<%--
   DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

   Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

   The contents of this file are subject to the terms
   of the Common Development and Distribution License
   (the License). You may not use this file except in
   compliance with the License.

   You can obtain a copy of the License at
   https://opensso.dev.java.net/public/CDDLv1.0.html or
   opensso/legal/CDDLv1.0.txt
   See the License for the specific language governing
   permission and limitations under the License.

   When distributing Covered Code, include this CDDL
   Header Notice in each file and include the License file
   at opensso/legal/CDDLv1.0.txt.
   If applicable, add the following below the CDDL Header,
   with the fields enclosed by brackets [] replaced by
   your own identifying information:
   "Portions Copyrighted [year] [name of copyright owner]"


   Portions copyright 2014 ForgeRock AS.
--%>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="com.iplanet.am.util.SystemProperties" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="com.iplanet.sso.SSOException" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="com.iplanet.sso.SSOToken" %>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<%@ page import="com.iplanet.sso.SSOTokenManager" %>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<%@ page import="com.sun.identity.common.DNUtils" %>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<%@ page import="com.sun.identity.idm.AMIdentity" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="com.sun.identity.idm.IdRepoException" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="com.sun.identity.idm.IdType" %>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<%@ page import="com.sun.identity.idm.IdUtils" %>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<%@ page import="com.sun.identity.shared.debug.Debug" %>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<%@ page import="com.sun.identity.shared.encode.Hash" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="com.sun.identity.shared.ldap.util.DN" %>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<%@ page import="com.sun.identity.sm.SMSEntry" %>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<%@ page import="javax.servlet.http.HttpServletRequest" %>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<%@ page import="java.io.IOException" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="java.util.ResourceBundle" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="java.text.MessageFormat" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User
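<%!
    /**
     * Ensures that the provided request carries a valid SSOToken belonging to the
     * configured super user (the "com.sun.identity.authentication.super.user" property).
     *
     * Outcomes:
     * <ul>
     *   <li>valid token, super user: the SSOToken is returned;</li>
     *   <li>valid token, any other user (or no super user configured): the response
     *       status is set to 403, the localized "no.permission" message is written to
     *       {@code out} and null is returned;</li>
     *   <li>no valid token: the client is redirected to the login page with a follow-on
     *       redirect back to {@code currentPageUrl} and null is returned;</li>
     *   <li>the token's identity cannot be resolved: the localized "invalid.uid" message,
     *       carrying a logout link, is written to {@code out} and null is returned.</li>
     * </ul>
     *
     * Callers MUST stop rendering the page when null is returned: the redirect has
     * already been issued or the error text already written, and any further output
     * would disclose the protected content to an unauthorised client.
     *
     * @param request The HTTP request.
     * @param response The HTTP response; used for the login redirect and the 403 status.
     * @param out The JspWriter used to inform the HTTP client that they are unauthorized to view this page.
     * @param currentPageUrl The path of the JSP page in which this file has been included, relative to AM root.
     *        It is placed unencoded in the "goto" parameter of the login/logout redirects, so it must be a
     *        constant supplied by the including page and never derived from the request (open redirect).
     * @return The SSOToken of the current user if they have one with super user privileges, otherwise null.
     * @throws IOException If attempting to write to out parameter fails.
     */
    public SSOToken requireAdminSSOToken(HttpServletRequest request,
                                         HttpServletResponse response,
                                         JspWriter out,
                                         String currentPageUrl) throws IOException {

        SSOToken ssoToken;

        try {
            // Resolve and validate the caller's session. An absent or invalid
            // session surfaces as SSOException and is handled below.
            SSOTokenManager manager = SSOTokenManager.getInstance();
            ssoToken = manager.createSSOToken(request);
            manager.validateToken(ssoToken);
            AMIdentity user = new AMIdentity(ssoToken);

            // Resolve the configured super user. With no super user configured there is
            // nobody to compare against, so fail closed explicitly instead of relying on
            // the comparisons below to happen to reject the caller.
            String adminUser = SystemProperties.get("com.sun.identity.authentication.super.user");
            if (adminUser == null) {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                out.println(ResourceBundle.getBundle("encode", request.getLocale()).getString("no.permission"));
                return null;
            }
            String adminUserDN = DNUtils.normalizeDN(adminUser);
            AMIdentity adminUserId = new AMIdentity(ssoToken, adminUser, IdType.USER, "/", null);

            // The caller is the super user if either the token's principal DN matches the
            // configured DN, or the resolved identities are equal.
            String principalDN = DNUtils.normalizeDN(ssoToken.getPrincipal().getName());
            boolean principalMatches = adminUserDN != null && adminUserDN.equals(principalDN);
            boolean identityMatches = user.equals(adminUserId);

            if (!principalMatches && !identityMatches) {
                // Authenticated but not authorised: report it as 403, not a 200 with a message.
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                out.println(ResourceBundle.getBundle("encode", request.getLocale()).getString("no.permission"));
                ssoToken = null;
            }

        } catch (SSOException e) {
            // No usable session: force authentication, then redirect back to this page.
            response.sendRedirect("UI/Login?goto=../" + currentPageUrl);
            ssoToken = null;

        } catch (IdRepoException e) {
            // The SSOToken's universal identifier is invalid; offer a logout link so the
            // user can discard the broken session and sign in again.
            String errorMsgTemplate = ResourceBundle.getBundle("encode", request.getLocale()).getString("invalid.uid");
            out.println(MessageFormat.format(errorMsgTemplate, "UI/Logout?goto=../" + currentPageUrl));
            ssoToken = null;
        }

        return ssoToken;
    }
%>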
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User