AuthUtils.java revision fc407e8870fb0f64f1be3c0aa456b2ab135bcec9
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AuthUtils.java,v 1.33 2009/12/15 16:39:47 qcheng Exp $
*
*/
/**
* Portions Copyrighted 2010-2014 ForgeRock AS
*/
public class AuthUtils extends AuthClientUtils {
/**
* Authentication type for Realm based authentication after
* Composite Advices
*/
public static final int REALM = 1;
/**
* Authentication type for Service based authentication after
* Composite Advices
*/
public static final int SERVICE = 2;
/**
* Authentication type for Module based authentication after
* Composite Advices
*/
public static final int MODULE = 3;
private static ResourceBundle bundle;
/*
* Private constructor to prevent any instances being created
*/
private AuthUtils() {
}
/* retrieve session */
if (utilDebug.messageEnabled()) {
}
return sess;
}
/* this method does the following
* 1. initializes authService (AuthD) if not already done.
* 2. parses the request parameters and stores in dataHash
* 3. Retrieves the AuthContext object from the global table
* 4. if this is found then updates the loginState request
* type to false and updates the parameter hash table in
* loginstate object.
* on error throws AuthException
*/
/**
* Returns the authentication context for a request.
*
* @param request HTTP Servlet Request.
* @param response HTTP Servlet Response.
* @param sid SessionID for this request.
* @param isSessionUpgrade <code>true</code> if session upgrade.
* @param isBackPost <code>true</code> if back posting.
* @return authentication context.
*/
public static AuthContextLocal getAuthContext(
boolean isSessionUpgrade,
boolean isBackPost) throws AuthException {
isSessionUpgrade,isBackPost,false);
}
/**
* Returns the authentication context for a request.
*
* @param request HTTP Servlet Request.
* @param response HTTP Servlet Response.
* @param sid SessionID for this request.
* @param isSessionUpgrade <code>true</code> if session upgrade.
* @param isBackPost <code>true</code> if back posting.
* @param isLogout <code>true</code> for logout.
* @return authentication context.
*/
public static AuthContextLocal getAuthContext(
boolean isSessionUpgrade,
boolean isBackPost,
boolean isLogout) throws AuthException {
// initialize auth service.
try {
// commented this since it debug file
// has too many messages and making the file large
// in size.
if (utilDebug.messageEnabled()) {
+ sid);
+ authContext);
}
try {
+ serviceURI;
} catch (SessionException e) {
if (utilDebug.messageEnabled()) {
+ e.toString());
}
}
if (utilDebug.messageEnabled()) {
+ "cookieURL : " + cookieURL);
}
(isLocalServer(cookieURL,true))) {
+ "Invalid Session Timed out");
throw new AuthException(
}
}
}
if (utilDebug.messageEnabled()) {
+ isBackPost);
}
return null;
}
try {
loginState = new LoginState();
}
if (isSessionUpgrade) {
} else if (isBackPost) {
}
if (utilDebug.messageEnabled()) {
}
} catch (AuthException ae) {
if (utilDebug.messageEnabled()) {
}
throw new AuthException(ae);
}
} else {
loginState.setRequestType(false);
}
if (utilDebug.messageEnabled()) {
+ ee.getMessage());
}
throw new AuthException(ee);
}
return authContext;
}
// processAuthContext checks for arg=newsession in the HttpServletRequest
// if request has arg=newsession then destroy session and create a new
// AuthContextLocal object.
// initialize auth service.
if (utilDebug.messageEnabled()) {
+ authContext );
}
// destroy auth context and create new one.
try{
loginState = new LoginState();
if (utilDebug.messageEnabled()) {
}
} catch (AuthException ae) {
if (utilDebug.messageEnabled()) {
}
}
} else {
boolean multipleTabsUsed =
}
/**
* This flag indicates that the same user is running the auth login
* process in mutiple tabs of the same browser and if the auth
* is zero user intervention custom auth module using Redirect
* Callback, then there would be a situation that the same
* authContext is being used by mutiple threads running the
* auth process, so avoid this mutiple thread interference keep
* the process in this while loop until all the submit requirements
* have been met. This is a specific customer use case.
*/
if (multipleTabsUsed) {
while (authContext.submittedRequirements()) {
+"to complete.");
}
}
} else {
if (authContext.submittedRequirements()) {
throw new AuthException(
}
}
// update loginState - requestHash , sess
if (utilDebug.messageEnabled()) {
}
if (checkForCookies(request)) {
loginState.setCookieDetect(false);
}
}
return authContext;
}
if (authContext != null) {
}
return loginState;
}
if (loginState != null) {
return loginState.getRequestParamHash();
} else {
return new Hashtable();
}
}
// retrieve the sid from the LoginState object
throws AuthException {
try {
if (authContext != null) {
if (loginState != null) {
}
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
// no need to have error code since the method where this is called
// generates AUTH_ERROR
}
return sidString;
}
/**
* Returns the Cookie object created based on the cookie name,
* Session ID and cookie domain. If Session is in invalid State then
* cookie is created with authentication cookie name , if
* cookie.
*
* @param ac the AuthContext object
*@param cookieDomain the cookie domain for creating cookie
* @return Cookie object.
*/
try {
}
if (CookieUtils.isCookieSecure()) {
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
}
if (utilDebug.messageEnabled()) {
}
return cookie;
}
/**
* Returns the Logout cookie.
*
* @param ac the AuthContextLocal object
* @param cookieDomain the cookieDomain
* @return Logout cookie .
*/
return logoutCookie;
}
/*
* Return logout url from LoginState object.
* Caller should check for possible null value returned.
*/
try {
if (loginState == null) {
// No default URL in case of logout. Taken care by LogoutBean.
return null;
}
if (utilDebug.messageEnabled()) {
else
}
return logoutURL;
} catch (Exception e) {
return null;
}
}
// returns true if request is new else false.
if (loginState.isNewRequest()) {
if (utilDebug.messageEnabled()) {
}
return true;
} else {
if (utilDebug.messageEnabled()) {
}
return false;
}
}
/* return the successful login url */
if (loginState == null) {
} else {
}
return successURL;
}
/* return the failed login url */
try {
if (loginState == null) {
}
if (utilDebug.messageEnabled()) {
+ loginFailedURL);
}
// remove the loginstate/authContext from the hashtable
//removeLoginStateFromHash(authContext);
// destroySession(authContext);
return loginFailedURL;
} catch (Exception e) {
return null;
}
}
/* return filename - will use FileLookUp API
* for UI only - this returns the relative path
*/
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
+ relFileName);
}
return relFileName;
}
}
public static boolean newSessionArgExists(
return true;
} else {
return false;
}
}
return false;
}
if (utilDebug.messageEnabled()) {
}
if (loginState==null) {
encodedURL = url;
} else {
}
if (utilDebug.messageEnabled()) {
}
return encodedURL;
}
// return the locale
// initialize auth service.
if (authContext == null) {
return ad.getPlatformLocale();
}
if (loginState == null) {
return ad.getPlatformLocale();
}
return loginState.getLocale();
}
try {
if (loginState != null) {
}
} catch (Exception e) {
}
}
if (authContext != null) {
}
}
/**
* Returns <code>true</code> if the session has timed out or the page has
* timed out.
*
* @param authContext the authentication context object for the request.
* @return <code>true</code> if timed out else false.
*/
boolean timedOut = false;
if (loginState != null) {
if (!timedOut) {
}
}
if (utilDebug.messageEnabled()) {
}
}
return timedOut;
}
/* return the value of argument iPSPCookie entered on the URL */
}
/* retrieve persistent cookie setting from core auth profile */
}
}
/* return persistent cookie */
String cookieDomain ) {
return null;
}
/* returns the username from the persistent cookie */
return loginState.searchPersistentCookie();
}
try {
if (utilDebug.messageEnabled()) {
}
return pCookie;
} catch (Exception e) {
}
}
try {
if (utilDebug.messageEnabled()) {
}
return lbCookie;
} catch (Exception e) {
}
}
throws AuthException {
}
} else {
}
}
}
/**
* called by UI if the username returned by
* searchPersistentCookie is null
* clear persistent cookie in the request
*/
int maxAge = 0;
return clearPCookie;
}
/* return the indexType for this request */
int type = 0;
try {
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
+ e.toString());
}
}
return type;
}
/* return the indexType for this request */
try {
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
}
return indexType;
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
return null;
}
}
/* return the indexName for this request */
try {
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
}
return indexName;
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
return null;
}
}
if (loginState != null) {
}
if ( recdCallback != null ) {
if (utilDebug.messageEnabled()) {
+ i + "] :" + recdCallback[i]);
}
}
}
else {
}
return recdCallback;
}
/**
* Returns the resource based on the default values.
*
* @param request HTTP Servlet Request.
* @param fileName name of the file
* @return Path to the resource.
*/
public static String getDefaultFileName(
// initialize auth service.
try {
//in case we are unable to determine the realm from the incoming
//requests, let's fallback to top level realm
}
try {
} catch (Exception e) {
}
if (utilDebug.messageEnabled()) {
}
return templateFile;
}
/* returns the orgDN for the request */
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
}
return orgDN;
}
/* create auth context for org */
throws AuthException {
}
}
}
}
}
/** Returns the AuthContext Handle for the Request.
* @param orgName OrganizationName in request
* @param sessionID Session ID for this request
* @param isLogout a boolean which is true if it is a Logout request
* @param req HttpServletRequest
* @return AuthContextLocal object
*/
throws AuthException {
}
/* create auth context for org and sid, if sessionupgrade then
* save the previous authcontext and create new authcontext
* orgName - organization name to login to
* sessionId - sessionID of the request - "0" if new request
* isLogout - is this a logout request
* @param orgName OrganizationName in request
* @param sessionID Session ID for this request
* @param isLogout a boolean which is true if it is a Logout request
* @param req HttpServletRequest
* @param indexType Index Type
* @param indexName Index Name
* @return AuthContextLocal object
*/
throws AuthException {
xmlReq,false);
}
/* create auth context for org and sid, if sessionupgrade then
* save the previous authcontext and create new authcontext
* orgName - organization name to login too
* sessionId - sessionID of the request - "0" if new request
* isLogout - is this a logout request - if yes then no session
* upgrade - this is the case where session is VALID so need
* to use this flag to determine if session upgrade is needed.
* @param orgName OrganizationName in request
* @param sessionID Session ID for this request
* @param isLogout a boolean which is true if it is a Logout request
* @param req HttpServletRequest
* @param indexType Index Type
* @param indexName Index Name
* @param forceAuth force auth flag
* @return AuthContextLocal object
*/
throws AuthException {
boolean sessionUpgrade = false;
int sessionState = -1;
}
if (utilDebug.messageEnabled()) {
}
try {
// check if this sesson id is active, if yes then it
// is a session upgrade case.
if (loginState != null) {
} else {
}
sessionUpgrade = false;
} else {
if (utilDebug.messageEnabled()) {
}
if (forceAuth) {
sessionUpgrade = true;
} else {
}
} else {
sessionUpgrade = true;
}
}
if (utilDebug.messageEnabled()) {
}
}
}
if (utilDebug.messageEnabled()) {
+ authContext);
+ sessionUpgrade);
+ forceAuth);
}
}
xmlReq.setValidSessionNoUpgrade(true);
return null;
}
(sessionUpgrade)) {
try {
loginState = new LoginState();
}
if (sessionUpgrade) {
}
if (utilDebug.messageEnabled()) {
}
} catch (AuthException ae) {
if (utilDebug.messageEnabled()) {
}
throw new AuthException(ae);
}
} else {
// update loginState
try {
if (utilDebug.messageEnabled()) {
}
if (loginState != null) {
loginState.setRequestType(false);
}
if (utilDebug.messageEnabled()) {
}
}
}
if (forceAuth){
}
if (utilDebug.messageEnabled()) {
}
throw new AuthException(ee);
}
return authContext;
}
/**
* Returns a set of authentication modules whose authentication
* level equals to or greater than the specified authLevel. If no such
* module exists, an empty set will be returned.
*
* @param authLevel authentication level.
* @param organizationDN DN for the organization.
* @param clientType Client type, e.g. "genericHTML".
* @return Set of authentication modules whose authentication level
* equals to or greater that the specified authentication level.
*/
public static Set getAuthModules(
int authLevel,
String clientType) {
}
/* return the previous Internal Session */
return oldSession;
}
/* retreive the authcontext based on the req */
throws AuthException {
// initialize auth service.
try {
if (utilDebug.messageEnabled()) {
+ authContext);
}
if (utilDebug.messageEnabled()) {
}
}
return null;
} else {
return null;
}
return authContext;
}
} catch (Exception e) {
return null;
}
}
/* check if the session is active */
try {
if (utilDebug.messageEnabled()) {
}
boolean sessionValid = false;
sessionValid = true;
}
if (utilDebug.messageEnabled()) {
}
}
return sessionValid;
} catch (Exception e) {
return false;
}
}
/* retreive session property */
try {
}
} catch (Exception e) {
}
return value;
}
/* return session upgrade - true or false */
boolean isSessionUpgrade = false;
if (loginState != null) {
}
return isSessionUpgrade;
}
if (loginState==null) {
return;
}
if (utilDebug.messageEnabled()) {
}
}
if (loginState==null) {
return false;
}
return loginState.isCookieSupported();
}
if (loginState==null) {
return false;
}
return loginState.isCookieSet();
}
/**
* Returns true if cookies found in the request.
*
* @param req HTTP Servlet Request.
* @param ac authentication context.
* @return <code>true</code> if cookies found in request.
*/
if (loginState!=null) {
loginState.setCookieSet(false);
loginState.setCookieDetect(false);
}
// came here if cookie not found , return false
return (
||
}
if (loginState==null) {
return null;
}
return loginState.getLoginURL();
}
}
return authContext;
}
// Gets Callbacks per Page state
if (loginState != null) {
}
if ( recdCallback != null ) {
if (utilDebug.messageEnabled()) {
+ i + "] :" + recdCallback[i]);
}
}
}
else {
}
return recdCallback;
}
// Sets (saves) Callbacks per Page state
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
+ i + "] :" + callbacks[i]);
}
}
}
else {
}
}
/**
* Returns the SessionID . This is required to added the
* session server , port , protocol info to the Logout Cookie.
* SessionID is retrieved from Auth service if a handle on
* the authcontext object is there otherwise retrieve from
* the request object.
*
* @param authContext is the AuthContext which is
* handle to the auth service
* @param request is the HttpServletRequest object
* @return returns the SessionID
*/
if (authContext != null) {
try {
}
} catch (Exception e) {
}
}
}
if (utilDebug.messageEnabled()) {
}
return sessionId;
}
/**
* Returns true if cookie is supported otherwise false.
* the value is retrieved from the auth service if a
* handle on the auth context object is there otherwise
* check the HttpServletRequest object to see if the
* OpenSSO cookie is in the request header
*
* @param authContext is the handle to the auth service
* for the request
* @param request is the HttpServletRequest Object for the
* request
*
* @return boolean value indicating whether cookie is supported
* or not.
*/
boolean cookieSupported;
if (authContext != null) {
} else {
}
if (utilDebug.messageEnabled()) {
}
return cookieSupported;
}
/**
* Returns the previous index type after module is selected in authlevel
* or composite advices.
* @param ac the is the AuthContextLocal instance.
* @return AuthContext.IndexType.
*/
if (loginState != null) {
return loginState.getPreviousIndexType();
} else {
return null;
}
}
/**
* Returns whether the auth module is or the auth chain contains pure JAAS
* module(s).
* @param configName a string of the configuratoin name.
* @return 1 for pure JAAS module; -1 for module(s) provided by IS only.
*/
public static int isPureJAASModulePresent(
throws AuthLoginException {
if (AuthD.enforceJAASThread) {
return 1;
}
int returnValue = -1;
try {
} catch (Exception e) {
return 1;
}
throw new AuthLoginException("amAuth",
}
// re-use the obtained configuration
if (utilDebug.messageEnabled()) {
}
returnValue = 1;
break;
continue;
}
try {
).newInstance();
if (classObject instanceof AMLoginModule) {
if (utilDebug.messageEnabled()) {
" is instance of AMLoginModule");
}
synchronized(ISModuleClasses) {
}
}
} else {
if (utilDebug.messageEnabled()) {
}
synchronized(pureJAASModuleClasses) {
}
}
returnValue = 1;
break;
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
synchronized(pureJAASModuleClasses) {
}
}
returnValue = 1;
break;
}
}
return returnValue;
}
/**
* Get the module service name in either
* iplanet-am-auth format<module.toLowerCase()>Service(old) or
* sunAMAuth<module>Service format(new).
*/
if (serviceName == null) {
try {
} catch (Exception e) {
}
}
return serviceName;
}
public static int getAuthRevisionNumber(){
try {
return scm.getRevisionNumber();
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
}
return 0;
}
/**
* Returns success URL for this request. If <code>goto</code> parameter is
* in the current request then returns the <code>goto</code> parameter
* else returns the success URL set in the valid session.
*
* @param request HTTP Servlet Request.
* @param authContext authentication context for this request.
* @return success URL.
*/
public static String getSuccessURL(
if (loginState == null) {
} else {
}
}
if (utilDebug.messageEnabled()) {
}
return successURL;
}
// Returns the set of Module instances resulting from a 'composite advice'
try {
if (utilDebug.messageEnabled()) {
+ decodedAdviceXML);
+ adviceMap);
}
returnAuthInstances = new HashMap();
returnModuleInstances = new HashSet();
//returnAuthInstances = Collections.EMPTY_MAP;
break;
}
}
if (returnAuthInstances.isEmpty()) {
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
, e);
}
}
if (utilDebug.messageEnabled()) {
"returnAuthInstances : " + returnAuthInstances);
}
return returnAuthInstances;
}
// Returns the set of module instances having lowest auth level from a
// given set of auth level values
if (utilDebug.messageEnabled()) {
+ authLevelvalues);
}
try {
// First get the lowest auth level value from a given set
//get the Realm qualified Auth Level value
try {
if (authLevel < minAuthlevel) {
if ((qualifiedRealm != null) &&
}
if (utilDebug.messageEnabled()) {
+ qualifiedRealm);
+ qualifiedOrgDN);
}
}
continue;
}
}
if (utilDebug.messageEnabled()) {
+ moduleInstances);
}
if ((moduleInstances != null) &&
(!moduleInstances.isEmpty())) {
returnModuleInstances = new HashSet();
while (iterInstances.hasNext()) {
//get the module instance value
}
}
} else {
}
if (utilDebug.messageEnabled()) {
"returnModuleInstances : " + returnModuleInstances +
" for auth level : " + minAuthlevel);
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
, e);
}
}
return returnModuleInstances;
}
// returns AuthContextLocal object from Session object identified by 'sid'.
// if not found then check it in the HttpSession.
private static AuthContextLocal retrieveAuthContext(
}
return acLocal;
}
// retrieve the AuthContextLocal object from the Session object.
}
if (utilDebug.messageEnabled()) {
}
return localAC;
}
/**
* Removes the AuthContextLocal object in the Session object identified
* by the SessionID object parameter 'sid'.
*/
}
}
/**
* Returns the authentication service or chain configured for the
* given organization.
*
* @param orgDN organization DN.
* @return the authentication service or chain configured for the
* given organization.
*/
}
/**
* Returns true if remote Auth security is enabled and false otherwise
*
* @return the value of sunRemoteAuthSecurityEnabled attribute
*/
try {
"iPlanetAMAuthService", dUserToken);
}
}
if (utilDebug.messageEnabled()) {
}
return securityEnabled;
}
/**
* Returns the flag indicating a request "forward" after
* successful authentication.
*
* @param authContext AuthContextLocal object
* @param req HttpServletRequest object
* @return the boolean flag.
*/
if (!isForward) {
if (loginState != null) {
}
}
return isForward;
}
/**
* Returns <code>true</code> if the request has the
* <code>forward=true</code> query parameter.
*
* @param req HttpServletRequest object
* @return <code>true</code> if this parameter is present.
*/
boolean isForward =
if (utilDebug.messageEnabled()) {
}
return isForward;
}
/**
* Returns <code>Map</code> attributes
*
* @param serviceName Service Name
* @return <code>Map</code> of global attributes.
*/
try {
}
} catch (SMSException smsExp) {
);
} catch (SSOException ssoExp) {
);
}
if (utilDebug.messageEnabled()) {
}
return attrs;
}
if (cookieDomainSet.isEmpty()) {
} else {
response);
}
}
}
if (cookieValue != null) {
// clear Persistent Cookie
if (utilDebug.messageEnabled()) {
}
}
}
/*
* Get URL set by Post Process Plugin in HttpServletRequest.
* Caller should check for null return value.
*/
{
if (utilDebug.messageEnabled()) {
}
return null;
}
if (servletRequest != null) {
}
if (utilDebug.messageEnabled()) {
" Value : " + url);
}
else {
" Value : Not set - null or empty string");
}
}
return url;
}
/* Helper method to reset HttpServletRequest object before it is sent to
* Post Process Plugin so that it can set new values.
*/
{
if (servletRequest != null) {
}
}
/**
* Returns valid goto parameter for this request.
* Validate goto parameter set in the current request, then returns it
* if valid
* @param request the HttpServletRequest
* @param authContext authentication context for this request.
* @return successURL a String
*/
}
/**
* Returns valid goto parameter for this request.
* Validate goto parameter set in the current request, then returns it
* if valid
* @param request the HttpServletRequest
* @param orgDN organization DN
* @return successURL a String
*/
}
}
try {
//relative path doesn't need to be compared
//against goto valid domain list
if (!uri.isAbsolute()) {
return gotoUrl;
}
} catch (URISyntaxException urise) {
//gotoUrl violates RFC 2396
if (utilDebug.messageEnabled()) {
}
return null;
}
if (utilDebug.messageEnabled()) {
"invalid");
}
return null;
}
}
return gotoUrl;
}
/**
* Performs a logout on a given token ensuring the post auth classes are called
*
* @param sessionID The token id to logout
* @param request The HTTP request
* @param response The HTTP response
* @return true if the token was still valid before logout was called
* @throws SSOException If token is null or other SSO exceptions
*/
public static boolean logout(String sessionID, HttpServletRequest request, HttpServletResponse response)
throws SSOException {
}
/**
* Performs a logout on a given token ensuring the post auth classes are called
*
* @param intSession The <code>InternalSession</code> to logout
* @param token The <code>SSOToken</code> to logout
* @param request The HTTP request
* @param response The HTTP response
* @return true if the token was still valid before logout was called
* @throws SSOException If token is null or other SSO exceptions
*/
throws SSOException {
return false;
}
if (intSession != null) {
}
try {
if (loginContext != null) {
if (loginContext instanceof
} else {
}
}
}
if (intSession != null) {
}
try {
}
}
} else {
if (intSession != null) {
}
while (st.hasMoreTokens()) {
try {
}
}
}
}
}
boolean isTokenValid = false;
try {
if (utilDebug.messageEnabled()) {
}
}
} catch (SessionException se) {
if (utilDebug.warningEnabled()) {
+ " checking validity of SSO Token", se);
}
}
return isTokenValid;
}
}