LoginState.java revision 3139cb45e7d32c9d558fde972b5db7d3e6e92b2c
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
* You can obtain a copy of the License at
* https://opensso.dev.java.net/public/CDDLv1.0.html or
* opensso/legal/CDDLv1.0.txt
* See the License for the specific language governing
* permission and limitations under the License.
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
* $Id: LoginState.java,v 1.57 2010/01/20 21:30:40 qcheng Exp $
* Portions Copyrighted 2010-2016 ForgeRock AS.
* Portions Copyrighted 2016 Nomura Research Institute, Ltd.
package com.sun.identity.authentication.service;
import static java.util.Collections.unmodifiableSet;
import static org.forgerock.openam.audit.AuditConstants.AuthenticationFailureReason.*;
import static org.forgerock.openam.session.SessionConstants.*;
import static org.forgerock.openam.utils.CollectionUtils.asSet;
import static org.forgerock.openam.utils.Time.newDate;
import java.net.InetAddress;
import java.security.AccessController;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.forgerock.guava.common.base.Joiner;
import org.forgerock.guava.common.collect.ImmutableList;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader;
import org.forgerock.openam.authentication.service.LoginContext;
import org.forgerock.openam.authentication.service.SessionPropertyUpgrader;
import org.forgerock.openam.authentication.service.SessionUpgradeHandler;
import org.forgerock.openam.authentication.service.activators.ForceAuthSessionActivator;
import org.forgerock.openam.identity.idm.IdentityUtils;
import org.forgerock.openam.ldap.LDAPUtils;
import org.forgerock.openam.session.SessionURL;
import org.forgerock.openam.session.service.SessionAccessManager;
import org.forgerock.openam.sso.providers.stateless.StatelessAdminRestriction;
import org.forgerock.openam.sso.providers.stateless.StatelessSession;
import org.forgerock.openam.utils.ClientUtils;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.SearchScope;
import com.iplanet.am.sdk.AMException;
import com.iplanet.am.sdk.AMObject;
import com.iplanet.am.sdk.AMStoreConnection;
import com.iplanet.am.util.Misc;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.dpro.session.SessionException;
import com.iplanet.dpro.session.SessionID;
import com.iplanet.dpro.session.service.AuthenticationSessionStore;
import com.iplanet.dpro.session.service.InternalSession;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.audit.AuthenticationProcessEventAuditor;
import com.sun.identity.authentication.client.ZeroPageLoginConfig;
import com.sun.identity.authentication.config.AMAuthConfigUtils;
import com.sun.identity.authentication.config.AMAuthenticationInstance;
import com.sun.identity.authentication.config.AMAuthenticationManager;
import com.sun.identity.authentication.config.AMConfigurationException;
import com.sun.identity.authentication.server.AuthContextLocal;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;
import com.sun.identity.authentication.util.AMAuthUtils;
import com.sun.identity.authentication.util.ISAuthConstants;
import com.sun.identity.common.DNUtils;
import com.sun.identity.common.ISLocaleContext;
import com.sun.identity.common.admin.AdminInterfaceUtils;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchOpModifier;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.log.LogConstants;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.session.util.SessionUtils;
import com.sun.identity.shared.Constants;
import com.sun.identity.shared.DateUtils;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.OrganizationConfigManager;
import com.sun.identity.sm.SMSEntry;
import com.sun.identity.sm.ServiceConfig;
import com.sun.identity.sm.ServiceManager;
* This class maintains the User's login state information from the time user
* requests for authentication till the time the user either logs out of the
* OpenAM system or the session is destroyed by any privileged application of
* the OpenAM system.
public class LoginState {
/* Define internal users
* For these users we would allow authentication only at root realm
* and require to be authenticated to configuration datastore.
public static final Set<String> INTERNAL_USERS = unmodifiableSet(asSet("amadmin", "dsameuser", "urlaccessagent"));
private static final boolean URL_REWRITE_IN_PATH = SystemProperties.getAsBoolean(Constants.REWRITE_AS_PATH);
private static final String NO_SESSION_QUERY_PARAM = "noSession";
private static final Set<String> USER_ATTRIBUTES;
private static final long AGENT_SESSION_IDLE_TIME;
private static final SecureRandom SECURE_RANDOM;
private static final Debug DEBUG = Debug.getInstance(ISAuthConstants.AUTH_BUNDLE_NAME);
private static final List<String> SHARED_STATE_ATTRIBUTES =
private static volatile List<SessionUpgradeHandler> sessionUpgradeHandlers = null;
* Lazy initialisation holder to allow unit testing without loading the world.
private static class LazyConfig {
private static final AuthD AUTHD = AuthD.getAuth();
private static final SessionPropertyUpgrader SESSION_PROPERTY_UPGRADER = loadPropertyUpgrader();
static {
Set<String> attrs = new HashSet<String>();
USER_ATTRIBUTES = unmodifiableSet(attrs);
// App session timeout is default to 0 => non-expiring
long agSessIdleTime = SystemProperties.getAsLong(Constants.AGENT_SESSION_IDLE_TIME, 0L);
long minAgentSessionIdleTime = 30L;
AGENT_SESSION_IDLE_TIME = (agSessIdleTime > 0 && agSessIdleTime < minAgentSessionIdleTime)
? minAgentSessionIdleTime : agSessIdleTime;
// Obtain the secureRandom instance
try {
SECURE_RANDOM = SecureRandom.getInstance("SHA1PRNG");
} catch (NoSuchAlgorithmException ex) {
DEBUG.error("LoginState.static() : LoginState : SecureRandom.getInstance() Failed", ex);
throw new IllegalStateException("Unable to obtain SecureRandom", ex);
private boolean mandatory2fa;
private boolean userIDGeneratorEnabled;
private String userIDGeneratorClassName;
private boolean loginFailureLockoutMode = false;
private boolean loginFailureLockoutStoreInDS = true;
private String accountLife = null;
private long loginFailureLockoutDuration = 0;
private int loginFailureLockoutMultiplier = 0;
private long loginFailureLockoutTime = 300000;
private int loginFailureLockoutCount = 5;
private String loginLockoutNotification = null;
private String loginLockoutAttrName = null;
private String loginLockoutAttrValue = null;
private String invalidAttemptsDataAttrName = null;
private int loginLockoutUserWarning = 3;
private String failureTokenId = null;
private Callback[] receivedCallbackInfo;
private Callback[] prevCallback;
private Callback[] submittedCallbackInfo;
private final Map<String, Callback[]> callbacksPerState = new HashMap<String, Callback[]>();
private SessionID sessionReference = null;
private HttpServletRequest servletRequest;
private HttpServletResponse servletResponse;
private String orgName;
private String userOrg;
private String orgDN = null;
private int loginStatus = LoginStatus.AUTH_IN_PROGRESS;
private Map<String, String> requestHash;
private boolean newRequest; // new or existing request
private Set<String> aliasAttrNames = null;
private String userContainerDN = null;
private String userNamingAttr = null;
private boolean dynamicProfileCreation = false;
private boolean ignoreUserProfile = false;
private boolean createWithAlias = false;
private Subject subject;
private String token = null;
private String userDN = null;
private int maxSession;
private int idleTime;
private int cacheTime;
private int authLevel = 0;
private int moduleAuthLevel = Integer.MIN_VALUE;
private String client = null;
private String authMethName = "";
private String pAuthMethName = null;
private String queryOrg = null;
private SessionID finalSessionId;
private String activatedSessionTrackingId;
private boolean cookieSupported = true;
private boolean cookieSet = false;
private boolean userEnabled = true;
private AMIdentity amIdentityRole = null;
private AuthContext.IndexType indexType;
private String indexName = null;
private AuthContext.IndexType prevIndexType = null;
private Set<String> userAliasList = null;
private String gotoOnFailURL = null;
private String failureLoginURL = null;
private String successLoginURL = null;
private String moduleSuccessLoginURL = null;
private String moduleFailureLoginURL = null;
private String clientOrgSuccessLoginURL = null;
private String defaultOrgSuccessLoginURL = null;
private String clientOrgFailureLoginURL = null;
private String defaultOrgFailureLoginURL = null;
private final Map<String, String> requestMap = new HashMap<>();
private Set<String> domainAuthenticators = null;
private Set<String> moduleInstances = null;
private boolean sessionUpgrade = false;
private String loginURL = null;
private long pageTimeOut = 60;
private long lastCallbackSent = 0;
private AMIdentity amIdentityUser = null;
// error code
private String errorCode = null;
private String errorMessage = null;
private String errorTemplate = null;
private String moduleErrorTemplate = null;
private String lockoutMsg = null;
// timed out
private boolean timedOut = false;
private String principalList = null;
private X509Certificate cert = null;
private String defaultUserSuccessURL;
private String clientUserSuccessURL;
private String clientUserFailureURL;
private String defaultUserFailureURL;
private String clientSuccessRoleURL;
private String defaultSuccessRoleURL;
private String clientFailureRoleURL;
private String defaultFailureRoleURL;
private String userAuthConfig = "";
private String orgAuthConfig = null;
private String orgAdminAuthConfig = null;
private String roleAuthConfig = null;
private Set<String> orgPostLoginClassSet = Collections.emptySet();
private Map<String, Set<String>> serviceAttributesMap = new HashMap<>();
private String moduleErrorMessage = null;
private String tempDefaultURL = null;
private boolean isLocaleSet = false;
private boolean cookieDetect = false;
private Map<String, Object> userCreationAttributes = null;
private Set<String> externalAliasList = null;
private final Set<String> successModuleSet = new HashSet<String>();
private final Set<String> failureModuleSet = new HashSet<String>();
private String failureModuleList = ISAuthConstants.EMPTY_STRING;
private String fqdnFailureLoginURL = null;
private Map<String, String> moduleMap = null;
private Map<String, Set<String>> roleAttributeMap = null;
private Set<String> identityTypes = Collections.emptySet();
private Set<String> userSessionMapping = Collections.emptySet();
private AMIdentityRepository amIdRepo = null;
private int compositeAdviceType;
private String compositeAdvice;
private String qualifiedOrgDN = null;
// Variable indicating a request "forward" after
// authentication success
private boolean forwardSuccess = false;
private boolean modulesInSession = false;
// Indicates Session is stateless
public boolean stateless = false;
* Indicates if orgnization is active
private boolean inetDomainStatus = true;
* Default roles for user
private Set<String> defaultRoles = null;
* Default auth level for each auth module
private String defaultAuthLevel = "0";
private ZeroPageLoginConfig zeroPageLoginConfig;
private SessionID oldSessionReference = null;
private StatelessSession oldStatelessSession = null;
private SSOToken oldSSOToken = null;
private boolean forceAuth;
private boolean cookieTimeToLiveEnabledFlag = false;
private int cookieTimeToLive = 0;
// Enable Module based Auth
private boolean enableModuleBasedAuth = true;
private ISLocaleContext localeContext = new ISLocaleContext();
* The sharedState Map of the {@link AMLoginModule} and subclasses.
private Map<Object, Object> sharedState;
* Stores the principals corresponding to the successful authentication modules within the current authentication
* session.
private final Set<String> authenticatedPrincipals = new HashSet<String>();
private final AuthenticationProcessEventAuditor auditor = InjectorHolder.getInstance(
private final StatelessAdminRestriction restriction =
private final SessionAccessManager sessionAccessManager =
private final AuthenticationSessionStore authenticationSessionStore =
* Attempts to load the configured session property upgrader class.
private static SessionPropertyUpgrader loadPropertyUpgrader() {
String upgraderClass = SystemProperties.get(Constants.SESSION_UPGRADER_IMPL,
SessionPropertyUpgrader upgrader = null;
try {
upgrader = Class.forName(upgraderClass).asSubclass(SessionPropertyUpgrader.class).newInstance();
if (DEBUG.messageEnabled()) {
DEBUG.message("SessionUpgrader implementation ('" + upgraderClass
+ ") successfully loaded.");
} catch (Exception ex) {
DEBUG.error("Unable to load the following Session Upgrader implementation: " +
upgraderClass + "\nFallbacking to DefaultSessionUpgrader", ex);
upgrader = new DefaultSessionPropertyUpgrader();
return upgrader;
* Converts a byte array to a hex string.
private static String byteArrayToHexString(byte[] byteArray) {
int readBytes = byteArray.length;
StringBuilder hexData = new StringBuilder();
int onebyte;
for (int i = 0; i < readBytes; i++) {
onebyte = ((0x000000ff & byteArray[i]) | 0xffffff00);
return hexData.toString();
String getDefaultAuthLevel() {
return defaultAuthLevel;
* Returns servlet request object.
* @return servlet request object.
public HttpServletRequest getHttpServletRequest() {
return servletRequest;
* Sets servlet request.
* @param servletRequest Servlet request.
public void setHttpServletRequest(HttpServletRequest servletRequest) {
this.servletRequest = servletRequest;
* Returns session, Returns null if session state is <code>INACTIVE</code>
* or <code>DESTROYED</code>.
* @return session;
public InternalSession getSession() {
if (null == sessionReference) {
if (DEBUG.messageEnabled()) {
"Session is null :" + sessionReference);
return null;
InternalSession session = getReferencedSession();
if (session == null || session.getState() == INACTIVE ||
session.getState() == DESTROYED) {
if (DEBUG.messageEnabled()) {
"Session is INACTIVE OR DESTROYED :" + session);
return null;
return session;
* Sets the internal session for the request.
* @param sess Internal session for the request.
public void setSession(InternalSession sess) {
if (sess != null) {
this.sessionReference = sess.getSessionID();
this.finalSessionId = sess.getID();
} else {
this.sessionReference = null;
this.finalSessionId = null;
* Sets the session id, independently of the session. Used by stateless session activation to update the
* serialised session id while leaving the InternalSession null.
* @param sid the new session id to set.
void setSessionID(SessionID sid) {
this.finalSessionId = sid;
* Sets the callbacks recieved and notify waiting thread.
* @param callback
* @param amLoginContext
void setReceivedCallback(
Callback[] callback,
AMLoginContext amLoginContext) {
synchronized (amLoginContext) {
submittedCallbackInfo = null;
receivedCallbackInfo = callback;
prevCallback = callback;
* Sets the callbacks recieved and notify waiting thread.
* Used in non-jaas thread mode only.
* @param callback
void setReceivedCallback_NoThread(Callback[] callback) {
submittedCallbackInfo = null;
receivedCallbackInfo = callback;
prevCallback = callback;
* Sets the callbacks submitted by login module and notify waiting thread.
* @param callback
* @param amLoginContext
void setSubmittedCallback(
Callback[] callback,
AMLoginContext amLoginContext) {
synchronized (amLoginContext) {
prevCallback = receivedCallbackInfo;
receivedCallbackInfo = null;
submittedCallbackInfo = callback;
* Sets the callbacks submitted by login module and notify waiting thread.
* Used in non-jaas thread mode only.
* @param callback
void setSubmittedCallback_NoThread(Callback[] callback) {
prevCallback = receivedCallbackInfo;
receivedCallbackInfo = null;
submittedCallbackInfo = callback;
* Returns recieved callback info from loginmodule.
* @return recieved callback info from loginmodule.
public Callback[] getReceivedInfo() {
return receivedCallbackInfo;
* Returns callbacks submitted by client.
* @return callbacks submitted by client.
Callback[] getSubmittedInfo() {
return submittedCallbackInfo;
* Returns the organization DN example <code>o=iplanet.com,o=isp</code>.
* @return the organization DN example <code>o=iplanet.com,o=isp</code>.
public String getOrgDN() {
if (orgDN == null) {
try {
orgDN = LazyConfig.AUTHD.getOrgDN(userOrg);
} catch (Exception e) {
DEBUG.message("Error getting orgDN: ", e);
return orgDN;
* Returns the organization name.
* @return the organization name.
public String getOrgName() {
if (orgName == null) {
orgName = DNMapper.orgNameToRealmName(getOrgDN());
return orgName;
* Returns the authentication login status.
* @return the authentication login status.
public int getLoginStatus() {
return loginStatus;
* Sets the authentication login status.
* @param loginStatus authentication login status.
public synchronized void setLoginStatus(int loginStatus) {
this.loginStatus = loginStatus;
* Sets the request parameters hash.
* Side Effect: Also updates the requestMap at the same time.
* @param requestHash Request parameters hash.
public void setParamHash(Map<String, String> requestHash) {
this.requestHash = requestHash;
/* copy these parameters to HashMap */
* Sets the request type.
* @param newRequest <code>true</code> for new request type;
* <code>false</code> for existing request type.
void setNewRequest(boolean newRequest) {
this.newRequest = newRequest;
* Returns the request type.
* @return the request type.
boolean isNewRequest() {
return newRequest;
* Returns <code>true</code> if dynamic profile is enabled.
* @return <code>true</code> if dynamic profile is enabled.
public boolean isDynamicProfileCreationEnabled() {
return dynamicProfileCreation;
* Gets the external ID of the activated session. See {@link com.sun.identity.shared.Constants#AM_CTX_ID}
* @return the external session ID string.
public String getActivatedSessionTrackingId() {
return activatedSessionTrackingId;
* Populates the organization profile.
* @throws AuthException
private void populateOrgProfile() throws AuthException {
try {
// get inetdomainstatus for the org
// check if org is active
inetDomainStatus = LazyConfig.AUTHD.getInetDomainStatus(getOrgDN());
if (!inetDomainStatus) {
// org inactive
auditor.auditLoginFailure(this, REALM_INACTIVE);
throw new AuthException(AMAuthErrorCode.AUTH_ORG_INACTIVE, null);
// get handle to org config manager object to retrieve auth service
// attributes.
OrganizationConfigManager orgConfigMgr =
ServiceConfig svcConfig =
Map<String, Set<String>> attrs = svcConfig.getAttributes();
stateless = CollectionHelper.getBooleanMapAttr(attrs, ISAuthConstants.AUTH_STATELESS_SESSIONS, false);
aliasAttrNames = attrs.get(ISAuthConstants.AUTH_ALIAS_ATTR);
identityTypes = attrs.get(ISAuthConstants.AUTH_ID_TYPE_ATTR);
userSessionMapping = attrs.get(ISAuthConstants.
userNamingAttr = CollectionHelper.getMapAttr(
attrs, ISAuthConstants.AUTH_NAMING_ATTR, "uid");
defaultRoles = attrs.get(ISAuthConstants.AUTH_DEFAULT_ROLE);
String tmp = CollectionHelper.getMapAttr(
attrs, ISAuthConstants.DYNAMIC_PROFILE);
if (tmp.equalsIgnoreCase("true")) {
dynamicProfileCreation = true;
} else if (tmp.equalsIgnoreCase("ignore")) {
ignoreUserProfile = true;
} else if (tmp.equalsIgnoreCase("createAlias")) {
createWithAlias = true;
dynamicProfileCreation = true;
tmp = CollectionHelper.getMapAttr(attrs, Constants.ZERO_PAGE_LOGIN_ENABLED);
boolean zplEnabled = Boolean.valueOf(tmp);
Set<String> zplWhitelist = attrs.get(Constants.ZERO_PAGE_LOGIN_WHITELIST);
if (zplWhitelist == null) {
zplWhitelist = Collections.emptySet();
boolean allowZPLWithoutReferer = CollectionHelper.getBooleanMapAttr(attrs,
this.zeroPageLoginConfig = new ZeroPageLoginConfig(zplEnabled, zplWhitelist, allowZPLWithoutReferer);
AMAuthenticationManager authManager =
new AMAuthenticationManager(LazyConfig.AUTHD.getSSOAuthSession(), getOrgDN());
domainAuthenticators = authManager.getAllowedModuleNames();
if (domainAuthenticators == null) {
domainAuthenticators = Collections.emptySet();
defaultAuthLevel = CollectionHelper.getMapAttr(
attrs, ISAuthConstants.DEFAULT_AUTH_LEVEL, LazyConfig.AUTHD.defaultAuthLevel);
Set<String> orgSuccessLoginURLSet = attrs.get(ISAuthConstants.LOGIN_SUCCESS_URL);
if (orgSuccessLoginURLSet == null) {
orgSuccessLoginURLSet = Collections.emptySet();
clientOrgSuccessLoginURL = getRedirectUrl(orgSuccessLoginURLSet);
defaultOrgSuccessLoginURL = tempDefaultURL;
Set<String> orgFailureLoginURLSet = attrs.get(ISAuthConstants.LOGIN_FAILURE_URL);
if (orgFailureLoginURLSet == null) {
orgFailureLoginURLSet = Collections.emptySet();
clientOrgFailureLoginURL = getRedirectUrl(orgFailureLoginURLSet);
defaultOrgFailureLoginURL = tempDefaultURL;
orgAuthConfig = CollectionHelper.getMapAttr(attrs, ISAuthConstants.AUTHCONFIG_ORG);
orgAdminAuthConfig = CollectionHelper.getMapAttr(attrs, ISAuthConstants.AUTHCONFIG_ADMIN);
orgPostLoginClassSet = attrs.get(ISAuthConstants.POST_LOGIN_PROCESS);
if (orgPostLoginClassSet == null) {
orgPostLoginClassSet = Collections.emptySet();
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.MODULE_BASED_AUTH);
if (tmp != null) {
if (tmp.equalsIgnoreCase("false")) {
enableModuleBasedAuth = false;
// retrieve account locking specific attributes
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOGIN_FAILURE_LOCKOUT);
if (tmp != null) {
if (tmp.equalsIgnoreCase("true")) {
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOGIN_FAILURE_STORE_IN_DS);
if (tmp != null) {
if (tmp.equalsIgnoreCase("false")) {
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOCKOUT_DURATION);
if (tmp != null) {
try {
} catch (NumberFormatException e) {
DEBUG.error("auth-lockout-duration bad format.");
setLoginFailureLockoutDuration(getLoginFailureLockoutDuration() * 60 * 1000);
tmp = Misc.getMapAttr(attrs, ISAuthConstants.LOCKOUT_MULTIPLIER);
if (tmp != null) {
try {
} catch (NumberFormatException e) {
DEBUG.error("auth-lockout-multiplier bad format.");
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOGIN_FAILURE_COUNT);
if (tmp != null) {
try {
} catch (NumberFormatException e) {
DEBUG.error("auth-lockout-count bad format.");
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOGIN_FAILURE_DURATION);
if (tmp != null) {
try {
} catch (NumberFormatException e) {
DEBUG.error("auth-login-failure-duration bad format.");
setLoginFailureLockoutTime(getLoginFailureLockoutTime() * 60 * 1000);
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOCKOUT_WARN_USER);
if (tmp != null) {
try {
} catch (NumberFormatException e) {
DEBUG.error("auth-lockout-warn-user bad format.");
setLoginLockoutNotification(CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOCKOUT_EMAIL));
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.USERNAME_GENERATOR);
if (tmp != null) {
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.TWO_FACTOR_AUTH_MANDATORY);
if (tmp != null) {
setUserIDGeneratorClassName(CollectionHelper.getMapAttr(attrs, ISAuthConstants.USERNAME_GENERATOR_CLASS));
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOCKOUT_ATTR_NAME);
tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.LOCKOUT_ATTR_VALUE);
if (DEBUG.messageEnabled()) {
DEBUG.message("Getting Org Profile: " + orgDN
+ "\nlocale->" + localeContext.getLocale()
+ "\ncharset->" + localeContext.getMIMECharset()
+ "\ndynamicProfileCreation->" + dynamicProfileCreation
+ "\ndefaultAuthLevel->" + defaultAuthLevel
+ "\norgSucessLoginURLSet->" + orgSuccessLoginURLSet
+ "\norgFailureLoginURLSet->" + orgFailureLoginURLSet
+ "\nclientSuccessLoginURL ->" + clientOrgSuccessLoginURL
+ "\ndefaultSuccessLoginURL ->" + defaultOrgSuccessLoginURL
+ "\norgPostLoginClassSet ->" + orgPostLoginClassSet
+ "\norgAuthConfig ->" + orgAuthConfig
+ "\norgAdminAuthConfig ->" + orgAdminAuthConfig
+ "\nclientFailureLoginURL ->" + clientOrgFailureLoginURL
+ "\ndefaultFailureLoginURL ->" + defaultOrgFailureLoginURL
+ "\nenableModuleBasedAuth ->" + enableModuleBasedAuth
+ "\nloginFailureLockoutMode->" + isLoginFailureLockoutMode()
+ "\nloginFailureLockoutStoreInDS->"
+ isLoginFailureLockoutStoreInDS()
+ "\nloginFailureLockoutCount->" + getLoginFailureLockoutCount()
+ "\nloginFailureLockoutTime->" + getLoginFailureLockoutTime()
+ "\nloginLockoutUserWarning->" + getLoginLockoutUserWarning()
+ "\nloginLockoutNotification->" + getLoginLockoutNotification()
+ "\ninvalidAttemptsDataAttrName->" + getInvalidAttemptsDataAttrName()
+ "\nzeroPageLoginConfig->" + zeroPageLoginConfig
+ "\nidentityTypes->" + identityTypes
+ "\naliasAttrNames ->" + aliasAttrNames);
} catch (AuthException ae) {
DEBUG.error("Error in populateOrgProfile", ae);
throw new AuthException(ae);
} catch (Exception ex) {
DEBUG.error("Error in populateOrgProfile", ex);
throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
* Populates the global profile.
* @throws AuthException
private void populateGlobalProfile() throws AuthException {
Map attrs = AuthUtils.getGlobalAttributes("iPlanetAMAuthService");
String tmpModules = Misc.getMapAttr(attrs, ISAuthConstants.KEEP_MODULES_IN_SESSION);
modulesInSession = Boolean.parseBoolean(tmpModules);
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.populateGlobalProfile: Getting Global Profile: " +
"\nmodulesInSession ->" + modulesInSession);
* Returns the authenticated subject.
* @return Authenticated subject
public Subject getSubject() {
return subject;
* Sets the authenticated subject.
* @param subject Authenticated subject.
public void setSubject(Subject subject) {
this.subject = subject;
* Returns session idle time.
* @return session idle time.
public int getIdleTime() {
return idleTime;
* Returns session cache time.
* @return session cache time.
public int getCacheTime() {
return cacheTime;
* Returns user DN.
* @return user DN.
public String getUserDN() {
if (DEBUG.messageEnabled()) {
DEBUG.message("getUserDN: " + userDN);
return userDN;
* Returns authentication level.
* @return authentication level.
public int getAuthLevel() {
/* for AMLoginModule */
/* It is not a clean way to call setAuthLevel() in
* this method. To make reference to authLevel(like
* in sessionUpgrade()), make sure setAuthLevel() has
* been called before, NOT getAuthLevel() ! or it will
* return zero.
return authLevel;
* Sets the authentication level.
* checks if <code>moduleAuthLevel</code> is set and if
* it is greater then the authentications level then
* <code>moduleAuthLevel</code> will be the set level.
* @param authLevel Authentication Level.
public void setAuthLevel(String authLevel) {
// check if module Level is set and is greater
// then authenticated modules level
if (authLevel == null) {
this.authLevel = 0;
} else {
try {
this.authLevel = Integer.parseInt(authLevel);
} catch (NumberFormatException e) {
this.authLevel = 0;
if (this.authLevel < moduleAuthLevel) {
this.authLevel = moduleAuthLevel;
if (DEBUG.messageEnabled()) {
DEBUG.message("AuthLevel is set to : " + this.authLevel);
* Returns the client address.
* @return the client address.
public String getClient() {
if (client != null) {
return client;
String clientHost = "";
try {
String cli = null;
if (requestHash != null) {
cli = (String) requestHash.get("client");
if (DEBUG.messageEnabled()) {
DEBUG.message("getClient : servletRequest is : " + servletRequest);
DEBUG.message("getClient : cli is : " + cli);
if (cli == null || cli.length() == 0) {
if (servletRequest != null) {
clientHost = ClientUtils.getClientIPAddress(servletRequest);
} else {
InetAddress localHost = InetAddress.getLocalHost();
clientHost = localHost.getHostAddress();
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error getting client Type ", e);
if (DEBUG.messageEnabled()) {
DEBUG.message("Client is : " + clientHost);
client = clientHost;
return clientHost;
* Sets the client address.
* @param remoteAddr Client address.
public void setClient(String remoteAddr) {
client = remoteAddr;
* convert a token to DN
* @param token0 <code>SSOToken</code> ID has user principal
* @return DN for user principal
private String tokenToDN(String token0) {
try {
String token = token0.toLowerCase();
int pipe = token.indexOf("|");
if (pipe != -1) {
token = token.substring(0, pipe);
// Return if module returns the token in the form of DN
if (DN.valueOf(token).isInScopeOf(getOrgDN(), SearchScope.WHOLE_SUBTREE)) {
return token;
if (LazyConfig.AUTHD.isSuperAdmin(token)) {
return token;
// check if Application module user
// Application module user starts with
// amService-
String applicationUser =
if (token.startsWith(applicationUser)) {
return "cn=" + token + ",ou=DSAME Users," +
String id = DNUtils.DNtoName(token);
String userDN = userNamingAttr + "=" + id + "," + userContainerDN;
if (DEBUG.messageEnabled()) {
DEBUG.message("token=" + token0 + ", id=" + id +
", DN=" + userDN);
return userDN;
} catch (Exception e) {
DEBUG.error("tokenToDN : " + e.getMessage());
return token0;
* Returns the client type.
* @return the client type.
public String getClientType() {
return (servletRequest != null) ?
AuthUtils.getClientType(servletRequest) : AuthUtils.getDefaultClientType();
* Activates session on successful authentication.
* <p/>
* Unless the noSession query parameter was set on the request and then in that case no new permanent session is
* activated and <code>true</code>.
* @param subject
* @param ac
* @param loginContext instance of JAAS <code>LoginContext</code>
* @return <code>true</code> if user session is activated successfully, <code>false if failed to activated</code>
* or <code>true</code> if the noSession parameter is set to true.
public boolean activateSession(Subject subject, AuthContextLocal ac, LoginContext loginContext) throws AuthException {
try {
if (DEBUG.messageEnabled()) {
DEBUG.message("activateSession - Token is : " + token);
DEBUG.message("activateSession - userDN is : " + userDN);
if (indexType != null || indexName != null) {
setSuccessLoginURL(indexType, indexName);
} else {
setSuccessLoginURL(AuthContext.IndexType.SERVICE, getAuthConfigName(indexType, indexName));
InternalSession internalSession = getReferencedSession();
final boolean isSessionActivated = getSessionActivator().activateSession(this, AuthD.getSessionService(),
internalSession, subject, loginContext);
if (isSessionActivated) {
this.activatedSessionTrackingId = internalSession.getProperty(Constants.AM_CTX_ID);
if (sessionUpgrade && !forceAuth && isSessionActivated && oldStatelessSession == null) {
return isSessionActivated;
} catch (AuthException ae) {
DEBUG.error("Error setting session properties: ", ae);
throw ae;
} catch (Exception e) {
DEBUG.error("Error activating session: ", e);
throw new AuthException("sessionActivationFailed", null);
private SessionActivator getSessionActivator() {
if (isNoSession()) {
return NoSessionActivator.INSTANCE;
if (restriction.isRestricted(getUserDN())) {
DEBUG.message("Using stateful session activation for super admin");
return DefaultSessionActivator.INSTANCE;
if (stateless) {
return StatelessSessionActivator.INSTANCE;
if (forceAuth) {
return ForceAuthSessionActivator.getInstance();
return DefaultSessionActivator.INSTANCE;
void setOldStatelessSession(StatelessSession session) {
this.oldStatelessSession = session;
* Populates session with properties.
* @param session
* @throws AuthException
void setSessionProperties(InternalSession session) throws AuthException {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState getSession = " +
session + " \nrequest token = " + token);
if (token == null) {
throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
String cookieSupport = (cookieSupported) ? "true" : "false";
// for user based DN is already set
if (userDN == null) {
userDN = getUserDN(amIdentityUser);
AMIdentity newAMIdentity = null;
String oldUserDN = null;
String oldAuthenticationModuleInstanceName = null;
AMIdentity oldAMIdentity = null;
InternalSession oldSession = getReferencedOldSession();
if (oldSession != null || oldStatelessSession != null) {
if (oldSession != null) {
oldUserDN = oldSession.getProperty(ISAuthConstants.PRINCIPAL);
oldAuthenticationModuleInstanceName = oldSession.getProperty(ISAuthConstants.AUTH_TYPE);
} else {
try {
oldUserDN = oldStatelessSession.getProperty(ISAuthConstants.PRINCIPAL);
oldAuthenticationModuleInstanceName = oldStatelessSession.getProperty(ISAuthConstants.AUTH_TYPE);
} catch (SessionException e) {
throw new AuthException(AMAuthErrorCode.SESSION_UPGRADE_FAILED, null);
if (!ignoreUserProfile) {
newAMIdentity = LazyConfig.AUTHD.getIdentity(IdType.USER, userDN, getOrgDN());
oldAMIdentity = LazyConfig.AUTHD.getIdentity(IdType.USER, oldUserDN, getOrgDN());
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.setSessionProperties()" +
" newAMIdentity is: " + newAMIdentity);
DEBUG.message("LoginState.setSessionProperties()" +
" oldAMIdentity is: " + oldAMIdentity);
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.setSessionProperties()" +
" userDN is: " + userDN);
DEBUG.message("LoginState.setSessionProperties()" +
" oldUserDN is: " + oldUserDN);
DEBUG.message("LoginState.setSessionProperties()" +
" sessionUpgrade is: " + sessionUpgrade);
if (sessionUpgrade) {
String oldAuthenticationModuleClassName = null;
if ((oldAuthenticationModuleInstanceName != null) &&
(!oldAuthenticationModuleInstanceName.contains("|"))) {
try {
SSOToken adminToken =
AMAuthenticationManager authManager =
new AMAuthenticationManager(adminToken, getOrgName());
AMAuthenticationInstance authInstance =
oldAuthenticationModuleClassName =
} catch (AMConfigurationException ace) {
if (DEBUG.messageEnabled()) {
+ ":Unable to create AMAuthenticationManager"
+ "Instance:"
+ ace.getMessage());
throw new AuthException(ace);
if ("Anonymous".equalsIgnoreCase(oldAuthenticationModuleClassName)) {
} else if (!ignoreUserProfile) {
if ((oldAMIdentity != null) && oldAMIdentity.equals(newAMIdentity)) {
} else {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.setSessionProperties()" +
"Resetting session upgrade to false " +
"since oldAMIdentity and newAMIdentity doesn't match");
throw new AuthException(
} else {
if ((oldUserDN != null) && (DNUtils.normalizeDN(userDN)).equals(DNUtils.normalizeDN(oldUserDN))) {
} else {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.setSessionProperties()" +
"Resetting session upgrade to false " +
"since Old UserDN and New UserDN doesn't match");
throw new AuthException(
if (forceAuth && sessionUpgrade) {
session = oldSession;
Date authInstantDate = newDate();
String authInstant = DateUtils.toUTCDateFormat(authInstantDate);
String moduleAuthTime = null;
if (sessionUpgrade) {
try {
if (oldStatelessSession != null) {
oldSSOToken = SSOTokenManager.getInstance().createSSOToken(oldStatelessSession.getID().toString());
} else {
oldSSOToken = SSOTokenManager.getInstance().createSSOToken(oldSession.getID().toString());
} catch (SSOException ssoExp) {
DEBUG.error("LoginState.setSessionProperties: Cannot get "
+ "oldSSOToken.");
Map<String, String> moduleTimeMap = null;
if (oldSSOToken != null) {
moduleTimeMap = AMAuthUtils.getModuleAuthTimeMap(oldSSOToken);
if (moduleTimeMap == null) {
moduleTimeMap = new HashMap<String, String>();
StringTokenizer tokenizer = new StringTokenizer(authMethName,
while (tokenizer.hasMoreTokens()) {
String moduleName = tokenizer.nextToken();
moduleTimeMap.put(moduleName, authInstant);
boolean firstElement = true;
for (Map.Entry<String, String> entry : moduleTimeMap.entrySet()) {
String moduleName = entry.getKey();
String authTime = entry.getValue();
StringBuilder sb = new StringBuilder();
if (!firstElement) {
firstElement = false;
if (moduleAuthTime == null) {
moduleAuthTime = (sb.append(moduleName).append(
} else {
moduleAuthTime += sb.append(moduleName).append(
//Sets the User profile option used, in session.
String userProfile = ISAuthConstants.REQUIRED;
if (dynamicProfileCreation) {
userProfile = ISAuthConstants.CREATE;
} else if (ignoreUserProfile) {
userProfile = ISAuthConstants.IGNORE;
} else if (createWithAlias) {
userProfile = ISAuthConstants.CREATE_WITH_ALIAS;
session.putProperty(ISAuthConstants.USER_PROFILE, userProfile);
String defaultLoginURL = null;
HttpServletRequest request = getHttpServletRequest();
if (request != null) {
loginURL = AuthUtils.constructLoginURL(request);
int questionMark = loginURL.indexOf("?");
defaultLoginURL = loginURL;
if (questionMark != -1) {
defaultLoginURL = loginURL.substring(0, questionMark);
session.putProperty(ISAuthConstants.LOGIN_URL, defaultLoginURL);
session.putProperty(ISAuthConstants.FULL_LOGIN_URL, loginURL);
String sessionSuccessURL = LazyConfig.AUTHD.processURL(successLoginURL, servletRequest);
sessionSuccessURL = encodeURL(sessionSuccessURL, true);
if (sessionSuccessURL != null) {
session.putProperty(ISAuthConstants.SUCCESS_URL, sessionSuccessURL);
// Get the universal ID
String univId = null;
if (amIdentityUser != null) {
univId = IdUtils.getUniversalId(amIdentityUser);
String userId = DNUtils.DNtoName(userDN);
if (DEBUG.messageEnabled()) {
"setSessionProperties Principal = " + userDN + "\n" +
"UserId = " + token + "\n" +
"client = " + getClient() + "\n" +
"Organization = " + orgDN + "\n" +
"locale = " + localeContext.getLocale() + "\n" +
"charset = " + localeContext.getMIMECharset() + "\n" +
"idleTime = " + idleTime + "\n" +
"cacheTime = " + cacheTime + "\n" +
"maxSession = " + maxSession + "\n" +
"AuthLevel = " + authLevel + "\n" +
"AuthType = " + authMethName + "\n" +
"Subject = " + subject.toString() + "\n" +
"UniversalId = " + univId + "\n" +
"cookieSupport = " + cookieSupport + "\n" +
"principals = " + principalList + "\n" +
"defaultLoginURL = " + defaultLoginURL + "\n" +
"successURL = " + sessionSuccessURL + "\n" +
"IndexType = " + indexType + "\n" +
"UserProfile = " + userProfile + "\n" +
"AuthInstant = " + authInstant + "\n" +
"ModuleAuthTime = " + moduleAuthTime);
try {
if ((isApplicationModule(authMethName) &&
(LazyConfig.AUTHD.isSuperUser(userDN) || LazyConfig.AUTHD.isSpecialUser(userDN)))
|| isAgent(amIdentityUser)) {
if (isAgent(amIdentityUser) && AGENT_SESSION_IDLE_TIME > 0) {
if (DEBUG.messageEnabled()) {
DEBUG.message("setSessionProperties for agent " +
userDN + " with idletimeout to " +
session.setMaxSessionTime(Long.MAX_VALUE / 60);
} else {
if (DEBUG.messageEnabled()) {
DEBUG.message("setSessionProperties for non-expiring session");
} else {
DEBUG.message("request: in putProperty stuff");
if ((client = getClient()) != null) {
session.putProperty(ISAuthConstants.HOST, client);
if (!sessionUpgrade) {
session.putProperty(ISAuthConstants.AUTH_TYPE, authMethName);
session.putProperty(ISAuthConstants.PRINCIPAL, userDN);
if (userId == null && userDN != null) {
DN dnObj = DN.valueOf(userDN);
if (dnObj.size() > 0) {
userId = LDAPUtils.rdnValueFromDn(dnObj);
session.putProperty(ISAuthConstants.USER_ID, userId);
session.putProperty(ISAuthConstants.USER_TOKEN, token);
session.putProperty(ISAuthConstants.ORGANIZATION, getOrgDN());
session.putProperty(ISAuthConstants.CLIENT_TYPE, getClientType());
session.putProperty(ISAuthConstants.AUTH_INSTANT, authInstant);
if ((moduleAuthTime != null) && (moduleAuthTime.length() != 0)) {
if (principalList != null) {
session.putProperty(ISAuthConstants.PRINCIPALS, principalList);
if (indexType != null) {
if (univId != null) {
session.putProperty(Constants.UNIVERSAL_IDENTIFIER, univId);
} else if (userDN != null) {
session.putProperty(Constants.UNIVERSAL_IDENTIFIER, userDN);
if ((indexType == AuthContext.IndexType.ROLE) &&
(indexName != null)
) {
if (!sessionUpgrade) {
session.putProperty(ISAuthConstants.ROLE, indexName);
if (!sessionUpgrade) {
String finalAuthConfig = getAuthConfigName(indexType, indexName);
if ((finalAuthConfig != null) && (
finalAuthConfig.length() != 0)) {
if ((userSessionMapping != null) &&
!(userSessionMapping.isEmpty()) && !ignoreUserProfile) {
for (final String mapping : userSessionMapping) {
if ((mapping != null) && (mapping.length() != 0)) {
StringTokenizer tokenizer = new StringTokenizer(
mapping, "|");
String userAttribute = null;
String sessionAttribute = null;
if (tokenizer.hasMoreTokens()) {
userAttribute = tokenizer.nextToken();
if (tokenizer.hasMoreTokens()) {
sessionAttribute = tokenizer.nextToken();
if ((userAttribute != null) &&
(userAttribute.length() != 0)) {
Set userAttrValueSet = amIdentityUser.getAttribute(
if ((userAttrValueSet != null) &&
!(userAttrValueSet.isEmpty())) {
Iterator valueIter = userAttrValueSet.
StringBuilder strBuffValues = new StringBuilder();
while (valueIter.hasNext()) {
String userAttrValue = (String)
if (strBuffValues.length() == 0) {
} else {
if (sessionAttribute != null) {
+ "." + sessionAttribute,
} else {
+ "." + userAttribute,
// Set Attribute Map for Authentication module
AuthenticationPrincipalDataRetriever principalDataRetriever =
if (principalDataRetriever != null) {
Map<String, String> attrMap = principalDataRetriever.getAttrMapForAuthenticationModule(subject);
if (attrMap != null && !attrMap.isEmpty()) {
for (Map.Entry<String, String> entry : attrMap.entrySet()) {
String attrName = entry.getKey();
String attrValue = entry.getValue();
session.putProperty(attrName, attrValue);
if (DEBUG.messageEnabled()) {
DEBUG.message("AttrMap for SAML : " + attrName + " , " + attrValue);
} catch (Exception e) {
DEBUG.error("Exception in setSession ", e);
throw new AuthException(e);
* Returns the <code>inetDomainStatus</code>.
* @return <code>inetDomainStatus</code>.
public boolean getInetDomainStatus() {
return inetDomainStatus;
* Returns the query Organization.
* @return Query Organization.
String getQueryOrg() {
return queryOrg;
* Sets the query organization.
* @param queryOrg Query organization.
void setQueryOrg(String queryOrg) {
this.queryOrg = queryOrg;
* Returns locale.
* @return locale.
public String getLocale() {
if (!isLocaleSet) {
return SystemProperties.get(Constants.AM_LOCALE);
} else {
return localeContext.getLocale().toString();
* Sets locale
* @param locale locale setting
public void setLocale(String locale) {
isLocaleSet = true;
/* destroy session */
void destroySession() {
if (sessionReference != null) {
finalSessionId = null;
sessionReference = null;
* Returns Session ID.
* @return Session ID.
public SessionID getSid() {
return finalSessionId;
public boolean getForceFlag() {
return forceAuth;
public void setForceAuth(boolean force) {
forceAuth = force;
* Enables AM session cookie time to live
* @param flag if <code>true</code> enables AM session cookie time to live,
* otherwise disables AM session cookie time to live
public void enableCookieTimeToLive(boolean flag) {
cookieTimeToLiveEnabledFlag = flag;
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.enableCookieTimeToLive(): enable=" + cookieTimeToLiveEnabledFlag);
* Checks whether AM session cookie time to live is enabled
* @return <code>true</code> if AM session cookie time to live
* is enabled, otherwise returns <code>false</code>
public boolean isCookieTimeToLiveEnabled() {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.isCookieTimeToLiveEnabled(): enabled=" + cookieTimeToLiveEnabledFlag);
return cookieTimeToLiveEnabledFlag;
* Returns AM session cookie time to live
* @return AM session cookie time to live in seconds
public int getCookieTimeToLive() {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.getCookieTimeToLive(): cookieTimeToLive=" + cookieTimeToLive);
return cookieTimeToLive;
* Sets AM session cookie time to live
* @param timeToLive AM session cookie time to live in seconds
public void setCookieTimeToLive(int timeToLive) {
cookieTimeToLive = timeToLive;
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.setCookieTimeToLive(): cookieTimeToLive=" + cookieTimeToLive);
* Returns user domain.
* @return user domain.
private String getUserDomain(
HttpServletRequest request,
SessionID sid,
Map<String, String> requestHash) {
String userOrg;
if (AuthUtils.newSessionArgExists(requestHash, sid) && sid.toString().length() > 0) {
userOrg = sid.getSessionDomain();
} else {
userOrg = AuthUtils.getDomainNameByRequest(request, requestHash);
if (DEBUG.messageEnabled()) {
DEBUG.message("returning from getUserDomain : " + userOrg);
return userOrg;
* Returns authentication context for new request.
* @return Authentication context for new request.
* @throws AuthException if it fails to instantiate <code>AuthContext</code>
AuthContextLocal createAuthContext(
HttpServletRequest request,
HttpServletResponse response,
SessionID sid,
Map<String, String> requestHash
) throws AuthException {
// Get / Construct the Original Login URL
this.loginURL = AuthUtils.constructLoginURL(request);
// Get query param indicating a request "forward" after
// successful authentication.
this.forwardSuccess = AuthUtils.forwardSuccessExists(request);
// set the locale
if (DEBUG.messageEnabled()) {
DEBUG.message("locale : " + localeContext.getLocale());
this.userOrg = getUserDomain(request, sid, requestHash);
if (DEBUG.messageEnabled()) {
DEBUG.message("createAuthContext: userOrg is : " + userOrg);
if ((this.userOrg == null) || this.userOrg.length() == 0) {
DEBUG.message("domain is null, error condition");
logFailed(LazyConfig.AUTHD.bundle.getString("invalidDomain"), "INVALIDDOMAIN");
auditor.auditLoginFailure(this, INVALID_REALM);
throw new AuthException(AMAuthErrorCode.AUTH_INVALID_DOMAIN, null);
if (DEBUG.messageEnabled()) {
DEBUG.message("AuthUtil:getAuthContext: Creating new AuthContextLocal & LoginState");
AuthContextLocal authContext = new AuthContextLocal(this.userOrg);
newRequest = true;
servletRequest = request;
servletResponse = response;
client = getClient();
this.finalSessionId = sid;
if (DEBUG.messageEnabled()) {
DEBUG.message("requestType : " + newRequest);
DEBUG.message("client : " + client);
DEBUG.message("sid : " + sid);
try {
createSession(request, authContext);
} catch (Exception e) {
DEBUG.error("Exception creating session .. :", e);
throw new AuthException(e);
String cookieSupport = AuthUtils.getCookieSupport(getClientType());
cookieDetect = AuthUtils.getCookieDetect(cookieSupport);
if ((cookieSupport != null) && cookieSupport.equals("false")) {
cookieSupported = false;
if (DEBUG.messageEnabled()) {
DEBUG.message("cookieSupport is : " + cookieSupport);
DEBUG.message("cookieDetect is .. : " + cookieDetect);
DEBUG.message("cookieSupported is .. : " + cookieSupported);
if (AuthUtils.isClientDetectionEnabled() && cookieDetect) {
cookieSet = true;
amIdRepo = LazyConfig.AUTHD.getAMIdentityRepository(getOrgDN());
return authContext;
/* create new session */
private void createSession(
HttpServletRequest req,
AuthContextLocal authContext
) throws AuthException {
DEBUG.message("LoginState: createSession: Creating new session: ");
InternalSession session = LazyConfig.AUTHD.newSession(getOrgDN(), false);
DEBUG.message("Save authContext in InternalSession");
finalSessionId = session.getID();
sessionReference = session.getSessionID();
if (DEBUG.messageEnabled()) {
"LoginState:createSession: New session/sid=" + finalSessionId);
DEBUG.message("LoginState:New session: ac=" + authContext);
* Returns the single sign on token associated with the session.
* @return the single sign on token associated with the session.
* @throws SSOException
public SSOToken getSSOToken() throws SSOException {
if (null == sessionReference || isNoSession()) {
return null;
InternalSession session = sessionAccessManager.getInternalSession(sessionReference);
if (!stateless && (session == null || session.getState() == INACTIVE)) {
return null;
try {
SSOTokenManager ssoManager = SSOTokenManager.getInstance();
SSOToken ssoToken = ssoManager.createSSOToken(finalSessionId.toString());
return ssoToken;
} catch (SSOException ex) {
DEBUG.message("Error retrieving SSOToken :", ex);
throw new SSOException(AuthD.BUNDLE_NAME,
AMAuthErrorCode.AUTH_ERROR, null);
* Returns URL with the cookie value in the URL.
* @param url URL.
* @return Encoded URL.
public String encodeURL(String url) {
return encodeURL(url, false);
* Returns URL with the cookie value in the URL.
* The cookie in the rewritten url will have
* the AM cookie if session is active/inactive and
* auth cookie if cookie is invalid
* @return the encoded URL
public String encodeURL(final String url, final boolean useAMCookie) {
if (DEBUG.messageEnabled()) {
DEBUG.message("in encodeURL");
boolean appendSessCookieInURL = SystemProperties.getAsBoolean(Constants.APPEND_SESS_COOKIE_IN_URL, true);
if (!appendSessCookieInURL) {
return url;
if (DEBUG.messageEnabled()) {
DEBUG.message("cookieDetect : " + cookieDetect);
DEBUG.message("cookieSupported : " + cookieSupported);
if (!cookieDetect && cookieSupported) {
return url;
InternalSession session = getReferencedSession();
if (null == session) {
return url;
String cookieName = AuthUtils.getCookieName();
if (!useAMCookie && session.getState() == INVALID) {
cookieName = AuthUtils.getAuthCookieName();
String encodedURL;
encodedURL = SessionURL.getInstance().encodeInternalSessionURL(
url, SessionUtils.SEMICOLON, false, cookieName, session);
} else {
encodedURL = SessionURL.getInstance().encodeInternalSessionURL(
url, SessionUtils.QUERY, false, cookieName, session);
if (DEBUG.messageEnabled()) {
DEBUG.message("AuthRequest encodeURL : URL=" + url +
", Rewritten URL=" + encodedURL);
return (encodedURL);
private InternalSession getReferencedSession() {
if (null == sessionReference) {
return null;
return AuthD.getSession(sessionReference);
private InternalSession getReferencedOldSession() {
if (null == oldSessionReference) {
return null;
return AuthD.getSession(oldSessionReference);
* Returns the filename . This method uses ResourceLookup API
* to locate the resource/file. The resource/file search path is
* <pre>
* fileRoot_locale/orgPath/filePath/filename
* fileRoot/orgPath/filePath/filename
* default_locale/orgPath/filePath/filename
* default/orgPath/filePath/filename
* where filePath =
* clientPath (html/wml etc) + serviceName
* eg. if orgDN = o=solaris.eng,o=eng.com,o=sun.com,dc=iplanet,dc=com
* clientPath = html
* service name = paycheck
* locale=en
* filename=Login.jsp
* </pre>
* then the search will be as follows :
* <pre>
* iplanet_en/sun.com/eng.com/solaris.eng/html/paycheck/Login.jsp
* iplanet_en/sun.com/eng.com/solaris.eng/html/Login.jsp
* iplanet_en/sun.com/eng.com/solaris.eng/Login.jsp
* iplanet_en/sun.com/eng.com/html/paycheck/Login.jsp
* iplanet_en/sun.com/eng.com/html/Login.jsp
* iplanet_en/sun.com/eng.com/Login.jsp
* iplanet_en/sun.com/html/paycheck/Login.jsp
* iplanet_en/sun.com/html/Login.jsp
* iplanet_en/sun.com/Login.jsp
* iplanet_en/html/paycheck/Login.jsp
* iplanet_en/html/Login.jsp
* iplanet_en/Login.jsp
* iplanet/sun.com/eng.com/solaris.eng/html/paycheck/Login.jsp
* iplanet/sun.com/eng.com/solaris.eng/html/Login.jsp
* iplanet/sun.com/eng.com/solaris.eng/Login.jsp
* iplanet/sun.com/eng.com/html/paycheck/Login.jsp
* iplanet/sun.com/eng.com/html/Login.jsp
* iplanet/sun.com/eng.com/Login.jsp
* iplanet/sun.com/html/paycheck/Login.jsp
* iplanet/sun.com/html/Login.jsp
* iplanet/sun.com/Login.jsp
* iplanet/html/paycheck/Login.jsp
* iplanet/html/Login.jsp
* iplanet/Login.jsp
* default_en/sun.com/eng.com/solaris.eng/html/paycheck/Login.jsp
* default_en/sun.com/eng.com/solaris.eng/html/Login.jsp
* default_en/sun.com/eng.com/solaris.eng/Login.jsp
* default_en/sun.com/eng.com/html/paycheck/Login.jsp
* default_en/sun.com/eng.com/html/Login.jsp
* default_en/sun.com/eng.com/Login.jsp
* default_en/sun.com/html/paycheck/Login.jsp
* default_en/sun.com/html/Login.jsp
* default_en/sun.com/Login.jsp
* default_en/html/paycheck/Login.jsp
* default_en/html/Login.jsp
* default_en/Login.jsp
* default/sun.com/eng.com/solaris.eng/html/paycheck/Login.jsp
* default/sun.com/eng.com/solaris.eng/html/Login.jsp
* default/sun.com/eng.com/solaris.eng/Login.jsp
* default/sun.com/eng.com/html/paycheck/Login.jsp
* default/sun.com/eng.com/html/Login.jsp
* default/sun.com/eng.com/Login.jsp
* default/sun.com/html/paycheck/Login.jsp
* default/sun.com/html/Login.jsp
* default/sun.com/Login.jsp
* default/html/paycheck/Login.jsp
* default/html/Login.jsp
* default/Login.jsp
* </pre>
* In case of non-HTML client, it will try to find
* <code>Login_&lt;charset>.jsp</code>.
* If not found, it then try <coed>Login.jsp</code>.
* @return configured jsp file name
public String getFileName(String fileName) {
return AuthUtils.getFileName(fileName, getLocale(), getOrgDN(),
servletRequest, LazyConfig.AUTHD.getServletContext(), indexType, indexName);
* Create user profile.
* @return <code>true</code> if profile is successfully created.
private boolean createUserProfile(String token, Set aliasList) {
try {
if (!dynamicProfileCreation) {
DEBUG.message("Error this user requires a profile to login");
return false;
// If the module is "Application" then do not create user profile
if (isApplicationModule(authMethName)) {
DEBUG.message("No profile created for Application module");
return false;
if (DEBUG.messageEnabled()) {
DEBUG.message("Creating user entry: " + token);
DEBUG.message("aliasList : " + aliasList);
if (userCreationAttributes == null) {
userCreationAttributes = new HashMap<String, Object>();
// get alias list
Map<String, Object> aliasMap = Collections.emptyMap();
if ((aliasList != null) && !aliasList.isEmpty()) {
// set alias attribute
DEBUG.message("Adding alias list to user profile");
if ((externalAliasList != null) &&
(!externalAliasList.isEmpty())) {
aliasMap.put(ISAuthConstants.USER_ALIAS_ATTR, aliasList);
if (!aliasMap.isEmpty()) {
if (DEBUG.messageEnabled()) {
DEBUG.message("userCreationAttributes is : "
+ userCreationAttributes);
Set<String> userPasswordSet = new HashSet<String>(1);
byte bytes[] = new byte[20];
ISAuthConstants.ATTR_USER_PASSWORD, userPasswordSet);
amIdentityUser =
createUserIdentity(token, userCreationAttributes, defaultRoles);
userDN = getUserDN(amIdentityUser);
Map userAttributes = amIdentityUser.getAttributes();
if (amIdentityRole != null) {
// retrieve the session attributes for the default role
Map sattrs = amIdentityRole.getServiceAttributes(
if (sattrs != null && !sattrs.isEmpty()) {
populateUserAttributes(userAttributes, true, null);
return true;
} catch (Exception ex) {
DEBUG.error("Cannot create user profile for: " + token);
if (DEBUG.messageEnabled()) {
DEBUG.message("Stack trace: ", ex);
return false;
private int[] getDefaultSessionAttributes(String orgDN) {
Map<String, Set<String>> map =
LazyConfig.AUTHD.getOrgServiceAttributes(orgDN, ISAuthConstants.SESSION_SERVICE_NAME);
return new int[] {
CollectionHelper.getIntMapAttr(map, ISAuthConstants.MAX_SESSION_TIME,
LazyConfig.AUTHD.getDefaultMaxSessionTime(), DEBUG),
CollectionHelper.getIntMapAttr(map, ISAuthConstants.SESS_MAX_IDLE_TIME,
LazyConfig.AUTHD.getDefaultMaxIdleTime(), DEBUG),
CollectionHelper.getIntMapAttr(map, ISAuthConstants.SESS_MAX_CACHING_TIME,
LazyConfig.AUTHD.getDefaultMaxCachingTime(), DEBUG) };
private void populateUserAttributes(Map<String, Set<String>> userAttributes, boolean loginStatus,
AMIdentity amIdentity) throws AMException {
int[] sessionAttrs = getDefaultSessionAttributes(getOrgDN());
if (DEBUG.messageEnabled()) {
DEBUG.message("default max session time: " + sessionAttrs[0]
+ "\ndefault max idle time: " + sessionAttrs[1]
+ "\ndefault max caching time: " + sessionAttrs[2]);
try {
userAuthConfig = CollectionHelper.getMapAttr(
userAttributes, ISAuthConstants.AUTHCONFIG_USER, null);
if (!loginStatus) {
Set<String> userFailureURLSet = userAttributes.get(ISAuthConstants.USER_FAILURE_URL);
clientUserFailureURL = getRedirectUrl(userFailureURLSet);
defaultUserFailureURL = tempDefaultURL;
Set<String> failureRoleURLSet = userAttributes.get(ISAuthConstants.LOGIN_FAILURE_URL);
clientFailureRoleURL = getRedirectUrl(failureRoleURLSet);
defaultFailureRoleURL = tempDefaultURL;
maxSession = CollectionHelper.getIntMapAttr(
userAttributes, ISAuthConstants.MAX_SESSION_TIME,
sessionAttrs[0], DEBUG);
idleTime = CollectionHelper.getIntMapAttr(
userAttributes, ISAuthConstants.SESS_MAX_IDLE_TIME, sessionAttrs[1], DEBUG);
cacheTime = CollectionHelper.getIntMapAttr(
userAttributes, ISAuthConstants.SESS_MAX_CACHING_TIME, sessionAttrs[2],
// Status determination
String tmp = CollectionHelper.getMapAttr(
userAttributes, ISAuthConstants.INETUSER_STATUS, "active");
// OPEN ISSUE- amIdentity.isActive return true even if
// user status is set to inactive.
if (amIdentity != null) {
tmp = amIdentity.isActive() ? "active" : "inactive";
String tmp1 = CollectionHelper.getMapAttr(
userAttributes, ISAuthConstants.LOGIN_STATUS, "active");
String tmp2 = CollectionHelper.getMapAttr(
userAttributes, ISAuthConstants.NSACCOUNT_LOCK, ISAuthConstants.FALSE_VALUE);
if (DEBUG.messageEnabled()) {
DEBUG.message("entity status is : " + tmp);
DEBUG.message("user-login-status is : " + tmp1);
DEBUG.message("nsaccountlock is : " + tmp2);
if (!tmp1.equalsIgnoreCase("active") ||
!tmp.equalsIgnoreCase("active") ||
!tmp2.equalsIgnoreCase("false")) {
userEnabled = false;
String ulocale = CollectionHelper.getMapAttr(
userAttributes, ISAuthConstants.PREFERRED_LOCALE, null);
userAliasList = (Set) userAttributes.get(ISAuthConstants.USER_ALIAS_ATTR);
// add value from attributes in iplanet-am-auth-alias-attr-name
if (aliasAttrNames != null && !aliasAttrNames.isEmpty()) {
Iterator<String> it = aliasAttrNames.iterator();
while (it.hasNext()) {
String attrName = it.next();
Set attrVals = (Set) userAttributes.get(attrName);
if (attrVals != null) {
if (userAliasList == null) {
userAliasList = new HashSet<String>();
userAttributes, ISAuthConstants.ACCOUNT_LIFE));
// retrieve the user default success url
// at user's role level
Set<String> userSuccessURLSet = userAttributes.get(ISAuthConstants.USER_SUCCESS_URL);
clientUserSuccessURL = getRedirectUrl(userSuccessURLSet);
defaultUserSuccessURL = tempDefaultURL;
Set<String> successRoleURLSet = userAttributes.get(ISAuthConstants.LOGIN_SUCCESS_URL);
clientSuccessRoleURL = getRedirectUrl(successRoleURLSet);
defaultSuccessRoleURL = tempDefaultURL;
if (DEBUG.messageEnabled()) {
DEBUG.message("Populate User attributes" +
"\n idle->" + idleTime +
"\n cache->" + cacheTime +
"\n max->" + maxSession +
"\n userLoginEnabled->" + userEnabled +
"\n charset->" + localeContext.getMIMECharset() +
"\n locale->" + localeContext.getLocale().toString() +
"\n userAlias-> :" + userAliasList +
"\n userSuccessURLSet-> :" + userSuccessURLSet +
"\n clientUserSuccessURL-> :" + clientUserSuccessURL +
"\n defaultUserSuccessURL-> :" + defaultUserSuccessURL +
"\n clientUserFailureURL-> :" + clientUserFailureURL +
"\n defaultUserFailureURL-> :" + defaultUserFailureURL +
"\n clientSuccessRoleURL -> :" + clientSuccessRoleURL +
"\n defaultSuccessRoleURL -> :" + defaultSuccessRoleURL +
"\n clientFailureRoleURL -> :" + clientFailureRoleURL +
"\n defaultFailureRoleURL -> :" + defaultFailureRoleURL +
"\n userAuthConfig -> : " + userAuthConfig +
"\n accountLife->" + getAccountLife());
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Eception in populateUserAttributes : ", e);
throw new AMException(e.getMessage(), e.toString());
* Returns <code>true</code> if user profile found.
* @param token
* @param populate
* @return <code>true</code> if user profile found.
* @throws AuthException if multiple user match found in search
boolean getUserProfile(String token, boolean populate)
throws AuthException {
try {
return getUserProfile(token, populate, true);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("getUserProfile(string,boolean)", e);
throw new AuthException(e);
* Returns <code>true</code> if user profile found.
* @param user userID for profile
* @param populate
* @param loginStatus current login status for profile
* @return <code>true</code> if user profile found.
* @throws AuthException if multiple user match found in search
private boolean getUserProfile(
String user,
boolean populate,
boolean loginStatus
) throws AuthException {
// Fix to cover SDK Bug which returns a user object
// even if the user is null or empty string
// if this check is not added SDK goes into a loop
if ((user == null) || (user.length() == 0)) {
throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
IdType idt = null;
try {
if (DEBUG.messageEnabled()) {
DEBUG.message("In getUserProfile : Search for user " + user);
Set<AMIdentity> amIdentitySet = Collections.emptySet();
IdSearchResults searchResults = null;
if (LazyConfig.AUTHD.isSuperAdmin(user)) {
// get the AMIdentity to get the universal
// id of amAdmin, currently there is no support
// for special users so the universal id in
// the ssotoken will be amAdmin's id.
AMIdentity amIdentity = LazyConfig.AUTHD.getIdentity(IdType.USER,
user, getOrgDN());
amIdentitySet = new HashSet<AMIdentity>();
} else {
// Try getting the AMIdentity object assuming AMSDK
// is present i.e., using IdUtils
try {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState: gettingIdentity " +
"using IdUtil.getIdentity: " + user +
" Org: " + getOrgDN());
AMIdentity amIdentity = IdUtils.getIdentity(
LazyConfig.AUTHD.getSSOAuthSession(), user, getOrgDN());
if (amIdentity != null &&
amIdentity.getAttributes() != null) {
amIdentitySet = new HashSet<>();
idt = amIdentity.getType();
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState: getIdentity " +
"using IdUtil.getIdentity: " + amIdentity);
} catch (IdRepoException e) {
// Ignore the exception and continue
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState: getting identity " +
"Got IdRepException in IdUtils.getIdentity", e);
} catch (SSOException se) {
// Ignore the exception and continue
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState: getting identity " +
"Got SSOException in IdUtils.getIdentity", se);
// If amIdentitySet is still empty, or IdType does not match
// search for all configured Identity Types
if (amIdentitySet == Collections.EMPTY_SET ||
idt != null && !identityTypes.contains(idt.getName())) {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState: getIdentity " +
"performing IdRepo search to obtain AMIdentity");
String userTokenID = DNUtils.DNtoName(user);
if (DEBUG.messageEnabled()) {
DEBUG.message("Search for Identity " + userTokenID);
Set<String> tmpIdentityTypes = new HashSet<String>(identityTypes);
if (identityTypes.contains("user")) {
searchResults = searchIdentity(IdUtils.getType("user"), userTokenID, populate);
if (searchResults != null) {
amIdentitySet = searchResults.getSearchResults();
if (amIdentitySet.isEmpty()) {
for (final String strIdType : tmpIdentityTypes) {
// Get identity by searching
searchResults = searchIdentity(IdUtils.getType(strIdType), userTokenID, populate);
if (searchResults != null) {
amIdentitySet = searchResults.getSearchResults();
if (!amIdentitySet.isEmpty()) {
if (DEBUG.messageEnabled()) {
DEBUG.message("result is :" + amIdentitySet);
if (amIdentitySet.isEmpty()) {
return false;
// check if there is multiple match
if (amIdentitySet.size() > 1) {
// multiple user match found, throw exception,
// user need to login as super admin to fix it
DEBUG.error("getUserProfile : Multiple matches found for " +
"user '" + token + "' in org " + orgDN +
"\nPlease make sure user is unique within the login " +
"organization, and contact your admin to fix the problem");
throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
amIdentityUser = amIdentitySet.iterator().next();
userDN = getUserDN(amIdentityUser);
idt = amIdentityUser.getType();
if (DEBUG.messageEnabled()) {
DEBUG.message("userDN is : " + userDN);
DEBUG.message("userID(token) is : " + token);
DEBUG.message("idType is : " + idt);
if (populate) {
Map basicAttrs = null;
Map serviceAttrs = null;
if (searchResults != null) {
basicAttrs = (Map) searchResults.getResultAttributes().get(amIdentityUser);
} else {
basicAttrs = amIdentityUser.getAttributes();
if (amIdentityRole != null) {
// role based auth. the specified role takes preference.
DEBUG.message("retrieving session service from role");
if (amIdentityRole != null) {
//Fix for OPENAM-612 - this request is cached most of the time
Set oc = amIdentityRole.getAttribute("objectclass");
if (oc != null && oc.contains("iplanet-am-session-service")) {
serviceAttrs = amIdentityRole.getServiceAttributes(
} else if (idt.equals(IdType.USER)) {
DEBUG.message("retrieving session service from user");
//Fix for OPENAM-612 - this request is cached most of the time
Set oc = amIdentityUser.getAttribute("objectclass");
if (oc != null && oc.contains("iplanet-am-session-service")) {
serviceAttrs = amIdentityUser.getServiceAttributes(
if (serviceAttrs != null && !serviceAttrs.isEmpty()) {
populateUserAttributes(basicAttrs, loginStatus, amIdentityUser);
return true;
} catch (SSOException ex) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Stack trace: ", ex);
} catch (AMException ex) {
DEBUG.error("No aliases for: " + aliasAttrNames + "=" + token);
if (DEBUG.messageEnabled()) {
DEBUG.message("Stack trace: ", ex);
} catch (IdRepoException ee) {
if (DEBUG.messageEnabled()) {
DEBUG.error("IdReporException ", ee);
return false;
* Populate all the default user attribute for profile
* @throws AMException if it fails to populate default user attributes
private void populateDefaultUserAttributes() throws AMException {
int[] sessionAttrs = getDefaultSessionAttributes(getOrgDN());
maxSession = sessionAttrs[0];
idleTime = sessionAttrs[1];
cacheTime = sessionAttrs[2];
userEnabled = true;
if (DEBUG.messageEnabled()) {
DEBUG.message("Populate Default User attributes" +
"\n idle->" + idleTime +
"\n cache->" + cacheTime +
"\n max->" + maxSession +
"\n userLoginEnabled->" + userEnabled +
"\n clientUserSuccessURL ->" + clientUserSuccessURL +
"\n defaultUserSuccessURL ->" + defaultUserSuccessURL +
"\n clientUserFailureURL ->" + clientUserFailureURL +
"\n defaultUserFailureURL ->" + defaultUserFailureURL +
"\n clientSuccessRoleURL ->" + clientSuccessRoleURL +
"\n defaultSuccessRoleURL ->" + defaultSuccessRoleURL +
"\n clientFailureRoleURL ->" + clientFailureRoleURL +
"\n defaultFailureRoleURL ->" + defaultFailureRoleURL +
"\n userAuthConfig ->" + userAuthConfig +
"\n charset->" + localeContext.getMIMECharset() +
"\n locale->" + localeContext.getLocale().toString());
* Search the user profile
* if <code>IndexType</code> is USER and if number of tokens is 1 and
* token is <code>superAdmin</code> then return. If more then 1 tokens
* are found then make sure the user tokens are in
* <code>iplanet-am-useralias-list</code>
* <p/>
* If <code>IndexType</code> is <code>LEVEL</code>, <code>MODULE</code>
* then there is only 1 user token retrieve the profile for the
* authenticated user and create profile if dynamic profile creation
* enabled.
* <p/>
* If <code>IndexType</code> is <code>ORG</code>, <code>SERVICE</code>,
* <code>ROLE</code> then retrieve the user profile for first token, if the
* profile is found and <code>user-alias-list</code> contains other
* tokens then continue, else try to retrieve remaining tokens till a match
* is found.
* <p/>
* Checks all the users in the tokenSet are active else error
* For ROLE based authentication checks if all user belong to the same Role.
* @param subject
* @param indexType
* @param indexName
* @return <code>true</code> if it found user profile
* @throws AuthException
boolean searchUserProfile(
Subject subject,
AuthContext.IndexType indexType,
String indexName
) throws AuthException {
Set<String> tokenSet = getTokenFromPrincipal(subject);
// check for all users user authenticated as
if (DEBUG.messageEnabled()) {
DEBUG.message("in searchUserProfile");
DEBUG.message("indexType is.. :" + indexType);
DEBUG.message("indexName is.. :" + indexName);
DEBUG.message("Subject is.. :" + subject);
DEBUG.message("token is.. :" + token);
DEBUG.message("tokenSet is.. :" + tokenSet);
DEBUG.message("ignoreUserProfile.. :" + ignoreUserProfile);
DEBUG.message("userDN is.. :" + userDN);
// retreive the tokens from the subject
try {
boolean gotUserProfile = true;
if (((ignoreUserProfile && !isApplicationModule(indexName))) ||
(isApplicationModule(indexName) && LazyConfig.AUTHD.isSuperAdmin(userDN))) {
if (LazyConfig.AUTHD.isSuperAdmin(userDN)) {
amIdentityUser = LazyConfig.AUTHD.getIdentity(IdType.USER, userDN, getOrgDN());
} else {
amIdentityUser =
new AMIdentity(null, userDN, IdType.USER, getOrgDN(), null);
userDN = getUserDN(amIdentityUser);
return true;
// for IndexType USER check all the token user
// authenticated as is present
// in the user-alias-list
if ((indexType == AuthContext.IndexType.USER)) {
if (token == null) {
return false;
getUserProfile(token, true);
Map<String, Boolean> aliasFound = searchUserAliases(token, tokenSet);
if (!checkAliasList(aliasFound)) {
if (createWithAlias) {
if (amIdentityUser == null) {
addAliasToUserProfile(amIdentityUser, aliasFound);
} else {
addAliasToUserProfile(token, aliasFound);
} else {
throw new AuthException(
AMAuthErrorCode.AUTH_LOGIN_FAILED, null);
} else {
boolean gotProfile = true;
if (tokenSet.isEmpty()) {
DEBUG.message("tokenset empty");
throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
} else if (tokenSet.size() == 1) {
if (isAccountLocked(getUserUniversalId(token))) {
DEBUG.message("User account \"{}\" locked", token);
throw new AuthException(AMAuthErrorCode.AUTH_USER_LOCKED, null);
DEBUG.message("tokenset size is 1");
gotUserProfile = getCreateUserProfile(true);
if (!userEnabled) {
throw new AuthException(
AMAuthErrorCode.AUTH_USER_INACTIVE, null);
if (LazyConfig.AUTHD.isSuperAdmin(userDN)) {
return true;
if (gotUserProfile) {
if (indexType == AuthContext.IndexType.ROLE) {
boolean userRoleFound = getUserForRole(
if (DEBUG.messageEnabled()) {
DEBUG.message("userRoleFound: "
+ userRoleFound);
if (!userRoleFound) {
auditor.auditLoginFailure(this, USER_NOT_FOUND);
throw new AuthException(
AMAuthErrorCode.AUTH_USER_NOT_FOUND, null);
} else { // came here multiple users found
DEBUG.message("came here !! multiple modules , users ");
// initialize variables required
String validToken = null;
boolean foundUserAlias = false;
boolean userRoleFound = true;
Map<String, Boolean> userEnabledMap = new HashMap<String, Boolean>();
Map<String, Boolean> userRoleFoundMap = new HashMap<String, Boolean>();
Map<String, Boolean> foundAliasMap = new HashMap<String, Boolean>();
Map<String, Boolean> gotUserProfileMap = new HashMap<String, Boolean>();
String aliasToken = null;
for (final String tok : tokenSet) {
token = tok;
if (DEBUG.messageEnabled()) {
DEBUG.message("BEGIN WHILE: Token is.. : "
+ token);
gotUserProfile = getUserProfile(token, true);
gotUserProfileMap.put(token, gotUserProfile);
if (DEBUG.messageEnabled()) {
DEBUG.message("gotUserProfile : " + gotUserProfile);
if (gotUserProfile) {
if (validToken == null) {
validToken = token;
userEnabledMap.put(token, userEnabled);
if (indexType == AuthContext.IndexType.ROLE) {
userRoleFound = getUserForRole(
userRoleFoundMap.put(token, userRoleFound);
foundAliasMap = searchUserAliases(token, tokenSet);
if (foundUserAlias =
getFoundUserAlias(foundAliasMap)) {
aliasToken = token;
if (DEBUG.messageEnabled()) {
"found aliases exiting while:"
+ foundAliasMap);
} // end while
if (DEBUG.messageEnabled()) {
DEBUG.message("Alias Token is : " + aliasToken);
DEBUG.message("Profile Token :" + validToken);
DEBUG.message("Token is : " + token);
if (aliasToken != null) {
token = aliasToken;
boolean userEnabled = getUserEnabled(userEnabledMap);
if (!userEnabled) {
throw new AuthException(
AMAuthErrorCode.AUTH_USER_INACTIVE, null);
if (indexType == AuthContext.IndexType.ROLE) {
userRoleFound = getUserRoleFound(userRoleFoundMap);
if (!userRoleFound) {
auditor.auditLoginFailure(this, USER_NOT_FOUND);
throw new AuthException(
AMAuthErrorCode.AUTH_USER_NOT_FOUND, null);
gotUserProfile = getGotUserProfile(gotUserProfileMap);
DEBUG.message("userEnabled : true");
/* if user profile is found but other tokens in do
* are not found in iplanet-am-user-alias list and
* if dynamic profile creation with user alias is
* enabled then add tokens to iplanet-am-user-alias-list
* to the token's profile
if ((gotUserProfile) && (!foundUserAlias)) {
if (createWithAlias) {
if (DEBUG.messageEnabled()) {
DEBUG.message("dynamicProfileCreation : "
+ dynamicProfileCreation);
DEBUG.message("foundUserAliasMap : "
+ foundAliasMap);
DEBUG.message("foundUserAliasMap : "
+ foundUserAlias);
addAliasToUserProfile(validToken, foundAliasMap);
} else { //end dynamic profile creation
throw new AuthException(
AMAuthErrorCode.AUTH_LOGIN_FAILED, null);
if (createWithAlias && !gotUserProfile) {
gotUserProfile = createUserProfileForTokens(tokenSet);
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState:searchUserProfile:returning: "
+ gotUserProfile);
return gotUserProfile;
} catch (AuthException e) {
throw new AuthException(e);
} catch (Exception e) {
DEBUG.error("Error retrieving profile", e);
throw new AuthException(e);
* Returns user's profile , if not found then create user profile.
* @param populate indicate if populate all default user attributes
* @return <code>true</code> if created user profile successfully
* @throws AuthException if fails create user profile
private boolean getCreateUserProfile(boolean populate)
throws AuthException {
boolean gotProfile = false;
if (userDN != null) {
gotProfile = getUserProfile(userDN, populate);
} else {
gotProfile = getUserProfile(token, populate);
if (!gotProfile) {
if (!LazyConfig.AUTHD.isSuperAdmin(userDN)) {
gotProfile = createUserProfile(token, null);
return gotProfile;
/* if multiple users in the Subject then create User profile
* for the first user and add the other tokens in the alias
* list
* NOTE: Currently we pick up the first token and just add the
* other tokens to the alias list. Can make it configurable by
* specifying isPrimary against a module in the JAAS confiugration
* then read that and whichever module is PRIMARY , create profile
* for that user and add the other user to the aliasList.
private boolean createUserProfileForTokens(Set<String> tokenSet) {
// retrieve the first token
// put the other tokens in a list
// these will put in the alias list attribute
// of first token's profile
Set<String> tokensList = new HashSet<String>();
String token = null;
Iterator<String> tokenIterator = tokenSet.iterator();
while (tokenIterator.hasNext()) {
token = tokenIterator.next();
if (LazyConfig.AUTHD.isSuperAdmin(token)) {
while (tokenIterator.hasNext()) {
String alias = tokenIterator.next();
if (DEBUG.messageEnabled()) {
DEBUG.message("alias list add token:" + alias);
if (DEBUG.messageEnabled()) {
DEBUG.message("Tokens List is.. :" + tokensList);
try {
return createUserProfile(token, tokensList);
} catch (Exception e) {
DEBUG.error("Cannot create user profile for: " + token);
if (DEBUG.messageEnabled()) {
DEBUG.message("Stack trace: ", e);
return false;
/* search the user-alias-list for token names */
private Map<String, Boolean> searchUserAliases(String userToken, Set<String> tokenSet) {
Map<String, Boolean> foundUserAliasMap = new HashMap<String, Boolean>();
if (DEBUG.messageEnabled()) {
DEBUG.message("userAliastList is.. :" + userAliasList);
DEBUG.message("userToken is.. :" + userToken);
DEBUG.message("tokenSet is.. :" + tokenSet);
if ((tokenSet != null) && (!tokenSet.isEmpty())) {
// iterate through the tokens in the token set
// and check if the tokens are in the user alias
// list of the user token. if yes then update
// the found user alias map with the token and boolean
// true else boolean false.
for (final String authToken : tokenSet) {
if ((userAliasList != null) && !userAliasList.isEmpty()) {
if (DEBUG.messageEnabled()) {
DEBUG.message("AuthToken is : " + authToken);
DEBUG.message("userToken is : " + userToken);
if (((authToken != null)
&& authToken.equalsIgnoreCase(userToken))
&& (!foundUserAliasMap.containsKey(authToken))) {
foundUserAliasMap.put(authToken, Boolean.TRUE);
} else if (userAliasList.contains(authToken)) {
foundUserAliasMap.put(authToken, Boolean.TRUE);
} else {
foundUserAliasMap.put(authToken, Boolean.FALSE);
} else {
if ((authToken != null)
&& authToken.equalsIgnoreCase(userToken)) {
foundUserAliasMap.put(authToken, Boolean.TRUE);
} else {
foundUserAliasMap.put(authToken, Boolean.FALSE);
if (DEBUG.messageEnabled()) {
DEBUG.message("searchUserAliases: foundUserAliasMap : "
+ foundUserAliasMap);
return foundUserAliasMap;
* Returns tokens from Principals of a subject
* returns a Set of tokens
* TODO - DN to Universal ID?
* @param subject Principals of a subject associated with
* <code>SSOToken</code>
* @return set of <code>SSOToken</code> associated with subject
private Set<String> getTokenFromPrincipal(Subject subject) {
Set<String> tokenSet = new HashSet<>();
List<String> principalNames = new ArrayList<>(subject.getPrincipals().size());
for (Principal p : subject.getPrincipals()) {
token = p.getName();
if (token != null && !principalNames.contains(token)) {
if (LDAPUtils.isDN(token)) {
userDN = token;
token = DNUtils.DNtoName(token);
} else if (!LDAPUtils.isDN(token) && userDN == null) {
userDN = token;
if (!tokenSet.contains(token)) {
if (DEBUG.messageEnabled()) {
DEBUG.message("principal name is... :" + this.token);
principalList = Joiner.on('|').join(principalNames);
if (DEBUG.messageEnabled()) {
DEBUG.message("Principal List is :" + principalList);
return tokenSet;
* Returns <code>true</code> if user is active.
* @return <code>true</code> if user is active.
boolean isUserEnabled() {
return userEnabled;
* Returns the DN for role.
* @param roleName Name of role.
* @return the DN for role.
private AMIdentity getIdentityRole(String roleName) {
if (amIdentityRole == null) {
amIdentityRole = searchIdentityRole(roleName);
return amIdentityRole;
* Returns Identity Role.
* @param role Name of role.
* @return Identity Role.
private AMIdentity searchIdentityRole(String role) {
if (DEBUG.messageEnabled()) {
DEBUG.message("rolename : " + role);
if (role == null) {
return null;
AMIdentity amIdRole = null;
try {
// search for this role name in organization
amIdRole = getRole(role);
} catch (Exception e) {
DEBUG.error("getRole: Error : ", e);
return amIdRole;
* Sets auth module name.
* @param authMethName Module Name.
void setAuthModuleName(String authMethName) {
if (DEBUG.messageEnabled()) {
DEBUG.message("authethName" + authMethName);
DEBUG.message("pAuthMethName " + pAuthMethName);
StringBuilder sb = null;
if ((this.pAuthMethName != null) && (this.pAuthMethName.length() > 0)) {
sb = new StringBuilder().append(this.pAuthMethName);
if ((authMethName != null) && (authMethName.length() > 0)) {
if (sb != null) {
} else {
sb = new StringBuilder().append(authMethName);
if (sb != null) {
this.authMethName = sb.toString();
if (DEBUG.messageEnabled()) {
DEBUG.message("setAuthModuleName: " + this.authMethName);
* Get the auth module name(s).
* @return The list of auth module names in a pipe separated string.
public String getAuthModuleNames() {
return authMethName;
* Returns <code>true</code> if the user belongs to role.
* @param amIdentityRole Role object.
* @return <code>true</code> if the user belongs to role.
private boolean getUserForRole(AMIdentity amIdentityRole) {
boolean foundUser = false;
try {
if (amIdentityUser.isMember(amIdentityRole)) {
foundUser = true;
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error getRoleName : ", e);
return foundUser;
* Returns the configuration for whether Zero Page Login (ZPL) should be allowed or not.
* @return the ZPL configuration
public ZeroPageLoginConfig getZeroPageLoginConfig() {
return zeroPageLoginConfig;
void setToken(String token) {
this.token = token;
* Return saved request parameters in <code>Hashtable</code>
* @return saved request parameters in <code>Hashtable</code>
public Map<String, String> getRequestParamHash() {
return requestHash;
/* check if the user list has inactive user */
private boolean getUserEnabled(Map<String, Boolean> userEnabledMap) {
userEnabled = !userEnabledMap.containsValue(Boolean.FALSE);
return userEnabled;
/* check if the users belong to role */
private boolean getUserRoleFound(Map<String, Boolean> userRoleFoundMap) {
boolean userRoleFound = true;
if (userRoleFoundMap.containsValue(Boolean.FALSE)) {
userRoleFound = false;
return userRoleFound;
/* check if the users map to the same user */
private boolean getFoundUserAlias(Map<String, Boolean> foundAliasMap) {
if (DEBUG.messageEnabled()) {
DEBUG.message("foundAliasMap :" + foundAliasMap);
boolean foundUserAlias = true;
if (foundAliasMap == null || foundAliasMap.isEmpty() ||
foundAliasMap.containsValue(Boolean.FALSE)) {
foundUserAlias = false;
if (DEBUG.messageEnabled()) {
DEBUG.message("foundUserAlias : " + foundUserAlias);
return foundUserAlias;
/* check if profile for the user was retrieve */
private boolean getGotUserProfile(Map<String, Boolean> gotUserProfileMap) {
if (DEBUG.messageEnabled()) {
DEBUG.message("GotUserProfileMAP is: " + gotUserProfileMap);
boolean gotUserProfile = false;
if (gotUserProfileMap.containsValue(Boolean.TRUE)) {
gotUserProfile = true;
if (DEBUG.messageEnabled()) {
DEBUG.message("gotUserProfile :" + gotUserProfile);
return gotUserProfile;
/* add token to iplanet-am-user-alias-list of the token which has
* a profile
private void addAliasToUserProfile(String token, Map<String, Boolean> foundUserAliasMap)
throws AuthException {
if (DEBUG.messageEnabled()) {
DEBUG.message("Token : " + token);
AMIdentity amIdentityUser =
LazyConfig.AUTHD.getIdentity(IdType.USER, token, getOrgDN());
addAliasToUserProfile(amIdentityUser, foundUserAliasMap);
/* add token to iplanet-am-user-alias-list of the identity which has
* a profile
private void addAliasToUserProfile(AMIdentity amIdentity, Map<String, Boolean> foundUserAliasMap) {
if (DEBUG.messageEnabled()) {
DEBUG.message("foundUserAliasMap : " + foundUserAliasMap);
try {
if ((foundUserAliasMap != null) && !foundUserAliasMap.isEmpty()) {
// set alias attribute
Set<String> aliasKeySet = foundUserAliasMap.keySet();
Iterator<String> aliasIterator = aliasKeySet.iterator();
while (aliasIterator.hasNext()) {
String token1 = aliasIterator.next();
if ((token != null && !token.equalsIgnoreCase(token1)) &&
(!userAliasList.contains(token1))) {
DEBUG.message("Adding alias list to user profile");
Map<String, Set<String>> aliasMap = new HashMap<String, Set<String>>();
if ((externalAliasList != null)
&& (!externalAliasList.isEmpty())) {
aliasMap.put(ISAuthConstants.USER_ALIAS_ATTR, userAliasList);
} catch (Exception e) {
DEBUG.error("Exception : " + e.getMessage(), e);
/* check alias list for tokens , if superAdmin token
* exists then amAdmin need not exist in the user-alias-list
private boolean checkAliasList(Map<String, Boolean> userAliasList) {
if (DEBUG.messageEnabled()) {
DEBUG.message("UserAliasList is.. : " + userAliasList);
boolean aliasFound = true;
Set<String> aliasKeySet = userAliasList.keySet();
Iterator<String> aliasIterator = aliasKeySet.iterator();
while (aliasIterator.hasNext()) {
Object token1 = aliasIterator.next();
if (DEBUG.messageEnabled()) {
DEBUG.message("Token is.. : " + token1);
String newToken = tokenToDN((String) token1);
if (!LazyConfig.AUTHD.isSuperAdmin(newToken)) {
Boolean val = userAliasList.get(token1);
if (val.toString().equals("false")) {
aliasFound = false;
return aliasFound;
* set Load Balance Cookie
* @param cookieDomain name of cookie domain for persistent cookie
* @return persistent cookie in request
* @throws SSOException
* @throws AMException
Cookie setlbCookie(String cookieDomain)
throws SSOException, AMException {
String cookieName = AuthUtils.getlbCookieName();
String cookieValue = AuthUtils.getlbCookieValue();
Cookie lbCookie = AuthUtils.createCookie(cookieName, cookieValue, -1, cookieDomain);
return lbCookie;
* Returns the current index type.
* @return the current index type.
public AuthContext.IndexType getIndexType() {
return indexType;
* Sets the indexType.
* @param indexType name of indexType to be set
void setIndexType(AuthContext.IndexType indexType) {
this.indexType = indexType;
* Returns the previous index type in authentication level after module
* selection.
* @return the previous index type in authentication level after module
* selection.
AuthContext.IndexType getPreviousIndexType() {
return prevIndexType;
* Sets the previous index type in authlevel after the choice is made.
* @param prevIndexType name of indexType to be set
void setPreviousIndexType(AuthContext.IndexType prevIndexType) {
this.prevIndexType = prevIndexType;
* Sets gotoOnFail URL.
private void setDecodedGoToOnFailURL() {
String arg = (String) requestHash.get("gotoOnFail");
if (arg != null && arg.length() != 0) {
gotoOnFailURL = arg;
* Returns success login URL.
* @return success login URL.
String getSuccessLoginURL() {
String postProcessGoto = AuthUtils.getPostProcessURL(servletRequest,
//check from postAuthModule URL is set
//if not try to retrieve it from session property
//Success URL from Post Auth takes precedence
InternalSession session = getReferencedSession();
if ((postProcessGoto == null) && (session != null))
postProcessGoto =
if ((postProcessGoto != null) && (postProcessGoto.length() > 0)) {
return postProcessGoto;
String currentGoto = (servletRequest == null) ?
null : servletRequest.getParameter("goto");
if (DEBUG.messageEnabled()) {
DEBUG.message("currentGoto : " + currentGoto);
if ((currentGoto != null) && (currentGoto.length() != 0) &&
(!currentGoto.equalsIgnoreCase("null"))) {
String encoded = servletRequest.getParameter("encoded");
if (encoded != null && encoded.equals("true")) {
String decodedGoTo = Base64.decodeAsUTF8String(currentGoto);
if (decodedGoTo == null && DEBUG.warningEnabled()) {
DEBUG.warning("As parameter 'encoded' is true, goto '{}' should be base64 encoded", currentGoto);
currentGoto = decodedGoTo;
if (!LazyConfig.AUTHD.isGotoUrlValid(currentGoto, getOrgDN())) {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.getSuccessLoginURL():Original goto URL is " + currentGoto
+ " which is invalid");
currentGoto = null;
String fqdnURL;
if ((currentGoto != null) && (currentGoto.length() != 0) && (!currentGoto.equalsIgnoreCase("null"))) {
fqdnURL = LazyConfig.AUTHD.processURL(currentGoto, servletRequest);
} else {
fqdnURL = LazyConfig.AUTHD.processURL(successLoginURL, servletRequest);
String encodedSuccessURL = encodeURL(fqdnURL, true);
if (DEBUG.messageEnabled()) {
DEBUG.message("get fqdnURL : " + fqdnURL);
DEBUG.message("get successLoginURL : "
+ successLoginURL);
DEBUG.message("get encodedSuccessURL : "
+ encodedSuccessURL);
return encodedSuccessURL;
* Sets success login URL.
* @param url success login URL.
public void setSuccessLoginURL(String url) {
/* this is for AMLoginModule to set the success url */
if (DEBUG.messageEnabled()) {
DEBUG.message("URL : from modle : " + url);
moduleSuccessLoginURL = url;
private String getSuccessURLForRole() {
String roleURL = null;
try {
Map roleAttrMap = getRoleServiceAttributes();
roleURL = getRoleURLFromAttribute(roleAttrMap,
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Execption:getSuccessURLForRole : ", e);
return roleURL;
private String getFailureURLForRole() {
String roleFailureURL = null;
try {
Map roleAttrMap = getRoleServiceAttributes();
roleFailureURL = getRoleURLFromAttribute(roleAttrMap,
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error retrieving url ");
DEBUG.message("Exception : ", e);
return roleFailureURL;
* Returns the AMTemplate for role.
* @return the AMTemplate for role.
* @throws Exception if fails to get role attribute
private Map<String, Set<String>> getRoleServiceAttributes() throws Exception {
try {
if (roleAttributeMap == null) {
Map roleServiceAttrMap = amIdentityRole.
String serviceName = (String) ((Set) roleServiceAttrMap.get(
if ((serviceName != null) &&
(!serviceName.equals(ISAuthConstants.BLANK))) {
roleAuthConfig = serviceName;
roleAttributeMap = getServiceAttributes(serviceName);
if (roleAttributeMap == null) {
roleAttributeMap = Collections.emptyMap();
if (DEBUG.messageEnabled()) {
DEBUG.message("Returning Service Attributes: " +
DEBUG.message("for Role : " + amIdentityRole.getName());
return roleAttributeMap;
} catch (Exception e) {
DEBUG.error("Error getting Role Attributes : ", e);
throw new Exception(AMAuthErrorCode.AUTH_ERROR);
* Returns success url for a service.
* @param indexName name of auth index
* @return success url for a service.
private String getSuccessURLForService(String indexName) {
String successServiceURL = null;
try {
if ((serviceAttributesMap != null)
&& (serviceAttributesMap.isEmpty())) {
serviceAttributesMap = getServiceAttributes(indexName);
if (DEBUG.messageEnabled()) {
DEBUG.message("AttributeMAP is.. :" + serviceAttributesMap);
successServiceURL = getServiceURLFromAttribute(
serviceAttributesMap, ISAuthConstants.LOGIN_SUCCESS_URL);
if (DEBUG.messageEnabled()) {
DEBUG.message("service successURL : " + successServiceURL);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error retrieving url ");
DEBUG.message("Exception : ", e);
return successServiceURL;
* Returns the service login failure URL.
* @param indexName name of auth index
* @return the service login failure URL.
private String getFailureURLForService(String indexName) {
String serviceFailureURL = null;
try {
if (serviceAttributesMap.isEmpty()) {
serviceAttributesMap = getServiceAttributes(indexName);
serviceFailureURL = getServiceURLFromAttribute(
serviceAttributesMap, ISAuthConstants.LOGIN_FAILURE_URL);
if (DEBUG.messageEnabled()) {
DEBUG.message("Service failureURL: " + serviceFailureURL);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error retrieving url ");
DEBUG.message("Exception : ", e);
return serviceFailureURL;
* Returns service login url attributes.
* @param indexName name of auth index
* @return service login url attributes.
* @throws Exception if fails to get service attribute
private Map<String, Set<String>> getServiceAttributes(String indexName) throws Exception {
try {
String orgDN = getOrgDN();
Map<String, Set<String>> attributeDataMap;
attributeDataMap = AuthServiceListener.getServiceAttributeCache(orgDN, indexName);
if (attributeDataMap != null) {
return attributeDataMap;
attributeDataMap = AMAuthConfigUtils.getNamedConfig(indexName, orgDN, LazyConfig.AUTHD.getSSOAuthSession());
AuthServiceListener.setServiceAttributeCache(orgDN, indexName, attributeDataMap);
return attributeDataMap;
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error getting service attribute: ");
DEBUG.message(" Exception : " + e.getMessage());
throw new Exception(e.getMessage());
/* create an instance of PostLoginProcessInterface Class */
private AMPostAuthProcessInterface getPostLoginProcessInstance(String className) {
if (DEBUG.messageEnabled()) {
DEBUG.message("postLoginProcess Class Name is : " + className);
if ((className == null) || (className.length() == 0)) {
return null;
try {
AMPostAuthProcessInterface loginPostProcessInstance =
return loginPostProcessInstance;
} catch (ClassNotFoundException ce) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Class not Found :", ce);
return null;
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error: ", e);
return null;
* this is called by AMLoginContext on a successful authentication to set
* the <code>successURL</code> based on the <code>indexType</code>,
* <code>indexName</code> order to figure out Success Login URL is :
* Authentication Method Success URL Order
* <pre>
* ==========================================================================
* Org,Level,Module,User
* 1. set by module
* 2. goto parameter
* 3. URL set for the clientType in iplanet-am-user-success-url
* in User Entry
* 4. URL set for the clientType in
* iplanet-am-auth-login-success-url set at user's Role
* 5. URL set for clientType in iplanet-am-auth-login-success-url
* set at Org
* 6. URL set for clientType in iplanet-am-auth-login-success-url
* - Organization Schema
* 7. iplanet-am-user-success-url set in User Entry
* 8. iplanet-am-auth-login-success-url set at user's Role
* 9. iplanet-am-auth-login-success-url set at Org
* 10. iplanet-am-auth-login-success-url - Organization Schema
* Role
* 1. set by module
* 2. goto parameter
* 3. URL matching clientType in iplanet-am-user-success-url
* set in User Entry
* 4. URL matching clientType in iplanet-am-auth-login-success-url
* set at the role user authenticates to.
* 5. URL matching clientType in iplanet-am-auth-login-success-url
* set at user's Role
* 6. URL matching clientType in iplanet-am-auth-login-success-url
* set at Org
* 7. URL matching clientType in iplanet-am-auth-login-success-url
* - Organization Schema
* 8. iplanet-am-user-success-url set in User Entry
* 9. iplanet-am-auth-login-success-url set at the
* role user authenticates to.
* 10. iplanet-am-auth-login-success-url set at user's Role
* 11. iplanet-am-auth-login-success-url set at Org
* 12. iplanet-am-auth-login-success-url - Organization Schema
* Service
* 1. set by module
* 2. goto parameter
* 3. URL matching clientType in iplanet-am-user-success-url
* set in User Entry
* 4. URL matching clientType in iplanet-am-auth-login-success-url
* set at the service entry.
* 5. URL matching clientType in iplanet-am-auth-login-success-url
* set at user's Role
* 6. URL matching clientType in iplanet-am-auth-login-success-url
* set at Org
* 7. URL matchhing clientType in iplanet-am-auth-login-success-url
* - Organization Schema
* 8. iplanet-am-user-success-url set in User Entry
* 9. iplanet-am-auth-login-success-url set at the service entry.
* 10. iplanet-am-auth-login-success-url set at user's Role
* 11. iplanet-am-auth-login-success-url set at Org
* 12. iplanet-am-auth-login-success-url - Organization Schema
* </pre>
* NOTE: same order used for failure URL.
* @param indexType
* @param indexName
private void setSuccessLoginURL(
AuthContext.IndexType indexType,
String indexName) {
/* if module sets the url then return the URL module set */
if (DEBUG.messageEnabled()) {
DEBUG.message("moduleSucessLoginURL : " + moduleSuccessLoginURL);
if ((moduleSuccessLoginURL != null) &&
(moduleSuccessLoginURL.length() != 0)) {
successLoginURL = moduleSuccessLoginURL;
/* if goto parameter was specified then return the gotoURL */
/*if ( (gotoURL != null) && (!gotoURL.length() == 0) ) {
successLoginURL = gotoURL;
return ;
String defSuccessURL = null;
/* if user profile has successurl set for the client type then return
* else get the default user url and continue
if ((clientUserSuccessURL != null) &&
(clientUserSuccessURL.length() != 0)
) {
successLoginURL = clientUserSuccessURL;
if (successLoginURL != null) {
defSuccessURL = defaultUserSuccessURL;
if (indexType == AuthContext.IndexType.ROLE) {
String successURL = getSuccessURLForRole();
if ((successURL != null) && (successURL.length() != 0)) {
successLoginURL = successURL;
if (defSuccessURL == null || defSuccessURL.length() == 0) {
defSuccessURL = tempDefaultURL;
if (indexType == AuthContext.IndexType.SERVICE) {
String successURL = getSuccessURLForService(indexName);
if ((successURL != null) && (successURL.length() != 0)) {
successLoginURL = successURL;
if (defSuccessURL == null || defSuccessURL.length() == 0) {
defSuccessURL = tempDefaultURL;
if ((clientSuccessRoleURL != null) &&
(clientSuccessRoleURL.length() != 0)
) {
successLoginURL = clientSuccessRoleURL;
if (defSuccessURL == null || defSuccessURL.length() == 0) {
defSuccessURL = defaultSuccessRoleURL;
if ((clientOrgSuccessLoginURL != null) &&
(clientOrgSuccessLoginURL.length() != 0)
) {
successLoginURL = clientOrgSuccessLoginURL;
if (defSuccessURL == null || defSuccessURL.length() == 0) {
defSuccessURL = defaultOrgSuccessLoginURL;
// get global default
String defaultSuccessURL;
if (indexType == AuthContext.IndexType.SERVICE ||
indexType == AuthContext.IndexType.ROLE) {
defaultSuccessURL = getRedirectUrl(LazyConfig.AUTHD.getDefaultServiceSuccessURLSet());
} else {
defaultSuccessURL = getRedirectUrl(LazyConfig.AUTHD.getDefaultSuccessURLSet());
if ((defaultSuccessURL != null) && (defaultSuccessURL.length() != 0)) {
successLoginURL = defaultSuccessURL;
if (defSuccessURL == null || defSuccessURL.length() == 0) {
defSuccessURL = tempDefaultURL;
// now assign back to the success url
successLoginURL = defSuccessURL;
if (DEBUG.messageEnabled()) {
DEBUG.message("SUCCESS Login url : " + successLoginURL);
* Sets failure login URL.
* @param indexType
* @param indexName
void setFailureLoginURL(
AuthContext.IndexType indexType,
String indexName) {
* this is called by AMLoginContext on a failed authentication to set
* the successURL based on the indexType,indexName
// if module set the url then return the URL module set
if ((moduleFailureLoginURL != null) &&
(moduleFailureLoginURL.length() != 0)) {
failureLoginURL = moduleFailureLoginURL;
if (DEBUG.messageEnabled()) {
DEBUG.message("failureTokenId in setFailureLoginURL = "
+ getFailureTokenId());
String defFailureURL = null;
/* if user profile has failure url set then return */
if (getFailureTokenId() != null) {
// get the user profile
try {
getUserProfile(getFailureTokenId(), true, false);
if ((clientUserFailureURL != null) &&
(clientUserFailureURL.length() != 0)) {
failureLoginURL = clientUserFailureURL;
defFailureURL = defaultUserFailureURL;
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error retreiving profile for : " +
getFailureTokenId(), e);
if (indexType == AuthContext.IndexType.ROLE) {
String failureURL = getFailureURLForRole();
if ((failureURL != null) && (failureURL.length() != 0)) {
failureLoginURL = failureURL;
if ((defFailureURL == null) || (defFailureURL.length() == 0)) {
defFailureURL = tempDefaultURL;
if (indexType == AuthContext.IndexType.SERVICE) {
String failureURL = getFailureURLForService(indexName);
if ((failureURL != null) && (failureURL.length() != 0)) {
failureLoginURL = failureURL;
if ((defFailureURL == null) || (defFailureURL.length() == 0)) {
defFailureURL = tempDefaultURL;
if ((clientFailureRoleURL != null) &&
(clientFailureRoleURL.length() != 0)
) {
failureLoginURL = clientFailureRoleURL;
if ((defFailureURL == null) || (defFailureURL.length() == 0)) {
defFailureURL = defaultFailureRoleURL;
if ((clientOrgFailureLoginURL != null) &&
(clientOrgFailureLoginURL.length() != 0)
) {
failureLoginURL = clientOrgFailureLoginURL;
if ((defFailureURL == null) || (defFailureURL.length() == 0)) {
defFailureURL = defaultOrgFailureLoginURL;
String defaultFailureURL;
if (indexType == AuthContext.IndexType.SERVICE ||
indexType == AuthContext.IndexType.ROLE) {
defaultFailureURL = getRedirectUrl(LazyConfig.AUTHD.getDefaultServiceFailureURLSet());
} else {
defaultFailureURL = getRedirectUrl(LazyConfig.AUTHD.getDefaultFailureURLSet());
if ((defaultFailureURL != null) && (defaultFailureURL.length() != 0)) {
failureLoginURL = defaultFailureURL;
if ((defFailureURL == null) || (defFailureURL.length() == 0)) {
defFailureURL = tempDefaultURL;
// now assign back to the Failure url
failureLoginURL = defFailureURL;
if (DEBUG.messageEnabled()) {
DEBUG.message("defaultFailureURL : " + failureLoginURL);
* Returns failure login URL.
* @return failure login URL.
String getFailureLoginURL() {
String postProcessURL = AuthUtils.getPostProcessURL(servletRequest,
if (postProcessURL != null) {
return postProcessURL;
if (gotoOnFailURL != null && !gotoOnFailURL.isEmpty()) {
if (!LazyConfig.AUTHD.isGotoUrlValid(gotoOnFailURL, getOrgDN())) {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.getFailureLoginURL(): Original gotoOnFail URL is " + gotoOnFailURL
+ " which is invalid");
gotoOnFailURL = null;
if (gotoOnFailURL != null && !gotoOnFailURL.isEmpty() && !gotoOnFailURL.equalsIgnoreCase("null")) {
fqdnFailureLoginURL = LazyConfig.AUTHD.processURL(gotoOnFailURL, servletRequest);
} else if (fqdnFailureLoginURL == null || !fqdnFailureLoginURL.isEmpty()) {
fqdnFailureLoginURL = LazyConfig.AUTHD.processURL(failureLoginURL, servletRequest);
return fqdnFailureLoginURL;
* Sets failure login URL.
* @param url failure login URL.
public void setFailureLoginURL(String url) {
/* this is for AMLoginModule to set the failure url */
moduleFailureLoginURL = url;
String getLogoutURL() {
return AuthUtils.getPostProcessURL(servletRequest, AMPostAuthProcessInterface.POST_PROCESS_LOGOUT_URL);
* Returns the role login url attribute value.
* @param roleAttrMap map object has login url attribute
* @param attrName attribute name for login url
* @return the role login url attribute value.
private String getRoleURLFromAttribute(Map roleAttrMap, String attrName) {
try {
Set roleURLSet = (Set) roleAttrMap.get(attrName);
return getRedirectUrl(roleURLSet);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error getting role attribute ", e);
return null;
* Returns service url from attribute value.
* @param attributeMap map object has service url attribute
* @param attrName attribute name for service url
* @return service url from attribute value.
private String getServiceURLFromAttribute(Map attributeMap, String attrName) {
Set serviceURLSet =
(Set) attributeMap.get(attrName);
String serviceURL = getRedirectUrl(serviceURLSet);
if (DEBUG.messageEnabled()) {
DEBUG.message("attr map: " + attributeMap +
"\nserviceURL : " + serviceURL);
return serviceURL;
* Returns servlet response object.
* @return servlet response object.
public HttpServletResponse getHttpServletResponse() {
return servletResponse;
* Sets servlet response.
* @param servletResponse servletResponse object to be set
public void setHttpServletResponse(HttpServletResponse servletResponse) {
this.servletResponse = servletResponse;
* Return previously received callback
* @return previously received callback
Callback[] getRecdCallback() {
return prevCallback;
* Set previously received callback
* @param prevCallback previously received callback
synchronized void setPrevCallback(Callback[] prevCallback) {
this.prevCallback = prevCallback;
* @return <code>true</code> if noSession mode was enabled in the request.
boolean isNoSession() {
return Boolean.parseBoolean(requestMap.get(NO_SESSION_QUERY_PARAM))
|| (servletRequest != null && Boolean.parseBoolean(
(String) servletRequest.getAttribute(ISAuthConstants.NO_SESSION_REQUEST_ATTR)));
* Indicates loginFailureLockoutStoreInDS mode is enabled.
String getAccountLife() {
return accountLife;
protected String getUserToken() {
return token;
boolean getEnableModuleBasedAuth() {
return enableModuleBasedAuth;
public boolean getLoginFailureLockoutMode() {
return isLoginFailureLockoutMode();
public boolean getLoginFailureLockoutStoreInDS() {
return isLoginFailureLockoutStoreInDS();
* Default max time for loginFailureLockout.
public long getLoginFailureLockoutTime() {
return loginFailureLockoutTime;
* Default count for loginFailureLockout.
public int getLoginFailureLockoutCount() {
return loginFailureLockoutCount;
* Default notification for loginFailureLockout.
public String getLoginLockoutNotification() {
return loginLockoutNotification;
public void incrementFailCount(String failedUserId) {
if (failedUserId != null) {
AMAccountLockout amAccountLockout = new AMAccountLockout(this);
boolean accountLocked = amAccountLockout.isLockedOut(failedUserId);
if ((!accountLocked) && (amAccountLockout.isLockoutEnabled())) {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState::incrementFailCount incremented fail count for " + failedUserId);
} else {
DEBUG.error("LoginState::incrementFailCount called with null user id");
public boolean isAccountLocked(String username) {
AMAccountLockout amAccountLockout = new AMAccountLockout(this);
return amAccountLockout.isLockedOut(username) || amAccountLockout.isAccountLocked(username);
* Default number of count for loginFailureLockout warning
*/ /**
* Returns lockout warning message.
* @return lockout warning message.
public int getLoginLockoutUserWarning() {
return loginLockoutUserWarning;
* Returns the error code .
* @return the error code .
public String getErrorCode() {
return errorCode;
* Sets the error code.
* @param errorCode Error code.
public void setErrorCode(String errorCode) {
this.errorCode = errorCode;
* Returns the error message.
* @return the error message.
public String getErrorMessage() {
return errorMessage;
* Sets the error message.
* @param errorMessage Error message.
public void setErrorMessage(String errorMessage) {
this.errorMessage = errorMessage;
* Returns the error template generated by framework.
* @return the error template generated by framework.
public String getErrorTemplate() {
return errorTemplate;
* Sets the error template generated by framework.
* @param errorTemplate Error template.
public void setErrorTemplate(String errorTemplate) {
this.errorTemplate = errorTemplate;
* Returns the error template set by module.
* @return Error template set by module.
String getModuleErrorTemplate() {
return moduleErrorTemplate;
* Sets the error module template sent by login module.
* @param moduleErrorTemplate Module error template.
public void setModuleErrorTemplate(String moduleErrorTemplate) {
this.moduleErrorTemplate = moduleErrorTemplate;
* Returns <code>true</code> if page times out.
* @return <code>true</code> if page times out.
public boolean isTimedOut() {
return timedOut;
* Sets the time out value.
* @param timedOut <code>true</code> to set timed out.
void setTimedOut(boolean timedOut) {
this.timedOut = timedOut;
* Returns the lockout message.
* @return the lockout message.
public String getLockoutMsg() {
return lockoutMsg;
* Sets the lockout message.
* @param lockoutMsg the lockout message.
public void setLockoutMsg(String lockoutMsg) {
if (DEBUG.messageEnabled()) {
DEBUG.message("setLockoutMsg :" + lockoutMsg);
this.lockoutMsg = lockoutMsg;
* Returns the index name.
* @return the index name.
public String getIndexName() {
return this.indexName;
* Set index name
* @param indexName indexName to be set
public void setIndexName(String indexName) {
this.indexName = indexName;
* Creates <code>AuthContextLocal</code> for new requests.
* @return the created <code>AuthContextLocal</code>
* @throws AuthException if fails to create <code>AuthContextLocal</code>
AuthContextLocal createAuthContext(
SessionID sid,
String orgName,
HttpServletRequest req
) throws AuthException {
this.userOrg = getDomainNameByOrg(orgName);
if (DEBUG.messageEnabled()) {
DEBUG.message("createAuthContext: userOrg is : " + userOrg);
if ((this.userOrg == null) || (this.userOrg.equals(""))) {
DEBUG.error("domain is null, error condtion");
logFailed(LazyConfig.AUTHD.bundle.getString("invalidDomain"), "INVALIDDOMAIN");
auditor.auditLoginFailure(this, INVALID_REALM);
throw new AuthException(AMAuthErrorCode.AUTH_INVALID_DOMAIN, null);
if (DEBUG.messageEnabled()) {
DEBUG.message("AuthUtil::getAuthContext::Creating new " +
"AuthContextLocal & LoginState");
AuthContextLocal authContext = new AuthContextLocal(this.userOrg);
newRequest = true;
this.finalSessionId = sid;
if (DEBUG.messageEnabled()) {
DEBUG.message("requestType : " + newRequest);
DEBUG.message("sid : " + sid);
DEBUG.message("orgName passed: " + orgName);
try {
createSession(req, authContext);
} catch (Exception e) {
DEBUG.error("Exception creating session .. :", e);
throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
amIdRepo = LazyConfig.AUTHD.getAMIdentityRepository(getOrgDN());
isLocaleSet = false;
return authContext;
* Sets the module <code>AuthLevel</code>.
* The authentication level being set cannot be downgraded
* below that set by the module configuration.This method
* is called by <code>AMLoginModule</code> SPI
* @param authLevel authentication level string to be set
* @return <code>true</code> if setting is successful, false otherwise
public boolean setModuleAuthLevel(int authLevel) {
boolean levelSet = false;
moduleAuthLevel = authLevel;
if (this.authLevel < moduleAuthLevel) {
this.authLevel = moduleAuthLevel;
levelSet = true;
if (DEBUG.messageEnabled()) {
DEBUG.message("spi authLevel :" + authLevel);
"module configuration authLevel :" + this.authLevel);
DEBUG.message("levelSet :" + levelSet);
return levelSet;
* This method is used for requests coming from the
* <code>AuthContext</code> API to determine the <code>orgDN</code> of the
* request. The <code>orgDN</code> is determined based on and in order:
* <pre>
* 1. Domain - check if org is a domain by trying to get domain component
* 2. OrgDN/path- check if the orgName passed is a path (eg."/suborg1")
* 3. URL - check if the orgName passed is a DNS alias (URL).
* 4. If no orgDN is found null is returned.
* </pre>
* @param orgName is the name of the Organization or Suborganzation whose
* <code>orgDN</code> is to be determined.
* @return a String which is the orgDN of the request
String getDomainNameByOrg(String orgName) {
String orgDN = null;
try {
orgDN = AuthUtils.getOrganizationDN(orgName, false, null);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Incorrect orgName passed:" + orgName, e);
return orgDN;
* Returns the module instances for a organization.
* @return the module instances for a organization.
Set<String> getModuleInstances() {
try {
if ((moduleInstances != null) && (!moduleInstances.isEmpty())) {
return moduleInstances;
moduleInstances = domainAuthenticators;
if (DEBUG.messageEnabled()) {
DEBUG.message("moduleInstances are : " + moduleInstances);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error getting moduleInstances ", e);
if (moduleInstances == null) {
moduleInstances = Collections.emptySet();
return moduleInstances;
* Returns the allowed authentication modules for organization
* @return the allowed authentication modules for organization
Set<String> getDomainAuthenticators() {
return domainAuthenticators;
* Returns the X509 certificate.
* @return the X509 certificate.
public X509Certificate getX509Certificate(HttpServletRequest servletrequest) {
if ((servletrequest != null) && (servletrequest.isSecure())) {
Object obj = servletrequest.getAttribute(
X509Certificate[] allCerts = (X509Certificate[]) obj;
if ((allCerts != null) && (allCerts.length != 0)) {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState.getX509Certificate :" +
"length of cert array " + allCerts.length);
cert = allCerts[0];
return cert;
void logSuccess() {
try {
String logSuccess = LazyConfig.AUTHD.bundle.getString("loginSuccess");
ArrayList<String> dataList = new ArrayList<String>();
StringBuilder messageId = new StringBuilder();
if (indexType != null) {
if (indexName != null) {
dataList.add("isNoSession=" + isNoSession());
String[] data = dataList.toArray(new String[dataList.size()]);
String contextId = null;
SSOToken localSSOToken = null;
if (!isNoSession()) {
localSSOToken = getSSOToken();
if (localSSOToken != null) {
contextId = localSSOToken.getProperty(Constants.AM_CTX_ID);
Hashtable<String, String> props = new Hashtable<String, String>();
if (client != null) {
props.put(LogConstants.IP_ADDR, client);
if (userDN != null) {
props.put(LogConstants.LOGIN_ID, userDN);
if (orgDN != null) {
props.put(LogConstants.DOMAIN, orgDN);
if (authMethName != null) {
props.put(LogConstants.MODULE_NAME, authMethName);
InternalSession session = getReferencedSession();
if (session != null) {
props.put(LogConstants.LOGIN_ID_SID, finalSessionId.toString());
if (contextId != null) {
props.put(LogConstants.CONTEXT_ID, contextId);
LazyConfig.AUTHD.logIt(data, AuthD.LOG_ACCESS, messageId.toString(), props);
} catch (Exception e) {
DEBUG.message("Error creating logSuccess message", e);
* Adds log message to authentication access log.
* @param msgId I18n key of the localized message.
* @param logId Logging message Id
public void logSuccess(String msgId, String logId) {
try {
String logSuccess = LazyConfig.AUTHD.bundle.getString(msgId);
List<String> dataList = new ArrayList<String>();
dataList.add("isNoSession=" + isNoSession());
String[] data = dataList.toArray(new String[dataList.size()]);
Hashtable<String, String> props = new Hashtable<String, String>();
if (client != null) {
props.put(LogConstants.IP_ADDR, client);
if (userDN != null) {
props.put(LogConstants.LOGIN_ID, userDN);
if (orgDN != null) {
props.put(LogConstants.DOMAIN, orgDN);
if (authMethName != null) {
props.put(LogConstants.MODULE_NAME, authMethName);
InternalSession session = getReferencedSession();
if (session != null) {
props.put(LogConstants.LOGIN_ID_SID, finalSessionId.toString());
LazyConfig.AUTHD.logIt(data, AuthD.LOG_ACCESS, logId, props);
} catch (Exception e) {
DEBUG.message("Error creating logSuccess message", e);
* Log login failed
* @param str message for login failed
void logFailed(String str) {
logFailed(str, "LOGIN_FAILED", true, null);
* Log login failed
* @param str message for login failed
* @param error error message for login failed
void logFailed(String str, String error) {
logFailed(str, "LOGIN_FAILED", true, error);
* Adds log message to authentication error log.
* @param str localized message to be logged.
* @param logId logging message Id.
* @param appendAuthType if true, append authentication type to the logId
* to form new logging message Id. for example:
* @param error error Id to be append to logId to form new logging
* message Id. for example : "LOGIN_FAILED_LEVEL_INVALIDPASSWORD"
public void logFailed(String str, String logId, boolean appendAuthType,
String error) {
try {
String logFailed = str;
if (str == null) {
logFailed = LazyConfig.AUTHD.bundle.getString("loginFailed");
List<String> dataList = new ArrayList<String>();
StringBuilder messageId = new StringBuilder();
if ((indexType != null) &&
(indexType != AuthContext.IndexType.COMPOSITE_ADVICE)) {
if (appendAuthType) {
if (indexName != null) {
if (error != null) {
String[] data = dataList.toArray(new String[dataList.size()]);
String contextId = null;
try {
SSOToken localSSOToken = getSSOToken();
if (localSSOToken != null) {
contextId = localSSOToken.getProperty(Constants.AM_CTX_ID);
} catch (SSOException ssoe) {
DEBUG.message("Error while retrieving SSOToken for login failure: "
+ ssoe.getMessage());
Hashtable<String, String> props = new Hashtable<String, String>();
if (client != null) {
props.put(LogConstants.IP_ADDR, client);
if (userDN != null) {
props.put(LogConstants.LOGIN_ID, userDN);
} else if (getFailureTokenId() != null) {
props.put(LogConstants.LOGIN_ID, getFailureTokenId());
} else if (callbacksPerState != null && !callbacksPerState.values().isEmpty()) {
for (Callback[] cb : callbacksPerState.values()) {
for (Callback aCb : cb) {
if (aCb instanceof NameCallback) {
userDN = ((NameCallback) aCb).getName();
if (DEBUG.messageEnabled()) {
DEBUG.message("userDN is null, setting to " + userDN);
props.put(LogConstants.LOGIN_ID, userDN);
if (orgDN != null) {
props.put(LogConstants.DOMAIN, orgDN);
if ((failureModuleList != null) &&
(failureModuleList.length() > 0)) {
props.put(LogConstants.MODULE_NAME, failureModuleList);
InternalSession session = getReferencedSession();
if (session != null) {
props.put(LogConstants.LOGIN_ID_SID, finalSessionId.toString());
if (contextId != null) {
props.put(LogConstants.CONTEXT_ID, contextId);
LazyConfig.AUTHD.logIt(data, LazyConfig.AUTHD.LOG_ERROR, messageId.toString(), props);
} catch (Exception e) {
DEBUG.error("Error creating logFailed message", e);
* Log Logout status
void logLogout() {
try {
String logLogout = LazyConfig.AUTHD.bundle.getString("logout");
List<String> dataList = new ArrayList<String>();
StringBuilder messageId = new StringBuilder();
if (indexType != null) {
if (indexName != null) {
String[] data = dataList.toArray(new String[dataList.size()]);
String contextId = null;
SSOToken localSSOToken = getSSOToken();
if (localSSOToken != null) {
contextId = localSSOToken.getProperty(Constants.AM_CTX_ID);
Hashtable<String, String> props = new Hashtable<String, String>();
if (client != null) {
props.put(LogConstants.IP_ADDR, client);
if (userDN != null) {
props.put(LogConstants.LOGIN_ID, userDN);
if (orgDN != null) {
props.put(LogConstants.DOMAIN, orgDN);
if (authMethName != null) {
props.put(LogConstants.MODULE_NAME, authMethName);
InternalSession session = getReferencedSession();
if (session != null) {
props.put(LogConstants.LOGIN_ID_SID, finalSessionId.toString());
if (contextId != null) {
props.put(LogConstants.CONTEXT_ID, contextId);
LazyConfig.AUTHD.logIt(data, AuthD.LOG_ACCESS, messageId.toString(), props);
} catch (Exception e) {
DEBUG.error("Error creating logout message", e);
* Attribute name for loginFailureLockout.
*/ /**
* Return attribute name for LoginLockout
* @return attribute name for LoginLockout
public String getLoginLockoutAttrName() {
return loginLockoutAttrName;
* Attribute value for loginFailureLockout.
*/ /**
* Return attribute value for LoginLockout
* @return attribute value for LoginLockout
public String getLoginLockoutAttrValue() {
return loginLockoutAttrValue;
* Attribute name for storing invalid attempts data.
*/ /**
* Return attribute name for storing invalid attempts data
* @return attribute name for storing invalid attempts data
public String getInvalidAttemptsDataAttrName() {
return invalidAttemptsDataAttrName;
* Max time for loginFailureLockout.
*/ /**
* Return LoginLockout duration
* @return LoginLockout duration
public long getLoginFailureLockoutDuration() {
return loginFailureLockoutDuration;
* Multiplier for Memory Lockout Duration
*/ /**
* Return multiplier for Memory Lockout
* @return LoginLockout multiplier
public int getLoginFailureLockoutMultiplier() {
return loginFailureLockoutMultiplier;
* Returns old Session
* @return old Session
public InternalSession getOldSession() {
return getReferencedOldSession();
* Sets old Session
* @param oldSession Old InternalSession Object
public void setOldSession(InternalSession oldSession) {
if (null == oldSession) {
this.oldSessionReference = null;
this.oldSessionReference = oldSession.getSessionID();
* Returns session upgrade.
* @return session upgrade.
public boolean isSessionUpgrade() {
return sessionUpgrade;
* Sets session upgrade.
* @param sessionUpgrade <code>true</code> if session upgrade.
void setSessionUpgrade(boolean sessionUpgrade) {
this.sessionUpgrade = sessionUpgrade;
private void sessionUpgrade() throws AuthException {
// set the larger authlevel
InternalSession oldSession = getReferencedOldSession();
if (oldSession == null && oldStatelessSession == null) {
String strPrevAuthLevel;
String prevServiceName;
String prevRoleName;
String prevModuleList;
if (oldSession != null) {
strPrevAuthLevel = AMAuthUtils.getDataFromRealmQualifiedData(oldSession.getProperty("AuthLevel"));
prevServiceName = oldSession.getProperty("Service");
prevRoleName = oldSession.getProperty("Role");
prevModuleList = oldSession.getProperty("AuthType");
} else {
try {
strPrevAuthLevel = AMAuthUtils.getDataFromRealmQualifiedData(oldStatelessSession.getProperty("AuthLevel"));
prevServiceName = oldStatelessSession.getProperty("Service");
prevRoleName = oldStatelessSession.getProperty("Role");
prevModuleList = oldStatelessSession.getProperty("AuthType");
} catch (SessionException se) {
throw new AuthException(AMAuthErrorCode.SESSION_UPGRADE_FAILED, null);
int prevAuthLevel = 0;
String upgradeAuthLevel;
try {
prevAuthLevel = Integer.parseInt(strPrevAuthLevel);
} catch (NumberFormatException e) {
DEBUG.error("AuthLevel from session property bad format");
if (DEBUG.messageEnabled()) {
DEBUG.message("prevAuthLevel : " + prevAuthLevel);
if (prevAuthLevel > authLevel) {
upgradeAuthLevel = Integer.toString(prevAuthLevel);
} else {
upgradeAuthLevel = Integer.toString(authLevel);
if ((qualifiedOrgDN != null) && (qualifiedOrgDN.length() != 0)) {
upgradeAuthLevel = AMAuthUtils.toRealmQualifiedAuthnData(
// update service name if indextype is service
String upgradeServiceName = prevServiceName;
String newServiceName;
newServiceName = getAuthConfigName(indexType, indexName);
if ((newServiceName != null) && (newServiceName.length() != 0)) {
if ((qualifiedOrgDN != null)
&& (qualifiedOrgDN.length() != 0)) {
newServiceName = AMAuthUtils.toRealmQualifiedAuthnData(
if (prevServiceName != null) {
upgradeServiceName = prevServiceName;
if ((newServiceName != null) &&
(!prevServiceName.contains(newServiceName))) {
upgradeServiceName = newServiceName + "|" +
} else {
upgradeServiceName = newServiceName;
// update role if indexType is role
String upgradeRoleName = prevRoleName;
if (indexType == AuthContext.IndexType.ROLE) {
if (prevRoleName != null) {
upgradeRoleName = prevRoleName;
if ((indexName != null)
&& (!prevRoleName.contains(indexName))) {
upgradeRoleName = indexName + "|" + prevRoleName;
} else {
upgradeRoleName = indexName;
// update auth meth name
String newModuleList = authMethName;
if ((qualifiedOrgDN != null) && (qualifiedOrgDN.length() != 0)) {
newModuleList = getRealmQualifiedModulesList(
DNMapper.orgNameToRealmName(qualifiedOrgDN), authMethName);
if (DEBUG.messageEnabled()) {
DEBUG.message("newModuleList : " + newModuleList);
DEBUG.message("prevModuleList : " + prevModuleList);
String upgradeModuleList = null;
StringBuilder sb = new StringBuilder();
if (prevModuleList == null ? newModuleList != null : !prevModuleList.equals(newModuleList)) {
upgradeModuleList = parsePropertyList(prevModuleList, newModuleList);
} else {
upgradeModuleList = sb.toString();
if (DEBUG.messageEnabled()) {
DEBUG.message("oldAuthLevel : " + prevAuthLevel);
DEBUG.message("newAuthLevel : " + authLevel);
DEBUG.message("upgradeAuthLevel : " + upgradeAuthLevel);
DEBUG.message("prevServiceName : " + prevServiceName);
DEBUG.message("upgradeServiceName : " + upgradeServiceName);
DEBUG.message("preRoleName : " + prevRoleName);
DEBUG.message("upgradeRoleName : " + upgradeRoleName);
DEBUG.message("prevModuleList: " + prevModuleList);
DEBUG.message("newModuleList: " + newModuleList);
DEBUG.message("upgradeModuleList: " + upgradeModuleList);
updateSessionProperty("AuthLevel", upgradeAuthLevel);
updateSessionProperty("AuthType", upgradeModuleList);
updateSessionProperty("Service", upgradeServiceName);
updateSessionProperty("Role", upgradeRoleName);
InternalSession session = getReferencedSession();
/* upgrade session properties - old session and new session proeprties
* will be concatenated , seperated by |
private void updateSessionProperty(final String property, final String value) {
if (value == null) {
InternalSession session = null;
if (!forceAuth) {
session = getReferencedSession();
} else {
session = getReferencedOldSession();
if (null != session) {
session.putProperty(property, value);
/* update session with the property and value */
/* Get realm qualified modules list */
private String getRealmQualifiedModulesList(String realm, String oldModulesList) {
if (DEBUG.messageEnabled()) {
DEBUG.message("getRealmQualifiedModulesList:realm : "
+ realm);
DEBUG.message("getRealmQualifiedModulesList:oldModulesList : "
+ oldModulesList);
StringBuilder sb = new StringBuilder();
StringTokenizer st = new StringTokenizer(oldModulesList, "|");
while (st.hasMoreTokens()) {
String module = st.nextToken();
sb.append(AMAuthUtils.toRealmQualifiedAuthnData(realm, module))
String realmQualifiedModulesList = sb.toString();
int i = realmQualifiedModulesList.lastIndexOf("|");
if (i != -1) {
realmQualifiedModulesList =
realmQualifiedModulesList.substring(0, i);
if (DEBUG.messageEnabled()) {
DEBUG.message("RealmQualifiedModulesList is : "
+ realmQualifiedModulesList);
return realmQualifiedModulesList;
/* compare old session property and new session property */
private String parsePropertyList(String oldProperty, String newProperty) {
if (DEBUG.messageEnabled()) {
DEBUG.message("oldProperty : " + oldProperty);
DEBUG.message("newProperty : " + newProperty);
StringBuilder sb = new StringBuilder();
StringTokenizer st = new StringTokenizer(oldProperty, "|");
while (st.hasMoreTokens()) {
String s = st.nextToken();
if (!newProperty.equals(s)) {
String propertyList = sb.toString();
if (DEBUG.messageEnabled()) {
DEBUG.message("propertyList is : " + propertyList);
return propertyList;
// Upgrade all Properties from the existing (old) session to new session
private void upgradeAllProperties(InternalSession oldSession) {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState::upgradeAllProperties() : Calling SessionPropertyUpgrader");
InternalSession session = getReferencedSession();
LazyConfig.SESSION_PROPERTY_UPGRADER.populateProperties(oldSession, session, forceAuth);
// Upgrade all Properties from the existing (old) session to new session
private void upgradeAllPropertiesFromStateless(StatelessSession oldSession) throws SessionException {
if (DEBUG.messageEnabled()) {
DEBUG.message("LoginState::upgradeAllProperties() : Calling SessionPropertyUpgrader");
InternalSession session = getReferencedSession();
LazyConfig.SESSION_PROPERTY_UPGRADER.populatePropertiesFromStateless(oldSession, session);
private void invokeSessionUpgradeHandlers() {
if (sessionUpgradeHandlers == null) {
for (SessionUpgradeHandler sessionUpgradeHandler : sessionUpgradeHandlers) {
InternalSession session = getReferencedSession();
InternalSession oldSession = getReferencedOldSession();
sessionUpgradeHandler.handleSessionUpgrade(oldSession, session);
private static synchronized void loadSessionUpgradeHandlers() {
if (sessionUpgradeHandlers == null) {
List<SessionUpgradeHandler> instances = new ArrayList<>(1);
final ServiceLoader<SessionUpgradeHandler> impls = ServiceLoader.load(SessionUpgradeHandler.class);
for (SessionUpgradeHandler sessionUpgradeHandler : impls) {
sessionUpgradeHandlers = ImmutableList.copyOf(instances);
boolean isCookieSet() {
return cookieSet;
void setCookieSet(boolean flag) {
cookieSet = flag;
boolean isCookieSupported() {
return cookieSupported;
void setCookieSupported(boolean flag) {
cookieSupported = flag;
/* Order to determine execution of Post processing SPI is :
* Authentication Method SPI execution order
* ==========================================================
* Org , Level , User ,Module
* 1. Set at the user's role entry
* 2. Set at the user's org entry
* Role
* 1. Set that the role user's authenticates to
* 2. Set at the user's role entry.
* 3. Set at the user's org entry.
* Service
* 1. Set at the service.
* 2. Set at the user's role entry.
* 3. Set at the user's org entry.
* @param indexType Index type for post process
* @param indexName Index name for post process
* @param type indicates success, failure or logout
void postProcess(AuthContext.IndexType indexType, String indexName, PostProcessEvent type) {
Set<AMPostAuthProcessInterface> postLoginInstanceSet = getPostLoginInstances(getPostLoginClassSet(indexType, indexName));
if ((postLoginInstanceSet != null) &&
(!postLoginInstanceSet.isEmpty())) {
for (AMPostAuthProcessInterface postLoginInstance : postLoginInstanceSet) {
executePostProcessSPI(postLoginInstance, type);
* Returns an instance of the spi and execute it based on whether
* the login status is success or failed
* @param postProcessInstance <code>AMPostAuthProcessInterface</code>
* object to be processes in post login
* @param type indicates success, failure or logout
private void executePostProcessSPI(AMPostAuthProcessInterface postProcessInstance,
PostProcessEvent type) {
/* Reset Post Process URLs in servletRequest so
* that plugin can set new values (just a safety measure) */
if (requestMap.isEmpty() && (servletRequest != null)) {
Map<String, String[]> map = servletRequest.getParameterMap();
for (Map.Entry<String, String[]> e : map.entrySet()) {
requestMap.put(e.getKey(), e.getValue()[0]);
/* execute the post process spi */
try {
switch (type) {
final SSOToken ssoToken = getSSOToken();
postProcessInstance.onLoginSuccess(requestMap, servletRequest, servletResponse, ssoToken);
// Regenerate the session ID based on the sso token in case this is a stateless session that
// has been updated.
setSessionID(new SessionID(ssoToken.getTokenID().toString()));
postProcessInstance.onLoginFailure(requestMap, servletRequest, servletResponse);
case LOGOUT:
postProcessInstance.onLogout(servletRequest, servletResponse, getSSOToken());
if (DEBUG.messageEnabled()) {
DEBUG.message("executePostProcessSPI: invalid input type: " + type);
} catch (AuthenticationException ae) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error ", ae);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error ", e);
* Creates a set of instances that are implementation of classes of type
* AMPostAuthProcessInterface. The classes are picked based on index type
* and auth configuration.
* @param indexType Index type for post login process
* @param indexName Index name for post login process
private Set<String> getPostLoginClassSet(AuthContext.IndexType indexType, String indexName) {
Set<String> postLoginClassSet = Collections.emptySet();
if (indexType == AuthContext.IndexType.ROLE) {
/* If role based auth then get post process classes from
* auth config of that role.
postLoginClassSet = getRolePostLoginClassSet();
} else if (indexType == AuthContext.IndexType.SERVICE) {
/* For service based auth if service name is console service
* then use admin auth config otherwise use the index name
if (indexName.equals(ISAuthConstants.CONSOLE_SERVICE)) {
if ((orgAdminAuthConfig != null) &&
(!orgAdminAuthConfig.equals(ISAuthConstants.BLANK))) {
postLoginClassSet = getServicePostLoginClassSet
} else {
postLoginClassSet = getServicePostLoginClassSet(indexName);
} else if ((indexType == AuthContext.IndexType.USER)) {
/* For user based auth, take the auth config from users attributes
if (((userAuthConfig != null) && (!userAuthConfig.equals(
ISAuthConstants.BLANK)))) {
postLoginClassSet = getServicePostLoginClassSet(userAuthConfig);
if (((postLoginClassSet == null) || (postLoginClassSet.isEmpty())) &&
((orgPostLoginClassSet != null) && (!orgPostLoginClassSet.isEmpty()))) {
/* If no Post Process class is found or module based auth then
* default to org level only if they are defined.
postLoginClassSet = orgPostLoginClassSet;
} else if (indexType == null) {
/* For org based auth, if post process classes are not defined at
* org level then use or default config.
if ((orgAuthConfig != null) && (!orgAuthConfig.
equals(ISAuthConstants.BLANK))) {
postLoginClassSet = getServicePostLoginClassSet(orgAuthConfig);
if (DEBUG.messageEnabled()) {
DEBUG.message("postLoginClassSet = " + postLoginClassSet);
return postLoginClassSet;
* Note that as a side effect, this sets the post auth process instance property on the session.
private Set<AMPostAuthProcessInterface> getPostLoginInstances(Set<String> postLoginClassSet) {
Set<AMPostAuthProcessInterface> postLoginInstanceSet = new HashSet<>();
if ((postLoginClassSet != null) && (!postLoginClassSet.isEmpty())) {
StringBuilder sb = new StringBuilder();
for (String postLoginClassName : postLoginClassSet) {
if (sb.length() > 0) {
if (DEBUG.messageEnabled()) {
DEBUG.message("setPostLoginInstances : "
+ postLoginClassName);
DEBUG.message("setPostLoginInstances : "
+ postLoginClassSet.size());
AMPostAuthProcessInterface postProcessInstance = getPostLoginProcessInstance(postLoginClassName);
if (postProcessInstance != null) {
InternalSession session = getReferencedSession();
session.putProperty(ISAuthConstants.POST_AUTH_PROCESS_INSTANCE, sb.toString());
return postLoginInstanceSet;
* Returns role post login class set
* @return role post login class set
private Set<String> getRolePostLoginClassSet() {
Set<String> postLoginClassSet = null;
try {
Map<String, Set<String>> roleAttrMap = getRoleServiceAttributes();
postLoginClassSet = roleAttrMap.get(ISAuthConstants.POST_LOGIN_PROCESS);
if (postLoginClassSet == null) {
postLoginClassSet = Collections.emptySet();
if (DEBUG.messageEnabled()) {
DEBUG.message("Role Post Login Class Set : " +
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error get role class set ", e);
return postLoginClassSet;
* Returns the service post login process class set
* @param indexName Index name for post login
* @return the service post login process class set
private Set<String> getServicePostLoginClassSet(String indexName) {
Set<String> postLoginClassSet = null;
try {
if ((serviceAttributesMap != null)
&& (serviceAttributesMap.isEmpty())) {
serviceAttributesMap = getServiceAttributes(indexName);
if (DEBUG.messageEnabled()) {
DEBUG.message("Service Attributes are . :" +
postLoginClassSet = serviceAttributesMap.get(ISAuthConstants.POST_LOGIN_PROCESS);
if (postLoginClassSet == null) {
postLoginClassSet = Collections.emptySet();
if (DEBUG.messageEnabled()) {
DEBUG.message("postLoginClassName: " + postLoginClassSet);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error get service post login class name "
+ e.getMessage());
return postLoginClassSet;
* Returns the error message set by module.
* @return the error message set by module.
String getModuleErrorMessage() {
return moduleErrorMessage;
void setModuleErrorMessage(String message) {
moduleErrorMessage = message;
* Returns the Login URL user input.
* @return the Login URL user input.
public String getLoginURL() {
return loginURL;
* Returns the flag indicating a request "forward" after
* successful authentication.
* @return the boolean flag.
boolean isForwardSuccess() {
return forwardSuccess;
* Returns page timeout.
* @return Page timeout.
long getPageTimeOut() {
if (DEBUG.messageEnabled()) {
DEBUG.message("Returning page timeout :" + pageTimeOut);
return pageTimeOut;
* Sets the page timeout.
* @param pageTimeOut Page timeout.
synchronized void setPageTimeOut(long pageTimeOut) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Setting page timeout :" + pageTimeOut);
this.pageTimeOut = pageTimeOut;
* Returns last callback sent.
* @return Last callback sent.
long getLastCallbackSent() {
if (DEBUG.messageEnabled()) {
"Returning Last Callback Sent :" + lastCallbackSent);
return lastCallbackSent;
* Sets the last callback sent.
* @param lastCallbackSent Last callback sent.
void setLastCallbackSent(long lastCallbackSent) {
if (DEBUG.messageEnabled()) {
DEBUG.message("setting Last Callback Sent :" + lastCallbackSent);
this.lastCallbackSent = lastCallbackSent;
* This function is to get the redirect url from a set of urls
* based on client type. Each url will be of the form
* clienttype|url, applications need to provide redirect urls
* along with the client type so that it can be client aware.
* If it does not find the specified url along with
* client type, it returns the default client type
* @param urls set of urls with client type.
* @return redirect url from a set of urls for client type
private String getRedirectUrl(Set<String> urls) {
//If the urls set is null, return the default url
String clientURL = null;
tempDefaultURL = null;
if ((urls != null) && (!urls.isEmpty())) {
String defaultURL = null;
for (final String url : urls) {
if (DEBUG.messageEnabled()) {
DEBUG.message("URL is : " + url);
if ((url != null) && (url.length() > 0)) {
int i = url.indexOf(ISAuthConstants.PIPE_SEPARATOR);
if (i != -1) {
if (clientURL == null) {
clientURL = AuthUtils.getClientURLFromString(
url, i, servletRequest);
} else {
// There is no delimiter, ok check the size of the
// urls
if ((defaultURL == null) ||
(defaultURL.length() == 0)) {
defaultURL = url;
} //end while
tempDefaultURL = defaultURL;
if (DEBUG.messageEnabled()) {
DEBUG.message("defaultURL : " + defaultURL);
DEBUG.message("tempDefaultURL : " + tempDefaultURL);
return clientURL;
* Return ignoreUserProfile
* @return ignoreUserProfile
boolean ignoreProfile() {
return ignoreUserProfile;
* Return set which contains union of the two sets
* if one of the set is null or empty, return the other set
* @param set1 First set will be joined
* @param set2 Second set will be joined
* @return set which contains union of the two sets
private Set mergeSet(Set<String> set1, Set<String> set2) {
if (set1 == null || set1.isEmpty()) {
if (set2 == null || set2.isEmpty()) {
return Collections.EMPTY_SET;
} else {
return set2;
} else {
if (set2 == null || set2.isEmpty()) {
return set1;
} else {
Set<String> returnSet = new HashSet<String>(set1);
return returnSet;
* Converts a set to a map, keys are the elements in the set, value is
* the token. User naming attribute is always added as one of the key.
* @param names set of names are used key for map
* @param token value for each named key
* @return map that is converted from set
private Map toAvPairMap(Set<String> names, String token) {
if (token == null) {
return Collections.EMPTY_MAP;
Map map = new HashMap();
Set<String> set = new HashSet<String>();
//map.put(AMStoreConnection.getNamingAttribute(AMObject.USER), set);
//map.put(userNamingAttr, set);
if (names == null || names.isEmpty()) {
return map;
for (final Object name : names) {
map.put(name, set);
return map;
* Sets the <code>failureTokenId</code> - set by modules
* if this is set the logs will show the user id.
* @param userID User ID.
public void setFailedUserId(String userID) {
if (DEBUG.messageEnabled()) {
DEBUG.message("setting userID : " + userID);
* If the session should be persisted to the CTS, do so.
void persistSession() {
if (stateless || isNoSession()) {
* Get all the received Callbacks.
* @return The received Callbacks.
public Map<String, Callback[]> getAllReceivedCallbacks() {
return callbacksPerState;
* Returns Callbacks per Page state.
* @return Callbacks per Page state.
Callback[] getCallbacksPerState(String pageState) {
Callback[] rtnCallbacks = null;
rtnCallbacks = callbacksPerState.get(pageState);
return rtnCallbacks;
* Sets Callbacks per Page state.
void setCallbacksPerState(String pageState, Callback[] callbacks) {
this.callbacksPerState.put(pageState, callbacks);
* Returns <code>true<code> if cookie detected.
* @return <code>true<code> if cookie detected.
public boolean isCookieDetect() {
return cookieDetect;
* Sets the cookie detection value - <code>true</code> if
* <code>cookieSupport</code> is null.
* @param cookieDetect Cookie Detect flag.
public void setCookieDetect(boolean cookieDetect) {
this.cookieDetect = cookieDetect;
* Sets a Map of attribute value pairs to be used when the authentication
* service is configured to dynamically create a user.
* @param attributeValuePairs Map of attribute name to a set of values.
public void setUserCreationAttributes(Map attributeValuePairs) {
if (DEBUG.messageEnabled()) {
DEBUG.message("attributeValuePairs : " + attributeValuePairs);
if ((attributeValuePairs != null) && (!attributeValuePairs.isEmpty())) {
if (userCreationAttributes == null) {
userCreationAttributes = new HashMap();
if (attributeValuePairs.containsKey(
) {
externalAliasList = (HashSet) attributeValuePairs.get(ISAuthConstants.USER_ALIAS_ATTR);
if (DEBUG.messageEnabled()) {
DEBUG.message("externalAliasList:" + externalAliasList);
* Sets the module name of successful <code>LoginModule</code>.
* This module name will be populated in the session property
* <code>AuthType</code>.
* @param moduleName Name of module.
public void setSuccessModuleName(String moduleName) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Module name is .. " + moduleName);
DEBUG.message("successModuleSet is : " + successModuleSet);
* Returns a Set which contains the modules names which user
* successfully authenticated.
* @return a Set which contains the modules names which user
* successfully authenticated.
Set<String> getSuccessModuleSet() {
if (DEBUG.messageEnabled()) {
DEBUG.message("getSuccessModuleSet : " + successModuleSet);
return successModuleSet;
* Checks if module is Application.
* @param moduleName is the module name to be compared with
* Application module name.
* @return true if module is Application else false.
private boolean isApplicationModule(String moduleName) {
boolean isApp = (moduleName != null) &&
if (DEBUG.messageEnabled()) {
DEBUG.message("is Application Module : " + isApp);
return isApp;
* Adds the failed module name to a set.
* @param moduleName Failed module name.
public void setFailureModuleName(String moduleName) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Module name is .. " + moduleName);
DEBUG.message("failureModuleSet is : " + failureModuleSet);
* Returns the failure module list.
* @return Failure module list.
Set<String> getFailureModuleSet() {
return failureModuleSet;
* Sets the failure module list.
* @param failureModuleList which is the list of failed modules.
void setFailureModuleList(String failureModuleList) {
this.failureModuleList = failureModuleList;
if (DEBUG.messageEnabled()) {
DEBUG.message("failureModulelist :" + failureModuleList);
* Gets the failure module names.
* @return The list of failure auth module names in a pipe separated string.
public String getFailureModuleNames() {
return failureModuleList;
* Returns <code>true</code> if the logged in user is 'Agent'.
* @param amIdentityUser OpenSSO Identity user.
* @return <code>true</code> if the logged in user is 'Agent'.
private boolean isAgent(AMIdentity amIdentityUser) {
boolean isAgent = false;
try {
if (amIdentityUser != null &&
amIdentityUser.getType().equals(IdType.AGENT)) {
isAgent = true;
DEBUG.message("user is of type 'Agent'");
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error isAgent : " + e.toString());
return isAgent;
* Sets the module map which has key as module localized name and
* value is module name
* @param moduleMap module containing map of module localized name
* and module name.
void setModuleMap(Map<String, String> moduleMap) {
this.moduleMap = moduleMap;
* Returns the key for the localized module name.
* @param localizedModuleName , the localized module name
* @return a string, the module name
protected String getModuleName(String localizedModuleName) {
return moduleMap.get(localizedModuleName);
* Sets locale from servlet request.
* @param request HTTP Servlet Request.
void setRequestLocale(HttpServletRequest request) {
isLocaleSet = true;
* Sets remote locale passed by client
* @param localeStr remote client locale string.
public void setRemoteLocale(String localeStr) {
localeContext.setLocale(ISLocaleContext.URL_LOCALE, localeStr);
isLocaleSet = true;
* Returns <code>true</code> if session state is invalid.
* @return <code>true</code> if session state is invalid.
boolean isSessionInvalid() {
InternalSession session = getReferencedSession();
return (session == null || session.getState() == INVALID ||
session.getState() == DESTROYED);
* Returns <code>AMIdentity</code> object for a Role.
* @param roleName role name.
* @return <code>AMIdentity</code> object.
* @throws AuthException
public AMIdentity getRole(String roleName) throws AuthException {
try {
amIdentityRole =
LazyConfig.AUTHD.getIdentity(IdType.ROLE, roleName, getOrgDN());
} catch (AuthException ae) {
DEBUG.message("role not found or is not a static role");
if (amIdentityRole == null) {
amIdentityRole =
LazyConfig.AUTHD.getIdentity(IdType.FILTEREDROLE, roleName, getOrgDN());
return amIdentityRole;
* Returns Universal Identifier of a role.
* @param roleName Role Name.
* @return universal identifier of role name.
String getRoleUniversalId(String roleName) {
String roleUnivId = null;
try {
AMIdentity amIdentity = getRole(roleName);
roleUnivId = IdUtils.getUniversalId(amIdentity);
} catch (Exception ae) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Error getting role : " + ae.getMessage());
return roleUnivId;
* Returns user DN of an Identity.
* @param amIdentityUser <code>AMIdentity</code> object.
* @return Identity user DN.
public String getUserDN(AMIdentity amIdentityUser) {
String returnUserDN = null;
if (principalList != null) {
if (principalList.contains("|")) {
StringTokenizer st = new StringTokenizer(principalList, "|");
while (st.hasMoreTokens()) {
String sToken = st.nextToken();
if (LDAPUtils.isDN(sToken)) {
returnUserDN = sToken;
} else if (LDAPUtils.isDN(principalList)) {
returnUserDN = principalList;
if (returnUserDN == null || (returnUserDN.length() == 0)) {
if (amIdentityUser != null) {
returnUserDN = IdentityUtils.getDN(amIdentityUser);
} else if (userDN != null) {
returnUserDN = userDN;
} else {
returnUserDN = tokenToDN(principalList);
return returnUserDN;
* Return DN for container
* @param containerDNs set of DN for containers
* @throws AuthException if container name is invalid
private void getContainerDN(Set<String> containerDNs) throws AuthException {
String userOrgDN = null;
String agentContainerDN = null;
// Check Container DNs for NULL
if ((containerDNs == null) || (containerDNs.isEmpty())) {
DEBUG.message("Container DNs is null");
} else {
for (String containerName : containerDNs) {
try {
if (DN.valueOf(containerName).isInScopeOf(getOrgDN(), SearchScope.WHOLE_SUBTREE)) {
int containerType =
if (DEBUG.messageEnabled()) {
DEBUG.message("Container Type = "
+ containerType);
DEBUG.message("Container Name = "
+ containerName);
if ((containerType == AMObject.ORGANIZATIONAL_UNIT)
&& (agentContainerDN == null)) {
agentContainerDN = containerName;
} else if ((containerType == AMObject.ORGANIZATION)
&& (userOrgDN == null)) {
userOrgDN = containerName;
} else if ((containerType == AMObject.PEOPLE_CONTAINER)
&& (userContainerDN == null)) {
userContainerDN = containerName;
if (userContainerDN != null && agentContainerDN != null
&& userOrgDN != null) {
} catch (Exception e) {
DEBUG.error("Container - " + containerName +
" is INVALID :- ", e);
if (userContainerDN == null) {
try {
userContainerDN = AMStoreConnection.getNamingAttribute(
AdminInterfaceUtils.defaultPeopleContainerName() + "," +
} catch (AMException aec) {
DEBUG.message("Cannot get userContainer DN");
if (userContainerDN == null && agentContainerDN == null) {
DEBUG.message("No Valid Container in the list");
throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
if (DEBUG.messageEnabled()) {
DEBUG.message("agentContainerDN = " + agentContainerDN);
DEBUG.message("userContainerDN = " + userContainerDN);
DEBUG.message("userOrgDN set in PC atrr = " + userOrgDN);
* Search for identities given the identity type, identity name
* Use common method from LazyConfig.AUTHD for getIdentity
* @param idType identity type for user
* @param userTokenID user token identifier
* @param populate whether to retrieve all attributes or not
* @return IdSearchResults for given the identity type and identity name
* @throws IdRepoException if it fails to search user
* @throws SSOException if <code>SSOToken</code> is not valid
private IdSearchResults searchIdentity(IdType idType, String userTokenID, boolean populate)
throws IdRepoException, SSOException {
if (DEBUG.messageEnabled()) {
DEBUG.message("In searchAutehnticatedUser: idType " + idType);
DEBUG.message("In getUserProfile : Search for user " +
IdSearchResults searchResults = null;
Set returnSet = mergeSet(aliasAttrNames, USER_ATTRIBUTES);
int maxResults = 2;
int maxTime = 0;
String pattern;
Map avPairs;
boolean isRecursive = true;
IdSearchControl idsc = new IdSearchControl();
if (populate) {
} else {
if (DEBUG.messageEnabled()) {
DEBUG.message("alias attr=" + aliasAttrNames +
", attr=" + USER_ATTRIBUTES + ",merge=" + returnSet);
if (DEBUG.messageEnabled()) {
DEBUG.message("Search for Identity " + userTokenID);
// search for the identity
Set result = Collections.EMPTY_SET;
try {
searchResults =
amIdRepo.searchIdentities(idType, userTokenID, idsc);
if (searchResults != null) {
result = searchResults.getSearchResults();
} catch (SSOException sso) {
if (DEBUG.messageEnabled()) {
DEBUG.message("SSOException Error searching Identity " +
" with username " + sso.getMessage());
} catch (IdRepoException e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("IdRepoException : Error searching "
+ " Identities with username : "
+ e.getMessage());
if (result.isEmpty() && (aliasAttrNames != null) &&
(!aliasAttrNames.isEmpty())) {
if (DEBUG.messageEnabled()) {
DEBUG.message("No identity found, try Alias attrname.");
pattern = "*";
avPairs = toAvPairMap(aliasAttrNames, userTokenID);
if (DEBUG.messageEnabled()) {
DEBUG.message("Search for Filter (avPairs) :" + avPairs);
DEBUG.message("userTokenID : " + userTokenID);
DEBUG.message("userDN : " + userDN);
DEBUG.message("idType :" + idType);
DEBUG.message("pattern :" + pattern);
DEBUG.message("isRecursive :" + isRecursive);
DEBUG.message("maxResults :" + maxResults);
DEBUG.message("maxTime :" + maxTime);
DEBUG.message("returnSet :" + returnSet);
Set resultAlias = Collections.EMPTY_SET;
try {
idsc.setSearchModifiers(IdSearchOpModifier.OR, avPairs);
searchResults = amIdRepo.searchIdentities(idType, pattern, idsc);
if (searchResults != null) {
resultAlias = searchResults.getSearchResults();
if ((resultAlias.isEmpty()) && (userDN != null) &&
(!userDN.equalsIgnoreCase(userTokenID))) {
avPairs = toAvPairMap(aliasAttrNames, userDN);
if (DEBUG.messageEnabled()) {
DEBUG.message("Search for Filter (avPairs) " +
"with userDN : " + avPairs);
idsc.setSearchModifiers(IdSearchOpModifier.OR, avPairs);
searchResults =
amIdRepo.searchIdentities(idType, pattern, idsc);
} catch (SSOException sso) {
if (DEBUG.messageEnabled()) {
DEBUG.message("SSOException : Error searching "
+ "Identities with aliasattrname : "
+ sso.getMessage());
} catch (IdRepoException e) {
if (DEBUG.messageEnabled()) {
DEBUG.message("IdRepoException : Error searching "
+ "Identities : " + e.getMessage());
return searchResults;
} // end
* Creates <code>AMIdentity</code> in the repository.
* @param userName name of user to be created.
* @param userAttributes Map of default attributes.
* @param userRoles Set of default roles.
* @return <code>AMIdentity</code> object of created user.
* @throws IdRepoException if it fails to create <code>AMIdentity</code>
* @throws SSOException if <code>SSOToken</code> for admin is not valid
public AMIdentity createUserIdentity(
String userName,
Map userAttributes,
Set userRoles
) throws IdRepoException, SSOException {
AMIdentity amIdentityUser = amIdRepo.createIdentity(IdType.USER,
userName, userAttributes);
if (userRoles != null && !userRoles.isEmpty()) {
for (final Object userRole : userRoles) {
String trole = (String) userRole;
try {
if (trole.length() != 0) {
amIdentityRole = getRole(trole);
} catch (Exception e) {
DEBUG.message("createUserProfile():invalid role: ", e);
//ignore invalid Roles
return amIdentityUser;
* Returns the universal id associated with a user name.
* @param userName name of user to be created.
* @return universal identifier of the user.
public String getUserUniversalId(String userName) {
AMIdentity amIdUser = amIdentityUser;
String universalId = null;
try {
if (amIdUser == null) {
amIdUser = LazyConfig.AUTHD.getIdentity(IdType.USER, userName, getOrgDN());
universalId = IdUtils.getUniversalId(amIdUser);
} catch (Exception e) {
"Error getting Identity for user :" + e.getMessage());
if (DEBUG.messageEnabled()) {
DEBUG.message("getUserUniversalId:universalId : " + universalId);
return universalId;
* Returns the type of authentication to be used after Composite Advices.
* @return an integer type indicating the type of authentication required.
int getCompositeAdviceType() {
return compositeAdviceType;
* Sets the type of authentication to be used after Composite Advices.
* @param type Type of authentication.
void setCompositeAdviceType(int type) {
this.compositeAdviceType = type;
* Returns the Composite Advice for this Authentication request.
* @return String of Composite Advice.
public String getCompositeAdvice() {
return compositeAdvice;
* Sets the Composite Advice for this Authentication request.
* @param compositeAdvice Composite Advice for authentication.
void setCompositeAdvice(String compositeAdvice) {
this.compositeAdvice = compositeAdvice;
* Sets the qualified OrgDN for Policy conditions
* to be used after Composite Advices.
* @param qualifiedOrgDN qualifiedOrgDN for Policy conditions.
void setQualifiedOrgDN(String qualifiedOrgDN) {
this.qualifiedOrgDN = qualifiedOrgDN;
* Returns the Authentication configuration / Authentication
* chain name used for current authentication process.
* @param indexType AuthContext.IndexType
* @param indexName Index Name for AuthContext.IndexType
private String getAuthConfigName(AuthContext.IndexType indexType,
String indexName) {
String finalAuthConfigName = null;
if (indexType == AuthContext.IndexType.ROLE) {
finalAuthConfigName = roleAuthConfig;
} else if (indexType == AuthContext.IndexType.SERVICE) {
if (indexName.equals(ISAuthConstants.CONSOLE_SERVICE)) {
if ((orgAdminAuthConfig != null) &&
(!orgAdminAuthConfig.equals(ISAuthConstants.BLANK))) {
finalAuthConfigName = orgAdminAuthConfig;
} else {
finalAuthConfigName = indexName;
} else if ((indexType == AuthContext.IndexType.USER)) {
if (((userAuthConfig != null) && (!userAuthConfig.equals(
ISAuthConstants.BLANK)))) {
finalAuthConfigName = userAuthConfig;
} else if (indexType == null) {
if ((orgAuthConfig != null) && (!orgAuthConfig.
equals(ISAuthConstants.BLANK))) {
finalAuthConfigName = orgAuthConfig;
if (DEBUG.messageEnabled()) {
DEBUG.message("getAuthConfigName:finalAuthConfigName = "
+ finalAuthConfigName);
return finalAuthConfigName;
boolean isAuthValidForInternalUser() {
boolean authValid = true;
InternalSession session = getReferencedSession();
if (session == null) {
"LoginState.isValidAuthForInternalUser():session is null");
return false;
String userId = token;
if (userId == null) {
"LoginState.isValidAuthForInternalUser():userId is null");
return false;
if (INTERNAL_USERS.contains(userId.toLowerCase())) {
String authRealm = orgDN;
String authModule = "";
if (!successModuleSet.isEmpty()) {
authModule = (successModuleSet.iterator().next());
if (authRealm == null) {
"LoginState.isValidAuthForInternalUser():authRealm is null");
return false;
if (authModule == null) {
if (DEBUG.warningEnabled()) {
+ "authModule is null");
return false;
if (DEBUG.messageEnabled()) {
+ "Attempt to login as:" + userId
+ ", to module:" + authModule
+ ", at realm:" + authRealm);
if (!authRealm.equals(ServiceManager.getBaseDN())) {
authValid = false;
if (DEBUG.warningEnabled()) {
+ "Attempt to login as:" + userId
+ ", to module:" + authModule
+ ", at realm:" + authRealm
+ ", denied due to internal users restriction ");
return authValid;
* Sets userDN - called by <code>AMLoginContext</code>.
public void setUserName(String username) {
userDN = username;
* Restores the old session (if one exists). Used in the case of a failed session upgrade or successful force-auth
* to restore the original session object. If no old session exists then this method does nothing.
public void restoreOldSession() {
InternalSession oldSession = getReferencedOldSession();
if (oldSession != null) {
DEBUG.message("Restoring old session");
* Indicates userID generate mode is enabled
public boolean isUserIDGeneratorEnabled() {
return userIDGeneratorEnabled;
private void setUserIDGeneratorEnabled(final boolean userIDGeneratorEnabled) {
this.userIDGeneratorEnabled = userIDGeneratorEnabled;
* Indicates provider class name for userIDGenerator
public String getUserIDGeneratorClassName() {
return userIDGeneratorClassName;
private void setUserIDGeneratorClassName(final String userIDGeneratorClassName) {
this.userIDGeneratorClassName = userIDGeneratorClassName;
* Indicates accountlocking mode is enabled.
private boolean isLoginFailureLockoutMode() {
return loginFailureLockoutMode;
private void setLoginFailureLockoutMode(final boolean loginFailureLockoutMode) {
this.loginFailureLockoutMode = loginFailureLockoutMode;
* Indicates loginFailureLockoutStoreInDS mode is enabled.
private boolean isLoginFailureLockoutStoreInDS() {
return loginFailureLockoutStoreInDS;
private void setLoginFailureLockoutStoreInDS(final boolean loginFailureLockoutStoreInDS) {
this.loginFailureLockoutStoreInDS = loginFailureLockoutStoreInDS;
private void setAccountLife(final String accountLife) {
this.accountLife = accountLife;
private void setLoginFailureLockoutDuration(final long loginFailureLockoutDuration) {
this.loginFailureLockoutDuration = loginFailureLockoutDuration;
private void setLoginFailureLockoutMultiplier(final int loginFailureLockoutMultiplier) {
this.loginFailureLockoutMultiplier = loginFailureLockoutMultiplier;
private void setLoginFailureLockoutTime(final long loginFailureLockoutTime) {
this.loginFailureLockoutTime = loginFailureLockoutTime;
private void setLoginFailureLockoutCount(final int loginFailureLockoutCount) {
this.loginFailureLockoutCount = loginFailureLockoutCount;
private void setLoginLockoutNotification(final String loginLockoutNotification) {
this.loginLockoutNotification = loginLockoutNotification;
private void setLoginLockoutAttrName(final String loginLockoutAttrName) {
this.loginLockoutAttrName = loginLockoutAttrName;
private void setMandatory2FAValue(final String mandatory2FAValue) {
this.mandatory2fa = Boolean.parseBoolean(mandatory2FAValue);
private void setLoginLockoutAttrValue(final String loginLockoutAttrValue) {
this.loginLockoutAttrValue = loginLockoutAttrValue;
private void setInvalidAttemptsDataAttrName(final String invalidAttemptsDataAttrName) {
this.invalidAttemptsDataAttrName = invalidAttemptsDataAttrName;
private void setLoginLockoutUserWarning(final int loginLockoutUserWarning) {
this.loginLockoutUserWarning = loginLockoutUserWarning;
* Whether to keep authentication module instances in the session so that they can be called on logout. This is
* useful if the login modules have particular logout callback functionality that must be invoked. See
* authentication service setting "sunAMAuthKeepAuthModuleIntances". Not supported for stateless sessions.
boolean isModulesInSessionEnabled() {
return modulesInSession;
* <code>SSOToken</code> ID for login failed
public String getFailureTokenId() {
return failureTokenId;
private void setFailureTokenId(final String failureTokenId) {
this.failureTokenId = failureTokenId;
public boolean is2faMandatory() {
return mandatory2fa;
* Sets a shared state map from the {@link AMLoginModule}.
* @param sharedState
public void setSharedState(Map sharedState) {
this.sharedState = sharedState;
* The shared state map.
* @return sharedState
public Map getSharedState() {
return sharedState;
* Saves the attributes specified by the sharedStateAttributes into requestMap.
public void saveSharedStateAttributes() {
if (sharedState != null) {
for (String sharedStateKey : SHARED_STATE_ATTRIBUTES) {
requestMap.put(sharedStateKey, (String) sharedState.get(sharedStateKey));
* Save the principalList that is generated by successful LoginContext authentication, to the requestMap.
void saveSubjectState() {
if (principalList != null) {
requestMap.put(ISAuthConstants.PRINCIPAL_LIST, principalList);
* Saves the principals successfully created in the authentication process whether all modules or identity searches
* are successful or not. This differs from the principalList which is generated by the logincontext as that is only
* generated when all modules have been completed successfully.
* @param principalName
public void saveAuthenticatedPrincipal(String principalName) {
// store in the requestmap
requestMap.put(ISAuthConstants.AUTHENTICATED_PRINCIPALS, StringUtils.join(authenticatedPrincipals, "|"));
* Returns a list of the authenticated principals in the current authentication process.
* @return authenticatedPrincipals
public Set<String> getAuthenticatedPrincipals() {
return authenticatedPrincipals;
* Indicates the type of post-processing that should be performed.
enum PostProcessEvent {