<%--

 DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

 Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

 The contents of this file are subject to the terms
 of the Common Development and Distribution License
 (the License). You may not use this file except in
 compliance with the License.

 You can obtain a copy of the License at
 https://opensso.dev.java.net/public/CDDLv1.0.html or
 opensso/legal/CDDLv1.0.txt
 See the License for the specific language governing
 permission and limitations under the License.

 When distributing Covered Code, include this CDDL
 Header Notice in each file and include the License file
 at opensso/legal/CDDLv1.0.txt.
 If applicable, add the following below the CDDL Header,
 with the fields enclosed by brackets [] replaced by
 your own identifying information:
 "Portions Copyrighted [year] [name of copyright owner]"


 Portions copyright 2014-2015 ForgeRock AS.
--%>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="com.iplanet.am.util.SystemProperties" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="com.iplanet.sso.SSOException" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="com.iplanet.sso.SSOToken" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="com.iplanet.sso.SSOTokenManager" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="com.sun.identity.common.DNUtils" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="com.sun.identity.idm.AMIdentity" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="com.sun.identity.idm.IdRepoException" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="com.sun.identity.idm.IdType" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="javax.servlet.http.HttpServletRequest" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="java.io.IOException" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="java.util.ResourceBundle" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%@ page import="java.text.MessageFormat" %>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell<%!
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell /**
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * Ensures that the provided request contains an SSOToken with super user privileges.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell *
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * If the request contains an SSOToken with super user privileges, the SSOToken is
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * returned.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell *
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * If the request contains an SSOToken without super user privileges, the HTTP client
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * is informed that they are not authoriszed to access this page and null is returned.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell *
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * If the request does not contain an SSOToken, the HTTP client is redirected to the
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * login page with a follow on redirect back to the current page.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell *
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * @param request The HTTP request.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * @param response The HTTP response.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * @param out The JspWriter used to inform the HTTP client that they are unauthorized to view this page.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * @param currentPageUrl The path of the JSP page in which this file has been included, relative to AM root.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * @return The SSOToken of the current user if they have one with super user privileges.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell * @throws IOException If attempting to write to out parameter fails.
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell */
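/**
 * Ensures that the request carries a valid SSOToken belonging to the configured
 * super user (system property "com.sun.identity.authentication.super.user").
 *
 * Outcomes:
 *  - valid session of the super user: the SSOToken is returned;
 *  - valid session of any other user: the localized "no.permission" message is
 *    written to {@code out}, the response status is set to 403 and null is returned;
 *  - no session, or a session that fails validation (SSOException): the client is
 *    redirected to the login page with a goto back to {@code currentPageUrl} and
 *    null is returned;
 *  - the session's identity cannot be resolved (IdRepoException): the localized
 *    "invalid.uid" message, carrying a logout link back to this page, is written
 *    to {@code out} and null is returned.
 *
 * This method only reports the outcome; it does not abort the including page.
 * Callers MUST stop rendering privileged content when null is returned.
 *
 * @param request The HTTP request.
 * @param response The HTTP response; used for the login redirect and the 403 status.
 * @param out The JspWriter used to inform the HTTP client that they are unauthorized to view this page.
 * @param currentPageUrl The path of the JSP page in which this file has been included, relative
 *        to the AM root. It is placed unencoded into the goto parameter, so it must be a fixed,
 *        trusted path chosen by the including page and never derived from request data.
 * @return The SSOToken of the current user if it belongs to the super user, otherwise null.
 * @throws IOException If writing to the out parameter or sending the redirect fails.
 */
public SSOToken requireAdminSSOToken(HttpServletRequest request,
                                     HttpServletResponse response,
                                     JspWriter out,
                                     String currentPageUrl) throws IOException {

    SSOToken ssoToken;

    try {

        // Resolve and validate the caller's session. Any failure here surfaces as an
        // SSOException and sends the caller to the login page.
        SSOTokenManager manager = SSOTokenManager.getInstance();
        ssoToken = manager.createSSOToken(request);
        manager.validateToken(ssoToken);
        AMIdentity user = new AMIdentity(ssoToken);

        // Fail closed: if no super user is configured there is nobody to compare against,
        // so nobody may pass this check (rather than comparing against an empty DN).
        String adminUser = SystemProperties.get("com.sun.identity.authentication.super.user");
        boolean isSuperUser = false;
        if (adminUser != null) {
            String adminUserDN = DNUtils.normalizeDN(adminUser);
            AMIdentity adminUserId = new AMIdentity(ssoToken, adminUser, IdType.USER, "/", null);
            String principalDN = DNUtils.normalizeDN(ssoToken.getPrincipal().getName());
            // The caller is the super user if either the normalized principal DN matches the
            // configured super user DN or the identities compare equal. The null guard keeps a
            // non-normalizable configured value from throwing an NPE.
            isSuperUser = (adminUserDN != null && adminUserDN.equals(principalDN))
                    || user.equals(adminUserId);
        }

        if (!isSuperUser) {
            // Authenticated but not authorized: signal 403 so clients and monitoring see the
            // denial, then print the localized message. setStatus is a no-op if the including
            // page has already committed the response.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println(ResourceBundle.getBundle("encode", request.getLocale()).getString("no.permission"));
            ssoToken = null;
        }

    } catch (SSOException e) {
        // No valid session: force the user to authenticate, then return to this page.
        response.sendRedirect("UI/Login?goto=../" + currentPageUrl);
        ssoToken = null;

    } catch (IdRepoException e) {
        // The SSOToken's universal identifier could not be resolved; the message template
        // receives a logout link back to this page so the user can start a fresh session.
        String errorMsgTemplate = ResourceBundle.getBundle("encode", request.getLocale()).getString("invalid.uid");
        out.println(MessageFormat.format(errorMsgTemplate, "UI/Logout?goto=../" + currentPageUrl));
        ssoToken = null;
    }

    return ssoToken;
}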
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell%>
47865bca6b632be56381a140939bdd446eec4514Craig McDonnell