/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AuthContext.java,v 1.25 2009/11/21 01:12:59 qcheng Exp $
*
* Portions Copyrighted 2010-2015 ForgeRock AS.
*/
/**
* The <code>AuthContext</code> provides the implementation for
* authenticating users.
* <p>
* A typical caller instantiates this class and starts the login process.
* The caller then obtains an array of <code>Callback</code> objects,
* which contains the information required by the authentication plug-in
* module. The caller requests information from the user. On receiving
* the information from the user, the caller submits the same to this class.
* While more information is required, the above process continues until all
* the information required by the plug-ins/authentication modules, has
* been supplied. The caller then checks if the user has successfully
* been authenticated. If successfully authenticated, the caller can
* then get the <code>Subject</code> and <code>SSOToken</code> for the user;
* if not successfully authenticated, the caller obtains the
* <code>AuthLoginException</code>.
* <p>
* The implementation supports authenticating users either locally
* i.e., in process with all authentication modules configured or remotely
* in either of the modes).
*
* @supported.api
*/
private boolean includeReqRes =
"com.sun.identity.authentication.util.JSSPasswordUtil";
"com.sun.identity.security.keystore.AMCallbackHandler";
static boolean usingJSSEHandler =
// Debug & I18N class
private boolean forceAuth = false;
private boolean localSessionChecked = false;
/**
* Variables for checking auth service is running local
*/
public boolean localFlag = false;
/**
* Variables for local AuthService identifier
*/
// Variable to check if 6.3 style remote AuthN has to be performed
static boolean useOldStyleRemoteAuthentication;
static boolean useNewStyleRemoteAuthentication;
// this cookieTable is used to keep all the cookies retrieved from the
// the PLL layer and replay them in subsequent auth requests, mainly for
// persistence purpose.
/**
* Constructs an instance of <code>AuthContext</code> for a given
* organization name or sub organization name. This organization or
* sub-organization name must be either "/" separated
* ( where it starts with "/" ) , DN , Domain name or DNS Alias Name.
* <p>
* Caller would then use <code>login</code> to start the
* authentication process and use <code>getRequirements()</code> and
* <code>submitRequirements()</code> to pass the credentials
* needed for authentication by the plugin authentication modules.
* The method <code>getStatus()</code> returns the
* authentication status.
*
* @param orgName Name of the user's organization.
* @throws AuthLoginException if <code>AuthContext</code> creation fails.
* This exception is kept for backward compatibility only.
*
* @supported.api
*/
}
/**
* Constructs an instance of <code>AuthContext</code> for a given
* organization name, or sub organization name and the OpenAM server
* URL.
* This organization or sub-organization name must be either "/" separated
* ( where it starts with "/" ) , DN , Domain name or DNS Alias Name.
* And the <code>url</code> should specify the OpenAM server's protocol,
* host name, and port number,
* for example : <code>http://daye.red.iplanet.com:58080</code>
*
* Caller would then use <code>login</code> to start the
* authentication process and use <code>getRequirements()</code> and
* <code>submitRequirements()</code> to pass the credentials
* needed for authentication by the plugin authentication modules.
* The method <code>getStatus()</code> returns the
* authentication status.
*
* @param orgName name of the user's organization
* @param url URL of the OpenAm instance to talk to
* @throws AuthLoginException if <code>AuthContext</code> creation fails.
* This exception is kept for backward compatibility only.
*
* @supported.api
*/
}
/**
* Constructs an instance of <code>AuthContext</code> for a given
* organization name, or sub organization name and a nick name
* for the certificate to be used in SSL handshake if client authentication
* is turn on in the server side.
* This organization or sub-organization name must be either "/" separated
* ( where it starts with "/" ) , DN , Domain name or DNS Alias Name.
*
* This constructor would be mainly used for the Certificate based
* authentication. If the certificate database contains multiple matching
* certificates for SSL, this constructor must be called in order for the
* desired certificate to be used for the Certificate based authentication.
*
* Caller would then use <code>login</code> to start the
* authentication process and use <code>getRequirements()</code> and
* <code>submitRequirements()</code> to pass the credentials
* needed for authentication by the plugin authentication modules.
* The method <code>getStatus()</code> returns the
* authentication status.
*
* @param orgName name of the user's organization
* @param nickName nick name for the certificate to be used
* @throws AuthLoginException if <code>AuthContext</code> creation fails.
* This exception is kept for backward compatibility only.
*
* @supported.api
*/
throws AuthLoginException {
}
/**
* Constructs an instance of <code>AuthContext</code> for a given
* organization name, or sub organization name, a nick name
* for the certificate to be used in SSL handshake if client authentication
* is enabled on the server side and the OpenAM URL.
* This organization or sub-organization name must be either "/" separated
* ( where it starts with "/" ) , DN , Domain name or a DNS Alias Name.
* And the <code>url</code> should specify the OpenAM server's protocol,
* host name, and port number,
* for example : <code>http://daye.red.iplanet.com:58080</code>
* This constructor would be mainly used for the Certificate based
* authentication. If the certificate database contains multiple matching
* certificates for SSL, this constructor must be called in order for the
* desired certificate to be used for the Certificate based authentication.
*
* Caller would then use <code>login</code> to start the
* authentication process and use <code>getRequirements()</code> and
* <code>submitRequirements()</code> to pass the credentials
* needed for authentication by the plugin authentication modules.
* The method <code>getStatus()</code> returns the
* authentication status.
*
* @param orgName name of the user's organization
* @param nickName nick name for the certificate to be used
* @param url URL of the OpenAM server to talk to
* @throws AuthLoginException if <code>AuthContext</code> creation fails.
* This exception is kept for backward compatibility only.
*
* @supported.api
*/
throws AuthLoginException {
}
/**
* Constructs an instance of <code>AuthContext</code> for a given
* organization name, or sub organization name contained in the
* single sign on token.
*
* This constructor should be called for re-authentication of an
* authenticated user. single sign on token is the authenticated resource's
* Single-Sign-On Token. If the session properties based on
* the login method used matches those in the user's new
* authenticated session then session upgrade will be done.
* A new session containing properties from both old single sign on token
* and new session shall be returned and old session will be
* destroyed if authentication passes.
*
* Caller would then use <code>login</code> to start the
* authentication process and use <code>getRequirements()</code> and
* <code>submitRequirements()</code> to pass the credentials
* needed for authentication by the plugin authentication modules.
* The method <code>getStatus()</code> returns the
* authentication status.
*
* @param ssoToken single sign on token representing the resource's previous
* authenticated session.
* @throws AuthLoginException if <code>AuthContext</code> creation fails.
* This exception is kept for backward compatibility only.
*
* @supported.api
*/
}
/**
* Constructs an instance of <code>AuthContext</code> for a given
* organization name, or sub organization name contained in the
* single sign on token.
*
* This constructor should be called for re-authentication of an
* authenticated user. single sign on token is the authenticated resource's
* Single-Sign-On Token. If the session properties based on
* the login method used matches those in the user's new
* authenticated session then session upgrade will be done.
* If forceAuth flag is <code>true</code> then the existing session
* is used and no new session is created otherwise this constructor
* behaves same as the constructor with no forceAuth flag.
*
* Caller would then use <code>login</code> to start the
* authentication process and use <code>getRequirements()</code> and
* <code>submitRequirements()</code> to pass the credentials
* needed for authentication by the plugin authentication modules.
* The method <code>getStatus()</code> returns the
* authentication status.
*
* @param ssoToken single sign on token representing the resource's
* previous authenticated session.
* @param forceAuth indicates that authentication preocess has to be
* restarted and given single sign on token will be used and new
* session will not be created.
* @throws AuthLoginException if <code>AuthContext</code> creation fails.
* This exception is kept for backward compatibility only.
*
* @supported.api
*/
}
/**
* Starts the login process for the given <code>AuthContext</code> object.
*
* @exception AuthLoginException if an error occurred during login.
*
* @supported.api
*/
}
/**
* Starts the login process for the given <code>AuthContext</code> object.
*
* @param request The HttpServletRequest that was sent to start the authentication process.
* @param response The corresponding HttpServletResponse for the HttpServletRequest.
* @throws AuthLoginException If an error occurred during login.
*
* @supported.api
*/
public void login(HttpServletRequest request, HttpServletResponse response) throws AuthLoginException {
}
/**
* Starts the login process for the given <code>AuthContext</code> object
* identified by the index type and index name. The <code>IndexType</code>
* defines the possible kinds of "objects" or "resources" for which an
* authentication can be performed. Currently supported index types are
* users, roles, services (or application), levels, resources and
* mechanism/authentication modules.
*
* @param type Authentication index type.
* @param indexName Authentication index name.
* @exception AuthLoginException if an error occurred during login.
*
* @supported.api
*/
throws AuthLoginException {
}
/**
* Starts the login process for the given <code>AuthContext</code> object
* identified by the index type and index name.
* The <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can
* be performed. Currently supported index types are
* users, roles, services (or application), levels, resources and mechanism.
* It allows the caller to pass in the desired locale for this request.
*
* @param type authentication index type
* @param indexName authentication index name
* @param locale locale setting
*
* @exception AuthLoginException if an error occurred during login
*/
throws AuthLoginException {
}
/**
* Starts the login process for the given <code>AuthContext</code> object
* identified by the index type and index name and also completes
* the login process by submitting the given User credentials
* in the form of Callbacks.
* The <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can
* be performed. Currently supported index types are
* users, roles, services (or application), levels, resources and mechanism.
* <p>
* NOTE : This is a simplified wrapper method to eliminate multi-step calls
* to 'login' and submit credentials. This method is useful and will work
* only for those authentication modules which require only one set of
* callbacks or one page. This method can not be used to authenticate to
* authentication modules which require user interaction or multiple pages.
*
* @param type Authentication index type.
* @param indexName Authentication index name.
* @param userInfo User information/credentials in the form of array of
* <code>Callback</code> objects. The <code>Callback</code> objects
* array must be in the same order as defined in the authentication
* module properties file, otherwise authentication module code will
* not work.
* @return single-sign-on token for the valid user after successful
* authentication.
* @exception AuthLoginException if an error occurred during login.
*/
throws AuthLoginException {
while (hasMoreRequirements()) {
callbacks = getRequirements();
try {
} catch (Exception e) {
if (authDebug.messageEnabled()) {
"Error: submitRequirements with userInfo : "
+ e.getMessage());
}
throw new AuthLoginException(e);
}
}
}
try {
ssoToken = getSSOToken();
}
} catch (Exception e) {
if (authDebug.messageEnabled()) {
}
throw new AuthLoginException(e);
}
return ssoToken;
}
/**
* Starts the login process for the given <code>AuthContext</code> object
* identified by the index type and index name with default parameters.
* The <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can be performed. Currently
* supported index types are users, roles, services (or application),
* levels, resources and mechanism/authentication modules.
*
* @param indexType authentication index type.
* @param indexName authentication index name.
* @param params contains the default values for the callbacks. The order
* of this array matches the callbacks order for this login process.
* value for the <code>PasswordCallback</code> is also in String
* format, it will be converted to <code>char[]</code> when it is
* set to the callback. Internal processing for this string array
* uses <code>|</code> as separator. Hence <code>|</code> should not
* be used in these default values. Currently only
* <code>NameCallback</code> and <code>PasswordCallback</code> are
* supported.
* @exception AuthLoginException if an error occurred during login.
*
* @supported.api
*/
throws AuthLoginException {
}
throws AuthLoginException {
}
/**
* Starts the login process for the given <code>AuthContext</code> object
* identified by the index type and index name with certain parameters
* and environment map.
* The <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can be performed. Currently
* supported index types are users, roles, services (or application),
* levels, modules and resources.
*
* @param indexType authentication index type.
* @param indexName authentication index name.
* @param params contains the default values for the callbacks. The order
* of this array matches the callbacks order for this login process.
* value for the <code>PasswordCallback</code> is also in String
* format, it will be converted to <code>char[]</code> when it is
* set to the callback. Internal processing for this string array
* uses <code>|</code> as separator. Hence <code>|</code> should not
* be used in these default values. Currently only
* <code>NameCallback</code> and <code>PasswordCallback</code> are
* supported.
* object indicating the property name, value is a Set of String
* values for the property. Currenty this parameter only applicable
* when the indexTye is <code>AuthContext.IndexType.RESOURCE</code>.
* @exception AuthLoginException if an error occurred during login.
*
* @supported.api
*/
throws AuthLoginException {
}
public void login(
) throws AuthLoginException {
if (clientLocale == null) {
} else {
}
}
private void login(
) throws AuthLoginException {
}
private void login(
) throws AuthLoginException {
try {
} catch (Exception e) {
throw new AuthLoginException(e);
}
}
}
try {
if (authServiceURL == null) {
}
if (authServiceURL != null) {
if (authDebug.messageEnabled()) {
+ authServiceURL);
}
return;
}
} catch (AuthLoginException e) {
authException = e;
} catch (Exception e) {
+ ": " + e.getMessage(),e);
}
// failover when authURL is not specified
try {
} catch (Exception e) {
new Object[]{e.getMessage()});
}
if (authDebug.messageEnabled()) {
}
if (serviceURLs != null) {
e.hasMoreElements(); ) {
try {
return;
} catch (AuthLoginException ex) {
authException = ex;
}
}
}
}
if (authException != null) {
throw authException;
} else {
}
}
private void runLogin(
) throws AuthLoginException {
if (!localFlag) {
}
if (appSSOToken == null) {
appSSOToken = getAppSSOToken(false);
}
}
if (localFlag) {
try {
if (ssoTokenID == null) {
} else {
if (authDebug.messageEnabled()) {
+ "ForceAuth = "+forceAuth);
}
}
/*
* Set both the HttpRequest and HttpResponse on the login state so they are accessible by the Auth
* Modules.
*/
}
}
}
} catch (AuthException e) {
throw new AuthLoginException(e);
}
}
return;
}
// Check if 7.0 RR stype protocol needs to be used
// This will setup NewAuthContext and authHandles
if (loginException != null) {
throw loginException;
}
}
// Run Login
// reset the retry count
if (authDebug.messageEnabled()) {
}
// If "Login" fails and we have not set 6.3, 7.0 RR style protocol
// the server could be either 6.3 or 7.0 RR. Hence try "NewAuthContext"
// and then "Login"
if (!useNewStyleRemoteAuthentication &&
(receivedDocument == null ||
loginException != null) {
if (authDebug.messageEnabled()) {
"AuthN and setting the flag to use 6.3 style");
}
useOldStyleRemoteAuthentication = true;
// Server could be either 6.3 or 7.0 RR, try old style
// Construct the Request XML with New AuthContext parameters
if (loginException != null) {
throw loginException;
}
// Re-try login process with AuthIdentifier
// reset the retry count
} else if (!useNewStyleRemoteAuthentication) {
useNewStyleRemoteAuthentication = true;
}
if (loginException != null) {
throw loginException;
}
}
try {
// remote auth
if (authDebug.messageEnabled()) {
}
}
if (appSSOToken != null) {
}
if (!useOldStyleRemoteAuthentication) {
}
}
if (forceAuth) {
.append("true")
}
}
}
}
}
if (i != 0 ) {
}
}
}
// convert Map to XMLString as follows:
// <EnvValue>keyname|value1|value2|...</EnvValue>
}
}
}
}
if (includeReqRes) {
try {
} catch (IOException ioe) {
}
if (authDebug.messageEnabled()) {
}
}
encObj = "";
try {
} catch (IOException ioe) {
}
if (authDebug.messageEnabled()) {
}
}
} else {
if (authDebug.messageEnabled()) {
}
}
// process the request, which will check for exceptions
// and also get the authentication handle ID
// Check set the login status
// if the app token was refreshed, retry remote login
if (loginException != null &&
retryRunLogin > 0) {
if (authDebug.messageEnabled()) {
}
// reset as we are starting again
}
} catch (AuthLoginException le) {
// Login has failed
loginException = le;
}
}
try {
if (ssoTokenID != null) {
}
// process the request, which will check for exceptions
// and also get the authentication handle ID
// Check set the login status
} catch (AuthLoginException le) {
// Login has failed
loginException = le;
}
}
/**
* Returns the set of Principals or Subject the user has been
* authenticated as.
* This should be invoked only after successful authentication.
*
* @return <code>Subject</code> for the authenticated User.
* If the authentication fails or the authentication is in process,
* this will return <code>null</code>.
*
* @supported.api
*/
if (localFlag) {
return (null);
}
return (acLocal.getSubject());
} else {
return (null);
}
return (getSubject(receivedDocument));
}
}
/**
* Returns a <code>Map</code> object that
* that contains cookies set by AM server
*
* @return a <code>Map</code> of cookie name and
* <code>Cookie</code> object.
*/
return cookieTable;
}
/**
* Returns <code>true</code> if the login process requires more
* information from the user to complete the authentication.
* <p>
* NOTE: This method has to be called as a condition of a
* <code>while</code> loop in order to complete the authentication process
* and get the correct <code>Status</code> after submitting the
* requirements.
*
* @return <code>true</code> if more credentials are required from the user.
*
* @supported.api
*/
public boolean hasMoreRequirements() {
if (localFlag) {
return (acLocal.hasMoreRequirements(false));
} else {
return (false);
}
return (true);
}
}
/**
* Returns <code>true</code> if the login process requires more information
* from the user to complete the authentication.
*
* NOTE: This method has to be called as a condition of a <ode>while</code>
* loop in order to complete the authentication process and get the correct
* <code>Status</code> after submitting the requirements.
*
* @param noFilter flag indicates whether to filter
* <code>PagePropertiesCallback</code> or not. Value
* <code>true</code> will not filter
* <code>PagePropertiesCallback</code>.
* @return <code>true</code> if more credentials are required from the user.
*
* @supported.api
*/
if (localFlag) {
} else {
return (false);
}
return (true);
}
}
/**
* Returns an array of <code>Callback</code> objects that must be populated
* by the user and returned back. These objects are requested by the
* authentication plug-ins, and these are usually displayed to the user.
* The user then provides the requested information for it to be
* authenticated.
*
* @return an array of <code>Callback</code> objects requesting credentials
* from user
*
* @supported.api
*/
if (localFlag) {
return (null);
}
return (acLocal.getRequirements(false));
} else {
return (null);
}
return (getCallbacks(receivedDocument, false));
}
}
/**
* Returns an array of <code>Callback</code> objects that
* must be populated by the user and returned back.
* These objects are requested by the authentication plug-ins,
* and these are usually displayed to the user. The user then provides
* the requested information for it to be authenticated.
*
* @param noFilter boolean flag indicating whether to filter
* <code>PagePropertiesCallback</code> or not. Value <code>true</code> will
* not filter <code>PagePropertiesCallback</code>.
*
* @return an array of <code>Callback</code> objects requesting credentials
* from user
*
* @supported.api
*/
if (localFlag) {
return (null);
}
} else {
return (null);
}
}
}
/**
* Fetches the remote request from the context
*
* @return The Http Servlet Request
*/
return remoteRequest;
}
/**
* Fetches the remote response from the context
*
* @return The Http Servlet Response
*/
return remoteResponse;
}
/**
* Submits the populated <code>Callback</code> objects to the
* authentication plug-in modules. Called after <code>getRequirements</code>
* method and obtaining user's response to these requests.
*
* @param info Array of <code>Callback</code> objects.
*
* @supported.api
*/
}
if (authDebug.messageEnabled()) {
}
if (localFlag) {
// Check if we are still in login session
return;
}
}
return;
} else {
// Check if we are still in login session
return;
}
// Construct the XML
try {
if (appSSOToken != null) {
}
if (clientLocale != null) {
}
}
if (includeReqRes) {
// serialized request and response objects
try {
} catch (IOException ioe) {
}
if (authDebug.messageEnabled()) {
}
}
encObj = "";
try {
} catch (IOException ioe) {
}
if (authDebug.messageEnabled()) {
}
}
}
// Send the request to be processes
// Check set the login status
} catch (AuthLoginException le) {
// Login has failed
loginException = le;
}
}
}
/**
* Logs out the user and also invalidates the single sign on token
* associated with this <code>AuthContext</code>.
*
* @throws AuthLoginException if an error occurred during logout.
*
* @supported.api
*/
if (localFlag) {
return;
}
// Construct the XML
try {
(Object[])authHandles));
if (appSSOToken != null) {
}
// Send the request to be processes
// Check set the login status
} catch (AuthLoginException le) {
// Login has failed
loginException = le;
}
}
/**
* Logs out the user and also invalidates the single sign on token
* associated with this <code>AuthContext</code>.
*
* This method causes the logout to happen on the server and the
* correct SPI hooks to be called.
*
* @throws AuthLoginException if an error occurred during logout.
*
* @supported.api
*/
public void logoutUsingTokenID()
throws AuthLoginException {
if (localFlag) {
return;
}
try {
} catch (Exception e) {
throw new AuthLoginException(e);
}
}
}
// Construct the XML
try {
(Object[]) authHandles));
if (appSSOToken != null) {
}
// Send the request to be processes
// Check set the login status
} catch (AuthLoginException le) {
// Login has failed
loginException = le;
}
}
/**
* Returns login exception, if any, during the authentication process.
* Typically set when the login fails.
*
* @return login exception.
* @supported.api
*/
if (localFlag) {
return (acLocal.getLoginException());
} else {
return (loginException);
}
}
/**
* Returns the Single-Sign-On (SSO) Token for the authenticated
* user. If the user has not successfully authenticated
* <code>Exception</code> will be thrown.
* <p>
* Single sign token can be used as the authenticated token.
*
* @return Single-Sign-On token for the valid user after successful
* authentication.
* @throws L10NMessageImpl if the user is not authenticated or an error is
* encountered in retrieving the user's single sign on token.
* @supported.api
*/
if (localFlag) {
throw new L10NMessageImpl(
}
return (acLocal.getSSOToken());
} else {
// Get the loginStatus node
throw new L10NMessageImpl(
}
if (loginStatusNode == null) {
}
try {
createSSOToken(ssoTokenIDTmp, true);
} catch (SSOException ssoe) {
throw new L10NMessageImpl(
}
}
}
/**
* Returns the current status of the authentication process as
* <code>AuthContext.Status</code>.
*
* @return <code>Status</code> of the authentication process.
*
* @supported.api
*/
if (localFlag) {
} else {
return (loginStatus);
}
}
/**
* Returns the current Auth Identifier of the authentication
* process as String Session ID.
*
* @return Auth Identifier of the authentication process.
*/
if (localFlag) {
return (acLocal.getAuthIdentifier());
} else {
return (getAuthHandle());
}
}
/**
* Returns the Successful Login URL for the authenticated user.
*
* @return the Successful Login URL for the authenticated user.
* @throws Exception if it fails to get url for auth success
*/
if (localFlag) {
throw new
}
return (acLocal.getSuccessURL());
} else {
// Get the loginStatus node
throw new
}
if (loginStatusNode == null) {
}
}
}
/**
* Returns the Failure Login URL for the authenticating user.
*
* @return the Failure Login URL for the authenticating user
* @throws Exception if it fails to get url for auth failure
*/
if (localFlag) {
return (acLocal.getFailureURL());
} else {
// Get the loginStatus node
if (loginStatusNode == null) {
}
}
}
/**
* Resets this instance of <code>AuthContext</code> object, so that a new
* login process can be initiated. A new authentication process can started
* using any one of the <code>login</code> methods.
*/
public void reset() {
//organizationName = null;
//receivedDocument = null;
//loginException = null;
}
/**
* Returns the the organization name that was set during the
* <code>AuthContext</code> constructor.
*
* @return Organization name in the <code>AuthContext</code>.
*
* @supported.api
*/
return (this.organizationName);
}
/**
*
* Returns authentication module/s instances (or plugins) configured
* for a organization, or sub-organization name that was set during the
* <code>AuthContext</code> constructor.
*
* @return Set of Module instance names.
*
* @supported.api
*/
}
if (!localFlag) {
}
if (localFlag) {
return (acLocal.getModuleInstanceNames());
} else {
if (authServiceURL == null) {
try {
} catch (Exception e) {
return Collections.EMPTY_SET;
}
}
//Receive data
if (queryResultNode == null) {
return (null);
}
// Iteratate through moduleInstanceNames
if ( childNodes != null ) {
}
}
return (moduleInstanceNames);
}
}
/**
* Terminates an ongoing <code>login</code> call that has not yet completed.
*
* @exception AuthLoginException if an error occurred during abort.
*
* @supported.api
*/
if (localFlag) {
return;
}
// Construct the XML
try {
(Object[])authHandles));
if (appSSOToken != null) {
}
// Send the request to be processes
// Check set the login status
} catch (AuthLoginException le) {
// Login has failed
loginException = le;
}
}
/**
* Sets the password for the certificate database.
* It is required to call only once to initialize certificate database if
* the password is not set in the password file (specified as
* the value for <code>com.iplanet.am.admin.cli.certdb.passfile</code>
* in <code>AMConfig.properties</code>). If both are set, this method will
* overwrite the value in certificate password file.
*
* @param password Password for the certificate database.
*
* @supported.api
*/
try {
if (usingJSSEHandler) {
} else {
}
} catch (Exception e) {
e.printStackTrace();
}
}
/**
* Returns the error template.
*
* @return error template.
*/
if (localFlag) {
return (acLocal.getErrorTemplate());
} else {
if (receivedDocument == null) {
//something went terribly wrong, let's return with internal error template
}
if (exceptionNode != null) {
}
return errTemplate;
}
}
/**
* Returns the error message.
*
* @return error message.
*/
if (localFlag) {
return (acLocal.getErrorMessage());
} else {
if (receivedDocument == null) {
//something went terribly wrong, let's return with internal error message
}
if (exceptionNode != null) {
}
return errMessage;
}
}
/**
* Returns error code.
*
* @return error code with white space trimmed
*/
if (localFlag) {
return (acLocal.getErrorCode());
} else {
if (receivedDocument == null) {
//something went terribly wrong
return AMAuthErrorCode.AUTH_ERROR;
}
if (exceptionNode != null) {
}
} else {
return errCode;
}
}
}
/**
* Sets the client's hostname or IP address.This could be used
* by the policy component to restrict access to resources.
* This method is ineffective if the "Remote Auth Security" option under
* the global configuration of Core Authentication Service is not enabled.
* This method must be called before calling <code>login</code> method.
* If it is called after calling <code>login</code> then
* it is ineffective.
*
* @param hostname hostname or ip address
*
* @supported.api
*/
}
/**
* Returns the client's hostname or IP address as set by
* setClientHostName
*
*
* @supported.api
*/
return (hostName);
}
/**
* Sets locale based on user locale preferemce.
*
* @param loc locale preference of user
*/
clientLocale = loc;
}
/**
* Returns locale preference set in AuthConext
* @return - user prefered locale.
*/
return clientLocale;
}
// if the app token is invalid, refresh the token
appSSOToken = getAppSSOToken(true);
}
} else {
error = getErrorMessage();
}
}
return exception;
}
protected void checkAndSetLoginStatus(){
if (loginStatusNode == null) {
if (includeReqRes) {
}
} else {
//since there was no error, we should reset the loginException, to handle the case when the first auth
//server was not available.
// Get the status attribute
}
}
if (includeReqRes) {
}
if (authDebug.messageEnabled()) {
}
}
}
// Construct the XML
try {
(Object[])authHandles));
if (appSSOToken != null) {
}
}
// Send the request to be processes
// Check set the login status
} catch (AuthLoginException le) {
// Login has failed
loginException = le;
}
}
try {
if (authDebug.messageEnabled()) {
}
if ((localAuthServiceID != null) &&
) {
localFlag = true;
}
} catch (Exception e) {
}
}
throws AuthLoginException {
try {
}
if (authDebug.messageEnabled()) {
}
}
} catch (Exception e) {
null, e);
}
return (doc);
}
throws AuthLoginException {
if (exceptionNode != null) {
}
}
throws AuthLoginException {
if (responseNode == null) {
}
return (authID);
}
boolean noFilter) {
}
if (loginStatusNode == null) {
return (null);
}
if (subjectNode == null) {
return (null);
}
try {
if (authDebug.messageEnabled()) {
}
return sSubject;
} catch (Exception e) {
return null;
}
}
return ("");
}
}
/**
* Returns the account lockout message. This can be either a dynamic
* message indicating the number of tries left or the the account
* deactivated message.
*
* @return account lockout message.
*/
if (localFlag) {
} else {
// Account Lockout Warning Check by scanning the error
// message in the exception thrown by the server
if((lockoutMsg == null) ||
lockoutMsg = "";
}
}
return lockoutMsg;
}
/**
* Returns <code>true</code> if account is lock out.
*
* @return <code>true</code> if account is lock out.
*/
public boolean isLockedOut() {
boolean isLockedOut = false;
if (localFlag) {
} else {
// TBD
}
return isLockedOut;
}
/**
* The class <code>Status</code> defines the possible
* authentication states during the login process.
*
* @supported.all.api
*/
/**
* The <code>NOT_STARTED</code> status indicates that the login process
* has not yet started. Basically, it means that the method
* <code>login</code> has not been called.
*/
/**
* The <code>IN_PROGRESS</code> status indicates that the login process
* is in progress. Basically, it means that the <code>login</code>
* method has been called and that this object is waiting for the user
* to send authentication information.
*/
/**
*
* The <code>SUCCESS</code> indicates that the login process has
* succeeded.
*/
/**
* The <code>FAILED</code> indicates that the login process has failed.
*/
/**
*
* The <code>COMPLETED</code> indicates that the user has been
* successfully logged out.
*/
/**
* The <code>RESET</code> indicates that the login process has been
* reset or re-initialized.
*/
/**
* The <code>ORG_MISMATCH</code> indicates that the framework
* <code>org</code> and the <code>org</code> required by the user do
* not match.
*/
private Status() {
// do nothing
}
status = s;
}
/**
* Returns the string representation of the authentication status.
*
* @return String representation of authentication status.
*/
return (status);
}
/**
* Checks if two authentication status objects are equal.
*
* @param authStatus Reference object with which to compare.
* @return <code>true</code> if the objects are same.
*/
if (authStatus instanceof Status) {
}
return (false);
}
}
/**
* The class <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can be performed.
*
* @supported.all.api
*/
/**
* The <code>USER</code> index type indicates that the index name given
* corresponds to a user.
*/
/**
* The <code>ROLE</code> index type indicates that the index name given
* corresponds to a role.
*/
/**
*
* The <code>SERVICE</code> index type indicates that the index name
* given corresponds to a service (or application).
*/
/**
* The <code>LEVEL</code> index type indicates that the index name
* given corresponds to a given authentication level.
*/
/**
* The <code>MODULE_INSTANCE</code> index type indicates that the index
* name given corresponds to one of the authentication modules.
*/
new IndexType("module_instance");
/**
* The <code>RESOURCE</code> index type indicates that the index
* name given corresponds to a given policy protected resource URL.
*/
new IndexType("resource");
/**
* The <code>COMPOSITE_ADVICE</code> index type indicates that the
* index name given corresponds to string in the form of XML
* representing different Policy Authentication conditions, example
* <code>AuthSchemeCondition</code>, <code>AuthLevelCondition</code>,
* etc.
*/
new IndexType("composite_advice");
private IndexType() {
// do nothing
}
index = s;
}
/**
* Returns the string representation of the index type.
*
* @return String representation of index type.
*/
return (index);
}
/**
* Checks if two index type objects are equal.
*
* @param indexType Reference object with which to compare.
*
* @return <code>true</code> if the objects are same.
*/
}
return (false);
}
}
if (receivedDocument != null) {
try {
} catch (Exception e) {
// do nothing
}
}
handle = "0";
}
return handle;
}
) {
try {
} catch (Exception e) {
}
return authservice;
}
private void onSuccessLocal() {
if (localSessionChecked) {
return;
}
if (forceAuth) {
try {
} catch (SSOException ssoExp) {
ssoExp);
}
} else {
}
}
localSessionChecked = true;
}
/**
* Returns the application sso token. Can perform a check to ensure that
* the app token is still valid (requires a session refresh call to OpenAM)
*
* @param refresh true if we should check with OpenAM if the app token is valid
* @return a valid application's sso token.
*/
try {
} catch (AMSecurityPropertiesException aspe) {
if (authDebug.messageEnabled()) {
}
}
if (refresh) {
// ensure the token is valid
try {
if (authDebug.messageEnabled()) {
"App SSOToken is invalid, retrying");
}
try {
} catch (AMSecurityPropertiesException aspe) {
if (authDebug.messageEnabled()) {
}
}
}
} catch (SSOException ssoe) {
if (authDebug.messageEnabled()) {
}
try {
} catch (AMSecurityPropertiesException aspe) {
if (authDebug.errorEnabled()) {
}
}
}
}
if (authDebug.messageEnabled()) {
} else {
}
}
return appToken;
}
return acLocal;
}
}