AMDCTree.isRequired()) {
}
if (debug.messageEnabled()) {
+ "Unable to set aci based on "
}
}
}
if (!byteValueModMap.isEmpty()) {
}
}
// TODO: deprecated remove next release
}
}
}
null);
}
// TODO: TBD these createTemplate API's should be moved to Org, OrgUnit,
// Role etc. Also, The right way to do these checks is to override the
// getTemplate() methods in AMOrgTemplate, AMTemplate etc.
&& (profileType != ORGANIZATIONAL_UNIT)
&& (profileType != FILTERED_ROLE)) {
throw new UnsupportedOperationException();
}
// If template type is an Org template
if ((profileType != ORGANIZATIONAL_UNIT)
&& (profileType != ORGANIZATION)) {
throw new UnsupportedOperationException();
}
entryDN);
}
if (debug.messageEnabled()) {
}
// If the template type is DYNAMIC
if (attributes == null) {
try {
} catch (SMSException smsex) {
if (debug.messageEnabled()) {
smsex);
}
"451");
}
}
try {
} catch (SMSException sme) {
}
}
if (debug.messageEnabled()) {
+ "encrypted: " + attributes);
}
// Fix for comms integration (locale integration)
// Only Dynamic template needs to be created
}
/**
* Deletes object. This method takes a boolean parameter, if its value is
* true, will remove all sub entries and the object itself, otherwise, will
* try to remove the object only. Two notes on recursive delete. First, be
* aware of the PERFORMANCE hit when large amount of child objects present.
* Second, it won't follow referral.
*
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
switch (profileType) {
case ORGANIZATION:
case ORGANIZATIONAL_UNIT:
case USER:
case ASSIGNABLE_DYNAMIC_GROUP:
case DYNAMIC_GROUP:
case STATIC_GROUP:
case GROUP:
case RESOURCE:
// %%% TODO Notification
return;
case ROLE:
case FILTERED_ROLE:
return;
case PEOPLE_CONTAINER:
// Entities can be created under people container.
// If that's used extensively, the search filter should
// include all managed objects under this node.
try {
} catch (AMException ame) {
{
locale), "977");
} else {
if (debug.messageEnabled()) {
+ "container " + ame);
}
throw ame;
}
}
"977");
} else {
return;
}
case GROUP_CONTAINER:
try {
} catch (AMException ame) {
{
locale), "977");
} else {
if (debug.messageEnabled()) {
+ ame);
}
throw ame;
}
}
"977");
} else {
return;
}
default:
/*
* If none of the above, then this case is for Printers, other
* devices, Agents etc., This is for the dynamic
* objects-AMEntities, configured through DAI service.
*/
return;
}
} else {
}
}
/**
* Removes and destroys the object.
*
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
delete(false);
}
throw new UnsupportedOperationException();
}
return;
}
}
try {
}
} catch (SMSException smse) {
"976", args);
}
// TODO validate the attributes here...
store();
}
/**
* Method to hard Delete an object.
*
*/
if (debug.messageEnabled()) {
+ graceperiod);
}
}
if ((graceperiod > -1)
entryDN))) {
// Return with a logged message. Cannot purge till grace period
// has expired.
if (debug.messageEnabled()) {
+ "will not be purged. Grace period= " + graceperiod
+ " has not expired");
}
}
|| (profileType == ASSIGNABLE_DYNAMIC_GROUP)
|| (profileType == PEOPLE_CONTAINER)) {
try {
} catch (Exception e) {
if (debug.messageEnabled()) {
+ "admin role aci." + e);
}
}
try {
// remove the group admin role
} catch (Exception e) {
// probably because admin role does not exist, ignore
if (debug.messageEnabled()) {
}
}
}
"iplanet-am-role-aci-list"));
+ "\"))";
}
}
recursive, false);
}
}
if (!byteValueModMap.isEmpty()) {
}
}
if (debug.messageEnabled()) {
+ "\n" + attrNames);
}
}
}
}
// Removing attributes we don't care if they are string valued or byte
// valued
false);
// Fix for comms backward compatibility. If this operation causes
// exceptions (due to the attribute not being there etc.) we ignore
// them.
if (!altAttributes.isEmpty()) {
try {
altAttributes, null, false);
} catch (Exception e) {
// ignore exceptions
}
}
// Remove the attribute names from the local copy of these maps
if (!byteValueModMap.isEmpty()) {
}
}
/**
* UnRegister a previously registered event listener. If the
* <code>listener</code> was not registered, the method simply returns
* without doing anything.
* <p>
*
* @param listener
* listener object that will be removed or unregistered.
*/
// Remove the listener from the AMObjectImpl's private listener list
boolean removed = false;
synchronized (listeners) {
}
// Remove this AMObjectImpl from the objImplListeners table if
// it does not have any private listeners
if (debug.messageEnabled()) {
+ "private listener table empty for this instance");
}
synchronized (objImplListeners) {
entryDN.toLowerCase());
}
}
// Since this AMObjectImpl doesn't have any private listeners,
// set isRegistered:false
this.isRegistered = false;
}
// Remove the (SSOToken,dn) for this AMObjectImpl from the
// Profile Name table.
}
}
if (debug.messageEnabled()) {
+ "): DN=" + entryDN);
}
}
if (debug.messageEnabled()) {
+ mapToString(avPairs));
}
}
if (debug.messageEnabled()) {
}
}
store(false);
}
try {
if (debug.messageEnabled()) {
} else {
}
}
// If name space is enabled, verify that the attributes
// being set are allowed by name space constrictions.
// validateAttributeUniqueness(false);
// if ORGANIZATION then you might need to add the
// sunISManagedOrganization OC
if (profileType == ORGANIZATION
} else {
}
// object class are case insensitive.
boolean hasIt = false;
hasIt = true;
break;
}
}
if (!hasIt) {
}
}
// Fix for comms integration of user locale.
try {
"iplanet-am-role-aci-list"));
if (debug.messageEnabled()) {
+ "to get old iplanet-am-role-aci-list");
}
}
}
if ((profileType == GROUP)
try {
if (debug.messageEnabled()) {
+ "to get old uniquemember");
}
}
}
try {
if (debug.messageEnabled()) {
+ "to remove old acis");
}
}
try {
if (debug.messageEnabled()) {
+ "to add new acis");
}
}
}
if ((profileType == GROUP)
}
}
} finally {
}
}
// TODO: deprecated remove next release
/**
* Unassigns the given policies from this object.
*
* @param serviceName
* serviceName
* @param policyDNs
* Set of policy DN string
*
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
throws AMException, SSOException {
}
/**
* Unassigns services from the user.
*
* @param serviceNames
* Set of service names
* @throws AMException
* if there is an internal error in the AM Store
* @throws SSOException
* if the sign on is no longer valid
*/
return;
}
// TODO: UnsupportedOperationException should move to the sub classes
// No check here!
throw new UnsupportedOperationException();
}
// Verify if you are trying to remove an unassigned service
"126");
}
}
// Get the object classes that need to be remove from Service Schema
// Get the attributes that need to be removed
// SchemaManager sm = SchemaManager.getSchemaManager(token);
// TODO: Modify SchemaManager.getAttributes() to return
// lowercase attribute names.
}
}
// Will be AMHashMap, So the attr names will be in lower case
try {
// remove attribute one at a time, so if the first
// one fails, it will keep continue to remove
// other attributes.
if (debug.messageEnabled()) {
+ "Error occured while removing attribute: "
+ attrName);
}
}
}
}
// Now update the object class attribute
store();
}
if (index == -1) {
return objectClassFilter;
}
if (index2 == -1) {
} else {
.append("*")
}
}
return (objectClassFilter);
} else {
while (index != -1) {
filterSB = new StringBuffer();
}
// int index2 = objectClassFilter.indexOf("%V");
while (vIndex != -1) {
filterSB = new StringBuffer();
}
}
return objectClassFilter;
}
}
}
}
}
try {
getOrganizationDN(), searchTempName, false);
}
}
/**
* Notifies ACI Change. This method will be called by the
* <code>AMIdRepoListener</code> to send
* notifications to all interested AMObjectImpl's whenever an ACI
* change occurs.
*
* @param dn name of the object changed
* @param eventType type of modification
*/
// NOTE: COS related events do not come here..
if (debug.messageEnabled()) {
}
synchronized (objImplListeners) {
if (objImplListeners.isEmpty()) {
return;
}
// Create a new AMEvent type object
// Based on event type, send notifications to required
// registered listeners
switch (eventType) {
case AMEvent.OBJECT_CHANGED:
case AMEvent.OBJECT_RENAMED:
if (debug.messageEnabled()) {
}
break;
if (debug.messageEnabled()) {
+ "ACI Entry removed event");
}
if (objImplSet == null) {
return;
}
}
break;
default:
; // This should not occur. Ignore if they occur
}
}
// End synchronized
}
/**
* This method will be called by EntryEventListener to send notifications to
* all interested AMObjectImpl's whenever an Entry Event occurs.
* <p>
*
* @param dn
* the object that is modified
* @param eventType
* type of modification
* @param cosType -
* true if it is a COS-related event; false otherwise
*/
boolean cosType) {
synchronized (objImplListeners) {
if (objImplListeners.isEmpty()) {
return;
}
// Create a new AMEvent type object
// Based on event type, send notifications to required
// registered listeners
switch (eventType) {
case AMEvent.OBJECT_ADDED:
if (cosType) { // Need to notify affected DNs if true
if (debug.messageEnabled()) {
}
}
break;
case AMEvent.OBJECT_CHANGED:
case AMEvent.OBJECT_REMOVED:
if (cosType) { // Need to notify affected DNs if true
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
dn.toLowerCase());
if (objImplSet == null) {
return;
}
// clone to avoid ConcurrentModificationException
}
}
break;
case AMEvent.OBJECT_RENAMED:
// Notify all affected with this dn, since it is a rename
if (debug.messageEnabled()) {
+ "rename entry event!" + dn);
}
break;
default:
; // This should not occur.
}
}
// End synchronized
}
if (debug.messageEnabled()) {
}
if (objectImplSet != null) {
synchronized (objectImplSet) { // Lock, so that no more objects
// Note: This is a hack, we can't create a DSEvent object, so we
// just pass the sourceDN here.
}
}
}
}
/**
* This method removes the entry corresponding to SSOTokenID supplied.
*
* @return Set of DN's for the given SSOTokenID or null if not present
* <p>
*
* @param ssoToken -
* a SSOToken
*
*/
return null;
}
if (debug.messageEnabled()) {
+ "removeFromProfilefNameTable(SSOTokenID)..");
}
synchronized (pTable) {
// Check if the entry exists corresponding to this session
try {
} catch (SSOException ssoe) {
+ "Could not update PFN table");
return null;
}
}
// Note dnList could be null if there was no key with ssoTokenID
return dnList;
}
/**
* Method that removes all the entries that correspond to the ("dn", ssoTokenId)
* pair supplied. This is done for all the DN's in the set of DN's supplied.
*
* @param dnSet -
* a set of DNs
* @param ssoTokenId -
* the SSO token Id
*/
if (debug.messageEnabled()) {
}
synchronized (objImplListeners) {
continue;
}
}
}
}
}
}
// End Synchronized
}
/**
* Substitutes the macros in the set of DN:ACI.
*
* @param aciSet
* Set of DN:ACI
* @param roleDN
* Role DN to replace macro ROLENAME
* @param orgDN
* Organization DN to replace macro ORGANIZATION
* @param groupDN
* Group DN to replace macro GROUPNAME
* @param pcDN
* People container DN to replace PCNAME
*/
}
return resultSet;
}
return aci;
}
while (true) {
if (index == -1) {
break;
}
}
}
if (profileType == DYNAMIC_GROUP) {
try {
} catch (LocalizedIllegalArgumentException ex) {
if (debug.messageEnabled()) {
+ "Invalid member url " + memberurl);
}
}
}
}
} else if ((profileType == ASSIGNABLE_DYNAMIC_GROUP)
|| (profileType == GROUP)) {
}
}
return result;
}
}
if (debug.messageEnabled()) {
}
}
}
if (debug.messageEnabled()) {
+ searchControl.getSearchScope());
}
}
}
if (debug.messageEnabled()) {
+ searchControl.getSearchScope());
}
}
.getNamingAttr(objectTypes[i]);
wildcard));
}
}
if (debug.messageEnabled()) {
}
}
.getNamingAttr(objectTypes[i]);
wildcard));
}
}
if (debug.messageEnabled()) {
}
}
/**
* Sets aci based on the "iplanet-am-admin-console-group-pclist" and
* "iplanet-am-admin-console-group-default-pc" attributes
*
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
try {
.getAttribute("iplanet-am-admin-console-group-pclist");
if (debug.messageEnabled()) {
+ "iplanet-am-admin-console-group-pclist "
+ setToString(groupPclist));
}
if (index == -1) {
continue;
}
}
}
"iplanet-am-admin-console-group-default-pc");
}
}
}
} catch (AMException ex) {
if (debug.messageEnabled()) {
+ "Unable to get template for "
}
}
+ "=People," + orgDN);
}
// Role does not exists, do not set the acis
return;
}
+ "(targetattr=\"nsroledn\")"
+ "(targattrfilters=\"add=nsroledn:(!(nsroledn=*)),"
+ "del=nsroledn:(!(nsroledn=*))\")"
+ "(version 3.0; acl \"Group admin's right to add user "
+ "to people container\"; allow (add) roledn = \""
}
}
/**
* Gets set of DN:ACI in attribute "iplanet-am-role-aci-list" in the role
* and sets aci accordingly.
*
* @param role
* Role
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
boolean needUpdate = false;
boolean denied = false;
if (index != -1) {
try {
needUpdate = true;
}
if (debug.messageEnabled()) {
+ " read access denied." + ex);
}
denied = true;
}
needUpdate = true;
}
} else {
if ((!denied) && needUpdate) {
try {
if (debug.messageEnabled()) {
+ " write access denied." + ex);
}
}
}
needUpdate = false;
denied = false;
try {
needUpdate = true;
}
if (debug.messageEnabled()) {
+ " read access denied." + ex);
}
denied = true;
}
}
}
}
if (needUpdate) {
}
}
/**
* Gets the aci description and DN:ACI of the role type that matches the
* permission
*
* @param permission
* Permission in the role type
* @param aciDesc
* StringBuffer to store aci description
* @return Set of DN:ACI
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
throws AMException, SSOException {
try {
} catch (SMSException smsex) {
}
.get("iplanet-am-admin-console-dynamic-aci-list");
aci = defaultAci;
break;
}
}
}
}
while (stz.hasMoreTokens()) {
}
return aciSet;
}
// TODO: deprecated remove next release
/**
* Set template attributes according to policy DNs.
*
* @param serviceName
* serviceName
* @param policyDNs
* Set of policy DN string
*
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
throws AMException, SSOException {
throw new UnsupportedOperationException();
}
/**
* Sets attributes "iplanet-am-role-aci-description" and
* "iplanet-am-role-aci-list" for role based on the role type that matches
* the permission
*
* @param role
* Role that sets attributes
* @param permission
* Permission in the role type
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
throws AMException, SSOException {
} else if (debug.messageEnabled()) {
+ "Display Options for permision = " + permission
+ " are not defined");
}
}
try {
token, permission);
} catch (SMSException smse) {
}
return displayOptions;
}
if (debug.messageEnabled()) {
}
.toString());
if (profileType == PEOPLE_CONTAINER) {
permission = "People Container Admin";
} else {
permission = "Group Admin";
}
}
throws SSOException, AMException {
if (profileType == PEOPLE_CONTAINER) {
} else {
}
} else if (debug.messageEnabled()) {
+ "Display Options for permision = " + permission
+ " are not defined");
}
}
/**
* Gets the DN:ACI that is not shared by more than one role.
*
* @param aciList
* Set of DN:ACI
* @return Set of DN:ACI that are in attribute "iplanet-am-role-aci-list" in
* less than 2 roles so that we can remove it
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
return resultSet;
}
}
}
return resultSet;
}
/**
* Removes aci based on the set of DN:ACI.
*
* @param aciList
* Set of DN:ACI
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
return;
}
return;
}
boolean needUpdate = false;
boolean denied = false;
if (index != -1) {
try {
needUpdate = true;
}
if (debug.messageEnabled()) {
+ " read access denied." + ex);
}
denied = true;
}
if (!denied) {
needUpdate = true;
}
}
} else {
if ((!denied) && needUpdate) {
try {
if (debug.messageEnabled()) {
+ " write access denied." + ex);
}
}
}
needUpdate = false;
denied = false;
try {
needUpdate = true;
}
if (debug.messageEnabled()) {
+ " read access denied." + ex);
}
denied = true;
}
}
}
}
if (needUpdate) {
}
}
/**
* Removes the aci for the admin roles
*
* @param recursive
* true if removing admin roles for whole subtree
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
{
if (index == -1) {
continue;
}
if (index == -1) {
continue;
}
if (index == -1) {
continue;
}
if (!recursive) {
}
} else {
}
}
} else {
}
}
}
// TODO: deprecated remove next release
/**
* Unassigns the given policies from this object.
*
* @param serviceName
* serviceName
* @param policyDNs
* Set of policy DN string
* @param toVerify
* if true, check if the given policies DN exist
*
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
throws AMException, SSOException {
return;
}
}
// TODO: deprecated remove next release
/**
* Unassigns the given policies from this object.
*
* @param template
* policy template
* @param policyDNs
* Set of policy DN string
* @param toVerify
* if true, check if the given policies DN exist
*
* @throws AMException
* if there is an internal problem with AM Store.
* @throws SSOException
* if the sign-on is no longer valid.
*/
throws AMException, SSOException {
throw new UnsupportedOperationException();
}
/**
* Method that replaces the map keys with the corresponding keys found in the set.
*/
if (attributeNames != null) {
}
}
}
return attributes;
}
/**
* Method that returns the SSOToken for this AMObjectImpl
*
* @return SSOToken of this AMObjectImpl
*/
private SSOToken getSSOToken() {
    // Hands back this instance's token reference as-is; no copy is made and
    // no validity check is performed here.
    // NOTE(review): the token presumably represents the caller's SSO session,
    // so callers inside this class should keep it out of debug output - confirm.
    return this.token;
}
return "";
}
}
}
/**
* Adds a "dn" (value) entry to the ProfileName table corresponding to the
* SSOTokenID (key). If no entry exists for the given SSOTokenID, then creates
* a new entry and adds a new SSOTokenListener for the SSOTokenID.
*
* @param ssoToken -
* a SSOToken
* @param dn -
* a dn String
*/
throws SSOException {
if (debug.messageEnabled()) {
+ "addToProfileNameTable(SSOToken,dn)..");
}
synchronized (pTable) {
// Check if the entry exists corresponding to this session
// No entry corressponding to session
// Add a new SSOTokenListener
try {
} catch (SSOTokenListenersUnsupportedException ex) {
}
}
}
}
return "";
}
continue;
}
}
}
}
/**
* Sends event notifications to all the listeners that correspond to a DN
* in objImplListeners whose suffix ends with affectedDN.
* <p>
*
* @param affectedDN -
* String which has been stripped to reflect the subtree of DN's
* that will be affected in case of cos related changes
* @param dpEvent -
* a AMEvent
*
*/
{
if (debug.messageEnabled()) {
}
synchronized (objImplListeners) { // To double check (synchronized)
}
}
}
}
}
/**
* Removes the entry corresponding to given SSO token and distinguished name
* from the profile name table.
*
* @param ssoToken
* Single-Sign-On Token.
* @param dn
* distinguished name.
*/
{
// Remove the dn from the profileNameTable corresponding to
// this session.
if (debug.messageEnabled()) {
+ "removeFromProfileNameTable(SSOToken,dn)..");
}
return; // Silent return;
}
synchronized (pTable) {
// Check if the entry exists corresponding to this session
try {
} catch (SSOException ssoe) {
+ "Could not update PFN table");
return;
}
// Do we need to remove the PSSOTokenListner added here?
// How?
}
}
}
}
/**
* This method sends the event to all the event listeners.
*
* @param dpEvent -
* a AMEvent generated
*/
synchronized (listeners) {
try {
switch (dpEvent.getEventType()) {
case AMEvent.OBJECT_CHANGED:
case AMEvent.OBJECT_EXPIRED:
break;
case AMEvent.OBJECT_REMOVED:
break;
case AMEvent.OBJECT_RENAMED:
break;
default:
// print some error message and continue
}
} catch (Throwable t) {
// even if one listener misbehaves this code should
// not crash; just ignore the bad listener
}
}
}
}
// If USER or DYNAMIC template, then check to see if
// preferredLocale is being set (and accordingly set
// preferredLanguage too. Fix for comms backward compatibility!
// Set prefLang = new HashSet();
}
// Make sure this attribute exists in the entry, before trying
// to
// delete it.
}
} else {
}
}
// vice-versa of above Fix for comms backward compatibility
// Set prefLoc = new HashSet();
}
// Check to see if preferredLocale exists
// before trying to delete it.
}
} else {
}
}
// }
return stringValueModMap;
}
if (AMCommonUtils.integrateLocale) {
}
}
}
attributes.clear();
}
return attributes;
}
}