WEB-INF/jsp/admincheck.jsp

	admincheck.jsp revision 6ceaa6b5b3260339647790af916128914981a790
205N/A<%--
205N/A
205N/A   DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
205N/A
205N/A   Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
205N/A
205N/A   The contents of this file are subject to the terms
205N/A   of the Common Development and Distribution License
205N/A   (the License). You may not use this file except in
205N/A   compliance with the License.
205N/A
205N/A   You can obtain a copy of the License at
205N/A   https://opensso.dev.java.net/public/CDDLv1.0.html or
205N/A   opensso/legal/CDDLv1.0.txt
205N/A   See the License for the specific language governing
205N/A   permission and limitations under the License.
205N/A
205N/A   When distributing Covered Code, include this CDDL
205N/A   Header Notice in each file and include the License file
205N/A   at opensso/legal/CDDLv1.0.txt.
205N/A   If applicable, add the following below the CDDL Header,
205N/A   with the fields enclosed by brackets [] replaced by
205N/A   your own identifying information:
205N/A   "Portions Copyrighted [year] [name of copyright owner]"
205N/A
205N/A
205N/A   Portions copyright 2014-2015 ForgeRock AS.
205N/A--%>
205N/A
205N/A<%@ page import="com.iplanet.am.util.SystemProperties" %>
205N/A<%@ page import="com.iplanet.sso.SSOException" %>
205N/A<%@ page import="com.iplanet.sso.SSOToken" %>
205N/A<%@ page import="com.iplanet.sso.SSOTokenManager" %>
205N/A<%@ page import="com.sun.identity.common.DNUtils" %>
205N/A<%@ page import="com.sun.identity.idm.AMIdentity" %>
205N/A<%@ page import="com.sun.identity.idm.IdRepoException" %>
205N/A<%@ page import="com.sun.identity.idm.IdType" %>
205N/A<%@ page import="javax.servlet.http.HttpServletRequest" %>
205N/A<%@ page import="java.io.IOException" %>
205N/A<%@ page import="java.util.ResourceBundle" %>
205N/A<%@ page import="java.text.MessageFormat" %>
205N/A
205N/A<%!
205N/A    /**
205N/A     * Ensures that the provided request contains an SSOToken with super user privileges.
205N/A     *
205N/A     * If the request contains an SSOToken with super user privileges, the SSOToken is
205N/A     * returned.
205N/A     *
205N/A     * If the request contains an SSOToken without super user privileges, the HTTP client
205N/A     * is informed that they are not authoriszed to access this page and null is returned.
205N/A     *
205N/A     * If the request does not contain an SSOToken, the HTTP client is redirected to the
205N/A     * login page with a follow on redirect back to the current page.
205N/A     *
     * @param request The HTTP request.
     * @param response The HTTP response.
     * @param out The JspWriter used to inform the HTTP client that they are unauthorized to view this page.
     * @param currentPageUrl The path of the JSP page in which this file has been included, relative to AM root.
     * @return The SSOToken of the current user if they have one with super user privileges.
     * @throws IOException If attempting to write to out parameter fails.
     */
    public SSOToken requireAdminSSOToken(HttpServletRequest request,
                                         HttpServletResponse response,
                                         JspWriter out,
                                         String currentPageUrl) throws IOException {

        SSOToken ssoToken;

        try {

            // Obtain current user identity from ssoToken
            SSOTokenManager manager = SSOTokenManager.getInstance();
            ssoToken = manager.createSSOToken(request);
            manager.validateToken(ssoToken);
            AMIdentity user = new AMIdentity(ssoToken);

            // Obtain DN and identity for super user
            String adminUserDN = "";
            AMIdentity adminUserId = null;
            String adminUser = SystemProperties.get("com.sun.identity.authentication.super.user");
            if (adminUser != null) {
                adminUserDN = DNUtils.normalizeDN(adminUser);
                adminUserId = new AMIdentity(ssoToken, adminUser, IdType.USER, "/", null);
            }

            // Check if current user is super user
            if ((!adminUserDN.equals(DNUtils.normalizeDN(ssoToken.getPrincipal().getName()))) && (!user.equals(adminUserId))) {
                out.println(ResourceBundle.getBundle("encode", request.getLocale()).getString("no.permission"));
                ssoToken = null;
            }

        } catch (SSOException e) {
            // If the user has does not have a session force them to authenticate then redirect back here
            response.sendRedirect("UI/Login?goto=../" + currentPageUrl);
            ssoToken = null;

        } catch (IdRepoException e) {
            // If the SSOToken's universal identifier is invalid
            String errorMsgTemplate = ResourceBundle.getBundle("encode", request.getLocale()).getString("invalid.uid");
            out.println(MessageFormat.format(errorMsgTemplate, "UI/Logout?goto=../" + currentPageUrl));
            ssoToken = null;
        }

        return ssoToken;
    }

%>