AuthClientUtils.java revision 0e8c9f52da2a5befd2b6822ee39d3b0dbafc8781
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AuthClientUtils.java,v 1.40 2010/01/22 03:31:01 222713 Exp $
*
* Portions Copyrighted 2010-2014 ForgeRock AS.
*/
public class AuthClientUtils {
private static boolean setRequestEncoding = false;
private static AMClientDetector clientDetector;
private static Client defaultClient;
private static ResourceBundle bundle;
private static final boolean urlRewriteInPath =
public static final String templatePath =
// dsame version
private static String dsameVersion =
// If true, version header will be added to responses, default is false
private static final boolean isVersionHeaderEnabled =
/* Constants.AM_COOKIE_NAME is the AM Cookie which
* gets set when the user has authenticated
*/
private static String cookieName=
/* Constants.AM_AUTH_COOKIE_NAME is the Auth Cookie which
* gets set during the authentication process.
*/
private static String authCookieName=
/* Constants.AM_DIST_AUTH_COOKIE_NAME is the Auth Cookie which
* gets set during the authentication process.
*/
private static String distAuthCookieName=
private static String persistentCookieName=
private static boolean setCookieToAllDomains = true;
private static String[] ignoreList = {
"IDtoken0", "IDtoken1", "IDtoken2", "IDButton", "AMAuthCookie", "encoded", "IDToken3"
};
private static boolean isSessionHijackingEnabled =
private static String hostUrlCookieName =
"sunIdentityServerAuthNServer");
private static String hostUrlCookieDomain =
private static final String distAuthCluster =
private static final String distAuthSites =
static {
// Initialzing variables
clientDetector = new AMClientDetector();
if (isClientDetectionEnabled()) {
}
}
} else {
}
setCookieToAllDomains = false;
}
if (utilDebug.messageEnabled()) {
}
try {
if (utilDebug.messageEnabled()) {
"AuthClientUtils.static(): "
+ "Cluster List is: " + distAuthCluster);
}
while (distAuthServersList.hasMoreTokens()) {
}
} else {
}
} catch (Exception e) {
e.toString());
}
}
try {
if (utilDebug.messageEnabled()) {
"AuthClientUtils.static(): "
+ "Dist Auth Site list is: " + distAuthSites);
}
while (distAuthSitesList.hasMoreTokens()) {
if (distAuthSet == null) {
}
} else {
if (utilDebug.messageEnabled()) {
"invalid dist auth server entry: " + distAuthServer);
}
continue;
}
}
} else {
} else {
if (utilDebug.messageEnabled()) {
"invalid dist auth server entry: " + distAuthSites);
}
}
}
}
if (utilDebug.messageEnabled()) {
"dist auth server to site: " + distAuthSitesMap);
}
}
//configuration sanity check
//configuration sanity check
//we need to ensure that set-cookie headers are always retained for the response.
if (utilDebug.messageEnabled()) {
}
}
/*
* Protected constructor to prevent any instances being created
* Needs to be protected to allow subclass AuthUtils
*/
protected AuthClientUtils() {
}
}
return Collections.EMPTY_LIST;
}
public static Hashtable parseRequestParameters(
return (decodeHash(request));
}
if (utilDebug.messageEnabled()) {
+ ", encoding=" + encoding);
}
@SuppressWarnings("unchecked")
encoded = "false";
}
while (names.hasMoreElements()) {
// This will nornally be the case when browser back button is
// used and the form is posted again with the base64 encoded
// parameters
while (st.hasMoreTokens()) {
}
}
}
// Again this will be the case when browser back
// button is used and the form is posted with the
// base64 encoded parameters including goto
}
}
}else{
}
}// while
return (data);
}
/**
* Returns the Logout cookie.
*
* @param sid Session ID.
* @param cookieDomain Cookie domain.
* @return logout cookie string.
*/
return (logoutCookie);
}
/**
* Returns the encrpted Logout cookie string .
* The format of this cookie is:
* <code>LOGOUT@protocol@servername@serverport@sessiondomain</code>.
*
* @param sid the SessionID
* @return encrypted logout cookie string.
*/
try {
new EncodeAction(
"LOGOUT" + "@" +
if (utilDebug.messageEnabled()) {
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
}
return (logout_cookie );
}
/**
* Returns Cookie to be set in the response.
*
* @param cookieValue value of cookie
* @param cookieDomain domain for which cookie will be set.
* @return Cookie object.
*/
if (utilDebug.messageEnabled()) {
}
}
} else {
}
}
if (utilDebug.messageEnabled()) {
}
return (queryOrg);
}
// print cookies in the request
// use for debugging purposes
return;
}
if ( utilDebug.messageEnabled()) {
}
}
}
try {
if (utilDebug.messageEnabled()) {
}
if (reqParameters == null) {
return;
}
while (Edata.hasMoreElements()) {
if (utilDebug.messageEnabled()) {
}
}
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
}
}
}
} else {
}
}
}
/**
* Creates a Cookie with the <code>cookieName</code>,
* <code>cookieValue</code> for the cookie domains specified.
*
* @param cookieName is the name of the cookie
* @param cookieValue is the value fo the cookie
* @param cookieDomain Domain for which the cookie is to be set.
* @return the cookie object.
*/
public static Cookie createCookie(
) {
if (utilDebug.messageEnabled()) {
}
try {
// hardcoded need to read from attribute and set cookie
// for all domains
"/", cookieDomain);
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
+ e.getMessage());
}
}
if (utilDebug.messageEnabled()) {
}
return (cookie);
}
}
} else {
}
}
}
/* return the the error message for the error code */
return (errorMessage);
}
/* return the the error template for the error code */
return (errorTemplate);
}
// came here if cookie not found , return false
return(
||
}
// Get Original Redirect URL for Auth to redirect the Login request
try {
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
+ e.toString());
}
return (null);
}
return (null);
}
/**
* Adds Logout cookie to URL.
*
* @param url is the url to be rewritten with the logout cookie
* @param logoutCookie is the logoutCookie String
* @param isCookieSupported is a boolean which indicates whether
* cookie support is true or false
* @return URL with the logout cookie appended to it.
*/
public static String addLogoutCookieToURL(
boolean isCookieSupported) {
} else {
} else {
}
if (utilDebug.messageEnabled()) {
}
}
/*if (utilDebug.messageEnabled()) {
* utilDebug.message("logoutURL is : "+ logoutURL);
*}
*/
return (logoutURL);
}
/**
* Returns the Session ID for the request.
* The cookie in the request for invalid sessions
* is in authentication cookie, <code>com.iplanet.am.auth.cookie</code>,
*
* @param request HttpServletRequest object.
* @return session id for this request.
*/
//Let's check the URL first in case this is a forwarded request from Federation. URL should have precedence
//over the actual cookie value, so this way a new federated auth can always start with a clear auth session.
}
}
return sessionID;
}
/**
* Returns the Session ID for this request. If Authetnication Cookie and
* Valid AM Cookie are there and request method is GET then use Valid
* AM Cookie else use Auth Cookie. The cookie in the request for invalid
* sessions is in auth cookie, <code>com.iplanet.am.auth.cookie</code>,
*
* @param request HTTP Servlet Request.
* @return Session ID for this request.
*/
if (authCookieSid == null) {
} else {
if (isGetRequest) {
} else {
}
}
if (utilDebug.messageEnabled()) {
}
return (sessionID);
}
/**
* Returns <code>true</code> if the request has the
* <code>arg=newsession</code> query parameter.
*
* @param reqDataHash Request Data Hashtable.
* returns <code>true</code> if this parameter is present.
*/
boolean newSessionArgExists =
if (utilDebug.messageEnabled()) {
}
return (newSessionArgExists);
}
// Get the AuthContext.IndexType given string index type value
if (utilDebug.messageEnabled()) {
}
if (strIndexType != null) {
}
}
if (utilDebug.messageEnabled()) {
}
return (indexType);
}
// Get the index name given index type from the existing valid session
try {
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
return (indexName);
}
if (utilDebug.messageEnabled()) {
}
return (indexName);
}
// Get the first or latest index name from the string of index names
// separated by "|".
if (st.hasMoreTokens()) {
}
}
return (firstIndexName);
}
// search valve in the String
return (false);
}
try {
while (st.hasMoreTokens()) {
return (true);
}
}
} else {
return (true);
}
}
} catch (Exception e) {
}
return (false);
}
// Method to check if this is Session Upgrade
public static boolean checkSessionUpgrade(
boolean upgrade = false;
try {
if (utilDebug.messageEnabled()) {
}
if (utilDebug.messageEnabled()) {
}
upgrade = true;
}
if (utilDebug.messageEnabled()) {
}
upgrade = true;
}
if(utilDebug.messageEnabled()) {
+" service");
}
upgrade = true;
}
if (utilDebug.messageEnabled()) {
}
upgrade = true;
}
if (utilDebug.messageEnabled()) {
}
upgrade = true;
}
if (utilDebug.messageEnabled()) {
}
upgrade = true;
}
} catch (Exception e) {
}
if (utilDebug.messageEnabled()) {
}
return (upgrade);
}
/**
* Tells whether the incoming request corresponds to a session upgrade or ForceAuth.
*
* @param request The incoming HttpServletRequest.
* @return <code>true</code> if the request corresponds to a session upgrade or ForceAuth, <code>false</code>
* otherwise.
*/
if (!isForceAuth) {
try {
} catch (SSOException ssoe) {
if (utilDebug.messageEnabled()) {
}
}
}
return isForceAuth;
}
try {
return cookieURL;
}
}
} catch (SSOException ssoe) {
if (utilDebug.messageEnabled()) {
}
}
return null;
}
try {
} catch (SessionException se) {
if (utilDebug.messageEnabled()) {
}
}
return cookieURL;
}
public static boolean isClientDetectionEnabled() {
boolean clientDetectionEnabled = false;
if (clientDetector != null) {
} else {
}
if (utilDebug.messageEnabled()) {
}
return (clientDetectionEnabled);
}
/**
* Returns the client type. If client detection is enabled then
* client type is determined by the <code>ClientDetector</code> class otherwise
* <code>defaultClientType</code> set in
* <code>iplanet-am-client-detection-default-client-type</code>
* is assumed to be the client type.
*
* @param req HTTP Servlet Request.
* @return client type.
*/
if (utilDebug.messageEnabled()) {
}
}
return (getDefaultClientType());
}
/**
* Get default client
*/
public static String getDefaultClientType() {
if (defaultClient != null) {
try {
// add observer, so auth will be notified if the client changed
// defClient.addObserver(this);
} catch (Exception e) {
+ e.toString());
}
}
if (utilDebug.messageEnabled()) {
}
return (defaultClientType);
}
/**
* return the client Object associated with a clientType
* default instance is returned if the instance could not be found
*/
try {
}
}
return (defaultClient);
}
/**
* Returns the requested property from clientData (example fileIdentifer).
*
* @param clientType
* @param property
* @return the requested property from clientData.
*/
return null;
}
try {
// which means we did not get the client Property
// if this was not the default client type then lets
// try to get the default client Property
return (getDefaultProperty(property));
}
}
/**
* return the requested property for default client
*/
try {
}
return (null);
}
/**
* return the charset associated with the clientType
*/
if (isClientDetectionEnabled()) {
try {
if (utilDebug.warningEnabled()) {
+ " Client data was "
+ "not found, setting charset to UTF-8.");
}
}
if (utilDebug.messageEnabled()) {
" Client is : " + charset);
}
} else {
}
return (charset);
}
/**
* return the filePath associated with a clientType
*/
return (DEFAULT_FILE_PATH);
}
return (filePath);
}
/**
* return the contentType associated with a clientType
* if no contentType found then return the default
*/
if (contentType == null) {
return (DEFAULT_CONTENT_TYPE);
}
return (contentType);
}
/**
* for url rewriting with session id we need to know whether
* cookies are supported
* RFE 4412286
*/
return (DEFAULT_COOKIE_SUPPORT);
}
return (cookieSup);
}
/**
* determine if this client is an html client
*/
}
/* return true if cookiSupport is true or cookieDetection
* mode has been detected .This is used to determine
* whether cookie should be set in response or not.
*/
if (utilDebug.messageEnabled()) {
}
return (setCookie);
}
/* checks the cookieDetect , cookieSupport values to
* determine if cookie should be rewritten or set.
*/
if (utilDebug.messageEnabled()) {
}
return (setCookie);
}
/** Returns true if cookieDetect mode else false.
* @param cookieSupport , whether cookie is supported or not.
* @return true if cookieDetect mode else false
*/
boolean cookieDetect
= ((cookieSupport == null) ||
if (utilDebug.messageEnabled()) {
}
return (cookieDetect);
}
/**
* Extracts the client URL from the String passed
* URL passed is in the format clientType | URL
* @param urlString is a String , a URL
* @param index is the position of delimiter "|"
* @return Returns the client URL.
*/
if ((clientTypeInUrl != null) &&
}
}
}
if (utilDebug.messageEnabled()) {
}
return (clientURL);
}
/* return true if cookieSupport is false and cookie Detect
* mode (which is rewrite as well as set cookie the first
* time). This determines whether url should be rewritten
* or not.
*/
if (utilDebug.messageEnabled()) {
}
return (rewriteURL);
}
public static String getDSAMEVersion() {
return (dsameVersion);
}
public static boolean isVersionHeaderEnabled() {
return isVersionHeaderEnabled;
}
/**Returns the Auth Cookie Name.
*
* @return authCookieName, a String,the auth cookie name.
*/
public static String getAuthCookieName() {
return (authCookieName);
}
/**Returns the Dist Auth Cookie Name.
*
* @return authCookieName, a String, the dist auth cookie name.
*/
public static String getDistAuthCookieName() {
return (distAuthCookieName);
}
public static String getCookieName() {
return (cookieName);
}
public static String getPersistentCookieName() {
return (persistentCookieName);
}
public static String getlbCookieName() {
if (SystemProperties.isServerMode()) {
} else {
}
if(utilDebug.messageEnabled()){
"loadBalanceCookieName is:" + loadBalanceCookieName);
}
return loadBalanceCookieName;
}
public static String getlbCookieValue() {
if (SystemProperties.isServerMode()) {
try {
return (WebtopNaming.getLBCookieValue(
} catch (Exception e) {
return (null);
}
} else {
return SystemProperties.get(
}
}
try {
try {
"iPlanetAMPlatformService",token);
} catch (SMSException ex) {
// Ignore the exception and leave cookieDomains empty;
}
if (cookieDomains == null) {
}
} catch (SSOException ex) {
// unable to get SSOToken
}
}
}
return cookieDomains;
}
/**
* Find the cookie domains from the cookie domain list based on
* the hostname of the incoming request
*
* @param request HttpServletRequest request
* @return a set of the cookie domains
*/
if (setCookieToAllDomains) {
return allDomains;
}
if (!allDomains.isEmpty()) {
}
}
}
if (utilDebug.messageEnabled()) {
+ domains);
}
return domains;
}
/* This method returns the organization DN.
* The organization DN is deteremined based on
* the query parameters "org" OR "domain" OR
* the server host name. For backward compatibility
* the orgname will be determined from requestURI
* in the case where either query params OR server host
* name are not valid and orgDN cannot be found.
* The orgDN is determined based on and in order,by the SDK:
* 1. OrgDN - organization dn.
* 2. Domain - check if org is a domain by trying to get
* domain component
* 3 Org path- check if the orgName passed is a path (eg."/suborg1")
* 4. URL - check if the orgName passed is a DNS alias (URL).
* 5. If no orgDN is found null is returned.
* @param orgParam is the org or domain query param ,
* or the server host name
* @param noQueryParam is a boolean indicating that the
* the request did not have query.
* @param request is the HttpServletRequest object
* @return A String which is the organization DN
*/
// try to get the host name if org or domain Param is null
try {
}
if (utilDebug.messageEnabled()) {
}
}
// if orgName is null then match the DNS Alias Name
// This is for backward compatibility
if (index != -1) {
} else {
}
try {
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
}
}
}
if (utilDebug.messageEnabled()) {
}
return (orgName);
}
/** This method determines the org parameter
* and determines the organization DN based on
* query parameters.
* The organization DN is determined based on
* the policy advice OR
* the query parameters "org" OR "domain" OR
* the server host name. For backward compatibility
* the orgname will be determined from requestURI
* in the case where either query params OR server host
* name are not valid and orgDN cannot be found.
* The orgDN is determined based on and in order,by the SDK:
* 1. OrgDN - organization dn.
* 2. Domain - check if org is a domain by trying to get
* domain component
* 3 Org path- check if the orgName passed is a path (eg."/suborg1")
* 4. URL - check if the orgName passed is a DNS alias (URL).
* 5. Policy Advice will be checked for realm advice, or realm component in
* the advice
* 6. If no orgDN is found null is returned.
*
* @param request HTTP Servlet Request object.
* @param requestHash Query Hashtable.
* @return Organization DN.
*/
public static String getDomainNameByRequest(
boolean noQueryParam=false;
}
//Policy Advice has precedence over GET parameter
}
if (utilDebug.messageEnabled()) {
}
// try to get the host name if org or domain Param is null
noQueryParam= true;
if (utilDebug.messageEnabled()) {
}
}
if (utilDebug.messageEnabled()) {
}
return (orgDN);
}
}
/**
* Returns the org or domain parameter passed as a query in the request.
*
* @param requestHash Hashtable containing the query parameters
* @return organization name.
*/
}
}
}
return orgParam;
}
try {
} catch (MalformedURLException ex) {
return (in);
}
}
/**
* Returns <code>true</code> if the host name in the URL is valid.
*
* @param hostName Host name.
* @return <code>true</code> if the host name in the URL is valid.
*/
if (utilDebug.messageEnabled()) {
}
if (retVal) {
} else {
}
if (utilDebug.messageEnabled()) {
}
return (retVal);
}
/**
* Returns the valid hostname from the fqdn map and constructs the correct
* URL. The request will be forwarded to the new URL.
*
* @param partialHostName Partial host name.
* @param servletRequest HTTP Servlet Request.
*/
public static String getValidFQDNResource(
) {
if (utilDebug.messageEnabled()) {
}
// get mapping from table
if (validHostName == null) {
}
if (utilDebug.messageEnabled()) {
}
if (utilDebug.messageEnabled()) {
}
return (requestURL);
}
/* get the host name from the servlet request's host header or
* get it using servletRequest:getServerName() in the case
* where host header is not found
*/
// get the host header
if (i != -1) {
}
} else {
}
if (utilDebug.messageEnabled()) {
}
return (hostname);
}
/* construct the url */
if (queryString != null) {
}
if (utilDebug.messageEnabled()) {
}
return (urlString);
}
boolean ignore = false;
ignore = true;
break;
}
}
return ignore;
}
encoded = "false";
}
//this is a forwarded request, we should only save the forwarded URL.
if (queryString != null) {
}
if (utilDebug.messageEnabled()) {
}
}
for ( ; parameters.hasMoreElements() ;) {
if(utilDebug.messageEnabled()) {
}
if(!ignoreParameter(parameter)){
// This will nornally be the case when browser back button is
// used and the form is posted again with the base64 encoded
// parameters
}
if ((queryParams != null) &&
if(utilDebug.messageEnabled()) {
+ queryParams);
}
// This function will encode all the parameters in
// SunQueryParamsString
}
} else {
// Again this will be the case when browser back
// button is used and the form is posted with the
// base64 encoded parameters including goto
}
}
}
}
if (parameters.hasMoreElements()) {
}
}
}
}
if (utilDebug.messageEnabled()) {
"returning URLEncoded login url : " +
}
}
/**
* This method takes in a String representing query parameters, and
* URL encodes "sunamcompositeadvice" parameter out of it.
*/
while (st.hasMoreTokens()) {
adviceString = str;
} else {
}
}
}
/**
* This method takes in a String representing base64 decoded
* SunQueryParamsString and URL encodes all the parameters
* included in its value
*/
while (st.hasMoreTokens()) {
value =
}
if(st.hasMoreTokens()){
}
}
}
}
// Get Original Redirect URL for Auth to redirect the Login request
try {
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
+ e.toString());
}
return (ssoToken);
}
return (ssoToken);
}
// Check for Session Timed Out
// If Session is Timed Out Exception is thrown
boolean isTimedOut = false;
try {
isTimedOut = false;
}
}
} catch (Exception e) {
isTimedOut = true;
}
}
if (utilDebug.messageEnabled()) {
}
return isTimedOut;
}
if (utilDebug.messageEnabled()) {
}
if (commaIndex != -1) {
} else {
}
}
return (errorMsg);
return (templateName);
} else {
return (null);
}
}
boolean cookieSupported = true;
cookieSupported = false;
}
return (cookieSupported);
}
boolean cookieSet = false;
if (isClientDetectionEnabled() && cookieDetect) {
cookieSet = true;
}
return (cookieSet);
}
/*create Persistent Cookie */
if (maxAge >= 0) {
}
if (utilDebug.messageEnabled()) {
}
return (pCookie);
}
try {
if (utilDebug.messageEnabled()) {
}
lbCookie =
return (lbCookie);
} catch (Exception e) {
}
}
/**
* Returns the Cookie object created based on the <code>cookieName</code>,
* Session ID and <code>cookieDomain</code>.
* If <code>AuthContext,/code> status is not <code>SUCCESS</code> then
* cookie is created with authentication cookie Name, else AM Cookie Name
* will be used to create cookie.
*
* @param ac the AuthContext object
* @param cookieDomain the cookie domain for creating cookie.
* @return Cookie object.
*/
try {
cookieName = getCookieName();
}
if (CookieUtils.isCookieSecure()) {
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
+ e.getMessage());
}
}
if (utilDebug.messageEnabled()) {
}
return (cookie);
}
/**
( Returns URL with the cookie value in the URL. The cookie in the
* and authentication cookie if session is invalid.
*
* @param url URL to be encoded.
* @param request HTTP Servlet Request.
* @param ac Authentication Context.
* @return the encoded URL.
*/
AuthContext ac) {
if (isCookieSupported(request)) {
return (url);
}
cookieName = getCookieName();
}
if (urlRewriteInPath) {
} else {
}
if (utilDebug.messageEnabled()) {
", \nRewritten URL = " + encodedURL);
}
return(encodedURL);
}
return (encodedURL);
}
/**
* Returns the resource based on the default values.
*
* @param request HTTP Servlet Request.
* @param fileName name of the file
* @param locale Locale used for the search.
* @param servletContext Servlet Context for server
* @return Path to the resource.
*/
public static String getDefaultFileName(
}
try {
//in case we are unable to determine the realm from the incoming
//requests, let's fallback to top level realm
}
try {
} catch (Exception e) {
}
if (utilDebug.messageEnabled()) {
}
return (templateFile);
}
/* get the root suffix , eg. o= isp */
public static String getRootSuffix() {
// rootSuffix is already normalized in SMSEntry
return (rootSuffix);
}
/* get the root dir to start lookup from./<default org>
* default is /default
*/
protected static String getFileRoot() {
if (utilDebug.messageEnabled()) {
}
if (rootOrgName != null) {
}
return (fileRoot);
}
/* insert chartset in the filename */
return (null);
}
if (i != -1) {
} else {
}
if (utilDebug.messageEnabled()) {
}
return (charsetFilename);
}
/* retrieve the resource (file) using resource lookup */
if ((clientType != null) &&
// non-HTML client
}
if (resourceName == null) {
}
if (utilDebug.messageEnabled()) {
}
return (resourceName);
}
/* constructs the filePath parameter for FileLookUp
* filePath = indexName (service name) + clientPath (eg. html).
*/
public static String getFilePath(HttpServletRequest request, AuthContext.IndexType indexType, String indexName) {
// only if index name is service type then need it
// as part of the filePath since service can have
// have different auth template
}
return null;
}
}
// To avoid issues with case-sensitive filesystems, always use the lowercase version of the serviceName
}
if (utilDebug.messageEnabled()) {
}
return newFilePath;
}
/* retrieves the org path to search resource
* eg. if orgDN = o=org1,o=org11,o=org12,dc=iplanet,dc=com
*/
if (utilDebug.messageEnabled()) {
}
orgName);
if (i != -1) {
} else {
break;
}
if (utilDebug.messageEnabled()) {
}
}
}
if (utilDebug.messageEnabled()) {
}
return (orgPath);
}
/**
* Returns the File name based on the given input values.
*
* @param fileName Name of the file.
* @param localeName Locale name.
* @param orgDN Organization distinguished name.
* @param servletRequest HTTP Servlet Request.
* @param servletContext Servlet Context for server.
* @param indexType AuthContext Index Type.
* @param indexName index name associated with the index type.
* @return File name of the resource.
*/
public static String getFileName(
) {
try {
// get the filePath Client filePath + serviceName
if (utilDebug.messageEnabled()) {
+ ", locale = " + localeName +
", filePath = " + filePath +
", orgPath = " + orgFilePath);
}
} catch (Exception e) {
}
if (utilDebug.messageEnabled()) {
}
return (templateFile);
}
//Let's check the URL first in case this is a forwarded request from Federation. URL should have precedence
//over the actual cookie value, so this way a new federated auth can always start with a clear auth session.
if (utilDebug.messageEnabled()) {
}
}
}
/**
* @deprecated use {@link #getDomainNameByRequest(
* javax.servlet.http.HttpServletRequest, java.util.Hashtable)} instead.
*/
//Policy Advice has precedence over GET parameter
}
if (utilDebug.messageEnabled()) {
}
// try to get the host name if org or domain Param is null
orgParam = "/";
if (utilDebug.messageEnabled()) {
}
}
if (utilDebug.messageEnabled()) {
}
return orgDN;
}
/**
* Parses the policy condition advice and checks for realm advices
* @param requestHash Request parameters
* @return realm defined in the policy advice, if defined - or nullđ
* @throws IllegalArgumentException if more than one realm is defined within
* the advice
* @see com.sun.identity.authentication.util.AMAuthUtils
*/
return null;
}
try {
return getRealmFromPolicyAdvice(decodedXml);
} catch (UnsupportedEncodingException uee) {
}
return null;
}
/**
* Parses the policy condition advice and checks for realm advices
* @param advice The policy advice XML
* @return realm defined in the policy advice, if defined - or nullđ
* @throws IllegalArgumentException if more than one realm is defined within
* the advice
* @see com.sun.identity.authentication.util.AMAuthUtils
*/
try {
} else {
//AMAuthUtils is not present at DAS, so let's parse
//the advice manually
if (idx != -1) {
}
}
//NB: this method is also used when the engine wants
//to show the error page from the correct realm, hence
//this will fail twice, resulting in a generic error
//page
throw new IllegalArgumentException("More than one realm defined in the Policy Advice");
}
}
}
}
} catch (PolicyException pe) {
}
return realm;
}
// Check whether the request is coming to the server who created the
// original Auth request or session
boolean local = false;
try {
if (utilDebug.messageEnabled()) {
}
local = true;
}
if (uriIndex != -1) {
}
if (utilDebug.messageEnabled()) {
+ platformList);
}
// if cookie URL is not in the Platform server list then
// consider as new authentication for that local server
local = true;
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
}
return (local);
}
// Check whether the request is coming to the server who created the
// original Auth request or session
// This method needs to be merged with the one above.
if (uriIndex != -1) {
}
}
boolean isSiteMember = false;
try {
if (!distAuthSitesMap.isEmpty()) {
if (localSiteID == null) {
if (utilDebug.warningEnabled()) {
}
return false;
}
if (localSiteName != null) {
if (distAuthForSite == null) {
if (utilDebug.warningEnabled()) {
"unable to determine distAuthForSite: " + localSiteName);
}
return false;
}
isSiteMember = true;
if (utilDebug.messageEnabled()) {
}
}
} else {
isSiteMember = true;
}
} else {
isSiteMember = true;
}
}
return isSiteMember;
}
/**
* Sends the request to the original Auth server and receives the result
* data.
*
* @param request HttpServletRequest to be sent
* @param response HttpServletResponse to be received
* @param cookieURL URL of the original authentication server to be
* connected
*
* @return HashMap of the result data from the original server's response
*
*/
// Print request Headers
if (utilDebug.messageEnabled()) {
while (requestHeaders.hasMoreElements()) {
}
}
// Open URL connection
try {
if (queryString != null) {
} else {
}
if (utilDebug.messageEnabled()) {
}
conn.setFollowRedirects(false);
conn.setInstanceFollowRedirects(false);
// We should preserve the original host, so the target server will also see the accessed URL
// If we don't do this the server might going to deny the request because of invalid domain access.
// replay cookies
if (strCookies != null) {
if (utilDebug.messageEnabled()) {
}
}
// Sending Output to Original Auth server...
} else {
//First we should find out what GET parameters do we have.
if (queryString != null) {
if (idx != -1) {
}
}
}
}
"Content-Type", "application/x-www-form-urlencoded");
// merged parameter list containing both GET and POST parameters
// TODO: do we need to care about params that can be both in GET and POST?
} else {
}
}
if (utilDebug.messageEnabled()) {
}
conn.setDoOutput(true);
}
}
// Receiving input from Original Auth server...
if (utilDebug.messageEnabled()) {
+ conn.getResponseMessage());
}
// Check response code
// Input from Original servlet...
int len;
char[] buf = new char[1024];
}
if (utilDebug.messageEnabled()) {
}
} else {
}
if (client_type != null) {
}
if (redirect_url != null) {
try {
if (utilDebug.messageEnabled()) {
}
//relative redirect happened
}
if (utilDebug.messageEnabled()) {
}
} catch (MalformedURLException murle) {
//fallback to original handling
}
}
if (content_type != null) {
}
//replay received headers to the original response
} catch (IOException ioe) {
//the catcher will log the exception
} catch (Exception e) {
if (utilDebug.warningEnabled()) {
}
} finally {
try {
} catch (IOException ioe) {
if (utilDebug.messageEnabled()) {
}
}
}
}
return (origRequestData);
}
}
while (headerNames.hasMoreElements()) {
while (values.hasMoreElements()) {
if (utilDebug.messageEnabled()) {
}
}
}
}
}
private static void copyResponseHeaders(Map<String, List<String>> headers, HttpServletResponse response) {
if (headerValues != null) {
}
}
}
}
}
// Gets the request form data in the form of string
}
}
}
// Get cookies string from HTTP request object
// Process Cookies
if (utilDebug.messageEnabled()) {
}
cookieStr = new StringBuffer();
} else {
}
.append("=")
}
}
}
return (strCookies);
}
/**
* Sets server cookie to <code>HttpServletResponse</code> object
* @param aCookie auth context associated with lb cookie
* @param response <code>true</code> if it is persistent
* @throws AuthException if it fails to create pcookie
*/
throws AuthException {
domain);
}
} else {
}
}
}
/**
* Sets the redirectBackUrlCookie to be set as OpenSSO
* server URL when redirecting to external web site during authentication
* process.
* @param cookieName auth context associated with lb cookie
* @param cookieValue auth context associated with lb cookie
* @param response <code>true</code> if it is persistent
* @throws AuthException if it fails to create this cookie
*/
domain);
}
} else {
}
}
}
/**
* Clears server cookie.
*
* @param cookieName Cookie Name.
* @param response HTTP Servlet Response.
*/
if (utilDebug.messageEnabled()) {
}
}
} else {
}
}
}
// Returns Query String from request parameters Map
boolean first = true;
if (first) {
first = false;
} else {
}
}
}
}
/**
* Checks whether OpenSSO session cookie has to be made
* persistent.
*
* Only if value of <code>true</code> is providued for HTTP query
* parameter <code>Constants.PERSIST_AM_COOKIE</code> and this property is
* enabled or if persistent cookies are set globally.
*
* If either of these are true, AM session cookie will be made persistent
*
* @param reqDataHash http request parameters and values
* @return <code>true</code> if AM session cookie has to be made persistent,
* otherwise returns <code>false</code>
*/
boolean globalPersist =
if (globalPersist) {
if (utilDebug.messageEnabled()) {
}
return true;
}
boolean persistCookie = false;
boolean allowRequestPersist =
}
if (utilDebug.messageEnabled()) {
}
return persistCookie;
}
/**
* Returns true if the request has the ForceAuth=<code>true</code>
* query parameter or composite advise.
*
* @return true if this parameter is present otherwise false.
*/
if (utilDebug.messageEnabled()) {
}
if (forceFlag == false) {
}
}
return forceFlag;
}
/**
* Returns true if the composite Advice has the ForceAuth element
*
* @return true if this parameter is present otherwise false.
*/
boolean returnForcedAuth = false;
try {
if (utilDebug.messageEnabled()) {
+"= " + decodedAdviceXML);
+ adviceMap);
}
returnForcedAuth = true;
}
}
+ "Policy XML parsing ",polExp );
}
if (utilDebug.messageEnabled()) {
"= " + returnForcedAuth);
}
return returnForcedAuth;
}
/**
* Returns the service URI
* @return a String the Service URI
*/
public static String getServiceURI() {
if (SystemProperties.isServerMode()) {
} else {
}
}
if (isSessionHijackingEnabled) {
try {
} catch(ServerEntryNotFoundException e) {
}
if (hostUrlCookieValue == null ||
}
if (utilDebug.messageEnabled()) {
"hostUrlCookieName = " + hostUrlCookieName +
", hostUrlCookieDomain = " + hostUrlCookieDomain +
", hostUrlCookieValue = " + hostUrlCookieValue);
}
// Create Cookie
try {
} catch (Exception e) {
}
}
}
if (isSessionHijackingEnabled) {
// Create Cookie
try {
"LOGOUT", hostUrlCookieDomain);
} catch (Exception e) {
}
}
}
}
/**
* Returns the resource URL. The method checks value for "resourceURL"
* parameter first, if not present, checks value for "goto" parameter.
* If none exists, returns null.
* @param request HttpServletRequest object
* @return resourceURL based on the query parameters, returns null if
* resource URL could not be found.
*/
if (resourceUrl == null) {
}
return resourceUrl;
}
/**
* Returns an environment map which contains all query parameters
* and HTTP headers. Keys of the map are String, values of the map are
* Sets of String.
* @param request HttpServletRequest object.
* @return environment Map whose key is String, and value is Set of String.
*/
// add all query parameters
}
while (enum1.hasMoreElements()) {
}
}
}
}
// add all headers
while (enum1.hasMoreElements()) {
while (enum2.hasMoreElements()) {
}
}
}
}
return envParameters;
}
/**
* Returns unescaped text. This method replaces "|" with "|".
*
* @param text String to be unescaped.
* @return unescape special character text.
*/
}
/**
* Replaces <code>|</code> with "|".
*
* @return String with the special "|" character replaced with "|".
*/
// escape "|" as it will be used as separator
if (i != -1) {
int len = 0;
}
for (; i < len; i++) {
} else {
}
}
}
return text;
}
/**
* Returns the data from Realm qualified data. This could be authentication
* scheme or authentication level or service.
*
* @param realmQualifedData Realm qualified data. This could be Realm
* qualified authentication scheme or authentication level or service.
* @return String representing data. This could be authentication
* scheme or authentication level or service.
*/
public static String getDataFromRealmQualifiedData(
if (index != -1) {
} else {
}
}
if (utilDebug.messageEnabled()) {
}
return data;
}
/**
* Determines whether Zero Page Login (ZPL) should be allowed for this request. This includes checking whether
* ZPL is enabled for this AuthContext and, if so, whether the HTTP Referer header on the request matches the
* ZPL whitelist. POST requests are always enabled, but are still subject to the Referer whitelist.
*
* @param config the ZPL configuration.
* @param request the HTTP request.
* @return true if ZPL is allowed, otherwise false.
*/
public static boolean isZeroPageLoginAllowed(ZeroPageLoginConfig config, HttpServletRequest request) {
return false;
}
return config.isAllowedWithoutReferer();
}
}
return strIn;
}
try {
// Translate the individual field values in the encoding value.
// Do not use getBytes() instead convert unicode into bytes by
// casting. Using getBytes() results in conversion into platform
// encoding. It appears to work in C locale because default
// encoding is 8859-1 but fails in other locales like Japanese,
// Chinese.
int i = 0;
int offset = 0;
while (i < len) {
byte b = (byte) carr[i];
}
} else {
}
}
return strOut;
}
}