/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* https://opensso.dev.java.net/public/CDDLv1.0.html or
* opensso/legal/CDDLv1.0.txt
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AmIdentityAsserterBase.java,v 1.4 2009/03/07 01:15:39 leiming Exp $
*
*/
package com.sun.identity.agents.websphere;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.sun.identity.agents.arch.AgentBase;
import com.sun.identity.agents.arch.AgentConfiguration;
import com.sun.identity.agents.arch.AgentException;
import com.sun.identity.agents.arch.Manager;
import com.sun.identity.agents.arch.ServiceFactory;
import com.sun.identity.agents.common.CommonFactory;
import com.sun.identity.agents.common.INotenforcedIPHelper;
import com.sun.identity.agents.common.INotenforcedURIHelper;
import com.sun.identity.agents.common.ISSOTokenValidator;
import com.sun.identity.agents.common.SSOValidationResult;
import com.sun.identity.agents.filter.AmFilterMode;
import com.sun.identity.agents.filter.AmFilterRequestContext;
import com.sun.identity.agents.filter.AmFilterResult;
import com.sun.identity.agents.filter.AmFilterResultStatus;
import com.sun.identity.agents.filter.IAmFilter;
import com.sun.identity.agents.filter.IFilterConfigurationConstants;
import com.sun.identity.agents.realm.AmRealmManager;
import com.sun.identity.agents.realm.IAmRealm;
import com.sun.identity.agents.util.IUtilConstants;
import com.sun.identity.agents.util.StringUtils;
/**
* Abstract base class for the WebSphere/Portal identity asserter.
*/
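public abstract class AmIdentityAsserterBase extends AgentBase
        implements IAmIdentityAsserter {

    /**
     * Creates the asserter bound to the given agent manager.
     *
     * @param manager the agent manager handed to {@link AgentBase}
     */
    public AmIdentityAsserterBase(Manager manager) {
        super(manager);
    }

    /**
     * Reads the agent configuration and builds the collaborators this
     * asserter uses: an SSO-only filter, the realm, the not-enforced URI
     * and IP helpers and the SSO token validator.
     *
     * <p>The asserter is marked active only for the filter modes
     * {@code MODE_ALL} and {@code MODE_J2EE_POLICY}; in every other mode
     * {@link #needToProcessRequest} answers {@code false}.
     *
     * @throws AgentException if the configured filter mode is unknown, or if
     *         a collaborator cannot be created
     */
    public void initialize() throws AgentException {
        String strFilterMode = getConfigurationString(
                IFilterConfigurationConstants.CONFIG_FILTER_MODE,
                AmFilterMode.STR_MODE_ALL);
        AmFilterMode mode = AmFilterMode.get(strFilterMode);
        if (mode == null) {
            throw new AgentException("Unknown filter mode: " + strFilterMode);
        }
        // Only the modes that include J2EE policy enforcement turn the
        // asserter on; the flag gates needToProcessRequest().
        setActiveFlag(mode.equals(AmFilterMode.MODE_ALL)
                || mode.equals(AmFilterMode.MODE_J2EE_POLICY));

        // Regardless of which mode the runtime is configured for, the
        // TAI implementation only requires SSO functionality. The rest
        // is delegated to the regular filter.
        //
        // Note that this filter is not an independent filter, but is
        // created within the websphere module.
        setAmFilter(ServiceFactory.getAmFilter(getManager(),
                AmFilterMode.MODE_SSO_ONLY));

        // Realm is used for memberships
        setAmRealm(AmRealmManager.getAmRealmInstance());

        // Not-enforced URI list. NOTE(review): the configured cache size is
        // halved here and for the IP list below; the reason is not recorded
        // in this file.
        boolean notEnforcedURIListCacheEnabled = getConfigurationBoolean(
                IFilterConfigurationConstants.CONFIG_NOTENFORCED_LIST_CACHE_FLAG,
                IFilterConfigurationConstants.DEFAULT_NOTENFORCED_LIST_CACHE_FLAG);
        boolean isNotEnforcedURIListInverted = getConfigurationBoolean(
                IFilterConfigurationConstants.CONFIG_INVERT_NOTENFORCED_LIST_FLAG,
                IFilterConfigurationConstants.DEFAULT_INVERT_NOTENFORCED_LIST_FLAG);
        int notEnforcedURIListCacheSize = getConfigurationInt(
                IFilterConfigurationConstants.CONFIG_NOTENFORCED_LIST_CACHE_SIZE,
                IFilterConfigurationConstants.DEFAULT_NOTENFORCED_LIST_CACHE_SIZE) / 2;
        String[] notEnforcedURIs = getConfigurationStrings(
                IFilterConfigurationConstants.CONFIG_NOTENFORCED_LIST);

        CommonFactory cf = new CommonFactory(getModule());
        setNotEnforcedListURIHelper(cf.newNotenforcedURIHelper(
                isNotEnforcedURIListInverted,
                notEnforcedURIListCacheEnabled,
                notEnforcedURIListCacheSize, notEnforcedURIs));

        // Not-enforced client IP list. Note the different argument order of
        // newNotenforcedIPHelper() compared to newNotenforcedURIHelper().
        boolean notEnforcedIPListCacheEnabled = getConfigurationBoolean(
                IFilterConfigurationConstants.CONFIG_NOTENFORCED_IP_CACHE_FLAG,
                IFilterConfigurationConstants.DEFAULT_NOTENFORCED_IP_CACHE_FLAG);
        int notEnforcedIPListCacheSize = getConfigurationInt(
                IFilterConfigurationConstants.CONFIG_NOTENFORCED_IP_CACHE_SIZE,
                IFilterConfigurationConstants.DEFAULT_NOTENFORCED_IP_CACHE_SIZE) / 2;
        boolean isNotEnforcedIPListInverted = getConfigurationBoolean(
                IFilterConfigurationConstants.CONFIG_INVERT_NOTENFORCED_IP_FLAG,
                IFilterConfigurationConstants.DEFAULT_INVERT_NOTENFORCED_IP_FLAG);
        String[] notEnforcedIPs = getConfigurationStrings(
                IFilterConfigurationConstants.CONFIG_NOTENFORCED_IP_LIST);
        setNotEnforcedListIPHelper(cf.newNotenforcedIPHelper(
                notEnforcedIPListCacheEnabled, notEnforcedIPListCacheSize,
                isNotEnforcedIPListInverted, notEnforcedIPs));

        setSSOTokenValidator(cf.newSSOTokenValidator());

        if (isLogMessageEnabled()) {
            logMessage("AmIdentityAsserter: initilaized");
        }
    }

    /**
     * Decides whether this asserter should handle the request.
     *
     * <p>Returns {@code true} only when the asserter is active (see
     * {@link #initialize}) and the request is neither on the not-enforced
     * URI list nor from a not-enforced client IP. When it returns
     * {@code false} the container is expected not to call
     * {@link #processRequest} for this request, so the not-enforced lists
     * effectively bypass this identity assertion.
     *
     * @param request the incoming request
     * @return {@code true} if the request must be processed by this asserter
     * @throws WebTrustAssociationException declared by the TAI contract; not
     *         thrown by this implementation
     */
    public boolean needToProcessRequest(HttpServletRequest request)
            throws WebTrustAssociationException {
        boolean enforced = isActive() && !isNotenforcedRequest(request);
        if (isLogMessageEnabled()) {
            logMessage("AmIdentityAsserter: request uri: "
                    + request.getRequestURI() + ", is enforced: " + enforced);
        }
        return enforced;
    }

    /**
     * Runs the SSO-only filter against the request and maps its verdict to
     * a {@link TAIResult}.
     *
     * <ul>
     * <li>{@code CONTINUE} with a valid SSO validation result: the
     *     subclass-specific authenticated result.</li>
     * <li>{@code CONTINUE} without one: the anonymous user is asserted.</li>
     * <li>{@code FORBIDDEN}: a 403 is sent.</li>
     * <li>{@code REDIRECT}: the filter's redirect URL is sent.</li>
     * <li>{@code SERVE_DATA}: the filter's data is written to the response.</li>
     * </ul>
     *
     * <p>Any exception on this path, including an unexpected filter status,
     * is logged and converted into a 403, so errors fail closed rather than
     * letting a request through unauthenticated.
     *
     * @param request  the incoming request
     * @param response the response used to send errors, redirects or data
     * @return the TAI result for the container; never {@code null}
     * @throws WebTrustAssociationFailedException if even the 403 fallback
     *         cannot be written to the response
     */
    public TAIResult processRequest(HttpServletRequest request,
            HttpServletResponse response)
            throws WebTrustAssociationFailedException {
        TAIResult result;
        try {
            AmFilterResult filterResult =
                    getAmFilter().isAccessAllowed(request, response);
            switch (filterResult.getStatus().getIntValue()) {
                case AmFilterResultStatus.INT_STATUS_CONTINUE:
                    SSOValidationResult ssoValidationResult =
                            filterResult.getSSOValidationResult();
                    if (ssoValidationResult != null
                            && ssoValidationResult.isValid()) {
                        result = getAuthenticatedResult(
                                request, response, ssoValidationResult);
                    } else {
                        result = getAnonymousResult(request, response);
                    }
                    break;
                case AmFilterResultStatus.INT_STATUS_FORBIDDEN:
                    result = getForbiddenResult(request, response);
                    break;
                case AmFilterResultStatus.INT_STATUS_REDIRECT:
                    result = getRedirectResult(request,
                            response, filterResult.getRedirectURL());
                    break;
                case AmFilterResultStatus.INT_STATUS_SERVE_DATA:
                    result = getServeDataResult(request,
                            response, filterResult.getDataToServe());
                    break;
                default:
                    throw new AgentException("Invalid filter result: "
                            + filterResult);
            }
        } catch (Exception ex) {
            // Boundary catch: whatever went wrong, deny access.
            logError("AmIdentityAsserter: Exception caught, denying access",
                    ex);
            result = getForbiddenResult(request, response);
        }
        if (isLogMessageEnabled()) {
            String summary = "TAIResult: status: " + result.getStatus()
                    + ", principal: " + result.getAuthenticatedPrincipal()
                    + ", subject: " + result.getSubject();
            logMessage("AmIdentityAsserter: result => " + summary);
        }
        return result;
    }

    /**
     * Builds the TAI result for a request that carries a valid SSO token.
     * Implemented by the concrete (WebSphere or Portal) asserter.
     *
     * @param request             the incoming request
     * @param response            the response
     * @param ssoValidationResult the validated SSO result; never
     *                            {@code null} and {@code isValid()} is true
     * @return the result asserting the authenticated identity
     * @throws Exception if the identity cannot be asserted
     */
    protected abstract TAIResult getAuthenticatedResult(
            HttpServletRequest request, HttpServletResponse response,
            SSOValidationResult ssoValidationResult)
            throws Exception;

    /**
     * Asserts the anonymous user; used when the filter lets the request
     * continue without a valid SSO token.
     */
    private TAIResult getAnonymousResult(HttpServletRequest request,
            HttpServletResponse response)
            throws Exception {
        return TAIResult.create(HttpServletResponse.SC_OK,
                IUtilConstants.ANONYMOUS_USER_NAME);
    }

    /**
     * Sends a 403 and returns a forbidden TAI result.
     *
     * @throws WebTrustAssociationFailedException if the error cannot be sent
     *         (the underlying {@link IOException} is logged before the TAI
     *         exception is thrown)
     */
    private TAIResult getForbiddenResult(HttpServletRequest request,
            HttpServletResponse response)
            throws WebTrustAssociationFailedException {
        try {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException ex) {
            logError("Unable to send 403 error code", ex);
            throw new WebTrustAssociationFailedException(
                    "Invalid response state");
        }
        return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
    }

    /**
     * Sends the redirect computed by the filter. The returned TAI status is
     * {@code SC_TEMPORARY_REDIRECT}; the HTTP status actually sent is
     * whatever {@code sendRedirect} uses.
     *
     * @param redirectURL the URL supplied by the filter result
     */
    private TAIResult getRedirectResult(HttpServletRequest request,
            HttpServletResponse response, String redirectURL)
            throws Exception {
        response.sendRedirect(redirectURL);
        return TAIResult.create(HttpServletResponse.SC_TEMPORARY_REDIRECT);
    }

    /**
     * Writes the data supplied by the filter result to the response as
     * {@code text/html}, unmodified, and returns an accepted TAI result.
     *
     * <p>The writer is closed exactly once, in {@code finally}; an
     * {@link IOException} from the servlet API propagates unchanged.
     *
     * @param dataToServe the body to write, as produced by the filter
     */
    private TAIResult getServeDataResult(HttpServletRequest request,
            HttpServletResponse response, String dataToServe)
            throws Exception {
        PrintWriter out = null;
        try {
            response.setContentType("text/html");
            out = response.getWriter();
            out.print(dataToServe);
            out.flush();
        } finally {
            if (out != null) {
                out.close();
            }
        }
        return TAIResult.create(HttpServletResponse.SC_ACCEPTED);
    }

    /**
     * Checks the request against the not-enforced URI list and the
     * not-enforced IP list.
     *
     * <p>The URL compared is either the request with its path info removed
     * (when {@code CONFIG_IGNORE_PATH_INFO} is set) or the policy
     * destination URL built from the agent host/port/protocol.
     *
     * @return {@code true} if either list exempts the request
     */
    private boolean isNotenforcedRequest(HttpServletRequest request) {
        String appName = getApplicationName(request);
        String accessDeniedURI = getAccessDeniedURI(appName);
        boolean pathInfoIgnored = getConfigurationBoolean(
                IFilterConfigurationConstants.CONFIG_IGNORE_PATH_INFO,
                IFilterConfigurationConstants.DEFAULT_IGNORE_PATH_INFO);
        String requestURL;
        if (pathInfoIgnored) {
            requestURL = StringUtils.removePathInfo(request);
        } else {
            requestURL = getRequestContext(request).getPolicyDestinationURL();
        }
        if (isLogMessageEnabled()) {
            logMessage("AmIdentityAsserter.isNotenforcedRequest() - "
                    + "requested URL=> " + requestURL);
        }
        boolean uriNotEnforced = getNotEnforcedListURIHelper().isNotEnforced(
                requestURL, accessDeniedURI);
        return uriNotEnforced
                || getNotEnforcedListIPHelper().isNotenforced(
                        getClientIPAddress(request));
    }

    /*
     * Create a request context just to get the absolute requested URL.
     * Every collaborator except the request and the agent host/port/protocol
     * is passed as null/false; only getPolicyDestinationURL() is used.
     */
    private AmFilterRequestContext getRequestContext(
            HttpServletRequest request) {
        return new AmFilterRequestContext(
                request, null, null, null,
                null, false, null,
                null, null,
                getAgentHost(request), getAgentPort(request),
                getAgentProtocol(request));
    }

    /**
     * Returns the configured agent host, or the server name reported by the
     * request when none is configured. The configured value is independent
     * of the request; the fallback is not.
     */
    private String getAgentHost(HttpServletRequest request) {
        String agentHost = getConfigurationString(
                IFilterConfigurationConstants.CONFIG_AGENT_HOST);
        return agentHost != null ? agentHost : request.getServerName();
    }

    /**
     * Returns the configured agent protocol, or the request scheme when
     * none is configured.
     */
    private String getAgentProtocol(HttpServletRequest request) {
        String agentProtocol = getConfigurationString(
                IFilterConfigurationConstants.CONFIG_AGENT_PROTOCOL);
        return agentProtocol != null ? agentProtocol : request.getScheme();
    }

    /**
     * Returns the configured agent port, or the server port reported by the
     * request when the configured value is absent or not positive.
     */
    private int getAgentPort(HttpServletRequest request) {
        int agentPort = getConfigurationInt(
                IFilterConfigurationConstants.CONFIG_AGENT_PORT);
        return agentPort > 0 ? agentPort : request.getServerPort();
    }

    /**
     * Derives the application name from the context path: the default web
     * application name for an empty or root context path, otherwise the
     * context path without its leading slash.
     */
    private String getApplicationName(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        String trimmed = contextPath.trim();
        if (trimmed.length() == 0 || trimmed.equals("/")) {
            return AgentConfiguration.DEFAULT_WEB_APPLICATION_NAME;
        }
        return contextPath.substring(1);
    }

    /** Looks up the per-application access-denied URI from configuration. */
    private String getAccessDeniedURI(String applicationName) {
        return getManager().getApplicationConfigurationString(
                IFilterConfigurationConstants.CONFIG_ACCESS_DENIED_URI,
                applicationName);
    }

    /**
     * Client IP as determined by the SSO token validator. How the validator
     * derives it (socket address vs. a header) is not visible here.
     */
    private String getClientIPAddress(HttpServletRequest request) {
        return getSSOTokenValidator().getClientIPAddress(request);
    }

    private void setAmFilter(IAmFilter amFilter) {
        _amFilter = amFilter;
    }

    private IAmFilter getAmFilter() {
        return _amFilter;
    }

    private void setAmRealm(IAmRealm amRealm) {
        _amRealm = amRealm;
    }

    /** Not referenced within this class; kept for the realm set in initialize(). */
    private IAmRealm getAmRealm() {
        return _amRealm;
    }

    private void setSSOTokenValidator(ISSOTokenValidator validator) {
        _ssoTokenValidator = validator;
    }

    private ISSOTokenValidator getSSOTokenValidator() {
        return _ssoTokenValidator;
    }

    private void setNotEnforcedListIPHelper(INotenforcedIPHelper helper) {
        _notEnforcedIPHelper = helper;
    }

    private INotenforcedIPHelper getNotEnforcedListIPHelper() {
        return _notEnforcedIPHelper;
    }

    private void setNotEnforcedListURIHelper(INotenforcedURIHelper helper) {
        _notEnforcedListURIHelper = helper;
    }

    private INotenforcedURIHelper getNotEnforcedListURIHelper() {
        return _notEnforcedListURIHelper;
    }

    /** Records whether the asserter participates at all; logged when set. */
    private void setActiveFlag(boolean flag) {
        _isActive = flag;
        if (isLogMessageEnabled()) {
            logMessage("AmIdentityAsserter: is active = " + _isActive);
        }
    }

    private boolean isActive() {
        return _isActive;
    }

    // Collaborators created in initialize().
    private INotenforcedURIHelper _notEnforcedListURIHelper;
    private INotenforcedIPHelper _notEnforcedIPHelper;
    private ISSOTokenValidator _ssoTokenValidator;
    private IAmFilter _amFilter;
    private IAmRealm _amRealm;
    // True only for filter modes MODE_ALL and MODE_J2EE_POLICY.
    private boolean _isActive;
}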