IdentityServicesImpl.java revision fd69813fc439cfb124430495f88f78b42995dcb5
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: IdentityServicesImpl.java,v 1.20 2010/01/06 19:11:17 veiming Exp $
*
*/
/**
* Portions Copyrighted 2010-2012 ForgeRock AS
*/
/**
* Web Service to provide security based on authentication and authorization
* support.
*/
public class IdentityServicesImpl
{
// Debug
private static Pattern RESOURCE_PATTERN =
/**
* @param username Subject's user name.
* @param password Subject's password
* @param uri Subject's context such as module, organization, etc.
* @return Subject's token if authenticated.
* @throws UserNotFound if user not found.
* @throws InvalidPassword if password is invalid.
* @throws NeedMoreCredentials if additional credentials are needed for
* authentication.
* @throws InvalidCredentials if credentials are invalid.
* @throws GeneralFailure on other errors.
*/
try {
// Parse the URL to get realm, module, service, etc
while (st.hasMoreTokens()) {
realm = v;
} else if (k.equals("module") &&
(authIndexType == null)) {
authIndexValue = v;
} else if (k.equals("service") &&
(authIndexType == null)) {
authIndexValue = v;
}
}
}
}
realm = "/";
}
if (authIndexType != null) {
} else {
}
while (lc.hasMoreRequirements()) {
// loop through the requires setting the needs..
if (callbacks[i] instanceof NameCallback) {
} else if (callbacks[i] instanceof PasswordCallback) {
} else {
}
}
// there's missing requirements not filled by this
// need add the missing later..
throw new InvalidCredentials("");
}
}
// Without this property defined the default will be false which is
// backwards compatible.
boolean useGenericAuthenticationException =
debug.message("IdentityServicesImpl:authenticate returning an InvalidCredentials exception for invalid passwords.");
}
// validate the password..
// We can't use the error message as it is for invalid password
throw new InvalidCredentials("");
} else {
throw new InvalidPassword(em);
}
throw new UserNotFound(em);
throw new UserInactive(em);
throw new UserLocked(em);
throw new AccountExpired(em);
// We can't use the error message to be consistent with the invalid password case
throw new InvalidCredentials("");
} else {
throw new InvalidCredentials(em);
}
throw new MaximumSessionReached(em);
throw new GeneralFailure(em);
}
} else {
try {
// package up the token for transport..
} catch (Exception e) {
"Unable to get SSOToken", e);
// we're going to throw a generic error
// because the system is likely down..
throw new GeneralFailure(e.getMessage());
}
}
} catch (AuthLoginException le) {
}
// we're going to throw a generic error
// because the system is likely down..
}
return ret;
}
/**
* Close session referenced by the subject token.
* @param subject Token identifying the session to close.
* @throws GeneralFailure errors.
*/
throws GeneralFailure, RemoteException
{
try {
}
} catch (TokenExpired te) {
} catch (SSOException ex) {
}
return new LogoutResponse();
}
/**
* Attempt to authorize the subject for the optional action on the
* requested URI.
* @param uri URI for which authorization is required
* @param action Optional action for which subject is being authorized
* @param subject Token identifying subject to be authorized
* @return boolean <code>true</code> if allowed; <code>false</code>
* otherwise
* @throws NeedMoreCredentials when more credentials are required for
* authorization.
* @throws TokenExpired when subject's token has expired.
* @throws GeneralFailure on other errors.
*/
boolean isAllowed = false;
// Check policy
try {
// create the SSOToken
// Evaluate policy
// Check if service name is encoded in uri
// Format of uri with service name:
// service://<servicename>/?resource=<resourcename>
}
action = "GET";
}
// Evaluate policy decisions
isAllowed = true;
}
} catch (SSOException e) {
throw new TokenExpired(e.getMessage());
} catch (PolicyException ex) {
}
return isAllowed;
}
/**
* Logs a message on behalf of the authenticated app.
*
* @param app Token corresponding to the authenticated application.
* @param subject Optional token identifying the subject for which the
* log record pertains.
* @param logName Identifier for the log file, e.g. "MyApp.access"
* @param message String containing the message to be logged
* @throws AccessDenied if app token is not specified
* @throws GeneralFailure on error
*/
throw new AccessDenied("No logging application token specified");
}
try {
// todo Support internationalization via a resource bundle
// specification
} catch (AMLogException e) {
throw new GeneralFailure(e.getMessage());
}
return new LogResponse();
}
/**
* Retrieve user details (roles, attributes) for the subject.
* @param attributeNames Optional array of attributes to be returned
* @param subject Token for subject.
* @return User details for the subject.
* @throws TokenExpired when Token has expired.
* @throws GeneralFailure on other errors.
* @throws AccessDenied if reading of attributes for the user is disallowed.
*/
}
}
/**
* Retrieve user details (roles, attributes) for the subject.
* @param attributeNames Optional list of attributes to be returned
* @param subject Token for subject.
* @return User details for the subject.
* @throws TokenExpired when Token has expired.
* @throws GeneralFailure on other errors.
* @throws AccessDenied if reading of attributes for the user is disallowed.
*/
try {
if (refresh) {
}
if (attributeNames != null) {
} else {
s.add(propertyNext);
}
}
}
// Obtain user memberships (roles and groups)
if (isSpecialUser(userIdentity)) {
throw new AccessDenied(
"Cannot retrieve attributes for this user.");
}
// Determine the types that can have members
}
}
// Determine the roles and groups
try {
}
} catch (IdRepoException ire) {
if (debug.messageEnabled()) {
}
// Ignore and continue
}
}
if (attributeNames != null) {
} else {
}
} else {
}
}
} else if (sessionAttributes != null) {
}
if (userAttributes != null) {
// Convert the set to a List of String
}
}
}
}
}
} catch (IdRepoException e) {
throw new GeneralFailure(e.getMessage());
} catch (SSOException e) {
throw new GeneralFailure(e.getMessage());
}
// todo handle token translation
return details;
}
/**
* Retrieve a list of identities which match the input criteria.
*
* @param filter Optional filter to use as search against identity names.
* @param admin Token identifying the administrator to be used to authorize
* the request.
* @param attributes Optional list of Attribute objects which provide
* additional search criteria for the search.
* @return List The list of identities matching the input criteria.
* @throws NeedMoreCredentials when more credentials are required for
* authorization.
* @throws TokenExpired when subject's token has expired.
* @throws GeneralFailure on other errors.
*/
{
searchAttrsList = new ArrayList();
}
if (!identities.isEmpty()) {
}
return rv;
}
private String attractValues(
) {
} else {
return defaultValue;
}
}
{
try {
if (searchModifiers != null) {
"User");
}
filter = "*";
}
}
}
}
} else {
throw new GeneralFailure("search unsupported IdType: " +
}
} catch (IdRepoException e) {
throw new GeneralFailure(e.getMessage());
} catch (SSOException e) {
throw new GeneralFailure(e.getMessage());
}
return rv;
}
) throws SSOException, IdRepoException {
if (identityExists(identity)) {
}
}
}
}
return names;
}
false;
}
try {
return results.getSearchResults();
} catch (IdRepoException e) {
} catch (SSOException e) {
}
return Collections.EMPTY_SET;
}
}
}
return identities;
}
/**
* Creates an identity object with the specified attributes.
*
* @param admin Token identifying the administrator to be used to authorize
* the request.
* @param identity object containing the attributes of the object
* to be created.
* @throws NeedMoreCredentials when more credentials are required for
* authorization.
* @throws DuplicateObject if an object matching the name, type and
* realm already exists.
* @throws TokenExpired when subject's token has expired.
* @throws GeneralFailure on other errors.
*/
throws NeedMoreCredentials, DuplicateObject,
// Verify valid information is provided
// Obtain identity details & verify
// TODO: add a message to the exception
throw new GeneralFailure("Identity name not provided");
}
idType = "user";
}
realm = "/";
}
try {
// Obtain IdRepo to create validate IdType & operations
// TODO: add message to exception
throw new UnsupportedOperationException("Unsupported: " +
}
// Obtain creation attributes
// Create the identity, special case of Agents to merge
// and validate the attributes
// Get agenttype, serverurl & agenturl
/*
* To be backward compatible, look for 'AgentType' attribute
* in the attribute map which is passed as a parameter and if
* and then assume that it is '2.2_Agent' type to create
* that agent under the 2.2_Agent node.
*/
agentType = "2.2_Agent";
} else {
throw new UnsupportedOperationException("Unsupported: " +
"Agent Type required for " + idType);
}
}
}
} else {
agentUrl);
}
} else {
} else {
agentUrl);
}
}
} else {
// Create other identities like User, Group, Role, etc.
// Process roles, groups & memberships
IdOperation.EDIT)) {
// TODO: localize message
throw new UnsupportedOperationException(
" Operation: EDIT");
}
roleNames[i], false);
if (identityExists(role)) {
}
}
}
IdOperation.EDIT)) {
// TODO: localize message
throw new UnsupportedOperationException(
" Operation: EDIT");
}
if (identityExists(group)) {
}
}
}
}
IdOperation.EDIT)) {
// TODO: Add message to exception
throw new NeedMoreCredentials("");
}
IdOperation.EDIT)) {
// TODO: Add message to exception
throw new NeedMoreCredentials("");
}
memberNames[i], false);
if (identityExists(user)) {
}
}
amIdentity.store();
}
}
}
} catch (IdRepoException ex) {
} catch (SSOException ex) {
} catch (SMSException ex) {
} catch (ConfigurationException ex) {
} catch (MalformedURLException ex) {
}
return new CreateResponse();
}
/**
* Retrieves an identity object matching input criteria.
*
* @param name The name of identity to retrieve.
* @param attributes Attribute objects specifying criteria for the object
* to retrieve.
* @param admin Token identifying the administrator to be used to authorize
* the request.
* @return IdentityDetails of the subject.
* @throws NeedMoreCredentials when more credentials are required for
* authorization.
* @throws ObjectNotFound if no subject is found that matches the input
* criteria.
* @throws TokenExpired when subject's token has expired.
* @throws GeneralFailure on other errors.
* @throws AccessDenied if reading of attributes for the user is disallowed.
*/
{
}
}
{
if (attributes != null) {
}
}
} else {
if (attrsToGet == null) {
attrsToGet = new ArrayList();
}
}
}
}
repoRealm = "/";
} else {
}
identityType = "User";
}
try {
if (isSpecialUser(amIdentity)) {
throw new AccessDenied(
"Cannot retrieve attributes for this user.");
}
if (!identityExists(amIdentity)) {
throw new ObjectNotFound(name);
}
// use the realm specified by the request
}
} catch (IdRepoException e) {
throw new GeneralFailure(e.getMessage());
} catch (SSOException e) {
throw new GeneralFailure(e.getMessage());
}
return rv;
}
/**
* Updates an identity object with the specified attributes.
*
* @param admin Token identifying the administrator to be used to authorize
* the request.
* @param identity object containing the attributes of the object to be
* updated.
* @throws NeedMoreCredentials when more credentials are required for
* authorization.
* @throws ObjectNotFound if an object matching the name, type and realm
* cannot be found.
* @throws TokenExpired when subject's token has expired.
* @throws GeneralFailure on other errors.
* @throws AccessDenied if updating of attributes for the user is disallowed.
*/
{
// TODO: add a message to the exception
throw new GeneralFailure("");
}
idType="user";
}
realm = "";
}
try {
// TODO: add message to exception
throw new NeedMoreCredentials("");
}
if (!identityExists(amIdentity)) {
idType + "\' not found.'";
throw new ObjectNotFound(msg);
}
if (isSpecialUser(amIdentity)) {
throw new AccessDenied(
"Cannot update attributes for this user.");
}
// attribute to add or modify
}
} else {
// attribute to remove
if (removeAttrs == null) {
removeAttrs = new HashSet();
}
}
}
boolean storeNeeded = false;
storeNeeded = true;
}
if (removeAttrs != null) {
storeNeeded = true;
}
if (storeNeeded) {
amIdentity.store();
}
}
}
}
}
{
}
}
} catch (IdRepoException ex) {
} catch (SSOException ex) {
}
return new UpdateResponse();
}
/**
* Deletes an identity object matching input criteria.
*
* @param admin Token identifying the administrator to be used to authorize
* the request.
* @param identity Identity Details of the Subject
* @return boolean true if the identity object was deleted.
* @throws NeedMoreCredentials when more credentials are required for
* authorization.
* @throws ObjectNotFound if no subject is found that matches the input criteria.
* @throws TokenExpired when subject's token has expired.
* @throws GeneralFailure on other errors.
* @throws AccessDenied if deleting the user is disallowed.
*/
{
throw new GeneralFailure("delete failed: identity object not specified.");
}
throw new ObjectNotFound("delete failed: null object name.");
}
realm = "/";
}
try {
realm);
if (identityExists(amIdentity)) {
if (isSpecialUser(amIdentity)) {
throw new AccessDenied("Cannot delete user.");
}
// First remove users from memberships
try {
} catch (IdRepoException ex) {
//ignore this, member maybe already removed.
}
}
}
} else {
"\' was not found.";
throw new ObjectNotFound(msg);
}
} catch (IdRepoException ex) {
} catch (SSOException ex) {
}
return new DeleteResponse();
}
throws SSOException, IdRepoException
{
}
throws IdRepoException, TokenExpired
{
realm = "/";
}
try {
} catch (SSOException ssoe) {
}
}
throws IdRepoException, TokenExpired
{
}
{
try {
} catch (IdRepoException ioe) {
// Ignore exception
}
return (null);
}
{
boolean rv = false;
try {
}
} catch (IdRepoException ex) {
// Ignore
} catch (SSOException ex) {
// Ignore
}
return rv;
}
throws IdRepoException, SSOException
{
}
throws IdRepoException, SSOException
{
}
}
return rv;
}
boolean fetchAllAttrs,
throws GeneralFailure, IdRepoException
{
try {
if (fetchAllAttrs) {
} else {
searchControl.setAllReturnAttributes(false);
}
if (searchModifiers != null) {
}
} catch (Exception e) {
throw new GeneralFailure(e.getMessage());
}
} else {
// A list is expected back
/*
* TODO: throw an exception instead of returning an empty list
*/
identities = new ArrayList();
}
return identities;
}
throws GeneralFailure, IdRepoException
{
}
return rv;
}
throws IdRepoException, SSOException
{
try {
} else {
}
} catch (IdRepoException ex) {
// If it is error code 215, ignore the error as this indicates
// an invalid uid.
throw ex;
}
}
}
return rv;
}
{
try {
} catch (SSOException ssoe) {
}
}
{
if (objectType != null) {
}
// First assume id is a universal id
if (!identityExists(rv)) {
// Not found through id lookup, try name lookup
}
} else {
}
return rv;
}
{
IdOperation.EDIT)) {
} else {
// TODO: Add message to exception
throw new NeedMoreCredentials("");
}
}
}
{
} else {
// TODO: Add message to exception
throw new NeedMoreCredentials("");
}
}
}
{
} else {
// TODO: add message to exception
throw new NeedMoreCredentials("");
}
}
{
}
throws SSOException
{
try {
} catch (IdRepoException ex) {
// This can be thrown if the identity is not a member
// in any object of idType.
}
return memberships;
}
throws SSOException
{
}
return rv;
}
{
}
if (membershipsToRemove != null) {
}
}
if (membershipsToAdd != null) {
}
}
}
{
}
if (membershipsToRemove != null) {
memberName, false);
}
}
}
if (membershipsToAdd != null) {
memberName, false);
}
}
}
}
{
} else {
String s;
}
if (s != null) {
}
}
}
}
return result;
}
throws IdRepoException, SSOException
{
if (amIdentity != null) {
boolean addUniversalId = false;
rv = new IdentityDetails();
}
}
}
}
}
}
}
}
addUniversalId = true;
} else {
}
}
}
} else {
addUniversalId = true;
}
if (addUniversalId) {
}
}
// Convert the set to a List of String
}
}
}
}
}
}
}
return rv;
}
try {
throw (new TokenExpired("Token is NULL"));
}
} catch (SSOException ex) {
// throw TokenExpired exception
}
return (token);
}
return (attributesToMap(attributes));
}
return (Collections.EMPTY_MAP);
}
} else {
}
}
} else {
}
return (idAttrs);
}
// Validate the token
return (false);
}
try {
mgr.validateToken(t);
mgr.refreshSession(t);
} catch (SSOException e) {
// Token is not valid
throw (new InvalidToken(e.getMessage()));
}
return (true);
}
"iPlanetDirectoryPro"));
}
if (lbCookieName == null) {
} else {
}
return (cookies);
}
}