LocalSSOTokenSessionModule.java revision 226b1d9e6b9fc92ae532c0deef05c40d22ed44df
/*
* The contents of this file are subject to the terms of the Common Development and
* Distribution License (the License). You may not use this file except in compliance with the
* License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
* specific language governing permission and limitations under the License.
*
* When distributing Covered Software, include this CDDL Header Notice in each file and include
* the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
* Header, with the fields enclosed by brackets [] replaced by your own identifying
* information: "Portions copyright [year] [name of copyright owner]".
*
* Copyright 2015 ForgeRock AS.
*/
/**
* A local implementation of a SSOToken Session module, that is designed to be deployed in an OpenAM deployment
* not remotely, i.e. protecting resources on another server which uses OpenAM for authentication.
*
* The SSOToken module will validate the presents and validity of a SSOToken ID on a request, if present and valid then
* the request is allowed to proceed. The responsibilities of this module are only to validate but never to issue
* a SSOToken, for this the client must authenticate before trying to access the resource again.
*/
public class LocalSSOTokenSessionModule implements AsyncServerAuthModule {
private final AuthUtilsWrapper authUtilsWrapper;
private AuthnRequestUtils requestUtils;
private SSOTokenFactory factory;
private CallbackHandler handler;
/**
* Default constructor is initialised by the framework.
*/
public LocalSSOTokenSessionModule() {
authUtilsWrapper = new AuthUtilsWrapper();
}
/**
* Test constructor exposes required dependencies.
*
* @param requestUtils Required for processing ServletRequests.
* @param factory Required for generation of SSOTokens.
* @param authUtilsWrapper Required for getting cookie name.
*/
this.requestUtils = requestUtils;
this.authUtilsWrapper = authUtilsWrapper;
}
/**
* @return False if the dependencies have not been initialised.
*/
private boolean isInitialised() {
return getFactory() != null;
}
/**
* Use Guice to initalise the dependencies.
*/
private void initDependencies() {
}
public String getModuleId() {
return "OpenAM SSO Token Session Module";
}
/**
* No initialisation required for this module.
*
* @param requestPolicy {@inheritDoc}
* @param responsePolicy {@inheritDoc}
* @param handler {@inheritDoc}
* @param options {@inheritDoc}
* @return {@inheritDoc}
*/
public Promise<Void, AuthenticationException> initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
return newResultPromise(null);
}
/**
* {@inheritDoc}
*/
}
/**
* Validates the request by checking the validity of the SSOToken ID from the AM cookie.
* <p>
* If the SSOToken ID is a restricted token then the request must also contain a url parameter "requester" which
* must contain the application SSOToken ID of the application the restricted token was issued for.
*
* @param messageInfo {@inheritDoc}
* @param clientSubject {@inheritDoc}
* @param serviceSubject {@inheritDoc}
* @return {@inheritDoc}
*/
public Promise<AuthStatus, AuthenticationException> validateRequest(final MessageInfoContext messageInfo,
if (!isInitialised()) {
}
final HttpServletRequest request = (HttpServletRequest) messageInfo.asContext(HttpRequestContext.class).getAttributes().get(HttpServletRequest.class.getName());
try {
}
});
return newResultPromise((AuthStatus) o);
}
return newExceptionPromise(
new AuthenticationException("An error occurred whilst trying to use restricted token."));
}
}
}
/**
* Gets the AM cookie name, as set by AM.
*
* @return The AM cookie name.
*/
private String getCookieHeaderName() {
return authUtilsWrapper.getCookieName();
}
/**
* Validates the request by attempting to retrieve the SSOToken ID from the cookies on the request.
* If the SSOToken ID cookie is not present then the method returns AuthStatus.SEND_FAILURE, otherwise if it is
* present it is then used to retrieve the actual SSOToken from the SSOTokenManager, if valid then
* AuthStatus.SUCCESS will be returned, otherwise AuthStatus.SEND_FAILURE will be returned.
*
* @param request The HttpServletRequest.
* @param messageInfo A contextual object that encapsulates the client request and server response objects, and
* that may be used to save state across a sequence of calls made to the methods of this
* interface for the purpose of completing a secure message exchange.
* @param clientSubject A Subject that represents the source of the service request. It is used by the method
* implementation to store Principals and credentials validated in the request.
* @return AuthStatus.SUCCESS if the SSOToken ID is valid, otherwise AuthStatus.SEND_FAILURE.
* @throws AuthException If there is a problem validating the request.
*/
}
int authLevel;
try {
} catch (SSOException e) {
} catch (UnsupportedCallbackException e) {
} catch (IOException e) {
}
(Map<String, Object>) messageInfo.getRequestContextMap().get("org.forgerock.authentication.context");
//TODO add more properties to context map
return newResultPromise(SUCCESS);
}
}
return newResultPromise(getInvalidSSOTokenAuthStatus());
}
return SEND_FAILURE;
}
/**
* This module will always return AuthStatus.SEND_SUCCESS as it is not designed to return a SSOToken, ony to
* validate that one is present on the request.
*
* @param messageInfo {@inheritDoc}
* @param serviceSubject {@inheritDoc}
* @return {@inheritDoc}
*/
return newResultPromise(SEND_SUCCESS);
}
/**
* No cleaning for the Subject is required for this module.
*
* @param messageInfo {@inheritDoc}
* @param subject {@inheritDoc}
* @return {@inheritDoc}
*/
public Promise<Void, AuthenticationException> cleanSubject(MessageInfoContext messageInfo, Subject subject) {
return newResultPromise(null);
}
/**
* @return The AuthRequestUtils, Guice initialised if it has not been assigned.
*/
public AuthnRequestUtils getRequestUtils() {
return requestUtils;
}
/**
* @return The SSOTokenFactory, Guice initialised if it has not been assigned.
*/
public SSOTokenFactory getFactory() {
return factory;
}
}