/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: DNOrIPAddressListTokenRestriction.java,v 1.7 2009/10/29 17:33:29 ericow Exp $
 *
 */

/**
 * Portions Copyrighted 2011-2012 ForgeRock Inc
 */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpackage com.iplanet.dpro.session;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
import com.iplanet.am.util.Misc;
import com.iplanet.dpro.session.service.SessionService;
import com.iplanet.sso.SSOToken;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.ServiceSchema;
import com.sun.identity.sm.ServiceSchemaManager;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.StringTokenizer;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
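/**
 * <code>DNOrIPAddressListTokenRestriction</code> implements the
 * {@link TokenRestriction} interface and restricts the use of a session
 * token either to a set of principal <code>DN</code>s or to a set of
 * client <code>IPAddress</code>es.
 * <p>
 * Which of the two checks applies is decided by the global session-service
 * attribute <code>iplanet-am-session-dnrestrictiononly</code>, read once
 * when this class is loaded (see {@link #getDNRestrictionOnly()}):
 * <ul>
 * <li>when it is <code>false</code> (the default, and the fallback whenever
 * the attribute cannot be read) the host names handed to the constructor are
 * resolved up front and an <code>InetAddress</code> context is accepted only
 * if it is one of the resolved addresses;</li>
 * <li>when it is <code>true</code> only the DN check is meaningful and an
 * <code>InetAddress</code> context is accepted unconditionally (see the
 * note on {@link #isSatisfied(Object)}).</li>
 * </ul>
 * <p>
 * NOTE(review): the mode flag is <code>static</code> and therefore not part
 * of the serialized state (the class carries a <code>serialVersionUID</code>,
 * so instances are presumably serialized, e.g. when sessions are
 * replicated — confirm against TokenRestriction). A restriction created on
 * one server is evaluated with the mode of the server it is deserialized on,
 * so the attribute should be identical on every server that shares sessions.
 */
public class DNOrIPAddressListTokenRestriction implements TokenRestriction {

    static final long serialVersionUID = 8352965917649287133L;

    /** Separator between the individual DNs of a multi-DN restriction. */
    private static final String DN_SEPARATOR = "|";

    /** Canonicalized DN, or several canonicalized DNs joined by {@code '|'}. */
    private final String dn;
    private static final Debug debug;

    /**
     * Addresses the restriction was pinned to at construction time. Stays
     * empty when {@link #dnRestrictionOnly} is set, because the host names
     * are then not resolved at all.
     */
    private final Set<InetAddress> addressList = new HashSet<InetAddress>();

    /**
     * Stable textual form of the restriction: the DN line followed by the
     * host names in sorted order, one per line. It is the basis of
     * {@link #equals(Object)}, {@link #hashCode()} and {@link #toString()}.
     */
    private final String asString;

    /**
     * boolean to indicate if the restriction checking is strictly based on DN
     * or not during cookie hijacking mitigation mode.
     * By default if DN is absent or cannot be determined, restriction is
     * set to IP address of the client. This property, if not defined,
     * is assumed false.
     * If strict DN checking is desired this property needs to be defined
     * with value "true".
     * <p>
     * Read exactly once, in the static initializer; changing the attribute
     * at runtime has no effect until the class is reloaded.
     */
    private static final boolean dnRestrictionOnly;

    private static final String SESSION_DNRESTRICTIONONLY_ATTR_NAME =
        "iplanet-am-session-dnrestrictiononly";

    private static final String AM_SESSION_SERVICE = "iPlanetAMSessionService";

    static {
        debug = Debug.getInstance("amSession");
        dnRestrictionOnly = getDNRestrictionOnly();
        if (debug.messageEnabled()) {
            debug.message(
                "DNOrIPAddressListTokenRestriction"
                + ": fetching value for dnRestrictionOnly:"
                + dnRestrictionOnly);
        }
    }

    /**
     * Constructs <code>DNOrIPAddressListTokenRestriction</code> object based on
     * the <code>DN</code> and list of host names to be restricted.
     * <p>
     * Host names are resolved here, once; later DNS changes are not picked up
     * by {@link #isSatisfied(Object)}. When {@link #dnRestrictionOnly} is set
     * the host names are not resolved at all and only contribute to the
     * string form of the restriction.
     *
     * @param dn the <code>DN</code> of the user; several DNs may be given
     *        separated by {@code '|'}, each is canonicalized individually.
     * @param hostNames list of host names (or literal IP addresses). The list
     *        is not modified.
     * @exception NullPointerException if <code>dn</code> or
     *        <code>hostNames</code> is <code>null</code>.
     * @exception UnknownHostException if host resolution is enabled and not a
     *        single one of the host names could be resolved (the name of the
     *        last unresolved host is reported).
     * @exception Exception if something else goes wrong.
     */
    public DNOrIPAddressListTokenRestriction(String dn, List<String> hostNames) throws Exception {
        Objects.requireNonNull(dn, "dn");
        Objects.requireNonNull(hostNames, "hostNames");

        this.dn = canonicalizeDnList(dn);

        if (!dnRestrictionOnly) {
            resolveHosts(hostNames);
        }

        // Sort a copy: the canonical string form must not reorder the
        // caller's list as a side effect.
        List<String> sortedHosts = new ArrayList<String>(hostNames);
        Collections.sort(sortedHosts);
        StringBuilder buf = new StringBuilder(this.dn).append('\n');
        for (String hostName : sortedHosts) {
            buf.append(hostName).append('\n');
        }
        asString = buf.toString();
        if (debug.messageEnabled()) {
            debug.message("DNOrIPAddressListTokenRestriction.new " + asString);
        }
    }

    /**
     * Canonicalizes a single DN, or each DN of a {@code '|'}-separated list
     * and re-joins them with the same separator.
     * <p>
     * A string whose only {@code '|'} is the very first character is treated
     * as a single DN, as before.
     *
     * @param rawDn the DN or DN list as given by the caller.
     * @return the canonicalized form used for comparisons.
     */
    private static String canonicalizeDnList(String rawDn) {
        if (rawDn.indexOf('|') <= 0) {
            return Misc.canonicalize(rawDn);
        }
        StringBuilder buf = new StringBuilder();
        boolean first = true;
        StringTokenizer st = new StringTokenizer(rawDn, DN_SEPARATOR);
        while (st.hasMoreTokens()) {
            if (!first) {
                buf.append('|');
            }
            buf.append(Misc.canonicalize(st.nextToken()));
            first = false;
        }
        return buf.toString();
    }

    /**
     * Resolves every host name into {@link #addressList}.
     * <p>
     * Names that do not resolve are logged at warning level and skipped, so a
     * list with at least one good entry still yields a usable restriction.
     * Only when none of the names resolved is an exception raised, naming the
     * last host that failed.
     *
     * @param hostNames the host names or literal addresses to resolve.
     * @throws UnknownHostException if the list is non-empty and no entry
     *         could be resolved.
     */
    private void resolveHosts(List<String> hostNames) throws UnknownHostException {
        boolean anyResolved = false;
        String lastUnresolved = null;
        for (String host : hostNames) {
            try {
                addressList.add(InetAddress.getByName(host));
                anyResolved = true;
            } catch (UnknownHostException e) {
                lastUnresolved = host;
                if (SessionService.sessionDebug.warningEnabled()) {
                    SessionService.sessionDebug.warning(
                        "DNOrIPAddressListTokenRestriction.constructor: "
                        + "failure resolving host " + host);
                }
            }
        }
        if (!anyResolved && lastUnresolved != null) {
            throw new UnknownHostException(lastUnresolved);
        }
    }

    /**
     * This method returns the restriction as a string.
     *
     * @return A concatenated string of DN and/or Host Name/IP Address.
     */
    @Override
    public String toString() {
        return asString;
    }

    /**
     * Returns a hash code for this object, derived from {@link #toString()}
     * so that it is consistent with {@link #equals(Object)}.
     *
     * @return a hash code value for this object.
     */
    @Override
    public int hashCode() {
        return asString.hashCode();
    }

    /**
     * Returns a true if the restriction matches the context for which it was
     * set.
     * <p>
     * Security note: when {@link #dnRestrictionOnly} is <code>true</code> an
     * <code>InetAddress</code> context is accepted <em>unconditionally</em>
     * (a warning is logged). This is fail-open by design of the original
     * authors, who rely on the session-service endpoint not being reachable
     * from outside; deployments that enable strict DN checking should verify
     * that network-level restriction is in place.
     *
     * @param context The context from which the restriction needs to be
     *        checked. The context can be any from the following - the Single
     *        Sign on token of the Application against which the restriction
     *        is being compared - the IP Address/Host Name of the Application
     *        against which the restriction is being compared
     * @return true if the restriction is satisfied; false for a
     *         <code>null</code> context or a context of an unknown type.
     * @throws Exception is thrown if the there was an error.
     */
    public boolean isSatisfied(Object context) throws Exception {
        if (context == null) {
            return false;
        }
        if (context instanceof SSOToken) {
            return matchesPrincipal((SSOToken) context);
        }
        if (context instanceof InetAddress) {
            return matchesAddress((InetAddress) context);
        }
        if (SessionService.sessionDebug.warningEnabled()) {
            SessionService.sessionDebug.warning("Unknown context type:"
                + context);
        }
        return false;
    }

    /**
     * DN branch of {@link #isSatisfied(Object)}: the canonicalized principal
     * name of the token must equal one of the restriction's DNs exactly.
     *
     * @param usedBy the token whose principal is being checked.
     * @return true if the principal's DN is one of the restricted DNs.
     * @throws Exception if the principal of the token cannot be obtained.
     */
    private boolean matchesPrincipal(SSOToken usedBy) throws Exception {
        if (SessionService.sessionDebug.messageEnabled()) {
            SessionService.sessionDebug.message(
                "DNOrIPAddressListTokenRestriction"
                + ".isSatisfied(): context is instance of SSOToken");
        }
        String udn = Misc.canonicalize(usedBy.getPrincipal().getName());
        StringTokenizer st = new StringTokenizer(dn, DN_SEPARATOR);
        while (st.hasMoreTokens()) {
            if (st.nextToken().equals(udn)) {
                return true;
            }
        }

        if (debug.messageEnabled()) {
            debug.message("DNOrIPAddressListTokenRestriction:isSatisfied SSOToken of " + udn
                + " does not match with restriction " + dn);
        }
        return false;
    }

    /**
     * Address branch of {@link #isSatisfied(Object)}.
     * <p>
     * In IP mode the address must be one of those resolved at construction.
     * In DN-only mode no address was ever resolved, so the check cannot be
     * performed and the call passes (fail-open, see
     * {@link #isSatisfied(Object)}); the event is logged as suspicious.
     *
     * @param address the client address being checked.
     * @return true if the address is allowed (or the check is bypassed).
     */
    private boolean matchesAddress(InetAddress address) {
        if (dnRestrictionOnly) {
            //returning true here lessens the security, but truth to be told
            //sessionservice endpoint should not be accessible externally
            if (SessionService.sessionDebug.warningEnabled()) {
                SessionService.sessionDebug.warning(
                    "DNOrIPAddressListTokenRestriction.isSatisfied():"
                    + "dnRestrictionOnly is true, but IP has been received "
                    + "as the restriction context, this could be a "
                    + "suspicious activity. Received InetAddress is: "
                    + address.toString());
            }
            return true;
        }
        if (SessionService.sessionDebug.messageEnabled()) {
            SessionService.sessionDebug.message(
                "DNOrIPAddressListTokenRestriction"
                + ".isSatisfied(): dnRestrictionOnly is false");
            SessionService.sessionDebug.message(
                "DNOrIPAddressListTokenRestriction"
                + ".isSatisfied(): IP based"
                + " restriction received and accepted");
        }
        // InetAddress equality is by address bytes, so a host that resolved to
        // the same address under another name still matches.
        return addressList.contains(address);
    }

    /**
     * Returns true of <code>other</code> meets these criteria.
     * <ol type="1">
     * <li>it is not null
     * <li>it is an instance of {@link DNOrIPAddressListTokenRestriction}
     * <li>it has the same distinguished name as this object and
     * <li>it has the same set of host names as this object.
     * </ol>
     * Comparison is done on the string form, i.e. on the host names as
     * configured, not on the resolved addresses.
     *
     * @param other the object to be used for comparison.
     * @return true if <code>other</code> meets the above criteria.
     */
    @Override
    public boolean equals(Object other) {
        if (!(other instanceof DNOrIPAddressListTokenRestriction)) {
            return false;
        }
        return asString.equals(other.toString());
    }

    /**
     * Gets the admin token for checking the dn restriction property.
     *
     * @return the admin {@link SSOToken}, or <code>null</code> if it could
     *         not be obtained (the failure is logged at error level).
     */
    static SSOToken getAdminToken() {
        try {
            return (SSOToken) AccessController.doPrivileged(
                AdminTokenAction.getInstance());
        } catch (Exception e) {
            SessionService.sessionDebug.error(
                "Failed to get the admin token for "
                + "dnRestrictionOnly property checking.", e);
        }
        return null;
    }

    /**
     * Returns the {@link SessionService} singleton, logging an error when it
     * is not available. Not used within this class; kept for callers in the
     * package.
     *
     * @return the session service instance, or <code>null</code>.
     */
    static SessionService getSS() {
        SessionService ss = SessionService.getSessionService();
        if (ss == null) {
            SessionService.sessionDebug.error(
                "DNOrIPAddressListTokenRestriction: "
                + " Failed to get the session service instance");
        }
        return ss;
    }

    /**
     * Gets the value of the "iplanet-am-session-dnrestrictiononly"
     * session global attribute.
     * <p>
     * Any failure to read the attribute (no admin token, service management
     * unavailable, ...) yields <code>false</code>, i.e. IP-based mode. Because
     * that silently overrides a configured strict-DN setting, the fallback is
     * logged at warning level rather than debug level.
     *
     * @return whether the DN restriction only is enabled
     */
    private static boolean getDNRestrictionOnly() {
        boolean dnRestrictionOnly = false;
        try {
            ServiceSchemaManager ssm = new ServiceSchemaManager(
                AM_SESSION_SERVICE, getAdminToken());
            ServiceSchema schema = ssm.getGlobalSchema();
            Map attrs = schema.getAttributeDefaults();
            dnRestrictionOnly = Boolean.parseBoolean(
                CollectionHelper.getMapAttr(
                    attrs, SESSION_DNRESTRICTIONONLY_ATTR_NAME, "false"));
        } catch (Exception e) {
            if (SessionService.sessionDebug.warningEnabled()) {
                SessionService.sessionDebug.warning(
                    "Failed to get the default dnRestrictionOnly"
                    + "setting. => Set dnRestrictionOnly to "
                    + "false", e);
            }
        }
        return dnRestrictionOnly;
    }
}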