AuthD.java revision 0f09985a1d42109ed4799de871b3691e1d844986
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AuthD.java,v 1.23 2009/11/25 12:02:02 manish_rustagi Exp $
*
*/
/**
* Portions Copyrighted 2010-2013 ForgeRock, Inc.
*/
/**
* This class is used to initialize the Authentication service and retrieve
* the Global attributes for the Authentication service.
* It also initializes the other dependent services in the OpenSSO system and
* hence used as bootstrap class for the authentication server.
*/
public class AuthD {
/**
* Debug instance for error / message logging
*/
private static AuthD authInstance;
private static boolean authInitFailed = false;
private static String specialUser =
// Admin Console properties
private static final String consoleProto =
private static final String consoleHost =
private static final String consolePort =
private static final boolean isConsoleRemote =
/**
* Default auth level for auth module
*/
/**
* Configured value for access logging
*/
public static final int LOG_ACCESS = 0;
/**
* Configured value for error logging
*/
public static final int LOG_ERROR = 1;
/**
* supported Auth Modules cache - lw
*/
/**
* Flag to force to use JAAS thread.
* Default is false.
*/
public static boolean enforceJAASThread = false;
/**
* Configured directory server host name for auth
*/
public static String directoryHostName =
/**
* Configured directory server port number for auth
*/
public static int directoryPort;
/**
* Configured revisionNumber for auth service
*/
public static int revisionNumber;
/**
* Configured bundle name for auth service
*/
private String defaultOrg;
private String platformLocale;
private String platformCharset;
/**
* ResourceBundle for auth service
*/
// client detection and client type variable
/**
* locale read from AMConfig.properties used for
* remote client auth.
*/
// auth default locale defined in iPlanetAMAuthService
private String defaultAuthLocale;
// platform service schema
// session service schema
// table for service templates
private static boolean logStatus = false;
/**
* Set of default URLs for login success
*/
/**
* Current default URLs for login success
*/
/**
* Set of default URLs for login failure
*/
/**
* Current default URLs for login failure
*/
/**
* Set of default URLs for service success
*/
/**
* Set of default URLs for service failure
*/
private String adminAuthModule;
/**
* Default auth level for module
*/
public String defaultAuthLevel;
private ServletContext servletContext;
static {
"INACTIVE");
logStatus = true;
}
// Get Directory Port value
try {
directoryPort = 0;
}
if (debug.messageEnabled()) {
"\nDirectory PORT : "+ directoryPort);
}
}
private AuthD() {
try {
"amPlatform");
// Initialize AuthXMLHandler so that AdminTokenAction can
// generate DPro Session's SSOToken
authInitFailed = false;
authInitFailed = true;
}
try {
} catch (Exception e) {
if (debug.messageEnabled()) {
}
}
}
/**
* Initialized auth service global attributes
* @throws SMSException if it fails to get auth service for name
* @throws SSOException if admin <code>SSOToken</code> is not valid
* @throws Exception
*/
private void initAuthServiceGlobalSettings()
if (debug.messageEnabled()) {
}
new AuthConfigMonitor(scm);
}
/**
* Update the AuthService global and organization settings.
* most of the code is moved in from AuthenticatorManager.java.
* @param scm <code>ServiceSchemaManager</code> to be used for update
* @throws SMSException if it fails to update auth service
* @throws Exception
*/
throws SMSException, Exception {
// get Global type attributes for iPlanetAMAuthService
if (debug.messageEnabled()) {
}
if (dot > -1) {
}
else {
}
}
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
}
/**
* Initialize the AuthConfiguration global attributes.
* @throws SMSException if it fails to get auth service for name
* @throws SSOException if admin <code>SSOToken</code> is not valid
* @throws Exception
*/
private void initAuthConfigGlobalSettings() throws SMSException,
new AuthConfigMonitor(scm);
}
/**
* Update the AuthConfiguration organization attributes.
* @param scm <code>ServiceSchemaManager</code> to be used for update
* @throws SMSException if it fails to update auth service
*/
throws SMSException {
}
if (debug.messageEnabled()) {
}
}
/**
* Initialized platform service global attributes
* @throws SMSException if it fails to initialize platform service
* @throws SSOException if admin <code>SSOToken</code> is not valid
*/
private void initPlatformServiceGlobalSettings()
throws SMSException, SSOException {
new AuthConfigMonitor(scm);
}
/**
* Update the PlatformService global attributes.
* @param scm <code>ServiceSchemaManager</code> to be used for update
* @throws SMSException if it fails to initialize platform service
*/
throws SMSException {
if (debug.messageEnabled()) {
}
}
/**
* Initialize iPlanetAMSessionService Dynamic attributes
* @throws SMSException if it fails to initialize session service
* @throws SSOException if admin <code>SSOToken</code> is not valid
*/
private void initSessionServiceDynamicSettings()
throws SMSException, SSOException {
new AuthConfigMonitor(scm);
}
/**
* Update the SessionService dynamic attributes.
* @param scm <code>ServiceSchemaManager</code> to be used for update
* @throws SMSException if it fails to update session service
*/
throws SMSException {
if (debug.messageEnabled()) {
+ "\nAuthD.defaultMaxIdleTime=" + defaultMaxIdleTime
+ "\nAuthD.defaultMaxCachingTime=" + defaultMaxCachingTime);
}
}
/**
* Return max session time
* @return max session time
*/
}
/**
* Return max session idle time
* @return max session idle time
*/
}
/**
* Return max session caching time
* @return max session caching time
*/
}
/**
* Returns attribute map of the specified service in the specified
* organization.
*
* @param orgDN Organization DN in which the service exists.
* @param serviceName Service name of which the attributes are retrieved.
* @return Map containing the attributes of the service.
*/
try {
}
} catch (Exception e) {
if (debug.messageEnabled()) {
}
}
return map;
}
/**
 * Returns the Authenticator singleton instance, creating it on first use.
 * If construction fails (the constructor sets <code>authInitFailed</code>),
 * the partially built instance is discarded and <code>null</code> is
 * returned, so every caller must null-check the result. Note that
 * <code>authInstance</code> is a plain (non-<code>volatile</code>) static
 * field, so the double-checked locking below is not guaranteed safe under
 * the Java memory model; treat the unsynchronized first read as best-effort.
 *
 * @return Authenticator singleton instance, or <code>null</code> if
 *         initialization failed.
 */
if (authInstance == null) {
synchronized(AuthD.class) {
if (authInstance == null) {
authInstance = new AuthD();
if (authInitFailed) {
authInstance = null;
}
}
}
}
return authInstance;
}
/**
 * Destroy session for given <code>SessionID</code>
 * @param sid <code>SessionID</code> to be destroyed
 */
}
/**
 * Logout session for given <code>SessionID</code>
 * @param sid <code>SessionID</code> to be logged out
 */
}
/**
* Creates a new session.
*
* @param domain Domain Name.
* @param httpSession HTTP Session.
* @return new <code>InternalSession</code>
*/
public static InternalSession newSession(
try {
}
return is;
}
/**
* Returns the session associated with a session ID.
*
* @param sessId Session ID.
* @return the <code>InternalSession</code> associated with a session ID.
*/
if (debug.messageEnabled()) {
}
}
}
return is;
}
/**
* Returns the session associated with a session ID.
*
* @param sid Session ID.
* @return the <code>InternalSession</code> associated with a session ID.
*/
}
return is;
}
/**
* Returns the session associated with an HTTP Servlet Request.
*
* @param req HTTP Servlet Request.
* @return the <code>InternalSession</code> associated with
* an HTTP Servlet Request.
*/
return getSession(sid);
}
////////////////////////////////////////////////////////////////
// AuthD utilities
////////////////////////////////////////////////////////////////
/**
* Returns an Authenticator for a specific module name.
*
* @param moduleName Module name example <code>LDAP</code>.
* @return Authenticator for a specific module name.
*/
}
/**
* Returns <code>true</code> if the specified module is one of the
* authenticators.
*
* @param module Module name example <code>LDAP</code>.
* @return <code>true</code> if the specified module is one of the
* authenticators.
*/
}
/**
* Return configured Authenticators
* @return list of configured Authenticators
*/
public Iterator getAuthenticators() {
}
/**
* Return number configured Authenticators
* @return number configured Authenticators
*/
/**
 * Returns the number of configured authenticators.
 *
 * @return size of the configured authenticator collection.
 */
public int getAuthenticatorCount() {
    final int configured = authMethods.size();
    return configured;
}
/**
* Return configured PlatformCharset
* @return configured PlatformCharset
*/
/**
 * Returns the platform character set configured for the auth service.
 *
 * @return configured platform charset (may be <code>null</code> if it was
 *         never initialized).
 */
public String getPlatformCharset() {
    final String charset = this.platformCharset;
    return charset;
}
/**
* Return configured PlatformLocale
* @return configured PlatformLocale
*/
/**
 * Returns the platform locale configured for the auth service.
 *
 * @return configured platform locale (may be <code>null</code> if it was
 *         never initialized).
 */
public String getPlatformLocale() {
    final String locale = this.platformLocale;
    return locale;
}
/**
* Return configured <code>Locale</code> for auth service
* @return configured <code>Locale</code> for auth service
*/
/**
 * Returns the core auth locale exactly as configured in the auth service,
 * with no fallback applied. <code>LoginState</code> uses this to find out
 * whether a core auth locale is defined at all: a <code>null</code> result
 * means it is not.
 *
 * @return configured auth-service locale, or <code>null</code> if none.
 */
public String getCoreAuthLocaleFromAuthService() {
    final String configuredLocale = this.defaultAuthLocale;
    return configuredLocale;
}
/**
* Return default <code>Locale</code> for auth service
* @return default <code>Locale</code> for auth service
*/
public String getDefaultAuthLocale() {
/* Since this method returned a fallback locale "en_US"
* and is a public method,
* It is configured to return en_US in case defaultAuthLocale == null
*/
return "en_US";
return defaultAuthLocale;
}
/**
* Log Logout status
*/
try {
.toUpperCase());
}
}
}
}
}
if (authMethName != null) {
}
}
.toString());
} catch (SSOException ssoExp) {
} catch (Exception e) {
}
}
////////////////////////////////////////////////////////////////
// Other utilities
////////////////////////////////////////////////////////////////
/**
* Writes a log record.
*
* @param s Array of data information for the log record.
* @param type Type of log either <code>LOG_ERROR</code> or
* <code>LOG_ACCESS</code>.
* @param messageName Message ID for the log record.
* @param ssoProperties Single Sign On Properties to be written to the
* log record. If this is <code>null</code>, properties will be
* retrieved from administrator Single Sign On Token.
*/
public void logIt(
String[] s,
int type,
try {
"Authentication");
if(ssoProperties == null) {
} else {
}
switch (type) {
case LOG_ACCESS:
break;
case LOG_ERROR:
break;
default:
break;
}
} catch(IOException ex) {
}
}
}
/**
* Returns connection for AM store.
* Only used for backward compatibility support,
* for retrieving the user container DN and user naming attribute.
* @return connection for AM store
*/
public AMStoreConnection getSDK() {
try {
} catch (SSOException e) {
}
}
return dpStore;
}
void printProfileAttrs() {
if (!debug.messageEnabled()) {
return;
}
if (index > 0) {
}
if (debug.messageEnabled()) {
"\nadminAuthName->" + adminAuthName +
"\ndefaultOrg->" + defaultOrg +
"\nlocale->" + platformLocale +
"\ncharset>" + platformCharset);
}
}
static SessionService getSS() {
}
return ss;
}
/**
* Return default organization
* @return default organization
*/
/**
 * Returns the default organization the auth service was initialized with.
 *
 * @return default organization.
 */
public String getDefaultOrg() {
    final String org = this.defaultOrg;
    return org;
}
/**
* Return current session for auth
* @return current session for auth
*/
/**
 * Returns the auth service's own <code>Session</code>.
 * This appears to be the service-level session used for the service's
 * administrative operations (see the admin <code>SSOToken</code> references
 * elsewhere in this class); it should not be handed to code paths that act
 * on behalf of an end user.
 *
 * @return current session for auth.
 */
public Session getAuthSession() {
    final Session serviceSession = this.authSession;
    return serviceSession;
}
/**
* Return current sso session for auth
* @return current sso session for auth
*/
/**
 * Returns the auth service's own <code>SSOToken</code>.
 * This appears to be the privileged service token used for administrative
 * lookups (see the admin <code>SSOToken</code> references elsewhere in this
 * class); never expose it to user-controlled requests or log it.
 *
 * @return current SSO session for auth.
 */
public SSOToken getSSOAuthSession() {
    final SSOToken serviceToken = this.ssoAuthSession;
    return serviceToken;
}
if (authSession == null) {
if (authSession == null) {
throw new SessionException(BUNDLE_NAME,
"gettingSessionFailed", null);
}
id);
}
}
}
/**
* get inetDomainStatus attribute for the org
* @param orgName org name to check inetDomainStatus
* @return true if org is active
* @throws IdRepoException if can not can any information for org
* @throws SSOException if can not use <code>SSOToken</code> for admin
*/
throws IdRepoException, SSOException {
}
/**
* Returns <code>true</code> if distinguished user name is a super
* administrator DN.
*
* @param dn Distinguished name of user.
* @return <code>true</code> if user is super administrator.
*/
boolean isAdmin = false;
if (debug.messageEnabled()) {
}
if (superAdmin != null) {
if (debug.messageEnabled()) {
}
}
if (!isAdmin) {
}
}
if (debug.messageEnabled()) {
}
return isAdmin;
}
/**
* Returns <code>true</code> if and only if the user name belongs to a
* super user
*
* @param dn DN of the user
* @return <code>true</code> if the user is an admin user.
*/
if (superUserIdentity == null) {
superUserIdentity = new AMIdentity(
"/",
null);
}
}
/**
* Returns <code>true</code> if distinguished user name is a special user
* DN.
*
* @param dn Distinguished name of user.
* @return <code>true</code> if user is a special user.
*/
// dn in all the invocation is normalized.
boolean isSpecialUser = false;
while (st.hasMoreTokens()) {
if (specialAdminDN != null) {
if (debug.messageEnabled()) {
}
isSpecialUser = true;
break;
}
}
}
}
if (debug.messageEnabled()) {
}
return isSpecialUser;
}
/**
* Returns Resource bundle of a locale.
*
* @param locale Locale.
* @return Resource bundle of a locale.
*/
return bundle;
}
}
}
return rb;
}
/**
* Return default sleep time
* @return default sleep time
*/
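/**
 * Returns the default sleep time in milliseconds.
 * The stored value is scaled by 1000, so it is presumably configured in
 * seconds (confirm against the setting it is read from). The scaling uses a
 * <code>long</code> literal so that a large configured value cannot
 * overflow <code>int</code> arithmetic before the result is widened to
 * <code>long</code>.
 *
 * @return default sleep time in milliseconds.
 */
public long getDefaultSleepTime() {
    return defaultSleepTime * 1000L;
}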
/**
* Returns the organization DN.
* <p>
* If the organization name matches the root suffix or has the
* root suffix in it then the DN will be returned as string.
* Otherwise the DN will be constructed from the organization Name DN
* and the root suffix DN.
*
* @param userOrg Organization Name
* @return Organization DN of the organization
*/
if (debug.messageEnabled()) {
}
) {
} else {
}
if (debug.messageEnabled()) {
}
}
/**
* Returns the dynamic replacement of the URL from the Success or Failure
* URLs.
*
* @param URL
* @param servletRequest
* @return the dynamic replacement of the URL from the Success or Failure
* URLs.
*/
}
if (debug.messageEnabled()) {
}
return url;
}
/**
 * This function returns the dynamic replacement of the protocol (and, it
 * appears, host and port placeholders) in the Success or Failure URLs.
 * When the console is not remote, the substituted values are taken from
 * the incoming servlet request when one is supplied, i.e. from
 * client-influenced data; the resulting URL must therefore still pass the
 * organization's goto-URL domain validation before it is used as a
 * redirect target.
 * @param rawURL Raw url with out real protocol
 * @param servletRequest Servlet request has real protocol value
 * @return the dynamic replacement of the protocol
 * from the Success or Failure urls
 */
private String processDynamicVariables(
int index;
// protocol processing
if (isConsoleRemote) {
} else {
if ( servletRequest != null ) {
}
} else {
}
}
}
if (isConsoleRemote) {
} else {
if ( servletRequest != null ) {
}
//This is to remove extra ":"
} else {
}
}
}
if (isConsoleRemote) {
}
}
}
return rawURL;
}
/**
* Sets the Servlet Context.
*
* @param servletContext Servlet Context to be set.
*/
this.servletContext = servletContext;
if (debug.messageEnabled()) {
}
}
/**
* Returns the Servlet Context.
*
* @return Servlet Context.
*/
/**
 * Returns the Servlet Context previously set on this instance.
 *
 * @return Servlet Context, or <code>null</code> if none has been set.
 */
public ServletContext getServletContext() {
    final ServletContext context = this.servletContext;
    return context;
}
/**
* Returns the OpenSSO Identity Repository for an organization.
*
* @param orgDN name of the organization
* @return OpenSSO Identity Repository.
*/
try {
}
if (amIdentityRepository == null) {
synchronized (idRepoMap) {
}
}
if (debug.messageEnabled()) {
}
}
return amIdentityRepository;
}
/**
* Returns the Organization Configuration Manager for an organization.
*
* @param orgDN Name of the organization.
* @return Organization Configuration Manager for an organization.
*/
try {
}
synchronized (orgMap) {
if (orgConfigMgr == null) {
}
}
if (debug.messageEnabled()) {
}
}
return orgConfigMgr;
}
/**
* Returns the <code>AMIdentity</code> object for the given parameters.
* If there is no such identity, or there is more then one matching identity,
* then an AuthException will be thrown.
*
* @param idType Identity Type.
* @param idName Identity Name.
* @param orgName organization name.
* @return <code>AMIdentity</code> object.
* @throws AuthException if there was no result, or if there was more results
* then one.
*/
throws AuthException {
if (debug.messageEnabled()) {
}
// Try getting the identity using IdUtils.getIdentity(...)
try {
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
"using IdUtil.getIdentity: " + amIdentity);
}
return (amIdentity);
}
} catch (IdRepoException e) {
// Ignore this exception and continue with search
if (debug.messageEnabled()) {
"getting Identity from IdUtils: "+e.getMessage());
}
} catch (SSOException ssoe) {
// Ignore this exception and continue with search
if (debug.messageEnabled()) {
}
}
// Obtain AMIdentity object by searching within IdRepo
try {
amIdentity = null;
idsc.setRecursive(true);
idsc.setAllReturnAttributes(false);
if (searchResults != null) {
}
// multiple user match found, throw exception,
// user need to login as super admin to fix it
"user '"+ idName);
}
}
} catch (SSOException sso) {
if (debug.messageEnabled()) {
}
} catch (IdRepoException ide) {
if (debug.messageEnabled()) {
}
}
if (amIdentity == null) {
}
return amIdentity;
}
/**
* Returns the Super Admin user Name.
*
* @return super admin user name.
*/
/**
 * Returns the configured super admin user name; this is the same value the
 * super-admin check in this class compares against.
 *
 * @return super admin user name.
 */
public String getSuperUserName() {
    final String adminName = superAdmin;
    return adminName;
}
/**
* Returns the authentication service or chain configured for the
* given organization.
*
* @param orgDN organization DN.
* @return the authentication service or chain configured for the
* given organization.
*/
try {
} catch (Exception e) {
}
return orgAuthConfig;
}
/**
* Returns a list of domains defined by iplanet-am-auth-valid-goto-domains
* in iPlanetAMAuthService plus organization aliases
*
* @param orgDN organization DN.
* @return a Set object containing a list of valid domains, null if
* iplanet-am-auth-valid-goto-domains is empty.
*/
try {
if (debug.messageEnabled()) {
}
} catch(Exception e) {
"Error in getValidGotoUrlDomains : ", e);
}
return validGotoUrlDomains;
}
/**
 * Checks whether an input URL is valid in an organization, i.e. whether it
 * matches the organization's valid goto domains. This is the open-redirect
 * guard for goto/success/failure URLs, so any redirect target must pass
 * through it. From the code below, an unparseable URL is rejected
 * (<code>MalformedURLException</code> yields <code>false</code>), while an
 * unconditional <code>return true</code> precedes the pattern match; its
 * guarding condition is not fully visible here, so confirm that the case
 * it covers (presumably no valid domains configured) is meant to accept any
 * URL.
 *
 * @param url a String representing a URL to be validated
 * @param orgDN organization DN.
 * @return true if input URL is valid, else false.
 */
if ((!orgValidDomains.isEmpty()) &&
} else {
synchronized (orgValidDomains) {
}
}
}
return true;
}
try{
return patternMatcher.match(
}catch (MalformedURLException me) {
return false;
}
}
}