Class PolicyEvaluator


  • @Deprecated
    public class PolicyEvaluator
    extends Object
    Deprecated.
    since 12.0.0
    The class PolicyEvaluator evaluates policies and provides policy decisions.
    • Field Detail

      • ALL_RESOURCES

        public static final String ALL_RESOURCES
        Deprecated.
        Constant used to identify all the resources of a service type. The resources include the sub resources of all resource prefixes of the resource type.
        See Also:
        Constant Field Values
      • EMPTY_RESOURCE_NAME

        public static final String EMPTY_RESOURCE_NAME
        Deprecated.
        Constant used to identify the empty resource.
        See Also:
        Constant Field Values
      • SUN_AM_REQUESTED_RESOURCE

        public static final String SUN_AM_REQUESTED_RESOURCE
        Deprecated.
        Key under which the canonicalized requested resource name is passed in the env map, so that Condition(s)/ResponseProvider(s) can use the requested resource name if necessary.
        See Also:
        Constant Field Values
      • SUN_AM_ORIGINAL_REQUESTED_RESOURCE

        public static final String SUN_AM_ORIGINAL_REQUESTED_RESOURCE
        Deprecated.
        Key under which the uncanonicalized (original) requested resource name is passed in the env map, so that Condition(s)/ResponseProvider(s) can use the requested resource name if necessary.
        See Also:
        Constant Field Values
      • SUN_AM_REQUESTED_ACTIONS

        public static final String SUN_AM_REQUESTED_ACTIONS
        Deprecated.
        Key under which the requested action names are passed in the env map, so that Condition(s)/ResponseProvider(s) can use the requested action names if necessary.
        See Also:
        Constant Field Values
      • REALM_DN

        public static final String REALM_DN
        Deprecated.
        Key under which the realm DN is passed in the env map, so that Condition(s) can look up the relevant PolicyConfig config map if necessary. LDAPFilterCondition needs the PolicyConfig config map.
        See Also:
        Constant Field Values
      • DEFAULT_RESULTS_CACHE_SESSION_CAP

        public static int DEFAULT_RESULTS_CACHE_SESSION_CAP
        Deprecated.
      • resultsCacheSessionCap

        public static int resultsCacheSessionCap
        Deprecated.
      • DEFAULT_RESULTS_CACHE_RESOURCE_CAP

        public static int DEFAULT_RESULTS_CACHE_RESOURCE_CAP
        Deprecated.
      • resultsCacheResourceCap

        public static int resultsCacheResourceCap
        Deprecated.
      • ssoListenerRegistry

        public static Map ssoListenerRegistry
        Deprecated.
      • ssoListener

        public static SSOTokenListener ssoListener
        Deprecated.
        Listener object used to clean up the userNSRoleCache, subjectEvaluationCache, the user role cache in LDAPRoles and the policyResultsCache upon user token expiration.
    • Constructor Detail

      • PolicyEvaluator

        public PolicyEvaluator​(String orgName,
                               String serviceTypeName,
                               String applicationName)
                        throws PolicyException,
                               SSOException
        Deprecated.
        Creates a new policy evaluator instance.
        Parameters:
        orgName - the name of the organization under which the evaluation is being done
        serviceTypeName - the name of the ServiceType for which this evaluator can be used
        applicationName - the application name containing the policies in question
        Throws:
        PolicyException - should some error occur while constructing the evaluator
        SSOException - should some error occur with regards to any SSO token
    • Method Detail

      • isAllowed

        public boolean isAllowed​(SSOToken token,
                                 String resourceName,
                                 String actionName)
                          throws PolicyException,
                                 SSOException
        Deprecated.
        Evaluates a simple privilege of boolean type. The privilege indicates whether the user can perform the specified action on the specified resource. Invoking this method results in a PolicyException if the syntax for the actionName is not declared to be boolean in the service schema.
        Parameters:
        token - single sign on token of the user evaluating policies
        resourceName - name of the resource the user is trying to access
        actionName - name of the action the user is trying to perform on the resource
        Returns:
        the result of the evaluation as a boolean value
        Throws:
        SSOException - single-sign-on token invalid or expired
        PolicyException - for any other abnormal condition
      • isAllowed

        public boolean isAllowed​(SSOToken token,
                                 String resourceName,
                                 String actionName,
                                 Map envParameters)
                          throws SSOException,
                                 PolicyException
        Deprecated.
        Evaluates a simple privilege of boolean type. The privilege indicates whether the user can perform the specified action on the specified resource. The evaluation depends on the user's application environment parameters. Invoking this method results in a PolicyException if the syntax for the actionName is not declared to be boolean in the service schema.
        Parameters:
        token - single sign on token of the user evaluating policies
        resourceName - name of the resource the user is trying to access
        actionName - name of the action the user is trying to perform on the resource
        envParameters - run-time environment parameters
        Returns:
        the result of the evaluation as a boolean value
        Throws:
        SSOException - single-sign-on token invalid or expired
        PolicyException - for any other abnormal condition
      • getPolicyDecision

        public PolicyDecision getPolicyDecision​(SSOToken token,
                                                String resourceName,
                                                Set actionNames)
                                         throws PolicyException,
                                                SSOException
        Deprecated.
        Evaluates privileges of the user to perform the specified actions on the specified resource.
        Parameters:
        token - single sign on token of the user evaluating policies
        resourceName - name of the resource the user is trying to access
        actionNames - a Set of String objects representing names of the actions the user is trying to perform on the resource
        Returns:
        policy decision
        Throws:
        SSOException - single-sign-on token invalid or expired
        PolicyException - for any other abnormal condition.
      • getPolicyDecision

        public PolicyDecision getPolicyDecision​(SSOToken token,
                                                String resourceName,
                                                Set actionNames,
                                                Map envParameters)
                                         throws SSOException,
                                                PolicyException
        Deprecated.
        Evaluates privileges of the user to perform the specified actions on the specified resource. The evaluation depends on user's application environment parameters.
        Parameters:
        token - single sign on token of the user evaluating policies
        resourceName - name of the resource the user is trying to access
        actionNames - Set of names (String) of the actions the user is trying to perform on the resource
        envParameters - Map of run-time environment parameters
        Returns:
        policy decision
        Throws:
        SSOException - single-sign-on token invalid or expired
        PolicyException - for any other abnormal condition
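        The following is an added example and not code from this page or from the policy service itself. It shows how a caller would combine the constructor, isAllowed(SSOToken, String, String, Map) and getPolicyDecision(SSOToken, String, Set, Map) into a fail-closed authorization check. The realm, service type and application name, the "requestIp" env key, and the PolicyDecision.getActionDecisions() / ActionDecision.getValues() accessors are assumptions for this example; only the PolicyEvaluator members are documented above.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.policy.ActionDecision;
import com.sun.identity.policy.PolicyDecision;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;

/**
 * Added example, not code from the PolicyEvaluator page: a fail-closed
 * authorization check for an HTTP resource using the legacy policy API.
 */
public class WebAccessCheck {

    // Assumed deployment values: the root realm plus the web-agent service
    // type and application name. Use the service type whose schema declares
    // the actions you evaluate.
    private static final String REALM = "/";
    private static final String SERVICE_TYPE = "iPlanetAMWebAgentService";
    private static final String APPLICATION = "iPlanetAMWebAgentService";

    private final PolicyEvaluator evaluator;

    public WebAccessCheck() throws PolicyException, SSOException {
        // One evaluator per (realm, service type, application); reuse it
        // across requests rather than constructing one per call.
        evaluator = new PolicyEvaluator(REALM, SERVICE_TYPE, APPLICATION);
    }

    /**
     * Run-time environment for the request. Values are Sets of Strings.
     * "requestIp" is assumed to be the key read by the IP-address condition
     * configured in this deployment; use the keys your Conditions expect.
     */
    static Map<String, Set<String>> envFor(String clientIp) {
        Map<String, Set<String>> env = new HashMap<>();
        env.put("requestIp", Collections.singleton(clientIp));
        return env;
    }

    /**
     * Boolean check for one action. Both failure modes are mapped to deny:
     * SSOException (invalid or expired session) and PolicyException (for
     * example, the action is not declared boolean in the service schema).
     */
    public boolean isAllowed(String tokenId, String url, String action, String clientIp) {
        try {
            SSOToken token = SSOTokenManager.getInstance().createSSOToken(tokenId);
            return evaluator.isAllowed(token, url, action, envFor(clientIp));
        } catch (SSOException e) {
            return false;
        } catch (PolicyException e) {
            return false;
        }
    }

    /**
     * Full decision for several actions in one round trip. Returns a map of
     * action name to the value set the policy service returned for it; an
     * action with no applicable policy has no entry, and the caller must
     * treat a missing entry as deny. getActionDecisions() and getValues()
     * are assumed accessors, not documented on this page.
     */
    @SuppressWarnings("unchecked")
    public Map<String, Set<String>> decide(SSOToken token, String url,
                                           Set<String> actions, String clientIp)
            throws PolicyException, SSOException {
        PolicyDecision decision =
            evaluator.getPolicyDecision(token, url, actions, envFor(clientIp));
        Map<String, Set<String>> out = new HashMap<>();
        Map<String, ActionDecision> byAction = decision.getActionDecisions();
        for (Map.Entry<String, ActionDecision> e : byAction.entrySet()) {
            out.put(e.getKey(), new HashSet<String>(e.getValue().getValues()));
        }
        return out;
    }
}
```

        Mapping both exceptions to deny is the security-relevant choice here: a schema mismatch or an expired session must never fall through to an allow, and a PolicyDecision that carries no entry for a requested action is a denial, not an absence of opinion.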
      • getProtectedResourcesIgnoreConditions

        public Set getProtectedResourcesIgnoreConditions​(SSOToken token,
                                                         String rootResource)
                                                  throws SSOException,
                                                         PolicyException
        Deprecated.
        Gets protected resources for a user identified by a single sign on token. Conditions defined in the policies are ignored while computing protected resources. Only resources that are sub resources of the given rootResource or equal to the given rootResource are returned. If all policies applicable to a resource are referral policies only, no ProtectedResource is returned for that resource.
        Parameters:
        token - single sign on token of the user
        rootResource - only resources that are sub resources of the given rootResource or equal to the given rootResource are returned. If PolicyEvaluator.ALL_RESOURCES is passed as rootResource, resources under all root resources of the service type are considered while computing protected resources.
        Returns:
        Set of protected resources. The set contains ProtectedResource objects.
        Throws:
        SSOException - if single sign on token is invalid
        PolicyException - for any other abnormal condition
        See Also:
        ProtectedResource
      • getResourceResults

        public Set getResourceResults​(SSOToken token,
                                      String resourceName,
                                      String scope,
                                      Map envParameters)
                               throws SSOException,
                                      PolicyException
        Deprecated.
        Gets resource result objects given a resource name. The set contains ResourceResult objects for all resources that would affect policy decisions for any resource associated with the argument resource name. To determine whether to include the ResourceResult of a resource, the argument resource name and the policy resource name are compared, treating wild characters in the policy resource name as wild. If the comparison results in EXACT_MATCH, WILDCARD_MATCH or SUB_RESOURCE_MATCH, the resource result is included.
        Parameters:
        token - single sign on token of the user evaluating policies
        resourceName - name of the resource
        scope - indicates whether to compute the resource result based on the policy decision for only the resourceName or all the resources associated with the resource name. The valid scope values are:
        • ResourceResult.SUBTREE_SCOPE
        • ResourceResult.STRICT_SUBTREE_SCOPE
        • ResourceResult.SELF_SCOPE
            If the scope is ResourceResult.SUBTREE_SCOPE, the method will return a set of ResourceResult objects, one of them for the resourceName and its sub resources; the others are for resources that match the resourceName by wildcard. If the scope is ResourceResult.STRICT_SUBTREE_SCOPE, the method will return a set object that contains one ResourceResult object. The ResourceResult contains the policy decisions regarding the resourceName and its sub resources. If the scope is ResourceResult.SELF_SCOPE, the method will return a set object that contains one ResourceResult object. The ResourceResult contains the policy decision regarding the resourceName only.
        envParameters - run-time environment parameters
        Returns:
        set of ResourceResult objects
        Throws:
        SSOException - if token is invalid
        PolicyException - for any other abnormal condition
        See Also:
        ResourceMatch.EXACT_MATCH, ResourceMatch.SUB_RESOURCE_MATCH, ResourceMatch.WILDCARD_MATCH, ResourceResult.SUBTREE_SCOPE, ResourceResult.STRICT_SUBTREE_SCOPE, ResourceResult.SELF_SCOPE
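        The following is an added example, not code from this page or from the policy service, showing how a caller walks the set returned by getResourceResults(SSOToken, String, String, Map) under ResourceResult.SUBTREE_SCOPE. The ResourceResult accessors getResourceName(), getPolicyDecision() and getResourceResults() (child results), and PolicyDecision.getActionDecisions() / ActionDecision.getValues(), are assumptions for this example; they are not documented on this page.

```java
import java.util.Map;
import java.util.Set;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.policy.ActionDecision;
import com.sun.identity.policy.PolicyDecision;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.ResourceResult;

/**
 * Added example, not code from the PolicyEvaluator page: renders the
 * ResourceResult trees for a subtree as one indented line per resource,
 * each followed by its action decisions.
 */
public class ResourceTreeDump {

    /**
     * Renders every ResourceResult reachable from rootResource. With
     * SUBTREE_SCOPE the set may hold several roots: one for rootResource and
     * its sub resources, plus one per policy resource that matches
     * rootResource by wildcard.
     */
    @SuppressWarnings("unchecked")
    public static String render(PolicyEvaluator evaluator, SSOToken token,
                                String rootResource, Map<String, Set<String>> env)
            throws PolicyException, SSOException {
        Set<ResourceResult> results = evaluator.getResourceResults(
                token, rootResource, ResourceResult.SUBTREE_SCOPE, env);
        StringBuilder out = new StringBuilder();
        for (ResourceResult rr : results) {
            walk(rr, 0, out);
        }
        return out.toString();
    }

    /** Depth-first walk; assumed accessors on ResourceResult, see above. */
    @SuppressWarnings("unchecked")
    private static void walk(ResourceResult rr, int depth, StringBuilder out) {
        for (int i = 0; i < depth; i++) {
            out.append("  ");
        }
        out.append(rr.getResourceName());
        PolicyDecision pd = rr.getPolicyDecision();
        if (pd != null) {
            Map<String, ActionDecision> actions = pd.getActionDecisions();
            for (Map.Entry<String, ActionDecision> e : actions.entrySet()) {
                out.append(' ').append(e.getKey()).append('=')
                   .append(e.getValue().getValues());
            }
        }
        out.append('\n');
        Set<ResourceResult> children = rr.getResourceResults();
        for (ResourceResult child : children) {
            walk(child, depth + 1, out);
        }
    }
}
```

        Conditions are evaluated against the env map supplied at the time of this call, so a listing built this way is a snapshot suitable for display (for example, building a menu of reachable resources). The decision for an actual request should still be taken per request through isAllowed or getPolicyDecision with that request's environment.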
      • getResourceResult

        public ResourceResult getResourceResult​(SSOToken token,
                                                String resourceName,
                                                String scope,
                                                Map envParameters)
                                         throws SSOException,
                                                PolicyException
        Deprecated.
        Use getResourceResults()
        Gets the resource result given a resource name. ResourceResult is a tree representation of policy decisions for all resources rooted at the resource name. To determine whether a resource defined in the policy is a sub resource of the argument resource name, the argument resource name and the policy resource name are compared, treating wild characters as literals. If the comparison results in EXACT_MATCH or SUB_RESOURCE_MATCH, the resource is included.
        Parameters:
        token - single sign on token of the user evaluating policies
        resourceName - name of the resource
        scope - indicates whether to compute the resource result based on the policy decision for only the resourceName or all the resources associated with the resource name. The valid scope values are:
        • ResourceResult.SUBTREE_SCOPE
        • ResourceResult.STRICT_SUBTREE_SCOPE
        • ResourceResult.SELF_SCOPE
        If the scope is ResourceResult.SUBTREE_SCOPE or ResourceResult.STRICT_SUBTREE_SCOPE, the method returns a ResourceResult object that contains the policy decisions regarding the resourceName and its sub resources. If the scope is ResourceResult.SELF_SCOPE, the method returns a ResourceResult object that contains the policy decision regarding the resourceName only. Note that the scope values ResourceResult.SUBTREE_SCOPE and ResourceResult.STRICT_SUBTREE_SCOPE are treated as the same for backward compatibility reasons. This method is deprecated; getResourceResults() should be used instead.
        envParameters - run-time environment parameters
        Returns:
        ResourceResult.
        Throws:
        SSOException - if token is invalid
        PolicyException - for any other abnormal condition
        See Also:
        ResourceMatch.EXACT_MATCH, ResourceMatch.SUB_RESOURCE_MATCH, ResourceMatch.WILDCARD_MATCH, ResourceResult.SUBTREE_SCOPE, ResourceResult.STRICT_SUBTREE_SCOPE, ResourceResult.SELF_SCOPE
      • getResourceNames

        public Set getResourceNames​(SSOToken token,
                                    String resourceName,
                                    boolean followReferral)
                             throws PolicyException,
                                    SSOException
        Deprecated.
        Gets resource names that are exact matches, sub resources or wild card matches of the argument resource name. To determine whether to include the name of a resource, the argument resource name and the policy resource name are compared, treating wild characters in the policy resource name as wild. If the comparison results in EXACT_MATCH, WILDCARD_MATCH or SUB_RESOURCE_MATCH, the resource name is included.
        Parameters:
        token - single sign on token
        resourceName - resource name
        followReferral - indicates whether to follow the referrals defined in policies to compute resource names
        Returns:
        names of sub resources for the given resourceName. The return value would also include the resourceName.
        Throws:
        SSOException - if token is invalid
        PolicyException - for any other abnormal condition
        See Also:
        ResourceMatch.EXACT_MATCH, ResourceMatch.SUB_RESOURCE_MATCH, ResourceMatch.WILDCARD_MATCH
      • getResourceNames

        public Set getResourceNames​(SSOToken token,
                                    String resourceName,
                                    boolean followReferral,
                                    Set visitedOrgs)
                             throws PolicyException,
                                    SSOException
        Deprecated.
        Gets resource names that are exact matches, sub resources or wild card matches of the argument resource name. To determine whether to include the name of a resource, the argument resource name and the policy resource name are compared, treating wild characters in the policy resource name as wild. If the comparison results in EXACT_MATCH, WILDCARD_MATCH or SUB_RESOURCE_MATCH, the resource name is included.
        Parameters:
        token - single sign on token
        resourceName - resource name
        followReferral - indicates whether to follow the referrals defined in policies to compute resource names
        visitedOrgs - organizations that were already visited to compute resource names
        Returns:
        names of sub resources for the given resourceName. The return value would also include the resourceName.
        Throws:
        SSOException - if token is invalid
        PolicyException - for any other abnormal condition
        See Also:
        ResourceMatch.EXACT_MATCH, ResourceMatch.SUB_RESOURCE_MATCH, ResourceMatch.WILDCARD_MATCH
      • addPolicyListener

        public void addPolicyListener​(PolicyListener policyListener)
        Deprecated.
        Adds a policy listener that would be notified whenever a policy is added, removed or changed
        Parameters:
        policyListener - the listener to be added
      • removePolicyListener

        public void removePolicyListener​(PolicyListener policyListener)
        Deprecated.
        Removes a policy listener that was previously registered to receive notifications whenever a policy is added, removed or changed. It is not an error to attempt to remove a listener that was not registered; the call returns silently.
        Parameters:
        policyListener - the listener to be removed
      • getUserNSRoleValues

        public static Set getUserNSRoleValues​(SSOToken token)
                                       throws SSOException,
                                              PolicyException
        Deprecated.
        Get the set of role DNs of a user. The role DNs are cached to improve the performance of IdentityServerRole subject membership validation.
        Parameters:
        token - single sign on token of the user evaluating policies
        Returns:
        The set of user nsRole attribute values
        Throws:
        SSOException - single-sign-on token invalid or expired
        PolicyException - if an error occurred while getting the user's nsRole attribute value set