8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * opensso/legal/CDDLv1.0.txt
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * at opensso/legal/CDDLv1.0.txt.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: AMIdentitySubject.java,v 1.3 2008/06/25 05:43:50 qcheng Exp $
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell * Portions Copyrighted 2011-2016 ForgeRock AS.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpackage com.sun.identity.policy.plugins;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOToken;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnellimport com.iplanet.sso.SSOTokenListenersUnsupportedException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.shared.debug.Debug;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.idm.AMIdentity;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.idm.IdRepoException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.idm.IdType;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.idm.IdUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyEvaluator;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.ValidValues;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.ResBundleUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.Syntax;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.NameNotFoundException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.InvalidNameException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.SubjectEvaluationCache;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.Subject;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.security.AdminTokenAction;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Collections;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Iterator;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Locale;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Map;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Set;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.HashSet;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.security.Principal;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.security.AccessController;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * AMIdentitySubject is a <code>Subject</code> implementation that checks for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * membership in a set of <code>AMIdentity</code> objects using the underlying
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Identity repository service.
1164a27de14824155610d26134a4d6d4be686892Phill Cunnington *
8ac02ff33c6b51ef72b5605b99434ccda7d74a0aPhill Cunnington * @deprecated Use {@link org.forgerock.openam.entitlement.conditions.subject.IdentitySubject} instead.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
1164a27de14824155610d26134a4d6d4be686892Phill Cunnington@Deprecated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class AMIdentitySubject implements Subject {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
// Values identifying the AMIdentity objects this subject matches against
// (universal ids, per the setValues contract). isMember() iterates this set.
private Set subjectValues = new HashSet();

// Debug logger obtained under the policy framework's debug name.
private static Debug debug =
        Debug.getInstance(PolicyManager.POLICY_DEBUG_NAME);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Constructs an <code>AMIdentitySubject</code>.
 */
public AMIdentitySubject() {
    // Nothing to set up here: subjectValues is created by its field
    // initializer and starts out empty.
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Initialize the AMIdentitySubject object by using the configuration
 * information passed by the Policy Framework.
 * <p>
 * This implementation does not need anything out of the
 * <code>configParams</code>, so it performs no operation.
 *
 * @param configParams configuration parameters as a <code>Map</code>.
 *
 * @exception PolicyException if an error occurred during
 * initialization of <code>Subject</code> instance
 */
public void initialize(Map configParams) throws PolicyException {
    // Intentionally empty: this subject reads nothing from configParams,
    // so the map is neither validated nor retained.
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Returns the syntax of the values the
 * <code>AMIdentitySubject</code> implementation can have.
 * @see com.sun.identity.policy.Syntax
 *
 * @param token the <code>SSOToken</code> that will be used
 * to determine the syntax
 *
 * @return <code>Syntax</code> of the values for the <code>Subject</code>
 * in this plugin. It returns <code>Syntax.MULTIPLE_CHOICE</code>.
 *
 * @exception SSOException if <code>SSOToken</code> is not valid
 * @exception PolicyException if unable to get the list of
 * valid names.
 */
public Syntax getValueSyntax(SSOToken token) throws SSOException {
    // The token is not consulted: the syntax is fixed for this plugin.
    final Syntax syntax = Syntax.MULTIPLE_CHOICE;
    return syntax;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a list of possible values for the <code>Subject</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token the <code>SSOToken</code> that will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to determine the possible values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ValidValues</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if <code>SSOToken</code> is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the list of valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * names.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NOTE: The AMIdentitySubject plugin does not support this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * functionality and in turn throws unsupported
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PolicyException</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public ValidValues getValidValues(SSOToken token)
        throws SSOException, PolicyException {
    // Delegates to the pattern overload with the match-all pattern. In this
    // class that overload always throws PolicyException, so this call never
    // returns a value.
    final String matchAll = "*";
    return getValidValues(token, matchAll);
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a list of possible values for the <code>Subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * </code> that matches the pattern.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token the <code>SSOToken</code> that will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to determine the possible values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ValidValues</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if SSO token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the list of valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * names.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NOTE: The AMIdentitySubject plugin does not support this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * functionality and in turn throws unsupported
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PolicyException</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public ValidValues getValidValues(SSOToken token, String pattern)
        throws SSOException, PolicyException {
    // This plugin does not enumerate candidate identities, so neither the
    // token nor the pattern is read; every call fails with the same
    // resource-bundle keyed PolicyException.
    PolicyException unsupported = new PolicyException(ResBundleUtils.rbName,
            "am_id_subject_does_not_support_getvalidvalues", null, null);
    throw unsupported;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Returns the display name for the value for the given locale.
 * For all the valid values obtained through the methods
 * <code>getValidValues</code> this method must be called
 * by GUI and CLI to get the corresponding display name.
 * The <code>locale</code> variable could be used by the
 * plugin to customize the display name for the given locale.
 * The <code>locale</code> variable could be <code>null</code>,
 * in which case the plugin must use the default locale (most probably
 * en_US).
 * Alternatively, if the plugin does not have to localize
 * the value, it can just return the <code>value</code> as is.
 *
 * @param value one of the valid values for the plugin
 * @param locale locale for which the display name must be customized
 *
 * @exception NameNotFoundException if the given <code>value</code>
 * is not one of the valid values for the plugin
 */
public String getDisplayNameForValue(String value, Locale locale)
        throws NameNotFoundException {
    // No localisation and no validation happens here: the locale is ignored
    // and the value is echoed back unchanged (null included), so
    // NameNotFoundException is never raised by this implementation.
    // A GUI or CLI that renders the result must encode it for its own
    // output context.
    return value;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Returns the values that were set using the
 * method <code>setValues</code>.
 *
 * @return <code>Set</code> of values that have been set for the user
 * collection
 */
public Set getValues() {
    // NOTE(review): the non-null branch hands out the live internal set, not
    // a copy. A caller that mutates the returned set changes which identities
    // isMember() will match; callers should treat the result as read-only.
    return (subjectValues != null) ? subjectValues : Collections.EMPTY_SET;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the values identifying <code>AMIdentity</code> objects on which
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * membership would be checked
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param names <code>universalId(s)</code> of <code>AMIdentity</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * objects on which memberships would be checked
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the given names are not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public void setValues(Set names) throws InvalidNameException {
    if (names != null) {
        // NOTE(review): addAll merges into the existing set instead of
        // replacing it, so values from an earlier call stay in place and keep
        // matching in isMember(). Confirm that an instance never has
        // setValues called twice, or that accumulation is intended.
        // Element types are not checked here; isMember() casts each element
        // to String, so a non-String entry only fails at evaluation time.
        subjectValues.addAll(names);
        if (debug.messageEnabled()) {
            debug.message("AMIdentitySubejct set subjectValues to: "
                    + subjectValues);
        }
        return;
    }
    // A null set is rejected outright; an empty set is accepted and adds
    // nothing.
    throw new InvalidNameException(ResBundleUtils.rbName,
            "amidentity_subject_invalid_subject_values", null, null,
            PolicyException.USER_COLLECTION);
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Determines if the user is a member of this instance of the
 * <code>Subject</code> object.
 *
 * @param token single sign on token of the user
 *
 * @return <code>true</code> if the user is member of
 * this subject; <code>false</code> otherwise.
 *
 * @exception SSOException if SSO token is not valid
 * @exception PolicyException if an error occurred while
 * checking if the user is a member of this subject
 */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean isMember(SSOToken token)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String tokenID = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String userDN = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (token != null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Object tokenIDObject = token.getTokenID();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (tokenIDObject != null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster tokenID = tokenIDObject.toString();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (tokenID == null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.warningEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("AMIdentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"tokenID is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("AMIdentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"returning false");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Principal principal = token.getPrincipal();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if(principal != null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster userDN = principal.getName();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (userDN == null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.warningEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("AMIdentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"userDN is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("AMIdentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"returning false");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean subjectMatch = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIndentitySubject.isMember(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "entering with userDN = " + userDN);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (subjectValues.size() > 0) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator valueIter = subjectValues.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster while (valueIter.hasNext()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Boolean matchFound = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* Actually this is universal id of AMIdentity object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String subjectValue = (String)valueIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIndentitySubject.isMember(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "checking membership with userDN = " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", subjectValue = " + subjectValue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((matchFound = SubjectEvaluationCache.isMember(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster tokenID, "AMIdentitySubject" ,subjectValue)) != null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "got membership from SubjectEvaluationCache "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " for userDN = " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", subjectValue = " + subjectValue
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", result = " + matchFound.booleanValue());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean result = matchFound.booleanValue();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (result) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIndentitySubject.isMember(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " returning membership status = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + result);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return result;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster continue;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // got here so entry not in subject evalauation cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject:isMember():entry for "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + subjectValue + " not in subject evaluation "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"cache, so compute using IDRepo api");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster try {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMIdentity subjectIdentity = IdUtils.getIdentity(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdminToken(), subjectValue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (subjectIdentity == null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMidentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "subjectIdentity is null for "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "subjectValue = " + subjectValue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMidentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "returning false");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMIdentity tmpIdentity = IdUtils.getIdentity(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String univId = IdUtils.getUniversalId(tmpIdentity);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMIdentity userIdentity = IdUtils.getIdentity(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdminToken(), univId);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (userIdentity == null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMidentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "userIdentity is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMidentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "returning false");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMidentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "user uuid = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + IdUtils.getUniversalId( userIdentity)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", subject uuid = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + IdUtils.getUniversalId(subjectIdentity) );
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster IdType userIdType = userIdentity.getType();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster IdType subjectIdType = subjectIdentity.getType();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set allowedMemberTypes = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (userIdentity.equals(subjectIdentity)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMidentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "userIdentity equals subjectIdentity:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "membership=true");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster subjectMatch = true;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ((allowedMemberTypes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = subjectIdType.canHaveMembers()) != null)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster && allowedMemberTypes.contains(userIdType)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster subjectMatch = userIdentity.isMember(subjectIdentity);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "userIdentity type " + userIdType +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster " can be a member of "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "subjectIdentityType " + subjectIdType
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ":membership=" + subjectMatch);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster subjectMatch = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "userIdentity type " + userIdType +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster " can not be a member of "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "subjectIdentityType " + subjectIdType
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ":membership=" + subjectMatch);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember: adding "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"entry in SubjectEvaluationCache for "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", for userDN = " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", subjectValue = " + subjectValue
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", subjectMatch = " + subjectMatch);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenID)) {
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell try {
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell token.addSSOTokenListener(PolicyEvaluator.ssoListener);
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell SubjectEvaluationCache.addEntry(tokenID, "AMIdentitySubject", subjectValue, subjectMatch);
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell PolicyEvaluator.ssoListenerRegistry.put(tokenID, PolicyEvaluator.ssoListener);
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell debug.message("AMIdentitySubject.isMember(): sso listener added");
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell } catch (SSOTokenListenersUnsupportedException ex) {
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell // Catching exception to avoid adding tokenID to SubjectEvaluationCache and ssoListenerRegistry
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell debug.message("AMIdentitySubject.isMember(): could not add sso listener: {}", ex.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (subjectMatch) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster break;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } catch (IdRepoException ire) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("AMidentitySubject.isMember():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "can not check membership for user "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + userDN + ", subject "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + subjectValue, ire);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String[] args = {userDN, subjectValue};
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "am_id_subject_membership_evaluation_error", args,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ire));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!subjectMatch) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember(): user " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " is not a member of this subject");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember(): User " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " is a member of this subject");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return subjectMatch;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster }
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Return a hash code for this <code>AMIdentitySubject</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a hash code for this <code>AMIdentitySubject</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
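@Override
public int hashCode() {
    // The hash is derived only from subjectValues, the same field equals()
    // compares, so equal subjects hash alike.
    // clone() in this class treats subjectValues as possibly null; guard here
    // as well so that hashing such an instance does not throw.
    return (subjectValues == null) ? 0 : subjectValues.hashCode();
}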
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Indicates whether some other object is "equal to" this one.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param o another object that will be compared with this one
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if equal; <code>false</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * otherwise
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
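@Override
public boolean equals(Object o) {
    // instanceof is false for null, so null and unrelated types are rejected here.
    if (!(o instanceof AMIdentitySubject)) {
        return false;
    }
    AMIdentitySubject other = (AMIdentitySubject) o;
    // clone() in this class treats subjectValues as possibly null; handle that
    // case explicitly rather than failing with a NullPointerException.
    if (subjectValues == null) {
        return other.subjectValues == null;
    }
    // Two subjects are equal exactly when their subject value collections are equal.
    return subjectValues.equals(other.subjectValues);
}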
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Creates and returns a copy of this object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a copy of this object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
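@Override
public Object clone() {
    final AMIdentitySubject copy;
    try {
        copy = (AMIdentitySubject) super.clone();
    } catch (CloneNotSupportedException e) {
        // Not expected to happen; if it ever does, keep the original failure
        // attached as the cause so the error can be diagnosed.
        InternalError failure = new InternalError(e.getMessage());
        failure.initCause(e);
        throw failure;
    }
    if (subjectValues != null) {
        // Give the copy its own set so that adding or removing values on one
        // instance does not show through the other. The elements themselves
        // are shared between the two sets, not copied.
        copy.subjectValues = new HashSet(subjectValues);
    }
    return copy;
}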
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method returns an admin <code>SSOToken</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * which can be used to perform privileged operations.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
private SSOToken getAdminToken() throws SSOException {
    // The token is obtained by running AdminTokenAction inside a privileged block.
    final SSOToken adminToken = (SSOToken) AccessController.doPrivileged(
            AdminTokenAction.getInstance());
    if (adminToken != null) {
        // NOTE(review): per this method's Javadoc the token allows privileged
        // operations; callers should keep it local and avoid logging or caching it.
        return adminToken;
    }
    // No admin token available: report it as an SSOException that wraps the
    // localized "invalid_admin" policy error.
    final PolicyException reason = new PolicyException(
            ResBundleUtils.rbName, "invalid_admin", null, null);
    throw new SSOException(reason);
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster}