/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: InternalSession.java,v 1.21 2009/03/20 21:05:25 weisun2 Exp $
*
* Portions Copyrighted 2011-2016 ForgeRock AS.
*/
/**
* The <code>InternalSession</code> class represents a Webtop internal session.
* <p>
* A session has four states: invalid, valid, inactive, and destroyed. The initial state of a session is invalid.
*
* @see SessionState
*
*/
/**
* Expiry time which is long enough to make sessions functionally non expiring.
*/
/*
* Session property names
*/
/*
* Support objects (do not serialize)
*/
/*
* System properties
*/
private static boolean isEnableHostLookUp = SystemProperties.getAsBoolean(Constants.ENABLE_HOST_LOOKUP);
/* Maximum frequency with which the access time in the repository will be updated. */
/* default idle time for invalid sessions */
@JsonProperty("maxDefaultIdleTime")
private static final long maxDefaultIdleTimeInMinutes =
/*
* State
*/
private boolean willExpireFlag;
private boolean isSessionUpgrade = false;
@JsonProperty("creationTime")
private long creationTimeInSeconds;
@JsonProperty("latestAccessTime")
private long latestAccessTimeInSeconds;
@JsonProperty("maxSessionTime")
private long maxSessionTimeInMinutes;
@JsonProperty("maxIdleTime")
private long maxIdleTimeInMinutes;
@JsonProperty("maxCachingTime")
private long maxCachingTimeInMinutes;
@JsonProperty("timedOutAt")
private final ConcurrentMap<SessionID, TokenRestriction> restrictedTokensBySid = new ConcurrentHashMap<>();
new ConcurrentHashMap<>();
/*
* The URL map for session events of THIS session only : SESSION_CREATION, IDLE_TIMEOUT, MAX_TIMEOUT, LOGOUT,
* REACTIVATION, DESTROY. Each URL in the map is associated with a set of token ids (master and potentially all of
* the restricted token ids associated with the master) that will be used in notification
*/
/* Session handle is used to prevent administrator from impersonating other users. */
/**
* Creates an instance of the Internal Session with its key dependencies exposed.
*
* Note: This InternalSession will be in an invalid state.
*
* @param sid Non null Session ID.
* @param service Non null SessionService.
* @param debug Debugging instance to use for all logging.
*/
sessionProperties = new Properties();
willExpireFlag = true;
}
/**
* Creates a new InternalSession with the given Session ID.
*
* Note: This InternalSession will be in an invalid state.
*
* @param sid SessionID Non null Session ID.
*/
this(sid,
}
/**
* Default constructor required for deserialisation, and should not be used elsewhere.
*
* When deserialised the code responsible for instantiating it will have no means of resolving dependencies.
*
* Instead this is deferred to
* {@link InternalSession#setSessionServiceDependencies(SessionService, SessionServiceConfig,
* InternalSessionEventBroker, SessionUtilsWrapper, SessionConstraint, Debug)}
*/
public InternalSession() {
// Intentionally left blank
}
/**
* The debug instance is not restored during deserialisation.
* @param debug Non null debug instance.
*/
}
/**
* The SessionService is not restored during deserialisation.
* @param service Non null SessionService.
*/
public void setSessionServiceDependencies(
SessionService service, SessionServiceConfig serviceConfig, InternalSessionEventBroker internalSessionEventBroker,
this.sessionService = service;
this.serviceConfig = serviceConfig;
this.sessionConstraint = sessionConstraint;
}
/**
* Returns the SessionID of this Internal Session.
* @return SessionID for the internal session object
*/
return sessionID;
}
/**
* Returns the type of Internal Session.
* @return <code>USER</code> or <code>APPLICATION</code>.
*/
return sessionType;
}
/**
* Set the type of Internal Session. User OR Application.
*
* @param type <code>USER</code> or <code>APPLICATION</code>.
*/
sessionType = type;
}
/**
* Returns Client ID, accessing this Internal Session.
*
* @return Client ID.
*/
return clientID;
}
/**
* Sets Client ID for this Internal Session.
*
* @param id
*/
}
/**
* Returns the Domain of the Client
*
* @return Client Domain
*/
return clientDomain;
}
/**
* Sets the Clieant's Domain.
*
* @param domain
* Client Domain
*/
}
/**
* Returns maximum time allowed for the Internal Session.
* @return the number of maximum minutes for the session
*/
public long getMaxSessionTime() {
return maxSessionTimeInMinutes;
}
/**
* Sets the maximum time (in minutes) allowed for the Internal Session
*
* @param maxSessionTimeInMinutes
* Maximum Session Time
*/
if (this.maxSessionTimeInMinutes != maxSessionTimeInMinutes) {
}
}
/**
* Returns the maximum idle time(in minutes) for the Internal Session.
* @return the number maximum idle minutes
*/
public long getMaxIdleTime() {
return maxIdleTimeInMinutes;
}
/**
* Sets the maximum idle time (in minutes) for the Internal Session.
*
* @param maxIdleTimeInMinutes
*/
}
/**
* Returns the maximum caching time(in minutes) allowed for the Internal
* Session.
* @return Maximum Cache Time
*/
public long getMaxCachingTime() {
return maxCachingTimeInMinutes;
}
/**
* Sets the maximum caching time(in minutes) for the Internal Session.
*
* @param t
* Maximum Caching Time
*/
public void setMaxCachingTime(long t) {
}
/**
* Returns the time(in seconds) for which the Internal Session has not been
* accessed.
* @return session idle time
*/
public long getIdleTime() {
}
/**
* Returns the total time left(in seconds) for the Internal Session. Returns 0 if the time left is negative.
* @return Time left for the internal session to be invalid
*/
public long getTimeLeft() {
}
/**
* @return <code>true</code> if the Internal session has timedout ,
* <code>false</code> otherwise
*/
public boolean isTimedOut() {
return timedOutTimeInSeconds != 0;
}
/**
* Cache the cookie string. No guarantees are made as to its continued persistence.
* @param cookieString The cookie string to persist.
*/
this.cookieStr = cookieString;
}
/**
* Returns the cached cookie string for this InternalSession. May be null.
* @return The cached cookie string. May be null.
*/
return cookieStr;
}
/**
* Return the SessionID object which represents this InternalSession.
* @return The session ID.
*/
return sessionID;
}
/**
* Returns the state of the Internal Session
* @return the session state can be VALID, INVALID, INACTIVE or DESTROYED
*/
return sessionState;
}
/**
* Get the authentication context associated with this session.
*
* @return the AuthContextLocal associated with this session
*/
return authContext;
}
/**
* Gets whether this session has an associated authenticationContext.
* @return true if this session has an authentication context.
*/
public boolean hasAuthenticationContext() {
return null != authContext;
}
/**
* Sets the authentication context.
*
* @param authContext the authentication context
*/
this.authContext = authContext;
}
/**
* Clears the authentication context from this session.
*/
public void clearAuthContext() {
this.authContext = null;
}
/**
* Returns the value of the specified key from the Internal Session property
* table.
*
* @param key
* Property key
* @return string value for the key from Internal Session table.
*/
}
/**
* Returns the Enumeration of property names of the Internal Session
* property table.
* @return list of properties in the Internal session table.
*/
return sessionProperties.propertyNames();
}
/**
* Helper method to check if a property is protected or not.
*
* We introduce a mechanism to protect certain "core" or "internal"
* properties from updates via remote SetProperty method of the
* SessionService. Allowing remote self-updates to session properties leads
* to a security vulnerability which allows unconstrained user impersonation
* or privilege elevation. See bug # 4814922 for more information
*
* protectedProperties contains a set of property names which can not be
* remotely updated. It is initially populated using static initializer. We
* also implemented an extra safety mechanism intended to protect from
* accidental reopening of this security hole in the future if a property
* name changes or new property is introduced without corresponding update
* of the static hardcoded list of protected properties below. This
* mechanism automatically adds any property to protectedProperties if it is
* set via local invocation of putProperty.
*
* However, some properties (such as Locale and CharSet) must be settable
* both locally and remotely. In order to make it configurable we use a
* second table called remotelyUpdateableProperties. Note that
* protectedProperties takes precedence over remotelyUpdateableProperties:
* remotelyUpdateableProperties will be consulted only if a property is not
* on the protectedProperties list already.
*
* The following tables defines the behavior of putProperty() and
* putExternalProperty() depending on whether property name is present in
* protectedProperties or remotelyUpdateableProperty list
*
* protectedProperties remotelyUpdateableProperties putProperty()
* putExternalProperty()
*
* in n/a sets value logs, does nothing
*
* out in sets value sets value
*
* out out sets value and sets value adds to protectedProperty
*
* @param key
* property name.
* @return true if property is protected else false.
*/
return protectedProperties.contains(key) || key.toLowerCase().startsWith(Constants.AM_PROTECTED_PROPERTY_PREFIX);
}
if (protectedPropertiesConfig != null) {
while (st.hasMoreTokens()) {
if (sessionDebug.messageEnabled()) {
}
}
}
return protectedProperties;
}
/**
* Sets the key-value pair in the InternalSession property table if it is
* not protected. If it is protected client should have permission to set
* it. This method is to be used in conjuction with
* SessionRequestHandler/SessionService invocation path If the property is
* protected, an attempt to remotely set a protected property is logged and
* the method throws an Exception. Otherwise invocation is delegated to
* internalPutProperty()
*
* Note that package default access is being used
*
* @param clientToken
* Token of the client setting external property.
* @param key
* Property key
* @param value
* Property value for the key
* @exception SessionException is thrown if the key is protected property.
*
*/
public void putExternalProperty(SSOToken clientToken, String key, String value) throws SessionException {
try {
} catch (SessionException se) {
throw se;
}
}
/**
* Sets the key-value pair in the Internal Session property table. This
* method should only be invoked locally by code running in the same server
* VM. Remote invocations should use putExternalProperty(). This is a simple
* wrapper around internalPutProperty(), which in addition calls to
* registerProtectedProperty() to make sure that if a property key is not
* already on the list of protected properties, it will be automatically
* added there (unless it is also on remotelyUpdateableProperties list!)
*
* @param key
* Property key
* @param value
* Property value for the key
*/
}
/**
* Sets the key-value pair in the Internal Session property table.
*
* @param key
* Property key
* @param value
* Property value for the key
*/
return;
}
if (isEnableHostLookUp) {
try {
} catch (UnknownHostException uhe) {
"InternalSession.internalputProperty():"
+ "Unable to get HostName for:" + value
+ " SessionException: ", uhe);
}
} else {
}
} else {
}
}
}
/**
* Sets the status of the isSessionUpgrade flag to which determines if the
* <code>Session</code> is in the upgrade state or not.
*
* @param value <code>true</code> if it is an upgrade
* <code>false</code> otherwise
*/
}
/**
* Gets the status of the <code>Session</code> if is an upgrade state
*
* @return <code>true</code> if the session is in upgrade state
* <code>false</code> otherwise
*/
public boolean getIsSessionUpgrade() {
return isSessionUpgrade;
}
/**
* Returns whether the InternalSession represented has been stored. If this is true, changes to this object will
* update the stored version.
* return <code>true</code> if the internal session is stored
* <code>false</code> otherwise
*/
public boolean isStored() {
return persistenceManager != null;
}
/**
* Changes the state of the session to ACTIVE after creation.
* @param userDN
* @return <code> true </code> if the session is successfully activated
* after creation , <code>false</code> otherwise
*/
// check userDN was provided
return false;
}
// check session quota constraints
if (sessionConstraint.checkQuotaAndPerformAction(this)) {
return false;
}
}
// safe to proceed with session activation
return true;
}
/*
* The session quota checking will be bypassed if:
* (1) the login user is the super user (not including users assigned the top level admin role), or
* (2) the token is an application token (e.g. Agent)
*/
private boolean shouldIgnoreSessionQuotaChecking() {
boolean ignore = false;
ignore = true;
}
return ignore;
}
/**
* Gets the User Universal ID
* @return UUID
*/
return getProperty(UNIVERSAL_IDENTIFIER);
}
/**
* Sets the willExpireFlag. This flag specify that whether the session will
* ever expire or not.
*/
public void setNonExpiring() {
willExpireFlag = false;
}
/**
* Sets session timeout time (in millis).
*
* @param timeoutTime The timeout time (in millis).
*/
}
return toSessionInfo(true);
}
/**
* Transfers the info about the Internal Session to Session Info.
* @return SessionInfo
*/
if (withIds) {
} else {
}
}
if (willExpireFlag) {
} else {
// Sessions such as authentication session will never be destroyed
info.setNeverExpiring(true);
}
//Adding the sessionHandle as a session property, so the sessionHandle is available in Session objects.
}
return info;
}
/**
* Sets the last time the client sent a request associated with this
* session, as the number of seconds since midnight January 1, 1970 GMT.
*
* Once updated the Session will be persisted.
*/
public void setLatestAccessTime() {
}
}
/**
* Sets the {@link SessionState} of the Internal Session.
*
* @param sessionState
*/
if (this.sessionState != sessionState) {
this.sessionState = sessionState;
}
}
/**
* Returns the URL of the Session events and the associated master and
* restricted token ids.
* @return Map of session event URLs and their associated SessionIDs.
*/
if (sessionIDs != null) {
} else {
}
}
return urls;
}
/**
* Adds a listener for the associated session ID.
* @param url The listening URL.
* @param sid The associated SessionID.
*/
if (previousValue != null) {
}
}
}
}
/**
* This setter method is used by the JSON serialization mechanism and should not be used for other purposes.
*
* @param restrictedTokensBySid The deserialized map of sid<->restricted tokens that should be stored in a
* ConcurrentHashMap.
*/
private void setRestrictedTokensBySid(ConcurrentMap<SessionID, TokenRestriction> restrictedTokensBySid) {
}
}
/**
* This setter method is used by the JSON serialization mechanism and should not be used for other purposes.
*
* @param sessionEventURLs The deserialized map of sessionEventURLs that should be stored in a ConcurrentHashMap.
*/
}
}
/**
* Returns the value of willExpireFlag.
*
*/
public boolean willExpire() {
return willExpireFlag;
}
/**
* Determine whether it is an application session.
*
* @return <code>true</code> if this is an application session, <code>false</code> otherwise.
*/
public boolean isAppSession() {
}
/**
* Determine whether it is a user session.
*
* @return <code>true</code> if this is a user session, <code>false</code> otherwise.
*/
public boolean isUserSession() {
}
/**
* Sets the creation time of the Internal Session, as the number of seconds
* since midnight January 1, 1970 GMT.
*/
private void setCreationTime() {
}
/**
* Add new restricted token pointing at the same session to the list.
*
* @param newRestrictedTokenId The session ID.
* @param restriction The token restriction.
* @return The restricted token id for this TokenRestriction.
*/
SessionID currentRestrictedTokenId = restrictedTokensByRestriction.putIfAbsent(restriction, newRestrictedTokenId);
if (currentRestrictedTokenId == null) {
return newRestrictedTokenId;
}
return currentRestrictedTokenId;
}
/**
* Returns the TokenRestriction for the given SessionID.
*
* @param sid Possibly null SessionID.
* @return Null indicates there is no restriction on the Session.
*/
}
/**
* Returns the SessionID of the restricted token for the provided restriction for this session.
*
* @param restriction restriction used to look up restricted token.
* @return restricted token sessionID.
*/
}
/**
* Returns the set (possibly empty) of restricted session IDs associated with this session. A restricted session
* ID can only be used when the associated {@link TokenRestriction} is satisfied. Typically this ties a particular
* user session to only be used via a particular agent or from a particular IP address.
* <p>
* The result is a copy of the current restricted token set: modifications to it will not change the set of
* restricted tokens associated with the session.
*
* @return the set of restricted tokens associated with this session. Never null but can be empty.
*/
}
/**
* Returns true if cookies are supported.
*
* @return true if cookie supported;
*/
public boolean getCookieSupport() {
boolean cookieSupport = false;
} else if (this.cookieMode != null) {
cookieSupport = this.cookieMode;
}
return cookieSupport;
}
/**
* set the cookieMode based on whether the request has cookies or not. This
* method is called from createSSOToken(request) method in SSOTokenManager.
*
* @param cookieMode ,
* Boolean value whether request has cookies or not.
*/
// TODO: Remove unused method
if (cookieMode != null) {
this.cookieMode = cookieMode;
}
}
/**
* Used during session deserialization. This method SHALL NOT be invoked by custom code.
*
* @param sessionHandle The sessionHandle to set.
*/
this.sessionHandle = sessionHandle;
//No need to update the session for failover, as this method is invoked only upon session
}
/**
* Returns the session handle.
*
* @return The session handle.
*/
return sessionHandle;
}
/**
* Computes session object expiration time as the smallest of the remaining idle time (or purge delay if the
* session has already timed out) or the session lifetime limit.
* <p>
* Time value is returned in the requested unit (accurate to millisecond) and uses the
* same epoch as {@link System#currentTimeMillis()}.
*
* @param timeUnit the time unit to return the result in.
* @return the result in the given units.
*/
}
/**
* Returns time at which session's lifetime expires.
* <p>
* Time value is returned in the requested unit (accurate to millisecond) and uses the
* same epoch as {@link System#currentTimeMillis()}.
*
* @see #getMaxSessionTime()
* @param timeUnit the time unit to return the result in.
* @return the result in the given units.
*/
return timeUnit.convert(creationTimeInSeconds + MINUTES.toSeconds(maxSessionTimeInMinutes), SECONDS);
}
/**
* Returns time at which session's idle time expires.
* <p>
* Time value is returned in the requested unit (accurate to millisecond) and uses the
* same epoch as {@link System#currentTimeMillis()}.
*
* @see #getMaxIdleTime()
* @param timeUnit the time unit to return the result in.
* @return the result in the given units.
*/
return timeUnit.convert(latestAccessTimeInSeconds + MINUTES.toSeconds(maxIdleTimeInMinutes), SECONDS);
}
/**
* @return True if the Session has reached an invalid state.
*/
public boolean isInvalid() {
}
}
private void notifyPersistenceManager() {
if (persistenceManager != null) {
persistenceManager.notifyUpdate(this);
}
}
sessionEventBroker.onEvent(new InternalSessionEvent(this, sessionEventType, Time.currentTimeMillis()));
}
}