com.hyperion.css
Interface CSSAPIIF

All Known Implementing Classes:

CSSAPIImpl

public interface CSSAPIIF

This is the interface to the security platform functionality. This interface provides for:

1. Authentication by user name and password.
2. Authentication by token.
3. Integration with a Security Agent (For instance: Netegrity SiteMinder)
4. Getting users and groups based on names and identities.

The searchOrder that is specified in the associated configuration is used to determine the sequence in which the plugged-in providers are called to get to the information requested. Note: Unless specified otherwise the switch from one provider to another in the search order would take place only if the first provider does not return anything.

Sample use of the application:

    Map context = new HashMap(5);
    context.put(CSSAPIIF.LOCALE, new Locale("en", "US"));	  
    String logPath = "C:/Hyperion/logs/";
    
    CSSSystem instance = CSSSystem.getInstance(context, logPath);
    CSSAPIIF css = instance.getCSSAPI();

    // Host information (IP address/Host Name) is required for Auditing.
    context.put(CSSAPIIF.HOST_INFO, "ajoseph.hyperion.com");
 
    try
    {
    	context.put(CSSAPIIF.LOGIN_NAME, "gkhanna");
    	context.put(CSSAPIIF.PASSWORD, "password");

      CSSUserIF user = css.authenticate(context);
    }
    catch (CSSTokenNotAvailableException tNAE)
    {
       // log this
       // check message and error code for more info
       // try again
    }
    catch (CSSAuthenticationException aE)
    {
       // Unable to authenticate
       // check credentials
       // check message and error code for more info
       // log this
    }
    catch (CSSIllegalArgumentException iAE)
    {
       // check arguments and correct them according to the contract
       // check message and error code for more info
       // try again
    }
    catch (CSSNoProviderException nPE)
    {
       // CSS was unable to launch a provider
       // that was requested in the provider entry in the context
       // check message and error code for more info
       // check and try again
       // log this
    }
    catch (CSSInvalidIdentityException iIE)
    {
       // Unable to use the identity passed in the token
       // log this
    }
    catch (CSSTokenNotAcceptedException tNAcceptedE)
    {
       // the token passed in is not valid
       // log this
    }
    catch (CSSException e)
    {
       // Any other abnormality
       // check message and error code for more info
       // log this
    }
 

To override the search order, the specification of the provider in the input is supported through the following syntax:

entryName@ProviderName

Here, entryName could be a userName or a groupName. The ProviderName specifies the name of the provider as determined in the Configuration settings.

There is a specific case for NTLM providers. The NTLM provider may or may not specify a domain. If it does specify a domain, then that NTLM provider is only responsible for performing the operations on that domain.
If on the other hand, no domain is specified, then the provider performs operations on all the trusted domains. If a token contains a domain that does not correspond to any of the NTLM providers listed domains, then the first provider that does not have domain listed would be used.

Some examples:

The getUsers(context, name) is to be called with a name parameter to get user/s that have that name. Passing null is not accepted and would not return all the users. The search operation stops at the first provider wherin the match can be made.
You can use wildcards such as '*' for the userName parameter. In this case users would be returned in the order of directories that is specified by the search order.
You could retreive all users on a provider by specifying "*@providerName"

The getGroups(context, groupName) can be called with the wildcard * for groupName to get all the groups from the first provider in the search order. If there are no matches then the control flows over to the subsequent provider and so on. In this case it would go by the search order.
To get all groups from a particular provider, specify "*@providerName".
This follows the "groupName@providerName" syntax. You can also have wildcards such as "GA*@providerName" for the groupName parameter.

This class is classified as thread safe.

Since:

v2.0

Author:

gkhanna

Field Summary

static java.lang.String	ACCESS_TYPE_MANAGE Constant that holds the flag determining that the MANAGE type of access is requested on specified API call.
static java.lang.String	ACCESS_TYPE_VIEW Constant that holds the flag determining that the VIEW type of access is requested on specified API call.
static java.lang.String	DELEGATEDMODE_SHOW_ALL
static java.lang.String	DIRECT_ROLE_ONLY Constant that holds the type specified for the NATIVE provider.
static java.lang.String	ENTITY_DEACTIVATE Constant that holds the name of the property for specifying the that the user or group entity needs to be deactivated or a deactivated user and group is to be retreived.
static java.lang.String	ENTRY_TYPE_GROUP Constant that holds type of the entry.
static java.lang.String	ENTRY_TYPE_OTHER Constant that holds the type of the entry.
static java.lang.String	ENTRY_TYPE_ROLE Constant that holds type of the entry.
static java.lang.String	ENTRY_TYPE_USER Constant that holds the type of the entry.
static java.lang.String	ESCAPE_AUTH_FILTER
static java.lang.String	FORCE_DEPENDENCY_CHECK Constant that holds the flag deciding whether Native Directory active check is to be done during intialialization.
static java.lang.String	HOST_INFO Constant that holds the name of the property for specifying the Host Name or IP Address of the machine that user is logging in from.
static java.lang.String	HTTP_SERVLET_REQUEST Constant that holds the name of the property for specifying the HTTP Servlet Request object.
static java.lang.String	HUB_ADMINISTRATOR_IDENTITY Constant that holds the seeded Hyperion Shared Services administrator identity.
static java.lang.String	HUB_APP_NAME added HUB project name and application name constants to use in LCM
static java.lang.String	HUB_APPLICATION_ID Constant that holds the Hyperion Shared Services Application Id.
static java.lang.String	HUB_PROJECT Constant that is used to specify that the project is the Hub (Shared Services) Project.
static java.lang.String	HUB_PROJECT_NAME
static java.lang.String	IDENTITY_USER Constant that holds the name of the property for specifying the identity for a user.
static java.lang.String	IE_DELEGATED_MODE
static java.lang.String	KERBEROS_LOGIN_NAME
static java.lang.String	LOCALE Constant that holds the property that specifies the name of the Locale.
static java.lang.String	LOG_PREPEND_TEXT Constant that holds the the name of the property that specifies the text message to be prepended to the log messages.
static java.lang.String	LOGIN_NAME Constant that holds the name of the property for specifying the user name.
static java.lang.String	OBJECT_ID Constant that holds the property that specifies the name of the object id.
static java.lang.String	PASSWORD Constant that holds the name of the property for specifying the password.
static java.lang.String	PREFIX_TO_APP_LOGGER Constant that holds the prefix to the Application Logger that is invoked throught the CSSApplicationIF.log(String) method.
static java.lang.String	PROVIDER_NAME Constant that holds the name of the property for specifying the provider to be used.
static java.lang.String	PROVIDER_REQUEST Constant that holds the name of the property for specifying the provider URL that an entry belongs to.
static java.lang.String	PROVIDER_TYPE Constant that holds the name of the property for specifying the provider type to be used.
static java.lang.String	PROVIDER_TYPE_CUSTOM Constant that holds the type specified for the custom provider.
static java.lang.String	PROVIDER_TYPE_DATABASE Constant that holds the type specified for the DB provider.
static java.lang.String	PROVIDER_TYPE_LDAP Constant that holds the type specified for the LDAP provider.
static java.lang.String	PROVIDER_TYPE_MSAD Constant that holds the type specified for the MSAD provider.
static java.lang.String	PROVIDER_TYPE_NATIVE Constant that holds the type specified for the NATIVE provider.
static java.lang.String	PROVIDER_TYPE_NTLM Constant that holds the type specified for the NTLM provider.
static java.lang.String	PROVIDER_TYPE_SAP Constant that holds the type specified for the SAP provider.
static java.lang.String	PRP_CACHE_SCHEME_ABORTCACHING Constant that holds the name of the property for disabling the the CSS configuration caching scheme.
static java.lang.String	PRP_CACHE_SCHEME_CACHE_PATH Constant that holds the name of the property for specifying the cache directory to use for the CSS configuration caching scheme.
static java.lang.String	PRP_CACHE_SCHEME_LOCK_PORT Constant that holds the name of the property for specifying the local port CSS should use for its file locking scheme.
static java.lang.String	PRP_NATIVE_PROVIDER_TRANSPORT_COMPRESSION Constant that holds the name of the property for specifying native provider transport compression.
static java.lang.String	PRP_NATIVE_PROVIDER_TRANSPORT_ENABLE Constant that holds the name of the property to enable and disable the native provider RPC transport.
static java.lang.String	QUERY_LIMIT Constant that holds the name of the property for specifiying that the scope of the query should be limited.
static java.lang.String	RETURN_HIERARCHY Constant that holds the name of the property for specifiying that the "memberOf" relationships are to be returned.
static java.lang.String	ROLE_ADMINISTRATOR_IDENTITY Constant that holds the Administrator role identity.
static java.lang.String	ROLE_ANALYTIC_SERVICES_APPLICATION_CREATOR_IDENTITY Constant that holds the Analytic Services Application Creator role identity.
static java.lang.String	ROLE_APPLICATION_CREATOR_IDENTITY Constant that holds the Application Creator role identity.
static java.lang.String	ROLE_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY Constant that holds the Calculation Manager Administrator role identity.
static java.lang.String	ROLE_CREATE_INTEGRATIONS_IDENTITY Constant that holds the Create Integrations role identity.
static java.lang.String	ROLE_DIMENSION_EDITOR_IDENTITY Constant that holds the Dimension Editor role identity.
static java.lang.String	ROLE_DIRECTORY_MANAGER_IDENTITY Constant that holds the Directory Manager role identity.
static java.lang.String	ROLE_FINANCIAL_MANAGEMENT_APPLICATION_CREATOR_IDENTITY Constant that holds the Financial Management Application Creator role identity.
static java.lang.String	ROLE_FINANCIAL_MANAGEMENT_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY Constant that holds the Financial Management Calculation Manager Administrator role identity.
static java.lang.String	ROLE_LCM_ADMINISTRATOR_IDENTITY Constant that holds the LCM Administrator role identity.
static java.lang.String	ROLE_MANAGE_MODELS_UNIQUE_ID Constant that holds the Manage Model role Unique ID.
static java.lang.String	ROLE_PLANNING_APPLICATION_CREATOR_IDENTITY Constant that holds the Planning Application Creator role identity.
static java.lang.String	ROLE_PLANNING_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY Constant that holds the Planning Calculation Manager Administrator role identity.
static java.lang.String	ROLE_PROFITABILITY_APPLICATION_CREATOR_IDENTITY Constant that holds the Profitability Application Creator role identity.
static java.lang.String	ROLE_PROJECT_MANAGER_IDENTITY Constant that holds the Project Manager role identity.
static java.lang.String	ROLE_PROVISIONING_MANAGER_IDENTITY Constant that holds the Provisioning Manager role identity.
static java.lang.String	ROLE_RUN_INTEGRATIONS_IDENTITY Constant that holds the Run Integrations role identity.
static java.lang.String	SAP_TICKET Constant that holds the name of the property for specifying the SAP Ticket.
static java.lang.String	SECURITY_AGENT_LOGIN_NAME Constant that holds name of the property for specifying the login name.
static java.lang.String	SPECIFY_ALL Constant that is used to specify interest in all instances for the argument/parameter in question.
static java.lang.String	SPECIFY_CONTAINER Constant that is used to specify interest in the container instance for the argument/parameter in question.
static java.lang.String	SPECIFY_NONE Constant that is used to specify that argument/parameter in question should not be taken into account in the result of this query.
static java.lang.String	STATUS Constant that holds the status of the User or Group (whether active or inactive).
static java.lang.String	THROW_COMMUNICATION_EXCEPTION Constant that holds the name of the property for specifying the interest in recieving the CSSCommunicationException.
static java.lang.String	TOKEN Constant that holds the name of the property for specifying the token string.
static java.lang.String	USE_LOCAL_HUB Constant that holds name of the property for specifying that Hyperion Shared Services is local to the process that CSS is running on.
static java.lang.String	VALIDATE_ROLE Constant that holds the flag deciding whether role validation for the principal is to be done before performing an operation.
static java.lang.String	WORLD_GROUP_DESCRIPTION Constant that holds the WORLD Group description.
static java.lang.String	WORLD_GROUP_IDENTITY Constant that holds the WORLD Group identity.
static java.lang.String	WORLD_GROUP_NAME Constant that holds the WORLD Group name.

Method Summary

CSSUserIF	authenticate(java.util.Map context) Deprecated.
CSSUserIF	authenticate(java.util.Map context, java.lang.String username, java.lang.String password) Authenticates the specified username against the specified password with the providers configured in the security system.
CSSUserIF	authenticateProxyUser(java.util.Map context, java.lang.String username, java.lang.String trustedServiceKey) Authenticates the specified username using proxy, after validating the trusted service key.
CSSUserIF	authenticateSapTicket(java.util.Map context, java.lang.String ticket) Authenticates the specified sap ticket against the providers configured in the security system.
CSSUserIF	authenticateSecurityAgent(java.util.Map context, javax.servlet.http.HttpServletRequest request) Authenticates by parsing the username and password if available from the specified HTTP Servlet Request.
CSSUserIF	authenticateToken(java.util.Map context, java.lang.String token) Authenticates the specified sso_token against the providers configured in the security system.
CSSUserIF	authenticateUserFromSecurityAgent(java.util.Map context, java.lang.String username, java.lang.String trustedServiceKey) Authenticates the specified username , after validating the trusted service key.
CSSDirectoryManagementAPIIF	getDirectoryManagementAPI(java.util.Map context) Returns an interface to CRUD of Hyperion Shared Services User Directory.
CSSGroupIF	getGroupByIdentity(java.util.Map context, CSSPrincipalIF principal, java.lang.String identity) Get a group based on the identity of the group.
CSSGroupIF	getGroupByIdentity(java.util.Map context, java.lang.String identity) Deprecated.
CSSGroupIF[]	getGroups(java.util.Map context, CSSPrincipalIF principal, GroupSearchFilter groupSrchFilter) Get a group specified by group search filter passed in The group search filter contains group filter attributes and values like, GROUPNAME, DESCRIPTION.
CSSGroupIF[]	getGroups(java.util.Map context, CSSPrincipalIF principal, java.lang.String groupName) Get a group based on the name.
CSSGroupIF[]	getGroups(java.util.Map context, java.lang.String groupName) Deprecated.
CSSGroupIF[]	getGroupsByIdentities(java.util.Map context, java.lang.String[] identities) Return an Array for a CSSGroupIF objects for an array of group identities.
java.lang.String[]	getHeaderNamesFromSecurityAgent(java.util.Map context) This method returns the HTTP headers that would carry the login name of the user.
CSSMigrationAPIIF	getMigrationAPI(java.util.Map context) Provides handle to the Migration Interface.
java.util.Map	getProviderMap(java.util.Map context) Gets the names and types of the providers that are registered with the security platform.
java.lang.String[]	getProviderNames(java.util.Map context) Deprecated.
CSSUserIF	getUserByEmail(java.util.Map context, CSSPrincipalIF principal, java.lang.String email) Get a user based on an email match.
CSSUserIF	getUserByEmail(java.util.Map context, java.lang.String email) Deprecated.
CSSUserIF	getUserByIdentity(java.util.Map context, CSSPrincipalIF principal, java.lang.String identity) Get a user based on the identity of the user.
CSSUserIF	getUserByIdentity(java.util.Map context, java.lang.String identity) Deprecated.
CSSUserProvisioningAPIIF	getUserProvisioningAPI(java.util.Map context) Returns the User and Group Provisioning Interface.
CSSUserIF[]	getUsers(java.util.Map context, CSSPrincipalIF principal, java.lang.String userName) Gets the user specified by userName.
CSSUserIF[]	getUsers(java.util.Map context, CSSPrincipalIF principal, java.lang.String userName, java.lang.String firstName, java.lang.String lastName) Get a user based on a user name , firstName and lastName match.
CSSUserIF[]	getUsers(java.util.Map context, CSSPrincipalIF principal, UserSearchFilter userSrchFilter) Gets the user specified by user search filter passed in The user search filter contains user filter attributes and values like, USERNAME,FIRSTNAME,LASTNAME,EMAIL,DESCRIPTION (Also ACTIVE, INACTIVE and ALL for native) Etc.
CSSUserIF[]	getUsers(java.util.Map context, java.lang.String userName) Deprecated.
CSSUserIF[]	getUsers(java.util.Map context, java.lang.String userName, java.lang.String firstName, java.lang.String lastName) Deprecated.
CSSUserIF[]	getUsersByName(java.util.Map context, CSSPrincipalIF principal, java.lang.String firstName, java.lang.String lastName) Get a user based on a firstName and lastName match.
CSSUserIF[]	getUsersByName(java.util.Map context, java.lang.String firstName, java.lang.String lastName) Deprecated.
void	initialize(java.util.Map context, CSSApplicationIF appCallback) Deprecated.
boolean	isNativeProviderActive(java.util.Map context) Return the status of the Native Provider after CSS has intialized.
boolean	isSecurityAgentProtected(java.util.Map context) This method is invoked to determine if the access to a resource might be protected by a Security Agent.
boolean	isValidCSSToken(java.util.Map context, java.lang.String token) Determines if the token is valid.
CSSLoginUserIF	login(java.util.Map context, java.lang.String applicationId, boolean indirect) Deprecated.
CSSLoginUserIF	login(java.util.Map context, java.lang.String username, java.lang.String password, java.lang.String[] applicationIds) Authenticates the specified username against the specified password with the providers configured in the security system.
CSSLoginUserIF	loginSapTicket(java.util.Map context, java.lang.String sapTicket, java.lang.String[] applicationIds) Authenticates the specified sap ticket against the providers configured in the security system.
CSSLoginUserIF	loginSecurityAgent(java.util.Map context, javax.servlet.http.HttpServletRequest request, java.lang.String[] applicationIds) Authenticates by parsing the username and password if available from the specified HTTP Servlet Request.
CSSLoginUserIF	loginToken(java.util.Map context, java.lang.String token, java.lang.String[] applicationIds) Authenticates the specified sso_token against the providers configured in the security system.

Field Detail

PRP_CACHE_SCHEME_CACHE_PATH

public static final java.lang.String PRP_CACHE_SCHEME_CACHE_PATH

Constant that holds the name of the property for specifying the cache directory to use for the CSS configuration caching scheme.
Values assigned in the map override any settings specified on the command line. If no value is specified the default is the Java temp directory, java.io.tmpdir.
The value of this constant is "com.hyperion.css.cache.path".

Since:

CSS v2.6.0

See Also:

Constant Field Values

PRP_CACHE_SCHEME_ABORTCACHING

public static final java.lang.String PRP_CACHE_SCHEME_ABORTCACHING

Constant that holds the name of the property for disabling the the CSS configuration caching scheme.

 Setting this property to true turns off caching.
 Setting this property to false enables caching.  Caching
 is enabled by default.
 

Values assigned in the map override any settings specified on the command line.
The value of this constant is "com.hyperion.css.cache.flag.abortcaching".

Since:

CSS v2.6.0

See Also:

Constant Field Values

PRP_CACHE_SCHEME_LOCK_PORT

public static final java.lang.String PRP_CACHE_SCHEME_LOCK_PORT

Constant that holds the name of the property for specifying the local port CSS should use for its file locking scheme.
Values assigned in the map override any settings specified on the command line.
The value of this constant is "com.hyperion.css.cache.lock.port".

Since:

CSS v2.6.0

See Also:

Constant Field Values

HOST_INFO

public static final java.lang.String HOST_INFO

Constant that holds the name of the property for specifying the Host Name or IP Address of the machine that user is logging in from.

The value of this constant is "hyperion.login.hostinfo".

See Also:

Constant Field Values

LOGIN_NAME

public static final java.lang.String LOGIN_NAME

Constant that holds the name of the property for specifying the user name. The value of the property should be the login name of the user.

The value of this constant is "hyperion.loginName".

See Also:

Constant Field Values

SAP_TICKET

public static final java.lang.String SAP_TICKET

Constant that holds the name of the property for specifying the SAP Ticket. The value of the property should be the SAP Ticket representing a user that has been authenticated through SAP.

The value of this constant is "hyperion.sAPTicket".

See Also:

Constant Field Values

HTTP_SERVLET_REQUEST

public static final java.lang.String HTTP_SERVLET_REQUEST

Constant that holds the name of the property for specifying the HTTP Servlet Request object. The value of the property should be the HTTP servlet request object that contains information about the user to be authenticated. Note that this constant has to be used only with web applications.

The value of this constant is "hyperion.httpServletRequest".

See Also:

Constant Field Values

PASSWORD

public static final java.lang.String PASSWORD

Constant that holds the name of the property for specifying the password. The value of the property should be the password of the user.

The value of this constant is "hyperion.password".

See Also:

Constant Field Values

TOKEN

public static final java.lang.String TOKEN

Constant that holds the name of the property for specifying the token string. The value of the property should be the token associated with a user.

The value of this constant is "hyperion.token".

See Also:

CSSUserIF.getToken(), Constant Field Values

PROVIDER_REQUEST

public static final java.lang.String PROVIDER_REQUEST

Constant that holds the name of the property for specifying the provider URL that an entry belongs to. The value of the property should be the provider URL. For instance: "ldap://localhost:389/ou=abc,o=com" For NTLM, the provider URL would be the domain name.

This is used in isValidCSSToken(Map, String)

The value of this constant is "hyperion.providerRequest".

See Also:

Constant Field Values

PROVIDER_NAME

public static final java.lang.String PROVIDER_NAME

Constant that holds the name of the property for specifying the provider to be used. The value of the property should be the provider name. For instance: ldapServer1, NTLMServer2 etc.
In the configuration, the provider name maps to the entries in the searchOrder element.

The value of this constant is "hyperion.providerName".

Since:

CSS v2.0.8

See Also:

Constant Field Values

PREFIX_TO_APP_LOGGER

public static final java.lang.String PREFIX_TO_APP_LOGGER

Constant that holds the prefix to the Application Logger that is invoked throught the CSSApplicationIF.log(String) method.

The value of this constant is "***CSS***".

See Also:

Constant Field Values

PROVIDER_TYPE

public static final java.lang.String PROVIDER_TYPE

Constant that holds the name of the property for specifying the provider type to be used. The value of the property should be the provider type. For instance: NTLM, LDAP, MSAD etc.

This is specified by constants:

1. PROVIDER_TYPE_LDAP
2. PROVIDER_TYPE_MSAD
3. PROVIDER_TYPE_NTLM
4. PROVIDER_TYPE_NATIVE
5. PROVIDER_TYPE_SAP
6. PROVIDER_TYPE_CUSTOM

The value of this constant is "hyperion.providerType".

Since:

CSS v2.0.8

See Also:

Constant Field Values

ENTRY_TYPE_USER

public static final java.lang.String ENTRY_TYPE_USER

Constant that holds the type of the entry.

The value of this constant is "USER".

See Also:

Constant Field Values

ENTRY_TYPE_GROUP

public static final java.lang.String ENTRY_TYPE_GROUP

Constant that holds type of the entry.

The value of this constant is "GROUP".

See Also:

Constant Field Values

ENTRY_TYPE_ROLE

public static final java.lang.String ENTRY_TYPE_ROLE

Constant that holds type of the entry.

The value of this constant is "ROLE".

See Also:

Constant Field Values

ENTRY_TYPE_OTHER

public static final java.lang.String ENTRY_TYPE_OTHER

Constant that holds the type of the entry.

The value of this constant is "OTHER".

See Also:

Constant Field Values

WORLD_GROUP_IDENTITY

public static final java.lang.String WORLD_GROUP_IDENTITY

Constant that holds the WORLD Group identity.

The value of this constant is "native://DN=cn=611,ou=Groups,dc=css,dc=hyperion,dc=com?GROUP".

See Also:

Constant Field Values

WORLD_GROUP_NAME

public static final java.lang.String WORLD_GROUP_NAME

Constant that holds the WORLD Group name.

The value of this constant is "WORLD".

See Also:

Constant Field Values

WORLD_GROUP_DESCRIPTION

public static final java.lang.String WORLD_GROUP_DESCRIPTION

Constant that holds the WORLD Group description.

The value of this constant is "All Users are members of this group".

See Also:

Constant Field Values

HUB_APPLICATION_ID

public static final java.lang.String HUB_APPLICATION_ID

Constant that holds the Hyperion Shared Services Application Id.

The value of this constant is "HUB:1111".

See Also:

Constant Field Values

ROLE_ADMINISTRATOR_IDENTITY

public static final java.lang.String ROLE_ADMINISTRATOR_IDENTITY

Constant that holds the Administrator role identity.

The value of this constant is ""native://DN=cn=HUB:1,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE"".

See Also:

Constant Field Values

ROLE_PROVISIONING_MANAGER_IDENTITY

public static final java.lang.String ROLE_PROVISIONING_MANAGER_IDENTITY

Constant that holds the Provisioning Manager role identity.

The value of this constant is ""native://DN=cn=HUB:2,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE"".

See Also:

Constant Field Values

ROLE_DIRECTORY_MANAGER_IDENTITY

public static final java.lang.String ROLE_DIRECTORY_MANAGER_IDENTITY

Constant that holds the Directory Manager role identity.

The value of this constant is ""native://DN=cn=HUB:3,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE"".

See Also:

Constant Field Values

ROLE_PROJECT_MANAGER_IDENTITY

public static final java.lang.String ROLE_PROJECT_MANAGER_IDENTITY

Constant that holds the Project Manager role identity.

The value of this constant is ""native://DN=cn=HUB:4,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE"".

See Also:

Constant Field Values

ROLE_CREATE_INTEGRATIONS_IDENTITY

public static final java.lang.String ROLE_CREATE_INTEGRATIONS_IDENTITY

Constant that holds the Create Integrations role identity.

The value of this constant is ""native://DN=cn=HUB:5,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE"".

See Also:

Constant Field Values

ROLE_RUN_INTEGRATIONS_IDENTITY

public static final java.lang.String ROLE_RUN_INTEGRATIONS_IDENTITY

Constant that holds the Run Integrations role identity.

The value of this constant is ""native://DN=cn=HUB:6,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE"".

See Also:

Constant Field Values

ROLE_LCM_ADMINISTRATOR_IDENTITY

public static final java.lang.String ROLE_LCM_ADMINISTRATOR_IDENTITY

Constant that holds the LCM Administrator role identity.

The value of this constant is ""native://DN=cn=HUB:7,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE"".

See Also:

Constant Field Values

ROLE_DIMENSION_EDITOR_IDENTITY

public static final java.lang.String ROLE_DIMENSION_EDITOR_IDENTITY

Constant that holds the Dimension Editor role identity.

The value of this constant is "native://DN=cn=HUB:8,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_APPLICATION_CREATOR_IDENTITY

public static final java.lang.String ROLE_APPLICATION_CREATOR_IDENTITY

Constant that holds the Application Creator role identity.

The value of this constant is "native://DN=cn=HUB:9,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_FINANCIAL_MANAGEMENT_APPLICATION_CREATOR_IDENTITY

public static final java.lang.String ROLE_FINANCIAL_MANAGEMENT_APPLICATION_CREATOR_IDENTITY

Constant that holds the Financial Management Application Creator role identity.

The value of this constant is "native://DN=cn=HUB:10,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_PLANNING_APPLICATION_CREATOR_IDENTITY

public static final java.lang.String ROLE_PLANNING_APPLICATION_CREATOR_IDENTITY

Constant that holds the Planning Application Creator role identity.

The value of this constant is "native://DN=cn=HUB:11,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_ANALYTIC_SERVICES_APPLICATION_CREATOR_IDENTITY

public static final java.lang.String ROLE_ANALYTIC_SERVICES_APPLICATION_CREATOR_IDENTITY

Constant that holds the Analytic Services Application Creator role identity.

The value of this constant is "native://DN=cn=HUB:12,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_PROFITABILITY_APPLICATION_CREATOR_IDENTITY

public static final java.lang.String ROLE_PROFITABILITY_APPLICATION_CREATOR_IDENTITY

Constant that holds the Profitability Application Creator role identity.

The value of this constant is "native://DN=cn=HUB:16,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY

public static final java.lang.String ROLE_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY

Constant that holds the Calculation Manager Administrator role identity.

The value of this constant is "native://DN=cn=HUB:17,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_FINANCIAL_MANAGEMENT_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY

public static final java.lang.String ROLE_FINANCIAL_MANAGEMENT_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY

Constant that holds the Financial Management Calculation Manager Administrator role identity.

The value of this constant is "native://DN=cn=HUB:18,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_PLANNING_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY

public static final java.lang.String ROLE_PLANNING_CALCULATION_MANAGER_ADMINISTRATOR_IDENTITY

Constant that holds the Planning Calculation Manager Administrator role identity.

The value of this constant is "native://DN=cn=HUB:19,ou=HUB,ou=Roles,dc=css,dc=hyperion,dc=com?ROLE".

See Also:

Constant Field Values

ROLE_MANAGE_MODELS_UNIQUE_ID

public static final java.lang.String ROLE_MANAGE_MODELS_UNIQUE_ID

Constant that holds the Manage Model role Unique ID. Note that this role should be registered by the product. This unique id is to ensure a standard across teams.

The value of this constant is ""1313"".

See Also:

Constant Field Values

HUB_ADMINISTRATOR_IDENTITY

public static final java.lang.String HUB_ADMINISTRATOR_IDENTITY

Constant that holds the seeded Hyperion Shared Services administrator identity.

The value of this constant is ""native://DN=cn=911,ou=People,dc=css,dc=hyperion,dc=com?USER"".

See Also:

Constant Field Values

LOCALE

public static final java.lang.String LOCALE

Constant that holds the property that specifies the name of the Locale.

The value of this constant is "LOCALE".

See Also:

Constant Field Values

OBJECT_ID

public static final java.lang.String OBJECT_ID

Constant that holds the property that specifies the name of the object id.

The value of this constant is "OBJECT_ID".

Since:

CSS v3.0

See Also:

Constant Field Values

QUERY_LIMIT

public static final java.lang.String QUERY_LIMIT

Constant that holds the name of the property for specifiying that the scope of the query should be limited. If the value is >true then the scope of the query would be limited.

The value of this constant is "hyperion.query.limit".

See Also:

Constant Field Values

RETURN_HIERARCHY

public static final java.lang.String RETURN_HIERARCHY

Constant that holds the name of the property for specifiying that the "memberOf" relationships are to be returned. If the value is >true then the hierarchy would be returned..

The value of this constant is "hyperion.return.hierarchy".

See Also:

Constant Field Values

ENTITY_DEACTIVATE

public static final java.lang.String ENTITY_DEACTIVATE

Constant that holds the name of the property for specifying the that the user or group entity needs to be deactivated or a deactivated user and group is to be retreived. The value of the property is "true" is the user or group entry has to be deactivated or a deactivated user or group needs to be returned.

The value of this constant is "hyperion.deactivate".

See Also:

Constant Field Values

LOG_PREPEND_TEXT

public static final java.lang.String LOG_PREPEND_TEXT

Constant that holds the the name of the property that specifies the text message to be prepended to the log messages.

The value of this constant is "LOG_PREPEND_TEXT".

Since:

CSS v2.5

See Also:

Constant Field Values

SECURITY_AGENT_LOGIN_NAME

public static final java.lang.String SECURITY_AGENT_LOGIN_NAME

Constant that holds name of the property for specifying the login name. The value of this property is the login name that is retrieved from the Security Agent.

The Security Agent could be Netegrity SiteMinder. The value for this constant should be the login name for a user.

The value of this constant is "securityAgent.loginName".

Since:

CSS v2.5

See Also:

Constant Field Values

STATUS

public static final java.lang.String STATUS

Constant that holds the status of the User or Group (whether active or inactive). The value of this property can be set to "active" or "inactive". user.

The value of this constant is "status".

See Also:

Constant Field Values

USE_LOCAL_HUB

public static final java.lang.String USE_LOCAL_HUB

Constant that holds name of the property for specifying that Hyperion Shared Services is local to the process that CSS is running on. The value of this property is "true" if there is no requirement for RPC to Shared Services, as Shared Services is local.

This property would be made use of by the CSS UI that will run on the Hyperion Shared Services server. The value for this constant should either true or false.

The value of this constant is "hyperion_use_local_hub".

Since:

CSS v3.0

See Also:

Constant Field Values

HUB_PROJECT

public static final java.lang.String HUB_PROJECT

Constant that is used to specify that the project is the Hub (Shared Services) Project.
The Hub Project is preconfigured and cannot be deleted or updated.

This property serves as the identity of the Hyperion Hub (Shared Services) Project. The Hyperion Hub Project cannot be updated in any way including addition or removal of applications.

The value of this constant is "hyperion.hub.project".

Since:

CSS v3.0

See Also:

Constant Field Values

SPECIFY_ALL

public static final java.lang.String SPECIFY_ALL

Constant that is used to specify interest in all instances for the argument/parameter in question.
This property would be made use in invocations of the various CSS API methods. Details would be elucidated in the documentation of the respective methods.

The value of this constant is "hyperion.all".

Since:

CSS v3.0

See Also:

Constant Field Values

SPECIFY_NONE

public static final java.lang.String SPECIFY_NONE

Constant that is used to specify that argument/parameter in question should not be taken into account in the result of this query.
This property would be made use in invocations of the various CSS API methods. Details would be elucidated in the documentation of the respective methods.

The value of this constant is "hyperion.none".

Since:

CSS v3.0

See Also:

Constant Field Values

SPECIFY_CONTAINER

public static final java.lang.String SPECIFY_CONTAINER

Constant that is used to specify interest in the container instance for the argument/parameter in question.
This property would be made use in invocations of the various CSS API methods. Details would be elucidated in the documentation of the respective methods.

The value of this constant is "hyperion.container".

Since:

CSS v3.0

See Also:

Constant Field Values

PRP_NATIVE_PROVIDER_TRANSPORT_COMPRESSION

public static final java.lang.String PRP_NATIVE_PROVIDER_TRANSPORT_COMPRESSION

Constant that holds the name of the property for specifying native provider transport compression. This property is used if Hyperion Shared Services is running on a different computer than the CSS API consumer. A value of "true" enables compression. A falue of "false" disables compression. "true" is the default.

Values assigned in the map override any settings specified on the command line.

The value of this constant is "com.hyperion.css.rpc.transport.compression".

Since:

CSS v3.0

See Also:

Constant Field Values

PRP_NATIVE_PROVIDER_TRANSPORT_ENABLE

public static final java.lang.String PRP_NATIVE_PROVIDER_TRANSPORT_ENABLE

Constant that holds the name of the property to enable and disable the native provider RPC transport. A value of "true" enables RPC. A falue of "false" disables RPC. The setting is "true" by default. This setting should only be used by applications running on Hyperion Shared Services; typically CTG applications. A word of warning: using the native provider locally requires certain HUB, Slide, and other components to be propertly configured.

Values assigned in the map override any settings specified on the command line.

The value of this constant is "com.hyperion.css.rpc.transport.enable".

Since:

CSS v3.0

See Also:

Constant Field Values

IDENTITY_USER

public static final java.lang.String IDENTITY_USER

Constant that holds the name of the property for specifying the identity for a user.

The value for this property is the value of the user identity.

The value of this constant is "hyperion.user.identity".

Since:

CSS v3.0

See Also:

Constant Field Values

PROVIDER_TYPE_LDAP

public static final java.lang.String PROVIDER_TYPE_LDAP

Constant that holds the type specified for the LDAP provider.

The value of this constant is specified by CSSConfigurationDefaults.PROVIDER_TYPE_LDAP.

Since:

CSS v2.0.8

PROVIDER_TYPE_NTLM

public static final java.lang.String PROVIDER_TYPE_NTLM

Constant that holds the type specified for the NTLM provider.

The value of this constant is specified by CSSConfigurationDefaults.PROVIDER_TYPE_NTLM.

Since:

CSS v2.0.8

PROVIDER_TYPE_MSAD

public static final java.lang.String PROVIDER_TYPE_MSAD

Constant that holds the type specified for the MSAD provider.

The value of this constant is specified by CSSConfigurationDefaults.PROVIDER_TYPE_MSAD.

Since:

CSS v2.0.8

PROVIDER_TYPE_NATIVE

public static final java.lang.String PROVIDER_TYPE_NATIVE

Constant that holds the type specified for the NATIVE provider.

The value of this constant is specified by CSSConfigurationDefaults.PROVIDER_TYPE_NATIVE.

Since:

CSS v2.0.8

PROVIDER_TYPE_SAP

public static final java.lang.String PROVIDER_TYPE_SAP

Constant that holds the type specified for the SAP provider.

The value of this constant is specified by CSSConfigurationDefaults.PROVIDER_TYPE_SAP.

Since:

CSS v2.0.8

PROVIDER_TYPE_DATABASE

public static final java.lang.String PROVIDER_TYPE_DATABASE

Constant that holds the type specified for the DB provider.

The value of this constant is specified by CSSConfigurationDefaults.PROVIDER_TYPE_DATABASE.

DIRECT_ROLE_ONLY

public static final java.lang.String DIRECT_ROLE_ONLY

Constant that holds the type specified for the NATIVE provider.

The value of this constant is specified by CSSConfigurationDefaults.PROVIDER_TYPE_NATIVE.

Since:

CSS v3.0.1

See Also:

Constant Field Values

THROW_COMMUNICATION_EXCEPTION

public static final java.lang.String THROW_COMMUNICATION_EXCEPTION

Constant that holds the name of the property for specifying the interest in recieving the CSSCommunicationException. The value of the property should be true and this exception is propogated to the consumer of the API (the client).

The value of this constant is "com.hyperion.css.throwCommunicationException".

Since:

CSS v2.6.0

See Also:

Constant Field Values

PROVIDER_TYPE_CUSTOM

public static final java.lang.String PROVIDER_TYPE_CUSTOM

Constant that holds the type specified for the custom provider.

The value of this constant is specified by CSSConfigurationDefaults.PROVIDER_TYPE_CUSTOM.

Since:

CSS v2.0.8

VALIDATE_ROLE

public static final java.lang.String VALIDATE_ROLE

Constant that holds the flag deciding whether role validation for the principal is to be done before performing an operation.

The flag can be added to the context and the value associated with the flag can be either TRUE or FALSE.

Since:

CSS v3.0.1

See Also:

Constant Field Values

FORCE_DEPENDENCY_CHECK

public static final java.lang.String FORCE_DEPENDENCY_CHECK

Constant that holds the flag deciding whether Native Directory active check is to be done during intialialization.

The flag can be added to the context and the value associated with the flag can be either TRUE or FALSE.

Presense of this flag with value TRUE will dictate the initialize(Map, CSSApplicationIF) to throw exception if the Native Directory is not reachable. FALSE would ignore this check and continue the initialization.

Absence of this flag will be treated as FALSE.

Since:

CSS v3.0.1

See Also:

Constant Field Values

KERBEROS_LOGIN_NAME

public static final java.lang.String KERBEROS_LOGIN_NAME

See Also:

Constant Field Values

ACCESS_TYPE_VIEW

public static final java.lang.String ACCESS_TYPE_VIEW

Constant that holds the flag determining that the VIEW type of access is requested on specified API call.

Since:

CSS v9.3.1

See Also:

Constant Field Values

ACCESS_TYPE_MANAGE

public static final java.lang.String ACCESS_TYPE_MANAGE

Constant that holds the flag determining that the MANAGE type of access is requested on specified API call.

Since:

CSS v9.3.1

See Also:

Constant Field Values

DELEGATEDMODE_SHOW_ALL

public static final java.lang.String DELEGATEDMODE_SHOW_ALL

See Also:

Constant Field Values

HUB_APP_NAME

public static final java.lang.String HUB_APP_NAME

added HUB project name and application name constants to use in LCM

See Also:

Constant Field Values

HUB_PROJECT_NAME

public static final java.lang.String HUB_PROJECT_NAME

See Also:

Constant Field Values

IE_DELEGATED_MODE

public static final java.lang.String IE_DELEGATED_MODE

See Also:

Constant Field Values

ESCAPE_AUTH_FILTER

public static final java.lang.String ESCAPE_AUTH_FILTER

See Also:

Constant Field Values

Method Detail

authenticate

public CSSUserIF authenticate(java.util.Map context)
                       throws CSSNoProviderException,
                              CSSTokenNotAvailableException,
                              CSSIllegalArgumentException,
                              CSSAuthenticationException,
                              CSSTokenNotAcceptedException,
                              CSSInvalidIdentityException,
                              com.hyperion.css.common.configuration.CSSConfigurationException,
                              CSSCommunicationException,
                              CSSException

Deprecated.

The user is authenticated by the security platform.

The context can specify the following:

1. login name
2. password
3. token
4. Host info
5. locale
6. login name from the Security Agent header
7. the SAP Ticket
8. the HTTP Servlet Request Object

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

If the login name from the header is specified as SECURITY_AGENT_LOGIN_NAME and is passed in the context argument then authentication using the loginName specified by this header would take precedence. This implies that even if a token is passed in, the authentication would be on the basis of the login name header provided by the Security Agent.

The HTTP Servlet Request Object is required when a security agent is configured. The request object will be parsed for username and password (in a few cases) according to the security agent mode configured. This parameter replaces the "login name from the Security Agent header" and "SAP Ticket" options that can be specified in the context. Note that this constant has to be used only with web applications.

To extend the lifetime of a token, this method can be invoked and the token is stamped with the current time and its validity period is reset.

The entryName@ProviderName syntax is supported by this method. This can be specified in the user name.

The domainName\entryName syntax is also supported for the benefit of applications using NTLM as the authentication protocol.

This method does not support wildcards in the arguments. No guarantee is made for the behavior of this method if wildcards are part of the arguments.

Also, reserved characters for different directory servers are not directly supported.The caller needs to escape them in the appropriate way for the underlying directory store.

Parameters:

context - - Map structure holding key-value information about login name, password, token, and locale.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSNoProviderException - - if no provider exists with the name specified.

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

CSSAuthenticationException - - If there was a match for the user but the credentials were incorrect.

CSSTokenNotAcceptedException - - if the token was not based on a provider for this application.

CSSTokenNotAvailableException - - if the token could not be contructed.

CSSInvalidIdentityException - - if the identity encapsulated in the token was invalid.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSException - - if there was any other abnormality.

CSSCommunicationException

See Also:

CSSUserIF

authenticate

public CSSUserIF authenticate(java.util.Map context,
                              java.lang.String username,
                              java.lang.String password)
                       throws CSSException

Authenticates the specified username against the specified password with the providers configured in the security system.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

Parameters:

context - - Map structure holding key-value information about locale, host info

username - - name of the user to be authenticated.

password - - password for the user to be authenticated.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthenticationException - If there was a match for the user but the credentials were incorrect.

CSSConfigurationException - if the configuration specified is not valid.

CSSPasswordExpiryWarning - if the users password is expiring in a few days (Native User only).

CSSPasswordExpiredException - if the users password has expired (Native User only).

CSSException - if there was any other abnormality.

authenticateToken

public CSSUserIF authenticateToken(java.util.Map context,
                                   java.lang.String token)
                            throws CSSException

Authenticates the specified sso_token against the providers configured in the security system.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

Parameters:

context - - Map structure holding key-value information about locale, host info

token - - CSS token to be used for authentication

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthenticationException - If there was a match for the user but the credentials were incorrect.

CSSTokenNotAcceptedException - if the token was not based on a provider for this application.

CSSTokenNotAvailableException - if the token could not be contructed.

CSSInvalidIdentityException - if the identity encapsulated in the token was invalid.

CSSConfigurationException - if the configuration specified is not valid.

CSSPasswordExpiryWarning - if the users password is expiring in a few days (Native User only).

CSSPasswordExpiredException - if the users password has expired (Native User only).

CSSException - if there was any other abnormality.

authenticateSecurityAgent

public CSSUserIF authenticateSecurityAgent(java.util.Map context,
                                           javax.servlet.http.HttpServletRequest request)
                                    throws CSSException

Authenticates by parsing the username and password if available from the specified HTTP Servlet Request. If password is not present the providers will be treated as trusted and will check only for the validity of the username derived from the HTTP request..

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

Parameters:

context - - Map structure holding key-value information about locale, host info

request - - The HTTP Servlet Request containing information about the username and password.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthenticationException - If there was a match for the user but the credentials were incorrect.

CSSConfigurationException - if the configuration specified is not valid.

CSSPasswordExpiryWarning - if the users password is expiring in a few days (Native User only).

CSSPasswordExpiredException - if the users password has expired (Native User only).

CSSException - if there was any other abnormality.

authenticateUserFromSecurityAgent

public CSSUserIF authenticateUserFromSecurityAgent(java.util.Map context,
                                                   java.lang.String username,
                                                   java.lang.String trustedServiceKey)
                                            throws CSSException

Authenticates the specified username , after validating the trusted service key. This key is known only to trusted services and is required for successful authentication of the user. Note that this user should belong to a trusted provider.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

Parameters:

context - - Map structure holding key-value information about locale, host info

username - - name of the user to be authenticated.

trustedServiceKey - - value of the trusted services key.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthorizationException - If specified trusted services key is incorrect.

CSSAuthenticationException - If there was no match for the user.

CSSConfigurationException - if the configuration specified is not valid.

CSSException - if there was any other abnormality.

authenticateSapTicket

public CSSUserIF authenticateSapTicket(java.util.Map context,
                                       java.lang.String ticket)
                                throws CSSException

Authenticates the specified sap ticket against the providers configured in the security system.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

Parameters:

context - - Map structure holding key-value information about locale, host info

ticket - - SAP ticket that will be used for authentication.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthenticationException - If there was a match for the user but the credentials were incorrect.

CSSConfigurationException - if the configuration specified is not valid.

CSSException - if there was any other abnormality.

login

public CSSLoginUserIF login(java.util.Map context,
                            java.lang.String applicationId,
                            boolean indirect)
                     throws CSSNoProviderException,
                            CSSTokenNotAvailableException,
                            CSSIllegalArgumentException,
                            CSSAuthenticationException,
                            CSSAuthorizationException,
                            CSSTokenNotAcceptedException,
                            CSSInvalidIdentityException,
                            com.hyperion.css.common.configuration.CSSConfigurationException,
                            CSSCommunicationException,
                            CSSException

Deprecated.

Convenience API to authenticate the user and get the groups and roles list of the user for the specified application id.

The login API would perform the following CSS API calls

authenticate(Map)

CSSUserIF.getGroupsList(com.hyperion.css.common.CSSPrincipalIF, String, boolean)getGroups

CSSUserIF.getRolesList(com.hyperion.css.common.CSSPrincipalIF, String, boolean)

The CSSUserIF returned by this API will have the groups list and roles list pre-populated.

Parameters:

context - - Map structure holding key-value information about login name, password, token, locale and hostinfo.

applicationId - - the application id to which the user is logging in to.

indirect - - boolean value for whether to return direct group user belongs to or return all the groups in hierarchy.

Returns:

CSSLoginUserIF - this contains user object(CSSUserIF) and groups and roles lists belong to the user.

Throws:

CSSNoProviderException - - if no provider exists with the name specified.

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

CSSAuthenticationException - - If there was a match for the user but the credentials were incorrect.

CSSAuthorizationException - - if the principal is not the provisioning manager of the destination application

CSSTokenNotAcceptedException - - if the token was not based on a provider for this application.

CSSTokenNotAvailableException - - if the token could not be constructed.

CSSInvalidIdentityException - - if the identity encapsulated in the token was invalid.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSException - - if there was any other abnormality.

CSSCommunicationException

See Also:

CSSUserIF

login

public CSSLoginUserIF login(java.util.Map context,
                            java.lang.String username,
                            java.lang.String password,
                            java.lang.String[] applicationIds)
                     throws CSSException

Authenticates the specified username against the specified password with the providers configured in the security system. This method return a composite login user object that returns pre-computed list of groups and roles for the specified applications. The implementation of this method has been tuned for login performance and is recommended to be used for login use case.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

An empty or null value for applicationId will return empty results for group and roles listing.

Parameters:

context - - Map structure holding key-value information about locale, host info

username - - name of the user to be authenticated.

password - - password for the user to be authenticated.

applicationIds - - array of application ids to check the roles and group info on.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthenticationException - If there was a match for the user but the credentials were incorrect.

CSSConfigurationException - if the configuration specified is not valid.

CSSPasswordExpiryWarning - if the users password is expiring in a few days (Native User only).

CSSPasswordExpiredException - if the users password has expired (Native User only).

CSSException - if there was any other abnormality.

loginToken

public CSSLoginUserIF loginToken(java.util.Map context,
                                 java.lang.String token,
                                 java.lang.String[] applicationIds)
                          throws CSSException

Authenticates the specified sso_token against the providers configured in the security system. This method return a composite login user object that returns pre-computed list of groups and roles for the specified applications. The implementation of this method has been tuned for login performance and is recommended to be used for login use case.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

An empty or null value for applicationId will return empty results for group and roles listing.

Parameters:

context - - Map structure holding key-value information about locale, host info

token - - CSS token to be used for authentication.

applicationIds - - array of application ids to check the roles and group info on.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthenticationException - If there was a match for the user but the credentials were incorrect.

CSSTokenNotAcceptedException - if the token was not based on a provider for this application.

CSSTokenNotAvailableException - if the token could not be contructed.

CSSInvalidIdentityException - if the identity encapsulated in the token was invalid.

CSSConfigurationException - if the configuration specified is not valid.

CSSPasswordExpiryWarning - if the users password is expiring in a few days (Native User only).

CSSPasswordExpiredException - if the users password has expired (Native User only).

CSSException - if there was any other abnormality.

loginSecurityAgent

public CSSLoginUserIF loginSecurityAgent(java.util.Map context,
                                         javax.servlet.http.HttpServletRequest request,
                                         java.lang.String[] applicationIds)
                                  throws CSSException

Authenticates by parsing the username and password if available from the specified HTTP Servlet Request. If password is not present the providers will be treated as trusted and will check only for the validity of the username derived from the HTTP request.

This method return a composite login user object that returns pre-computed list of groups and roles for the specified applications. The implementation of this method has been tuned for login performance and is recommended to be used for login use case.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

An empty or null value for applicationId will return empty results for group and roles listing.

Parameters:

context - - Map structure holding key-value information about locale, host info

request - - The HTTP Servlet Request containing information about the username and password.

applicationIds - - array of application ids to check the roles and group info on.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthenticationException - If there was a match for the user but the credentials were incorrect.

CSSConfigurationException - if the configuration specified is not valid.

CSSPasswordExpiryWarning - if the users password is expiring in a few days (Native User only).

CSSPasswordExpiredException - if the users password has expired (Native User only).

CSSException - if there was any other abnormality.

loginSapTicket

public CSSLoginUserIF loginSapTicket(java.util.Map context,
                                     java.lang.String sapTicket,
                                     java.lang.String[] applicationIds)
                              throws CSSException

Authenticates the specified sap ticket against the providers configured in the security system.

This method return a composite login user object that returns pre-computed list of groups and roles for the specified applications. The implementation of this method has been tuned for login performance and is recommended to be used for login use case.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

An empty or null value for applicationId will return empty results for group and roles listing.

Parameters:

context - - Map structure holding key-value information about locale, host info

sapTicket - - SAP ticket that will be used for authentication.

applicationIds - - array of application ids to check the roles and group info on.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthenticationException - If there was a match for the user but the credentials were incorrect.

CSSConfigurationException - if the configuration specified is not valid.

CSSException - if there was any other abnormality.

getUsers

public CSSUserIF[] getUsers(java.util.Map context,
                            CSSPrincipalIF principal,
                            java.lang.String userName)
                     throws CSSIllegalArgumentException,
                            com.hyperion.css.common.configuration.CSSConfigurationException,
                            CSSCommunicationException,
                            CSSException

Gets the user specified by userName. The userName could be mapped to a particular attribute in a directory through the Configuration. The search for users based on *userName* should be based on getting all users who have userName as a part of the value of the attribute specified.

The userName could contain a wildcard such as "*". This implies that all the matching users in the directory need to be returned. However, the NTLM provider does not support * as a prefix to the userName.

Passing null as the userName parameter is not accepted and does not return all the users. You can use wildcards such as '*' for the userName parameter. In this case, users are returned in the order of directories that are specified by the search order.

You can retreive all users on a provider by specifying "*@providerName"

Passing a groupName to this call is not supported and no guarantees are made on the validity of the results.

The context can specify the following:

1. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The entryName@ProviderName syntax is supported by this method as a part of the user name.

Also, reserved characters for different directory servers are not directly supported.The caller needs to escape them in the appropriate way for the underlying directory store.

Only the users matching the filter AND are authorized for view by the specified principal will be returned. An empty array will be returned if there are no users matching the filter OR principal is not authorized to view them.

Parameters:

context - - Map structure holding key-value information about locale.

principal - CSSPrincipal identifying the user requesting information. Cannot be null.

userName - String argument representing the user login name.

Returns:

CSSUserIF[] - Returns an empty array if there are no matches.

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSCommunicationException - - if provider is specified with the name of the user viz. in the userName argument but is not reachable. For instance: "userName@providerName". If this provider cannot be contacted then the exception is thrown.

CSSException - - if there was any other abnormality.

getUserByEmail

public CSSUserIF getUserByEmail(java.util.Map context,
                                CSSPrincipalIF principal,
                                java.lang.String email)
                         throws CSSIllegalArgumentException,
                                com.hyperion.css.common.configuration.CSSConfigurationException,
                                CSSCommunicationException,
                                CSSException

Get a user based on an email match. The email could be mapped to a particular attribute in a directory through the configuration. The search for users based on email should be absolute.

The context can specify the following:

1. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

This method is not supported by the NTLM provider.

Wildcards should not be used in the arguments of this method. No guarantee is made for the behavior of this method if wildcards are part of the arguments.

Also, reserved characters for different directory servers are not directly supported.The caller needs to escape them in the appropriate way for the underlying directory store.

Parameters:

context - Map structure holding key-value information about locale.

principal - CSSPrincipal identifying the user requesting information. Cannot be null.

email - The complete e-mail address string for the user.

Returns:

CSSUserIF

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSException - - if there was any other abnormality.

CSSCommunicationException

getUsersByName

public CSSUserIF[] getUsersByName(java.util.Map context,
                                  CSSPrincipalIF principal,
                                  java.lang.String firstName,
                                  java.lang.String lastName)
                           throws CSSIllegalArgumentException,
                                  com.hyperion.css.common.configuration.CSSConfigurationException,
                                  CSSCommunicationException,
                                  CSSException

Get a user based on a firstName and lastName match. The firstName and lastName could be mapped to a particular set of attribute/s in a directory through the configuration. If there are two attributes, one each for firstName and lastName , then the search would be absolute and an AND would be performed.

If one of the parameters (for example, firstName) is not specified, then results for the other (for example, lastName are returned.

Wildcards should not be used in the arguments of this method. No guarantee is made for the behavior of this method if wildcards are part of the arguments.

The context can specify the following:

1. locale

These properties are discussed in the field description.

Please note that if the locale is not specified, the default locale set for the system is used.

This method is not supported by the NTLM provider.

Also, reserved characters for different directory servers are not directly supported.The caller needs to escape them in the appropriate way for the underlying directory store.

Only the users matching the filter AND are authorized for view by the specified principal will be returned. An empty array will be returned if there are no users matching the filter OR principal is not authorized to view them.

Parameters:

context - Map structure holding key-value information about locale.

principal - CSSPrincipal identifying the user requesting information. Cannot be null.

firstName - The user's first name, with appended middle name if one exists.

lastName - The user's last name.

Returns:

CSSUserIF[]

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSException - - if there was any other abnormality.

CSSCommunicationException

getUsers

public CSSUserIF[] getUsers(java.util.Map context,
                            CSSPrincipalIF principal,
                            java.lang.String userName,
                            java.lang.String firstName,
                            java.lang.String lastName)
                     throws CSSIllegalArgumentException,
                            com.hyperion.css.common.configuration.CSSConfigurationException,
                            CSSCommunicationException,
                            CSSException

Get a user based on a user name , firstName and lastName match. All the attributes are absolute and required. The way this is evaluated is as follows (in LDAP parlance):

 (&(userName="gkhanna")(firstName="Gaurav")(lastName="khanna") )
 

This can be explained as simply the AND of all the arguments.

The context can specify the following:

1. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

Wildcards should not be used in the arguments of this method. No guarantee is made for the behavior of this method if wildcards are part of the arguments.

Also, reserved characters for different directory servers are not directly supported.The caller needs to escape them in the appropriate way for the underlying directory store.

Only the users matching the filter AND are authorized for view by the specified principal will be returned. An empty array will be returned if there are no users matching the filter OR principal is not authorized to view them.

Parameters:

context - Map structure holding key-value information about locale.

principal - CSSPrincipal identifying the user requesting information. Cannot be null.

userName - String argument representing the user login name.

firstName - The user's first name, with appended middle name if one exists.

lastName - The user's last name.

Returns:

CSSUserIF[] - empty if there is no match

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSException - - if there was any other abnormality.

CSSCommunicationException

See Also:

getUsersByName(Map, String, String), getUsers(Map, String)

getUserByIdentity

public CSSUserIF getUserByIdentity(java.util.Map context,
                                   CSSPrincipalIF principal,
                                   java.lang.String identity)
                            throws CSSNoProviderException,
                                   CSSInvalidIdentityException,
                                   CSSInvalidUserException,
                                   CSSIllegalArgumentException,
                                   com.hyperion.css.common.configuration.CSSConfigurationException,
                                   CSSCommunicationException,
                                   CSSException

Get a user based on the identity of the user. The identity is stored by the application and is generated by the security platform.

The context can specify the following:

1. locale
2. flag that required a Communication Exception be thrown to the caller (throw Communication Exception)

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

Also, reserved characters for different directory servers are not directly supported.The caller needs to escape them in the appropriate way for the underlying directory store.

Parameters:

context - Map structure holding information about the locale.

principal - CSSPrincipal identifying the user requesting information. Cannot be null.

identity - String returned from the user object that uniquely identifies one user on a provider.

Returns:

CSSUserIF

Throws:

CSSNoProviderException - - if no provider exists with the name specified.

CSSInvalidIdentityException - - if the identity is invalid.

CSSInvalidUserException - - if the user specified by the identity does not exist. The user might have been deleted.

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSCommunicationException - - if the caller has specified interest in consuming this and a provider of the type specified by the identity is not reachable. If any one of the providers of this type cannot be contacted and the user specified by the identity passed in cannot be found then the exception is thrown.

CSSException - - if there was any other abnormality.

getGroups

public CSSGroupIF[] getGroups(java.util.Map context,
                              CSSPrincipalIF principal,
                              java.lang.String groupName)
                       throws CSSIllegalArgumentException,
                              com.hyperion.css.common.configuration.CSSConfigurationException,
                              CSSCommunicationException,
                              CSSException

Get a group based on the name. The name could be mapped to a particular attribute in a directory through the configuration. The search for groups based on *name* should be based on getting all groups who have name as a part of the value of the attribute specified. For instance: the search is on "*name*".
However, the NTLM provider does not support * as a prefix to the name.

Passing in null as the groupName is equivalent to the * wildcard character.

The method can be called with the wildcard * for groupName to get all the groups from the first provider in the search order. In this case it would go by the search order.

To get all groups from a particular provider, specify "*@providerName"

.

This follows the "groupName@providerName" syntax. You can also have wildcards such as "GA*@providerName" for the groupName parameter.

The context can specify the following:

1. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The entryName@ProviderName syntax is supported by this method. This is used in the name parameter.

Also, reserved characters for different directory servers are not directly supported.The caller needs to escape them in the appropriate way for the underlying directory store.

Only the groups matching the filter AND are authorized for view by the specified principal will be returned. An empty array will be returned if there are no groups matching the filter OR principal is not authorized to view them.

Parameters:

context - Map structure holding locale information.

principal - CSSPrincipal identifying the user requesting information. Cannot be null.

groupName - Name of the group.

Returns:

CSSGroupIF[] - empty if there is no match

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSCommunicationException - - if provider is specified with the name of the group viz. in the groupName argument but is not reachable. For instance: "groupName@providerName". If this provider cannot be contacted then the exception is thrown.

CSSException - - if there was any other abnormality.

getGroupByIdentity

public CSSGroupIF getGroupByIdentity(java.util.Map context,
                                     CSSPrincipalIF principal,
                                     java.lang.String identity)
                              throws CSSNoProviderException,
                                     CSSIllegalArgumentException,
                                     CSSInvalidIdentityException,
                                     CSSInvalidGroupException,
                                     com.hyperion.css.common.configuration.CSSConfigurationException,
                                     CSSCommunicationException,
                                     CSSException

Get a group based on the identity of the group. The identity is stored by the application and is generated by the security platform.

The context can specify the following:

1. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

Also, reserved characters for different directory servers are not directly supported.The caller needs to escape them in the appropriate way for the underlying directory store.

Parameters:

context - Map structure holding locale information.

principal - CSSPrincipal identifying the user requesting information. Cannot be null.

identity - String returned from the group object that uniquely identifies one group on a provider.

Returns:

CSSGroupIF

Throws:

CSSNoProviderException - - if no provider exists with the name specified.

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

CSSInvalidIdentityException - - if the identity is invalid.

CSSInvalidGroupException - - if the group specified by the identity does not exist. The group might have been deleted.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSException - - if there was any other abnormality.

CSSCommunicationException

isValidCSSToken

public boolean isValidCSSToken(java.util.Map context,
                               java.lang.String token)
                        throws CSSIllegalArgumentException,
                               com.hyperion.css.common.configuration.CSSConfigurationException,
                               CSSException

Determines if the token is valid.

The context can specify the following:

1. provider request - the provider to use. If this property is specified then token is also validated for this provider. This implies that the token in order to be valid should have this provider as the "server of reference".
2. Locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

Parameters:

context - Map structure holding provider and/or locale information.

token - Encrypted string that holds information for a user.

Returns:

boolean - true if it is valid. False otherwise.

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid.

CSSException - - if there was any other abnormality.

initialize

public void initialize(java.util.Map context,
                       CSSApplicationIF appCallback)
                throws com.hyperion.css.common.configuration.CSSConfigurationException,
                       CSSIllegalArgumentException,
                       CSSCommunicationException,
                       CSSException

Deprecated.

Initializes the security platform by specifying the callback into the application.

The context can specify the following:

1. Locale
2. The text that is prepended to the log messages
3. Configuration cache behavior settings(e.g., PRP_CACHE_SCHEME_CACHE_PATH)
4. The specification whether the Hub Server is local or not.
5. FORCE_DEPENDENCY_CHECK flag forcing the dependency check.

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used. Also, the Hub Server is assumed to be remote by default.

There are two types of tests on the configuration performed by this method:

1. Static Configuration Tests: This implies tests on the structure and validity of the configuration file.
2. Dynamic Configuration Tests: This implies tests on the correct execution of the providers based on the configuration provided. For instance: a test connection would be created to the underlying data store to determine the validity of the configuration. If a connection cannot be made to the directory store then the validity of the configuration cannot be confirmed and no exception is thrown.

Parameters:

appCallback - Handle passed by the application implementation to the security platform, providing a way for the security platform to send information back to the calling application.

Returns:

void

Throws:

com.hyperion.css.common.configuration.CSSConfigurationException - - if the configuration specified is not valid in terms of static tests or the configuration is not valid in terms of dynamic tests.

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

CSSException - - if there was any other abnormality

CSSCommunicationException

Since:

CSS v2.5

getProviderMap

public java.util.Map getProviderMap(java.util.Map context)
                             throws CSSIllegalArgumentException

Gets the names and types of the providers that are registered with the security platform.

The context can specify the following:

1. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The keys of the returned Map instance hold the provider type names, one for each type. The value associated with each type key is an ArrayList that contains a list of provider names as Strings.

Parameters:

context - Map structure holding locale information.

Returns:

A Map of provider types where each type is a collection of provider names. If there are no providers an empty Map is returned, null is never returned. If there are no providers for a given type the type will not appear in the Map. Modification by reference of the CSS type map is not allowed so a new deep clone is returned with each call.

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

See Also:

PROVIDER_TYPE_LDAP, PROVIDER_TYPE_MSAD, PROVIDER_TYPE_NTLM, PROVIDER_TYPE_CUSTOM, PROVIDER_TYPE_NATIVE

isSecurityAgentProtected

public boolean isSecurityAgentProtected(java.util.Map context)
                                 throws CSSIllegalArgumentException

This method is invoked to determine if the access to a resource might be protected by a Security Agent.

The Security Agent could be Netegrity Siteminder. If this method returns true then the caller should attempt to locate the appropriate header; for instance, for Netegrity: SECURITY_AGENT_LOGIN_NAME; in the HTTP headers. If the header exists then the value for that should be passed into the (@link #authenticate(Map)} method.

The context can specify the following:

1. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

Parameters:

context - Map structure holding locale information.

Returns:

boolean - true if the configuration specifies a Security Agent is used to protect the resources.

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

Since:

CSS v2.5

getHeaderNamesFromSecurityAgent

public java.lang.String[] getHeaderNamesFromSecurityAgent(java.util.Map context)
                                                   throws CSSIllegalArgumentException

This method returns the HTTP headers that would carry the login name of the user.

The header names are populated by the Security Agent. The Security Agent could be Netegrity SiteMinder.

The array returned could be of length > 0. If that is the case then the calling application needs to compare the headers from the HTTP REQUEST with the names from this array one by one starting from index 0. This comparison should be case insensitive.

There could be more than one header because different application/web servers map headers to different names. For instance, some might prepend HTTP to the header name.

It is the reponsibility of the product team to invoke this method and use the header names returned by it to retrieve the login name from the HTTP REQUEST.

The context can specify the following:

1. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

Parameters:

context - Map structure holding locale information.

Returns:

String[] - the header names that are used to specify the login name. This is empty if there is no match.

Throws:

CSSIllegalArgumentException - - if there is an argument that is inappropriate.

Since:

CSS v2.5

getUserProvisioningAPI

public CSSUserProvisioningAPIIF getUserProvisioningAPI(java.util.Map context)

Returns the User and Group Provisioning Interface.

Some of the functionality provided by the interface is as follows:

1. Provisioning user and groups
2. Delegated Administration
3. Access Control

Parameters:

context - - Map structure holding locale information.

Returns:

CSSUserProvisioningAPIIF

getDirectoryManagementAPI

public CSSDirectoryManagementAPIIF getDirectoryManagementAPI(java.util.Map context)

Returns an interface to CRUD of Hyperion Shared Services User Directory.

Some of the functionality provided by the interface is as follows:

1. Native user and group creation and management.
2. Roles Creation and Management

Parameters:

context - - Map structure holding locale information.

Returns:

CSSDirectoryManagementAPIIF

isNativeProviderActive

public boolean isNativeProviderActive(java.util.Map context)

Return the status of the Native Provider after CSS has intialized.

A true will be returned if the Native Directory (open LDAP) is active for connections.

Parameters:

context - = Map structure holding locale information.

Returns:

boolean - true if active, false otherwise

getMigrationAPI

public CSSMigrationAPIIF getMigrationAPI(java.util.Map context)

Provides handle to the Migration Interface.

The migration interface provides functionality like:

1. Checking to see if a migration is required.
2. Validating CSS identities for the status(UPDATED, DELETED, AMBIGOUOUS, IGNORED, DELETED) against external providers.

Parameters:

context - - Map structure holding locale information.

Returns:

CSSMigrationAPIIF

getUsers

public CSSUserIF[] getUsers(java.util.Map context,
                            CSSPrincipalIF principal,
                            UserSearchFilter userSrchFilter)
                     throws CSSCommunicationException,
                            CSSException

Gets the user specified by user search filter passed in The user search filter contains user filter attributes and values like, USERNAME,FIRSTNAME,LASTNAME,EMAIL,DESCRIPTION (Also ACTIVE, INACTIVE and ALL for native) Etc. This supports wild card search. Eg. The search for users based on *userName* should return all users matching this pattern.

when the attribute value is specified as "*" This implies that all the users in the directory need to be returned.The query can be based on any one of the above attributes. For native if the filter attribute can be set to ACTIVE, INACTIVE or ALL to return active, inactive and all users respectively. There may be a performence hit for NTLM because in case no group is passed as search criteria for NTLM and search is made on FIRSTNAME or LASTNAME. In this case first all the users are obtained and then they are filtered out based on FIRSTNAME or LASTNAME Etc.

Parameters:

context - - Map structure holding key-value information about locale and other parameters.

principal - - identity of the caller. Can not be null.

userSrchFilter - - contains the search filter attributes and values.

Returns:

CSSUserIF[] - Returns null if there is no match. Returns null incase userSrchFilter is null.

Throws:

CSSCommunicationException - - The provider could not connect to the directory server.

CSSException - - Any other abnormality.

getGroups

public CSSGroupIF[] getGroups(java.util.Map context,
                              CSSPrincipalIF principal,
                              GroupSearchFilter groupSrchFilter)
                       throws CSSCommunicationException,
                              CSSException

Get a group specified by group search filter passed in The group search filter contains group filter attributes and values like, GROUPNAME, DESCRIPTION. The name could be mapped to a particular attribute in a directory through the Configuration. The search for groups based on *name* should be based on getting all groups who have name as a part of the value of the attribute specified.

The attribute could contain a wildcard such as "*". This implies that all the groups in the directory need to be returned.The query can be based on any one of the above attributes.

Parameters:

context - Map structure holding key-value information about locale.

principal - - identity of the caller. Can not be null.

groupSrchFilter - - contains the group filter attributes and values.

Returns:

CSSGroupIF[] - empty if there is no match.Returns null incase groupSrchFilter is null.

Throws:

CSSCommunicationException - - The provider could not connect to the directory.

CSSException - - Any other abnormality.

getGroupsByIdentities

public CSSGroupIF[] getGroupsByIdentities(java.util.Map context,
                                          java.lang.String[] identities)

Return an Array for a CSSGroupIF objects for an array of group identities.

Note: This method does not refine the list if the delegated mode is on, this method is to get CSSGroupIF objects for given entries.

Parameters:

context - A map object that holds the context information.

identities - An array of non null string identities.

Returns:

An Array of CSSGroupIF objects for every identity that could be sucessfully resolved.

authenticateProxyUser

public CSSUserIF authenticateProxyUser(java.util.Map context,
                                       java.lang.String username,
                                       java.lang.String trustedServiceKey)
                                throws CSSException

Authenticates the specified username using proxy, after validating the trusted service key. This key is known only to trusted services and is required for successful authentication of the user. Note that this user should belong to a trusted provider.

The context can specify the following:

1. Host info
2. locale

These properties are discussed in the field description. Please note that if the locale is not specified, the default locale set for the system is used.

The host info (ip-address/hostname) is required for auditing purposes.

Note: If a SAP user name is specified the CSS token generated will not contain any SAP ticket. In other words this token cannot be used to Single Sign On into any SAP application.

Parameters:

context - - Map structure holding key-value information about locale, host info

username - - name of the user to be authenticated.

trustedServiceKey - - value of the trusted services key.

Returns:

CSSUserIF - this contains the token string that can be used to single-sign-on.

Throws:

CSSException - - one of the following exception will be thrown.

CSSNoProviderException - if no provider exists with the name specified.

CSSIllegalArgumentException - if there is an argument that is inappropriate.

CSSAuthorizationException - If specified trusted services key is incorrect.

CSSAuthenticationException - If there was no match for the user.

CSSConfigurationException - if the configuration specified is not valid.

CSSException - if there was any other abnormality.

getUsers

public CSSUserIF[] getUsers(java.util.Map context,
                            java.lang.String userName)
                     throws CSSIllegalArgumentException,
                            com.hyperion.css.common.configuration.CSSConfigurationException,
                            CSSCommunicationException,
                            CSSException

Deprecated.

Throws:

CSSIllegalArgumentException

com.hyperion.css.common.configuration.CSSConfigurationException

CSSCommunicationException

CSSException

getUserByEmail

public CSSUserIF getUserByEmail(java.util.Map context,
                                java.lang.String email)
                         throws CSSIllegalArgumentException,
                                com.hyperion.css.common.configuration.CSSConfigurationException,
                                CSSCommunicationException,
                                CSSException

Deprecated.

Throws:

CSSIllegalArgumentException

com.hyperion.css.common.configuration.CSSConfigurationException

CSSCommunicationException

CSSException

getUsersByName

public CSSUserIF[] getUsersByName(java.util.Map context,
                                  java.lang.String firstName,
                                  java.lang.String lastName)
                           throws CSSIllegalArgumentException,
                                  com.hyperion.css.common.configuration.CSSConfigurationException,
                                  CSSCommunicationException,
                                  CSSException

Deprecated.

Throws:

CSSIllegalArgumentException

com.hyperion.css.common.configuration.CSSConfigurationException

CSSCommunicationException

CSSException

getUsers

public CSSUserIF[] getUsers(java.util.Map context,
                            java.lang.String userName,
                            java.lang.String firstName,
                            java.lang.String lastName)
                     throws CSSIllegalArgumentException,
                            com.hyperion.css.common.configuration.CSSConfigurationException,
                            CSSCommunicationException,
                            CSSException

Deprecated.

Throws:

CSSIllegalArgumentException

com.hyperion.css.common.configuration.CSSConfigurationException

CSSCommunicationException

CSSException

getUserByIdentity

public CSSUserIF getUserByIdentity(java.util.Map context,
                                   java.lang.String identity)
                            throws CSSNoProviderException,
                                   CSSInvalidIdentityException,
                                   CSSInvalidUserException,
                                   CSSIllegalArgumentException,
                                   com.hyperion.css.common.configuration.CSSConfigurationException,
                                   CSSCommunicationException,
                                   CSSException

Deprecated.

Throws:

CSSNoProviderException

CSSInvalidIdentityException

CSSInvalidUserException

CSSIllegalArgumentException

com.hyperion.css.common.configuration.CSSConfigurationException

CSSCommunicationException

CSSException

getGroups

public CSSGroupIF[] getGroups(java.util.Map context,
                              java.lang.String groupName)
                       throws CSSIllegalArgumentException,
                              com.hyperion.css.common.configuration.CSSConfigurationException,
                              CSSCommunicationException,
                              CSSException

Deprecated.

Throws:

CSSIllegalArgumentException

com.hyperion.css.common.configuration.CSSConfigurationException

CSSCommunicationException

CSSException

getGroupByIdentity

public CSSGroupIF getGroupByIdentity(java.util.Map context,
                                     java.lang.String identity)
                              throws CSSNoProviderException,
                                     CSSIllegalArgumentException,
                                     CSSInvalidIdentityException,
                                     CSSInvalidGroupException,
                                     com.hyperion.css.common.configuration.CSSConfigurationException,
                                     CSSCommunicationException,
                                     CSSException

Deprecated.

Throws:

CSSNoProviderException

CSSIllegalArgumentException

CSSInvalidIdentityException

CSSInvalidGroupException

com.hyperion.css.common.configuration.CSSConfigurationException

CSSCommunicationException

CSSException

getProviderNames

public java.lang.String[] getProviderNames(java.util.Map context)
                                    throws CSSIllegalArgumentException

Deprecated.

Throws:

CSSIllegalArgumentException