AuthUtils.java revision 7d46f125408af7521e0e8021e0da5609fb8f7ec2
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AuthUtils.java,v 1.33 2009/12/15 16:39:47 qcheng Exp $
*
* Portions Copyrighted 2010-2016 ForgeRock AS.
*/
public class AuthUtils extends AuthClientUtils {
/**
* Authentication type for Realm based authentication after
* Composite Advices
*/
public static final int REALM = 1;
/**
* Authentication type for Service based authentication after
* Composite Advices
*/
public static final int SERVICE = 2;
/**
* Authentication type for Module based authentication after
* Composite Advices
*/
public static final int MODULE = 3;
/**
* Name of parameter used to indicate authn process MUST be run.
*/
private static final SessionServiceURLService SESSION_SERVICE_URL_SERVICE = SessionServiceURLService.getInstance();
private static AuthenticationProcessEventAuditor auditor;
/*
* Private constructor to prevent any instances being created
*/
private AuthUtils() {
}
/* retrieve session */
if (utilDebug.messageEnabled()) {
}
return sess;
}
/* this method does the following
* 1. initializes authService (AuthD) if not already done.
* 2. parses the request parameters and stores in dataHash
* 3. Retrieves the AuthContext object from the global table
* 4. if this is found then updates the loginState request
* type to false and updates the parameter hash table in
* loginstate object.
* on error throws AuthException
*/
/**
* Returns the authentication context for a request.
*
* @param request HTTP Servlet Request.
* @param response HTTP Servlet Response.
* @param sid SessionID for this request.
* @param isSessionUpgrade <code>true</code> if session upgrade.
* @param isBackPost <code>true</code> if back posting.
* @return authentication context.
*/
final HttpServletResponse response,
final boolean isSessionUpgrade,
final boolean isBackPost) throws AuthException {
}
/**
* Returns the authentication context for a request.
*
* @param request HTTP Servlet Request.
* @param response HTTP Servlet Response.
* @param sessionId SessionID for this request.
* @param isSessionUpgrade <code>true</code> if session upgrade.
* @param isBackPost <code>true</code> if back posting.
* @param isLogout <code>true</code> for logout.
* @return authentication context.
*/
final HttpServletResponse response,
final boolean isSessionUpgrade,
final boolean isBackPost,
final boolean isLogout,
final boolean isRestAuth) throws AuthException {
// initialize auth service.
try {
if (utilDebug.messageEnabled()) {
}
} else if (StringUtils.isNotEmpty(authCookieValue) && (!authCookieValue.equalsIgnoreCase("LOGOUT"))) {
}
if (sessionIdForURL != null) {
try {
+ serviceURI;
} catch (SessionException e) {
}
}
}
}
if (utilDebug.messageEnabled()) {
+ isBackPost);
}
return null;
}
try {
loginState = new LoginState();
}
if (isSessionUpgrade) {
} else if (isBackPost) {
}
if (utilDebug.messageEnabled()) {
}
} catch (AuthException ae) {
if (utilDebug.messageEnabled()) {
}
throw new AuthException(ae);
}
} else {
loginState.setNewRequest(false);
}
if (utilDebug.messageEnabled()) {
+ ee.getMessage());
}
throw new AuthException(ee);
}
return authContext;
}
// processAuthContext checks for arg=newsession in the HttpServletRequest
// if request has arg=newsession then destroy session and create a new
// AuthContextLocal object.
final HttpServletRequest request,
final HttpServletResponse response,
if (utilDebug.messageEnabled()) {
}
processedAuthContext = rebuildAuthContext(request, response, decodedRequestData, sessionId, loginState);
} else {
boolean multipleTabsUsed = SystemPropertiesManager.getAsBoolean(Constants.MULTIPLE_TABS_USED, false);
/*
* This flag indicates that the same user is running the auth login
* process in multiple tabs of the same browser and if the auth
* is zero user intervention custom auth module using Redirect
* Callback, then there would be a situation that the same
* authContext is being used by multiple threads running the
* auth process, so avoid this multiple thread interference keep
* the process in this while loop until all the submit requirements
* have been met. This is a specific customer use case.
*/
if (multipleTabsUsed) {
while (processedAuthContext.submittedRequirements()) {
if (authDebugLogger.messageEnabled()) {
}
}
} else {
throw new AuthException(
}
}
// update loginState - requestHash , sess
if (utilDebug.messageEnabled()) {
}
if (checkForCookies(request)) {
loginState.setCookieDetect(false);
}
}
return processedAuthContext;
}
// destroy auth context and create new one.
final HttpServletResponse response,
try {
processedAuthContext = newLoginState.createAuthContext(request, response, sessionId, decodedRequestData);
} catch (AuthException ae) {
}
return processedAuthContext;
}
if (authContext != null) {
}
return loginState;
}
// retrieve the sid from the LoginState object
if (authContext != null) {
if (loginState != null) {
}
}
}
return null;
}
/**
* Returns the Cookie object created based on the cookie name,
* Session ID and cookie domain. If Session is in invalid State then
* cookie is created with authentication cookie name , if
* cookie.
*
* @param ac the AuthContext object
*@param cookieDomain the cookie domain for creating cookie
* @return Cookie object.
*/
try {
}
if (CookieUtils.isCookieSecure()) {
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
}
if (utilDebug.messageEnabled()) {
}
return cookie;
}
/**
* Returns the Logout cookie.
*
* @param ac the AuthContextLocal object
* @param cookieDomain the cookieDomain
* @return Logout cookie .
*/
return logoutCookie;
}
// returns true if request is new else false.
if (loginState.isNewRequest()) {
if (utilDebug.messageEnabled()) {
}
return true;
} else {
if (utilDebug.messageEnabled()) {
}
return false;
}
}
/* return the successful login url */
if (loginState == null) {
} else {
}
return successURL;
}
/* return the failed login url */
try {
if (loginState == null) {
}
if (utilDebug.messageEnabled()) {
+ loginFailedURL);
}
// remove the loginstate/authContext from the hashtable
//removeLoginStateFromHash(authContext);
// destroySession(authContext);
return loginFailedURL;
} catch (Exception e) {
return null;
}
}
/* return filename - will use FileLookUp API
* for UI only - this returns the relative path
*/
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
+ relFileName);
}
return relFileName;
}
}
public static boolean newSessionArgExists(final Map<String, String> decodedRequestData, final SessionID sessionId) {
return false;
}
}
if (utilDebug.messageEnabled()) {
}
if (loginState==null) {
encodedURL = url;
} else {
}
if (utilDebug.messageEnabled()) {
}
return encodedURL;
}
// return the locale
// initialize auth service.
if (authContext == null) {
return ad.getPlatformLocale();
}
if (loginState == null) {
return ad.getPlatformLocale();
}
return loginState.getLocale();
}
try {
if (loginState != null) {
}
} catch (Exception e) {
}
}
if (authContext != null) {
}
}
/**
* Returns <code>true</code> if the session has timed out or the page has
* timed out.
*
* @param authContext the authentication context object for the request.
* @return <code>true</code> if timed out else false.
*/
boolean timedOut = false;
if (loginState != null) {
if (!timedOut) {
}
}
if (utilDebug.messageEnabled()) {
}
}
return timedOut;
}
try {
if (utilDebug.messageEnabled()) {
}
return lbCookie;
} catch (Exception e) {
}
}
throws AuthException {
}
} else {
}
}
}
/* return the indexType for this request */
int type = 0;
try {
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
+ e.toString());
}
}
return type;
}
/* return the indexType for this request */
try {
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
}
return indexType;
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
return null;
}
}
/* return the indexName for this request */
try {
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
}
return indexName;
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
return null;
}
}
if (loginState != null) {
}
if ( recdCallback != null ) {
if (utilDebug.messageEnabled()) {
+ i + "] :" + recdCallback[i]);
}
}
}
else {
}
return recdCallback;
}
/**
* Returns the resource based on the default values.
*
* @param request HTTP Servlet Request.
* @param fileName name of the file
* @return Path to the resource.
*/
public static String getDefaultFileName(
// initialize auth service.
try {
//in case we are unable to determine the realm from the incoming
//requests, let's fallback to top level realm
}
try {
} catch (Exception e) {
}
if (utilDebug.messageEnabled()) {
}
return templateFile;
}
/* returns the orgDN for the request */
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
}
return orgDN;
}
/* create auth context for org */
throws AuthException {
}
}
}
}
}
/** Returns the AuthContext Handle for the Request.
* @param orgName OrganizationName in request
* @param sessionID Session ID for this request
* @param isLogout a boolean which is true if it is a Logout request
* @param req HttpServletRequest
* @return AuthContextLocal object
*/
throws AuthException {
}
/* create auth context for org and sid, if sessionupgrade then
* save the previous authcontext and create new authcontext
* orgName - organization name to login to
* sessionId - sessionID of the request - "0" if new request
* isLogout - is this a logout request
* @param orgName OrganizationName in request
* @param sessionID Session ID for this request
* @param isLogout a boolean which is true if it is a Logout request
* @param req HttpServletRequest
* @param indexType Index Type
* @param indexName Index Name
* @return AuthContextLocal object
*/
throws AuthException {
xmlReq,false);
}
/* create auth context for org and sid, if sessionupgrade then
* save the previous authcontext and create new authcontext
* orgName - organization name to login too
* sessionId - sessionID of the request - "0" if new request
* isLogout - is this a logout request - if yes then no session
* upgrade - this is the case where session is VALID so need
* to use this flag to determine if session upgrade is needed.
* @param orgName OrganizationName in request
* @param sessionID Session ID for this request
* @param isLogout a boolean which is true if it is a Logout request
* @param req HttpServletRequest
* @param indexType Index Type
* @param indexName Index Name
* @param forceAuth force auth flag
* @return AuthContextLocal object
*/
final boolean isLogout,
final HttpServletRequest req,
final AuthXMLRequest xmlReq,
final boolean forceAuth) throws AuthException {
boolean sessionUpgrade = false;
int sessionState = -1;
}
if (utilDebug.messageEnabled()) {
}
try {
// check if this sesson id is active, if yes then it
// is a session upgrade case.
if (loginState != null) {
} else {
}
sessionUpgrade = false;
} else {
if (utilDebug.messageEnabled()) {
}
if (forceAuth) {
sessionUpgrade = true;
} else {
}
} else {
sessionUpgrade = true;
}
}
if (utilDebug.messageEnabled()) {
}
}
}
if (utilDebug.messageEnabled()) {
+ authContext);
+ sessionUpgrade);
+ forceAuth);
}
}
xmlReq.setValidSessionNoUpgrade(true);
return null;
}
(sessionUpgrade)) {
try {
loginState = new LoginState();
}
if (sessionUpgrade) {
}
if (utilDebug.messageEnabled()) {
}
} catch (AuthException ae) {
if (utilDebug.messageEnabled()) {
}
throw new AuthException(ae);
}
} else {
// update loginState
try {
if (utilDebug.messageEnabled()) {
}
if (loginState != null) {
loginState.setNewRequest(false);
}
if (utilDebug.messageEnabled()) {
}
}
}
if (forceAuth){
}
if (utilDebug.messageEnabled()) {
}
throw new AuthException(ee);
}
return authContext;
}
/**
* Returns a set of authentication modules whose authentication
* level equals to or greater than the specified authLevel. If no such
* module exists, an empty set will be returned.
*
* @param authLevel authentication level.
* @param organizationDN DN for the organization.
* @param clientType Client type, e.g. "genericHTML".
* @return Set of authentication modules whose authentication level
* equals to or greater that the specified authentication level.
*/
public static Set getAuthModules(
int authLevel,
String clientType) {
}
/* return the previous Internal Session */
return oldSession;
}
/* retreive session property */
try {
}
} catch (Exception e) {
}
return value;
}
/* return session upgrade - true or false */
boolean isSessionUpgrade = false;
if (loginState != null) {
}
return isSessionUpgrade;
}
if (loginState==null) {
return;
}
if (utilDebug.messageEnabled()) {
}
}
if (loginState==null) {
return false;
}
return loginState.isCookieSupported();
}
if (loginState==null) {
return false;
}
return loginState.isCookieSet();
}
/**
* Returns true if cookies found in the request.
*
* @param req HTTP Servlet Request.
* @param ac authentication context.
* @return <code>true</code> if cookies found in request.
*/
if (loginState!=null) {
loginState.setCookieSet(false);
loginState.setCookieDetect(false);
}
// came here if cookie not found , return false
return (
||
}
if (loginState==null) {
return null;
}
return loginState.getLoginURL();
}
// Gets Callbacks per Page state
if (loginState != null) {
}
if ( recdCallback != null ) {
if (utilDebug.messageEnabled()) {
+ i + "] :" + recdCallback[i]);
}
}
}
else {
}
return recdCallback;
}
// Sets (saves) Callbacks per Page state
if (loginState != null) {
}
if (utilDebug.messageEnabled()) {
+ i + "] :" + callbacks[i]);
}
}
}
else {
}
}
/**
* Get the module service name in either
* iplanet-am-auth format<module.toLowerCase()>Service(old) or
* sunAMAuth<module>Service format(new).
*/
if (serviceName == null) {
try {
} catch (Exception e) {
}
}
return serviceName;
}
public static int getAuthRevisionNumber(){
try {
return scm.getRevisionNumber();
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
}
}
return 0;
}
/**
* Returns success URL for this request. If <code>goto</code> parameter is
* in the current request then returns the <code>goto</code> parameter
* else returns the success URL set in the valid session.
*
* @param request HTTP Servlet Request.
* @param authContext authentication context for this request.
* @return success URL.
*/
public static String getSuccessURL(
}
// Returns the set of Module instances resulting from a 'composite advice'
public static Map processCompositeAdviceXML(String xmlCompositeAdvice, String orgDN, String clientType) {
try {
if (utilDebug.messageEnabled()) {
+ decodedAdviceXML);
+ adviceMap);
}
returnAuthInstances = new HashMap();
returnModuleInstances = new HashSet();
//returnAuthInstances = Collections.EMPTY_MAP;
break;
}
}
if (returnAuthInstances.isEmpty()) {
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
, e);
}
}
if (utilDebug.messageEnabled()) {
"returnAuthInstances : " + returnAuthInstances);
}
return returnAuthInstances;
}
// Returns the set of module instances having lowest auth level from a
// given set of auth level values
if (utilDebug.messageEnabled()) {
+ authLevelvalues);
}
try {
// First get the lowest auth level value from a given set
//get the Realm qualified Auth Level value
try {
if (authLevel < minAuthlevel) {
if ((qualifiedRealm != null) &&
}
if (utilDebug.messageEnabled()) {
+ qualifiedRealm);
+ qualifiedOrgDN);
}
}
continue;
}
}
if (utilDebug.messageEnabled()) {
+ moduleInstances);
}
if ((moduleInstances != null) &&
(!moduleInstances.isEmpty())) {
returnModuleInstances = new HashSet();
while (iterInstances.hasNext()) {
//get the module instance value
}
}
} else {
}
if (utilDebug.messageEnabled()) {
"returnModuleInstances : " + returnModuleInstances +
" for auth level : " + minAuthlevel);
}
}
} catch (Exception e) {
if (utilDebug.messageEnabled()) {
, e);
}
}
return returnModuleInstances;
}
return false;
}
if (null == internalSession) {
return false;
}
return internalSession.hasAuthenticationContext();
}
// retrieve the AuthContextLocal object from the Session object.
return null;
}
if (internalSession != null) {
}
if (utilDebug.messageEnabled()) {
}
return localAC;
}
/**
* Removes the AuthContextLocal object in the Session object identified
* by the SessionID object parameter 'sid'.
*/
}
}
/**
* Returns the authentication service or chain configured for the
* given organization.
*
* @param orgDN organization DN.
* @return the authentication service or chain configured for the
* given organization.
*/
}
/**
* Returns true if remote Auth security is enabled and false otherwise
*
* @return the value of sunRemoteAuthSecurityEnabled attribute
*/
try {
"iPlanetAMAuthService", dUserToken);
}
}
if (utilDebug.messageEnabled()) {
}
return securityEnabled;
}
/**
* Returns the flag indicating a request "forward" after
* successful authentication.
*
* @param authContext AuthContextLocal object
* @param req HttpServletRequest object
* @return the boolean flag.
*/
if (!isForward) {
if (loginState != null) {
}
}
return isForward;
}
/**
* Returns <code>true</code> if the request has the
* <code>forward=true</code> query parameter.
*
* @param req HttpServletRequest object
* @return <code>true</code> if this parameter is present.
*/
boolean isForward =
if (utilDebug.messageEnabled()) {
}
return isForward;
}
/**
* Returns <code>Map</code> attributes
*
* @param serviceName Service Name
* @return <code>Map</code> of global attributes.
*/
try {
}
} catch (SMSException smsExp) {
);
} catch (SSOException ssoExp) {
);
}
if (utilDebug.messageEnabled()) {
}
return attrs;
}
if (cookieDomainSet.isEmpty()) {
} else {
response);
}
}
}
}
/*
* Get URL set by Post Process Plugin in HttpServletRequest.
* Caller should check for null return value.
*/
{
if (utilDebug.messageEnabled()) {
}
return null;
}
if (servletRequest != null) {
}
if (utilDebug.messageEnabled()) {
" Value : " + url);
}
else {
" Value : Not set - null or empty string");
}
}
return url;
}
/* Helper method to reset HttpServletRequest object before it is sent to
* Post Process Plugin so that it can set new values.
*/
{
if (servletRequest != null) {
}
}
/**
* Returns valid goto parameter for this request. Validate goto parameter set in the current request, then returns
* it if valid.
*
* @param request The HttpServletRequest.
* @param orgDN Organization DN.
* @return The validated goto URL.
*/
return REDIRECT_URL_VALIDATOR.getRedirectUrl(
}
/**
* Performs a logout on a given token ensuring the post auth classes are called
*
* @param sessionID The token id to logout
* @param request The HTTP request
* @param response The HTTP response
* @return true if the token was still valid before logout was called
* @throws SSOException If token is null or other SSO exceptions
*/
public static boolean logout(String sessionID, HttpServletRequest request, HttpServletResponse response)
throws SSOException {
}
/**
* Performs a logout on a given token ensuring the post auth classes are called
*
* @param intSession The <code>InternalSession</code> to logout
* @param token The <code>SSOToken</code> to logout
* @param request The HTTP request
* @param response The HTTP response
* @return true if the token was still valid before logout was called
* @throws SSOException If token is null or other SSO exceptions
*/
throws SSOException {
return false;
}
if (intSession != null) {
try {
if (loginContext != null) {
}
}
}
if (intSession != null) {
}
try {
}
}
} else {
if (intSession != null) {
} else {
if (utilDebug.messageEnabled()) {
}
}
while (st.hasMoreTokens()) {
try {
}
}
}
}
boolean isTokenValid = false;
try {
if (isTokenValid) {
if (utilDebug.messageEnabled()) {
}
}
} catch (SSOException se) {
if (utilDebug.warningEnabled()) {
+ " checking validity of SSO Token", se);
}
}
return isTokenValid;
}
if (SystemProperties.isServerMode()) {
}
}
}
/**
* Gets the ZPL configuration for the given realm.
*
* @param realm the realm to get the ZPL configuration for. Not null.
* @return the ZPL configuration object. Never null.
* @throws SSOException if there is a problem authenticating the configuration lookup.
* @throws SMSException if there is a problem fetching the configuration data.
*/
public static ZeroPageLoginConfig getZeroPageLoginConfig(final String realm) throws SSOException, SMSException {
final ServiceConfigManager mgr = new ServiceConfigManager(ISAuthConstants.AUTH_SERVICE_NAME, token);
@SuppressWarnings("unchecked")
return new ZeroPageLoginConfig(
CollectionHelper.getBooleanMapAttr(configMap, Constants.ZERO_PAGE_LOGIN_ALLOW_MISSING_REFERER, true)
);
}
}