8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: ISPermission.java,v 1.5 2008/08/19 19:09:17 veiming Exp $
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington * Portions Copyrighted 2015 ForgeRock AS.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.service.SSOTokenPrincipal;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.client.PolicyEvaluator;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.client.PolicyEvaluatorFactory;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class provides support for the JAAS Authorization service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * It is a new JAAS <code>Permission</code> which extends the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * {@link java.security.Permission} class. This is the only
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * API which gets used by an application/container to evaluate policy against
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * the OpenAM Policy framework. This class provides implementations
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of all the required abstract methods of <code>java.security.Permission</code>,
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * so that the policy evaluation is made against the OpenAM
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * Policy service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * For example, one would use this class as follows to evaluate policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permissions:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ISPermission perm = new ISPermission("iPlanetAMWebAgentService",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * AccessController.checkPermission(perm);
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * If OpenAM has the policy service
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>iPlanetAMWebAgentService</code> which has a <code>Rule</code> defined
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * for resource <code>http://www.example.com:80</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with action "GET" with allow privilege, this call will return quietly. If
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * such a policy is not found, access is denied and an exception is thrown
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * accordingly. Also, <code>ISPermission</code> co-exists with the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permissions specified in the JDK policy store (by default file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>sun.security.provider.PolicyFile</code>, or one defined on the command line
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * using the -D option).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see java.security.Permission
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see javax.security.auth.Subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see java.security.ProtectionDomain
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.all.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Map envParams = Collections.synchronizedMap(Collections.EMPTY_MAP);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyEvaluatorFactory policyEvalFactory;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static Debug debug = Debug.getInstance("amPolicy");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an <code>ISPermission</code> instance, with the specified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ProtectionDomain</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pd <code>ProtectionDomain</code> for which this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code> is being created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster super("ISPermission");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission(protectionDomain) constructor "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "called ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an <code>ISPermission</code> instance, with the specified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>Subject</code> and the <code>CodeSource</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subject <code>Subject</code> for which this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code> is being created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param codesource <code>CodeSource</code> for which this permission is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * being created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ISPermission(Subject subject,CodeSource codesource) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster super("ISPermission");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission(subject,codesource) constructor "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "called ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an <code>ISPermission</code> instance, with the specified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>CodeSource</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param codesource <code>CodeSource</code> for which this permission is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * being created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster super("ISPermission");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission(codesource) constructor "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "called ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an <code>ISPermission</code> instance, with the specified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * service name, resource name and action name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceName name of service for which this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code> is being created. This name needs to be
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * one of the loaded services in OpenAM's policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * engine. Example: <code>iPlanetAMWebAgentService</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource for which this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code> is being defined.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actions name of the action that needs to be checked for. It
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * may be a <code>String</code> like "GET", "POST" in case of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * service name <code>iPlanetAMWebAgentService</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ISPermission(String serviceName,String resourceName, String
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster super("ISPermission");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: Constructor called");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an <code>ISPermission</code> instance, with the specified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * service name, resource name and action name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceName name of service for which this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code> is being created. This name needs to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * one of the loaded policy services in OpenSSO.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>iPlanetAMWebAgentService</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource for which this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code> is being defined.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actions name of the action that needs to be checked for. It
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * may be a <code>String</code> like "GET", "POST" in case of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * service name <code>iPlanetAMWebAgentService</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParams a <code>java.util.Map</code> of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * which are used by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>com.sun.identity.policy.client.PolicyEvaluator</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to evaluate the <code>com.sun.identity.policy.Conditions</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * associated with the policy. This is a Map of attribute-value pairs
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * representing the environment under which the policy needs to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * evaluated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ISPermission(String serviceName,String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster super("ISPermission");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: Constructor called");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the name of the service associated with this <code>ISPermission</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>String</code> representing the name of the service for this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission: getServiceName called");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the name of the resource associated with this <code>ISPermission</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>String</code> representing the name of the resource for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * this permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission: getResourceName called");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * returns environment parameters and their values associated with this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Map</code> representing the environment parameters of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * this permission. The <code>Map</code> consists of attribute
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * value pairs.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * returns a comma separated list of actions associated with this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a comma separated <code>String</code> representing the name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the action for this object. For example for:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ISPermission isp = new ISPermission("iPlanetAMWebAgentService",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "http://www.sun.com:80", "GET, POST");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * getActions() would return "GET,POST"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission: getActions called");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns true if two comma separated strings are equal.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actions1 actions string.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actions2 actions string.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return true if two comma separated strings are equal.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private boolean actionEquals(String actions1, String actions2) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set actionSet1 = Collections.synchronizedSet(new HashSet());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set actionSet2 = Collections.synchronizedSet(new HashSet());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(actions1,",");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(actions2,",");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a <code>Set</code> of actions for this Permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actions comma separated actions string.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return set of actions in this permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actionSet = Collections.synchronizedSet(new HashSet());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(actions,",");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the <code>Subject</code> associated with this <code>ISPermission</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>javax.security.auth.Subject</code> representing the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * subject of this permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: getSubject called ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the <code>CodeSource</code> associated with this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>java.security.CodeSource</code> representing the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>codesource</code> of this permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: getCodeSource called ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the <code>ProtectionDomain</code> associated with this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ISPermission</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>java.security.ProtectionDomain</code> representing the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>protectionDomain</code> of this permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ProtectionDomain getProtectionDomain() {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: getProtectionDomain called ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Compares two <code>ISPermission</code> objects for equality.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param obj <code>ISPermission</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return true if subject, <code>codesource</code>, service name, resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name, actions and environment parameters of both objects are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean result = true;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: equals(Object) called ");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (obj == this) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::equals::this " +result);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return true;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster result = false; // subject is null, while this.subject is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // not null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::subject equals:"+result);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::codesource equals:"+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ProtectionDomain protectionDomain = perm.getProtectionDomain();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster result = protectionDomain.equals(this.protectionDomain);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::protectionDomain equals:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + protectionDomain.equals(this.protectionDomain));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::servicename equals:"+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster result = resourceName.equals(this.resourceName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::resourceName equals:"+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (envParams != null && !envParams.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (this.envParams != null && !this.envParams.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::equals::returning " +result);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the hash code value for this Permission object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The required <code>hashCode</code> behavior for Permission Objects is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the following: <p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li>Whenever it is invoked on the same Permission object more than
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * once during an execution of a Java application, the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>hashCode</code> method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * must consistently return the same integer. This integer need not
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * remain consistent from one execution of an application to another
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * execution of the same application. <p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li>If two Permission objects are equal according to the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>equals</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method, then calling the <code>hashCode</code> method on each of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * two Permission objects must produce the same integer result.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a hash code value for this object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster hash = hash + this.protectionDomain.hashCode();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::hashCode::"+hash);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks if the specified permission's actions are "implied by"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * this object's actions.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>implies</code> method is used by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AccessController</code> to determine whether or not a requested
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission is implied by another permission that is known to be valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in the current execution context.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param perm the permission to check against.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return true if the specified permission is implied by this object,
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * false if not. The check is made against OpenAM's
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy service to determine this evaluation.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowed = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:passed perm is of type ISPermission");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:implies:protectionDomain not null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::implies: protectionDomain:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster final String serviceName =((ISPermission)perm).getServiceName();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster final String actions = ((ISPermission)perm).getActions();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster final Map envParams = ((ISPermission)perm).getEnvParams();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission: actions="+actions);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Principal[] principals = protectionDomain.getPrincipals();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // principals should have only one entry
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Principal principal = (Principal)principals[0];
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (principal.getName().equals("com.sun.identity."
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"authentication.service.SSOTokenPrincipal")) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::implies:principals:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster tokenPrincipal = (SSOTokenPrincipal) principal;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " Principal is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOTokenManager ssomgr = SSOTokenManager.getInstance();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ssomgr.createSSOToken(tokenPrincipal.getName());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* TODO: ISPermission currently uses the remote policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster client API, so if this class is used on the server side
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster it will always make a remote call; this code needs to change
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster to make a local or remote call accordingly.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission::implies::created "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster break; // the final result is not allowwed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: actions is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } catch (Exception e ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: subject was null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission: allowed::"+allowed);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a <code>java.security.PermissionCollection</code> to store this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * kind of Permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return an instance of <code>ISPermissionCollection</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public PermissionCollection newPermissionCollection() {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("ISPermission:: newISPermissionCollection() called");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a string describing this Permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>String</code> containing information about this Permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster str = str.append("(").append(getClass().getName()).append("\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster str = str.append(subject.toString()).append("\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster str = str.append(codesource.toString()).append("\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((serviceName != null) && (serviceName.length() != 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster str = str.append("serviceName=").append(serviceName).append("\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((resourceName != null) && (resourceName.length() != 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster str = str.append("resourceName=").append(resourceName).append("\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((actions != null) && (actions.length() != 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster str = str.append("actions=").append(actions).append("\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((envParams != null) && !(envParams.isEmpty())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster str = str.append("envParams=").append(envParams.values())