/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: DNOrIPAddressListTokenRestriction.java,v 1.7 2009/10/29 17:33:29 ericow Exp $
*
* Portions Copyrighted 2011-2016 ForgeRock AS
*/
/**
* <code>DNOrIPAddressListTokenRestriction</code> implements
* {@link TokenRestriction} interface and handles the restriction of
* the <code>DN</code> or <code>IPAddress</code>
*/
/**
* boolean to indicate if the restriction checking is strictly based on DN
* or not during cookie hijacking mitigation mode.
* By default, if the DN is absent or cannot be determined, the restriction is
* set to the IP address of the client. If this property is not defined it
* is assumed to be false.
* If strict DN checking is desired this property needs to be defined
* with the value "true".
*/
private static boolean dnRestrictionOnly;
// Set to true once the attribute lookup in isDNRestrictionOnly() has succeeded;
// volatile so the flag is visible across threads without synchronization.
private static volatile boolean isInitialized = false;
"iplanet-am-session-dnrestrictiononly";
/**
* Default constructor for InternalSession deserialization.
*/
public DNOrIPAddressListTokenRestriction() {
// Intentionally empty: this no-argument form exists only so that InternalSession
// deserialization can instantiate the class (see the javadoc above).
}
/**
* Constructs <code>DNOrIPAddressListTokenRestriction</code> object based on
* the <code>DN</code> and list of host names to be restricted.
* @param dn the <code>DN</code> of the user
* @param hostNames list of host names.
* @param serviceSchemaManager the service's schema manager.
* @exception UnknownHostException if the host cannot be resolved.
*/
while (st.hasMoreTokens()) {
} else {
}
}
} else {
}
if (!isDNRestrictionOnly()) {
boolean hostmatch = false;
try {
hostmatch = true;
} catch (UnknownHostException e) {
if (DEBUG.warningEnabled()) {
}
throw new UnknownHostException(val);
}
}
}
}
}
if (DEBUG.messageEnabled()) {
}
throw new IllegalStateException("DNOrIPAddressListTokenRestriction.hashcode error creating SHA-1 hash, hash was null");
}
if (DEBUG.messageEnabled()) {
}
}
/**
* This method returns the restriction as a string.
*
*/
return asString;
}
/**
* Returns a hash code for this object.
*
* @return a hash code value for this object.
*/
public int hashCode() {
}
/**
* Returns true if the restriction matches the context for which it was
* set.
*
* @param context The context from which the restriction needs to be
* checked. The context can be any from the following - the Single
* Sign on token of the Application against which the restriction
* is being compared
* @return true if the restriction is satisfied.
* @throws Exception is thrown if there was an error.
*/
return false;
if (DEBUG.messageEnabled()) {
}
while(st.hasMoreTokens()) {
return true;
}
}
if (DEBUG.messageEnabled()) {
+ " does not match with restriction " + dn);
}
return false;
} else if (context instanceof InetAddress) {
if (isDNRestrictionOnly()) {
//returning true here lessens the security, but truth to be told
//sessionservice endpoint should not be accessible externally
if (DEBUG.warningEnabled()) {
+ "has been received as the restriction context, this could be a suspicious activity. "
}
return true;
} else {
if (DEBUG.messageEnabled()) {
+ "accepted");
}
}
} else {
if (DEBUG.warningEnabled()) {
}
return false;
}
}
/**
* Returns true if <code>other</code> meets these criteria.
* <ol type="1">
* <li>it is not null
* <li>it is an instance of {@link DNOrIPAddressListTokenRestriction}
* <li>it has the same distinguished name as this object and
* <li>it has the same set of IP addresses as this object.
* </ol>
*
* @param other the object to be used for comparison.
* @return true if <code>other</code> meets the above criteria.
*/
&& (other instanceof DNOrIPAddressListTokenRestriction)
}
/**
* Gets the value of the "iplanet-am-session-dnrestrictiononly" session global attribute.
* NOTE: It may be possible that this setting gets initialized more than once, but that should be fine as
* it should not be too expensive an operation.
*
* @return Whether the DN restriction only is enabled.
*/
private boolean isDNRestrictionOnly() {
// Lazy, unsynchronized initialization: more than one thread may perform the lookup
// concurrently; the javadoc above accepts this because the result is the same.
if (!isInitialized) {
try {
// The attribute defaults to "false", i.e. the less strict DN-or-IP mode.
SESSION_DNRESTRICTIONONLY_ATTR_NAME, "false"));
if (DEBUG.messageEnabled()) {
}
// Only marked initialized on success, so a failed lookup is retried on the next call.
isInitialized = true;
} catch (Exception e) {
// NOTE(review): a failed lookup is only logged at message (debug) level and leaves
// dnRestrictionOnly unchanged (its static default is false), so a deployment that
// relies on strict DN checking silently runs in the weaker DN-or-IP mode until a
// later call succeeds. Logging this at warning level would make the degradation visible.
if (DEBUG.messageEnabled()) {
}
}
}
return dnRestrictionOnly;
}
}