com.sun.identity.policy.interfaces
Interface Condition

All Superinterfaces:

java.lang.Cloneable

public interface Condition

extends java.lang.Cloneable

The class Condition defines an interface to allow pluggable condition. These are used to control policy decisions based on parameters such as time, authentication level of the user session and IP address from which the user is making the request. A condition computes a ConditionDecision based on the state of condition object as set by setProperties method call and the environment passed in a map of key/value pairs. ConditionDecision encapsulates whether a policy applies for the request and advice messages generated by the condition. The following Condition implementation are provided with the Policy framework: AuthLevelCondition, AuthSchemeCondition, IPCondition, SimpleTimeCondition AuthenticateToRealmCondition, AuthenticateToServiceCondition, LDAPFilterCondition LEAuthLevelCondition,SessionCondition and SessionPropertyCondition All condition implementations should have a public no argument constructor.

See Also:

ConditionDecision

Field Summary

static java.lang.String	AUTH_LEVEL Key that is used to define the minimum authentication level in an AuthLevelCondition or the maximum authentication level in a LEAuthLevelCondition of a policy being evaluated.
static java.lang.String	AUTH_SCHEME Key that is used to define the authentication scheme in an AuthSchemeCondition of a policy.
static java.lang.String	AUTHENTICATE_TO_REALM Key used in AuthenticateToRealmCondition to specify the realm for which the user should authenticate for the policy to apply.
static java.lang.String	AUTHENTICATE_TO_SERVICE Key that is used in AuthenticateToServiceCondition to specify the authentication chain for which the user should authenticate for the policy to apply.
static java.lang.String	DNS_NAME Key that is used in an IPCondition to define the DNS name values for which a policy applies.
static java.lang.String	END_DATE Key that is used in a SimpleTimeCondition to define the end of date range for which a policy applies.The value corresponding to the key has to be a Set that has just one element which is a String that corresponds to the pattern described below.
static java.lang.String	END_DAY Key that is used in a SimpleTimeCondition to define the end of day of week range for which a policy applies.
static java.lang.String	END_IP Key that is used in IPCondition to define the end of IP address range for which a policy applies.
static java.lang.String	END_TIME Key that is used in a SimpleTimeCondition to define the end of time range during which a policy applies.The value corresponding to the key has to be a Set that has just one element which is a String that conforms to the pattern described here.
static java.lang.String	ENFORCEMENT_TIME_ZONE Key that is used in a SimpleTimeCondition to define the time zone basis to evaluate the policy.
static java.lang.String	LDAP_FILTER Key that is used in a LDAPFilterCondition to define the ldap filter that should be satisfied by the ldap entry of the user for the condition to be satisifed The value should be a Set with only one element.
static java.lang.String	MAX_SESSION_TIME Key that is used in SessionCondition to define the maximum session time in minutes for which a policy applies.
static java.lang.String	REQUEST_AUTH_LEVEL Key that is used to define the authentication level of the request.
static java.lang.String	REQUEST_AUTH_SCHEMES Key that is used to define the name of authentication scheme of the request.
static java.lang.String	REQUEST_AUTHENTICATED_TO_REALMS Key that is used to identify the names of authenticated realms in the request.
static java.lang.String	REQUEST_AUTHENTICATED_TO_SERVICES Key that is used to identify the names of authentication chains in the request.
static java.lang.String	REQUEST_DNS_NAME Key that is used to define request DNS name that is passed in the env parameter while invoking getConditionDecision method of an IPCondition.
static java.lang.String	REQUEST_IP Key that is used to define request IP address that is passed in the env parameter while invoking getConditionDecision method of an IPCondition.
static java.lang.String	REQUEST_TIME_ZONE Key that is used to define the time zone that is passed in the env parameter while invoking getConditionDecision method of a SimpleTimeCondition Value for the key should be a TimeZone object.
static java.lang.String	START_DATE Key that is used in a SimpleTimeCondition to define the start of date range for which a policy applies.
static java.lang.String	START_DAY Key that is used in a SimpleTimeCondition to define the start of day of week range for which a policy applies.
static java.lang.String	START_IP Key used in IPCondition to define the start of IP address range for which a policy applies.
static java.lang.String	START_TIME Key that is used in SimpleTimeCondition to define the beginning of time range during which a policy applies.
static java.lang.String	TERMINATE_SESSION Key in SessionCondition that is used to define the option to terminate the session if the session exceeds the maximum session time.
static java.lang.String	VALUE_CASE_INSENSITIVE Key that is passed in the env parameter while invoking getConditionDecision method of a SessionPropertyCondition to indicate if a case insensitive match needs to done of the property value against same name property in the user's single sign on token.

Method Summary

java.lang.Object	clone() Returns a copy of this object.
ConditionDecision	getConditionDecision(SSOToken token, java.util.Map env) Gets the decision computed by this condition object, based on the map of environment parameters
java.lang.String	getDisplayName(java.lang.String property, java.util.Locale locale) Gets the display name for the property name.
java.util.Map	getProperties() Gets the properties of the condition
java.util.List	getPropertyNames() Returns a list of property names for the condition.
Syntax	getPropertySyntax(java.lang.String property) Returns the syntax for a property name
java.util.Set	getValidValues(java.lang.String property) Returns a set of valid values given the property name.
void	setProperties(java.util.Map properties) Sets the properties of the condition.

Field Detail

AUTH_LEVEL

public static final java.lang.String AUTH_LEVEL

Key that is used to define the minimum authentication level in an AuthLevelCondition or the maximum authentication level in a LEAuthLevelCondition of a policy being evaluated. In case of AuthLevelCondition policy would apply if the request authentication level is at least the level defined in condition while in case of LEAuthLevelCondition policy would apply if the request authentication level is less than or equal to the level defined in the condition. The value should be a Set with only one element. The element should be a String, parse-able as an integer or a realm qualified integer like "sun:1" where "sun" is a realm name.":" needs to used a delimiter between realm name and the level.

See Also:

setProperties(Map), Constant Field Values

REQUEST_AUTH_LEVEL

public static final java.lang.String REQUEST_AUTH_LEVEL

Key that is used to define the authentication level of the request. Its passed down in the env Map to the getConditionDecision call of an AuthLevelCondition or LEAuthLevelCondition for condition evaluation.

The value should be an Integer or a Set of Strings. If it is a Set of Strings, each element of the set has to be parseable as integer or should be a realm qualified integer like "sun:1". If the env parameter is null or does not define value for REQUEST_AUTH_LEVEL, the value for REQUEST_AUTH_LEVEL is obtained from the single sign on token of the user

See Also:

getConditionDecision(SSOToken, Map), AUTH_LEVEL, Constant Field Values

AUTH_SCHEME

public static final java.lang.String AUTH_SCHEME

Key that is used to define the authentication scheme in an AuthSchemeCondition of a policy. Policy would apply if the authentication scheme of the request is same as defined in the condition. The value should be a Set with only one element. The element should be a String, the authentication scheme name.

See Also:

setProperties(Map), Constant Field Values

REQUEST_AUTH_SCHEMES

public static final java.lang.String REQUEST_AUTH_SCHEMES

Key that is used to define the name of authentication scheme of the request. Its passed down as part of the env Map to getConditionDecision of an AuthSchemeCondition for condition evaluation. Value for the key should be a Set with each element being a String. If the env parameter is null or does not define value for REQUEST_AUTH_SCHEMES, the value for REQUEST_AUTH_SCHEMES is obtained from the single sign on token of the user

See Also:

getConditionDecision(SSOToken, Map), AUTH_SCHEME, Constant Field Values

AUTHENTICATE_TO_REALM

public static final java.lang.String AUTHENTICATE_TO_REALM

Key used in AuthenticateToRealmCondition to specify the realm for which the user should authenticate for the policy to apply. The value should be a Set with only one element. The should be a String, the realm name.

See Also:

setProperties(Map), Constant Field Values

REQUEST_AUTHENTICATED_TO_REALMS

public static final java.lang.String REQUEST_AUTHENTICATED_TO_REALMS

Key that is used to identify the names of authenticated realms in the request. Its passed down as part of the env Map to getConditionDecision of an AuthenticateToRealmCondition for condition evaluation. Value for the key should be a Set with each element being a String If the env parameter is null or does not define value for REQUEST_AUTHENTICATED_TO_REALMS, the value for REQUEST_AUTHENTICATED_TO_REALMS is obtained from the single sign on token of the user

See Also:

getConditionDecision(SSOToken, Map), AUTHENTICATE_TO_REALM, Constant Field Values

AUTHENTICATE_TO_SERVICE

public static final java.lang.String AUTHENTICATE_TO_SERVICE

Key that is used in AuthenticateToServiceCondition to specify the authentication chain for which the user should authenticate for the policy to apply. The value should be a Set with only one element. The should be a String, the realm name.

See Also:

setProperties(Map), Constant Field Values

REQUEST_AUTHENTICATED_TO_SERVICES

public static final java.lang.String REQUEST_AUTHENTICATED_TO_SERVICES

Key that is used to identify the names of authentication chains in the request. Its passed down as part of the env Map to getConditionDecision of an AuthenticateToServiceCondition for condition evaluation. Value for the key should be a Set with each element being a String. If the env parameter is null or does not define value for REQUEST_AUTHENTICATED_TO_SERVICES, the value for REQUEST_AUTHENTICATED_TO_SERVICES is obtained from the single sign on token of the user

See Also:

getConditionDecision(SSOToken, Map), AUTHENTICATE_TO_SERVICE, Constant Field Values

START_IP

public static final java.lang.String START_IP

Key used in IPCondition to define the start of IP address range for which a policy applies. The value corresponding to the key has to be a Set that has just one element which is a String that conforms to the pattern described here. If a value is defined for START_IP, a value should also be defined for END_IP. The patterns is : n.n.n.n where n would take any integer value between 0 and 255 inclusive. Some sample values are 122.100.85.45 145.64.55.35 15.64.55.35

See Also:

setProperties(Map), Constant Field Values

END_IP

public static final java.lang.String END_IP

Key that is used in IPCondition to define the end of IP address range for which a policy applies. The value corresponding to the key has to be a Set that has just one element which is a String that conforms to the pattern described here. If a value is defined for END_IP, a value should also be defined for START_IP. The patterns is : n.n.n.n where n would take any integer value between 0 and 255 inclusive. Some sample values are 122.100.85.45 145.64.55.35 15.64.55.35

See Also:

setProperties(Map), Constant Field Values

DNS_NAME

public static final java.lang.String DNS_NAME

Key that is used in an IPCondition to define the DNS name values for which a policy applies. The value corresponding to the key has to be a Set where each element is a String that conforms to the patterns described here. The patterns is :

 ccc.ccc.ccc.ccc
 *.ccc.ccc.ccc

where c is any valid character for DNS domain/host name. There could be any number of .ccc components. Some sample values are:

 www.sun.com
 finace.yahoo.com
 *.yahoo.com
 

See Also:

setProperties(Map), Constant Field Values

REQUEST_IP

public static final java.lang.String REQUEST_IP

Key that is used to define request IP address that is passed in the env parameter while invoking getConditionDecision method of an IPCondition. Value for the key should be a String that is a string representation of IP of the client, in the form n.n.n.n where n is a value between 0 and 255 inclusive.

See Also:

getConditionDecision(SSOToken, Map), REQUEST_DNS_NAME, Constant Field Values

REQUEST_DNS_NAME

public static final java.lang.String REQUEST_DNS_NAME

Key that is used to define request DNS name that is passed in the env parameter while invoking getConditionDecision method of an IPCondition. Value for the key should be a set of strings representing the DNS names of the client, in the form ccc.ccc.ccc. If the env parameter is null or does not define value for REQUEST_DNS_NAME, the value for REQUEST_DNS_NAME is obtained from the single sign on token of the user

See Also:

getConditionDecision(SSOToken, Map), Constant Field Values

LDAP_FILTER

public static final java.lang.String LDAP_FILTER

Key that is used in a LDAPFilterCondition to define the ldap filter that should be satisfied by the ldap entry of the user for the condition to be satisifed The value should be a Set with only one element. The element should be a String.

See Also:

setProperties(Map), Constant Field Values

MAX_SESSION_TIME

public static final java.lang.String MAX_SESSION_TIME

Key that is used in SessionCondition to define the maximum session time in minutes for which a policy applies. The value corresponding to the key has to be a Set that has just one element which is a string and parse-able as an Integer.

See Also:

Constant Field Values

TERMINATE_SESSION

public static final java.lang.String TERMINATE_SESSION

Key in SessionCondition that is used to define the option to terminate the session if the session exceeds the maximum session time. The value corresponding to the key has to be a Set that has just one element which is a string. The option is on if the string value is equal to true.

See Also:

Constant Field Values

START_TIME

public static final java.lang.String START_TIME

Key that is used in SimpleTimeCondition to define the beginning of time range during which a policy applies. The value corresponding to the key has to be a Set that has just one element which is a String that conforms to the pattern described here. If a value is defined for START_TIME, a value should also be defined for END_TIME. The patterns is:

    HH:mm
 

Some sample values are

     08:25
     18:45
 

See Also:

setProperties(Map), END_TIME, Constant Field Values

END_TIME

public static final java.lang.String END_TIME

Key that is used in a SimpleTimeCondition to define the end of time range during which a policy applies.The value corresponding to the key has to be a Set that has just one element which is a String that conforms to the pattern described here. If a value is defined for END_TIME, a value should also be defined for START_TIME. The patterns is:

    HH:mm
 

Some sample values are

     08:25
     18:45
 

See Also:

setProperties(Map), START_TIME, Constant Field Values

START_DAY

public static final java.lang.String START_DAY

Key that is used in a SimpleTimeCondition to define the start of day of week range for which a policy applies. The value corresponding to the key has to be a Set that has just one element which is a String that is one of the values Sun, Mon, Tue, Wed, Thu, Fri, Sat. If a value is defined for START_DAY, a value should also be defined for END_DAY. Some sample values are

     Sun
     Mon
 

See Also:

setProperties(Map), END_DAY, Constant Field Values

END_DAY

public static final java.lang.String END_DAY

Key that is used in a SimpleTimeCondition to define the end of day of week range for which a policy applies. Its defined in a SimpleTimeCondition associated with the policy. The value corresponding to the key has to be a Set that has just one element which is a String that is one of the values Sun, Mon, Tue, Wed, Thu, Fri, Sat. If a value is defined for END_DAY, a value should also be defined for START_DAY. Some sample values are

     Sun
     Mon
 

See Also:

setProperties(Map), START_DAY, Constant Field Values

START_DATE

public static final java.lang.String START_DATE

Key that is used in a SimpleTimeCondition to define the start of date range for which a policy applies. The value corresponding to the key has to be a Set that has just one element which is a String that corresponds to the pattern described below. If a value is defined for START_DATE, a value should also be defined for END_DATE. The pattern is

     yyyy:MM:dd
 Some sample values are
     2001:02:26
     2002:12:31
 

See Also:

setProperties(Map), END_DATE, Constant Field Values

END_DATE

public static final java.lang.String END_DATE

Key that is used in a SimpleTimeCondition to define the end of date range for which a policy applies.The value corresponding to the key has to be a Set that has just one element which is a String that corresponds to the pattern described below. If a value is defined for END_DATE, a value should also be defined for START_DATE. The pattern is

     yyyy:MM:dd
 Some sample values are
     2001:02:26
     2002:12:31
 

See Also:

setProperties(Map), START_DATE, Constant Field Values

ENFORCEMENT_TIME_ZONE

public static final java.lang.String ENFORCEMENT_TIME_ZONE

Key that is used in a SimpleTimeCondition to define the time zone basis to evaluate the policy. The value corresponding to the key has to be a one element Set where the element is a String that is one of the standard timezone IDs supported by java or a String of the pattern GMT[+|-]hh[[:]mm] here. If the value is not a valid time zone id and does not match the pattern GMT[+|-]hh[[:]mm], it would default to GMT

See Also:

TimeZone, Constant Field Values

REQUEST_TIME_ZONE

public static final java.lang.String REQUEST_TIME_ZONE

Key that is used to define the time zone that is passed in the env parameter while invoking getConditionDecision method of a SimpleTimeCondition Value for the key should be a TimeZone object. This would be used only if the ENFORCEMENT_TIME_ZONE is not defined for the SimpleTimeCondition

See Also:

getConditionDecision(SSOToken, Map), ENFORCEMENT_TIME_ZONE, TimeZone, Constant Field Values

VALUE_CASE_INSENSITIVE

public static final java.lang.String VALUE_CASE_INSENSITIVE

Key that is passed in the env parameter while invoking getConditionDecision method of a SessionPropertyCondition to indicate if a case insensitive match needs to done of the property value against same name property in the user's single sign on token.

See Also:

Constant Field Values

Method Detail

getPropertyNames

public java.util.List getPropertyNames()

Returns a list of property names for the condition.

Returns:

list of property names

getPropertySyntax

public Syntax getPropertySyntax(java.lang.String property)

Returns the syntax for a property name

Parameters:

property - property name

Returns:

Syntax for the property name

See Also:

Syntax

getDisplayName

public java.lang.String getDisplayName(java.lang.String property,
                                       java.util.Locale locale)
                                throws PolicyException

Gets the display name for the property name. The locale variable could be used by the plugin to customize the display name for the given locale. The locale variable could be null, in which case the plugin must use the default locale.

Parameters:

property - property name

locale - locale for which the property name must be customized

Returns:

display name for the property name.

Throws:

PolicyException

getValidValues

public java.util.Set getValidValues(java.lang.String property)
                             throws PolicyException

Returns a set of valid values given the property name. This method is called if the property Syntax is either the SINGLE_CHOICE or MULTIPLE_CHOICE.

Parameters:

property - property name

Returns:

Set of valid values for the property.

Throws:

PolicyException - if unable to get the Syntax.

setProperties

public void setProperties(java.util.Map properties)
                   throws PolicyException

Sets the properties of the condition. This influences the ConditionDecision that would be computed by a call to method getConditionDecision(Map) and the advice messages generated included in the ConditionDecision. ConditionDecision encapsulates whether a policy applies for the request and advice messages generated by the condition. For example, for a TimeCondition, the properties would define StartTime and EndTime, to define the time range during which the policy applies

Parameters:

properties - the properties of the condition that would influence the ConditionDecision returned by a call to method getConditionDecision(Map). Keys of the properties have to be String. Value corresponding to each key have to be a Set of String elements. Each implementation of Condition could add further restrictions on the keys and values of this map.

Throws:

PolicyException - for any abnormal condition

See Also:

ConditionDecision

getProperties

public java.util.Map getProperties()

Gets the properties of the condition

Returns:

properties of the condition

See Also:

setProperties(java.util.Map)

getConditionDecision

public ConditionDecision getConditionDecision(SSOToken token,
                                              java.util.Map env)
                                       throws PolicyException,
                                              SSOException

Gets the decision computed by this condition object, based on the map of environment parameters

Parameters:

token - single-sign-on token of the user

env - request specific environment map of key/value pairs For example this would contain IP address of remote client for an IPCondition.

Returns:

the condition decision. The condition decision encapsulates whether a policy applies for the request and advice messages generated by the condition. Policy framework continues evaluating a policy only if it applies to the request as indicated by the ConditionDecision. Otherwise, further evaluation of the policy is skipped. However, the advice messages encapsulated in the ConditionDecision are aggregated and passed up, encapsulated in the policy decision.

Throws:

PolicyException - if the decision could not be computed

SSOException - if SSO token is not valid

See Also:

ConditionDecision

clone

public java.lang.Object clone()

Returns a copy of this object.

Returns:

a copy of this object