DNOrIPAddressListTokenRestriction.java revision e6ff5d36907b3336d3ab0316cbfa6cdd781a20ee
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: DNOrIPAddressListTokenRestriction.java,v 1.7 2009/10/29 17:33:29 ericow Exp $
*
*/
/**
* Portions Copyrighted 2011-2012 ForgeRock Inc
*/
/**
* <code>DNOrIPAddressListTokenRestriction</code> implements the
* {@link TokenRestriction} interface and handles restrictions based on
* the <code>DN</code> or <code>IPAddress</code>.
*/
public class DNOrIPAddressListTokenRestriction implements TokenRestriction {
static final long serialVersionUID = 8352965917649287133L;
/**
* Indicates whether restriction checking is based strictly on the DN
* during cookie-hijacking mitigation mode.
* By default, if the DN is absent or cannot be determined, the restriction is
* set to the IP address of the client. If this property is not defined,
* it is assumed to be false.
* If strict DN checking is desired, this property must be defined
* with the value "true".
*/
private static boolean dnRestrictionOnly;
private static final String SESSION_DNRESTRICTIONONLY_ATTR_NAME =
"iplanet-am-session-dnrestrictiononly";
static {
if (debug.messageEnabled()) {
"DNOrIPAddressListTokenRestriction"
+": fetching value for dnRestrictionOnly:"+
}
}
/**
* Constructs <code>DNOrIPAddressListTokenRestriction</code> object based on
* the <code>DN</code> and list of host names to be restricted.
* @param dn the <code>DN</code> of the user
* @param hostNames list of host names.
* @exception Exception if the IP address of a host to be restricted cannot be
* resolved, or if something else goes wrong.
*/
while (st.hasMoreTokens()) {
} else {
}
}
} else {
}
if (!dnRestrictionOnly) {
boolean hostmatch = false;
try {
hostmatch = true;
} catch (UnknownHostException e) {
"DNOrIPAddressListTokenRestriction.constructor: "
+ "failure resolving host " + val);
}
throw new UnknownHostException(val);
}
}
}
}
}
if (debug.messageEnabled()) {
}
throw new IllegalStateException("DNOrIPAddressListTokenRestriction.hashcode error creating SHA-1 hash, hash was null");
}
if (debug.messageEnabled()) {
}
}
/**
* This method returns the restriction as a string.
*
*/
return asString;
}
/**
* Returns a hash code for this object.
*
* @return a hash code value for this object.
*/
public int hashCode() {
}
/**
* Returns true if the restriction matches the context for which it was
* set.
*
* @param context The context against which the restriction needs to be
* checked. The context can be any of the following: the Single
* Sign-On token of the application against which the restriction
* is being compared.
* @return true if the restriction is satisfied.
* @throws Exception if there was an error.
*/
return false;
"DNOrIPAddressListTokenRestriction"
+".isSatisfied(): context is instance of SSOToken");
}
while(st.hasMoreTokens()) {
return true;
}
}
if (debug.messageEnabled()) {
debug.message("DNOrIPAddressListTokenRestriction:isSatisfied SSOToken of " + udn + " does not match with restriction " + dn);
}
return false;
} else if (context instanceof InetAddress) {
if (dnRestrictionOnly) {
//returning true here lessens the security, but truth to be told
//sessionservice endpoint should not be accessible externally
"DNOrIPAddressListTokenRestriction.isSatisfied():"
+ "dnRestrictionOnly is true, but IP has been received "
+ "as the restriction context, this could be a "
+ "suspicious activity. Received InetAddress is: "
}
return true;
} else {
"DNOrIPAddressListTokenRestriction"
+".isSatisfied(): dnRestrictionOnly is false");
"DNOrIPAddressListTokenRestriction"
+".isSatisfied(): IP based"
+" restriction received and accepted");
}
}
} else {
+ context);
}
return false;
}
}
/**
* Returns true if <code>other</code> meets these criteria.
* <ol type="1">
* <li>it is not null
* <li>it is an instance of {@link DNOrIPAddressListTokenRestriction}
* <li>it has the same distinguished name as this object and
* <li>it has the same set of IP addresses as this object.
* </ol>
*
* @param other the object to be used for comparison.
* @return true if <code>other</code> meets the above criteria.
*/
&& (other instanceof DNOrIPAddressListTokenRestriction)
}
/**
* Gets the admin token for checking the DN restriction property.
* @return the admin {@link SSOToken}, or null if it could not be obtained
*/
static SSOToken getAdminToken() {
try {
} catch (Exception e) {
"Failed to get the admin token for "
+ "dnRestrictionOnly property checking.", e);
}
return null;
}
static SessionService getSS() {
"DNOrIPAddressListTokenRestriction: "
+ " Failed to get the session service instance");
}
return ss;
}
/**
* Gets the value of the "iplanet-am-session-dnrestrictiononly"
* session global attribute.
*
* @return whether the DN restriction only is enabled
*/
private static boolean getDNRestrictionOnly() {
boolean dnRestrictionOnly = false;
try {
} catch (Exception e) {
"Failed to get the default dnRestrictionOnly"
+ "setting. => Set dnRestrictionOnly to "
+ "false", e);
}
}
return dnRestrictionOnly;
}
}