AMAuthenticationManager.java revision cb2437f97da72f3556bace2a129fa5d48e1aa9cf
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: AMAuthenticationManager.java,v 1.9 2009/08/05 19:57:27 qcheng Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Portions Copyrighted 2011-2015 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Portions Copyrighted 2014 Nomura Research Institute, Ltd
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.authentication.service.AuthUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.authentication.util.ISAuthConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.security.AdminTokenAction;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.sm.ServiceConfigManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.sm.ServiceSchemaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.sm.OrganizationConfigManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This class provides interfaces to manage authentication module instances.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String BUNDLE_NAME = "amAuthConfig";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final Debug DEBUG = Debug.getInstance(BUNDLE_NAME);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final Set<String> AUTH_TYPES = new HashSet<String>();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final Map<String, String> MODULE_SERVICE_NAMES = new ConcurrentHashMap<String, String>();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final Set<String> GLOBAL_MODULE_NAMES = new HashSet<String>();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final Map<String, Map<String, Set<String>>> MODULE_INSTANCE_TABLE = Collections.synchronizedMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new HashMap<String, Map<String, Set<String>>>());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructs an instance of <code>AMAuthenticationManager</code> for the specified realm to manage the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication module instances available to this realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param token Single sign on token of the user identity on whose behalf the operations are performed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param org The realm in which the module instance management is performed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws AMConfigurationException if Service Management related error occurs.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public AMAuthenticationManager(SSOToken token, String org) throws AMConfigurationException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this.realm = com.sun.identity.sm.DNMapper.orgNameToDN(org);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new AMConfigurationException(BUNDLE_NAME, "badRealm",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (AMAuthenticationManager.class) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!MODULE_INSTANCE_TABLE.containsKey(realm)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((installTime != null) && installTime.equalsIgnoreCase("false")){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Re-initializes the module services.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method is meant for global authentication configuration change.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static synchronized void reInitializeAuthServices() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns a Set containing all the authentication types that are plugged in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * this server.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return Set of String values of the authentication types available on
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * this server.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Set<String> getAuthenticationTypes() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns a Set containing all the module service names that are plugged in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * this server.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return Set of String values of the module service names available on
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * this server.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Set<String> getAuthenticationServiceNames() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Set<String> names = new HashSet<String>(MODULE_SERVICE_NAMES.values());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEBUG.message("Authenticator serviceNames: " + names);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns authentication service name of a module.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param moduleName Name of authentication module.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return authentication service name of a module.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getAuthenticationServiceName(String moduleName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This code makes the authentication type list static. If the list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is expanded or shrunk, the server needs to be restarted.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void initAuthenticationService() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ServiceSchemaManager scm = new ServiceSchemaManager(ISAuthConstants.AUTH_SERVICE_NAME, token);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major Set<String> authenticators = (Set<String>) schema.getAttributeDefaults().get(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Application is not one of the selectable instance type.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!module.equals(ISAuthConstants.APPLICATION_MODULE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String serviceName = MODULE_SERVICE_NAMES.get(module);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster serviceName = AuthUtils.getModuleServiceName(module);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEBUG.message("Global module names: " + GLOBAL_MODULE_NAMES);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEBUG.message("moduleServiceNames: " + MODULE_SERVICE_NAMES);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if ((installTime != null) && installTime.equalsIgnoreCase("false")){
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major DEBUG.error("Failed to get module types", smse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Builds the module instance table for the realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Format of this table:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Table: key = realm, value = module Map for the realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * module Map for the realm:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * key = module type, value = Set of module instances
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void buildModuleInstanceTable(SSOToken token, String realm) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major for (String service : MODULE_SERVICE_NAMES.values()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEBUG.message("building module instance table error", e);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major * Updates the static module instance table for the specified service in
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major * the realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm The realm in which the operation is processed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param serviceName the service for which the table is built.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static synchronized void buildModuleInstanceForService(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEBUG.message("start moduleInstanceTable : " + MODULE_INSTANCE_TABLE +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " for realm : " + realm + " and service : " + serviceName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String moduleName = getModuleName(serviceName);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if ((moduleName != null) && (moduleName.length() != 0)) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major ServiceConfigManager scm = new ServiceConfigManager(serviceName, getAdminToken());
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major ServiceConfig config = scm.getOrganizationConfig(realm, null);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major "buildModuleInstanceForService: Service="
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major + serviceName + " not configured in realm="+realm);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major realm = com.sun.identity.sm.DNMapper.orgNameToDN(realm);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major synchronized (MODULE_INSTANCE_TABLE) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major Map<String, Set<String>> moduleMap = MODULE_INSTANCE_TABLE.remove(realm);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major * work on a copy so that this code does not mutate a map that
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major * other threads might still be iterating over
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major Map<String, Set<String>> newMap = new HashMap<String, Set<String>>(moduleMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Set<String> instanceSet = new HashSet<String>();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster defaultAttrs = config.getAttributesWithoutDefaults();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (defaultAttrs != null && !defaultAttrs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster moduleMap = new HashMap<String, Set<String>>();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * this operation is safe as moduleMap is a local object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (moduleMap != null && !moduleMap.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEBUG.message("build module instance for service error: " , e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEBUG.message("return moduleInstanceTable: " + MODULE_INSTANCE_TABLE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Updates the module instance table for the authentication service if the module instance table was already
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * cached for the provided realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm The realm where the configuration has changed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param serviceName The authentication module's service name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static synchronized void updateModuleInstanceTable(String realm, String serviceName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm = com.sun.identity.sm.DNMapper.orgNameToDN(realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (MODULE_INSTANCE_TABLE.containsKey(realm)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster buildModuleInstanceForService(realm, serviceName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the module name from its service name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String getModuleName(String serviceName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (String moduleName : MODULE_SERVICE_NAMES.keySet()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (MODULE_SERVICE_NAMES.get(moduleName).equals(serviceName)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns an <code>AMAuthenticationSchema</code> object for the specified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication type.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authType Type of the authentication module instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>AMAuthenticationSchema</code> object of the specified
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication type.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws AMConfigurationException if error occurred during retrieving
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the service schema.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public AMAuthenticationSchema getAuthenticationSchema(String authType)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getAuthenticationSchema(authType, token);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static AMAuthenticationSchema getAuthenticationSchema(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authType, SSOToken token) throws AMConfigurationException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEBUG.message("getting auth schema for " + authType);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ServiceSchemaManager scm = new ServiceSchemaManager(serviceName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ServiceSchema orgSchema = scm.getOrganizationSchema();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ServiceSchema subSchema = orgSchema.getSubSchema(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // using the sub schema in new auth config.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // fall back to the org schema if the DIT is old.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the <code>AMAuthenticationInstance</code> object whose name is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * as specified.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Name uniqueness is required for the instances among the same realm, as
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * well as the instances that are available to this realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authName Authentication instance name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The <code>AMAuthenticationInstance</code> object that is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * associated with the authentication instance name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public AMAuthenticationInstance getAuthenticationInstance(String authName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getAuthenticationInstance(authName, type);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns an <code>AMAuthenticationInstance</code> object with the given
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication name and type.
} catch (SMSException e) {
return null;
return null;
} catch (SMSException e) {
} catch (SSOException e) {
} catch (SMSException e) {
return null;
return returnValue;
return instances;
return instances;
return retVal;
} catch (Exception e) {
e.getMessage());
return null;
return instanceSet;
) throws AMConfigurationException {
} catch (SSOException e) {
} catch (SMSException e) {
//In case of server mode AMAuthLevelManager will update AMAuthenticationManager about the change, and
} catch (Exception e) {
throw new AMConfigurationException(e);
throws AMConfigurationException {
//In case of server mode AMAuthLevelManager will update AMAuthenticationManager about the change, and
} catch (Exception e) {
throw new AMConfigurationException(e);
boolean returnValue = false;
} catch (Exception e) {
returnValue = true;
return returnValue;
boolean returnValue = false;
} catch (Exception e) {
+ xmlConfig);
returnValue = true;
return returnValue;