8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: DNOrIPAddressListTokenRestriction.java,v 1.7 2009/10/29 17:33:29 ericow Exp $
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoni * Portions Copyrighted 2011-2016 ForgeRock AS
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoniimport com.fasterxml.jackson.annotation.JsonIgnore;
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoniimport com.sun.identity.shared.datastruct.CollectionHelper;
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoniimport com.sun.identity.sm.ServiceSchemaManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>DNOrIPAddressListTokenRestriction</code> implements
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * {@link TokenRestriction} interface and handles the restriction of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the <code>DN</code> or <code>IPAddress</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class DNOrIPAddressListTokenRestriction implements TokenRestriction {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static final long serialVersionUID = 8352965917649287133L;
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major private static final Debug DEBUG = Debug.getInstance("amSession");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set<InetAddress> addressList = new HashSet<InetAddress>();
e6ff5d36907b3336d3ab0316cbfa6cdd781a20eeJon Jonthomas /** SHA-1 hash of the concatenated string of DN and/or Host Name/IP Address.*/
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * boolean to indicate if the restriction checking is strictly based on DN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or not during cookie hijacking mitigation mode.
 * By default, if the DN is absent or cannot be determined, the restriction is
 * set to the IP address of the client. If this property is not defined,
 * it is assumed to be false (i.e. IP-based restriction remains allowed).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If strict DN checking is desired this property needs to be defined
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with value "true"
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major private static volatile boolean isInitialized = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String SESSION_DNRESTRICTIONONLY_ATTR_NAME =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "iplanet-am-session-dnrestrictiononly";
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoni private transient ServiceSchemaManager serviceSchemaManager;
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major * Default constructor for InternalSession deserialization.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs <code>DNOrIPAddressListTokenRestriction</code> object based on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the <code>DN</code> and list of host names to be restricted.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param dn the <code>DN</code> of the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param hostNames list of host names.
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoni * @param serviceSchemaManager the service's schema manager.
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoni * @exception UnknownHostException if the host cannot be resolved.
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoni ServiceSchemaManager serviceSchemaManager) throws UnknownHostException {
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoni this.serviceSchemaManager = serviceSchemaManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(dn, "|");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster buf = new StringBuilder(Misc.canonicalize(st.nextToken()));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster buf.append('|').append(Misc.canonicalize(st.nextToken()));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster buf = new StringBuilder(Misc.canonicalize(dn));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean hostmatch = false;
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.warning("DNOrIPAddressListTokenRestriction.constructor: failure resolving host " + val);
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoni List<String> hostNamesList = new ArrayList<>(hostNames);
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.message("DNOrIPAddressListTokenRestriction.new " + asString);
e6ff5d36907b3336d3ab0316cbfa6cdd781a20eeJon Jonthomas throw new IllegalStateException("DNOrIPAddressListTokenRestriction.hashcode error creating SHA-1 hash, hash was null");
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.message("DNOrIPAddressListTokenRestriction.hashCode " + asString);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method returns the restriction as a string.
e6ff5d36907b3336d3ab0316cbfa6cdd781a20eeJon Jonthomas * @return A SHA-1 hash of the concatenated string of DN and/or Host Name/IP Address.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a hash code for this object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a hash code value for this object.
 * Returns true if the restriction matches the context for which it was
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param context The context from which the restriction needs to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * checked. The context can be any from the following - the Single
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sign on token of the Application against which the restriction
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is being compared - the IP Address/Host Name of the Application
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * against which the restriction is being compared
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return true if the restriction is satisfied.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws Exception is thrown if the there was an error.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean isSatisfied(Object context) throws Exception {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.message("DNOrIPAddressListTokenRestriction.isSatisfied(): context is instance of SSOToken");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String udn = Misc.canonicalize(usedBy.getPrincipal().getName());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(dn, "|");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return true;
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.message("DNOrIPAddressListTokenRestriction:isSatisfied SSOToken of " + udn
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
 //NOTE(security): this path fails open. With dnRestrictionOnly set, an IP-address
 //context cannot be checked against the DN, so after logging a warning the restriction
 //is treated as satisfied. That relies on the session service endpoint not being
 //reachable externally; confirm that assumption holds in the deployment.
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.warning("DNOrIPAddressListTokenRestriction.isSatisfied():dnRestrictionOnly is true, but IP "
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major + "has been received as the restriction context, this could be a suspicious activity. "
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major + "Received InetAddress is: " + ((InetAddress) context).toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return true;
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.message("DNOrIPAddressListTokenRestriction.isSatisfied(): dnRestrictionOnly is false");
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.message("DNOrIPAddressListTokenRestriction.isSatisfied(): IP based restriction received and "
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major + "accepted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return addressList.contains((InetAddress) context);
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.warning("Unknown context type:" + context);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
 * Returns true if <code>other</code> meets all of these criteria.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <ol type="1">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li>it is not null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li>it is an instance of {@link DNOrIPAddressListTokenRestriction}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li>it has the same distinguished name as this object and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li>it has the same set of IP addresses as this object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param other the object to be used for comparison.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return true if <code>other</code> meets the above criteria.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster && (other instanceof DNOrIPAddressListTokenRestriction)
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major * Gets the value of the "iplanet-am-session-dnrestrictiononly" session global attribute.
 * NOTE: this setting may be initialized more than once, which is acceptable because the
 * lookup is not an expensive operation. If the attribute cannot be read, the value falls
 * back to false (see the catch block below), so a lookup failure leaves IP-based
 * restrictions enabled rather than enforcing DN-only checking; it is only logged at
 * debug level, so such failures are easy to miss.
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major * @return Whether the DN restriction only is enabled.
ea342a784cd8d924a42a5721a4b0c42b4d644a93Diego Colantoni ServiceSchema schema = serviceSchemaManager.getGlobalSchema();
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major dnRestrictionOnly = Boolean.parseBoolean(CollectionHelper.getMapAttr(attrs,
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.message("DN restriction enabled: " + dnRestrictionOnly);
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major } catch (Exception e) {
1f7d36d655f5d4d021b4dd67ca200ac503f5a25ePeter Major DEBUG.message("Failed to get the default dnRestrictionOnly setting. => Setting to false", e);