<%--
   DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

   Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

   The contents of this file are subject to the terms
   of the Common Development and Distribution License
   (the License). You may not use this file except in
   compliance with the License.

   You can obtain a copy of the License at
   https://opensso.dev.java.net/public/CDDLv1.0.html or
   opensso/legal/CDDLv1.0.txt
   See the License for the specific language governing
   permission and limitations under the License.

   When distributing Covered Code, include this CDDL
   Header Notice in each file and include the License file
   at opensso/legal/CDDLv1.0.txt.
   If applicable, add the following below the CDDL Header,
   with the fields enclosed by brackets [] replaced by
   your own identifying information:
   "Portions Copyrighted [year] [name of copyright owner]"


   Portions copyright 2014 ForgeRock AS.
--%>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.iplanet.am.util.SystemProperties" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.iplanet.sso.SSOException" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.iplanet.sso.SSOToken" %>
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<%@ page import="com.iplanet.sso.SSOTokenManager" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.common.DNUtils" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.idm.AMIdentity" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.idm.IdRepoException" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.idm.IdType" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.idm.IdUtils" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.shared.debug.Debug" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.shared.encode.Hash" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.shared.ldap.util.DN" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="com.sun.identity.sm.SMSEntry" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="javax.servlet.http.HttpServletRequest" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="java.io.IOException" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%@ page import="java.util.ResourceBundle" %>
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User<%@ page import="java.text.MessageFormat" %>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<%!
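    /**
     * Ensures that the provided request carries a valid SSOToken belonging to the
     * configured super user, and returns that token; in every other case it returns
     * {@code null} after telling the HTTP client why.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>Valid token for the super user: the token is returned.</li>
     *   <li>Valid token for any other user: the localized {@code no.permission} message
     *       from the {@code encode} bundle is written to {@code out} and {@code null} is
     *       returned. Only the single identity named by the
     *       {@code com.sun.identity.authentication.super.user} system property passes;
     *       realm or delegated administrators are denied like any other user.</li>
     *   <li>No token, or a token that fails validation ({@link SSOException}): the client
     *       is redirected to {@code UI/Login} with a {@code goto} back to
     *       {@code currentPageUrl}, and {@code null} is returned.</li>
     *   <li>The token's identity cannot be resolved ({@link IdRepoException}): the
     *       localized {@code invalid.uid} message, carrying a {@code UI/Logout} link, is
     *       written to {@code out} and {@code null} is returned.</li>
     * </ul>
     *
     * <p>Security notes for callers:
     * <ul>
     *   <li>Every failure path yields {@code null} (fail closed). The including page MUST
     *       test the result and stop rendering as soon as it is {@code null}; anything it
     *       emits afterwards is sent to an unauthorized client.</li>
     *   <li>{@code currentPageUrl} is concatenated, unescaped, into a redirect target and
     *       into the HTML of the {@code invalid.uid} message. It must be a server-side
     *       constant (the including page's own path); never derive it from request data,
     *       or this becomes an open-redirect / HTML-injection point.</li>
     *   <li>No HTTP status is set on denial, so the response stays 200 with an error body.
     *       NOTE(review): consider {@code SC_FORBIDDEN} if clients need to distinguish
     *       denial from success.</li>
     * </ul>
     *
     * @param request The HTTP request, from which the SSOToken is read.
     * @param response The HTTP response, used for the login redirect.
     * @param out The JspWriter used to inform the HTTP client that they are unauthorized to view this page.
     * @param currentPageUrl The path of the JSP page in which this file has been included, relative to AM root.
     * @return The SSOToken of the current user if they have one with super user privileges, otherwise null.
     * @throws IOException If writing to the out parameter or sending the redirect fails.
     */
    public SSOToken requireAdminSSOToken(HttpServletRequest request,
                                         HttpServletResponse response,
                                         JspWriter out,
                                         String currentPageUrl) throws IOException {

        SSOToken ssoToken;

        try {
            // Establish and validate the caller's session before looking at who they are.
            SSOTokenManager manager = SSOTokenManager.getInstance();
            ssoToken = manager.createSSOToken(request);
            manager.validateToken(ssoToken);
            AMIdentity user = new AMIdentity(ssoToken);

            if (!isSuperUser(ssoToken, user)) {
                out.println(ResourceBundle.getBundle("encode", request.getLocale()).getString("no.permission"));
                ssoToken = null;
            }

        } catch (SSOException e) {
            // No usable session: force authentication, then come back to the including page.
            response.sendRedirect("UI/Login?goto=../" + currentPageUrl);
            ssoToken = null;

        } catch (IdRepoException e) {
            // The session's universal identifier does not resolve to an identity; offer a logout link.
            String errorMsgTemplate = ResourceBundle.getBundle("encode", request.getLocale()).getString("invalid.uid");
            out.println(MessageFormat.format(errorMsgTemplate, "UI/Logout?goto=../" + currentPageUrl));
            ssoToken = null;
        }

        return ssoToken;
    }

    /**
     * Decides whether the authenticated caller is the configured super user.
     *
     * <p>The caller matches if either its principal DN equals the normalized super-user DN,
     * or its {@link AMIdentity} equals the super user's identity resolved in the root realm.
     * When {@code com.sun.identity.authentication.super.user} is unset, the reference DN is
     * the empty string and the reference identity is {@code null}, so nobody matches.
     *
     * @param ssoToken The validated session of the caller.
     * @param user The caller's identity, built from {@code ssoToken}.
     * @return true only if the caller is the super user.
     * @throws SSOException If the token's principal cannot be read.
     * @throws IdRepoException If the super user's identity cannot be constructed.
     */
    private boolean isSuperUser(SSOToken ssoToken, AMIdentity user) throws SSOException, IdRepoException {
        String adminUserDN = "";
        AMIdentity adminUserId = null;
        String adminUser = SystemProperties.get("com.sun.identity.authentication.super.user");
        if (adminUser != null) {
            adminUserDN = DNUtils.normalizeDN(adminUser);
            adminUserId = new AMIdentity(ssoToken, adminUser, IdType.USER, "/", null);
        }

        String callerDN = DNUtils.normalizeDN(ssoToken.getPrincipal().getName());
        // Null-safe on purpose: should either DN fail to normalize (NOTE(review): whether
        // normalizeDN can return null is not visible here), the comparison must deny rather
        // than throw, and must never treat null-vs-null as a match.
        boolean dnMatches = adminUserDN != null && callerDN != null && adminUserDN.equals(callerDN);
        return dnMatches || user.equals(adminUserId);
    }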
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User%>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User