SessionRequestHandler.java revision bf2a56fd7e5b3bb37378e87e32829a01402d27f0
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * The contents of this file are subject to the terms
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * of the Common Development and Distribution License
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * (the License). You may not use this file except in
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * compliance with the License.
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * You can obtain a copy of the License at
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * https://opensso.dev.java.net/public/CDDLv1.0.html or
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * See the License for the specific language governing
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * permission and limitations under the License.
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * When distributing Covered Code, include this CDDL
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * Header Notice in each file and include the License file
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * If applicable, add the following below the CDDL Header,
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * with the fields enclosed by brackets [] replaced by
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * your own identifying information:
88b21ceea35c266dd8f33fbafd9973d443efe96fmrossign * "Portions Copyrighted [year] [name of copyright owner]"
44927ac95bbf5d52e9dae2100e09b58f1f01f8dbgbellato * $Id: SessionRequestHandler.java,v 1.9 2009/04/02 04:11:44 ericow Exp $
44927ac95bbf5d52e9dae2100e09b58f1f01f8dbgbellato * Portions Copyrighted 2011-2016 ForgeRock AS.
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport static org.forgerock.openam.audit.AuditConstants.Component.*;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport static org.forgerock.openam.session.SessionConstants.*;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport org.forgerock.guice.core.InjectorHolder;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport org.forgerock.openam.session.SessionCache;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport org.forgerock.openam.session.SessionPLLSender;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport org.forgerock.openam.session.SessionServiceURLService;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport org.forgerock.openam.sso.providers.stateless.StatelessSessionFactory;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport com.iplanet.dpro.session.SessionException;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport com.iplanet.dpro.session.share.SessionBundle;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport com.iplanet.dpro.session.share.SessionInfo;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport com.iplanet.dpro.session.share.SessionRequest;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport com.iplanet.dpro.session.share.SessionResponse;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport com.iplanet.services.comm.server.PLLAuditor;
dbc7d9a87959bb94723ca1f56e22cbd9044fb416gbellatoimport com.iplanet.services.comm.server.RequestHandler;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterimport com.sun.identity.session.util.RestrictedTokenAction;
6bb100d3f180f6f3c740b20e09cb6bdc304cddcfpgambaimport com.sun.identity.session.util.RestrictedTokenContext;
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * Responsible for processing a PLL request and routing it to the appropriate handler which will respond to the caller
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * the results of the operation.
5c5d8d41fd26273525b669e084095ef2172457b6mrossign * The operations available from this handler split into two broad categories:
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * In the first group, the request is targeting either all LOCAL sessions or a single local session identified by another
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * request parameter. The session ID in this case is only used to authenticate the operation. That session is not
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff * expected to be local to this server (although it might). These operations are:
44927ac95bbf5d52e9dae2100e09b58f1f01f8dbgbellato * <li>GetValidSessions</li>
44927ac95bbf5d52e9dae2100e09b58f1f01f8dbgbellato * <li>GetSessionCount</li>
5c5d8d41fd26273525b669e084095ef2172457b6mrossign * In the second group, the request is targeting a single session identified by a session ID, which is supposed to be
dbc7d9a87959bb94723ca1f56e22cbd9044fb416gbellato * hosted by this server instance. The session ID is used both as an id for the target session and to authenticate the
dbc7d9a87959bb94723ca1f56e22cbd9044fb416gbellato * operation (i.e. operations are performed on the callers own session). The operations in this group are:
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * <li>GetSession</li>
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * <li>Logout</li>
dbc7d9a87959bb94723ca1f56e22cbd9044fb416gbellato * <li>AddSessionListener</li>
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * <li>SetProperty</li>
dbc7d9a87959bb94723ca1f56e22cbd9044fb416gbellato * <li>DestroySession</li>
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suterpublic class SessionRequestHandler implements RequestHandler {
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff private final StatelessSessionFactory statelessSessionFactory;
8c6a14e9610d08491d2e2415c0c603441ddb4968kenneth_suter private static final SessionServiceURLService SESSION_SERVICE_URL_SERVICE = InjectorHolder.getInstance(SessionServiceURLService.class);
c4cdb34ae21ebbbc11586715cfa777fd2a75b8e0gbellato private static final SessionCache sessionCache = InjectorHolder.getInstance(SessionCache.class);
c4cdb34ae21ebbbc11586715cfa777fd2a75b8e0gbellato private static final SessionPLLSender sessionPLLSender = InjectorHolder.getInstance(SessionPLLSender.class);
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter sessionService = InjectorHolder.getInstance(SessionService.class);
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter sessionDebug = InjectorHolder.getInstance(Key.get(Debug.class, Names.named(SESSION_DEBUG)));
44927ac95bbf5d52e9dae2100e09b58f1f01f8dbgbellato serverConfig = InjectorHolder.getInstance(SessionServerConfig.class);
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter statelessSessionFactory = InjectorHolder.getInstance(StatelessSessionFactory.class);
dbc7d9a87959bb94723ca1f56e22cbd9044fb416gbellato * Understands how to resolve a Token based on its SessionID.
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * Stateless Sessions by their very nature do not need to be stored in memory, and so
dbc7d9a87959bb94723ca1f56e22cbd9044fb416gbellato * can be resolved in a different way to Stateful Sessions.
32ae71dc042a0705476818a67d5abcebf52689b9lfrost * @param sessionID Non null Session ID.
32ae71dc042a0705476818a67d5abcebf52689b9lfrost * @return Null if no matching Session could be found, otherwise a non null
32ae71dc042a0705476818a67d5abcebf52689b9lfrost * Session instance.
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter * @throws SessionException If there was an error resolving the Session.
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter private Session resolveSession(SessionID sessionID) throws SessionException {
dbc7d9a87959bb94723ca1f56e22cbd9044fb416gbellato if (statelessSessionFactory.containsJwt(sessionID)) {
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter return statelessSessionFactory.generate(sessionID);
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter public ResponseSet process(PLLAuditor auditor,
4d325b0e734b14038f641390866198852cb8a3dfludovicp ResponseSet rset = new ResponseSet(SessionService.SESSION_SERVICE);
d6d2f1fe7f71b877214d2adee570f1b44b115a99gbellato Response res = processRequest(auditor, req, servletRequest);
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff final SessionRequest sreq = SessionRequest.parseXML(req.getContent());
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter SessionResponse sres = new SessionResponse(sreq.getRequestID(), sreq.getMethodID());
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter // use remote client IP as default RestrictedToken context
44927ac95bbf5d52e9dae2100e09b58f1f01f8dbgbellato context = SessionUtils.getClientAddress(servletRequest);
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter sessionDebug.error("SessionRequestHandler encountered exception", ex);
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter return auditedExceptionResponse(auditor, sres);
53247d28ba99538f841a13ea2cde01c3faa3ef36kenneth_suter context = RestrictedTokenContext.unmarshal(requester);
44927ac95bbf5d52e9dae2100e09b58f1f01f8dbgbellato SSOTokenManager ssoTokenManager = SSOTokenManager.getInstance();
d361f9c126f69149b31512e1da2566cd05205f11gbellato sres.setException(SessionBundle.getString("appTokenInvalid") + requester);
72203eb185213ac610d2d9f4d2cd58d222aa72fdpgamba "SessionRequestHandler.processRequest:"
cd1e79978ef93553e6bee585a61e63256596f9eccoulbeck + "app token invalid, sending Session response"
6bb100d3f180f6f3c740b20e09cb6bdc304cddcfpgamba +" with Exception");
6bb100d3f180f6f3c740b20e09cb6bdc304cddcfpgamba sres.setException(SessionBundle.getString("appTokenInvalid") + requester);
6bb100d3f180f6f3c740b20e09cb6bdc304cddcfpgamba sres = (SessionResponse) RestrictedTokenContext.doUsing(context,
6bb100d3f180f6f3c740b20e09cb6bdc304cddcfpgamba return fsre.getResponse(); // This request needs to be forwarded to another server.
cd1e79978ef93553e6bee585a61e63256596f9eccoulbeck sessionDebug.message("processSessionRequest caught exception: {}", se.getMessage(), se);
cd1e79978ef93553e6bee585a61e63256596f9eccoulbeck return handleException(sreq, new SessionID(sreq.getSessionID()), se.getMessage());
de0a11aeb6a2954fb43eecd2e646eb2d03c41f71pgamba sessionDebug.message("processSessionRequest caught exception: {}", se.getResponseMessage(), se);
cd1e79978ef93553e6bee585a61e63256596f9eccoulbeck return handleException(sreq, se.getSid(), se.getResponseMessage());
eb4e26a8f06d28b2b79f2ce6f1ffd9611dd2c82apgamba sessionDebug.error("SessionRequestHandler encountered exception", ex);
5faab39c66ccd49a6c2bc1f9408f5fd131f33e00pgamba private Response auditedExceptionResponse(PLLAuditor auditor, SessionResponse sres) {
38517882c5bafd5ce8f2f6388542cc27ae307682matthew_swift private SessionResponse processSessionRequest(PLLAuditor auditor, SessionRequest req) throws SessionException,
38517882c5bafd5ce8f2f6388542cc27ae307682matthew_swift SessionRequestException, ForwardSessionRequestException {
df880e8f097ecf074c379e7137f2672437ac858fmatthew // Log the access attempt without session properties, then continue.
4d325b0e734b14038f641390866198852cb8a3dfludovicp private void verifyRequestingSessionIsNotRestrictedToken(Session requesterSession)
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff if (requesterSession.getProperty(TOKEN_RESTRICTION_PROP) != null) {
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff throw new SessionRequestException(requesterSession.getSessionID(), SessionBundle.getString("noPrivilege"));
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff private void verifyValidRequest(SessionRequest req, Session requesterSession) throws SessionException,
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff SessionRequestException, ForwardSessionRequestException {
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff SessionID targetSid = requesterSession.getSessionID();
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff if (req.getMethodID() == SessionRequest.DestroySession) {
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff targetSid = new SessionID(req.getDestroySessionID());
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff verifyRequestingSessionIsNotRestrictedToken(requesterSession);
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff } else if (req.getMethodID() == SessionRequest.SetProperty) {
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff sessionDebug.warning("SessionRequestHandler.processRequest: Client does not have permission to set"
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff throw new SessionRequestException(requesterSession.getSessionID(), SessionBundle.getString("noPrivilege"));
d25372dc8e65a9ed019a88fdf659ca61313f1b31jcduff verifyRequestingSessionIsNotRestrictedToken(requesterSession);
c4cdb34ae21ebbbc11586715cfa777fd2a75b8e0gbellato throw new SessionRequestException(requesterSession.getSessionID(), SessionBundle.getString("unknownRequestMethod"));
c4cdb34ae21ebbbc11586715cfa777fd2a75b8e0gbellato * Verify that this server is the correct host for the session and the session can be found(or recovered) locally.
c4cdb34ae21ebbbc11586715cfa777fd2a75b8e0gbellato * This function will become much simpler with removal of home servers, or possibly no longer be required.
df938720b09e4894f016a263c3465fd08bf8e001gbellato private void verifyTargetSessionIsLocal(SessionRequest req, SessionID sid) throws SessionException,
9cb5b32bcc04eea45d4c1fb0e29ddc0dbe54a7b7gbellato SessionRequestException, ForwardSessionRequestException {
9cb5b32bcc04eea45d4c1fb0e29ddc0dbe54a7b7gbellato String hostServerID = sessionService.getCurrentHostServer(sid);
eef6695bc3b88e10d60477095ebddd4b9499481fpgamba forward(SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(hostServerID), req));
eef6695bc3b88e10d60477095ebddd4b9499481fpgamba // attempt retry
fcedc930b58fc0ebac2b9d622b6f0a03dd6e5b1cludovicp // proceed with failover
fcedc930b58fc0ebac2b9d622b6f0a03dd6e5b1cludovicp String retryHostServerID = sessionService.getCurrentHostServer(sid);
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign // we have a shot at retrying here
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign // if it is remote, forward it
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign // otherwise treat it as a case of local
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign if (!serverConfig.isLocalServer(retryHostServerID)) {
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign forward(SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(hostServerID), req));
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign throw new SessionRequestException(sid, SessionBundle.getString("sessionNotObtained"));
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign * Request method-specific processing
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign private SessionResponse processMethod(SessionRequest req, Session requesterSession) throws SessionException {
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign SessionResponse res = new SessionResponse(req.getRequestID(), req.getMethodID());
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign if (statelessSessionFactory.containsJwt(requesterSession.getSessionID())) {
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign // We need to validate the session before creating the sessioninfo to ensure that the
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign // stateless session hasn't timed out yet, and hasn't been blacklisted either.
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign SSOTokenManager tokenManager = SSOTokenManager.getInstance();
aca8fb94414cb0e7cd21e6d0c205b95f9dc03500mrossign final SSOToken statelessToken = tokenManager.createSSOToken(req.getSessionID());
85f6e15f35fa13ce5e3d0ed1716c8986b048745emrossign throw new SessionException(SessionBundle.getString("invalidSessionID")
a1c9828e57e2182a61d9f36a4b6ec9f26ff26d75gbellato res.addSessionInfo(sessionService.getSessionInfo(requesterSession.getSessionID(), req.getResetFlag()));
88c08d96c418ba598fe4e7d09fed7f0d25fa3165mrossign return handleException(req, requesterSession.getSessionID(), SessionBundle.getString("invalidSessionID"));
88c08d96c418ba598fe4e7d09fed7f0d25fa3165mrossign SearchResults<SessionInfo> infoSearchResults = sessionService.getValidSessions(requesterSession, pattern);
85f6e15f35fa13ce5e3d0ed1716c8986b048745emrossign sessionInfo.addAll(infoSearchResults.getSearchResults());
85f6e15f35fa13ce5e3d0ed1716c8986b048745emrossign sessionService.destroySession(requesterSession, new SessionID(req.getDestroySessionID()));
71cab92c05c90fc373c265102f8ae046f9f1a758pgamba sessionService.logout(requesterSession.getSessionID());
4e346ef680b70ff86b0397d5bf797ac3593e682apgamba sessionService.addSessionListener(requesterSession.getSessionID(), req.getNotificationURL());
4e346ef680b70ff86b0397d5bf797ac3593e682apgamba sessionService.setExternalProperty(this.clientToken, requesterSession.getSessionID(), req.getPropertyName(), req.getPropertyValue());
4d325b0e734b14038f641390866198852cb8a3dfludovicp Object sessions = SessionCount.getSessionsFromLocalServer(uuid);
4d325b0e734b14038f641390866198852cb8a3dfludovicp return handleException(req, requesterSession.getSessionID(), SessionBundle.getString("unknownRequestMethod"));
4d325b0e734b14038f641390866198852cb8a3dfludovicp private void auditAccessAttempt(PLLAuditor auditor, Session session) {
4d325b0e734b14038f641390866198852cb8a3dfludovicp auditor.setTrackingId(session.getProperty(Constants.AM_CTX_ID));
4d325b0e734b14038f641390866198852cb8a3dfludovicp auditor.setRealm(session.getProperty(Constants.ORGANIZATION));
4d325b0e734b14038f641390866198852cb8a3dfludovicp // Don't audit with session information.
4d325b0e734b14038f641390866198852cb8a3dfludovicp private SessionResponse forward(URL svcurl, SessionRequest sreq)
bd6195724c9bc709dfeec54ad3717519726d3c86ludovicp Object context = RestrictedTokenContext.getCurrent();
7bfdea1bf45b6bcec4b0e02df8a8114893a6fc02ludovicp sreq.setRequester(RestrictedTokenContext.marshal(context));
df880e8f097ecf074c379e7137f2672437ac858fmatthew SessionResponse sres = sessionPLLSender.sendPLLRequest(svcurl, sreq);
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew * !!!!! IMPORTANT !!!!! DO NOT REMOVE "sid" FROM
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew * EXCEPTIONMESSAGE Logic kludge in legacy Agent 2.0
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew * code will break If it can not find SID value in
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew * the exception message returned by Session
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew * Service. This dependency should be eventually
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew * removed once we migrate customers to a newer
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew * agent code base or switch to a new version of
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew * Session Service interface
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew private SessionResponse handleException(SessionRequest req, SessionID sid, String error) {
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew SessionResponse response = new SessionResponse(req.getRequestID(), req.getMethodID());
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew private class SessionRequestException extends Exception {
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew public SessionRequestException(SessionID sid, String responseMessage) {
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew // This exception is not ideal, but will be removed when crosstalk is removed, and allows the code to better be
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew // refactored at this point in time.
afd6ce83f9ecfa7b375c1f72eb5f279bbd01568cmatthew private class ForwardSessionRequestException extends Exception {