ProxyPolicyEvaluator.java revision 0c9594d96d580b0cba488fa7d01802fbb49d8a3e
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: ProxyPolicyEvaluator.java,v 1.4 2009/01/28 05:35:01 ww203982 Exp $
*
* Portions Copyrighted 2011-2014 ForgeRock AS.
*/
/**
* Class that lets a priviliged user to compute policy results for
* another user.
* Only privileged users can get <code>ProxyPolicyEvaluator</code>
* - only top level administrator, realm level policy administrator,
* realm administrator or realm policy administrator can get
* <code>ProxyPolicyEvaluator</code>. Top level administrator can compute policy
* results for any user. Realm administrator or policy administrator can
* compute policy results only for users who are members of the realm
* (including sub realm) that they manage. If they try to compute policys
* result for any other user, they would get a <code>PolicyException</code>.
* This class can be used only within the web container running policy server.
*
* @supported.all.api
* @deprecated since 12.0.0
*/
public class ProxyPolicyEvaluator {
private SSOToken adminToken;
private String serviceType;
private PolicyEvaluator policyEvaluator;
private static String baseDNString;
static {
}
/**
* Constructs a <code>ProxyPolicyEvaluator</code> instance.
* Only privileged users can create <code>ProxyPolicyEvaluator</code>.
*
* @param token single sign on token used to construct the proxy policy
* evaluator.
* @param serviceType service type for which construct the proxy policy
* evaluator
* @throws NoPermissionException if the token does not have privileges
* to create proxy policy evaluator
* @throws NameNotFoundException if the serviceType is not found in
* registered service types
* @throws PolicyException any policy exception coming from policy
* framework
* @throws SSOException if the token is invalid
*/
{
this.adminToken = token;
this.serviceType = serviceType;
this.policyEvaluator
}
/**
* Evaluates a simple privilege of boolean type. The privilege indicates
* if the user identified by the <code>principalName</code>
* can perform specified action on the specified resource.
*
* @param principalName principal name for whom to compute the privilege.
* @param realm realm of the user principal "/" separated format
* @param resourceName name of the resource for which to compute
* policy result.
* @param actionName name of the action the user is trying to perform on
* the resource
* @param env run time environment parameters
*
* @return the result of the evaluation as a boolean value
*
* @throws PolicyException exception form policy framework
* @throws SSOException if single sign on token is invalid
*
*/
throws PolicyException, SSOException
{
actionName, env);
return allowed;
}
/**
* Evaluates a simple privilege of boolean type. The privilege indicates
* if the user identified by the <code>principalName</code>
* can perform specified action on the specified resource.
*
* @param principalName principal name for whom to compute the privilege.
* @param resourceName name of the resource for which to compute
* policy result.
* @param actionName name of the action the user is trying to perform on
* the resource
* @param env run time environment parameters
*
* @return the result of the evaluation as a boolean value
*
* @throws PolicyException exception form policy framework
* @throws SSOException if single sign on token is invalid
*
*/
{
}
/**
* Gets policy decision for the user identified by the
* <code>principalName</code> for the given resource
*
* @param principalName principal name for whom to compute the policy
* decision
* @param realm realm of the user principal "/" separated format
* @param resourceName name of the resource for which to compute policy
* decision
* @param env run time environment parameters
*
* @return the policy decision for the principal for the given resource
*
* @throws PolicyException exception form policy framework
* @throws SSOException if single sign on token is invalid
*
*/
throws PolicyException, SSOException
{
// Let us log all policy evaluation results
if (PolicyUtils.logStatus) {
decision };
objs, adminToken);
}
}
+ " got policy decision "
+ " for resourceName:" + resourceName
+ " for serviceType :" + serviceType
+ " is " + pd);
}
return pd;
}
/**
* Gets policy decision for the user identified by the
* <code>principalName</code> for the given resource
*
* @param principalName principal name for whom to compute the policy
* decision
* @param resourceName name of the resource for which to compute policy
* decision
* @param env run time environment parameters
*
* @return the policy decision for the principal for the given resource
*
* @throws PolicyException exception form policy framework
* @throws SSOException if single sign on token is invalid
*
*/
throws PolicyException, SSOException
{
}
/**
* Gets policy decision for a resource, skipping subject evaluation.
* Conditions would be evaluated and would include applicable advices
* in policy decisions. Hence, you could get details such as
* <code>AuthLevel</code>, <code>AuthScheme</code> that would be required to
* access the resource.
*
* @param resourceName name of the resource for which to compute policy
* decision
* @param actionNames names of the actions the user is trying to perform on
* the resource
*
* @param env run time environment parameters
*
* @return the policy decision for the principal for the given resource
*
* @throws PolicyException exception form policy framework
* @throws SSOException if single sign on token is invalid
*
*/
{
// Let us log all policy evaluation results
if (PolicyUtils.logStatus) {
decision};
"PROXIED_POLICY_EVALUATION_IGNORING_SUBJECTS",
objs, adminToken);
}
}
+ " got policy decision "
+ " ignoring subjects "
+ " for resourceName:" + resourceName
+ " for serviceType :" + serviceType
+ " is " + pd);
}
return pd;
}
/**
* Gets protected resources for a user identified by the
* <code>principalName</code>. Conditions defined in the policies are
* ignored while computing protected resources.
* Only resources that are sub resources of the given
* <code>rootResource</code> or equal to the given <code>rootResource</code>
* would be returned.
* If all policies applicable to a resource are
* only referral policies, no <code>ProtectedResource</code> would be
* returned for such a resource.
*
* @param principalName principal name for whom to compute the privilege.
* @param rootResource only resources that are sub resources of the
* given <code>rootResource</code> or equal to the
* given <code>rootResource</code> would be returned.
* If <code>PolicyEvaluator.ALL_RESOURCES</code> is
* passed as <code>rootResource</code>, resources under
* all root resources of the service
* type are considered while computing protected
* resources.
*
* @return set of protected resources. The set contains
* <code>ProtectedResource</code> objects.
*
* @throws PolicyException exception form policy framework
* @throws SSOException if single sign on token is invalid
* @see ProtectedResource
*
*/
{
}
/**
* Gets protected resources for a user identified by the
* <code>principalName</code>. Conditions defined in the policies are
* ignored while computing protected resources.
* Only resources that are sub resources of the given
* <code>rootResource</code> or equal to the given <code>rootResource</code>
* would be returned.
* If all policies applicable to a resource are
* only referral policies, no <code>ProtectedResource</code> would be
* returned for such a resource.
*
* @param principalName principal name for whom to compute the privilege.
* @param realm realm of the user principal "/" separated format
* @param rootResource only resources that are sub resources of the
* given <code>rootResource</code> or equal to the
* given <code>rootResource</code> would be returned.
* If <code>PolicyEvaluator.ALL_RESOURCES</code> is
* passed as <code>rootResource</code>, resources under
* all root resources of the service
* type are considered while computing protected
* resources.
*
* @return set of protected resources. The set contains
* <code>ProtectedResource</code> objects.
*
* @throws PolicyException exception form policy framework
* @throws SSOException if single sign on token is invalid
* @see ProtectedResource
*
*/
throws PolicyException, SSOException
{
}
/**
* Gets proxy session token
* @param principalName user to proxy as
* @return proxy session token
* @throws PolicyException if proxy session token can not be obtained
* @throws SSOException if the session token of the administrative user
* is invalid
*/
throws PolicyException, SSOException
{
}
boolean proxyPermission = false;
try {
"getProxyToken:principalName, orgDN="+principalName+
","+orgDN);
}
principalName, true);
} catch (AuthException ae) {
throw new PolicyException(ae);
} catch (LoginException le) {
throw new PolicyException(le);
}
}
try {
"1.0", "organization", "default",
actionNames, null);
+"check:" +proxyPermission);
}
if (!proxyPermission) {
+ " can not create proxy sso token for user "
+ principalName);
}
}
} catch(DelegationException de) {
throw new PolicyException(de);
}
return token;
}
}