8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * opensso/legal/CDDLv1.0.txt
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * at opensso/legal/CDDLv1.0.txt.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: PolicyEvaluator.java,v 1.7 2009/10/21 23:50:46 dillidorai Exp $
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
6033fe2cfc1c391360277704d2c66456a33e9446sachiko * Portions Copyrighted 2013-2015 ForgeRock AS.
b174f2fef6b1d8ee82424e19de3ad21f872c1ed7Mark de Reeper */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpackage com.sun.identity.policy.client;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.shared.debug.Debug;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.dpro.session.SessionException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOToken;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOTokenManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.ActionDecision;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyDecision;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.ResBundleUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.remote.PolicyEvaluationException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.security.AdminTokenAction;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.security.AppSSOTokenProvider;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.log.Logger;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.log.LogRecord;
bfbee81df9e5db55835a1bf1e6981ec03379926ePeter Majorimport com.sun.identity.policy.interfaces.ResourceName;
57a1b25dcdf865eacb2fe2e17c5ca83e942da047David Lunaimport org.forgerock.util.thread.listener.ShutdownListener;
57a1b25dcdf865eacb2fe2e17c5ca83e942da047David Lunaimport org.forgerock.util.thread.listener.ShutdownManager;
57a1b25dcdf865eacb2fe2e17c5ca83e942da047David Luna
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.HashSet;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Iterator;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Map;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Set;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.logging.Level;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.security.AccessController;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class provides methods to get policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for clients of policy service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class uses XML/HTTP protocol to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * communicate with the Policy Service.
c690c4789c81f41167ef2293ae8891a1c20c8fc7Mark Craig * Policy client API implementation caches policy decision locally.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The cache is updated through policy change notifications and/or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * polling.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class PolicyEvaluator {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
    // Debug log obtained under the name "amRemotePolicy".
    // NOTE(review): debug, accessLogger and errorLogger are static, non-final
    // and package-private, so any class in this package can reassign them.
    static Debug debug = Debug.getInstance("amRemotePolicy");
    // Client-side policy configuration; assigned in init().
    private PolicyProperties policyProperties;
    // Service this evaluator answers for; assigned in init().
    private String serviceName;
    // Used by getPolicyDecision() to validate the caller's token.
    private SSOTokenManager ssoTokenManager;

    /**
     * Reference to singleton ResourceResultCache instance
     */
    private ResourceResultCache resourceResultCache;

    // Source of the application single sign on token; package-private.
    AppSSOTokenProvider appSSOTokenProvider;

    /**
     * Logger object for access messages
     */
    static Logger accessLogger;

    /**
     * Logger object for error messages
     */
    static Logger errorLogger;

    // presumably an environment-parameter key; its use is outside this section
    private static final String GET_RESPONSE_ATTRIBUTES
            = "Get_Response_Attributes";

    // Application token passed to the cache when policy listeners are added
    // or removed; set in init() from getNewAppSSOToken().
    private SSOToken appSSOToken;

    /*
     * Number of attempts to make to server if policy decision received
     * from server has expired ttl
     */
    private final static int RETRY_COUNT = 3;

    // Audit mode read from policyProperties.getLogActions(); isAllowed()
    // compares it with PolicyProperties.ALLOW, DENY, BOTH and DECISION.
    private String logActions;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Creates an instance of client policy evaluator
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceName name of the service for which to create
c690c4789c81f41167ef2293ae8891a1c20c8fc7Mark Craig * policy evaluator.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param appSSOTokenProvider an object where application single sign on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * token can be obtained.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if required properties cannot be retrieved.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if application single sign on token is invalid.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
    private PolicyEvaluator(String serviceName,
            AppSSOTokenProvider appSSOTokenProvider)
            throws PolicyException, SSOException {
        // Trace the request; the provider is rendered through its toString(),
        // no token is requested from it here.
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator():Creating PolicyEvaluator:"
                    + "serviceName=" + serviceName
                    + ":appSSOTokenProvider=" + appSSOTokenProvider);
        }

        if (serviceName != null) {
            init(serviceName, appSSOTokenProvider);
        } else {
            // NOTE(review): no exception is raised for a null service name and
            // init() is skipped, so ssoTokenManager, policyProperties and
            // resourceResultCache stay unset on the object that getInstance()
            // hands back. getPolicyDecision() dereferences ssoTokenManager, so
            // such an evaluator would presumably fail with a
            // NullPointerException rather than return a decision - confirm
            // that callers never pass null.
            if (debug.warningEnabled()) {
                debug.warning("PolicyEvaluator():"
                        + "serviceName is null");
            }
        }
    }
6033fe2cfc1c391360277704d2c66456a33e9446sachiko
6033fe2cfc1c391360277704d2c66456a33e9446sachiko /**
6033fe2cfc1c391360277704d2c66456a33e9446sachiko * Returns an instance of client policy evaluator
6033fe2cfc1c391360277704d2c66456a33e9446sachiko *
6033fe2cfc1c391360277704d2c66456a33e9446sachiko * @param serviceName name of the service for which to create
6033fe2cfc1c391360277704d2c66456a33e9446sachiko * policy evaluator.
6033fe2cfc1c391360277704d2c66456a33e9446sachiko * @param appSSOTokenProvider an object where application single sign on
6033fe2cfc1c391360277704d2c66456a33e9446sachiko * token can be obtained.
6033fe2cfc1c391360277704d2c66456a33e9446sachiko * @throws PolicyException if required properties cannot be retrieved.
6033fe2cfc1c391360277704d2c66456a33e9446sachiko * @throws SSOException if application single sign on token is invalid.
6033fe2cfc1c391360277704d2c66456a33e9446sachiko */
    static PolicyEvaluator getInstance(String serviceName,
            AppSSOTokenProvider appSSOTokenProvider)
            throws PolicyException, SSOException {
        // Each call constructs a new evaluator; this method keeps no cache of
        // previously created instances.
        final PolicyEvaluator evaluator =
                new PolicyEvaluator(serviceName, appSSOTokenProvider);
        return evaluator;
    }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Initializes an instance of client policy evaluator object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceName name of the service for which to create
c690c4789c81f41167ef2293ae8891a1c20c8fc7Mark Craig * policy evaluator
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param appSSOTokenProvider an object where application single sign on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * token can be obtained.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if required properties cannot be retrieved.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if application single sign on token is invalid.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
    private void init(final String serviceName,
            AppSSOTokenProvider appSSOTokenProvider)
            throws PolicyException, SSOException {
        // Collaborators are set first; the listener calls below use them.
        this.ssoTokenManager = SSOTokenManager.getInstance();
        this.serviceName = serviceName;
        this.appSSOTokenProvider = appSSOTokenProvider;
        this.policyProperties = new PolicyProperties();
        this.logActions = policyProperties.getLogActions();
        this.resourceResultCache
                = ResourceResultCache.getInstance(policyProperties);
        // Application token presented to the cache on every listener
        // add/remove call in this method.
        appSSOToken = getNewAppSSOToken();

        // Remove the listener that was registered under the previous
        // notification URL before (possibly) registering a new one.
        if (PolicyProperties.previouslyNotificationEnabled()) {
            if (!policyProperties.useRESTProtocol()) {
                resourceResultCache.removeRemotePolicyListener(appSSOToken,
                        serviceName,
                        PolicyProperties.getPreviousNotificationURL());
            } else {
                resourceResultCache.removeRESTRemotePolicyListener(appSSOToken,
                        serviceName,
                        PolicyProperties.getPreviousNotificationURL());
            }
        }

        if (policyProperties.notificationEnabled()) {
            // Register a remote policy listener with the policy service.
            if (debug.messageEnabled()) {
                debug.message("PolicyEvaluator.init():"
                        + "adding remote policy listener with policy "
                        + "service " + serviceName);
            }
            if (policyProperties.useRESTProtocol()) {
                resourceResultCache.addRESTRemotePolicyListener(appSSOToken,
                        serviceName, policyProperties.getRESTNotificationURL());
            } else {
                resourceResultCache.addRemotePolicyListener(appSSOToken,
                        serviceName, policyProperties.getNotificationURL());
            }

            // Hook that removes the listener again when the container shuts
            // down. appSSOToken is a field, so the hook uses whatever token
            // the evaluator holds at shutdown time, not the value read above.
            ShutdownManager shutdownHooks =
                    com.sun.identity.common.ShutdownManager.getInstance();
            ShutdownListener removeListenerOnShutdown = new ShutdownListener() {
                @Override
                public void shutdown() {
                    if (policyProperties.useRESTProtocol()) {
                        resourceResultCache.removeRESTRemotePolicyListener(
                                appSSOToken, serviceName,
                                policyProperties.getRESTNotificationURL());
                        if (debug.messageEnabled()) {
                            debug.message("PolicyEvaluator: called removeRESTRemotePolicyListener, service "
                                    + serviceName + ", URL "
                                    + policyProperties.getRESTNotificationURL());
                        }
                    } else {
                        resourceResultCache.removeRemotePolicyListener(
                                appSSOToken, serviceName,
                                policyProperties.getNotificationURL());
                        if (debug.messageEnabled()) {
                            debug.message("PolicyEvaluator: called removeRemotePolicyListener, service "
                                    + serviceName + ", URL "
                                    + policyProperties.getNotificationURL());
                        }
                    }
                }
            };
            shutdownHooks.addShutdownListener(removeListenerOnShutdown);
        }

        // Static setter: the skew is set on ActionDecision itself, not on this
        // evaluator instance.
        ActionDecision.setClientClockSkew(policyProperties.getClientClockSkew());

        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator:"
                    + "initialized PolicyEvaluator");
        }
    }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates a simple privilege of boolean type. The privilege indicates
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the user can perform specified action on the specified resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionName name of the action the user is trying to perform on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the result of the evaluation as a boolean value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if result could not be computed for any
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * reason other than single sign on token problem.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if single sign on token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
    public boolean isAllowed(SSOToken token, String resourceName,
            String actionName) throws PolicyException,
            SSOException {
        // No environment parameters were supplied: delegate to the four
        // argument overload with a null env Map.
        final Map noEnvParameters = null;
        return isAllowed(token, resourceName, actionName, noEnvParameters);
    }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates simple privileges of boolean type. The privilege indicates
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the user can perform specified action on the specified resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The evaluation also depends on user's application environment parameters.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionName name of the action the user is trying to perform on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters run time environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the result of the evaluation as a boolean value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if result could not be computed for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * reason other than single sign on token problem.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if single sign on token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
    public boolean isAllowed(SSOToken token, String resourceName,
            String actionName,
            Map envParameters) throws PolicyException,
            SSOException {
        // NOTE(review): with message-level debug on, the principal is read
        // from the token here, before getPolicyDecision() below has called
        // validateToken() on it.
        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator:isAllowed():"
                    + "token=" + token.getPrincipal().getName()
                    + ":resourceName=" + resourceName
                    + ":actionName=" + actionName
                    + ":envParameters) : entering");
        }

        // Ask for a decision on just this one action.
        Set requestedActions = new HashSet(1);
        requestedActions.add(actionName);
        PolicyDecision policyDecision = getPolicyDecision(token, resourceName,
                requestedActions, envParameters);
        ActionDecision actionDecision =
                (ActionDecision) policyDecision.getActionDecisions()
                        .get(actionName);
        String trueValue = policyProperties.getTrueValue(serviceName,
                actionName);
        String falseValue = policyProperties.getFalseValue(serviceName,
                actionName);

        // Default deny: access is granted only when a decision exists, both
        // boolean value names are configured, and the decision carries the
        // true value without also carrying the false value (deny overrides).
        boolean actionAllowed = false;
        if (actionDecision != null && trueValue != null
                && falseValue != null) {
            Set decidedValues = (Set) actionDecision.getValues();
            actionAllowed = decidedValues != null
                    && !decidedValues.contains(falseValue)
                    && decidedValues.contains(trueValue);
        }

        // Pick the access-log message according to the configured log mode.
        // NOTE(review): the record carries the resource name as the caller
        // passed it; getPolicyDecision() canonicalizes its own copy, so the
        // logged name may differ from the name that was evaluated.
        String result = actionAllowed ? "ALLOW" : "DENY";
        String[] objs = {resourceName, actionName, result};
        String messageKey = null;
        if (PolicyProperties.ALLOW.equals(logActions) && actionAllowed) {
            messageKey = "policy_eval_allow";
        } else if (PolicyProperties.DENY.equals(logActions)
                && !actionAllowed) {
            messageKey = "policy_eval_deny";
        } else if (PolicyProperties.BOTH.equals(logActions)
                || PolicyProperties.DECISION.equals(logActions)) {
            messageKey = "policy_eval_result";
        }
        if (messageKey != null) {
            logAccessMessage(Level.INFO,
                    ResBundleUtils.getString(messageKey, objs), token);
        } // otherwise nothing to log

        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.isAllowed():"
                    + "token=" + token.getPrincipal().getName()
                    + ":resourceName=" + resourceName
                    + ":actionName=" + actionName
                    + ":returning: " + actionAllowed);
        }
        return actionAllowed;
    }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates privileges of the user to perform the specified actions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * on the specified resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames Set of action names the user is trying to perform on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if result could not be computed for any
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * reason other than single sign on token problem.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if single sign on token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
    public PolicyDecision getPolicyDecision(SSOToken token,
            String resourceName,
            Set actionNames)
            throws PolicyException, SSOException {
        // No environment parameters were supplied: delegate to the four
        // argument overload, which validates the token, with a null env Map.
        final Map noEnvParameters = null;
        return getPolicyDecision(token, resourceName, actionNames,
                noEnvParameters);
    }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Computes the policy decision for a user who wants to perform a set of
 * actions on a resource, taking the user's run-time environment
 * parameters into account.
 *
 * <p>The user token is validated first, and the resource name is
 * canonicalized with the service's resource comparator before the request
 * is passed to the result cache. If the cache reports that the application
 * single sign on token is invalid, a new application token is obtained,
 * the remote policy listener is re-registered when notifications are
 * enabled, and the request is attempted one more time. A failure of that
 * second attempt propagates to the caller.
 *
 * @param token single sign on token of the user evaluating policies.
 * @param resourceName name of the resource the user is trying to access
 * @param actionNames Set of action names the user is trying to perform on
 *        the resource.
 * @param envParameters run-time environment parameters
 * @return policy decision
 * @throws PolicyException if result could not be computed for any
 *         reason other than single sign on token problem.
 * @throws SSOException if single sign on token is invalid or expired.
 *
 * @supported.api
 */
public PolicyDecision getPolicyDecision(SSOToken token,
        String resourceName,
        Set actionNames,
        Map envParameters)
        throws PolicyException, SSOException {

    // The user token is checked before anything else is done with it.
    ssoTokenManager.validateToken(token);

    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator:getPolicyDecision():token="
                + token.getPrincipal().getName()
                + ":resourceName=" + resourceName
                + ":actionName=" + actionNames + ":entering");
    }

    // The decision must be computed for the canonical form of the
    // resource name; evaluating the raw caller-supplied spelling could
    // match a different policy than the one that protects the resource.
    final String canonicalName = policyProperties
            .getResourceComparator(serviceName)
            .canonicalize(resourceName);

    PolicyDecision decision;
    try {
        decision = resourceResultCache.getPolicyDecision(
                appSSOToken, serviceName, token, canonicalName,
                actionNames, envParameters, RETRY_COUNT);
    } catch (InvalidAppSSOTokenException e) {
        if (debug.warningEnabled()) {
            debug.warning("PolicyEvaluator.getPolicyDecision():"
                    + "InvalidAppSSOTokenException occured:"
                    + "getting new appssotoken");
        }
        // Replace the stored application token so later calls use it too.
        appSSOToken = getNewAppSSOToken();
        if (policyProperties.notificationEnabled()) {
            if (debug.warningEnabled()) {
                debug.warning("PolicyEvaluator.getPolicyDecision():"
                        + "InvalidAppSSOTokenException occured:"
                        + "reRegistering remote policy listener");
            }
            reRegisterRemotePolicyListener(appSSOToken);
        }
        // Single retry with the fresh application token.
        decision = resourceResultCache.getPolicyDecision(
                appSSOToken, serviceName, token, canonicalName,
                actionNames, envParameters, RETRY_COUNT);
    }

    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator:getPolicyDecision():token="
                + token.getPrincipal().getName()
                + ":resourceName=" + canonicalName
                + ":actionNames=" + actionNames
                + ":returning policyDecision:" + decision.toXML());
    }

    // Arguments of the "policy_eval_decision" access-log message. They are
    // built before the logging check, exactly as the decision is serialized
    // on every call.
    final Object[] logArguments = {
        canonicalName, actionNames, decision.toXML()
    };
    if (PolicyProperties.DECISION.equals(logActions)) {
        logAccessMessage(Level.INFO,
                ResBundleUtils.getString("policy_eval_decision",
                        logArguments),
                token);
    } // any other logActions value: nothing is written to the access log

    return decision;
}
/**
 * Obtains an application single sign on token, either from the
 * <code>AppSSOTokenProvider</code> this <code>PolicyEvaluator</code> was
 * given or, when there is no provider, from <code>AdminTokenAction</code>.
 * It is used when the application session token currently held by this
 * <code>PolicyEvaluator</code> has been reported as invalid.
 *
 * <p>The session of the token obtained first is refreshed and checked.
 * If the refresh fails or the token is not valid, the token is fetched a
 * second time from the same source. The second token is returned without
 * being refreshed or checked again, so only a non-null result is
 * guaranteed here.
 *
 * @return the application single sign on token, never <code>null</code>.
 * @throws PolicyException if no application token could be obtained.
 */
private synchronized SSOToken getNewAppSSOToken() throws PolicyException {
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.getNewAppSSOToken():entering");
    }

    // The source is chosen once and used for both attempts.
    final AppSSOTokenProvider provider = appSSOTokenProvider;
    SSOToken appToken = fetchAppSSOToken(provider);

    boolean fetchAgain = false;
    try {
        ssoTokenManager.refreshSession(appToken);
        if (!ssoTokenManager.isValidToken(appToken)) {
            if (debug.messageEnabled()) {
                debug.message("PolicyEvaluator.getNewAppSSOToken():"
                        + "AdminTokenAction returned "
                        + " expired token, trying again");
            }
            fetchAgain = true;
        }
    } catch (SSOException e) {
        if (debug.warningEnabled()) {
            debug.warning("PolicyEvaluator.getNewAppSSOToken():"
                    + "could not refresh session:", e);
        }
        fetchAgain = true;
    }
    if (fetchAgain) {
        // Second and last attempt; its result is not validated again.
        appToken = fetchAppSSOToken(provider);
    }

    if (appToken == null) {
        debug.error("PolicyEvaluator.getNewAppSSOToken():, "
                + "cannot obtain application SSO token");
        throw new PolicyException(ResBundleUtils.rbName,
                "can_not_create_app_sso_token", null, null);
    }
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.getNewAppSSOToken():returning token");
    }
    return appToken;
}

/**
 * Fetches an application token from the given provider, or from
 * <code>AdminTokenAction</code> when the provider is <code>null</code>.
 */
private static SSOToken fetchAppSSOToken(AppSSOTokenProvider provider) {
    if (provider != null) {
        return provider.getAppSSOToken();
    }
    return (SSOToken) AccessController.doPrivileged(
            AdminTokenAction.getInstance());
}
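/**
 * Logs an access message from policy client api to the
 * "amRemotePolicy.access" logger. The logger is looked up on first use.
 * Logging is best effort: any failure is reported to the debug log and
 * never reaches the caller.
 *
 * @param level logging level
 * @param message message string
 * @param token single sign on token of user
 */
private void logAccessMessage(Level level, String message,
        SSOToken token) {

    try {
        if (accessLogger == null) {
            accessLogger = (com.sun.identity.log.Logger)
                    Logger.getLogger("amRemotePolicy.access");
            if (accessLogger == null) {
                if (debug.warningEnabled()) {
                    debug.warning("PolicyEvaluator.logAccessMessage:"
                            + "Failed to create Logger");
                }
                return;
            }
        }
        // The record carries the user's token; the write itself is
        // performed with the application token.
        LogRecord lr = new LogRecord(level, message, token);
        accessLogger.log(lr, appSSOToken);
    } catch (Throwable ex) {
        // A failed access-log write must not break policy evaluation, but
        // the cause is kept in the debug log: a missing decision record
        // with no recorded reason is a gap in the audit trail that cannot
        // be diagnosed afterwards.
        if (debug.warningEnabled()) {
            debug.warning("PolicyEvaluator.logAccessMessage:Error"
                    + " writing access logs", ex);
        }
    }

}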
/**
 * Gives access to the application single sign on token provider held by
 * this evaluator.
 *
 * @return the <code>AppSSOTokenProvider</code> stored in this object;
 *         <code>getNewAppSSOToken()</code> treats a <code>null</code>
 *         value as "no provider".
 */
AppSSOTokenProvider getAppSSOTokenProvider() {
    return this.appSSOTokenProvider;
}
/**
 * Returns the names of the policy advices that OpenAM could handle if the
 * PEP redirects the user agent to OpenAM. If the server reports that the
 * app sso token provided was invalid, or the request fails with a
 * <code>PolicyException</code> whose nested exception is a
 * <code>SessionException</code>, a new app sso token is obtained and one
 * more attempt is made to get the advice names.
 *
 * @param refetchFromServer indicates whether to get the values fresh
 *        from OpenAM or return the values from local cache
 * @return names of policy advices that could be handled by OpenAM
 *         if PEP redirects user agent to OpenAM.
 * @throws InvalidAppSSOTokenException if the server reported that the
 *         app sso token provided was invalid
 * @throws PolicyEvaluationException if the server reported any other error
 * @throws PolicyException if there are problems in policy module
 *         while getting the result
 * @throws SSOException if there are problems with sso token
 *         while getting the result
 */
public Set getAdvicesHandleableByAM(boolean refetchFromServer)
        throws InvalidAppSSOTokenException, PolicyEvaluationException,
        PolicyException, SSOException {
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.getAdvicesHandleableByAM(): Entering"
                + "refetchFromServer=" + refetchFromServer);
    }

    Set handleableNames = null;
    boolean retryWithNewToken = false;
    try {
        handleableNames = resourceResultCache.getAdvicesHandleableByAM(
                appSSOToken, refetchFromServer);
    } catch (InvalidAppSSOTokenException e) {
        if (debug.warningEnabled()) {
            debug.warning("PolicyEvaluator.getAdvicesHandleableByAM():"
                    + "got InvalidAppSSOTokenException, "
                    + " retrying with new app token");
        }
        retryWithNewToken = true;
    } catch (PolicyException pe) {
        // Only a session problem wrapped in the PolicyException is
        // retried; every other policy failure goes back to the caller.
        if (!(pe.getNestedException() instanceof SessionException)) {
            throw pe;
        }
        if (debug.warningEnabled()) {
            debug.warning("PolicyEvaluator.getAdvicesHandleableByAM():"
                    + "got SessionException, "
                    + " retrying with new app token");
        }
        retryWithNewToken = true;
    }

    if (retryWithNewToken) {
        // NOTE(review): the new token is used for this call only and is
        // not stored in appSSOToken, unlike the retry in
        // getPolicyDecision(); later calls start with the old token
        // again. Confirm that this is intended.
        handleableNames = resourceResultCache.getAdvicesHandleableByAM(
                getNewAppSSOToken(), refetchFromServer);
    }

    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.getAdvicesHandleableByAM():"
                + " Returning advicesHandleableByAM="
                + handleableNames);
    }
    return handleableNames;
}
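/**
 * Returns XML string representation of advice map contained in the
 * actionDecision. This is a convenience method for use by PEP.
 *
 * @param actionDecision actionDecision that contains the
 *        advices; may be <code>null</code>
 * @return XML string representation of advice map contained in the
 *         actionDecision subject to the following rule. If the
 *         actionDecision is null, the return value would be null.
 *         Otherwise, if the actionDecision does not contain any advice,
 *         the return value would be null. Otherwise, actionDecision contains
 *         advices. In this case, if the advices contains at least one advice
 *         name that could be handled by AM, the complete advices element is
 *         serialized to XML and the XML string is returned. Otherwise, null
 *         is returned.
 * @throws PolicyException for any abnormal condition encountered in
 *         policy module
 * @throws SSOException for any abnormal condition encountered in
 *         session module
 */
public String getCompositeAdvice(ActionDecision actionDecision)
        throws PolicyException, SSOException {

    if (debug.messageEnabled()) {
        // A null actionDecision is a documented input, so the entry
        // message must not dereference it; otherwise the method would
        // fail with a NullPointerException only when message-level
        // debugging is switched on.
        debug.message("PolicyEvaluator.getCompositeAdvice():"
                + " entering, actionDecision = "
                + ((actionDecision != null)
                        ? actionDecision.toXML() : null));
    }

    String compositeAdvice = null;
    boolean matchFound = false;
    Map advices = null;
    if (actionDecision != null) {
        advices = actionDecision.getAdvices();
    }

    //false : use cached value
    Set handleableAdvices = getAdvicesHandleableByAM(false);

    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.getCompositeAdvice():"
                + " handleableAdvices = " + handleableAdvices);
    }

    if ((advices != null) && !advices.isEmpty()
            && (handleableAdvices != null)
            && (!handleableAdvices.isEmpty())) {
        Set adviceKeys = advices.keySet();

        if (debug.messageEnabled()) {
            debug.message("PolicyEvaluator.getCompositeAdvice():"
                    + " adviceKeys = " + adviceKeys);
        }

        // One advice name that AM can handle is enough; the search stops
        // at the first common key.
        Iterator keyIter = adviceKeys.iterator();
        while (keyIter.hasNext()) {
            Object adviceKey = keyIter.next();
            if (handleableAdvices.contains(adviceKey)) {
                matchFound = true;
                if (debug.messageEnabled()) {
                    debug.message("PolicyEvaluator.getCompositeAdvice():"
                            + " matchFound = " + matchFound);
                    debug.message("PolicyEvaluator.getCompositeAdvice():"
                            + " common key = " + adviceKey);
                }
                break;
            }
        }
    }

    if (matchFound) {
        // The whole advice map is serialized, not only the matching key.
        compositeAdvice = PolicyUtils.advicesToXMLString(advices);
    }

    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.getCompositeAdvice():"
                + " returning, compositeAdvcie = " + compositeAdvice);
    }

    return compositeAdvice;
}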
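/**
 * Registers this client again with policy service to get policy
 * change notifications, then clears the cached policy decisions of the
 * service.
 *
 * @param appToken application sso token to use while registering with
 *        policy service to get notifications; when <code>null</code>,
 *        the application token currently held by this evaluator is used
 * @throws PolicyException if the registration or the cache clearing
 *         reports a policy error
 */
void reRegisterRemotePolicyListener(SSOToken appToken)
        throws PolicyException {
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.reRegisterRemotePolicyListener():"
                + "entering");
    }

    // Register with the token the caller supplied, as the contract says.
    // The stored application token was previously used regardless of the
    // argument; it remains the fallback so a caller passing null keeps
    // the old behaviour.
    final SSOToken registrationToken =
            (appToken != null) ? appToken : appSSOToken;
    resourceResultCache.addRemotePolicyListener(registrationToken,
            serviceName, policyProperties.getNotificationURL(),
            true); //reRegister

    //clear policy decision cache
    resourceResultCache.clearCachedDecisionsForService(serviceName);

    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.reRegisterRemotePolicyListener():"
                + "returning");
    }
}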
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster}