com.sun.identity.policy
Class PolicyEvaluator

java.lang.Object
  |
  +--com.sun.identity.policy.PolicyEvaluator

public class PolicyEvaluator
extends java.lang.Object

The class PolicyEvaluator evaluates policies and provides policy decisions.


Field Summary
static java.lang.String ALL_RESOURCES
          Constant used to identify all the resources of a service type.
static java.lang.String EMPTY_RESOURCE_NAME
          Constant used to identify the empty resource.
 
Constructor Summary
PolicyEvaluator(java.lang.String serviceTypeName)
          Constructor to create a PolicyEvaluator given the service type name.
 
Method Summary
 void addPolicyListener(PolicyListener policyListener)
          Adds a policy listener that would be notified whenever a policy is added, removed or changed
 PolicyDecision getPolicyDecision(SSOToken token, java.lang.String resourceName, java.util.Set actionNames, java.util.Map envParameters)
          Evaluates privileges of the user to perform the specified actions on the specified resource.
 java.util.Set getProtectedResourcesIgnoreConditions(SSOToken token, java.lang.String rootResource)
          Gets protected resources for a user identified by a single sign on token. Conditions defined in the policies are ignored while computing protected resources.
 ResourceResult getResourceResult(SSOToken token, java.lang.String resourceName, java.lang.String scope, java.util.Map envParameters)
          Deprecated. Use getResourceResults()
 java.util.Set getResourceResults(SSOToken token, java.lang.String resourceName, java.lang.String scope, java.util.Map envParameters)
          Gets resource result objects given a resource name.
 boolean isAllowed(SSOToken token, java.lang.String resourceName, java.lang.String actionName, java.util.Map envParameters)
          Evaluates simple privileges of boolean type.
 void removePolicyListener(PolicyListener policyListener)
          Removes a policy listener that was previously registered to receive notifications whenever a policy is added, removed or changed.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ALL_RESOURCES

public static final java.lang.String ALL_RESOURCES
Constant used to identify all the resources of a service type. The resources include the sub resources of all resource prefixes of the resource type.

EMPTY_RESOURCE_NAME

public static final java.lang.String EMPTY_RESOURCE_NAME
Constant used to identify the empty resource.
Constructor Detail

PolicyEvaluator

public PolicyEvaluator(java.lang.String serviceTypeName)
                throws SSOException,
                       NameNotFoundException,
                       PolicyException
Constructor to create a PolicyEvaluator given the service type name.
Parameters:
serviceTypeName - the name of the service type for which this evaluator can be used
Throws:
SSOException - if SSOToken used by PolicyEvaluator is invalid
NameNotFoundException - if the service with name serviceTypeName is not found
PolicyException - for any other abnormal condition
Method Detail

isAllowed

public boolean isAllowed(SSOToken token,
                         java.lang.String resourceName,
                         java.lang.String actionName,
                         java.util.Map envParameters)
                  throws SSOException,
                         PolicyException
Evaluates simple privileges of boolean type. The privilege indicates whether the user can perform the specified action on the specified resource. The evaluation depends on the user's application environment parameters. Invoking this method results in a PolicyException if the syntax for the actionName is not declared to be boolean in the service schema.
Parameters:
token - single sign on token of the user evaluating policies
resourceName - name of the resource the user is trying to access
actionName - name of the action the user is trying to perform on the resource
envParameters - run-time environment parameters
Returns:
the result of the evaluation as a boolean value
Throws:
SSOException - single-sign-on token invalid or expired
PolicyException - for any other abnormal condition

getPolicyDecision

public PolicyDecision getPolicyDecision(SSOToken token,
                                        java.lang.String resourceName,
                                        java.util.Set actionNames,
                                        java.util.Map envParameters)
                                 throws SSOException,
                                        PolicyException
Evaluates privileges of the user to perform the specified actions on the specified resource. The evaluation depends on the user's application environment parameters.
Parameters:
token - single sign on token of the user evaluating policies
resourceName - name of the resource the user is trying to access
actionNames - names of the actions the user is trying to perform on the resource
envParameters - run-time environment parameters
Returns:
policy decision
Throws:
SSOException - single-sign-on token invalid or expired
PolicyException - for any other abnormal condition

getProtectedResourcesIgnoreConditions

public java.util.Set getProtectedResourcesIgnoreConditions(SSOToken token,
                                                           java.lang.String rootResource)
                                                    throws SSOException,
                                                           PolicyException
Gets protected resources for a user identified by a single sign on token. Conditions defined in the policies are ignored while computing protected resources. Only resources that are sub resources of the given rootResource or equal to the given rootResource are returned. If all policies applicable to a resource are only referral policies, no ProtectedResource is returned for such a resource.
Parameters:
token - single sign on token of the user
rootResource - only resources that are sub resources of the given rootResource or equal to the given rootResource are returned. If PolicyEvaluator.ALL_RESOURCES is passed as rootResource, resources under all root resources of the service type are considered while computing protected resources.
Returns:
set of protected resources. The set contains ProtectedResource objects.
Throws:
SSOException - if single sign on token is invalid
PolicyException - for any other abnormal condition
See Also:
ProtectedResource

getResourceResults

public java.util.Set getResourceResults(SSOToken token,
                                        java.lang.String resourceName,
                                        java.lang.String scope,
                                        java.util.Map envParameters)
                                 throws SSOException,
                                        PolicyException
Gets resource result objects given a resource name. The set contains ResourceResult objects for all resources that would affect policy decisions for any resource associated with the argument resource name. To determine whether to include the ResourceResult of a resource, the argument resource name and the policy resource name are compared, treating wildcard characters in the policy resource name as wildcards. If the comparison results in EXACT_MATCH, WILDCARD_MATCH or SUB_RESOURCE_MATCH, the resource result is included.
Parameters:
token - single sign on token of the user evaluating policies
resourceName - name of the resource
scope - indicates whether to compute the resource result based on the policy decision for only the resourceName or all the resources associated with the resource name. The valid scope values are:
  • ResourceResult.SUBTREE_SCOPE
  • ResourceResult.STRICT_SUBTREE_SCOPE
  • ResourceResult.SELF_SCOPE
If the scope is ResourceResult.SUBTREE_SCOPE, the method will return a set of ResourceResult objects, one of them for the resourceName and its sub resources; the others are for resources that match the resourceName by wildcard. If the scope is ResourceResult.STRICT_SUBTREE_SCOPE, the method will return a set object that contains one ResourceResult object. The ResourceResult contains the policy decisions regarding the resourceName and its sub resources. If the scope is ResourceResult.SELF_SCOPE, the method will return a set object that contains one ResourceResult object. The ResourceResult contains the policy decision regarding the resourceName only.
envParameters - run-time environment parameters
Returns:
set of ResourceResult objects
Throws:
SSOException - if token is invalid
PolicyException - for any other abnormal condition
See Also:
ResourceMatch.EXACT_MATCH, ResourceMatch.SUB_RESOURCE_MATCH, ResourceMatch.WILDCARD_MATCH, ResourceResult.SUBTREE_SCOPE, ResourceResult.STRICT_SUBTREE_SCOPE, ResourceResult.SELF_SCOPE
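A fail-closed wrapper around the isAllowed and getResourceResults calls documented above, added here as an example and not code from the product or this page. The service type name iPlanetAMWebAgentService, the "requestIp" environment key and its Set value type are assumptions; only the PolicyEvaluator, ResourceResult and exception types come from the page.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.policy.NameNotFoundException;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.ResourceResult;

/** Added illustration: every failure path denies access instead of falling through. */
public class WebAccessCheck {
    // Assumed service type name; it must match a service type registered on the server,
    // otherwise the PolicyEvaluator constructor throws NameNotFoundException.
    private static final String SERVICE_TYPE = "iPlanetAMWebAgentService";

    private final PolicyEvaluator evaluator;

    public WebAccessCheck() throws SSOException, NameNotFoundException, PolicyException {
        evaluator = new PolicyEvaluator(SERVICE_TYPE);
    }

    /** Returns true only when the policy engine positively allows the boolean action. */
    public boolean allowed(SSOToken token, String resource, String action, String clientIp) {
        // Assumed env parameter: key "requestIp" carrying a Set of client addresses,
        // which IP-based conditions evaluate against.
        Map env = new HashMap();
        Set ips = new HashSet();
        ips.add(clientIp);
        env.put("requestIp", ips);
        try {
            return evaluator.isAllowed(token, resource, action, env);
        } catch (SSOException e) {
            return false; // session invalid or expired: deny
        } catch (PolicyException e) {
            // Raised e.g. when the action's syntax is not boolean in the schema: deny
            return false;
        }
    }

    /** Decisions for the named resource only: SELF_SCOPE excludes sub resources and wildcard matches. */
    public Set resultsForResourceOnly(SSOToken token, String resource, Map env)
            throws SSOException, PolicyException {
        return evaluator.getResourceResults(token, resource, ResourceResult.SELF_SCOPE, env);
    }
}
```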

getResourceResult

public ResourceResult getResourceResult(SSOToken token,
                                        java.lang.String resourceName,
                                        java.lang.String scope,
                                        java.util.Map envParameters)
                                 throws SSOException,
                                        PolicyException
Deprecated. Use getResourceResults()

Gets resource result given a resource name. ResourceResult is a tree representation of policy decisions for all resources rooted at the resource name. To determine whether a resource defined in the policy is a sub resource of the argument resource name, the argument resource name and the policy resource name are compared, treating wildcard characters as literals. If the comparison results in EXACT_MATCH or SUB_RESOURCE_MATCH, the resource is included.
Parameters:
token - single sign on token of the user evaluating policies
resourceName - name of the resource
scope - indicates whether to compute the resource result based on the policy decision for only the resourceName or all the resources associated with the resource name. The valid scope values are:
  • ResourceResult.SUBTREE_SCOPE
  • ResourceResult.STRICT_SUBTREE_SCOPE
  • ResourceResult.SELF_SCOPE
If the scope is ResourceResult.SUBTREE_SCOPE or ResourceResult.STRICT_SUBTREE_SCOPE, the method will return a ResourceResult object that contains the policy decisions regarding the resourceName and its sub resources. If the scope is ResourceResult.SELF_SCOPE, the method will return a ResourceResult object that contains the policy decision regarding the resourceName only. Note that the scope values ResourceResult.SUBTREE_SCOPE and ResourceResult.STRICT_SUBTREE_SCOPE are treated as the same for backward compatibility reasons. This method is deprecated; the method getResourceResults() should be used instead.
envParameters - run-time environment parameters
Returns:
ResourceResult.
Throws:
SSOException - if token is invalid
PolicyException - for any other abnormal condition
See Also:
ResourceMatch.EXACT_MATCH, ResourceMatch.SUB_RESOURCE_MATCH, ResourceMatch.WILDCARD_MATCH, ResourceResult.SUBTREE_SCOPE, ResourceResult.STRICT_SUBTREE_SCOPE, ResourceResult.SELF_SCOPE

addPolicyListener

public void addPolicyListener(PolicyListener policyListener)
Adds a policy listener that is notified whenever a policy is added, removed or changed.
Parameters:
policyListener - the listener to be added

removePolicyListener

public void removePolicyListener(PolicyListener policyListener)
Removes a policy listener that was previously registered to receive notifications whenever a policy is added, removed or changed. It is not an error to attempt to remove a listener that was not registered; the method returns silently.
Parameters:
policyListener - the listener to be removed