8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: DelegationPolicyImpl.java,v 1.12 2010/01/16 06:35:25 dillidorai Exp $
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts * Portions Copyrighted 2011-2016 ForgeRock AS.
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.authentication.util.ISAuthConstants;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.delegation.DelegationEvaluator;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.delegation.DelegationEvaluatorImpl;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.delegation.DelegationException;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.delegation.DelegationManager;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.delegation.DelegationPermission;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.delegation.DelegationPrivilege;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.delegation.ResBundleUtils;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.delegation.interfaces.DelegationInterface;
7d295d1f0e4e6d47bb9ead464460abeeaa6149a1Mark de Reeperimport com.sun.identity.policy.SubjectEvaluationCache;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.PolicyListener;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.policy.interfaces.Subject;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.security.AdminTokenAction;
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumseyimport com.sun.identity.sm.OrganizationConfigManager;
f81a15932b06758b7789a972ff384f02105d2856Tony Bamfordimport org.forgerock.openam.identity.idm.IdentityUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The class <code>DelegationPolicyImpl</code> implements the interface
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major * <code>DelegationInterface</code> using OpenAM Policy
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * Management and Evaluation APIs. It provides access control for access
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major * manager using the OpenAM's internal policy framework.
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Majorpublic class DelegationPolicyImpl implements DelegationInterface, ServiceListener, IdEventListener, PolicyListener {
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford private static final String POLICY_REPOSITORY_REALM =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String NAME_DELIMITER = "^^";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final char REPLACEMENT_FOR_COMMA = '^';
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String ACTION_ALLOW = "allow";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String ACTION_DENY = "deny";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String DELEGATION_RULE = "delegation-rule";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String DELEGATION_SUBJECT = "delegation-subject";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String POLICY_SUBJECT = "AMIdentitySubject";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "id=All Authenticated Users,ou=role," +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster com.sun.identity.sm.ServiceManager.getBaseDN();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String DELEGATION_AUTHN_USERS = "AuthenticatedUsers";
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford private static final String AUTHENTICATED_USERS_SUBJECT =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "AuthenticatedUsers";
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey static final String GLOBALCONFIG = "globalconfig";
f81a15932b06758b7789a972ff384f02105d2856Tony Bamford static final String SERVERINFO_VERSION = "serverinfo/version";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * To configure the delegation cache size, specify the attribute
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "com.sun.identity.delegation.cache.size" in AMConfig.properties.
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major private static final String CONFIGURED_CACHE_SIZE = "com.sun.identity.delegation.cache.size";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final int DEFAULT_CACHE_SIZE = 20000;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** delegation cache structure:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * usertokenidstr (key) ---> resource names (value)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource name (key) ---> arraylist of two elements (value)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * arraylist(0) contains a <code>Map</code> object of env parameters
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * arraylist(1) contains a <code>PolicyDecision</code> regarding the
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * The cache is a LRU one and is updated based on subject change
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * notification and policy change notification.
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major private Map<String, Map<String, List<Object>>> delegationCache;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static int maxCacheSize = DEFAULT_CACHE_SIZE;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static Map idRepoListeners = new HashMap();
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * Initialize (or configure) the <code>DelegationInterface</code>
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * object. Usually it will be initialized with the environmrnt
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * parameters set by the system administrator via Service management service.
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * @param token <code>SSOToken</code> of an administrator
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * @param configParams configuration parameters as a <code>Map</code>.
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * The values in the <code>Map</code> is <code>java.util.Set</code>,
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * which contains one or more configuration parameters.
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * @throws DelegationException if an error occurred during
148523d04fdcfe87d91bd164ec866100a73115d3Tom Rumsey * initialization of <code>DelegationInterface</code> instance
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major public void initialize(SSOToken token, Map configParams) throws DelegationException {
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major maxCacheSize = SystemProperties.getAsInt(CONFIGURED_CACHE_SIZE, DEFAULT_CACHE_SIZE);
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major // specifying cache size as 0 would virtually disable the delegation cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major DelegationManager.debug.message("DelegationPolicyImpl.initialize(): cache size=" + maxCacheSize);
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major pe = new PolicyEvaluator(POLICY_REPOSITORY_REALM, DelegationManager.DELEGATION_SERVICE);
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford // listen on delegation policy changes. once there is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // delegation policy change, we need to update the cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // listen on root realm subject changes.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: IdRepo event listener added "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "for root realm.");
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford // listen on sub realm subject changes.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set orgNames = ocm.getSubOrganizationNames("*", true);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((orgNames != null) && (!orgNames.isEmpty())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: IdRepo event listener "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //DelegationManager.DELEGATION_SERVICE, token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * listen on org config changes. once there is realm added,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or removed, we need to add or remove listeners on the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * affected realm accordingly.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: initialize() failed");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns all the delegation privileges associated with a realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token The <code>SSOToken</code> of the requesting user
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * @param orgName The name of the realm from which the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * delegation privileges are fetched.
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * @return <code>Set</code> of <code>DelegationPrivilege</code> objects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * associated with the realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException invalid or expired single-sign-on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws DelegationException for any abnormal condition
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford public Set getPrivileges(SSOToken token, String orgName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Need to check if user has "delegate" permissions for org
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (hasDelegationPermissionsForRealm(token, orgName)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Replace token with AdminToken
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster token = (SSOToken) AccessController.doPrivileged(
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford /* the name of the policy is in the form of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * orgName^^privilegeName, the privilegeName is the
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * name of the delegation privilege that the policy
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * is corresponding to. In case the orgName is in a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DN format, the special char ',' is replaced to avoid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * saving problem.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster prefix = orgName.toLowerCase() + NAME_DELIMITER;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster prefix = prefix.replace(',', REPLACEMENT_FOR_COMMA);
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford // converts the policy to its corresponding
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // delegation privilege
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "unable to get privileges from realm " + orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a delegation privilege to a specific realm. The permission will be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * added to the existing privilege in the event that this method is trying
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to add to an existing privilege.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token The <code>SSOToken</code> of the requesting user
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * @param orgName The name of the realm to which the delegation privilege
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is to be added.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param privilege The delegation privilege to be added.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException invalid or expired single-sign-on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws DelegationException if any abnormal condition occurred.
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford public void addPrivilege(SSOToken token, String orgName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DelegationPrivilege privilege) throws SSOException, DelegationException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Need to check if user has "delegate" permissions for org
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (hasDelegationPermissionsForRealm(token, orgName)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Replace token with AdminToken
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster token = (SSOToken) AccessController.doPrivileged(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Policy p = privilegeToPolicy(pm, privilege, orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set<String> subjectNames = p.getSubjectNames();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((subjectNames == null) || subjectNames.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set<String> subjectNames = p.getSubjectNames();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((subjectNames != null) && !subjectNames.isEmpty()){
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new DelegationException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes a delegation privilege from a specific realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token The <code>SSOToken</code> of the requesting user
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * @param orgName The name of the realm from which the delegation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * privilege is to be removed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param privilegeName The name of the delegation privilege to be removed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException invalid or expired single-sign-on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws DelegationException for any abnormal condition
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford public void removePrivilege(SSOToken token, String orgName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String privilegeName) throws SSOException, DelegationException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Need to check if user has "delegate" permissions for org
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (hasDelegationPermissionsForRealm(token, orgName)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Replace token with AdminToken
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster token = (SSOToken) AccessController.doPrivileged(
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford /* the name of the policy is in the form of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * orgName^^privilegeName, the privilegeName is the
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * name of the delegation privilege that the policy
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * is corresponding to. In case the orgName is in a
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * DN format, the special char ',' is replaced to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * avoid saving problem.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster prefix = orgName.toLowerCase() + NAME_DELIMITER;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster prefix = prefix.replace(',', REPLACEMENT_FOR_COMMA);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a set of selected subjects of specified types matching the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * pattern in the given realm. The pattern accepts "*" as the wild card for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * searching subjects. For example, "a*c" matches with any subject starting
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with a and ending with c.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token The <code>SSOToken</code> of the requesting user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgName The name of the realm from which the subjects are fetched.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param types a set of subject types. e.g. ROLE, GROUP.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pattern a filter used to select the subjects.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a set of subjects associated with the realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException invalid or expired single-sign-on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws DelegationException for any abnormal condition
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * @return <code>Set</code> of universal Ids of the subjects associated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException invalid or expired single-sign-on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws DelegationException for any abnormal condition
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford public Set getSubjects(SSOToken token, String orgName, Set types,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String pattern) throws SSOException, DelegationException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // All Authenticated Users would be returned only if pattern is *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((pattern != null) && pattern.equals("*")) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl.getSubjects(): types=" + types);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set supportedTypes = idRepo.getSupportedIdTypes();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl.getSubjects(): " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((supportedTypes != null) && (!supportedTypes.isEmpty())
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster IdType idType = IdUtils.getType((String)it.next());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster IdSearchResults idsr = idRepo.searchIdentities(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a set of realm names, based on the input parameter
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>organizationNames</code>, in which the "user" has some
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * delegation permissions.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token The <code>SSOToken</code> of the requesting user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param organizationNames a <code>Set</code> of realm names.
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * @return a <code>Set</code> of realm names in which the user has some
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * delegation permissions. It is a subset of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>organizationNames</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException invalid or expired single-sign-on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws DelegationException for any abnormal condition
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford public Set getManageableOrganizationNames(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set organizationNames) throws SSOException, DelegationException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a boolean value; if a user has the specified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission returns true, false otherwise.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token Single sign on token of the user evaluating permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param permission Delegation permission to be evaluated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParams Run-time environment parameters.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the result of the evaluation as a boolean value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException single-sign-on token invalid or expired.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws DelegationException for any other abnormal condition.
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford public boolean isAllowed(SSOToken token, DelegationPermission permission,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map envParams) throws SSOException, DelegationException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean result = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl.isAllowed() is called");
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford if ((token != null) && ((tokenId = token.getTokenID()) != null)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((actions != null) && (!actions.isEmpty())) {
f81a15932b06758b7789a972ff384f02105d2856Tony Bamford // If the user has delegated admin permissions in the realm they are currently logged in to,
f81a15932b06758b7789a972ff384f02105d2856Tony Bamford // they have read access to global-config endpoints
f81a15932b06758b7789a972ff384f02105d2856Tony Bamford if (GLOBALCONFIG.equals(permission.getConfigType()) && actions.equals(Collections.singleton(READ))) {
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford if (hasDelegationPermissionsForRealm(token, token.getProperty(ISAuthConstants.ORGANIZATION))) {
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford return true;
f81a15932b06758b7789a972ff384f02105d2856Tony Bamford } else if (SERVERINFO_VERSION.equals(permission.getConfigType())
f81a15932b06758b7789a972ff384f02105d2856Tony Bamford // Allow the C and Java Agents read access to the serverinfo endpoint
f81a15932b06758b7789a972ff384f02105d2856Tony Bamford return true;
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major pd = getResultFromCache(tokenIdStr, resource, envParams);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "got delegation evaluation result from cache.");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // decision not found in the cache. compute it.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // add the result in the cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "put delegation evaluation result into cache.");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl.isAllowed(): " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a policy decision given a resource and the user's token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for the resource from the delegation cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param tokenIdStr <code>String</code> representation of user's token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resource resource for which results are sought.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParams <code>Map</code> of environment params to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * used to fetch the decisions.
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * @return policy decision
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major private PolicyDecision getResultFromCache(String tokenIdStr, String resource, Map envParams)
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major Map<String, List<Object>> items = delegationCache.get(tokenIdStr);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major DelegationManager.debug.message("DelegationPolicyImpl: delegation decision "
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major + "expired. TTL=" + pdTTL + "; current time=" + currentTime);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * adds the data in the delegation cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param tokenIdStr <code>String</code> representation of user's token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resource resource for which results are being put in cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParams <code>Map</code> of environment params applicable
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for the decision.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pd policy decision being cached.
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major private void putResultIntoCache(String tokenIdStr, String resource, Map envParams, PolicyDecision pd)
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major synchronized (delegationCache) {
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major Map<String, List<Object>> items = delegationCache.get(tokenIdStr);
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major items = Collections.synchronizedMap(new HashMap<String, List<Object>>());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Cleans up the entire delegation cache, gets called
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * when any identity gets changed in the repository.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
d9c675444dd986b540c8ccb0ebf6214fa40de15fPeter Major DelegationManager.debug.message("DelegationPolicyImpl.cleanupCache(): cache cleared");
7d295d1f0e4e6d47bb9ead464460abeeaa6149a1Mark de Reeper // Clear the SubjectEvaluationCache on any identity changes if active and not empty.
7d295d1f0e4e6d47bb9ead464460abeeaa6149a1Mark de Reeper if (SubjectEvaluationCache.subjectEvalCacheTTL > 0 && !SubjectEvaluationCache.subjectEvaluationCache.isEmpty()) {
7d295d1f0e4e6d47bb9ead464460abeeaa6149a1Mark de Reeper SubjectEvaluationCache.subjectEvaluationCache.clear();
7d295d1f0e4e6d47bb9ead464460abeeaa6149a1Mark de Reeper if (DelegationManager.debug.messageEnabled()) {
7d295d1f0e4e6d47bb9ead464460abeeaa6149a1Mark de Reeper "DelegationPolicyImpl.cleanupCache(): subjectEvaluationCache cleared");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a set of permissions that a user has.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token of the user requesting permissions
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * @param orgName The name of the realm from which the delegation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permissions are fetched.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a <code>Set</code> of permissions that a user has
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws DelegationException for any other abnormal condition
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford public Set getPermissions(SSOToken token, String orgName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.warningEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl.getPermissions():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "user sso token is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.warningEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl.getPermissions():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "could not get user's identity from token");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set privileges = getPrivileges(appToken, orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((privileges != null) && (!privileges.isEmpty())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((subjects != null) && (!subjects.isEmpty())) {
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington String subjectId = LDAPUtils.rdnValueFromDn(subject);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Converts a delegation privilege to a policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pm PolicyManager object to be used to create the <code>Policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * </code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param priv <code>DelegationPrivilege</code> which needs to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return policy object.
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford /* the name of the policy is in the form of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * orgName^^privilegeName, the privilegeName is the
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * name of the delegation privilege that the policy
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * is corresponding to. In case the orgName is in a
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * DN format, the special char ',' is replaced to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * avoid saving problem.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster prefix = orgName.toLowerCase() + NAME_DELIMITER;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster prefix = prefix.replace(',', REPLACEMENT_FOR_COMMA);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((permissions != null) && (!permissions.isEmpty())) {
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford if ((sv != null) && (sv.contains(AUTHN_USERS_ID))) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policy.addSubject(DELEGATION_AUTHN_USERS, allauthNUsers);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster pm.getSubjectTypeManager().getSubject(POLICY_SUBJECT);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policy.addSubject(DELEGATION_SUBJECT, subject);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "unable to convert a privilege to a policy", e);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Converts a policy to a delegation privilege.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policy policy to be converted
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return priv <code>DelegationPrivilege</code> represting policy.
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford private DelegationPrivilege policyToPrivilege(Policy policy)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // get policy name, which is the privilege name as well
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // get privilege subjects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Subject subject = policy.getSubject(DELEGATION_SUBJECT);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((ruleNames != null) && (!ruleNames.isEmpty())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // now try to get resource and action names
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford // parse the resource to get information
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // required to construct a delegation permission
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl.policyToPrivilege(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "create DelegationPermission object with: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DelegationPermission dp = new DelegationPermission(
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford return new DelegationPrivilege(pname, permissions, svalues);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * gets a resource string based on a delegation permission object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param perm <code>DelegationPermission</code> from which resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster name needs to be determined.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private String getResourceName(DelegationPermission perm) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String subConfigName = perm.getSubConfigName();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // The following three methods implement ServiceListener interface
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method will be invoked when a service's schema has been changed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceName name of the service
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param version version of the service
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void schemaChanged(String serviceName, String version) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method will be invoked when a service's global configuration
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * data has been changed. The parameter <code>groupName</code> denote
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the name of the configuration grouping (e.g. default) and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>serviceComponent</code> denotes the service's sub-component
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * that changed (e.g. <code>/NamedPolicy</code>, <code>/Templates</code>).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceName name of the service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param version version of the service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param groupName name of the configuration grouping.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceComponent name of the service components that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param type change type, i.e., ADDED, REMOVED or MODIFIED.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void globalConfigChanged(String serviceName, String version,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String groupName, String serviceComponent, int type) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method will be invoked when a service's organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * configuration data has been changed. The parameters orgName,
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * groupName and serviceComponent denotes the organization name,
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * configuration grouping name and service's sub-component that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are changed respectively.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceName name of the service
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param version version of the service
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgName organization name as DN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param groupName name of the configuration grouping
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceComponent the name of the service components that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param type change type, i.e., ADDED, REMOVED or MODIFIED
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford public void organizationConfigChanged(String serviceName,
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford String version, String orgName, String groupName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: org config changed: " + orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster synchronized(idRepoListeners) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: IdRepo event listener"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: failed to process " +
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford "organization config changes. ", e);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: IdRepo event listener"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // The following four methods implement IdEventListener interface
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method is called back for all identities that are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * modified in a repository.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param universalId Universal Identifier of the identity.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void identityChanged(String universalId) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: changed universalId=" + universalId);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method is called back for all identities that are
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * deleted from a repository. The universal identifier
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the identity is passed in as an argument
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param universalId Univerval Identifier
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void identityDeleted(String universalId) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: deleted universalId=" + universalId);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method is called for all identities that are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * renamed in a repository. The universal identifier
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the identity is passed in as an argument
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param universalId Universal Identifier
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void identityRenamed(String universalId) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: renamed universalId=" + universalId);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The method is called when all identities in the repository are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * changed. This could happen due to a organization deletion or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permissions change etc
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: all identities changed.");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // The following two methods implement PolicyListener interface.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets the service type name for which this listener wants to get
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * notifications
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return delegation service name
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford /** This method is called by the policy framework whenever
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a policy is added, removed or changed. The notification
e710e3cfc97f46830f93445dadc56d85d90b7507Tony Bamford * is sent only if the policy has any rule that has the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>serviceTypeName</code> of this listener
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyEvent event object sent by the policy framework
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.policy.PolicyEvent
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void policyChanged(PolicyEvent policyEvent) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (DelegationManager.debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "DelegationPolicyImpl: delegation policy changed.");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns true if the user has delegation permissions for the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private boolean hasDelegationPermissionsForRealm(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgName) throws SSOException, DelegationException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct delegation permission object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DelegationPermission de = new DelegationPermission(orgName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sunAMRealmService", "1.0", "organizationconfig", null,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Call DelegationEvaluator to handle super and internal users
ba07e74da87b2caf40d3397e50523632daeb4cacAndrew Forrest DelegationEvaluator evaluator = new DelegationEvaluatorImpl();