com.ibm.itim.apps.provisioning
Class PasswordManager

java.lang.Object
  extended by com.ibm.itim.apps.provisioning.PasswordManager

public class PasswordManager
extends java.lang.Object

Provides aggregate password management capabilities. These capabilities include the change, validation, and generation of passwords.


Constructor Summary
PasswordManager(PlatformContext platform, javax.security.auth.Subject subject)
          Constructs the manager with a platform context and a subject.
 
Method Summary
 BulkRequest changePassword(java.util.Collection accounts, java.util.Date scheduledTime)
          Changes the password of the specified accounts with a system generated password.
 BulkRequest changePassword(java.util.Collection accounts, java.lang.String password, java.util.Date scheduledTime, boolean notifyByMail)
          Changes the password of the specified accounts with the given password.
 java.lang.String generatePassword(java.util.Collection accounts)
          Generates a password that can be used to synchronize the passwords of the specified accounts.
 java.lang.String generatePasswordForRestore(java.util.Collection accounts)
          Generates a password that can be used to synchronize the passwords of the specified accounts.
 java.lang.String generateSyncPassword(PersonMO personMO)
          Generates a password that can be used to synchronize the password for all of the accounts the person owns.
 java.util.Collection getPasswordAccounts(PersonMO personMO)
          Returns the password protected accounts the subject owns.
 PasswordRulesInfo getRules(java.util.Collection accounts)
          Returns the combined password rules for the given accounts.
 boolean isPasswordValid(java.util.Collection accounts, java.lang.String password)
          Deprecated. As of ITIM 5.0, replaced by validatePassword(Collection accounts, String password).
 Request synchPasswords(PersonMO personMO, java.util.Date scheduledTime)
          Synchronizes all of the given identity's account passwords to a system generated password.
 Request synchPasswords(PersonMO personMO, java.lang.String password, java.util.Date scheduledTime)
          Synchronizes all of the given identity's account passwords to the given password.
 Request synchPasswords(PersonMO personMO, java.lang.String password, java.util.Date scheduledTime, boolean notifyByMail)
          Synchronizes all of the given identity's account passwords to the given password.
 void validatePassword(java.util.Collection accounts, java.lang.String password)
          Determines whether the specified password is valid for all of the given accounts.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PasswordManager

public PasswordManager(PlatformContext platform,
                       javax.security.auth.Subject subject)
Constructs the manager with a platform context and a subject.

Parameters:
platform - PlatformContext holding platform connection information.
subject - Subject representing the authenticated caller.
Method Detail

getPasswordAccounts

public java.util.Collection getPasswordAccounts(PersonMO personMO)
                                         throws java.rmi.RemoteException,
                                                ApplicationException
Returns the password protected accounts the subject owns. Note, if the client is unauthorized to change password on an account owned by the subject, it will be filtered out of the return list and no AuthorizationException will be thrown.

Parameters:
personMO - PersonMO whose accounts are being retrieved.
Returns:
Collection of AccountMO representing accounts that are owned by the subject and are protected by passwords. If ServiceMO.isPasswordRequired() returns true, then it is password protected account.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if unable to obtain the accounts. This may possibly be caused by the subject being removed by another client previous to this call.

changePassword

public BulkRequest changePassword(java.util.Collection accounts,
                                  java.lang.String password,
                                  java.util.Date scheduledTime,
                                  boolean notifyByMail)
                           throws java.rmi.RemoteException,
                                  PasswordRuleException,
                                  InvalidPasswordException,
                                  ApplicationException
Changes the password of the specified accounts with the given password. Note, some accounts do not require password changes. This can be determined by checking the service the account is hosted on for password requirements ServiceMO.isPasswordRequired().

Parameters:
accounts - Collection of AccountMO that will have their passwords changed.
password - New password of accounts.
scheduledTime - The scheduled starting time of the process. If null, the process will start immediately. In case this method is invoked remotely, passing this parameter as the current date/time of the client machine is not a safe technique to use, since the date/time of the client machine may not be the same as the date/time of the ITIM server machine.
notifyByMail - boolean to send password notification by email
Returns:
BulkRequest object representing the operation's status.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
InvalidPasswordException - Thrown if password does not pass a password policy check.
ApplicationException - Thrown if unable to submit the request. This may possibly be caused by an account being removed by another client previous to this call.

changePassword

public BulkRequest changePassword(java.util.Collection accounts,
                                  java.util.Date scheduledTime)
                           throws java.rmi.RemoteException,
                                  AuthorizationException,
                                  PasswordRuleException,
                                  ApplicationException
Changes the password of the specified accounts with a system generated password. The system generated password is the password generated by ITIM based on the combined password rules of accounts passed in. Note, some accounts do not require password changes. This can be determined by checking the service the account is hosted on for password requirements ServiceMO.isPasswordRequired().

Parameters:
accounts - Collection of AccountMO that will have their passwords changed.
scheduledTime - The scheduled starting time of the process. If null, the process will start immediately. In case this method is invoked remotely, passing this parameter as the current date/time of the client machine is not a safe technique to use, since the date/time of the client machine may not be the same as the date/time of the ITIM server machine.
Returns:
BulkRequest object representing the operation's status.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
ApplicationException - Thrown if unable to submit the request. This may possibly be caused by an account being removed by another client previous to this call.
AuthorizationException

generatePassword

public java.lang.String generatePassword(java.util.Collection accounts)
                                  throws java.rmi.RemoteException,
                                         AuthorizationException,
                                         PasswordRuleException,
                                         ApplicationException
Generates a password that can be used to synchronize the passwords of the specified accounts. The system generated password is the password generated by ITIM based on the combined password rules of accounts passed in. Note, some accounts do not require password changes. This can be determined by checking the service the account is hosted on for password requirements (see ServiceMO.isPasswordRequired). The precense of an account that does not require a password will have no affect on the generated password.

Parameters:
accounts - Collection of AccountMO that the password should be compliant with.
Returns:
Generated password.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to read or change the password of any of the accounts.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
ApplicationException - Thrown if the password could not be generated. This may possibly be caused by an account being removed by another client previous to this call.

generatePasswordForRestore

public java.lang.String generatePasswordForRestore(java.util.Collection accounts)
                                            throws java.rmi.RemoteException,
                                                   AuthorizationException,
                                                   PasswordRuleException,
                                                   ApplicationException
Generates a password that can be used to synchronize the passwords of the specified accounts. The accounts can be inactive. At least one account should require password on restore. The system generated password is the password generated by ITIM based on the combined password rules of accounts passed in. Note, some accounts do not require password changes. This can be determined by checking the service the account is hosted on for password requirements (see ServiceMO.isPasswordRequired). The presence of an account that does not require a password will have no affect on the generated password.

Parameters:
accounts - Collection of AccountMO that the password should be compliant with.
Returns:
Generated password.
Throws:
java.rmi.RemoteException - Thrown if there is a communication failure.
AuthorizationException - Thrown if client is unauthorized to change the password of any of the accounts
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
ApplicationException - Thrown if the password could not be generated. This may possibly be caused by an account being removed by another client previous to this call.

generateSyncPassword

public java.lang.String generateSyncPassword(PersonMO personMO)
                                      throws java.rmi.RemoteException,
                                             AuthorizationException,
                                             PasswordRuleException,
                                             ApplicationException
Generates a password that can be used to synchronize the password for all of the accounts the person owns. The system generated password is the password generated by ITIM based on the combined password rules for all the accounts owned by the person. Note, some accounts do not require password changes. This can be determined by checking the service the account is hosted on for password requirements (see ServiceMO.isPasswordRequired). The presence of an account that does not require a password will have no affect on the generated password.

Parameters:
personMO - PersonMO representing the identity (person) whose passwords will be synchronized.
Returns:
Generated password.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to synchronize change password on person's accounts.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
ApplicationException - Thrown if the password could not be generated. This may possibly be caused by an account being removed by another client previous to this call.

getRules

public PasswordRulesInfo getRules(java.util.Collection accounts)
                           throws java.rmi.RemoteException,
                                  AuthorizationException,
                                  PasswordRuleException,
                                  ApplicationException
Returns the combined password rules for the given accounts. This combination is the least restrictive set of rules that are valid accross all of the accounts. Note, password rules from different password policies can be mutually exclusive causing this call to fail with an exception.

Parameters:
accounts - Collection of AccountMO to take into consideration when identifying a common set of rules.
Returns:
PasswordRulesInfo.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to view any of the password policies that govern any of the accounts.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
ApplicationException - Thrown if the combined rules could not be determined. This may possibly be caused by an account being removed by another client previous to this call.

isPasswordValid

public boolean isPasswordValid(java.util.Collection accounts,
                               java.lang.String password)
                        throws java.rmi.RemoteException,
                               AuthorizationException,
                               ApplicationException,
                               PasswordRuleException,
                               InvalidPasswordException
Deprecated. As of ITIM 5.0, replaced by validatePassword(Collection accounts, String password).

Determines whether the specified password is valid for all of the given accounts. If the password is not valid for just one of the accounts, the password will be classified as invalid.

Parameters:
accounts - Collection of AccountMO that the password must be valid for.
password - The password in question.
Returns:
Validity of the password. true if password is valid false otherwise.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to read or change the password of any of the accounts.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
InvalidPasswordException - Thrown if password does not pass a password policy check.
ApplicationException - Thrown if the password could not be validated. This may possibly be caused by an account being removed by another client previous to this call.

validatePassword

public void validatePassword(java.util.Collection accounts,
                             java.lang.String password)
                      throws java.rmi.RemoteException,
                             AuthorizationException,
                             ApplicationException,
                             PasswordRuleException,
                             InvalidPasswordException
Determines whether the specified password is valid for all of the given accounts. If the password is not valid for just one of the accounts, the password will be classified as invalid.

Parameters:
accounts - Collection of AccountMO that the password must be valid for.
password - The password in question.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to read or change the password of any of the accounts.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
InvalidPasswordException - Thrown if password does not pass a password policy check.
ApplicationException - Thrown if the password could not be validated. This may possibly be caused by an account being removed by another client previous to this call.

synchPasswords

public Request synchPasswords(PersonMO personMO,
                              java.lang.String password,
                              java.util.Date scheduledTime)
                       throws java.rmi.RemoteException,
                              AuthorizationException,
                              PasswordRuleException,
                              InvalidPasswordException,
                              ApplicationException
Synchronizes all of the given identity's account passwords to the given password. If the client does not have permission to synchronize password on person's accounts, an AuthorizationException will be thrown.

Parameters:
personMO - PersonMO representing the identity (person) whose passwords will be synchronized.
password - New password of accounts.
scheduledTime - The scheduled starting time of the process. If null, the process will start immediately. In case this method is invoked remotely, passing this parameter as the current date/time of the client machine is not a safe technique to use, since the date/time of the client machine may not be the same as the date/time of the ITIM server machine.
Returns:
Request object representing the operation's status.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to synchronize change password on person's accounts.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
InvalidPasswordException - Thrown if password does not pass a password policy check.
ApplicationException - Thrown if unable to submit the request. This may possibly be caused by an account being removed by another client previous to this call.

synchPasswords

public Request synchPasswords(PersonMO personMO,
                              java.lang.String password,
                              java.util.Date scheduledTime,
                              boolean notifyByMail)
                       throws java.rmi.RemoteException,
                              AuthorizationException,
                              PasswordRuleException,
                              InvalidPasswordException,
                              ApplicationException
Synchronizes all of the given identity's account passwords to the given password. If the client does not have permission to synchronize password on person's accounts, an AuthorizationException will be thrown.

Parameters:
personMO - PersonMO representing the identity (person) whose passwords will be synchronized.
password - New password of accounts.
scheduledTime - The scheduled starting time of the process. If null, the process will start immediately. In case this method is invoked remotely, passing this parameter as the current date/time of the client machine is not a safe technique to use, since the date/time of the client machine may not be the same as the date/time of the ITIM server machine.
notifyByMail - boolean to send password notification by email
Returns:
Request object representing the operation's status.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to synchronize change password on person's accounts.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
InvalidPasswordException - Thrown if password does not pass a password policy check.
ApplicationException - Thrown if unable to submit the request. This may possibly be caused by an account being removed by another client previous to this call.

synchPasswords

public Request synchPasswords(PersonMO personMO,
                              java.util.Date scheduledTime)
                       throws java.rmi.RemoteException,
                              AuthorizationException,
                              PasswordRuleException,
                              ApplicationException
Synchronizes all of the given identity's account passwords to a system generated password. The system generated password is the password generated by ITIM based on the combined password rules of accounts owned by the person. If the client does not have permission to synchronize password on person's accounts, an AuthorizationException will be thrown.

Parameters:
personMO - PersonMO representing the identity (person) whose passwords will be synchronized.
scheduledTime - The scheduled starting time of the process. If null, the process will start immediately. In case this method is invoked remotely, passing this parameter as the current date/time of the client machine is not a safe technique to use, since the date/time of the client machine may not be the same as the date/time of the ITIM server machine.
Returns:
Request object representing the operation's status.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to synchronize change password on person's accounts.
PasswordRuleException - Thrown if the rules defined in the password policies for each of the services hosting the accounts could not be merged. They are mutually exclusive.
ApplicationException - Thrown if unable to submit the request. This may possibly be caused by an account being removed by another client previous to this call.


IBM Security Identity Manager 6.0.0
© Copyright International Business Machines Corporation 2007, 2012. All rights reserved. US Government Users Restricited Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.