AuthContextLocal.java revision 42a452a9f1193f232b34e7c22706b8fe44207d3d
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AuthContextLocal.java,v 1.12 2009/05/21 21:57:34 qcheng Exp $
*
* Portions Copyright 2013-2015 ForgeRock AS.
*/
/**
* The <code>AuthContextLocal</code> provides the implementation for
* authenticating users.
* <p>
* A typical caller instantiates this class and starts the login process.
* The caller then obtains an array of <code>Callback</code> objects,
* which contains the information required by the authentication plug-in
* module. The caller requests information from the user. On receiving
* the information from the user, the caller submits the same to this class.
* If more information is required, the above process continues until all
* the information required by the plug-ins/authentication modules, has
* been supplied. The caller then checks if the user has successfully
* been authenticated. If successfully authenticated, the caller can
* then get the <code>Subject</code> and <code>SSOToken</code> for the user;
* if not successfully authenticated, the caller obtains the AuthLoginException.
* <p>
* The implementation supports authenticating users either locally
* i.e., in process with all authentication modules configured or remotely
* in either of the modes).
* <p>
* The <code>getRequirements()</code> and <code>submitRequirements()</code>
* are used to pass the user credentials for authentication by the plugin
* modules,<code>getStatus()</code> returns the authentication status.
* <p>
* It should be serializable as a requirement to be stored in HttpSession.
*
* @supported.api
*/
public final class AuthContextLocal extends Object
/*
* Protected variables used locally
*/
// Debug & I18N class
/**
* Hold the debug instance
*/
/**
* Holds the locale-specific information
*/
protected static ResourceBundle bundle =
/**
* Holds organizationName
*/
protected String organizationName;
/**
* Holds the set of module instance names
*/
protected Set moduleInstanceNames;
/**
* Holds the index type
*/
/**
* Holds the index name
*/
/**
* Holds the login status
*/
/**
* Holds the host name
*/
/**
* Holds the http session
*/
protected HttpSession httpSession;
/**
* Holds Single Sign on Token
*/
/**
* AuthLoginException
*/
/**
* Holds call back information
*/
/**
* AuthLoginContext
*/
/**
* Holds LoginStatus
*/
public LoginStatus ls;
/**
* Holds subject
*/
/**
* character array for password
*/
protected char[] password;
/**
* Holds information about submittion of requirements
*/
private boolean inSubmitRequirements = false;
/**
* Creates <code>AuthContextLocal</code> instance is obtained for a given
* organization name, or sub organization name. <code>login</code> method is
* then used to start the authentication process.
*
* @param orgName name of the user's organization.
*
* @supported.api
*/
amlc = new AMLoginContext(this);
if (authDebug.messageEnabled()) {
}
reset();
}
/**
* Returns authentication module/s instances(or) plugin(s) configured
* for an organization, or sub-organization that was set during the
* <code>AuthContext</code> constructor.
*
* @return authentication module/s instances (or plugins).
* @throws UnsupportedOperationException if an error occurred.
*
* @supported.api
*/
public Set getModuleInstanceNames() {
return (moduleInstanceNames);
}
/**
* Starts the login process for the given <code>AuthContextLocal</code>
* object.
*
* @exception AuthLoginException if an error occurred during login.
* @supported.api
*/
public void login() throws AuthLoginException {
}
/**
* Starts the login process for the given <code>AuthContextLocal</code>s
* object for the given <code>Principal</code> and the user's password.
* This method should be called primarily
* when the authenticator knows there would no other
* credentials needed to complete the authentication process.
*
* @param principal <code>Principal</code> of the user to be authenticated.
* @param password password for the user.
* @throws AuthLoginException if an error occurred
* during login.
* @supported.api
*/
throws AuthLoginException {
// Make sure principal and password are not null
throw new AuthLoginException(amAuthContextLocal,
"invalid-username", null);
throw new AuthLoginException(amAuthContextLocal,
"invalid-password", null);
// Copy the password
}
/**
* Start the login process for the <code>AuthContextLocal</code> object
* identified by the index type and index name.
* The <code>IndexType</code> defines the possible kinds
* of "objects" or "resources" for which an authentication can
* be performed. Currently supported index types are
* users, roles, services (or application), levels and mechanism.
*
* @param type authentication index type.
* @param indexName authentication index name.
* @throws AuthLoginException if an error occurred
* during login.
* @supported.api
*/
throws AuthLoginException {
if (authDebug.messageEnabled()) {
}
}
/**
* Starts the login process for the given <code>AuthContextLocal</code>
* object for the given <code>Subject</code>.
* Refer to JAAS for description on <code>Subject</code>.
*
* @param subject <code>Subject</code> of the user to be authenticated.
* @throws AuthLoginException if an error occurred
* during login.
* @supported.api
*/
}
/**
* Starts the login process for the given <code>AuthContextLocal</code>
* object identified by the index type and index name.
* The <code>IndexType</code> defines the possible kinds
* of "objects" or "resources" for which an authentication can
* be performed.Currently supported index types are
* users, roles, services (or application), levels and mechanism.
* The locale specifies the user preferred locale setting.
*
* @param type authentication index type.
* @param indexName authentication index name.
* @param locale locale setting.
* @throws AuthLoginException if an error occurred during
* login process.
*/
public void login(
) throws AuthLoginException {
if (authDebug.messageEnabled()) {
" & locale : " + locale);
}
}
/**
* Starts the login process for the given <code>AuthContextLocal</code>
* object identified by the index type and index name.
* The <code>IndexType</code> defines the possible kinds
* of "objects" or "resources" for which an authentication can
* be performed.Currently supported index types are
* users, roles, services (or application), levels and mechanism.
* The locale specifies the user preferred locale setting.
*
* @param type authentication index type.
* @param indexName authentication index name.
* @param envMap Environment Map, key is String, value is set of string.
* this is applicable only when the type is
* <code>AuthContext.IndexType.RESOURCE</code>
* @param locale locale setting.
* @throws AuthLoginException if an error occurred during
* login process.
*/
public void login(
) throws AuthLoginException {
if (authDebug.messageEnabled()) {
" & locale : " + locale +
" & envMap : " + envMap);
}
}
/**
* Performs the Login for the given AuthContext
* @param type authentication index type
* @param indexName authentication index name
* @param principal principal name of the user to be authenticated
* @param password password for the user
* @param subject authentication subject
* @throws AuthLoginException if error occurs during login
*/
}
/**
* Performs the Login for the given AuthContext
* @param type authentication index type
* @param indexName authentication index name
* @param principal principal name of the user to be authenticated
* @param password password for the user
* @param subject authentication subject
* @param envMap Environment map, this is applicable only when the type
* is <code>AuthContext.IndexType.RESOURCE</code>
* @param locale locale setting
* @throws AuthLoginException if error occurs during login
*/
throws AuthLoginException {
try {
/*if (!getStatus().equals(AuthContext.Status.NOT_STARTED)) {
if (authDebug.messageEnabled()) {
authDebug.message("AuthContextLocal::login called " +
"when the current login status is : " + getStatus());
}
throw new AuthLoginException(amAuthContextLocal,
"invalidMethod", new Object[]{getStatus()});
}*/
// switch the login status
// specially processing for resouce/IP/Environement based auth
// call Policy Decision Util to find out the actual auth type
// required by policy
try {
} catch (PolicyException pe) {
// ignore, continue to default realm based authentication
// may need to revisit this in the future
}
if (authDebug.messageEnabled()) {
+ result);
}
// this is the redirection case (Policy Redirection Advice)
// append goto parameter for federation case
if ((redirectUrl != null) &&
} else {
}
}
}
} else {
// no policy decision, use default realm login
}
}
if (redirectUrl != null) {
}
if (authDebug.messageEnabled()) {
}
}
if (authDebug.messageEnabled()) {
"Status at the end of login() : " + loginStatus);
}
} catch (AuthLoginException e) {
if (authDebug.messageEnabled()) {
}
throw e;
}
}
/**
* Resets this instance of <code>AuthContextLocal</code>
* object, so that a new login process can be initiated.
* A new authentication process can started using any
* one of the <code>login</code> methods.
*/
public void reset() {
}
/**
* Returns the set of Principals the user has been authenticated as.
* This should be invoked only after successful authentication.
* If the authentication fails or the authentication is in process,
* this will return <code>null</code>.
*
* @return The set of Principals the user has been authenticated as.
* @supported.api
*/
public Subject getSubject() {
return (null);
}
}
return (subject);
}
/**
* Checks if the login process requires more information from the user to
* complete the authentication.
*
* @return <code>true</code> if more credentials are required
* from the user.
* @supported.api
*/
public boolean hasMoreRequirements() {
) {
return false;
} else {
return (informationRequired != null);
}
}
/**
* Checks if the login process requires more information from the user to
* complete the authentication
* @param noFilter falg to indicate if there is a Filter
* @return <code>true</code> if more credentials are required
* from the user.
*/
public boolean hasMoreRequirements(boolean noFilter) {
) {
return false;
} else {
}
}
/**
* Returns an array of <code>Callback</code> objects that
* must be populated by the user and returned back.
* These objects are requested by the authentication plug-ins,
* and these are usually displayed to the user. The user then provides
* the requested information for it to be authenticated.
*
* @return an array of <code>Callback</code> objects requesting credentials
* from user.
* @supported.api
*/
public Callback[] getRequirements() {
) {
return null;
} else {
return (informationRequired);
}
}
/**
* Returns an array of <code>Callback</code> objects that
* must be populated by the user and returned back.
* These objects are requested by the authentication plug-ins,
* and these are usually displayed to the user. The user then provides
* the requested information for it to be authenticated.
*
* @param noFilter flag to indicate if there is a Filter
* @return an array of <code>Callback</code> objects requesting credentials
* from user.
* @supported.api
*/
) {
return null;
} else {
}
}
/**
* Submit the populated <code>Callback</code> objects
* to the authentication plug-in modules. Called after
* <code>getRequirements</code> method and obtaining
* user's response to these requests.
*
* @param info array of <code>Callback</code> objects
* @supported.api
*/
inSubmitRequirements = true;
try{
if (!amlc.isPureJAAS()) {
}
}
if (authDebug.messageEnabled()) {
+ loginStatus);
}
} finally {
inSubmitRequirements = false;
}
}
/**
* Logs out the user and also invalidates the <code>SSOToken</code>
* associated with this <code>AuthContextLocal</code>.
*
* @throws AuthLoginException if an error occurred during logout
* @supported.api
*/
public void logout() throws AuthLoginException {
try {
} catch (Exception e) {
if (authDebug.messageEnabled()) {
+ e.getMessage());
}
null, e);
}
}
/**
* Returns login exception, if any, during
* the authentication process. Typically set when the login
* fails.
*
* @return login exception.
* @supported.api
*/
public AuthLoginException getLoginException() {
return (loginException);
}
/**
* Sets the login exception that represents errors during the
* authentication process.
*
* @param exception AuthLoginException to be set.
*/
}
/**
* Returns the current status of the authentication process.
*
* @return the current status of the authentication process.
* @supported.api
*/
}
}
}
}
}
}
if (authDebug.messageEnabled()) {
}
return (loginStatus);
}
/**
* Sets the login status. Used internally and
* not visible outside this package.
* @param status login status
*/
}
/**
* Returns the Single-Sign-On (SSO) Token for the authenticated
* user.Single-Sign-On token can be used as the authenticated token.
*
* @return single-sign-on token
* @supported.api
*/
public SSOToken getSSOToken() {
return (ssoToken);
}
/**
* Returns the Successful Login URL for the authenticated user.
*
* @return the Successful Login URL for the authenticated user.
*/
public String getSuccessURL() {
return amlc.getSuccessURL();
}
/**
* Returns the Failure Login URL for the authenticating user.
*
* @return the Failure Login URL for the authenticating user.
*/
public String getFailureURL() {
return amlc.getFailureURL();
}
/**
* Returns the the organization name that was set during the
* <code>AuthContextLocal</code> constructor.
*
* @return Organization name.
*
* @supported.api
*/
public String getOrganizationName() {
return (amlc.getOrganizationName());
}
/**
* Terminates an ongoing <code>login</code> call that has not yet completed.
*
* @throws AuthLoginException if an error occurred during abort.
*
* @supported.api
*/
public void abort() throws AuthLoginException {
try {
} catch (Exception e) {
if (authDebug.messageEnabled()) {
+ e.getMessage());
}
null, e);
}
}
/**
* Returns the error template.
*
* @return the error template.
*/
public String getErrorTemplate() {
return amlc.getErrorTemplate();
}
/**
* Returns the error message.
*
* @return the error message.
*/
public String getErrorMessage() {
return amlc.getErrorMessage();
}
/**
* Returns the error code.
*
* @return error code.
*/
public String getErrorCode() {
return amlc.getErrorCode();
}
/**
* Returns the current 'authIdentifier' of the authentication process as
* String Session ID.
*
* @return <code>authIdentifier</code> of the authentication process
*/
public String getAuthIdentifier() {
return amlc.getAuthIdentifier();
}
/**
* Returns the account lockout message. This can be either a dynamic
* message indicating the number of tries left or the the account
* deactivated message.
*
* @return account lockout message.
*/
public String getLockoutMsg() {
if (authDebug.messageEnabled()) {
}
return lockoutMsg;
}
/**
* Checks the account is locked out
* @return <code>true</code> if the account is locked,
* <code>false</code> otherwise
*/
public boolean isLockedOut() {
if (authDebug.messageEnabled()) {
}
return isLockedOut;
}
/**
* Sets the client's host name , this method is used in case of remote
* authentication,to set the client's hostname or IP address.
* This could be used by the policy component to restrict access
* to resources.
*
* @param hostname Host name.
*/
}
/**
* Returns the clients host name
* @return hostname
*/
protected String getClientHostName() {
return (hostName);
}
public boolean submittedRequirements() {
return inSubmitRequirements;
}
/**
* Sets the <code>HttpSession</code> that will be used by
* the SSO component to store the session information. In the
* absence of <code>HttpSession</code> the information is stored
* in <code>HashMap</code> and will have issues with fail-over.
* With session fail-over turned on <code>HttpSession</code>
* would be provide persistance storage mechanism for SSO.
*
* @param session HttpSession
*/
}
/**
* Returns the <code>HTTPSession</code> associated with the current
* authentication context
* @return httpSession
*/
protected HttpSession getHttpSession() {
return (httpSession);
}
/**
* Returns the array of <code>Callback</code> requirements objects
* @param recdCallbacks callbacks requirements
* @param noFilter boolean to indicate if filter exists
* @return an array of <code>Callback</code> objects
*/
protected static Callback[] getCallbacks(
boolean noFilter) {
if (recdCallbacks == null) {
return (null);
} else if (noFilter) {
return recdCallbacks;
} else {
if (authDebug.messageEnabled()) {
+ recdCallbacks[i]);
}
if (!(recdCallbacks[i] instanceof PagePropertiesCallback)) {
}
}
}
}
/**
* Sets the Login State
* @param state login state
*/
loginState = state;
}
/**
* Returns the login state
* @return loginState
*/
public LoginState getLoginState() {
return loginState;
}
/**
* Sets the Organization DN
* @param orgDN Organization DN
*/
}
/**
* Returns the Organization DN
* @return the Organization DN
*/
return orgDN;
}
/**
* Holds LDAP URL
*/
/**
* Holds principal name to be authenticated
*/
/**
* Holds Password for the user
*/
/**
* authentication subject
*/
/**
* authentication index type
*/
/**
* authentication index name
*/
/**
* locale setting
*/
/**
* Redirection URL
*/
}