IdServicesImpl.java revision 6340439720654d76109888406a64026599d7142f
1324N/A* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 1324N/A* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved 1324N/A* The contents of this file are subject to the terms 1324N/A* of the Common Development and Distribution License 1324N/A* (the License). You may not use this file except in 1324N/A* compliance with the License. 1324N/A* You can obtain a copy of the License at 1324N/A* See the License for the specific language governing 1324N/A* permission and limitations under the License. 1324N/A* When distributing Covered Code, include this CDDL 1324N/A* Header Notice in each file and include the License file 1324N/A* If applicable, add the following below the CDDL Header, 1324N/A* with the fields enclosed by brackets [] replaced by 1324N/A* your own identifying information: 3232N/A* "Portions Copyrighted [year] [name of copyright owner]" 1324N/A * Portions Copyrighted [2011] [ForgeRock AS] // Cache to hold special identities stored in SpecialRepo +
"Creating new Instance of IdServicesImpl()");
* Returns the set of fully qualified names for the identity. * The fully qualified names would be unique for a given datastore. * @param token SSOToken that can be used by the datastore * to determine the fully qualified name * @param type type of the identity * @param name name of the identity * @return fully qualified names for the identity * @throws IdRepoException If there are repository related error conditions * @throws SSOException If identity's single sign on token is invalid "called for type: " +
type +
" name: " +
name +
// to avoid calling other plugins for special users // Get the fully qualified names from IdRepo plugins // Skip users in Special Repo * Returns <code>true</code> if the data store has successfully * authenticated the identity with the provided credentials. In case the * data store requires additional credentials, the list would be returned * via the <code>IdRepoException</code> exception. * realm name to which the identity would be authenticated * Array of callback objects containing information such as * @return <code>true</code> if data store authenticates the identity; * else <code>false</code> "IdServicesImpl.authenticate: called for org: " +
orgName);
// Get the list of plugins and check if they support authN // Debug the message and return false "IdServicesImpl.authenticate: " +
"Error obtaining " +
"IdRepo plugins for the org: " +
orgName);
// Debug the message and return false "IdServicesImpl.authenticate: " +
"Error obtaining " +
"IdRepo plugins for the org: " +
orgName);
// Check for internal user. If internal user, use SpecialRepo only "AuthN success using special repo " +
// Invalid password used for internal user "AuthN failed using special repo " +
debug.
error(
"IdServicesImpl.authenticate: AuthN failed " +
"checking for special users",
ssoe);
"IdServicesImpl.authenticate: " +
"AuthN to " +
// Successfully authenticated "IdServicesImpl.authenticate: " +
// Save the exception to be thrown later if // all authentication calls fail "IdServicesImpl.authenticate: AuthN " +
// Wouldn't be a DN if it starts with "/" debug.
error(
"AMIdentityRepository.createIdentity() - " +
"Error occurred while creating " +
type.
getName() +
":" // First get the list of plugins that support the create operation. // Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. "IdServicesImpl.create: " +
"Unable to create identity in the" +
" following repository " // fatal ..throw it all the way up "IdServicesImpl.create: " +
"Create: Fatal Exception",
idf);
"IdServicesImpl.create: " +
"Unable to create identity in the following " "IdServicesImpl.create: " +
"Unable to create identity " +
type.
getName() +
" :: " +
name +
" in any of the configured data stores",
origEx);
// By default a Realm is not a leaf node, delete the // Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the delete operation. "IdServicesImpl.delete: " +
"Unable to delete identity in the following " // fatal ..throw it all the way up "IdServicesImpl.delete: Fatal Exception ",
idf);
"IdServicesImpl.delete: " +
"Unable to delete identity in the following " "IdServicesImpl.delete: " +
"Unable to delete identity " +
type.
getName() +
" :: " +
name +
" in any of the configured data stores",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the read operation // to avoid calling other plugins for special users // do stuff to map attr names. "IdServicesImpl.getAttributes: " +
"Unable to read identity in the following " // fatal ..throw it all the way up "IdServicesImpl.getAttributes: " +
"Unable to read identity in the following " "Unable to get attributes for identity " +
type.
getName() +
", " +
name +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the read operation. // to avoid calling other plugins for special users "before reverseMapAttributeNames aMap=" +
"after before reverseMapAttributeNames attrMapsSet=" +
"IdServicesImpl.getAttributes: " +
"Unable to read identity in the following " // fatal ..throw it all the way up +
"Fatal Exception ",
idf);
+
"Unable to read identity in the following " +
"Unable to get attributes for identity " "::" +
name +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the read operation. // IdRepo plugin does not support the idType for "IdServicesImpl.getMembers: " +
"Unable to read identity members in the following" // fatal ..throw it all the way up "IdServicesImpl.getMembers: " +
"Fatal Exception ",
idf);
"IdServicesImpl.getMembers: " +
"Unable to read identity members in the following" "IdServicesImpl.getMembers: " +
"Unable to get members for identity " +
type.
getName()
+
"::" +
name +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the read operation. // If Special Identity, call SpecialRepo // IdRepo plugin does not support the idType for "IdServicesImpl.getMemberships: " +
"Unable to get memberships in the following " // fatal ..throw it all the way up "IdServicesImpl.getMemberships: " +
"Fatal Exception ",
idf);
"IdServicesImpl.getMemberships: " +
"Unable to read identity in the following " "IdServicesImpl.getMemberships: " +
"Unable to get members for identity " +
type.
getName()
+
"::" +
name +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the read operation. // To avoid loading other plugins // Iterate through other plugins // Ignore the exception if not found in one plugin. // Iterate through all configured plugins and look for the // identity and if found break the loop, if not finally return // Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // First get the list of plugins that support the create operation. // To avoid loading other plugins // Iterator through the plugins // fatal ..throw it all the way up +
"Unable to check isActive identity in the " +
"following repository " "IdServicesImpl.isActive: " +
"Unable to check if identity is active " +
type.
getName()
+
"::" +
name +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // First get the list of plugins that support the edit operation. +
"Unable to set attributes in the following " // fatal ..throw it all the way up "Unable to setActiveStatus in the " +
// 220 is entry not found. this error should have lower // precedence than other error because we search thru all // the ds and this entry might exist in one of the other ds. // Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // First get the list of plugins that support the create operation. //check if the identity exist // IdRepo plugin does not support the idType for +
"Unable to modify memberships in the following" // fatal ..throw it all the way up +
"Fatal Exception ",
idf);
+
"Unable to modify memberships in the following" +
"Unable to modify members for identity " +
type.
getName()
+
"::" +
name +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // First get the list of plugins that support the create operation. // do stuff to map attr names. "IdServicesImpl.removeAttributes: " +
"Unable to modify identity in the following " // fatal ..throw it all the way up "Fatal Exception ",
idf);
+
"Unable to remove attributes in the following " // 220 is entry not found. this error should have lower // precedence than other errors because we search through // all the ds and this entry might exist in one of the other ds. "IdServicesImpl.removeAttributes: " +
"Unable to remove attributes for identity " +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // In the case of web services security (wss), a search is performed // with the identity of shared agent and a filter. // Since shared agents do not have search permissions, might have to // use admintoken and check permissions on matched objects. // If permission denied and control has search filters // perform the search and check permissions on the matched objects // Check permissions after obtaining the matched objects // First get the list of plugins that support the create operation. "IdServicesImpl.search: " +
"Unable to search in the following repository " // fatal ..throw it all the way up "IdServicesImpl.search: Fatal Exception ",
idf);
"IdServicesImpl.search: " +
"Unable to search identity in the following" "IdServicesImpl.search: " +
" in any configured data store",
origEx);
// Permission checked, add to newRes // get the "SpecialUser plugin // If no plugins found, return empty results // get the "SpecialUser plugin // Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that service/edit the create operation. // do stuff to map attr names. +
"Unable to set attributes in the following " // fatal ..throw it all the way up "IdServicesImpl.setAttributes: Fatal Exception ",
idf);
"IdServicesImpl.setAttributes: " +
"Unable to modify identity in the " +
"following repository " // 220 is entry not found. this error should have lower // precedence than other error because we search thru // all the ds and this entry might exist in one of the other ds. "IdServicesImpl.setAttributes: " +
"Unable to set attributes for identity " // Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that service/edit the create operation. +
"Unable to change password in the following " // fatal ..throw it all the way up "IdServicesImpl.changePassword: Fatal Exception ",
idf);
"IdServicesImpl.changePassword: " +
"Unable to change password " +
"following repository " // 220 is entry not found. this error should have lower // precedence than other error because we search thru // all the ds and this entry might exist in one of the other ds. "IdServicesImpl.changePassword: " +
"Unable to change password for identity " // Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the service operation. "IdServicesImpl.getAssignedServices: " +
"Services not supported for repository " // fatal ..throw it all the way up "Fatal Exception ",
idf);
+
"Unable to get services for identity " +
"in the following repository " +
"Unable to get assigned services for identity " +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the service operation. +
"Assign Services not supported for repository " // fatal ..throw it all the way up "IdServicesImpl.assignService: FatalException ",
idf);
"IdServicesImpl.assignService: " +
"Unable to assign Service identity in " +
"the following repository " "IdServicesImpl.assignService: " +
"Unable to assign service for identity " +
"::" +
name +
" in any configured data store ",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the service operation. "IdServicesImpl.unassignService: " +
"Unassign Service not supported for repository " // fatal ..throw it all the way up "IdServicesImpl.unassignService: Fatal Exception ",
idf);
"IdServicesImpl.unassignService: " +
"Unable to unassign service in the " +
"following repository " "IdServicesImpl.unassignService: " +
"Unable to unassign Service for identity " * Non-javadoc, non-public methods * Get the service attributes of the name identity. Traverse to the global * configuration if necessary until all attributes are found or reached * the global area whichever occurs first. * @param token is the sso token of the person performing this operation. * @param type is the identity type of the name parameter. * @param name is the identity we are interested in. * @param serviceName is the service we are interested in * @param attrNames are the name of the attributes wer are interested in. * @param amOrgName is the orgname. * @param amsdkDN is the amsdkDN. * @throws IdRepoException if there are repository related error conditions. * @throws SSOException if user's single sign on token is invalid. // name is the name of AMIdentity object. will change as we move // attrNames is missingAttr and will change as we move up the tree. // amOrgname will change as we move up the tree. // amsdkDN will change as we move up the tree. +
"getServiceAttributesAscending:" // save the newly found attrs // amsdk returns emptyset when attrname is not present. // find the missing attributes // go up to the parent org // try the user or agent's currect realm. // get the rest from global. "IdServicesImpl(): getServiceAttributeAscending " +
" Failed to get global default.",
smse);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // First get the list of plugins that support the create operation. // use IdOperation.READ insteadof IdOperation.SERVICE. IdRepo for // AD doesn't support SERVICE because service object classes can't // exist in user entry. So IdRepo.getServiceAttributes won't get // user attributes. But IdRepo.getServiceAttributes will also read // realm service attributes. We should move the code that reads // ealm service attributes in IdRepo.getServiceAttributes to this class // later. Only after that we can use IdOperation.SERVICE. "IdServicesImpl.getServiceAttributes: " +
"Services not supported for repository " // fatal ..throw it all the way up "IdServicesImpl.getServiceAttributes: Fatal Exception ",
"IdServicesImpl.getServiceAttributes: " +
"Unable to get service " +
"attributes for the repository " "IdServicesImpl.getServiceAttributes: " +
"Unable to get service attributes for identity " +
" in any configured data store",
origEx);
// Check permission first. If allowed then proceed, else the // checkPermission method throws an "402" exception. // Get the list of plugins that support the service operation. +
"Modify Services not supported for repository " // fatal ..throw it all the way up "IdServicesImpl.modifyService: Fatal Exception ",
idf);
"IdServicesImpl.modifyService: " +
"Unable to modify service in the " +
"following repository " "IdServicesImpl.modifyService: " +
"Unable to modify service attributes for identity " +
" in any configured data store");
// Check if the supportedTypes is defined as supported in // First get the list of plugins that support the create operation. * create a new Set so that we do not alter the set * that is referenced in setOfMaps }
else {
// binary attributes // add to results, if not already there! // Config not migrated to 7.0 which means this is // in coexistence mode. Do not perform any delegation check // thisAction = readAction; // TODO This is a temporary fix where-in all users are // being allowed read permisions, till delegation component // is fixed to support "user self read" operations "Got Delegation Exception: ",
dex);