8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: Policy.java,v 1.9 2010/01/10 01:19:35 veiming Exp $
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington * Portions Copyrighted 2011-2015 ForgeRock AS.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.Condition;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.Referral;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport com.sun.identity.policy.interfaces.ResponseProvider;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport com.sun.identity.policy.interfaces.Subject;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport com.sun.identity.policy.plugins.OrgReferral;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The class <code>Policy</code> represents a policy definition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * A policy contains a set of rules associated with a collection of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * users and conditions. The policy object is saved in the data store
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * only when the <code>store</code> method of the <code>Policy</code> is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * called, or if the methods <code>addPolicy</code> or <code>replacePolicy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * </code> of <code>PolicyManager</code> instance is invoked with this policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>Policy</code> object is accessible to policy evaluation and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * enforcement points only after it is saved in data store.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
0c9594d96d580b0cba488fa7d01802fbb49d8a3eCraig McDonnell * @deprecated since 12.0.0
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static final String REFERRAL_POLICY = "referralPolicy";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final int SUBJECTS_CONDITIONS_RULES = 1;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final int CONDITIONS_SUBJECTS_RULES = 2;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final int RULES_SUBJECTS_CONDITIONS = 3;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final int RULES_CONDITIONS_SUBJECTS = 4;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final int SUBJECTS_RULES_CONDITIONS = 5;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final int CONDITIONS_RULES_SUBJECTS = 6;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static String EVALUATION_WEIGHTS = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static String DEFAULT_EVALUATION_WEIGHTS = "10:10:10";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private final static String EVALUATION_WEIGHTS_KEY
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = "com.sun.identity.policy.Policy.policy_evaluation_weights";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final Debug DEBUG = PolicyManager.debug;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private int evaluationOrder = RULES_SUBJECTS_CONDITIONS;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Conditions conditions = new Conditions();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private ResponseProviders respProviders = new ResponseProviders();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private final static int MATCHED_RULE_RESULTS_CACHE_SIZE = 1000;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private final static int MATCHED_REFERRAL_RULES_CACHE_SIZE = 100;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * No-arg constructor.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // do nothing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs a policy given the policy name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyName name of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if policy name is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Policy(String policyName) throws InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs a policy given the policy name and priority.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyName name of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param priority priority assigned to the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if policy name is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Policy(String policyName, int priority) throws InvalidNameException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Set the policy priority
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs a policy given the policy name and description.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyName name of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param description description for the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if policy name is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Policy(String policyName, String description)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs a policy given the policy name, description and a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * referralPolicy flag.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyName name of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param description description for the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param referralPolicy indicates whether the policy is a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * referral policy or a standard policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * A referral policy is used only to delegate policy definitions to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * sub/peer organizations. A referral policy does not make use of any
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * action values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if policy name is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Policy(String policyName, String description,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean referralPolicy) throws InvalidNameException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster this(policyName, description, referralPolicy, true);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs a policy given the policy name, description,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * referralPolicy flag, and active flag
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyName name of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param description description for the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param referralPolicy indicates whether the policy is a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * referral policy or a standard policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param active indicates if the policy is active or not.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * A referral policy is used only to delegate policy definitions to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * sub/peer organizations. A referral policy does not make use of any
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * action values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if policy name is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Policy(String policyName, String description,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean referralPolicy, boolean active) throws InvalidNameException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs a policy given the Policy Node.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This is used by PolicyManager
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pm <code>PolicyManager</code> requesting the operation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyNode XML node in W3C DOM format representing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the policy object which needs to be created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidFormatException, InvalidNameException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NameNotFoundException, PolicyException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Policy(PolicyManager pm, Node policyNode)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws InvalidFormatException, InvalidNameException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if the node name is PolicyManager.POLICY_ROOT_NODE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!policyNode.getNodeName().equalsIgnoreCase(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "invalid policy xml blob given to construct policy");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new InvalidFormatException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the policy name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyName = XMLUtils.getNodeAttributeValue(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get description, can be null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster description = XMLUtils.getNodeAttributeValue(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get referralPolicy flag
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String referralPolicy = XMLUtils.getNodeAttributeValue(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get active flag
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String active = XMLUtils.getNodeAttributeValue(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster this.active = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get priority
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String pri = XMLUtils.getNodeAttributeValue(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // write to debug and continue
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyManager.debug.error("Number format exception in " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the rule nodes and instantiate them
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set ruleNodes = XMLUtils.getChildNodes(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the users collection and instantiate Subjects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node subjectsNode = XMLUtils.getChildNode(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the conditions collection and instantiate Conditions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node conditionsNode = XMLUtils.getChildNode(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditions = new Conditions(pm.getConditionTypeManager(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the respProviders collection and instantiate
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // ResponseProviders
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node respProvidersNode = XMLUtils.getChildNode(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the referrals collection and instantiate Referrals
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Node referralsNode = XMLUtils.getChildNode(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private void getModificationInfo(Node policyNode) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String strCreationDate = XMLUtils.getNodeAttributeValue(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((strCreationDate != null) && (strCreationDate.length() > 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster creationDate = Long.parseLong(strCreationDate);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String strLastModifiediDate = XMLUtils.getNodeAttributeValue(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyNode, PolicyManager.LAST_MODIFIED_DATE_ATTRIBUTE);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster lastModifiedDate = Long.parseLong(strLastModifiediDate);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster createdBy = XMLUtils.getNodeAttributeValue(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster lastModifiedBy = XMLUtils.getNodeAttributeValue(policyNode,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the name of the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return name of the policy
bfd57c44bf33e4330551ab8a179b26fe9dba86b9Mark Craig * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the name of the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyName name of the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if <code>policyName</code> is an invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void setName(String policyName) throws InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the original policy name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This is used to track policies called via
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PolicyManager::replacePolicy()</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the changed policy name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the policy name that was present when
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the object was instantiated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the organization name under which the policy is created
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This would be set only for policies that have been read from data store.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Otherwise this would be <code>null</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param organizationName name of the organization in which the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy is created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void setOrganizationName(String organizationName) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the organization name under which the policy is created
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This would be set only for policies that have been read from data store.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Otherwise this would be <code>null</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the organization name under which the policy is created
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Resets the original policy name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the description for the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the description for the policy has not been set
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the method will return an empty string; not <code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * null</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return description of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the description for the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param description description for the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the description is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks whether the policy is a referral policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * A referral policy is used only to delegate policy definitions to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * sub/peer organizations. A referral policy does not make use of any
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * action values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if this is a referral policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Otherwise returns <code>false</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks whether the policy is active or inactive
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * An inactive policy is not used to make policy evaluations.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if this is an active policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Otherwise returns <code>false</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Set the active flag for policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * An inactive policy is not used to make policy evaluations.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param active <code>boolean</code> representing active or inactive.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the priority of the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return priority of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets a priority of the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param priority priority of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the set of rule names associated with the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Set</code> of rule names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the rule object identified by name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param ruleName name of rule.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Rule</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a <code>Rule</code> with the given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name does not exist
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Rule getRule(String ruleName) throws NameNotFoundException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new NameNotFoundException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "rule_not_found", null, ruleName, PolicyException.RULE));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a new policy rule.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param rule rule object to be added to the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException a rule with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the rule name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * same service name as the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addRule(Rule rule) throws NameAlreadyExistsException ,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Since 5.0 does not support rule name, it can be null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Assign a name dynamically
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster rule.setName("rule" + ServiceTypeManager.generateRandomName());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if the rule name or rule itself already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new NameAlreadyExistsException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "rule_name_already_present", null, rule.getName(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new NameAlreadyExistsException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Replaces an existing rule with the same name by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * current one. If a <code>Rule</code> with the same name does not exist,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * it will be added.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param rule <code>Rule</code> that will replace an existing rule
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the same name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if <code>Rule</code> name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void replaceRule(Rule rule) throws InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Since 5.0 does not support rule name, it can be null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Assign a name dynamically
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster rule.setName("rule" + ServiceTypeManager.generateRandomName());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the <code>Rule</code> with the given name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param ruleName name of the rule
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return returns the <code>Rule</code> object being removed;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if not present returns <code>null</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a <code>Subjects</code> object that contains
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a set of <code>Subject</code> instances for which the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy is applied.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return Subjects object of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Get the <code>Set</code> of subject names associated with the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Set</code> of String objects representing subject names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the Subject object identified by name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subjectName name of subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Subject</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a Subject with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * does not exist
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Subject getSubject(String subjectName) throws NameNotFoundException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a new policy subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The subject is added as a normal (non exclusive) subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * So, policy will apply to members of the subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The policy will apply to a user if he is a member of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * any normal (non exclusive) subject in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or not a member of any exclusive subject in the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the Subject instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subject Subject object to be added to the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException if a Subject with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the subject name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addSubject(String name, Subject subject)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws NameAlreadyExistsException, InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a reference in the policy to a Subject defined at the realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token SSOToken of the user adding the subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subjectName name of the Subject as defined at the realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param realmName name of the realm in which the subject is defined
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException if a Subject with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * already exists in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the subject name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or the subject is not found at the realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if the SSO token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if the subject could not be added
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for any other reason
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addRealmSubject(SSOToken token, String subjectName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws NameAlreadyExistsException, InvalidNameException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyManager pm = new PolicyManager(token, realmName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SubjectTypeManager stm = pm.getSubjectTypeManager();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a reference in the policy to a Subject defined at the realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subjectName name of the Subject as defined at the realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param stm <code>SubjectTypeManager</code> of the realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You have to pass the SubjectTypeManager of the realm in which
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * you would save the policy. Trying to save the policy at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a different realm would throw PolicyException.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException if a Subject with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * already exists in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the subject name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or the subject is not found at the realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if the SSO token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if the subject could not be added
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for any other reason
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addRealmSubject(String subjectName, SubjectTypeManager stm,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws NameAlreadyExistsException, InvalidNameException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String realmName = stm.getPolicyManager().getOrganizationDN();
a14393818a78c503f7715c393044b33c86e90195Phill Cunnington realmName = LDAPUtils.formatToRFC(realmName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((subjectRealm != null) && !subjectRealm.equals(realmName)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("Policy.addRealmSubject():can not add"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " , policy already has subject from different realm:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new InvalidNameException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "policy_realms_do_not_match", objs, null, realmName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * would result in NameNotFoundException if the subject does not exist
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * we would propagate the exception without catching
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster users.addSubject(subjectName, stm.getSharedSubject(subjectName),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("Policy.addRealmSubject():added "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a new policy subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The policy will apply to a user if he is a member of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * any normal (non exclusive) subject in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or not a member of any exclusive subject in the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the Subject instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subject Subject object to be added to the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param exclusive boolean flag indicating whether the subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is to be exclusive subject. If subject is exclusive,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy applies to users who are not members of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * subject. Otherwise, policy applies to members of the subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException if a Subject with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the subject name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addSubject(String name, Subject subject, boolean exclusive)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws NameAlreadyExistsException, InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Replaces an existing subject with the same name by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * current one. If a subject with the same name does not exist,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * it will be added.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The subject is replaced as a normal (non exclusive) subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * So, policy will apply to members of the subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The policy will apply to a user if he is a member of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * any normal (non exclusive) subject in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or not a member of any exclusive subject in the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the Subject instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subject Subject that will replace an existing Subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the same name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a Subject instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the given name is not present
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void replaceSubject(String name, Subject subject)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Replaces an existing subject with the same name by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * current one. If a subject with the same name does not exist,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * it will be added.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The policy will apply to a user if he is a member of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * any normal (non exclusive) subject in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or not a member of any exclusive subject in the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the Subject instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subject Subject that will replace an existing Subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the same name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param exclusive boolean flag indicating whether the subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is to be exclusive subject. If subject is exclusive,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy applies to users who are not members of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * subject. Otherwise, policy applies to members of the subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a Subject instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the given name is not present
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
// The exclusive flag is passed through unchanged, so a replace can turn a
// normal subject into an exclusive one (or back), which inverts the set of
// users the subject selects.
// NOTE(review): the Javadoc above says both that a missing subject "will be
// added" and that NameNotFoundException is raised when it is not present. This
// method only delegates to users.replaceSubject, so which one holds is decided
// there - confirm and correct the Javadoc.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void replaceSubject(String name, Subject subject, boolean exclusive)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster users.replaceSubject(name, subject, exclusive);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the subject with the given name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subjectName name of the Subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return returns the Subject object being removed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if not present returns <code>null</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Subject removeSubject(String subjectName) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the <code>Subject</code> object identified by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * object's <code>equals</code> method. If a Subject instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * does not exist, the method will return silently.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subject Subject object that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * will be removed from the user collection
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String subjectName = users.getSubjectName(subject);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks if the subject is exclusive.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If subject is exclusive, policy applies to users who are not members of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the subject. Otherwise, policy applies to members of the subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The policy will apply to a user if he is a member of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * any normal (non exclusive) subject in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or not a member of any exclusive subject in the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subjectName name of the subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if the subject is exclusive, <code>false</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * otherwise.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the subject with the given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>subjectName</code> does not exist in the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean isSubjectExclusive(String subjectName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks if the subjectName is a reference to a Subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * defined at the realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subjectName name of the subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if the subject is a reference to a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Subject defined at the realm, <code>false</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * otherwise.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the subject with the given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>subjectName</code> does not exist in the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean isRealmSubject(String subjectName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a <code>Referrals</code> object that contains
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a set of <code>Referral</code> instances for whom the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy is applied.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return Referrals object of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Get the <code>Set</code> of referral names associated with the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Set</code> of referral names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the Referral object identified by name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param referralName name of referral.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Referral</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a Referral with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * does not exist
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Referral getReferral(String referralName) throws
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a new policy referral.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the <code>Referral</code> instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param referral <code>Referral</code> object to be added to the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException if a Referral with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the referral name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addReferral(String name, Referral referral)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws NameAlreadyExistsException, InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Replaces an existing referral with the same name by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * current one. If a referral with the same name does not exist,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * it will be added.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the <code>Referral</code> instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param referral <code>Referral</code> that will replace an existing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Referral with the same name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a Referral instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the given name is not present
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void replaceReferral(String name, Referral referral)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the referral with the given name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param referralName name of the <code>Referral</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return returns the <code>Referral</code> object being removed;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if not present returns <code>null</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Referral removeReferral(String referralName) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the <code>Referral</code> object identified by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * object's <code>equals</code> method. If a Referral instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * does not exist, the method will return silently.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param referral Referral object that will be removed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void removeReferral(Referral referral) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String referralName = referrals.getReferralName(referral);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a <code>Conditions</code> object that contains
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a set of <code>Condition</code> objects that apply
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Conditions</code> object of the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Get the set of condition names associated with the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Set</code> of condition names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the condition object identified by name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param condition name of condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Condition</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a Condition with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * does not exist.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Condition getCondition(String condition) throws
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a new policy condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the Condition instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param condition Condition object to be added to the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException if a Condition with the given name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the condition name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addCondition(String name, Condition condition)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws NameAlreadyExistsException, InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Replaces an existing condition with the same name by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * current one. If a condition with the same name does not exist,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * it will be added.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the <code>Condition</code> instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param condition <code>Condition</code> that will replace an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * existing Condition with the same name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a Condition instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the given name is not present
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void replaceCondition(String name, Condition condition)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the condition with the given name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param condition name of the <code>Condition</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return returns the Condition object being removed;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if not present returns <code>null</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Condition removeCondition(String condition) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the <code>Condition</code> object identified by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * object's <code>equals</code> method. If a condition instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * does not exist, the method will return silently.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param condition Condition object that will be removed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void removeCondition(Condition condition) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String conditionName = conditions.getConditionName(condition);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a <code>ResponseProviders</code> object that contains
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a set of <code>ResponseProvider</code> objects that apply
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ResponseProviders</code> object found in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Get a <code>Set</code> of <code>String</code> objects representing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the responseProvider names associated with the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Set</code> of responseProvider names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return respProviders.getResponseProviderNames();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the <code>ResponseProvider</code> object identified by name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param respProvider name of <code>ResponseProvider</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ResponseProvider</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a ResponseProvider with the given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name does not exist.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ResponseProvider getResponseProvider(String respProvider)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return respProviders.getResponseProvider(respProvider);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds a new <code>ResponseProvider</code> to the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the <code>ResponseProvider</code> instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param respProvider <code>ResponseProvider</code> object to be added to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException if a ResponseProvider with the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * given name already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the <code>respProvider</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addResponseProvider(String name, ResponseProvider respProvider)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster respProviders.addResponseProvider(name, respProvider);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Replaces an existing <code>ResponseProvider</code> with the same name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * by the current one. If a respProvider with the same name does not exist,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * it will be added.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the ResponseProvider instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param respProvider ResponseProvider that will replace an existing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ResponseProvider with the same name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if a ResponseProvider instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the given name is not present.
// NOTE(review): the Javadoc above says both that a missing provider "will be
// added" and that NameNotFoundException is raised when it is not present. This
// method only delegates to respProviders.replaceResponseProvider, so which one
// holds is decided there - confirm and correct the Javadoc.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void replaceResponseProvider(String name,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResponseProvider respProvider) throws NameNotFoundException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster respProviders.replaceResponseProvider(name, respProvider);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the <code>ResponseProvider</code> with the given name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param respProvider name of the ResponseProvider
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return returns the ResponseProvider object being removed;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if not present returns null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ResponseProvider removeResponseProvider(String respProvider) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return respProviders.removeResponseProvider(respProvider);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the <code>ResponseProvider</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If a respProvider instance does not exist, the method will
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * return silently.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param respProvider ResponseProvider object that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * will be removed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void removeResponseProvider(ResponseProvider respProvider) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String respProviderName = respProviders.getResponseProviderName(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Stores the policy object in a persistent data store
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * under the organization, sub-organization or a container
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * object, specified as a parameter. The organization,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * sub-organization, or the container can be either
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a LDAP distinguished name (<code>dn</code>) or slash "/" separated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * as per SMS. This method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * uses the <code>SSOToken</code> provided to perform the store
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * operation, and hence if the single sign token has expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>SSOException</code> will be thrown, and if the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * user does not have the required privileges
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>NoPermissionException</code> exception will be thrown.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If a policy with the same name exists for the organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the method will throw <code>NameAlreadyExistsException</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * And if the organization name does not exist, the method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * will throw <code>NameNotFoundException</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token SSO token of the user managing policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name name of the organization, sub-organization or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a container in which the policy will be stored.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException invalid or expired single-sign-on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NoPermissionException user does not have sufficient
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * privileges to add policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameAlreadyExistsException a policy with the same
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException the given organization name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * does not exist
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
// Creates a PolicyManager from the caller's own SSO token and the target
// organization name.
// NOTE(review): the token-validity and privilege checks described in the
// Javadoc above are presumably enforced inside PolicyManager - confirm; no
// check is made in the lines visible here.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void store(SSOToken token, String name) throws SSOException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster NoPermissionException, NameAlreadyExistsException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyManager pm = new PolicyManager(token, name);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks if two policy objects are equal.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method does not check the policy name and description
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for equality.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param obj object against which the policy object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * will be checked for equality
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if policies are equal,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>false</code> otherwise.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (rules.equals(p.rules) && users.equals(p.users)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (true);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Creates and returns a copy of this object. The returned
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>Policy</code> object will have the same policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name, rules, subjects, referrals and conditions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * such that <code>x.clone().equals(x)</code> will be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>true</code>. However <code>x.clone()</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * will not be the same as <code>x</code>, i.e.,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>x.clone() != x</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a copy of this object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Copy state variables
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Copy rules
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Copy subjects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Copy referrals
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer.referrals = (Referrals) referrals.clone();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Copy responseProviders
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer.respProviders = (ResponseProviders) respProviders.clone();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Copy conditions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer.conditions = (Conditions) conditions.clone();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the serialized policy in XML
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return serialized policy in XML
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return toXML(true);
// Builds the policy XML by string concatenation. The free-text fields visible
// here (policyName, description, createdBy, lastModifiedBy) are passed through
// XMLUtils.escapeSpecialCharacters before being appended.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer.append(XMLUtils.escapeSpecialCharacters(policyName));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((description != null) && (description.length() > 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer.append(XMLUtils.escapeSpecialCharacters(description));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((createdBy != null) && (createdBy.length() > 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(XMLUtils.escapeSpecialCharacters(createdBy));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((lastModifiedBy != null) && (lastModifiedBy.length() > 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(PolicyManager.LAST_MODIFIED_BY_ATTRIBUTE)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(XMLUtils.escapeSpecialCharacters(lastModifiedBy));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(PolicyManager.LAST_MODIFIED_DATE_ATTRIBUTE)
// NOTE(review): referralPolicy is appended without escaping; presumably a
// boolean field - confirm against its declaration.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer.append("\" referralPolicy=\"").append(referralPolicy);
// NOTE(review): per the "Ignore the exception" comment below, a failure while
// serialising a rule is only logged (message text, no stack trace), so the
// returned XML may lack a rule that the policy object holds. The try body is
// not visible in this listing - confirm, and consider failing the
// serialisation instead where this output is persisted.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator i = getRuleNames().iterator(); i.hasNext(); ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Ignore the exception
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.error("Error in policy.toXML():" + e.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add the users
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add the conditions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( !(conditions.getConditionNames().isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add the responseProviders
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( !(respProviders.getResponseProviderNames().isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add the referrals
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( !(referrals.getReferralNames().isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets string representation of the policy object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return XML string representation of the policy object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks for the char <code>c</code> in the String
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name String in which the character needs to be checked for.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param c <code>char</code> which needs to be checked.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if <code>c</code> does not occur
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * anywhere in <code>name</code>.
// Name-validation helper that raises InvalidNameException.
// NOTE(review): the condition guarding the throw is not visible in this
// listing. The Javadoc above says the exception is raised when c "does not
// occur" in name - confirm that this matches the code, since a name check
// would normally reject a name that contains the character.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static void checkForCharacter(String name, char c)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new InvalidNameException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token identifying the user for who the policy has to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be evaluated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceTypeName resourceType name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resourceName
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames a set of action names for which policy results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are to be evaluated. Each element of the set should be a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters a <code>Map</code> of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each key of the <code>Map</code> is a String valued parameter name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each value of the map is a <code>Set</code> of String values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a <code>PolicyDecision</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the action name or resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other exception condition
// Evaluates this policy for one request: starts from an empty PolicyDecision and
// dispatches on evaluationOrder to one of the getPolicyDecisionXYZ helpers.
// NOTE(review): statements between the lines shown here are missing from this
// listing, so the notes below cover only what can be read directly.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public PolicyDecision getPolicyDecision(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceTypeName,String resourceName, Set actionNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map envParameters) throws SSOException, NameNotFoundException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyDecision policyDecision = new PolicyDecision();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceTypeManager stm = ServiceTypeManager.getServiceTypeManager();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * get the evaluation order that is likely to be least expensive
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in terms of cpu.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " is Using Policy evaluation order :" + evaluationOrder);
// A referral policy with at least one referral takes this branch; per the
// original comment, referrals are processed regardless of subjects and conditions.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (isReferralPolicy() && !referrals.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //process referrals irrespective subjects and conditions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceType, referralDecision, policyDecision);
// The principal name is read only when a token is present.
// NOTE(review): it appears to feed the debug message assembled below, next to the
// resource name and action names - confirm, and treat debug output from this
// path as data that identifies users and the resources they request.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (token != null) ? token.getPrincipal().getName()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster new StringBuffer("at Policy.getPolicyDecision()")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(" principal, resource name, action names,")
// One branch per evaluation order constant; each calls the helper whose suffix
// spells the same order (S = subjects, C = conditions, R = rules).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (evaluationOrder == SUBJECTS_CONDITIONS_RULES) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "SUBJECTS_CONDITIONS_RULES");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getPolicyDecisionSCR(token, resourceType, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (evaluationOrder == CONDITIONS_SUBJECTS_RULES) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "CONDITIONS_SUBJECTS_RULES");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getPolicyDecisionCSR(token, resourceType, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (evaluationOrder == RULES_SUBJECTS_CONDITIONS) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "RULES_SUBJECTS_CONDITIONS");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getPolicyDecisionRSC(token, resourceType, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (evaluationOrder == RULES_CONDITIONS_SUBJECTS) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "RULES_CONDITIONS_SUBJECTS");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getPolicyDecisionRCS(token, resourceType, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (evaluationOrder == SUBJECTS_RULES_CONDITIONS) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "SUBJECTS_RULES_CONDITIONS");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getPolicyDecisionSRC(token, resourceType, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (evaluationOrder == CONDITIONS_RULES_SUBJECTS) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "CONDITIONS_RULES_SUBJECTS");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getPolicyDecisionCRS(token, resourceType, resourceName,
// Any evaluationOrder value not matched above falls back to the same RCS helper
// that the explicit RULES_CONDITIONS_SUBJECTS branch calls.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //default:RULES_CONDITIONS_SUBJECTS
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("Using default policy evaluation order:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "RULES_CONDITIONS_SUBJECTS");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getPolicyDecisionRCS(token, resourceType, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (token != null) ? token.getPrincipal().getName()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster new StringBuffer("at Policy.getPolicyDecision()")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(" principal, resource name, action names,")
// The computed action decisions are scanned for a non-empty value set; per the
// original comment below, finding one is enough to add the response attributes.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map actionDecisionMap = policyDecision.getActionDecisions();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (actionDecisionMap != null && !actionDecisionMap.isEmpty())
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((actionDecisions = actionDecisionMap.values()) != null &&
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set actionValues = ((ActionDecision)it.next()).getValues();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (actionValues != null && !actionValues.isEmpty())
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster { // put the response Attrs in the PolicyDecision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster respProviders.getResponseProviderDecision(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * even if one action Value found, set the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resp attributes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets matched rule results given resource type, resource name and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * action names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceType resource type(<code>ServiceType</code> of resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resource name for which to get action values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames action names for which to get values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Map</code> of action values keyed by action names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException
// Collects the action values of the rules in this policy for the given resource
// and action names, looking in matchRulesResultsCache before walking the rules.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Map getMatchedRuleResults(ServiceType resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, Set actionNames) throws NameNotFoundException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceTypeName = resourceType.getName();
// The cache key is the plain concatenation of the service type name, the resource
// name and the action set, with no separator between the parts.
// NOTE(review): two different (type name, resource name) pairs whose concatenation
// is equal would share one cache entry and so one rule result; confirm the names
// cannot collide this way, or put a delimiter between the parts.
// The action set is appended through its toString(), so the key text follows the
// iteration order of whatever Set implementation the caller passes in.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringBuilder cacheKeyBuffer = new StringBuilder(100);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String cacheKey = cacheKeyBuffer.append(resourceTypeName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(resourceName).append(actionNames).toString();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer = (Map) matchRulesResultsCache.get(cacheKey);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //Process rules
// Each rule contributes its action values, which are merged into answer.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator ruleIterator = rules.values().iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map actionResults = rule.getActionValues(resourceTypeName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyUtils.appendMapToMap(actionResults, answer);
// NOTE(review): how the action schema and its true value are used is not visible
// in this listing.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionSchema = resourceType.getActionSchema(action);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "can not find action schmea for action = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String trueValue = actionSchema.getTrueValue();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add to cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**Gets resource names that are exact matches, sub resources or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * wild card matches of argument resource name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * To determine whether to include a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource name of a resource, we compare argument resource name and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy resource name, treating wild characters in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource name as wild. If the comparison resulted in EXACT_MATCH,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * WILD_CARD_MATCH or SUB_RESOURCE_MATCH, the resource result would be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceTypeName service type name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param followReferrals indicates whether to follow the referrals to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compute the resources
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return resource names that match to be exact match, sub
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource match or wild card match of the argument
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resourceName
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#EXACT_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#SUB_RESOURCE_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#WILDCARD_MATCH
// Gathers the rule resources of this policy that relate to resourceName for one
// service type, optionally extended with resource names from the referrals.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set getResourceNames(SSOToken token, String serviceTypeName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceType st = ServiceTypeManager.getServiceTypeManager()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator ruleIterator = rules.values().iterator();
// Only rules whose service type name equals serviceTypeName are compared.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (rule.getServiceType().getName().equals(serviceTypeName)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResourceMatch resourceMatch = st.compare(resourceName,
// A sub resource, exact or wildcard match selects the rule resource; the Javadoc
// above describes these three outcomes as the ones that are included.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (resourceMatch.equals(ResourceMatch.SUB_RESOURCE_MATCH)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster || resourceMatch.equals(ResourceMatch.EXACT_MATCH)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster || resourceMatch.equals(ResourceMatch.WILDCARD_MATCH)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(" for policyName, serviceType, resourceName, ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(getName()).append( ",").append( serviceTypeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(",").append(resourceName).append(",");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(ruleResource).append(",").append(resourceMatch);
// Referrals are consulted only when followReferrals is set and at least one
// rule resource of this policy has already been selected.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!resourceNames.isEmpty() && followReferrals) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set rResourceNames = referrals.getResourceNames(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(" for policyName, serviceType, resourceName, ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(getName()).append( ",").append( serviceTypeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(",").append(resourceName).append(",");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(followReferrals).append(",").append(resourceNames);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets the resource names of a given serviceType managed by this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceTypeName name of service type for which to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * find resource names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a set of resource names of serviceTypeName managed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * by this policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException
// Lists the resource names that the rules of this policy hold for one service type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set getResourceNames(String serviceTypeName) throws SSOException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator ruleIterator = rules.values().iterator();
// When a rule has no resolved ServiceType object, the service type name stored
// on the rule itself is used instead.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String rSvcTypeName = (rule.getServiceType() == null) ?
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster rule.getServiceTypeName() : rule.getServiceType().getName();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster// public String getServiceTypeName() {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* com.iplanet.am.admin.cli uses this method.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Need to clean up cli not to use this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method. Without this method build breaks - 03/05/02 */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // return null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets organizations referred to in this policy by OrgReferral(s)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * defined in this policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return names of organization (DNs) of organizations referred
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to in this policy via <code>OrgReferral</code>(s) defined in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * this policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Please note that <code>PeerOrgReferral</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>SubOrgReferral</code> extend <code>OrgReferral</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and hence qualify as OrgReferral.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException
// Walks every referral of this policy by name and looks each one up.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set getReferredToOrganizations() throws PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator referralNames = referrals.getReferralNames().iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String referralName = (String) referralNames.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Referral referral = (Referral) referrals.getReferral(referralName);
// Only the first element of a non-empty values set is read as the organization name.
// NOTE(review): where values comes from, and the OrgReferral type test the Javadoc
// implies, are not visible in this listing.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (values != null) && (!values.isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgName = (String) values.iterator().next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Sets time to live for Subjects result.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param ttl time to live for Subjects result
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * validates the String <code>name</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name String to be validated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if name is null or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * contains the invalid character "/".
// Rejects a null or empty name by throwing InvalidNameException built with null_name.
// NOTE(review): the Javadoc above also mentions the / character; that check is not
// among the lines visible in this listing.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private void validateName(String name) throws InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (name == null) || (name.length() == 0) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new InvalidNameException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "null_name", null, "", PolicyException.POLICY));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets policy decision computing Subjects, Conditions and Rules
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this order. Referrals in the policy are ignored.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token identifying the user for who the policy has to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be evaluated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceType service type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames a set of action names for which policy results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are to be evaluated. Each element of the set should be a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters a map of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each key of the map is a String valued parameter name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each value of the map is a set of String values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyDecision a collecting argument. Computed policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this method are merged to this policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return computed and merged policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the action name or resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other exception condition
// Evaluation order here is subjects, then conditions, then rules.
// The three gate flags all start as false. Per the branch comments below, action
// values are reported only when subjects, conditions and the resource all match,
// while a failed condition stage reports advices and no values.
// NOTE(review): the statements that set allowedBySubjects and resourceMatched are
// not visible in this listing.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyDecision getPolicyDecisionSCR(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, Set actionNames, Map envParameters,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, NameNotFoundException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean resourceMatched = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedByConditions = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedBySubjects = false;
// The condition decision supplies the allow flag, the advices and a time to live.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionDecision = conditions.getConditionDecision(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster allowedByConditions = conditionDecision.isAllowed();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advicesFromConditions = conditionDecision.getAdvices();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionsTtl = conditionDecision.getTimeToLive();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (allowedByConditions) { //subjects+, conditions+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (resourceMatched) { //subjects+,conditions+,resourceMatch+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include values, no advices
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { // subjects+,conditions+,resourceMatch-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //subjects+,conditions-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //ActionDecision to include advices only
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include advices, no values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //subjects-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets policy decision computing Subjects, Rules and Conditions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this order. Referrals in the policy are ignored.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token identifying the user for who the policy has to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be evaluated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceType service type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resourceName
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames a set of action names for which policy results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are to be evaluated. Each element of the set should be a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters a map of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each key of the map is a String valued parameter name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each value of the map is a set of String values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyDecision a collecting argument. Computed policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this method are merged to this policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return computed and merged policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the action name or resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other exception condition
// Evaluation order here is subjects, then rules, then conditions.
// The three gate flags all start as false. Conditions are evaluated only inside
// the resourceMatched branch; per the branch comments below, values are reported
// when all three stages pass and advices without values when only conditions fail.
// NOTE(review): the statements that set allowedBySubjects and resourceMatched are
// not visible in this listing.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyDecision getPolicyDecisionSRC(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, Set actionNames, Map envParameters,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, NameNotFoundException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean resourceMatched = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedByConditions = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedBySubjects = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (resourceMatched) { //subjects+, resourceMatch+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionDecision = conditions.getConditionDecision(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster allowedByConditions = conditionDecision.isAllowed();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advicesFromConditions = conditionDecision.getAdvices();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionsTtl = conditionDecision.getTimeToLive();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //subjects+, resourceMatch+,conditions+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include values, no advices
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //subjects+, resourceMatch+,conditions-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include advices, no values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //subjects+,resourceMatch-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //subjects-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets policy decision computing Conditions, Subject and Rules
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this order. Referrals in the policy are ignored.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token identifying the user for who the policy has to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be evaluated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceType service type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resourceName
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames a set of action names for which policy results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are to be evaluated. Each element of the set should be a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters a map of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each key of the map is a String valued parameter name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each value of the map is a set of String values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyDecision a collecting argument. Computed policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this method are merged to this policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return computed and merged policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the action name or resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other exception condition
// Evaluation order here is conditions, then subjects, then rules.
// The three gate flags all start as false, and the condition decision is read
// first. Per the branch comments below, values are reported only when conditions,
// subjects and the resource all match. In the conditions- branch a local
// reportAdvices flag starts as false and the outcome is either advices without
// values or nothing to report.
// NOTE(review): the statements that set allowedBySubjects, resourceMatched and
// reportAdvices are not visible in this listing.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyDecision getPolicyDecisionCSR(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, Set actionNames, Map envParameters,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, NameNotFoundException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean resourceMatched = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedByConditions = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedBySubjects = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionDecision = conditions.getConditionDecision(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster allowedByConditions = conditionDecision.isAllowed();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advicesFromConditions = conditionDecision.getAdvices();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster timeToLive = conditionDecision.getTimeToLive();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (allowedBySubjects) { //conditions+, subjects+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //conditions+, subjects+, resourceMatched+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include values, no advices
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //conditions+, subjects+, resourceMatched-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //conditions+,subjects-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //conditions-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean reportAdvices = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include advices, no values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //no advices to report
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets policy decision computing Conditions, Rules and Subjects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this order. Referrals in the policy are ignored.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token identifying the user for who the policy has to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be evaluated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceType service type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resourceName
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames a set of action names for which policy results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are to be evaluated. Each element of the set should be a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters a map of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each key of the map is a String valued parameter name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each value of the map is a set of String values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyDecision a collecting argument. Computed policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this method are merged to this policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return computed and merged policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the action name or resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other exception condition
// Evaluation order here is conditions, then rules, then subjects.
// The three gate flags all start as false, and the condition decision is read
// first. Per the branch comments below, values are reported only when conditions,
// the resource and subjects all match. In the conditions- branch a local
// reportAdvices flag starts as false and the outcome is either advices without
// values or nothing to report.
// NOTE(review): the statements that set allowedBySubjects, resourceMatched and
// reportAdvices are not visible in this listing.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyDecision getPolicyDecisionCRS(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, Set actionNames, Map envParameters,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, NameNotFoundException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean resourceMatched = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedByConditions = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedBySubjects = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionDecision = conditions.getConditionDecision(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster allowedByConditions = conditionDecision.isAllowed();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advicesFromConditions = conditionDecision.getAdvices();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster timeToLive = conditionDecision.getTimeToLive();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (resourceMatched) { ///conditions+, resourceMatched+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //conditions+, resourceMatched+, subjects+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include values, no advices
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //conditions+, resourceMatched+, subjects-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //conditions+, resourceMatched-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //conditions-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean reportAdvices = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include advices, no values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //no advices to report
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets policy decision computing Rules, Subjects and Conditions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this order. Referrals in the policy are ignored.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token identifying the user for whom the policy has to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be evaluated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceType service type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resourceName
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames a set of action names for which policy results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are to be evaluated. Each element of the set should be a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters a map of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each key of the map is a String valued parameter name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each value of the map is a set of String values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyDecision a collecting argument. Computed policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this method are merged to this policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return computed and merged policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the action name or resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other exception condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyDecision getPolicyDecisionRSC(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, Set actionNames, Map envParameters,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, NameNotFoundException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean resourceMatched = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedByConditions = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedBySubjects = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (allowedBySubjects) { //resourceMatched+, subjects+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionDecision = conditions.getConditionDecision(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster allowedByConditions = conditionDecision.isAllowed();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advicesFromConditions = conditionDecision.getAdvices();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionsTtl = conditionDecision.getTimeToLive();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //resourceMatched+, subjects+, conditions+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include values, no advices
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //resourceMatched+, subjects+, conditions-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include advices, no values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //resourceMatched+, subjects-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //resourceMached-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets policy decision computing Rules, Conditions and Subjects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this order. Referrals in the policy are ignored.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token sso token identifying the user for whom the policy has to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be evaluated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceType service type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resourceName
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames a set of action names for which policy results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are to be evaluated. Each element of the set should be a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters a map of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each key of the map is a String valued parameter name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Each value of the map is a set of String values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyDecision a collecting argument. Computed policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in this method are merged to this policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return computed and merged policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the action name or resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other exception condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyDecision getPolicyDecisionRCS(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, Set actionNames, Map envParameters,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, NameNotFoundException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean resourceMatched = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedByConditions = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowedBySubjects = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map actionResults = getMatchedRuleResults(resourceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionDecision = conditions.getConditionDecision(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster allowedByConditions = conditionDecision.isAllowed();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advicesFromConditions = conditionDecision.getAdvices();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster conditionsTtl = conditionDecision.getTimeToLive();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (allowedByConditions) { //resourceMatch+, conditions+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //resourceMatch+, conditions+, subjects+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include values, no advices
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //resourceMatch+, conditions+, subjects-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //resourceMatch+, conditions-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean reportAdvices = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* ActionDecision to include advices, no values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //no advices to report
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { //resourceMatch-
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets evaluation order of Subjects, Rules and Conditions for this policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * that is likely to be least expensive in terms of CPU.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return int representing preferred evaluation order for this policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private int getEvaluationOrder(SSOToken token) throws SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster int evaluationOrder = RULES_CONDITIONS_SUBJECTS;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //treat subject weight as 0, if sub result is in cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster int mpsWeight = users.isSubjectResultCached(token) ? 0 : psWeight;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (( mpsWeight <= pcWeight) && (pcWeight <= prWeight)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (( pcWeight <= mpsWeight) && (mpsWeight <= prWeight)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (( prWeight <= pcWeight) && (pcWeight <= mpsWeight)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (( prWeight <= mpsWeight) && (mpsWeight <= pcWeight)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (( mpsWeight <= prWeight) && (prWeight <= pcWeight)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (( pcWeight <= prWeight) && (prWeight <= mpsWeight)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Initializes global values of evaluation weight
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * per Subject, per Condition and per Rule element
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the policies by reading value of property
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>EVALUATION_WEIGHTS_KEY</code> from AMConfig.properties.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the value is not defined in AMConfig.properties, the value defaults
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to <code>DEFAULT_EVALUATION_WEIGHTS</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #DEFAULT_EVALUATION_WEIGHTS
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static void initializeStaticEvaluationWeights() {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster EVALUATION_WEIGHTS = com.iplanet.am.util.SystemProperties.get(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster EVALUATION_WEIGHTS_KEY, DEFAULT_EVALUATION_WEIGHTS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(EVALUATION_WEIGHTS, ":");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Policy.initializeStaticEvaluationWeights:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " invalid evaulationWeights defined, "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " defaulting to " + DEFAULT_EVALUATION_WEIGHTS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster EVALUATION_WEIGHTS = DEFAULT_EVALUATION_WEIGHTS;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Policy.initializeStaticEvaluationWeights:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " invalid subjectWeight defined, defaulting to 0");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Policy.initializeStaticEvaluationWeights:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " invalid ruleWeight defined, defaulting to 0");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Policy.initializeStaticEvaluationWeights:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " invalid conditionWeight defined, defaulting to 0");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Initializes evaluation weights for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Subjects, Conditions and rules of this policy object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster pcWeight = conditions.size() * conditionWeight;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks whether the policy is applicable to user identified by sso token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if the policy is applicable to the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * identified by sso token, else <code>false</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (ruleResults != null) && !ruleResults.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator keys = ruleResults.keySet().iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * We track the subject realm when a realm subject is added to the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * We use this information to enforce that a policy has
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * realm subjects only from one realm. We also use this information
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to enforce that the policy is not saved into a different realm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Clears the cached membership evaluation results corresponding
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to the <code>tokenIdString</code>. This is triggered through
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PolicySSOTokenListener</code> and <code>PolicyCache</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * when a session property
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of a logged-in user is changed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param tokenIdString sessionId of the user whose session property changed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void clearSubjectResultCache(String tokenIdString) throws PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("Policy.clearSubjectResultCache(tokenIdString): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " clearing cached subject evaluation result for "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " tokenId XXXXX");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns creation date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return creation date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the creation date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param creationDate creation date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void setCreationDate(long creationDate) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns last modified date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return last modified date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the last modified date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param lastModifiedDate last modified date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void setLastModifiedDate(long lastModifiedDate) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the user ID who last modified the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return user ID who last modified the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the user ID who last modified the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param lastModifiedBy user ID who last modified the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void setLastModifiedBy(String lastModifiedBy) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the user ID who created the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return user ID who created the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the user ID who created the policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param createdBy user ID who created the policy.