001/* 002 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 003 * 004 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved 005 * 006 * The contents of this file are subject to the terms 007 * of the Common Development and Distribution License 008 * (the License). You may not use this file except in 009 * compliance with the License. 010 * 011 * You can obtain a copy of the License at 012 * https://opensso.dev.java.net/public/CDDLv1.0.html or 013 * opensso/legal/CDDLv1.0.txt 014 * See the License for the specific language governing 015 * permission and limitations under the License. 016 * 017 * When distributing Covered Code, include this CDDL 018 * Header Notice in each file and include the License file 019 * at opensso/legal/CDDLv1.0.txt. 020 * If applicable, add the following below the CDDL Header, 021 * with the fields enclosed by brackets [] replaced by 022 * your own identifying information: 023 * "Portions Copyrighted [year] [name of copyright owner]" 024 * 025 * $Id: ProxyPolicyEvaluator.java,v 1.4 2009/01/28 05:35:01 ww203982 Exp $ 026 * 027 * Portions Copyrighted 2011-2015 ForgeRock AS. 028 */ 029 030package com.sun.identity.policy; 031 032import java.util.Map; 033import java.util.Set; 034 035import com.iplanet.sso.SSOException; 036import com.iplanet.sso.SSOToken; 037import com.iplanet.sso.SSOTokenManager; 038import org.forgerock.opendj.ldap.DN; 039 040/** 041 * Class that lets a priviliged user to compute policy results for 042 * another user. 043 * Only privileged users can get <code>ProxyPolicyEvaluator</code> 044 * - only top level administrator, realm level policy administrator, 045 * realm administrator or realm policy administrator can get 046 * <code>ProxyPolicyEvaluator</code>. Top level administrator can compute policy 047 * results for any user. Realm administrator or policy administrator can 048 * compute policy results only for users who are members of the realm 049 * (including sub realm) that they manage. 
If they try to compute policy
 * results for any other user, they would get a <code>PolicyException</code>.
 * This class can be used only within the web container running policy server.
 * <p>
 * NOTE(review): this class performs no privilege check of its own. The
 * package-private constructor only verifies that the token is a live session
 * (<code>SSOTokenManager.validateToken</code>) and obtains a
 * <code>PolicyEvaluator</code> for it; the "only privileged users" guarantee
 * described above must therefore be enforced by whichever package-level
 * caller hands out instances (presumably the proxy evaluator factory) -
 * confirm before relying on it.
 * <p>
 * Because subject matching is skipped, a decision returned by this class
 * exposes which policy conditions and advices apply to a resource regardless
 * of who asks; results should only be surfaced to administrators. Each
 * evaluation is written to the policy access log (when access logging is
 * enabled) with the administrator's principal name, and the full decision
 * and resource name are echoed to the debug log at message level.
 *
 * @supported.all.api
 * @deprecated since 12.0.0
 */
@Deprecated
public class ProxyPolicyEvaluator {

    /** Validated session token of the administrator on whose behalf evaluations run. */
    private SSOToken adminToken;
    /** Service type the wrapped evaluator was created for; used only in debug output. */
    private String serviceType;
    /** Evaluator that does the actual decision computation. */
    private PolicyEvaluator policyEvaluator;
    // Base DN of the configuration store, resolved once at class load.
    // Neither field is referenced anywhere in this class; they are kept
    // unchanged so that class-load behaviour is unaffected.
    private static String baseDNString;
    private static DN baseDN;

    static {
        baseDNString = com.sun.identity.sm.ServiceManager.getBaseDN();
        baseDN = DN.valueOf(baseDNString);
    }

    /**
     * Creates a proxy evaluator bound to the given administrator session.
     * Package-private: instances are expected to be obtained through the
     * policy package's factory, which is where any privilege check must live.
     *
     * @param token single sign on token of the administrator; must be a valid,
     *        non-expired session
     * @param serviceType service type for which the underlying
     *        <code>PolicyEvaluator</code> is created
     * @throws NoPermissionException if the token does not have privileges
     *         to create proxy policy evaluator
     * @throws NameNotFoundException if the serviceType is not found in
     *         registered service types
     * @throws PolicyException any policy exception coming from policy
     *         framework
     * @throws SSOException if the token is invalid
     */
    ProxyPolicyEvaluator(SSOToken token, String serviceType)
            throws NoPermissionException, NameNotFoundException,
            PolicyException, SSOException {
        // Fail fast on an expired or otherwise invalid session before
        // anything is built on top of it.
        SSOTokenManager.getInstance().validateToken(token);
        this.adminToken = token;
        this.serviceType = serviceType;
        PolicyEvaluatorFactory factory = PolicyEvaluatorFactory.getInstance();
        this.policyEvaluator = factory.getPolicyEvaluator(token, serviceType);
    }

    /**
     * Computes the policy decision for a resource without evaluating policy
     * subjects. Conditions are still evaluated, so the decision carries the
     * advices (for example <code>AuthLevel</code> or <code>AuthScheme</code>)
     * that would be required to reach the resource.
     * <p>
     * The evaluation is recorded in the access log under the administrator's
     * principal name when <code>PolicyUtils.logStatus</code> is set, and the
     * resource name plus full decision are written to the debug log when
     * message-level debugging is on.
     *
     * @param resourceName name of the resource for which to compute policy
     *        decision
     * @param actionNames names of the actions the user is trying to perform on
     *        the resource (raw <code>Set</code>; presumably of
     *        <code>String</code> - see the underlying evaluator)
     * @param env run time environment parameters (raw <code>Map</code>)
     * @return the policy decision for the given resource, ignoring subjects
     * @throws PolicyException exception from policy framework
     * @throws SSOException if single sign on token is invalid
     */
    public PolicyDecision getPolicyDecisionIgnoreSubjects(String resourceName,
            Set actionNames, Map env) throws PolicyException, SSOException {
        PolicyDecision decision = policyEvaluator.getPolicyDecisionIgnoreSubjects(
                resourceName, actionNames, env);
        recordAccess(resourceName, decision);
        recordDebug(resourceName, decision);
        return decision;
    }

    /**
     * Writes the evaluation to the policy access log, attributed to the
     * administrator, when access logging is enabled and the decision renders
     * to a non-empty string.
     */
    private void recordAccess(String resourceName, PolicyDecision decision)
            throws PolicyException, SSOException {
        if (!PolicyUtils.logStatus) {
            return;
        }
        String rendered = decision.toString();
        if (rendered == null || rendered.length() == 0) {
            return;
        }
        String[] fields = {
            adminToken.getPrincipal().getName(), resourceName, rendered
        };
        PolicyUtils.logAccessMessage(
                "PROXIED_POLICY_EVALUATION_IGNORING_SUBJECTS", fields, adminToken);
    }

    /**
     * Echoes the administrator, resource, service type and decision to the
     * debug log when message-level debugging is enabled.
     */
    private void recordDebug(String resourceName, PolicyDecision decision)
            throws PolicyException, SSOException {
        if (!PolicyManager.debug.messageEnabled()) {
            return;
        }
        PolicyManager.debug.message(
                " Admin: " + adminToken.getPrincipal().getName()
                + " got policy decision "
                + " ignoring subjects "
                + " for resourceName:" + resourceName
                + " for serviceType :" + serviceType
                + " is " + decision);
    }
}