AuthLevelCondition.java revision e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910f
/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * Portions Copyright 2014 ForgeRock AS
 */

/**
 * This class <code>AuthLevelCondition</code> is a plugin implementation
 * of <code>Condition</code> interface. This condition would imply policy
 * applies if the <code>requestAuthLevel</code> is greater than or equal to the
 * <code>AuthLevel</code> set in the Condition. <code>requestAuthLevel</code>
 * is looked up from <code>env</code> map passed in the
 * <code>getConditionDecision()</code> call. If it is not found in the
 * <code>env</code> map, <code>AuthLevel</code> is looked up from single sign on
 *
 * @deprecated Use {@link org.forgerock.openam.entitlement.conditions.environment.AuthLevelCondition} instead.
 */

/** No argument constructor */

/**
 * Returns a list of property names for the condition.
 *
 * @return list of property names
 */

/**
 * Returns the syntax for a property name
 * @see com.sun.identity.policy.Syntax
 *
 * @param property property name
 * @return <code>Syntax</code> for the property name
 */

/**
 * Gets the display name for the property name.
 * The <code>locale</code> variable could be used by the plugin to
 * customize the display name for the given locale.
 * The <code>locale</code> variable could be <code>null</code>, in which
 * case the plugin must use the default locale.
 *
 * @param property property name.
 * @param locale locale for which the property name must be customized.
 * @return display name for the property name.
 * @throws PolicyException if unable to get display name
 */

/**
 * Returns a set of valid values given the property name. This method
 * is called if the property Syntax is either the SINGLE_CHOICE or
 *
 * @param property property name
 * @return <code>Set</code> of valid values for the property.
 * @exception PolicyException if unable to get the Syntax.
 */

/** Sets the properties of the condition.
 * Evaluation of <code>ConditionDecision</code> is influenced by these
 *
 * @param properties the properties of the condition that governs
 * whether a policy applies. The properties should
 * define value for the key <code>AUTH_LEVEL</code>. The value
 * should be a Set with only one element. The element should be
 * a String, parseable as an integer or an integer qualified with
 * realm name. Please note that properties is not cloned by
 *
 * @throws PolicyException if properties is null or does not contain
 * value for the key <code>AUTH_LEVEL</code> or the value of the
 * key is not a Set with one String element that is parse-able as
 *
 * @see #REQUEST_AUTH_LEVEL
 * @see #getConditionDecision(SSOToken, Map)
 */

/** Gets the properties of the condition.
 * @return unmodifiable map view of properties that govern the
 * evaluation of the condition decision
 * @see #setProperties(Map)
 */

/**
 * Gets the decision computed by this condition object, based on the
 * map of environment parameters
 *
 * @param token single-sign-on token of the user
 * @param env request specific environment map of key/value pairs
 * <code>AuthLevelCondition</code> looks for value of key
 * <code>REQUEST_AUTH_LEVEL</code> in the map. The value should be
 * an Integer or a set of <code>String</code>s.
 * If it is a <code>Set</code> of <code>String</code>s, each element
 * of the set has to be parseable as integer or should be a realm
 * qualified integer. If the <code>env</code> parameter is null or
 * does not define value for <code>REQUEST_AUTH_LEVEL</code>,
 * the value for <code>REQUEST_AUTH_LEVEL</code> is obtained from
 * the single sign on token of the user.
 *
 * @return the condition decision. The condition decision encapsulates
 * whether a policy applies for the request and advice messages
 * generated by the condition.
 * The decision would imply policy is
 * applicable if <code>AUTH_LEVEL</code> is greater than or equal to
 * <code>REQUEST_AUTH_LEVEL</code>. If <code>AUTH_LEVEL</code> is
 * qualified with a realm name, <code>REQUEST_AUTH_LEVEL</code>
 * values only with the matching realm name are compared. If the
 * policy is not applicable as determined by the
 * <code>Condition</code>, an <code>Advice</code> would be
 * included in the <code>ConditionDecision</code> with key
 * <code>AUTH_LEVEL_ADVICE</code> and value corresponding to
 * <code>AUTH_LEVEL</code>
 * Policy framework continues evaluating a policy only if it applies
 * to the request as indicated by the <code>ConditionDecision</code>.
 * Otherwise, further evaluation of the policy is skipped.
 * However, the <code>Advice</code>s encapsulated in the
 * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
 * in the <code>PolicyDecision</code>.
 *
 * @throws PolicyException if the condition has not been initialized
 * with a successful call to <code>setProperties(Map)</code>
 * and/or the value of <code>REQUEST_AUTH_LEVEL</code> could not
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #REQUEST_AUTH_LEVEL
 * @see com.sun.identity.policy.ConditionDecision
 * @see com.sun.identity.authentication.util.AMAuthUtils
 * #getAuthenticatedLevels(SSOToken)
 * @see com.sun.identity.authentication.util.AMAuthUtils
 * #getRealmQualifiedAuthenticatedLevels(SSOToken)
 */

/**
 * Returns a copy of this object.
 *
 * @return a copy of this object
 */
// this should never happen

/**
 * This method validates the properties set using the <code>setProperties
 * </code> method. It checks for the presence of the required key
 * <code>AUTH_LEVEL</code>, validates it and also makes sure no other
 * invalid key is being set.
 */
//Check if the required key(s) are defined
//Check if all the keys are valid
"attempt_to_set_invalid_property ",

/**
 * This method validates the auth levels set using the <code>setProperties
 * </code> method. It is called from validateProperties() method.
 * It validates <code>AUTH_LEVEL</code>.
 */
"property_does_not_allow_empty_or_multiple_values",

/**
 * gets the maximum auth level specified for the REQUEST_AUTH_LEVEL
 * property in the environment Map.
 * @see #REQUEST_AUTH_LEVEL
 */
+
"envMap,realm): entering: envMap= " +
env +
"getMaxRequestAuthLevel():Integer level in env= " +
"getMaxRequestAuthLevel():" +
"requestAuthLevel Set element"
"request_authlevel_in_env_set_element_not_string",
DEBUG.warning(
"AuthLevelCondition.getMaxRequestAuthLevel():" +
"requestAuthLevel in env neither"
"request_authlevel_in_env_not_Integer_or_set",

/**
 * gets the maximum auth level specified for the REQUEST_AUTH_LEVEL
 * property in the SSO token.
 * @see #REQUEST_AUTH_LEVEL
 */
+
"token,authRealm): entering:" +
"): levels from token= " +
"): qualifiedLeves from token= "

/**
 * Extract the integer auth level from String realm qualified
 */
DEBUG.warning(
"AuthLevelCondition.getAuthLevel(qualifiedLevel):" +
"got NumberFormatException:"
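
The decision rule described in the class comment above (the policy applies when the request auth level is greater than or equal to the configured level, comparing only matching realms when the configured level is realm qualified) can be sketched as follows. This is an added example, not code from this file or from OpenAM: the class and method names are hypothetical, and the `realm:level` form of a realm-qualified value is an assumption, since the page does not show the separator.

```java
import java.util.*;

/** Added illustration only; not the OpenAM class. All names here are hypothetical. */
public class AuthLevelCheckSketch {
    // Assumption: a realm-qualified level is written "realm:level".
    static final char SEP = ':';

    /** Realm part of a value, or null when the value is a bare integer. */
    static String realmOf(String v) {
        int i = v.lastIndexOf(SEP);
        return i < 0 ? null : v.substring(0, i);
    }

    /** Integer part of a value. A malformed level throws, so it fails closed instead of counting as 0. */
    static int levelOf(String v) {
        return Integer.parseInt(v.substring(v.lastIndexOf(SEP) + 1).trim());
    }

    /** Highest request level usable against the configured value; -1 if none qualifies. */
    static int maxRequestLevel(Set<String> requestLevels, String configured) {
        String realm = realmOf(configured);
        int max = -1;
        for (String v : requestLevels) {
            // A realm-qualified condition only counts levels earned in that same realm.
            if (realm != null && !realm.equals(realmOf(v))) {
                continue;
            }
            max = Math.max(max, levelOf(v));
        }
        return max;
    }

    /** Empty map: the policy applies. Otherwise AUTH_LEVEL_ADVICE carries the configured AUTH_LEVEL. */
    static Map<String, String> decide(Set<String> requestLevels, String configured) {
        if (maxRequestLevel(requestLevels, configured) >= levelOf(configured)) {
            return Collections.emptyMap();
        }
        return Collections.singletonMap("AUTH_LEVEL_ADVICE", configured);
    }

    public static void main(String[] args) {
        // Constructed sample: level 2 earned in /partners, level 0 in /staff.
        Set<String> levels = new HashSet<>(Arrays.asList("/partners:2", "/staff:0"));
        System.out.println(decide(levels, "1"));           // unqualified: any realm's level counts
        System.out.println(decide(levels, "/partners:2")); // matching realm, level reached
        System.out.println(decide(levels, "/staff:1"));    // level 2 from /partners must not satisfy /staff
    }
}
```

The third call is the case the realm qualifier exists for: a higher level obtained in one realm does not satisfy a condition scoped to another, and the caller receives advice naming the level it still has to reach.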