AuthD.java revision 563b922249eadd0562ddea89c52ed308c2d31c0a
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AuthD.java,v 1.23 2009/11/25 12:02:02 manish_rustagi Exp $
*
* Portions Copyrighted 2010-2015 ForgeRock AS.
*/
/**
* This class is used to initialize the Authentication service and retrieve
* the Global attributes for the Authentication service.
* It also initializes the other dependent services in the OpenAM system and
* hence used as bootstrap class for the authentication server.
*/
public class AuthD implements ConfigurationListener {
/**
* Configured bundle name for auth service
*/
/**
* Debug instance for error / message logging
*/
/**
* Lazy initialisation holder idiom for the singleton instance.
*/
private static final class SingletonHolder {
static AuthD getInstance() {
}
return INSTANCE;
}
}
/**
* Lazy initialisation holder idiom for other lazily-loaded configuration.
*/
private static final class LazyConfig {
"/",
null);
}
private static final String specialUser =
// Admin Console properties
private static final String consoleProto =
private static final String consoleHost =
private static final String consolePort =
private static final boolean isConsoleRemote =
/**
* Default auth level for auth module
*/
/**
* Configured value for access logging
*/
// Passed as the {@code type} argument of logIt(), which switches on it to pick the access log.
static final int LOG_ACCESS = 0;
/**
 * Configured value for error logging; the other accepted {@code type} value of logIt().
 */
static final int LOG_ERROR = 1;
// Read once at class-load time from the Constants.ENFORCE_JAAS_THREAD system property
// and exposed read-only through isEnforceJAASThread(); changing the property later has no effect.
private static final boolean enforceJAASThread = SystemProperties.getAsBoolean(Constants.ENFORCE_JAAS_THREAD);
/**
* Configured directory server host name for auth
*/
/**
* Configured directory server port number for auth
*/
// True only when the Constants.AM_LOGSTATUS system property is "ACTIVE" (case-insensitive);
// an unset property is treated as "INACTIVE", i.e. logging is off by default. Evaluated once at class load.
private static final boolean logStatus = "ACTIVE".equalsIgnoreCase(SystemProperties.get(Constants.AM_LOGSTATUS,
"INACTIVE"));
/**
* Configured revisionNumber for auth service
*/
// NOTE(review): public, static and non-final — any class in the JVM can reassign it and
// there is no synchronisation; consider exposing it through an accessor instead.
public static int revisionNumber;
// Organisation used when none is supplied; fixed at construction.
private final String defaultOrg;
// Non-final: may be reassigned after construction; read by getPlatformLocale().
private String platformLocale;
// Character set of the platform; fixed at construction.
private final String platformCharset;
/**
* ResourceBundle for auth service
*/
// Admin SSO token used to open ServiceSchemaManager instances for the auth service;
// exposed via getSSOAuthSession().
private final SSOToken ssoAuthSession;
// session service schema
private ServiceSchema sessionSchema;
// Name of the auth module used for admin authentication; non-final, so it may be reassigned.
private String adminAuthModule;
/**
 * Default auth level for module.
 * NOTE(review): public and mutable — any caller can overwrite it; a getter would be safer.
 */
public String defaultAuthLevel;
// Assigned by setServletContext() and returned by getServletContext().
private ServletContext servletContext;
// Directory root suffix; fixed at construction.
private final String rootSuffix;
static {
if (debug.messageEnabled()) {
"\nDirectory PORT : "+ directoryPort);
}
}
private AuthD() {
try {
"amPlatform");
// Initialize AuthXMLHandler so that AdminTokenAction can
// generate DPro Session's SSOToken
}
}
/**
* Initializes auth service global attributes.
* @throws SMSException if it fails to get auth service for name
* @throws SSOException if admin <code>SSOToken</code> is not valid
* @throws Exception
*/
private void initAuthServiceGlobalSettings() throws Exception {
ServiceSchemaManager scm = new ServiceSchemaManager(ISAuthConstants.AUTH_SERVICE_NAME, ssoAuthSession);
if (debug.messageEnabled()) {
}
new AuthConfigMonitor(scm);
}
/**
* Update the AuthService global and organization settings.
* Most of the code is moved in from AuthenticatorManager.java.
* @param scm <code>ServiceSchemaManager</code> to be used for update
* @throws SMSException if it fails to update auth service
* @throws Exception
*/
// get Global type attributes for iPlanetAMAuthService
if (debug.messageEnabled()) {
}
if (dot > -1) {
} else {
}
}
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
}
/**
* Initialize the AuthConfiguration global attributes.
* @throws SMSException if it fails to get auth service for name
* @throws SSOException if admin <code>SSOToken</code> is not valid
* @throws Exception
*/
private void initAuthConfigGlobalSettings() throws Exception {
new AuthConfigMonitor(scm);
}
/**
* Update the AuthConfiguration organization attributes.
* @param scm <code>ServiceSchemaManager</code> to be used for update
* @throws SMSException if it fails to update auth service
*/
throws SMSException {
}
if (debug.messageEnabled()) {
}
}
/**
* Initializes platform service global attributes.
* @throws SMSException if it fails to initialize platform service
* @throws SSOException if admin <code>SSOToken</code> is not valid
*/
private void initPlatformServiceGlobalSettings()
throws SMSException, SSOException {
new AuthConfigMonitor(scm);
}
/**
* Update the PlatformService global attributes.
* @param scm <code>ServiceSchemaManager</code> to be used for update
* @throws SMSException if it fails to initialize platform service
*/
throws SMSException {
if (debug.messageEnabled()) {
}
}
/**
* Initialize iPlanetAMSessionService Dynamic attributes
* @throws SMSException if it fails to initialize session service
* @throws SSOException if admin <code>SSOToken</code> is not valid
*/
private void initSessionServiceDynamicSettings()
throws SMSException, SSOException {
new AuthConfigMonitor(scm);
}
/**
* Update the SessionService dynamic attributes.
* @param scm <code>ServiceSchemaManager</code> to be used for update
* @throws SMSException if it fails to update session service
*/
throws SMSException {
if (debug.messageEnabled()) {
+ "\nAuthD.defaultMaxIdleTime=" + defaultMaxIdleTime
+ "\nAuthD.defaultMaxCachingTime=" + defaultMaxCachingTime);
}
}
/**
* Return max session time
* @return max session time
*/
}
/**
* Return max session idle time
* @return max session idle time
*/
}
/**
* Return max session caching time
* @return max session caching time
*/
}
/**
* Returns attribute map of the specified service in the specified
* organization.
*
* @param orgDN Organization DN in which the service exists.
* @param serviceName Service name of which the attributes are retrieved.
* @return Map containing the attributes of the service.
*/
try {
}
} catch (Exception e) {
if (debug.messageEnabled()) {
}
}
return Collections.emptyMap();
}
/**
* Sets the provided attribute map on the specified service in the specified organization.
*
* @param orgDN Organization DN in which the service exists.
* @param serviceName Service name of which the attributes are retrieved.
* @param attributes The attributes to set on the service.
*/
public void setOrgServiceAttributes(String orgDN, String serviceName, Map<String, Set<String>> attributes)
throws IdRepoException, SSOException {
} else {
//TODO add it somehow?
}
}
try {
return idRepo.getRealmIdentity();
} catch (Exception e) {
if (debug.messageEnabled()) {
}
}
return null;
}
/**
* Returns Authenticator singleton instance.
*
* @return Authenticator singleton instance.
*/
return SingletonHolder.getInstance();
}
/**
* Destroys the session for the given <code>SessionID</code>.
* @param sid <code>SessionID</code> to be destroyed
*/
}
/**
* Creates a new session.
*
* @param domain Domain Name.
* @param httpSession HTTP Session.
* @return new <code>InternalSession</code>
*/
public static InternalSession newSession(
boolean stateless) {
try {
}
return is;
}
/**
* Returns the session associated with a session ID.
*
* @param sessId Session ID.
* @return the <code>InternalSession</code> associated with a session ID.
*/
if (debug.messageEnabled()) {
}
}
}
return is;
}
/**
* Returns the session associated with a session ID.
*
* @param sid Session ID.
* @return the <code>InternalSession</code> associated with a session ID.
*/
}
return is;
}
/**
* Returns the session associated with an HTTP Servlet Request.
*
* @param req HTTP Servlet Request.
* @return the <code>InternalSession</code> associated with
* an HTTP Servlet Request.
*/
return getSession(sid);
}
////////////////////////////////////////////////////////////////
// AuthD utilities
////////////////////////////////////////////////////////////////
/**
* Returns an Authenticator for a specific module name.
*
* @param moduleName Module name example <code>LDAP</code>.
* @return Authenticator for a specific module name.
*/
}
/**
* Return configured Authenticators
* @return list of configured Authenticators
*/
public Iterator getAuthenticators() {
}
/**
 * Returns the platform locale configured for the authentication service.
 *
 * @return the configured platform locale; may be {@code null} if it has not
 *         been assigned yet, since the backing field is not initialised here.
 */
public String getPlatformLocale() {
    final String configuredLocale = this.platformLocale;
    return configuredLocale;
}
/**
* Log Logout status
*/
try {
}
}
}
}
}
if (authMethName != null) {
}
}
.toString());
} catch (SSOException ssoExp) {
} catch (Exception e) {
}
}
////////////////////////////////////////////////////////////////
// Other utilities
////////////////////////////////////////////////////////////////
/**
* Writes a log record.
*
* @param s Array of data information for the log record.
* @param type Type of log either <code>LOG_ERROR</code> or
* <code>LOG_ACCESS</code>.
* @param messageName Message ID for the log record.
* @param ssoProperties Single Sign On Properties to be written to the
* log record. If this is <code>null</code>, properties will be
* retrieved from administrator Single Sign On Token.
*/
public void logIt(
String[] s,
int type,
try {
if(ssoProperties == null) {
} else {
}
switch (type) {
case LOG_ACCESS:
break;
case LOG_ERROR:
break;
default:
break;
}
} catch(IOException ex) {
}
}
}
/**
* Returns connection for AM store.
* Only used for backward compatibility support,
* for retrieving user container DN and usernaming attr.
* @return connection for AM store
*/
public AMStoreConnection getSDK() {
try {
} catch (SSOException e) {
}
}
return dpStore;
}
void printProfileAttrs() {
if (!debug.messageEnabled()) {
return;
}
if (index > 0) {
}
if (debug.messageEnabled()) {
"\nadminAuthName->" + adminAuthName +
"\ndefaultOrg->" + defaultOrg +
"\nlocale->" + platformLocale +
"\ncharset>" + platformCharset);
}
}
static SessionService getSessionService() {
if (sessionService == null) {
}
return sessionService;
}
/**
 * Returns the administrative SSO token that this service uses for its own
 * configuration access.
 *
 * @return the auth service's admin {@code SSOToken}
 */
public SSOToken getSSOAuthSession() {
    final SSOToken adminToken = this.ssoAuthSession;
    return adminToken;
}
if (authSession == null) {
}
}
return authSession;
}
}
public synchronized void notifyChanges() {
}
}
/**
* get inetDomainStatus attribute for the org
* @param orgName org name to check inetDomainStatus
* @return true if org is active
* @throws IdRepoException if no information can be retrieved for the org
* @throws SSOException if the admin <code>SSOToken</code> cannot be used
*/
throws IdRepoException, SSOException {
}
/**
* Returns <code>true</code> if distinguished user name is a super
* administrator DN.
*
* @param dn Distinguished name of user.
* @return <code>true</code> if user is super administrator.
*/
boolean isAdmin = false;
if (debug.messageEnabled()) {
}
if (superAdmin != null) {
if (debug.messageEnabled()) {
}
}
if (!isAdmin) {
}
}
if (debug.messageEnabled()) {
}
return isAdmin;
}
/**
* Returns <code>true</code> if and only if the user name belongs to a
* super user
*
* @param dn DN of the user
* @return <code>true</code> if the user is an admin user.
*/
}
/**
* Returns <code>true</code> if distinguished user name is a special user
* DN.
*
* @param dn Distinguished name of user.
* @return <code>true</code> if user is a special user.
*/
// dn in all the invocation is normalized.
boolean isSpecialUser = false;
while (st.hasMoreTokens()) {
if (specialAdminDN != null) {
if (debug.messageEnabled()) {
}
isSpecialUser = true;
break;
}
}
}
}
if (debug.messageEnabled()) {
}
return isSpecialUser;
}
/**
* Returns Resource bundle of a locale.
*
* @param locale Locale.
* @return Resource bundle of a locale.
*/
return bundle;
}
}
}
return rb;
}
/**
 * Returns the default sleep time, scaled from the stored value to milliseconds.
 * <p>
 * NOTE(review): the declared type of {@code defaultSleepTime} is not visible here.
 * If it is an {@code int}, the multiplication below runs in 32-bit arithmetic and
 * can overflow before the result is widened to {@code long} — confirm the type, or
 * widen first ({@code (long) defaultSleepTime * 1000}) if it is an int.
 *
 * @return default sleep time in milliseconds (presumably; the stored unit is not visible)
 */
public long getDefaultSleepTime() {
return defaultSleepTime * 1000;
}
/**
* Returns the organization DN.
* <p>
* If the organization name matches the root suffix or has the
* root suffix in it then the DN will be returned as string.
* Otherwise the DN will be constructed from the organization Name DN
* and the root suffix DN.
*
* @param userOrg Organization Name
* @return Organization DN of the organization
*/
return rootSuffixDN.toString();
}
} else {
}
if (debug.messageEnabled()) {
}
return orgDN;
}
/**
* Returns the dynamic replacement of the URL from the Success or Failure
* URLs.
*
* @param URL
* @param servletRequest
* @return the dynamic replacement of the URL from the Success or Failure
* URLs.
*/
}
if (debug.messageEnabled()) {
}
return url;
}
/**
* This function returns the dynamic replacement of the protocol
* from the Success or Failure urls
* @param rawURL Raw URL without the real protocol
* @param servletRequest Servlet request has real protocol value
* @return the dynamic replacement of the protocol
* from the Success or Failure urls
*/
private String processDynamicVariables(
int index;
// protocol processing
if (isConsoleRemote) {
} else {
if ( servletRequest != null ) {
}
} else {
}
}
}
if (isConsoleRemote) {
} else {
if ( servletRequest != null ) {
}
//This is to remove extra ":"
} else {
}
}
}
if (isConsoleRemote) {
}
}
}
return rawURL;
}
/**
* Sets the Servlet Context.
*
* @param servletContext Servlet Context to be set.
*/
this.servletContext = servletContext;
if (debug.messageEnabled()) {
}
}
/**
 * Returns the servlet context previously supplied to this instance.
 *
 * @return the stored {@code ServletContext}, or {@code null} if none has been set
 */
public ServletContext getServletContext() {
    final ServletContext ctx = this.servletContext;
    return ctx;
}
/**
* Returns the OpenAM Identity Repository for an organization.
*
* @param orgDN name of the organization
* @return OpenAM Identity Repository.
*/
try {
if (amIdentityRepository == null) {
// We lost the race
}
}
if (debug.messageEnabled()) {
}
}
return amIdentityRepository;
}
/**
* Returns the Organization Configuration Manager for an organization.
*
* @param orgDN Name of the organization.
* @return Organization Configuration Manager for an organization.
*/
try {
if (orgConfigMgr == null) {
// We lost the race
}
}
if (debug.messageEnabled()) {
}
}
return orgConfigMgr;
}
/**
* Returns the <code>AMIdentity</code> object for the given parameters.
* If there is no such identity, or there is more than one matching identity,
* then an AuthException will be thrown.
*
* @param idType Identity Type.
* @param idName Identity Name.
* @param orgName organization name.
* @return <code>AMIdentity</code> object.
* @throws AuthException if there was no result, or if there was more than
* one result.
*/
throws AuthException {
if (debug.messageEnabled()) {
}
// Try getting the identity using IdUtils.getIdentity(...)
try {
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
"using IdUtil.getIdentity: " + amIdentity);
}
return (amIdentity);
}
} catch (IdRepoException e) {
// Ignore this exception and continue with search
if (debug.messageEnabled()) {
"getting Identity from IdUtils: "+e.getMessage());
}
} catch (SSOException ssoe) {
// Ignore this exception and continue with search
if (debug.messageEnabled()) {
}
}
// Obtain AMIdentity object by searching within IdRepo
try {
amIdentity = null;
idsc.setRecursive(true);
idsc.setAllReturnAttributes(false);
if (searchResults != null) {
}
// multiple user match found, throw exception,
// user need to login as super admin to fix it
"user '"+ idName);
}
}
} catch (SSOException sso) {
if (debug.messageEnabled()) {
}
} catch (IdRepoException ide) {
if (debug.messageEnabled()) {
}
}
if (amIdentity == null) {
}
return amIdentity;
}
/**
* Returns the authentication service or chain configured for the
* given organization.
*
* @param orgDN organization DN.
* @return the authentication service or chain configured for the
* given organization.
*/
try {
} catch (Exception e) {
}
return orgAuthConfig;
}
/**
* Checks whether an input URL is valid in an organization.
*
* @param url The URL to be validated.
* @param orgDN The organization DN.
* @return <code>true</code> if input URL is valid, <code>false</code> otherwise.
*/
}
/**
* Set of default URLs for login success
*/
return defaultSuccessURLSet;
}
/**
* Current default URL for login success
*/
return defaultSuccessURL;
}
this.defaultSuccessURL = defaultSuccessURL;
}
/**
* Set of default URLs for login failure
*/
return defaultFailureURLSet;
}
/**
* Current default URLs for login failure
*/
return defaultFailureURL;
}
this.defaultFailureURL = defaultFailureURL;
}
/**
* Set of default URLs for service success
*/
return defaultServiceSuccessURLSet;
}
/**
* Set of default URLs for service failure
*/
return defaultServiceFailureURLSet;
}
/**
 * Reports whether authentication must run on the JAAS thread.
 * <p>
 * The value comes from the {@code enforceJAASThread} field, which is read once
 * from the {@code Constants.ENFORCE_JAAS_THREAD} system property at class load;
 * the original documentation gives {@code false} as the default.
 *
 * @return {@code true} if the JAAS thread is to be enforced
 */
static boolean isEnforceJAASThread() {
    return AuthD.enforceJAASThread;
}
}