PolicyManager.java revision abecb4c15c1d3057f88dbae1db109e9b51fe1c35
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: PolicyManager.java,v 1.19 2010/01/25 23:48:15 veiming Exp $
07e35e8870f0a772252336889d391265a5485e4eSachiko Wallace * Portions Copyrighted 2011-2016 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport static org.forgerock.openam.entitlement.PolicyConstants.SUPER_ADMIN_SUBJECT;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport static org.forgerock.openam.entitlement.utils.EntitlementUtils.getApplicationService;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport static org.forgerock.openam.entitlement.utils.EntitlementUtils.getEntitlementConfiguration;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport org.forgerock.openam.shared.concurrency.LockFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.entitlement.Application;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.entitlement.EntitlementConfiguration;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.entitlement.EntitlementException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.entitlement.PrivilegeIndexStore;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.entitlement.opensso.PrivilegeUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.entitlement.opensso.SubjectUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.policy.interfaces.Subject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.security.AdminTokenAction;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.sm.OrganizationConfigManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.sm.ServiceAlreadyExistsException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.sm.ServiceConfigManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.sm.ServiceNotFoundException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.sm.ServiceSchemaManager;
 * The <code>PolicyManager</code> class manages policies
 * for a specific organization, sub organization or a container.
 * This class is the
 * starting point for policy management, and provides methods to
 * <p>It is a final class
 * and hence cannot be further extended. The methods in this class
 * work directly with the backend datastore (usually a
 * directory server) to store and manage policies. Hence, users
 * of this class must have a valid <code>SSOToken</code>
 * and privileges to the backend datastore.
 * @supported.api
 * @deprecated since 12.0.0
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic final class PolicyManager {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The service name for Policy component.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String POLICY_SERVICE_NAME = "iPlanetAMPolicyService";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String POLICY_DEBUG_NAME = "amPolicy";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The key for the plugins to get the organization name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String ORGANIZATION_NAME = "OrganizationName";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "/sunamhiddenrealmdelegationservicepermissions";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String NAMED_POLICY = "Policies";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String REALM_SUBJECTS = "RealmSubjects";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String XML_REALM_SUBJECTS = "xmlRealmSubjects";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String NAMED_POLICY_ID = "NamedPolicy";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String RESOURCES_POLICY = "Resources";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String RESOURCES_POLICY_ID = "ServiceType";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String SUBJECTS_POLICY = "Subjects";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String SUBJECT_POLICY = "Subject";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String REALM_SUBJECT_POLICY = "RealmSubject";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String CONDITION_POLICY = "Condition";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String RESP_PROVIDER_POLICY = "ResponseProvider";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String REFERRAL_POLICY = "Referral";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String REFERRALS_POLICY = "Referrals";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String POLICY_XML = "xmlpolicy";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String POLICY_ROOT_NODE = "Policy";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_SUBJECTS_NODE = "Subjects";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_CONDITIONS_NODE = "Conditions";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_RESP_PROVIDERS_NODE = "ResponseProviders";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_REFERRALS_NODE = "Referrals";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_RULE_SERVICE_NODE = "ServiceName";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_RULE_RESOURCE_NODE = "ResourceName";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_RULE_EXCLUDED_RESOURCE_NODE =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "ExcludedResourceName";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_RULE_APPLICATION_NAME_NODE = "ApplicationName";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String ATTR_VALUE_PAIR_NODE = "AttributeValuePair";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String DESCRIPTION_ATTRIBUTE = "description";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String CREATED_BY_ATTRIBUTE = "createdby";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String CREATION_DATE_ATTRIBUTE = "creationdate";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String LAST_MODIFIED_BY_ATTRIBUTE = "lastmodifiedby";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String LAST_MODIFIED_DATE_ATTRIBUTE = "lastmodifieddate";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String PRIORITY_ATTRIBUTE = "priority";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String STATUS_ATTRIBUTE = "priority";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String STATUS_INACTIVE = "inactive";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String SERVICE_TYPE_NAME_ATTRIBUTE = "serviceName";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_INDEX_ROOT_NODE = "PolicyCrossReferences";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_INDEX_ROOT_NODE_NAME_ATTR = "name";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_INDEX_ROOT_NODE_TYPE_ATTR = "type";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster POLICY_INDEX_ROOT_NODE_TYPE_ATTR_RESOURCES_VALUE = "Resources";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_INDEX_REFERENCE_NODE = "Reference";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_INDEX_REFERENCE_NODE_NAME_ATTR = "name";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_INDEX_POLICYNAME_NODE = "PolicyName";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String POLICY_INDEX_POLICYNAME_NODE_NAME_ATTR = "name";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final long DEFAULT_SUBJECTS_RESULT_TTL = 10 * 60 * 1000;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String WEB_AGENT_SERVICE = "iPlanetAMWebAgentService";
07e35e8870f0a772252336889d391265a5485e4eSachiko Wallace public static final String ID_REPO_SERVICE = "sunIdentityRepositoryService";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String ORG_ALIAS = "sunOrganizationAliases";
07e35e8870f0a772252336889d391265a5485e4eSachiko Wallace public static final String ORG_ALIAS_URL_HTTP_PREFIX = "http://";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String ORG_ALIAS_URL_HTTPS_PREFIX = "https://";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String ORG_ALIAS_URL_SUFFIX = ":*";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static javax.security.auth.Subject adminSubject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Can be shared by classes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static Debug debug = Debug.getInstance(POLICY_DEBUG_NAME);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static DN delegationRealm = DN.valueOf(DNMapper.orgNameToDN(DELEGATION_REALM));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static boolean migratedToEntitlementService = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructor for <code>PolicyManager</code> for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * top (or root) organization. It requires a <code>SSOToken
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * </code> which will be used to perform all data store
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * operations. If the user does not have sufficient
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * privileges <code>NoPermissionException</code> will be thrown.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param token <code>SSOToken</code> of the user managing policy
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SSOException invalid or expired single-sign-on token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws PolicyException for any other abnormal condition
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public PolicyManager(SSOToken token) throws SSOException, PolicyException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("Policy Manager constructed using SSO token");
 * Constructor for <code>PolicyManager</code> for the
 * specified organization, sub organization or a container object.
 * The names of the organization, sub organization or the
 * container object could be either "/" separated (as per SMS)
 * or could be the complete DN of the object.
 * For example: <code>/isp/coke</code>, <code>/isp/pepsi/tacobell</code>,
 * etc., or <code>"ou=tacobell, o=pepsi, o=isp"</code>,
 * <code>"o=coke, o=isp"</code>, etc.
 * The constructor also requires a single sign on token,
 * which will be used to perform all data store
 * operations. If the user does not have sufficient
 * privileges <code>NoPermissionException</code> will be thrown.
 * @param token single-sign-on token of the user managing policies
 * @param name name of the organization, sub organization
 * or container for which to manage policies.
 * The name could be either slash (/) separated
 * or the complete DN.
 * @throws SSOException invalid or expired single-sign-on token
 * @throws NameNotFoundException if the given organization,
 * sub-organization or container name is not present
 * @throws PolicyException for any other abnormal condition
 * @supported.api
return (givenOrgName);
return policyConfig;
return (org);
+ org);
se));
return (answer);
if (isMigratedToEntitlementService()) {
policy);
} catch (EntitlementException e) {
} catch (ServiceAlreadyExistsException e) {
token);
if (isMigratedToEntitlementService()) {
} catch (EntitlementException e) {
token);
if (isMigratedToEntitlementService()) {
} catch (EntitlementException e) {
token);
return rm;
return (stm);
return (ctm);
return (rpm);
return (sConfig);
} catch (SMSException e) {
return (orgName);
throw (new UnsupportedOperationException());
throw (new UnsupportedOperationException());
return svtm;
return rtm;
} catch (Exception e) {
} catch (Exception e) {
return (null);
return viewBeanURL;
if ( useCache ) {
return policy;
return rim;
private boolean validateResourceForPrefixE(
Application appl = getApplicationService(SUPER_ADMIN_SUBJECT, realmName).getApplication(serviceName);
boolean interpretWildCard = true;
private boolean validateResourceForPrefix(
boolean interpretWildCard = true;
if (isMigratedToEntitlementService()) {
initialise();
isEmpty()) {
null);
throw new PolicyException(
boolean validResource = true;
if (!validResource) {
throw new PolicyException(
throw new PolicyException(
return subjects;
return policies;
policy = p;
return policy;
throws PolicyException {
return managedResourceNames;
throws PolicyException {
return (isMigratedToEntitlementService()) ?
throws PolicyException {
return managedResourceNames;
throws PolicyException {
return managedResourceNames;
return null;
return orgAlias;
return aliasMappedOrg;
throws EntitlementException {
if (isMigratedToEntitlementService()) {
boolean can = false;
} catch (PolicyException e) {
return can;
private boolean hasReferredResources() {
boolean hasPrefixes = false;
} catch (PolicyException e) {
return hasPrefixes;
/**
 * Reports whether policy management has been migrated to the entitlement service.
 * Calls {@code initialise()} before reading the flag (presumably to populate it
 * lazily on first use — confirm against initialise()).
 * NOTE(review): {@code migratedToEntitlementService} is declared as a plain
 * (non-volatile) static boolean and is read here without synchronization; if
 * initialise() can run on another thread, visibility of the write is not
 * guaranteed — confirm the initialisation path.
 *
 * @return the value of the static {@code migratedToEntitlementService} flag
 */
static boolean isMigratedToEntitlementService() {
initialise();
return migratedToEntitlementService;
private static void initialise() {
boolean can = false;
if (isMigratedToEntitlementService()) {
} catch (PolicyException e) {
return can;