SecurID.java revision 41202e15f589286770cacca433bbee5df379d00b
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: SecurID.java,v 1.4 2009/11/10 17:51:48 ericow Exp $
*
*/
/*
* Portions Copyrighted 2011 ForgeRock AS
*/
/*
* need to implement the following methods:
* init(Subject subject, Map sharedState, Map options)
* process(Callback[] callbacks, int state)
* getPrincipal()
* shutdown()
*/
/**
 * OpenSSO/OpenAM login module that authenticates a user against an RSA
 * SecurID server. The remaining module methods (init, process,
 * getPrincipal, shutdown) are listed further down in this file.
 */
public class SecurID extends AMLoginModule {
// JAAS shared-state map handed in by the framework (stored in init()).
// NOTE(review): with "use first pass" enabled this map appears to carry the
// credentials entered in an earlier module (see getCredentialsFromSharedState
// and isUseFirstPassEnabled() in process()), yet init() dumps the whole map
// into a debug message — confirm whether that debug output can expose them.
private Map sharedState;
// this is per user auth session, but really per module instance
// configDone contains paths to sdconf.rec that have verified
// True when the userid/passcode were taken from sharedState rather than from
// the login callbacks; process() resets it to false on ACCESS_DENIED.
private boolean getCredentialsFromSharedState;
// Static initializer — empty as shown in this listing.
static {
}
}
/*
* called for every new SecurID auth request session
* Map options contains the auth module instance's config values.
* for SecurID, the one of particular interest is
* iplanet-am-auth-securid-server-config-path, which
* is defined by ISAuthConstants.SECURID_CONFIG_PATH.
*
* this probably would have been a good place to get the
* AuthSessionFactory and AuthSession instances, but
* it doesn't look like you can throw an exception from init().
*
* another thing is that we want to use the same config path throughout
* the user's auth session, so get it here only. however, the
* checking of the path has to be done in process().
*/
try {
if (debug.messageEnabled()) {
}
this.sharedState = sharedState;
if (debug.messageEnabled()) {
"\n\tsharedState = " + sharedState +
"\n\toptions = " + options +
"\n\torg = " + thisOrg);
}
}
if (debug.messageEnabled()) {
}
} catch (Exception e) {
}
}
throws AuthLoginException
{
if (debug.messageEnabled()) {
", state=" + state);
}
boolean echo = false;
if (isPswd) {
}
if (isPswd) {
} else {
if (debug.messageEnabled()) {
}
}
}
/**
 * Checks that the configured SecurID server config path (the sdconf.rec
 * location taken from the module options in init()) exists on disk.
 * <p>
 * Only existence is verified here: {@code File.exists()} is also true for a
 * directory or for a file this process cannot read, so a bad path may still
 * surface later when the SecurID session factory is obtained in process().
 *
 * @throws AuthLoginException with bundle key {@code SecurIDSrvrPathNoExist}
 *         when the configured path does not exist
 */
private void verifyConfigPath () throws AuthLoginException {
// see if the filepath actually exists
// (the File instance "f" is built from the configured path; its
// declaration is not shown in this listing)
if (debug.messageEnabled()) {
"SecurID:verifyConfigPath:checking Server File Path " +
}
if (!f.exists()) {
// missing path: fail the login with a localized message key
throw new AuthLoginException(bundleName,
"SecurIDSrvrPathNoExist", null);
} else {
if (debug.messageEnabled()) {
"SecurID:verifyConfigPath:found SecurID Server Path = " +
}
}
}
throws AuthLoginException
{
int rtnval = -1;
/*
* state starts at 1, numbering corresponds to order of screens.
* return -1 if done, next screen# if another screen
*/
wtOrgName = getRequestOrg();
if (debug.messageEnabled()) {
"\n\tstate = " + state);
}
/*
* see if this org not initialized.
* the path to sdconf.rec was gotten in init();
* verify that it exists once. after that, can
* get the AuthSessionFactory.getInstance every time,
* as it will return the same one, given the same path.
*/
// verify path to sdconf.rec
}
/*
* not particularly pretty getting the
* AuthSessionFactory instance every time, but the
* SecurID api states that it returns the same instance
* for the given path. plus this way saves having to
* keep track of stuff...
*/
try {
} catch (AuthAgentException e) {
null, e);
}
}
if (debug.messageEnabled()) {
"\n\tstate = " + state +
"\n\tconfig_path = " + STR_SECURID_CONFIG_PATH +
"\n\tuserTokenId = " + userTokenId +
"\n\tusername = " + username);
}
switch (state) {
{
return 1;
}
getCredentialsFromSharedState = true;
} else {
// null userid is a no-no
throw new AuthLoginException (bundleName,
"SecurIDUserIdNull", null);
}
callbacks[1]);
// null passcode is also a no-no
throw new AuthLoginException (bundleName,
"SecurIDPasscodeNull", null);
}
}
if (debug.messageEnabled()) {
}
// got the userid and passcode
try {
} catch (AuthAgentException aaex) {
+ aaex.getMessage());
throw new AuthLoginException (bundleName,
"SecurIDInitializeLex",
}
try {
if (debug.messageEnabled()) {
"SecurID.process:session.lock returns = " +
}
if (debug.messageEnabled()) {
"SecurID.process:session.check returns = " +
}
/*
* after sending userid and passcode, can get returns:
* ACCESS_OK
* ACCESS_DENIED
* NEW_PIN_REQUIRED
* NEXT_CODE_REQUIRED
*/
switch (authStatus) {
case AuthSession.ACCESS_OK:
break;
{
// if user can't choose their own pin
"SecurID.process:CANNOT_CHOOSE_PIN");
// submit new PIN
if (debug.messageEnabled()) {
"SecurID.process:CCP:pin rtns = " +
}
/*
* weird that we'd get an error
* submitting the PIN provided by
* the system...
* could do error handling here,
* or having the user submit a
* null pin will make things terminate
* subsequently...
*/
"SecurID.process:CCP:sys pin " +
"not accepted!");
try {
} catch (AuthAgentException aax) {
"SecurID.process:NPRCCP:" +
"close err = " +
aax.getMessage());
}
}
throw new AuthLoginException(
bundleName, "SecurIDLoginFailed",
}
} else {
/*
* weird that we'd get a null PIN
* from the system...
*/
"SecurID.process:CCP:newPin 0-length");
newPin = "";
try {
} catch (AuthAgentException aax) {
"SecurID.process:LSNP:" +
"close err = " +
aax.getMessage());
}
}
throw new AuthLoginException(
bundleName, "SecurIDLoginFailed",
}
/*
* then tell user the new PIN, and to do
* next token
*/
setDynamicText(true,
newPin);
rtnval =
// see if user wants user-gen or sys-gen
"SecurID.process:USER_SELECTABLE");
setDynamicText(false,
"SecurID.process:MUST_CHOOSE_PIN");
// user must provide new PIN
setDynamicText(true,
if (debug.messageEnabled()) {
msg);
}
} else { // huh?
"SecurID.process:NEW_PIN_REQUIRED:" +
"unknown pinState = " + pinState);
try {
} catch (AuthAgentException aax) {
"close err = " +
aax.getMessage());
}
throw new AuthLoginException(bundleName,
"SecurIDLoginFailed",
}
}
}
break;
break;
case AuthSession.ACCESS_DENIED:
default:
&& !isUseFirstPassEnabled())
{
getCredentialsFromSharedState = false;
break;
}
try {
} catch (AuthAgentException aax) {
}
}
throw new AuthLoginException(bundleName,
}
} catch (AuthAgentException aaex) {
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
aaex.getMessage());
throw new AuthLoginException (bundleName,
"SecurIDInitializeLex",
}
}
break;
{
// submit new PIN
callbacks[0]);
/*
* if no PIN provided, submit "" as the new PIN, and
*/
}
if (debug.messageEnabled()) {
}
try {
"ASCII")))
{
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
"SecurIDNewPINNotASCII", null);
}
} catch (UnsupportedEncodingException ueex) {
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
"SecurIDInputEncodingException", null);
}
try {
if (debug.messageEnabled()) {
}
setDynamicText(true,
"SecurID:process:New PIN specified is invalid.");
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
"SecurIDAuthInvNewPin", null);
} else {
// hmmm...
"SecurID.process:unsure this pin response value.");
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
}
} catch (AuthAgentException aaex) {
// probably have to terminate the session
aaex.getMessage());
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
"SecurIDAuthInvNewPin", null);
}
}
break;
{
// can do PIN+passcode or just passcode
// got the next token; submit it
callbacks[0]);
// must have something
}
if (debug.messageEnabled()) {
"SecurID.process:LOGIN_NEXT_TOKEN:token length = " +
}
try {
{
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
"SecurID.process:LOGIN_NEXT_TOKEN:" +
"nextToken not ascii");
throw new AuthLoginException(bundleName,
"SecurIDNextTokenNotASCII", null);
}
} catch (UnsupportedEncodingException ueex) {
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
"nextToken input encoding");
throw new AuthLoginException(bundleName,
"SecurIDInputEncodingException", null);
}
try {
if (debug.messageEnabled()) {
"next returns " + authStatus);
}
} catch (AuthAgentException aaex) {
"SecurID.process:LOGIN_NEXT_TOKEN:next() exception:" +
aaex.getMessage());
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
"SecurIDInvNextToken", null);
}
// succeed
} else {
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
if (debug.messageEnabled()) {
"nextToken failure");
}
throw new AuthLoginException(bundleName,
"SecurIDInvNextToken", null);
}
}
break;
{
// server asked if sys-genned PIN wanted, user said...
if (debug.messageEnabled()) {
"SecurID.process:received answer(state 4) = " +
answer);
}
// must have something
boolean sysgenpin = false;
sysgenpin = true; // make it system generated
if (debug.messageEnabled()) {
"SecurID.process:made answer(state 4) = " +
}
sysgenpin = true;
}
if (sysgenpin) {
"SecurID.process:LOGIN_SYS_GEN_PIN:" +
"about to getSystemPin");
try {
if (debug.messageEnabled()) {
"newPin:pin() response = " + authStatus);
}
setDynamicText(true,
} catch (AuthAgentException aaex) {
// probably have to terminate the session
"SecurID.process:LSGP:getSystemPin/pin error = " +
aaex.getMessage());
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
&& !isUseFirstPassEnabled())
{
getCredentialsFromSharedState = false;
}
throw new AuthLoginException(bundleName,
"SecurIDAuthInvNewPin", null);
}
} else {
// user-generated PIN
try {
if (debug.messageEnabled()) {
"SecurID.process:LOGIN_SYS_GEN_PIN:" +
"about to get user-genned PIN, prompt = \n\t"+msg);
}
msg);
} catch (AuthAgentException aaex) {
// probably have to terminate the session
"session.getPinData exception: " +
aaex.getMessage());
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
"SecurIDAuthInvNewPin", null);
}
}
}
break;
{
/*
* next token mode : case 2
* After new PIN mode, we have lock the user again.
*/
if (debug.messageEnabled()) {
username);
}
// username should contain the userid entered earlier
throw new AuthLoginException(bundleName,
"SecurIDPrevUserid", null);
}
// only one callback... the new pin + token
callbacks[0]);
/*
* if nothing provided,
*/
}
try {
{
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
"SecurIDNextTokenNotASCII", null);
}
} catch (UnsupportedEncodingException ueex) {
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
"SecurIDInputEncodingException", null);
}
try {
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
} catch (AuthAgentException aaex) {
aaex.getMessage());
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
}
if (debug.messageEnabled()) {
}
// succeed
if (debug.messageEnabled()) {
" LOGIN_SUCCEED, username = " + username);
}
} else {
// login failed
if (debug.messageEnabled()) {
"gets NOT Succeed = " + authStatus);
}
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
throw new AuthLoginException(bundleName,
}
}
break;
default:
try {
} catch (AuthAgentException aax) {
aax.getMessage());
}
}
}
if (debug.messageEnabled()) {
"\n\tstate = " + state +
"\n\tuserTokenId = " + userTokenId +
"\n\tusername = " + username +
"\n\trtnval = " + rtnval);
}
try {
} catch (AuthAgentException aax) {
"SecurID.process:LOGIN_SUCCEED:close err = " +
aax.getMessage());
}
}
}
return (rtnval);
} // process
if (tmpPassword == null) {
// treat a NULL password as an empty password
tmpPassword = new char[0];
}
}
if (debug.messageEnabled()) {
}
if (pinData.isAlphanumeric()) {
} else {
}
}
if (userPrincipal != null) {
if (debug.messageEnabled()) {
"SecurID.getPrincipal:userPrincipal not null; " +
"userPrincipal = " + userPrincipal);
}
return userPrincipal;
} else if (userTokenId != null) {
if (debug.messageEnabled()) {
"SecurID.getPrincipal: userPrincipal null, userTokenId = "+
userTokenId + ", returning userPrincipal = " +
}
return userPrincipal;
} else {
if (debug.messageEnabled()) {
}
return null;
}
}
/**
 * Clears the per-request user identifier held by this module instance.
 * <p>
 * Only {@code userTokenId} is reset here; the shared-state reference is
 * released separately by {@link #nullifyUsedVars()}.
 */
public void destroyModuleState() {
this.userTokenId = null;
}
/**
 * Drops this module's reference to the JAAS shared-state map once it is no
 * longer needed, so the map (and whatever it holds) is not kept reachable
 * through this instance after authentication has finished.
 */
public void nullifyUsedVars() {
this.sharedState = null;
}
/**
 * Module shutdown hook. Intentionally a no-op: as shown in this file the
 * SecurID session close calls live in process(), and the per-request fields
 * are cleared by destroyModuleState() and nullifyUsedVars().
 */
public void shutdown() {
}
}