LoginState.java revision 35ab1c5bca11317474fe12bdd8d22c17cdaf2697
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: LoginState.java,v 1.57 2010/01/20 21:30:40 qcheng Exp $
*
* Portions Copyrighted 2010-2015 ForgeRock AS.
*/
/**
* This class maintains the User's login state information from the time user
* requests for authentication till the time the user either logs out of the
* OpenAM system or the session is destroyed by any privileged application of
* the OpenAM system.
*/
public class LoginState {
/* Define internal users
* For these users we would allow authentication only at root realm
* and require to be authenticated to configuration datastore.
*/
public static final Set<String> INTERNAL_USERS = unmodifiableSet(asSet("amadmin", "dsameuser", "urlaccessagent",
"amldapuser"));
private static final boolean URL_REWRITE_IN_PATH = SystemProperties.getAsBoolean(Constants.REWRITE_AS_PATH);
private static final long AGENT_SESSION_IDLE_TIME;
private static final SecureRandom SECURE_RANDOM;
/**
* Lazy initialisation holder to allow unit testing without loading the world.
*/
private static class LazyConfig {
}
static {
// App session timeout is default to 0 => non-expiring
long minAgentSessionIdleTime = 30L;
// Obtain the secureRandom instance
try {
} catch (NoSuchAlgorithmException ex) {
}
}
private boolean userIDGeneratorEnabled;
private String userIDGeneratorClassName;
private boolean loginFailureLockoutMode = false;
private boolean loginFailureLockoutStoreInDS = true;
private long loginFailureLockoutDuration = 0;
private int loginFailureLockoutMultiplier = 0;
private long loginFailureLockoutTime = 300000;
private int loginFailureLockoutCount = 5;
private int loginLockoutUserWarning = 3;
private int userWarningCount = 0;
private Callback[] receivedCallbackInfo;
private Callback[] prevCallback;
private Callback[] submittedCallbackInfo;
private HttpServletRequest servletRequest;
private HttpServletResponse servletResponse;
private Hashtable requestHash;
private boolean newRequest; // new or existing request
private boolean dynamicProfileCreation = false;
private boolean ignoreUserProfile = false;
private boolean createWithAlias = false;
private boolean persistentCookieMode = false;
private int maxSession;
private int idleTime;
private int cacheTime;
private int authLevel = 0;
private boolean cookieSupported = true;
private boolean cookieSet = false;
private boolean userEnabled = true;
private boolean sessionUpgrade = false;
private long pageTimeOut = 60;
private long lastCallbackSent = 0;
// error code
// timed out
private boolean timedOut = false;
private String defaultUserSuccessURL;
private String clientUserSuccessURL;
private String clientUserFailureURL;
private String defaultUserFailureURL;
private String clientSuccessRoleURL;
private String defaultSuccessRoleURL;
private String clientFailureRoleURL;
private String defaultFailureRoleURL;
private boolean isLocaleSet = false;
private boolean cookieDetect = false;
private long pCookieTimeCreated = 0;
private int compositeAdviceType;
private String compositeAdvice;
// Variable indicating a request "forward" after
// authentication success
private boolean forwardSuccess = false;
private boolean postProcessInSession = false;
private boolean modulesInSession = false;
/**
* Indicates if orgnization is active
*/
private boolean inetDomainStatus = true;
/**
* Default roles for user
*/
/**
* Max. cookie time in seconds. Integer range is 0 - 2147483.
* persistentCookieOn has to be true.
*/
/**
* Indicate if the persistent cookie mode is enabled.
* set to false for production.
*/
private boolean persistentCookieOn = false;
/**
* Default auth level for each auth module
*/
private ZeroPageLoginConfig zeroPageLoginConfig;
private String pCookieAuthLevel;
private boolean forceAuth;
private boolean cookieTimeToLiveEnabledFlag = false;
private int cookieTimeToLive = 0;
// Enable Module based Auth
private boolean enableModuleBasedAuth = true;
/**
* Attempts to load the configured session property upgrader class.
*/
private static SessionPropertyUpgrader loadPropertyUpgrader() {
try {
if (DEBUG.messageEnabled()) {
+ ") successfully loaded.");
}
upgrader = new DefaultSessionPropertyUpgrader();
}
return upgrader;
}
/**
* Converts a byte array to a hex string.
*/
int onebyte;
for (int i = 0; i < readBytes; i++) {
}
}
/**
* Encode persistent cookie
*
* @return encoded value of persistent cookie
*/
public static String encodePCookie() {
return AccessController.doPrivileged(
}
return defaultAuthLevel;
}
/**
* Returns servlet request object.
*
* @return servlet request object.
*/
public HttpServletRequest getHttpServletRequest() {
return servletRequest;
}
/**
* Sets servlet request.
*
* @param servletRequest Servlet request.
*/
this.servletRequest = servletRequest;
}
/**
* Returns session, Returns null if session state is <code>INACTIVE</code>
* or <code>DESTROYED</code>.
*
* @return session;
*/
public InternalSession getSession() {
if (DEBUG.messageEnabled()) {
"Session is null OR INACTIVE OR DESTROYED :" + session);
}
return null;
}
return session;
}
/**
* Sets the internal session for the request.
*
* @param sess Internal session for the request.
*/
} else {
}
}
/**
* Sets the callbacks recieved and notify waiting thread.
*
* @param callback
* @param amLoginContext
*/
public void setReceivedCallback(
synchronized (amLoginContext) {
}
}
/**
* Sets the callbacks recieved and notify waiting thread.
* Used in non-jaas thread mode only.
*
* @param callback
*/
}
/**
* Sets the callbacks submitted by login module and notify waiting thread.
*
* @param callback
* @param amLoginContext
*/
public void setSubmittedCallback(
synchronized (amLoginContext) {
}
}
/**
* Sets the callbacks submitted by login module and notify waiting thread.
* Used in non-jaas thread mode only.
*
* @param callback
*/
}
/**
* Returns recieved callback info from loginmodule.
*
* @return recieved callback info from loginmodule.
*/
public Callback[] getReceivedInfo() {
return receivedCallbackInfo;
}
/**
* Returns callbacks submitted by client.
*
* @return callbacks submitted by client.
*/
public Callback[] getSubmittedInfo() {
return submittedCallbackInfo;
}
/**
* Returns the organization DN example <code>o=iplanet.com,o=isp</code>.
*
* @return the organization DN example <code>o=iplanet.com,o=isp</code>.
*/
try {
} catch (Exception e) {
}
}
return orgDN;
}
/**
* Returns the organization name.
*
* @return the organization name.
*/
public String getOrgName() {
}
return orgName;
}
/**
* Returns the authentication login status.
*
* @return the authentication login status.
*/
public int getLoginStatus() {
return loginStatus;
}
/**
* Sets the authentication login status.
*
* @param loginStatus authentication login status.
*/
public synchronized void setLoginStatus(int loginStatus) {
this.loginStatus = loginStatus;
}
/**
* Sets the request parameters hash.
*
* @param requestHash Request parameters hash.
*/
this.requestHash = requestHash;
/* copy these parameters to HashMap */
if (requestHash != null) {
while (hashKeys.hasMoreElements()) {
}
}
}
/**
* Sets the request type.
*
* @param newRequest <code>true</code> for new request type;
* <code>false</code> for existing request type.
*/
public void setNewRequest(boolean newRequest) {
this.newRequest = newRequest;
}
/**
* Returns the request type.
*
* @return the request type.
*/
public boolean isNewRequest() {
return newRequest;
}
/**
* Returns <code>true</code> if dynamic profile is enabled.
*
* @return <code>true</code> if dynamic profile is enabled.
*/
public boolean isDynamicProfileCreationEnabled() {
return dynamicProfileCreation;
}
/**
* Populates the organization profile.
*
* @throws AuthException
*/
public void populateOrgProfile() throws AuthException {
try {
// get inetdomainstatus for the org
// check if org is active
if (!inetDomainStatus) {
// org inactive
}
// get handle to org config manager object to retrieve auth service
// attributes.
// NEEDED FOR BACKWARD COMPATIBILITY SUPPORT - OPEN ISSUE
// TODO: Remove backward compat stuff
} else {
}
// END BACKWARD COMPATIBILITY SUPPORT
dynamicProfileCreation = true;
ignoreUserProfile = true;
createWithAlias = true;
dynamicProfileCreation = true;
}
persistentCookieMode = true;
}
@SuppressWarnings("unchecked")
if (zplWhitelist == null) {
}
this.zeroPageLoginConfig = new ZeroPageLoginConfig(zplEnabled, zplWhitelist, allowZPLWithoutReferer);
if (domainAuthenticators == null) {
}
if (orgSuccessLoginURLSet == null) {
}
if (orgFailureLoginURLSet == null) {
}
if (orgPostLoginClassSet == null) {
}
enableModuleBasedAuth = false;
}
}
// retrieve account locking specific attributes
setLoginFailureLockoutMode(true);
}
}
setLoginFailureLockoutStoreInDS(false);
}
}
try {
} catch (NumberFormatException e) {
}
}
try {
} catch (NumberFormatException e) {
}
}
try {
} catch (NumberFormatException e) {
}
}
try {
} catch (NumberFormatException e) {
}
}
try {
} catch (NumberFormatException e) {
}
}
}
if (DEBUG.messageEnabled()) {
+ "\ndynamicProfileCreation->" + dynamicProfileCreation
+ "\ndefaultAuthLevel->" + defaultAuthLevel
+ "\norgSucessLoginURLSet->" + orgSuccessLoginURLSet
+ "\norgFailureLoginURLSet->" + orgFailureLoginURLSet
+ "\nclientSuccessLoginURL ->" + clientOrgSuccessLoginURL
+ "\ndefaultSuccessLoginURL ->" + defaultOrgSuccessLoginURL
+ "\norgPostLoginClassSet ->" + orgPostLoginClassSet
+ "\norgAuthConfig ->" + orgAuthConfig
+ "\norgAdminAuthConfig ->" + orgAdminAuthConfig
+ "\nclientFailureLoginURL ->" + clientOrgFailureLoginURL
+ "\ndefaultFailureLoginURL ->" + defaultOrgFailureLoginURL
+ "\nenableModuleBasedAuth ->" + enableModuleBasedAuth
+ "\nloginFailureLockoutMode->" + isLoginFailureLockoutMode()
+ "\nloginFailureLockoutStoreInDS->"
+ "\nloginFailureLockoutCount->" + getLoginFailureLockoutCount()
+ "\nloginFailureLockoutTime->" + getLoginFailureLockoutTime()
+ "\nloginLockoutUserWarning->" + getLoginLockoutUserWarning()
+ "\nloginLockoutNotification->" + getLoginLockoutNotification()
+ "\ninvalidAttemptsDataAttrName->" + getInvalidAttemptsDataAttrName()
+ "\npersistentCookieMode->" + persistentCookieMode
+ "\nzeroPageLoginConfig->" + zeroPageLoginConfig
+ "\nidentityTypes->" + identityTypes
+ "\naliasAttrNames ->" + aliasAttrNames);
}
} catch (AuthException ae) {
throw new AuthException(ae);
}
}
/**
* Populates the global profile.
*
* @throws AuthException
*/
public void populateGlobalProfile() throws AuthException {
if (DEBUG.messageEnabled()) {
+ "Getting Global Profile: " +
"\npostProcessInSession ->" + postProcessInSession +
"\nmodulesInSession ->" + modulesInSession);
}
}
/**
* Returns the authenticated subject.
*
* @return Authenticated subject
*/
public Subject getSubject() {
return subject;
}
/**
* Sets the authenticated subject.
*
* @param subject Authenticated subject.
*/
}
/**
* Returns session idle time.
*
* @return session idle time.
*/
public int getIdleTime() {
return idleTime;
}
/**
* Returns session cache time.
*
* @return session cache time.
*/
public int getCacheTime() {
return cacheTime;
}
/**
* Returns user DN.
*
* @return user DN.
*/
if (DEBUG.messageEnabled()) {
}
return userDN;
}
/**
* Returns authentication level.
*
* @return authentication level.
*/
public int getAuthLevel() {
/* for AMLoginModule */
/* It is not a clean way to call setAuthLevel() in
* this method. To make reference to authLevel(like
* in sessionUpgrade()), make sure setAuthLevel() has
* been called before, NOT getAuthLevel() ! or it will
* return zero.
*/
return authLevel;
}
/**
* Sets the authentication level.
* checks if <code>moduleAuthLevel</code> is set and if
* it is greater then the authentications level then
* <code>moduleAuthLevel</code> will be the set level.
*
* @param authLevel Authentication Level.
*/
//check if we authenticated using a persistent cookie, and if so, use the persistent cookie authlevel instead
}
// check if module Level is set and is greater
// then authenticated modules level
this.authLevel = 0;
} else {
try {
} catch (NumberFormatException e) {
this.authLevel = 0;
}
}
if (this.authLevel < moduleAuthLevel) {
this.authLevel = moduleAuthLevel;
}
if (DEBUG.messageEnabled()) {
}
}
/**
* Returns the client address.
*
* @return the client address.
*/
return client;
}
try {
if (requestHash != null) {
}
if (DEBUG.messageEnabled()) {
}
if (servletRequest != null) {
} else {
}
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
if (DEBUG.messageEnabled()) {
}
client = clientHost;
return clientHost;
}
/**
* Sets the client address.
*
* @param remoteAddr Client address.
*/
client = remoteAddr;
}
/**
* convert a token to DN
* FOR BACKWARD COMPATIBILITY SUPPORT
*
* @param token0 <code>SSOToken</code> ID has user principal
* @return DN for user principal
*/
try {
if (pipe != -1) {
}
// Return if module returns the token in the form of DN
return token;
}
return token;
}
// check if Application module user
// Application module user starts with
// amService-
}
if (DEBUG.messageEnabled()) {
", DN=" + userDN);
}
return userDN;
} catch (Exception e) {
return token0;
}
}
/**
* Returns the client type.
*
* @return the client type.
*/
public String getClientType() {
return (servletRequest != null) ?
}
/**
* Activates session on successful authenticaton.
*
* @param subject
* @param ac
* @return true if user session is activated successfully
*/
throws AuthException {
}
/**
* Activates session on successful authentication.
* <p/>
* Unless the noSession query parameter was set on the request and then in that case no new permanent session is
* activated and <code>true</code>.
*
* @param subject
* @param ac
* @param loginContext instance of JAAS <code>LoginContext</code>
* @return <code>true</code> if user session is activated successfully, <code>false if failed to activated</code>
* or <code>true</code> if the noSession parameter is set to true.
*/
public boolean activateSession(Subject subject, AuthContextLocal ac, Object loginContext) throws AuthException {
try {
if (DEBUG.messageEnabled()) {
}
this.session = getSessionActivator().activateSession(this, LazyConfig.AUTHD.getSessionService(), session);
return isNoSession();
}
}
} catch (AuthException ae) {
throw ae;
} catch (Exception e) {
}
}
private SessionActivator getSessionActivator() {
if (isNoSession()) {
return NoSessionActivator.INSTANCE;
}
return DefaultSessionActivator.INSTANCE;
}
/* add the SSOTokenPrincipal to the Subject */
}
if (DEBUG.messageEnabled()) {
}
if (DEBUG.messageEnabled()) {
}
return subject;
}
/**
* Populates session with properties.
*
* @param session
* @throws AuthException
*/
if (DEBUG.messageEnabled()) {
}
}
// for user based DN is already set
}
if (oldSession != null) {
if (!ignoreUserProfile) {
if (DEBUG.messageEnabled()) {
" newAMIdentity is: " + newAMIdentity);
" oldAMIdentity is: " + oldAMIdentity);
}
}
}
if (DEBUG.messageEnabled()) {
" userDN is: " + userDN);
" oldUserDN is: " + oldUserDN);
" sessionUpgrade is: " + sessionUpgrade);
}
if (sessionUpgrade) {
if ((oldAuthenticationModuleInstanceName != null) &&
try {
} catch (AMConfigurationException ace) {
if (DEBUG.messageEnabled()) {
+ ":Unable to create AMAuthenticationManager"
+ "Instance:"
+ ace.getMessage());
}
throw new AuthException(ace);
}
}
} else if (!ignoreUserProfile) {
if ((oldAMIdentity != null) &&
} else {
if (DEBUG.messageEnabled()) {
"Resetting session upgrade to false " +
"since oldAMIdentity and newAMIdentity doesn't match");
}
throw new AuthException(
}
} else {
} else {
if (DEBUG.messageEnabled()) {
"Resetting session upgrade to false " +
"since Old UserDN and New UserDN doesn't match");
}
throw new AuthException(
}
}
}
if (forceAuth && sessionUpgrade) {
}
if (sessionUpgrade) {
try {
} catch (SSOException ssoExp) {
+ "oldSSOToken.");
}
if (oldSSOToken != null) {
}
if (moduleTimeMap == null) {
}
while (tokenizer.hasMoreTokens()) {
}
boolean firstElement = true;
if (!firstElement) {
}
firstElement = false;
if (moduleAuthTime == null) {
} else {
}
}
}
//Sets the User profile option used, in session.
if (dynamicProfileCreation) {
} else if (ignoreUserProfile) {
} else if (createWithAlias) {
}
if (questionMark != -1) {
}
}
if (sessionSuccessURL != null) {
}
// Get the universal ID
if (amIdentityUser != null) {
}
if (DEBUG.messageEnabled()) {
"ModuleAuthTime = " + moduleAuthTime);
}
try {
if ((isApplicationModule(authMethName) &&
|| isAgent(amIdentityUser)) {
if (DEBUG.messageEnabled()) {
userDN + " with idletimeout to " +
}
} else {
if (DEBUG.messageEnabled()) {
}
}
} else {
}
}
if (!sessionUpgrade) {
}
}
}
}
if (principalList != null) {
}
}
}
) {
if (!sessionUpgrade) {
}
}
if (!sessionUpgrade) {
if ((finalAuthConfig != null) && (
}
}
if ((userSessionMapping != null) &&
mapping, "|");
if (tokenizer.hasMoreTokens()) {
}
if (tokenizer.hasMoreTokens()) {
}
if ((userAttribute != null) &&
if ((userAttrValueSet != null) &&
!(userAttrValueSet.isEmpty())) {
iterator();
} else {
}
}
if (sessionAttribute != null) {
+ "." + sessionAttribute,
} else {
+ "." + userAttribute,
}
}
}
}
}
}
// Set Attribute Map for Authentication module
if (principalDataRetriever != null) {
subject);
if (DEBUG.messageEnabled()) {
}
}
}
}
} catch (Exception e) {
throw new AuthException(e);
}
}
/**
* Returns the <code>inetDomainStatus</code>.
*
* @return <code>inetDomainStatus</code>.
*/
public boolean getInetDomainStatus() {
return inetDomainStatus;
}
/**
* Returns the query Organization.
*
* @return Query Organization.
*/
public String getQueryOrg() {
return queryOrg;
}
/**
* Sets the query organization.
*
* @param queryOrg Query organization.
*/
}
/**
* Returns locale.
*
* @return locale.
*/
if (!isLocaleSet) {
return DEFAULT_LOCALE;
} else {
}
}
/**
* Sets locale
*
* @param locale locale setting
*/
isLocaleSet = true;
}
/* destroy session */
void destroySession() {
}
}
/**
* Checks for <code>persistentCookie</code>.
*/
public void persistentCookieArgExists() {
}
}
/**
* Returns Session ID.
*
* @return Session ID.
*/
return sid;
}
public boolean getForceFlag() {
return forceAuth;
}
public void setForceAuth(boolean force) {
}
/**
* Enables AM session cookie time to live
*
* @param flag if <code>true</code> enables AM session cookie time to live,
* otherwise disables AM session cookie time to live
*/
public void enableCookieTimeToLive(boolean flag) {
if (DEBUG.messageEnabled()) {
+ "enable=" + cookieTimeToLiveEnabledFlag);
}
}
/**
* Checks whether AM session cookie time to live is enabled
*
* @return <code>true</code> if AM session cookie time to live
* is enabled, otherwise returns <code>false</code>
*/
public boolean isCookieTimeToLiveEnabled() {
if (DEBUG.messageEnabled()) {
+ "enabled=" + cookieTimeToLiveEnabledFlag);
}
return cookieTimeToLiveEnabledFlag;
}
/**
* Returns AM session cookie time to live
*
* @return AM session cookie time to live in seconds
*/
public int getCookieTimeToLive() {
if (DEBUG.messageEnabled()) {
+ "cookieTimeToLive=" + cookieTimeToLive);
}
return cookieTimeToLive;
}
/**
* Sets AM session cookie time to live
*
* @param timeToLive AM session cookie time to live in seconds
*/
public void setCookieTimeToLive(int timeToLive) {
if (DEBUG.messageEnabled()) {
+ "cookieTimeToLive=" + cookieTimeToLive);
}
}
/**
* Returns user domain.
*
* @return user domain.
*/
public String getUserDomain(
//org profile is not loaded yet so we can't check with getPersistentCookieMode()
//but we will check if persistentCookie is there and use it because we will
//verify if the pcookie is valid later anyways.
if (cookieValue != null) {
//call to searchPersistentCookie should set userOrg
//getDN or LazyConfig.AUTHD.getOrgDN doesn't return correct dn so using DNMapper
}
}
}
} else {
}
}
if (DEBUG.messageEnabled()) {
}
return userOrg;
}
/**
* Returns authentication context for new request.
*
* @return Authentication context for new request.
* @throws AuthException if it fails to instantiate <code>AuthContext</code>
*/
public AuthContextLocal createAuthContext(
) throws AuthException {
// Get / Construct the Original Login URL
// Get query param indicating a request "forward" after
// successful authentication.
// set the locale
if (DEBUG.messageEnabled()) {
}
if (DEBUG.messageEnabled()) {
}
}
if (DEBUG.messageEnabled()) {
"Creating new AuthContextLocal & LoginState");
}
newRequest = true;
if (DEBUG.messageEnabled()) {
}
try {
} catch (Exception e) {
throw new AuthException(e);
}
cookieSupported = false;
}
if (DEBUG.messageEnabled()) {
}
cookieSet = true;
}
return authContext;
}
/* create new session */
void createSession(
) throws AuthException {
//save the AuthContext object in Session
if (DEBUG.messageEnabled()) {
}
}
/**
* Returns the single sign on token associated with the session.
*
* @return the single sign on token associated with the session.
* @throws SSOException
*/
return null;
}
try {
return ssoToken;
} catch (SSOException ex) {
}
}
/**
* Returns URL with the cookie value in the URL.
*
* @param url URL.
* @param response HTTP Servlet Response.
* @return Encoded URL.
*/
}
/**
* Returns URL with the cookie value in the URL.
* The cookie in the rewritten url will have
* auth cookie if cookie is invalid
*
* @param response HTTP Servlet Response.
* @return the encoded URL
*/
boolean useAMCookie) {
if (DEBUG.messageEnabled()) {
}
boolean appendSessCookieInURL = SystemProperties.getAsBoolean(Constants.APPEND_SESS_COOKIE_IN_URL, true);
if (!appendSessCookieInURL) {
return url;
}
if (DEBUG.messageEnabled()) {
}
if (!cookieDetect && cookieSupported) {
return url;
}
return url;
}
}
if (URL_REWRITE_IN_PATH) {
} else {
}
if (DEBUG.messageEnabled()) {
", Rewritten URL=" + encodedURL);
}
return (encodedURL);
}
/**
* Returns the filename . This method uses ResourceLookup API
* <pre>
* where filePath =
* eg. if orgDN = o=solaris.eng,o=eng.com,o=sun.com,dc=iplanet,dc=com
* clientPath = html
* service name = paycheck
* locale=en
* filename=Login.jsp
* </pre>
* then the search will be as follows :
* <pre>
*
*
*
* </pre>
* In case of non-HTML client, it will try to find
* <code>Login_<charset>.jsp</code>.
* If not found, it then try <coed>Login.jsp</code>.
*
* @return configured jsp file name
*/
}
/**
* Create user profile.
*
* @return <code>true</code> if profile is successfully created.
*/
try {
if (!dynamicProfileCreation) {
return false;
}
// If the module is "Application" then do not create user profile
if (isApplicationModule(authMethName)) {
return false;
}
if (DEBUG.messageEnabled()) {
}
if (userCreationAttributes == null) {
}
// get alias list
// set alias attribute
if ((externalAliasList != null) &&
(!externalAliasList.isEmpty())) {
}
}
}
if (DEBUG.messageEnabled()) {
}
byte bytes[] = new byte[20];
if (amIdentityRole != null) {
// retrieve the session attributes for the default role
}
}
populateUserAttributes(p, true, null);
return true;
if (DEBUG.messageEnabled()) {
}
}
return false;
}
}
}
}
}
return attrs;
}
void populateUserAttributes(
Map p,
boolean loginStatus,
) throws AMException {
if (DEBUG.messageEnabled()) {
}
try {
if (!loginStatus) {
return;
}
DEBUG);
// Status determination
// OPEN ISSUE- amIdentity.isActive return true even if
// user status is set to inactive.
if (amIdentity != null) {
}
if (DEBUG.messageEnabled()) {
}
userEnabled = false;
}
// add value from attributes in iplanet-am-auth-alias-attr-name
if (userAliasList == null) {
}
}
}
}
p, ISAuthConstants.ACCOUNT_LIFE));
// retrieve the user default success url
// at user's role level
if (DEBUG.messageEnabled()) {
"\n idle->" + idleTime +
"\n cache->" + cacheTime +
"\n max->" + maxSession +
"\n userLoginEnabled->" + userEnabled +
"\n userAlias-> :" + userAliasList +
"\n userSuccessURLSet-> :" + userSuccessURLSet +
"\n clientUserSuccessURL-> :" + clientUserSuccessURL +
"\n defaultUserSuccessURL-> :" + defaultUserSuccessURL +
"\n clientUserFailureURL-> :" + clientUserFailureURL +
"\n defaultUserFailureURL-> :" + defaultUserFailureURL +
"\n clientSuccessRoleURL -> :" + clientSuccessRoleURL +
"\n defaultSuccessRoleURL -> :" + defaultSuccessRoleURL +
"\n clientFailureRoleURL -> :" + clientFailureRoleURL +
"\n defaultFailureRoleURL -> :" + defaultFailureRoleURL +
"\n userAuthConfig -> : " + userAuthConfig +
"\n accountLife->" + getAccountLife());
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
}
/**
* Returns <code>true</code> if user profile found.
*
* @param token
* @param populate
* @return <code>true</code> if user profile found.
* @throws AuthException if multiple user match found in search
*/
throws AuthException {
try {
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
throw new AuthException(e);
}
}
/**
* Returns <code>true</code> if user profile found.
*
* @param user userID for profile
* @param populate
* @param loginStatus current login status for profile
* @return <code>true</code> if user profile found.
* @throws AuthException if multiple user match found in search
*/
public boolean getUserProfile(
boolean populate,
boolean loginStatus
) throws AuthException {
// Fix to cover SDK Bug which returns a user object
// even if the user is null or empty string
// if this check is not added SDK goes into a loop
}
try {
if (DEBUG.messageEnabled()) {
}
// get the AMIdentity to get the universal
// id of amAdmin, currently there is no support
// for special users so the universal id in
// the ssotoken will be amAdmin's id.
} else {
// Try getting the AMIdentity object assuming AMSDK
// is present i.e., using IdUtils
try {
if (DEBUG.messageEnabled()) {
"using IdUtil.getIdentity: " + user +
" Org: " + getOrgDN());
}
if (amIdentity != null &&
if (DEBUG.messageEnabled()) {
"using IdUtil.getIdentity: " + amIdentity);
}
}
} catch (IdRepoException e) {
// Ignore the exception and continue
if (DEBUG.messageEnabled()) {
"Got IdRepException in IdUtils.getIdentity", e);
}
} catch (SSOException se) {
// Ignore the exception and continue
if (DEBUG.messageEnabled()) {
"Got SSOException in IdUtils.getIdentity", se);
}
}
// If amIdentitySet is still empty, or IdType does not match
// search for all configured Identity Types
if (DEBUG.messageEnabled()) {
"performing IdRepo search to obtain AMIdentity");
}
if (DEBUG.messageEnabled()) {
}
if (searchResults != null) {
}
}
if (amIdentitySet.isEmpty()) {
// Get identity by searching
if (searchResults != null) {
}
if (!amIdentitySet.isEmpty()) {
break;
}
}
}
}
}
if (DEBUG.messageEnabled()) {
}
if (amIdentitySet.isEmpty()) {
return false;
}
// check if there is multiple match
// multiple user match found, throw exception,
// user need to login as super admin to fix it
"\nPlease make sure user is unique within the login " +
"organization, and contact your admin to fix the problem");
}
if (DEBUG.messageEnabled()) {
}
if (populate) {
if (searchResults != null) {
} else {
}
if (amIdentityRole != null) {
// role based auth. the specified role takes preference.
if (amIdentityRole != null) {
//Fix for OPENAM-612 - this request is cached most of the time
}
}
//Fix for OPENAM-612 - this request is cached most of the time
}
}
}
}
return true;
} catch (SSOException ex) {
if (DEBUG.messageEnabled()) {
}
} catch (AMException ex) {
if (DEBUG.messageEnabled()) {
}
} catch (IdRepoException ee) {
if (DEBUG.messageEnabled()) {
}
}
return false;
}
/**
* Populate all the default user attribute for profile
*
* @throws AMException if it fails to populate default user attributes
*/
public void populateDefaultUserAttributes() throws AMException {
try {
} catch (Exception e) {
maxSession = 120;
}
try {
} catch (Exception e) {
idleTime = 30;
}
try {
} catch (Exception e) {
cacheTime = 3;
}
userEnabled = true;
if (DEBUG.messageEnabled()) {
"\n idle->" + idleTime +
"\n cache->" + cacheTime +
"\n max->" + maxSession +
"\n userLoginEnabled->" + userEnabled +
"\n clientUserSuccessURL ->" + clientUserSuccessURL +
"\n defaultUserSuccessURL ->" + defaultUserSuccessURL +
"\n clientUserFailureURL ->" + clientUserFailureURL +
"\n defaultUserFailureURL ->" + defaultUserFailureURL +
"\n clientSuccessRoleURL ->" + clientSuccessRoleURL +
"\n defaultSuccessRoleURL ->" + defaultSuccessRoleURL +
"\n clientFailureRoleURL ->" + clientFailureRoleURL +
"\n defaultFailureRoleURL ->" + defaultFailureRoleURL +
"\n userAuthConfig ->" + userAuthConfig +
}
}
/**
* Search the user profile
* if <code>IndexType</code> is USER and if number of tokens is 1 and
* token is <code>superAdmin</code> then return. If more then 1 tokens
* are found then make sure the user tokens are in
* <code>iplanet-am-useralias-list</code>
* <p/>
* If <code>IndexType</code> is <code>LEVEL</code>, <code>MODULE</code>
* then there is only 1 user token retrieve the profile for the
* authenticated user and create profile if dynamic profile creation
* enabled.
* <p/>
* If <code>IndexType</code> is <code>ORG</code>, <code>SERVICE</code>,
* <code>ROLE</code> then retrieve the user profile for first token, if the
* profile is found and <code>user-alias-list</code> contains other
* tokens then continue, else try to retrieve remaining tokens till a match
* is found.
* <p/>
* Checks all the users in the tokenSet are active else error
* For ROLE based authentication checks if all user belong to the same Role.
*
* @param subject
* @param indexType
* @param indexName
* @return <code>true</code> if it found user profile
* @throws AuthException
*/
public boolean searchUserProfile(
) throws AuthException {
// check for all users user authenticated as
if (DEBUG.messageEnabled()) {
}
// retreive the tokens from the subject
try {
boolean gotUserProfile = true;
} else {
}
return true;
}
// for IndexType USER check all the token user
// authenticated as is present
// in the user-alias-list
(pCookieUserName != null)) {
}
return false;
}
getUserProfile(token, true);
if (!checkAliasList(aliasFound)) {
if (createWithAlias) {
if (amIdentityUser == null) {
} else {
}
} else {
throw new AuthException(
}
}
} else {
// for ORG / SERVICE / ROLE / MODULE / LEVEL
boolean gotProfile = true;
if (isAccountLocked(token)) {
}
gotUserProfile = getCreateUserProfile(true);
if (!userEnabled) {
throw new AuthException(
}
return true;
}
if (gotUserProfile) {
boolean userRoleFound = getUserForRole(
if (DEBUG.messageEnabled()) {
+ userRoleFound);
}
if (!userRoleFound) {
"USERNOTFOUND");
throw new AuthException(
}
}
}
} else { // came here multiple users found
// initialize variables required
boolean foundUserAlias = false;
boolean userRoleFound = true;
if (DEBUG.messageEnabled()) {
+ token);
}
if (DEBUG.messageEnabled()) {
}
if (gotUserProfile) {
if (validToken == null) {
validToken = token;
}
}
if (foundUserAlias =
aliasToken = token;
if (DEBUG.messageEnabled()) {
"found aliases exiting while:"
+ foundAliasMap);
}
break;
}
}
} // end while
if (DEBUG.messageEnabled()) {
}
if (aliasToken != null) {
token = aliasToken;
}
if (!userEnabled) {
throw new AuthException(
}
if (!userRoleFound) {
"USERNOTFOUND");
throw new AuthException(
}
}
/* if user profile is found but other tokens in do
* are not found in iplanet-am-user-alias list and
* if dynamic profile creation with user alias is
* enabled then add tokens to iplanet-am-user-alias-list
* to the token's profile
*/
if ((gotUserProfile) && (!foundUserAlias)) {
if (createWithAlias) {
if (DEBUG.messageEnabled()) {
+ foundAliasMap);
+ foundUserAlias);
}
} else { //end dynamic profile creation
throw new AuthException(
}
}
if (createWithAlias && !gotUserProfile) {
}
}
}
if (DEBUG.messageEnabled()) {
+ gotUserProfile);
}
return gotUserProfile;
} catch (AuthException e) {
throw new AuthException(e);
} catch (Exception e) {
throw new AuthException(e);
}
}
/**
* Returns user's profile , if not found then create user profile.
*
* @param populate indicate if populate all default user attributes
* @return <code>true</code> if created user profile successfully
* @throws AuthException if fails create user profile
*/
boolean getCreateUserProfile(boolean populate)
throws AuthException {
boolean gotProfile = false;
} else {
}
if (!gotProfile) {
}
}
return gotProfile;
}
/* if multiple users in the Subject then create User profile
* for the first user and add the other tokens in the alias
* list
* NOTE: Currently we pick up the first token and just add the
* other tokens to the alias list. Can make it configurable by
* specifying isPrimary against a module in the JAAS confiugration
* then read that and whichever module is PRIMARY , create profile
* for that user and add the other user to the aliasList.
*/
// retrieve the first token
// put the other tokens in a list
// these will put in the alias list attribute
// of first token's profile
while (tokenIterator.hasNext()) {
break;
}
while (tokenIterator.hasNext()) {
if (DEBUG.messageEnabled()) {
}
}
}
if (DEBUG.messageEnabled()) {
}
try {
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
return false;
}
}
/* search the user-alias-list for token names */
if (DEBUG.messageEnabled()) {
}
// iterate through the tokens in the token set
// and check if the tokens are in the user alias
// list of the user token. if yes then update
// the found user alias map with the token and boolean
// true else boolean false.
if (DEBUG.messageEnabled()) {
}
} else {
}
} else {
} else {
}
}
}
if (DEBUG.messageEnabled()) {
}
}
return foundUserAliasMap;
}
/**
* Returns tokens from Principals of a subject
* returns a Set of tokens
* TODO - DN to Universal ID?
*
* @param subject Principals of a subject associated with
* <code>SSOToken</code>
* @return set of <code>SSOToken</code> associated with subject
*/
while (p.hasNext()) {
}
}
}
if (DEBUG.messageEnabled()) {
}
}
if (principalList != null) {
}
if (DEBUG.messageEnabled()) {
}
return tokenSet;
}
/**
* Returns <code>true</code> if user is active.
*
* @return <code>true</code> if user is active.
*/
public boolean isUserEnabled() {
return userEnabled;
}
/**
* Returns the DN for role.
*
* @param roleName Name of role.
* @param orgDN Organization DN.
* @return the DN for role.
*/
if (amIdentityRole == null) {
}
return amIdentityRole;
}
/**
* Returns Identity Role.
*
* @param role Name of role.
* @param orgDN Organization DN.
* @return Identity Role.
*/
if (DEBUG.messageEnabled()) {
}
return null;
}
try {
// search for this role name in organization
} catch (Exception e) {
}
return amIdRole;
}
/**
* Sets auth module name.
*
* @param authMethName Module Name.
*/
if (DEBUG.messageEnabled()) {
}
}
} else {
}
}
}
if (DEBUG.messageEnabled()) {
}
}
/**
* Returns <code>true</code> if the user belongs to role.
*
* @param amIdentityRole Role object.
* @return <code>true</code> if the user belongs to role.
*/
boolean foundUser = false;
try {
foundUser = true;
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
return foundUser;
}
/**
* Returns persistent cookie argument.
*
* @return persistent cookie argument.
*/
public boolean isPersistentCookieOn() {
return persistentCookieOn;
}
/**
* Returns persistent cookie profie.
*
* @return persistent cookie profie.
*/
public boolean getPersistentCookieMode() {
return persistentCookieMode;
}
/**
* Returns the configuration for whether Zero Page Login (ZPL) should be allowed or not.
*
* @return the ZPL configuration
*/
public ZeroPageLoginConfig getZeroPageLoginConfig() {
return zeroPageLoginConfig;
}
}
/**
* Return saved request parameters in <code>Hashtable</code>
*
* @return saved request parameters in <code>Hashtable</code>
*/
public Hashtable getRequestParamHash() {
return requestHash;
}
/* check if the user list has inactive user */
return userEnabled;
}
/* check if the users belong to role */
boolean userRoleFound = true;
userRoleFound = false;
}
return userRoleFound;
}
/* check if the users map to the same user */
if (DEBUG.messageEnabled()) {
}
boolean foundUserAlias = true;
foundUserAlias = false;
}
if (DEBUG.messageEnabled()) {
}
return foundUserAlias;
}
/* check if profile for the user was retrieve */
if (DEBUG.messageEnabled()) {
}
boolean gotUserProfile = false;
gotUserProfile = true;
}
if (DEBUG.messageEnabled()) {
}
return gotUserProfile;
}
/* add token to iplanet-am-user-alias-list of the token which has
* a profile
*/
throws AuthException {
if (DEBUG.messageEnabled()) {
}
}
/* add token to iplanet-am-user-alias-list of the identity which has
* a profile
*/
if (DEBUG.messageEnabled()) {
}
try {
// set alias attribute
while (aliasIterator.hasNext()) {
}
}
if ((externalAliasList != null)
&& (!externalAliasList.isEmpty())) {
}
amIdentity.store();
}
} catch (Exception e) {
}
}
/* check alias list for tokens , if superAdmin token
* exists then amAdmin need not exist in the user-alias-list
*/
if (DEBUG.messageEnabled()) {
}
boolean aliasFound = true;
while (aliasIterator.hasNext()) {
if (DEBUG.messageEnabled()) {
}
aliasFound = false;
break;
}
}
}
return aliasFound;
}
/**
* Searches persistent cookie in request.
*
* @return user name set in persistent cookie, null if no persistent cookie
* found
*/
public String searchPersistentCookie() {
try {
// trying to find persistent cookie
if (cookieValue != null) {
}
return username;
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
return null;
}
}
/**
* parse persistent cookie parameters
* persistent cookie has form:
* [pCookie]=
* username%domainname%authMethod%maxSession%idleTime%cacheTime%sid%time
*
* @param cookieValue Value of the persistent cookie
* @return user name set in persistent cookie, return if no PC found
*/
try {
return null;
}
// some decryption/extraction to be done here
// check domain param in cookie value
if (domainIndex == -1) {
// treat as if cookie not found
return null;
}
// set user name
// tmpstr points to start of domainname
// check auth method param in cookie value
if (authMethIndex == -1) {
// clear our cookie
// treat as if cookie not found
return null;
}
// set domain name string
// tmpstr2 point to the start of auth method
// check maxSession param in cookie value
if (tmpIndex == -1) {
// clear our cookie
// treat as if cookie not found
return null;
}
// set auth method string
// tmpstr point to the start of maxSession
// check idle Time string
if (tmpIndex == -1) {
// treat as if cookie not found
return null;
}
// set max session
// tmpstr2 point to the start of idleTime
// check cacheTime in cookie value
if (tmpIndex == -1) {
// treat as if cookie not found
return null;
}
// set idle time
// set cache time
if (tmpIndex == -1) {
// treat as if cookie not found
return null;
}
if (tmpIndex == -1) {
// treat as if cookie not found
return null;
}
// get sid
// get the time the pCookie was created
if (DEBUG.messageEnabled()) {
}
// clean up auth internal tables
if (!sessionUpgrade) {
}
}
if (!persistentCookieMode) {
//The authentication was started in a realm where persistent cookie was enabled, however the cookie
//points to a different realm where pcookie is not enabled, so we should reject the cookie here right
//away.
return null;
}
int value = -1;
try {
} catch (NumberFormatException nfe) {
//ignore
}
//the cookie should have already reach its lifetime
return null;
}
if (DEBUG.messageEnabled()) {
"\norgDN=" + orgDN);
}
return usernameStr;
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
return null;
}
}
/**
* Sets persistent cookie in request
* TO TAKE CARE OF LOAD BALANCING COOKIE
*
* @param cookieDomain name of cookie domain for persistent cookie
* @return persistent cookie in request
* @throws SSOException
* @throws AMException
*/
throws SSOException, AMException {
if (maxage_str != null) {
int maxAge;
try {
long timeRem =
}
maxAge = 0;
}
if (DEBUG.messageEnabled()) {
}
if (maxAge > 0) {
"%" + getOrgName() +
new EncodeAction(cookiestr));
if (DEBUG.messageEnabled()) {
}
} else {
if (DEBUG.messageEnabled()) {
" configured for domain " + orgName +
", but no persistentCookieTime = " + maxage_str);
}
}
}
return pCookie;
}
/**
* set Load Balance Cookie
*
* @param cookieDomain name of cookie domain for persistent cookie
* @param persist indicates if cookie is persistent
* @return persistent cookie in request
* @throws SSOException
* @throws AMException
*/
throws SSOException, AMException {
int maxAge;
try {
maxAge = 0;
}
if (DEBUG.messageEnabled()) {
}
if (maxAge > 0) {
} else {
}
} else {
}
return lbCookie;
}
/**
* Returns the current index type.
*
* @return the current index type.
*/
return indexType;
}
/**
* Sets the indexType.
*
* @param indexType name of indexType to be set
*/
}
/**
* Returns the previous index type in authentication level after module
* selection.
*
* @return the previous index type in authentication level after module
* selection.
*/
return prevIndexType;
}
/**
* Sets the previous index type in authlevel after the choice is made.
*
* @param prevIndexType name of indexType to be set
*/
this.prevIndexType = prevIndexType;
}
/**
* Sets gotoOnFail URL.
*/
void setGoToOnFailURL() {
} else {
gotoOnFailURL = arg;
}
}
}
/**
* Returns success login URL.
*
* @return success login URL.
*/
public String getSuccessLoginURL() {
//check from postAuthModule URL is set
//if not try to retrive it from session property
//Success URL from Post Auth takes pracedence
return postProcessGoto;
}
if (DEBUG.messageEnabled()) {
}
}
if (DEBUG.messageEnabled()) {
+ " which is invalid");
}
currentGoto = null;
}
}
if ((currentGoto != null) && (currentGoto.length() != 0) && (!currentGoto.equalsIgnoreCase("null"))) {
} else {
}
if (DEBUG.messageEnabled()) {
+ successLoginURL);
}
return encodedSuccessURL;
}
/**
* Sets success login URL.
*
* @param url success login URL.
*/
/* this is for AMLoginModule to set the success url */
if (DEBUG.messageEnabled()) {
}
}
try {
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
return roleURL;
}
try {
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
return roleFailureURL;
}
/**
* Returns the AMTemplate for role.
*
* @return the AMTemplate for role.
* @throws Exception if fails to get role attribute
*/
try {
if (roleAttributeMap == null) {
} else {
if ((serviceName != null) &&
}
}
}
if (roleAttributeMap == null) {
}
if (DEBUG.messageEnabled()) {
}
return roleAttributeMap;
} catch (Exception e) {
}
}
/**
* Returns success url for a service.
*
* @param indexName name of auth index
* @return success url for a service.
*/
try {
if ((serviceAttributesMap != null)
&& (serviceAttributesMap.isEmpty())) {
}
if (DEBUG.messageEnabled()) {
}
if (DEBUG.messageEnabled()) {
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
return successServiceURL;
}
/**
* Returns the service login failure URL.
*
* @param indexName name of auth index
* @return the service login failure URL.
*/
try {
if (serviceAttributesMap.isEmpty()) {
}
if (DEBUG.messageEnabled()) {
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
return serviceFailureURL;
}
/**
* Returns service login url attributes.
*
* @param indexName name of auth index
* @return service login url attributes.
* @throws Exception if fails to get service attribute
*/
try {
if (attributeDataMap != null) {
return attributeDataMap;
}
return attributeDataMap;
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
throw new Exception(e.getMessage());
}
}
/* create an instance of PostLoginProcessInterface Class */
if (DEBUG.messageEnabled()) {
}
return null;
}
try {
return loginPostProcessInstance;
} catch (ClassNotFoundException ce) {
if (DEBUG.messageEnabled()) {
}
return null;
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
return null;
}
}
/**
* this is called by AMLoginContext on a successful authentication to set
* the <code>successURL</code> based on the <code>indexType</code>,
* <code>indexName</code> order to figure out Success Login URL is :
* Authentication Method Success URL Order
* <pre>
* ==========================================================================
* Org,Level,Module,User
* 1. set by module
* 2. goto parameter
* 3. URL set for the clientType in iplanet-am-user-success-url
* in User Entry
* 4. URL set for the clientType in
* iplanet-am-auth-login-success-url set at user's Role
* 5. URL set for clientType in iplanet-am-auth-login-success-url
* set at Org
* 6. URL set for clientType in iplanet-am-auth-login-success-url
* - Organization Schema
* 7. iplanet-am-user-success-url set in User Entry
* 8. iplanet-am-auth-login-success-url set at user's Role
* 9. iplanet-am-auth-login-success-url set at Org
* 10. iplanet-am-auth-login-success-url - Organization Schema
*
* Role
* 1. set by module
* 2. goto parameter
* 3. URL matching clientType in iplanet-am-user-success-url
* set in User Entry
* 4. URL matching clientType in iplanet-am-auth-login-success-url
* set at the role user authenticates to.
* 5. URL matching clientType in iplanet-am-auth-login-success-url
* set at user's Role
* 6. URL matching clientType in iplanet-am-auth-login-success-url
* set at Org
* 7. URL matching clientType in iplanet-am-auth-login-success-url
* - Organization Schema
* 8. iplanet-am-user-success-url set in User Entry
* 9. iplanet-am-auth-login-success-url set at the
* role user authenticates to.
* 10. iplanet-am-auth-login-success-url set at user's Role
* 11. iplanet-am-auth-login-success-url set at Org
* 12. iplanet-am-auth-login-success-url - Organization Schema
*
* Service
* 1. set by module
* 2. goto parameter
* 3. URL matching clientType in iplanet-am-user-success-url
* set in User Entry
* 4. URL matching clientType in iplanet-am-auth-login-success-url
* set at the service entry.
* 5. URL matching clientType in iplanet-am-auth-login-success-url
* set at user's Role
* 6. URL matching clientType in iplanet-am-auth-login-success-url
* set at Org
* 7. URL matchhing clientType in iplanet-am-auth-login-success-url
* - Organization Schema
* 8. iplanet-am-user-success-url set in User Entry
* 9. iplanet-am-auth-login-success-url set at the service entry.
* 10. iplanet-am-auth-login-success-url set at user's Role
* 11. iplanet-am-auth-login-success-url set at Org
* 12. iplanet-am-auth-login-success-url - Organization Schema
* </pre>
* NOTE: same order used for failure URL.
*
* @param indexType
* @param indexName
*/
public void setSuccessLoginURL(
/* if module sets the url then return the URL module set */
if (DEBUG.messageEnabled()) {
}
if ((moduleSuccessLoginURL != null) &&
return;
}
/* if goto parameter was specified then return the gotoURL */
/*if ( (gotoURL != null) && (!gotoURL.length() == 0) ) {
successLoginURL = gotoURL;
return ;
}*/
/* if user profile has successurl set for the client type then return
* else get the default user url and continue
*/
if ((clientUserSuccessURL != null) &&
) {
if (successLoginURL != null) {
return;
}
}
return;
}
}
}
return;
}
}
}
if ((clientSuccessRoleURL != null) &&
) {
return;
}
}
if ((clientOrgSuccessLoginURL != null) &&
) {
return;
}
}
// get global default
} else {
}
return;
}
}
// now assign back to the success url
if (DEBUG.messageEnabled()) {
}
return;
}
/**
* Sets failure login URL.
*
* @param indexType
* @param indexName
*/
public void setFailureLoginURL(
/*
* this is called by AMLoginContext on a failed authentication to set
* the successURL based on the indexType,indexName
*/
// if module set the url then return the URL module set
if ((moduleFailureLoginURL != null) &&
return;
}
if (DEBUG.messageEnabled()) {
+ getFailureTokenId());
}
/* if user profile has failure url set then return */
if (getFailureTokenId() != null) {
// get the user profile
try {
getUserProfile(getFailureTokenId(), true, false);
if ((clientUserFailureURL != null) &&
return;
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
getFailureTokenId(), e);
}
}
}
return;
}
}
}
return;
}
}
}
if ((clientFailureRoleURL != null) &&
) {
return;
}
}
if ((clientOrgFailureLoginURL != null) &&
) {
return;
}
}
} else {
}
return;
}
}
// now assign back to the Failure url
if (DEBUG.messageEnabled()) {
}
return;
}
/**
* Returns failure login URL.
*
* @return failure login URL.
*/
public String getFailureLoginURL() {
if (postProcessURL != null) {
return postProcessURL;
}
if (DEBUG.messageEnabled()) {
+ " which is invalid");
}
}
}
}
return fqdnFailureLoginURL;
}
/**
* Sets failure login URL.
*
* @param url failure login URL.
*/
/* this is for AMLoginModule to set the failure url */
}
public String getLogoutURL() {
return AuthUtils.getPostProcessURL(servletRequest, AMPostAuthProcessInterface.POST_PROCESS_LOGOUT_URL);
}
/**
* Returns the role login url attribute value.
*
* @param roleAttrMap map object has login url attribute
* @param attrName attribute name for login url
* @return the role login url attribute value.
*/
try {
return getRedirectUrl(roleURLSet);
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
return null;
}
}
/**
* Returns service url from attribute value.
*
* @param attributeMap map object has service url attribute
* @param attrName attribute name for service url
* @return service url from attribute value.
*/
if (DEBUG.messageEnabled()) {
"\nserviceURL : " + serviceURL);
}
return serviceURL;
}
/**
* Returns servlet response object.
*
* @return servlet response object.
*/
public HttpServletResponse getHttpServletResponse() {
return servletResponse;
}
/**
* Sets servlet response.
*
* @param servletResponse servletResponse object to be set
*/
this.servletResponse = servletResponse;
}
/**
* Sets persistent cookie to true - called by <code>AMLoginModule</code>.
*/
public synchronized void setPersistentCookieOn() {
persistentCookieOn = true;
}
/**
* Return previously received callback
*
* @return previously received callback
*/
public Callback[] getRecdCallback() {
return prevCallback;
}
/**
* Set previously received callback
*
* @param prevCallback previously received callback
*/
this.prevCallback = prevCallback;
}
/**
* @return <code>true</code> if the authentication request was made with the noSession query parameter set to true.
*/
public boolean isNoSession() {
}
/**
* Indicates loginFailureLockoutStoreInDS mode is enabled.
*/
protected String getAccountLife() {
return accountLife;
}
protected String getUserToken() {
return token;
}
protected boolean getEnableModuleBasedAuth() {
return enableModuleBasedAuth;
}
public boolean getLoginFailureLockoutMode() {
return isLoginFailureLockoutMode();
}
public boolean getLoginFailureLockoutStoreInDS() {
return isLoginFailureLockoutStoreInDS();
}
/**
* Default max time for loginFailureLockout.
*/
public long getLoginFailureLockoutTime() {
return loginFailureLockoutTime;
}
/**
* Default count for loginFailureLockout.
*/
public int getLoginFailureLockoutCount() {
return loginFailureLockoutCount;
}
/**
* Default notification for loginFailureLockout.
*/
public String getLoginLockoutNotification() {
return loginLockoutNotification;
}
if (failedUserId != null) {
if (DEBUG.messageEnabled()) {
}
}
} else {
}
}
}
/**
* Default number of count for loginFailureLockout warning
*/ /**
* Returns lockout warning message.
*
* @return lockout warning message.
*/
public int getLoginLockoutUserWarning() {
return loginLockoutUserWarning;
}
/**
* Returns the error code .
*
* @return the error code .
*/
public String getErrorCode() {
return errorCode;
}
/**
* Sets the error code.
*
* @param errorCode Error code.
*/
}
/**
* Returns the error message.
*
* @return the error message.
*/
public String getErrorMessage() {
return errorMessage;
}
/**
* Sets the error message.
*
* @param errorMessage Error message.
*/
this.errorMessage = errorMessage;
}
/**
* Returns the error template generated by framework.
*
* @return the error template generated by framework.
*/
public String getErrorTemplate() {
return errorTemplate;
}
/**
* Sets the error template generated by framework.
*
* @param errorTemplate Error template.
*/
this.errorTemplate = errorTemplate;
}
/**
* Returns the error template set by module.
*
* @return Error template set by module.
*/
public String getModuleErrorTemplate() {
return moduleErrorTemplate;
}
/**
* Sets the error module template sent by login module.
*
* @param moduleErrorTemplate Module error template.
*/
}
/**
* Returns <code>true</code> if page times out.
*
* @return <code>true</code> if page times out.
*/
public boolean isTimedOut() {
return timedOut;
}
/**
* Sets the time out value.
*
* @param timedOut <code>true</code> to set timed out.
*/
public void setTimedOut(boolean timedOut) {
}
/**
* Returns the lockout message.
*
* @return the lockout message.
*/
public String getLockoutMsg() {
return lockoutMsg;
}
/**
* Sets the lockout message.
*
* @param lockoutMsg the lockout message.
*/
if (DEBUG.messageEnabled()) {
}
this.lockoutMsg = lockoutMsg;
}
/**
* Returns the index name.
*
* @return the index name.
*/
public String getIndexName() {
return this.indexName;
}
/**
* Set index name
*
* @param indexName indexName to be set
*/
}
/**
* Creates <code>AuthContextLocal</code> for new requests.
*
* @return the created <code>AuthContextLocal</code>
* @throws AuthException if fails to create <code>AuthContextLocal</code>
*/
public AuthContextLocal createAuthContext(
) throws AuthException {
if (DEBUG.messageEnabled()) {
}
}
if (DEBUG.messageEnabled()) {
"AuthContextLocal & LoginState");
}
newRequest = true;
if (DEBUG.messageEnabled()) {
}
try {
} catch (Exception e) {
}
isLocaleSet = false;
return authContext;
}
/**
* Sets the module <code>AuthLevel</code>.
* The authentication level being set cannot be downgraded
* below that set by the module configuration.This method
* is called by <code>AMLoginModule</code> SPI
*
* @param authLevel authentication level string to be set
* @return <code>true</code> if setting is successful, false otherwise
*/
public boolean setModuleAuthLevel(int authLevel) {
boolean levelSet = false;
if (this.authLevel < moduleAuthLevel) {
this.authLevel = moduleAuthLevel;
levelSet = true;
}
if (DEBUG.messageEnabled()) {
"module configuration authLevel :" + this.authLevel);
}
return levelSet;
}
/**
* This method is used for requests coming from the
* <code>AuthContext</code> API to determine the <code>orgDN</code> of the
* request. The <code>orgDN</code> is determined based on and in order:
* <pre>
* 1. Domain - check if org is a domain by trying to get domain component
* 3. URL - check if the orgName passed is a DNS alias (URL).
* 4. If no orgDN is found null is returned.
* </pre>
*
* @param orgName is the name of the Organization or Suborganzation whose
* <code>orgDN</code> is to be determined.
* @return a String which is the orgDN of the request
*/
try {
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
return orgDN;
}
/**
* Returns the module instances for a organization.
*
* @return the module instances for a organization.
*/
try {
return moduleInstances;
}
if (DEBUG.messageEnabled()) {
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
if (moduleInstances == null) {
}
return moduleInstances;
}
/**
* Returns the allowed authentication modules for organization
*
* @return the allowed authentication modules for organization
*/
return domainAuthenticators;
}
/**
* Returns the X509 certificate.
*
* @return the X509 certificate.
*/
"javax.servlet.request.X509Certificate");
if (DEBUG.messageEnabled()) {
}
}
}
return cert;
}
/**
* TODO-JAVADOC
*/
public void logSuccess() {
try {
.toUpperCase());
}
}
if (!isNoSession()) {
localSSOToken = getSSOToken();
}
if (localSSOToken != null) {
}
}
}
}
if (authMethName != null) {
}
}
}
} catch (Exception e) {
}
}
/**
* Adds log message to authentication access log.
*
* @param msgId I18n key of the localized message.
* @param logId Logging message Id
*/
try {
}
}
}
if (authMethName != null) {
}
}
} catch (Exception e) {
}
}
/**
* Log login failed
*
* @param str message for login failed
*/
}
/**
* Log login failed
*
* @param str message for login failed
* @param error error message for login failed
*/
}
/**
* Adds log message to authentication error log.
*
* @param str localized message to be logged.
* @param logId logging message Id.
* @param appendAuthType if true, append authentication type to the logId
* to form new logging message Id. for example:
* "LOGIN_FAILED_LEVEL".
* @param error error Id to be append to logId to form new logging
* message Id. for example : "LOGIN_FAILED_LEVEL_INVALIDPASSWORD"
*/
try {
}
if (appendAuthType) {
.toUpperCase());
}
}
}
}
try {
if (localSSOToken != null) {
}
} catch (SSOException ssoe) {
+ ssoe.getMessage());
}
}
} else if (getFailureTokenId() != null) {
if (aCb instanceof NameCallback) {
if (DEBUG.messageEnabled()) {
}
}
}
}
}
}
if ((failureModuleList != null) &&
}
}
}
} catch (Exception e) {
}
}
/**
* Log Logout status
*/
public void logLogout() {
try {
.toUpperCase());
}
}
if (localSSOToken != null) {
}
}
}
}
if (authMethName != null) {
}
}
}
} catch (Exception e) {
}
}
/**
* Attribute name for loginFailureLockout.
*/ /**
* Return attribute name for LoginLockout
*
* @return attribute name for LoginLockout
*/
public String getLoginLockoutAttrName() {
return loginLockoutAttrName;
}
/**
* Attribute value for loginFailureLockout.
*/ /**
* Return attribute value for LoginLockout
*
* @return attribute value for LoginLockout
*/
public String getLoginLockoutAttrValue() {
return loginLockoutAttrValue;
}
/**
* Attribute name for storing invalid attempts data.
*/ /**
* Return attribute name for storing invalid attempts data
*
* @return attribute name for storing invalid attempts data
*/
public String getInvalidAttemptsDataAttrName() {
return invalidAttemptsDataAttrName;
}
/**
* Max time for loginFailureLockout.
*/ /**
* Return LoginLockout duration
*
* @return LoginLockout duration
*/
public long getLoginFailureLockoutDuration() {
return loginFailureLockoutDuration;
}
/**
* Multiplier for Memory Lockout Duration
*/ /**
* Return multiplier for Memory Lockout
*
* @return LoginLockout multiplier
*/
public int getLoginFailureLockoutMultiplier() {
return loginFailureLockoutMultiplier;
}
/**
* Returns old Session
*
* @return old Session
*/
public InternalSession getOldSession() {
return oldSession;
}
/**
* Sets old Session
*
* @param oldSession Old InternalSession Object
*/
this.oldSession = oldSession;
}
/**
* Returns session upgrade.
*
* @return session upgrade.
*/
public boolean isSessionUpgrade() {
return sessionUpgrade;
}
/**
* Sets session upgrade.
*
* @param sessionUpgrade <code>true</code> if session upgrade.
*/
public void setSessionUpgrade(boolean sessionUpgrade) {
this.sessionUpgrade = sessionUpgrade;
}
void sessionUpgrade() {
// set the larger authlevel
if (oldSession == null) {
return;
}
int prevAuthLevel = 0;
try {
} catch (NumberFormatException e) {
}
if (DEBUG.messageEnabled()) {
}
if (prevAuthLevel > authLevel) {
} else {
}
}
// update service name if indextype is service
if ((qualifiedOrgDN != null)
}
if (prevServiceName != null) {
if ((newServiceName != null) &&
}
} else {
}
}
// update role if indexType is role
if (prevRoleName != null) {
}
} else {
}
}
// update auth meth name
}
if (DEBUG.messageEnabled()) {
}
} else {
}
if (DEBUG.messageEnabled()) {
}
session.setIsSessionUpgrade(true);
}
/* upgrade session properties - old session and new session proeprties
* will be concatenated , seperated by |
*/
return;
}
if (!forceAuth) {
} else {
}
}
/* update session with the property and value */
/* Get realm qualified modules list */
if (DEBUG.messageEnabled()) {
+ realm);
+ oldModulesList);
}
while (st.hasMoreTokens()) {
.append("|");
}
if (i != -1) {
}
if (DEBUG.messageEnabled()) {
}
return realmQualifiedModulesList;
}
/* compare old session property and new session property */
if (DEBUG.messageEnabled()) {
}
while (st.hasMoreTokens()) {
if (!newProperty.equals(s)) {
}
}
if (DEBUG.messageEnabled()) {
}
return propertyList;
}
// Upgrade all Properties from the existing (old) session to new session
if (DEBUG.messageEnabled()) {
}
}
boolean isCookieSet() {
return cookieSet;
}
void setCookieSet(boolean flag) {
}
boolean isCookieSupported() {
return cookieSupported;
}
void setCookieSupported(boolean flag) {
}
/* Order to determine execution of Post processing SPI is :
*
* Authentication Method SPI execution order
* ==========================================================
* Org , Level , User ,Module
* 1. Set at the user's role entry
* 2. Set at the user's org entry
*
* Role
* 1. Set that the role user's authenticates to
* 2. Set at the user's role entry.
* 3. Set at the user's org entry.
*
* Service
* 1. Set at the service.
* 2. Set at the user's role entry.
* 3. Set at the user's org entry.
*
* @param indexType Index type for post process
* @param indexName Index name for post process
* @param type indicates success, failure or logout
*/
(!postLoginInstanceSet.isEmpty()))) {
if (DEBUG.messageEnabled()) {
+ "Setting post process class in session "
}
}
if ((postLoginInstanceSet != null) &&
(!postLoginInstanceSet.isEmpty())) {
}
}
}
/**
* Returns an instance of the spi and execute it based on whether
* the login status is success or failed
*
* @param postProcessInstance <code>AMPostAuthProcessInterface</code>
* object to be processes in post login
* @param type indicates success, failure or logout
*/
/* Reset Post Process URLs in servletRequest so
* that plugin can set new values (just a safety measure) */
@SuppressWarnings("unchecked")
}
}
/* execute the post process spi */
try {
switch (type) {
case SUCCESS:
break;
case FAILURE:
break;
case LOGOUT:
break;
default:
if (DEBUG.messageEnabled()) {
}
}
} catch (AuthenticationException ae) {
if (DEBUG.messageEnabled()) {
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
}
/**
* Creates a set of instances that are implementation of classes of type
* AMPostAuthProcessInterface. The classes are picked based on index type
* and auth configuration.
*
* @param indexType Index type for post login process
* @param indexName Index name for post login process
*/
void setPostLoginInstances(
/* If role based auth then get post process classes from
* auth config of that role.
*/
/* For service based auth if service name is console service
* then use admin auth config otherwise use the index name
*/
if ((orgAdminAuthConfig != null) &&
}
}
} else {
}
/* For user based auth, take the auth config from users attributes
*/
ISAuthConstants.BLANK)))) {
}
}
/* If no Post Process class is found or module based auth then
* default to org level only if they are defined.
*/
/* For org based auth, if post process classes are not defined at
* org level then use or default config.
*/
}
}
if (DEBUG.messageEnabled()) {
}
}
if (DEBUG.messageEnabled()) {
+ postLoginClassSet.size());
}
if (postProcessInstance != null) {
}
}
}
}
/**
* Returns role post login class set
*
* @return role post login class set
*/
try {
if (postLoginClassSet == null) {
}
if (DEBUG.messageEnabled()) {
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
return postLoginClassSet;
}
/**
* Returns the service post login process class set
*
* @param indexName Index name for post login
* @return the service post login process class set
*/
try {
if ((serviceAttributesMap != null)
&& (serviceAttributesMap.isEmpty())) {
}
if (DEBUG.messageEnabled()) {
}
if (postLoginClassSet == null) {
}
if (DEBUG.messageEnabled()) {
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
+ e.getMessage());
}
}
return postLoginClassSet;
}
/**
* Returns the error message set by module.
*
* @return the error message set by module.
*/
public String getModuleErrorMessage() {
return moduleErrorMessage;
}
}
/**
* Returns the Login URL user input.
*
* @return the Login URL user input.
*/
public String getLoginURL() {
return loginURL;
}
/**
* Returns the flag indicating a request "forward" after
* successful authentication.
*
* @return the boolean flag.
*/
public boolean isForwardSuccess() {
return forwardSuccess;
}
/**
* Returns page timeout.
*
* @return Page timeout.
*/
public long getPageTimeOut() {
if (DEBUG.messageEnabled()) {
}
return pageTimeOut;
}
/**
* Sets the page timeout.
*
* @param pageTimeOut Page timeout.
*/
public synchronized void setPageTimeOut(long pageTimeOut) {
if (DEBUG.messageEnabled()) {
}
this.pageTimeOut = pageTimeOut;
}
/**
* Returns last callback sent.
*
* @return Last callback sent.
*/
public long getLastCallbackSent() {
if (DEBUG.messageEnabled()) {
"Returning Last Callback Sent :" + lastCallbackSent);
}
return lastCallbackSent;
}
/**
* Sets the last callback sent.
*
* @param lastCallbackSent Last callback sent.
*/
public void setLastCallbackSent(long lastCallbackSent) {
if (DEBUG.messageEnabled()) {
}
this.lastCallbackSent = lastCallbackSent;
}
/**
* This function is to get the redirect url from a set of urls
* based on client type. Each url will be of the form
* clienttype|url, applications need to provide redirect urls
* along with the client type so that it can be client aware.
* If it does not find the specified url along with
* client type, it returns the default client type
*
* @param urls set of urls with client type.
* @return redirect url from a set of urls for client type
*/
//If the urls set is null, return the default url
if (DEBUG.messageEnabled()) {
}
if (i != -1) {
url, i, servletRequest);
}
} else {
// There is no delimiter, ok check the size of the
// urls
if ((defaultURL == null) ||
defaultURL = url;
}
}
}
} //end while
if (DEBUG.messageEnabled()) {
}
}
return clientURL;
}
/**
* Return ignoreUserProfile
*
* @return ignoreUserProfile
*/
public boolean ignoreProfile() {
return ignoreUserProfile;
}
if (DEBUG.messageEnabled()) {
}
try {
while (st.hasMoreTokens()) {
return true;
}
}
} catch (Exception e) {
if (DEBUG.warningEnabled()) {
}
}
return false;
}
/**
* Return set which contains union of the two sets
* if one of the set is null or empty, return the other set
*
* @param set1 First set will be joined
* @param set2 Second set will be joined
* @return set which contains union of the two sets
*/
return Collections.EMPTY_SET;
} else {
return set2;
}
} else {
return set1;
} else {
return returnSet;
}
}
}
/**
* Converts a set to a map, keys are the elements in the set, value is
* the token. User naming attribute is always added as one of the key.
*
* @param names set of names are used key for map
* @param token value for each named key
* @return map that is converted from set
*/
return Collections.EMPTY_MAP;
}
//map.put(AMStoreConnection.getNamingAttribute(AMObject.USER), set);
//map.put(userNamingAttr, set);
return map;
}
}
return map;
}
/**
* Sets the <code>failureTokenId</code> - set by modules
* if this is set the logs will show the user id.
*
* @param userID User ID.
*/
if (DEBUG.messageEnabled()) {
}
}
/* update the httpsession with internalsession if
* failover is enabled
*/
void updateSessionForFailover() {
if (!isNoSession()) {
intSess.setIsISStored(true);
}
}
/**
* Returns Callbacks per Page state.
*
* @return Callbacks per Page state.
*/
return rtnCallbacks;
}
/**
* Sets Callbacks per Page state.
*/
}
/**
* Sets the persistent cookie user name.
*
* @param indexName Persistent cookie user name.
*/
this.pCookieUserName = indexName;
if (DEBUG.messageEnabled()) {
}
}
/**
* Returns <code>true<code> if cookie detected.
*
* @return <code>true<code> if cookie detected.
*/
public boolean isCookieDetect() {
return cookieDetect;
}
/**
* Sets the cookie detection value - <code>true</code> if
* <code>cookieSupport</code> is null.
*
* @param cookieDetect Cookie Detect flag.
*/
public void setCookieDetect(boolean cookieDetect) {
this.cookieDetect = cookieDetect;
}
/**
* Sets a Map of attribute value pairs to be used when the authentication
* service is configured to dynamically create a user.
*
* @param attributeValuePairs Map of attribute name to a set of values.
*/
if (DEBUG.messageEnabled()) {
}
if (userCreationAttributes == null) {
userCreationAttributes = new HashMap();
}
) {
if (DEBUG.messageEnabled()) {
}
}
}
}
/**
* Sets the module name of successful <code>LoginModule</code>.
* This module name will be populated in the session property
* <code>AuthType</code>.
*
* @param moduleName Name of module.
*/
if (DEBUG.messageEnabled()) {
}
}
/**
* Returns a Set which contains the modules names which user
* successfully authenticated.
*
* @return a Set which contains the modules names which user
* successfully authenticated.
*/
if (DEBUG.messageEnabled()) {
}
return successModuleSet;
}
/**
* Checks if module is Application.
*
* @param moduleName is the module name to be compared with
* Application module name.
* @return true if module is Application else false.
*/
if (DEBUG.messageEnabled()) {
}
return isApp;
}
/**
* Adds the failed module name to a set.
*
* @param moduleName Failed module name.
*/
if (DEBUG.messageEnabled()) {
}
}
/**
* Returns the failure module list.
*
* @return Failure module list.
*/
return failureModuleSet;
}
/**
* Sets the failure module list.
*
* @param failureModuleList which is the list of failed modules.
*/
this.failureModuleList = failureModuleList;
if (DEBUG.messageEnabled()) {
}
}
/**
* Returns <code>true</code> if the logged in user is 'Agent'.
*
* @param amIdentityUser OpenSSO Identity user.
* @return <code>true</code> if the logged in user is 'Agent'.
*/
boolean isAgent = false;
try {
if (amIdentityUser != null &&
isAgent = true;
}
} catch (Exception e) {
if (DEBUG.messageEnabled()) {
}
}
return isAgent;
}
/**
* Sets the module map which has key as module localized name and
* value is module name
*
* @param moduleMap module containing map of module localized name
* and module name.
*/
}
/**
* Returns the key for the localized module name.
*
* @param localizedModuleName , the localized module name
* @return a string, the module name
*/
}
/**
* Sets locale from servlet request.
*
* @param request HTTP Servlet Request.
*/
isLocaleSet = true;
}
/**
* Sets remote locale passed by client
*
* @param localeStr remote client locale string.
*/
isLocaleSet = true;
}
/**
* Returns <code>true</code> if session state is invalid.
*
* @return <code>true</code> if session state is invalid.
*/
public boolean isSessionInvalid() {
}
/**
* Returns <code>AMIdentity</code> object for a Role.
*
* @param roleName role name.
* @return <code>AMIdentity</code> object.
* @throws AuthException
*/
try {
} catch (AuthException ae) {
}
if (amIdentityRole == null) {
}
return amIdentityRole;
}
/**
* Returns Universal Identifier of a role.
*
* @param roleName Role Name.
* @return universal identifier of role name.
*/
try {
if (DEBUG.messageEnabled()) {
}
}
return roleUnivId;
}
/**
* Returns user DN of an Identity.
*
* @param amIdentityUser <code>AMIdentity</code> object.
* @return Identity user DN.
*/
if (principalList != null) {
while (st.hasMoreTokens()) {
break;
}
}
}
}
if (amIdentityUser != null) {
} else {
}
}
return returnUserDN;
}
/**
* Return DN for container
*
* @param containerDNs set of DN for containers
* @throws AuthException if container name is invalid
*/
// Check Container DNs for NULL
} else {
try {
int containerType =
if (DEBUG.messageEnabled()) {
+ containerType);
+ containerName);
}
&& (agentContainerDN == null)) {
&& (userContainerDN == null)) {
}
}
break;
}
} catch (Exception e) {
" is INVALID :- ", e);
continue;
}
}
}
if (userContainerDN == null) {
try {
getOrgDN();
} catch (AMException aec) {
}
}
}
if (DEBUG.messageEnabled()) {
}
}
/**
* Search for identities given the identity type, identity name
* Use common method from LazyConfig.AUTHD for getIdentity
*
* @param idType identity type for user
* @param userTokenID user token identifier
* @return IdSearchResults for given the identity type and identity name
* @throws IdRepoException if it fails to search user
* @throws SSOException if <code>SSOToken</code> is not valid
*/
throws IdRepoException, SSOException {
if (DEBUG.messageEnabled()) {
}
int maxResults = 2;
int maxTime = 0;
boolean isRecursive = true;
idsc.setAllReturnAttributes(true);
//idsc.setReturnAttributes(returnSet);
if (DEBUG.messageEnabled()) {
}
if (DEBUG.messageEnabled()) {
}
// search for the identity
try {
if (searchResults != null) {
}
} catch (SSOException sso) {
if (DEBUG.messageEnabled()) {
}
} catch (IdRepoException e) {
if (DEBUG.messageEnabled()) {
+ " Identities with username : "
+ e.getMessage());
}
}
(!aliasAttrNames.isEmpty())) {
if (DEBUG.messageEnabled()) {
}
pattern = "*";
if (DEBUG.messageEnabled()) {
}
try {
if (searchResults != null) {
}
if (DEBUG.messageEnabled()) {
"with userDN : " + avPairs);
}
}
} catch (SSOException sso) {
if (DEBUG.messageEnabled()) {
+ "Identities with aliasattrname : "
+ sso.getMessage());
}
} catch (IdRepoException e) {
if (DEBUG.messageEnabled()) {
+ "Identities : " + e.getMessage());
}
}
}
return searchResults;
} // end
/**
* Creates <code>AMIdentity</code> in the repository.
*
* @param userName name of user to be created.
* @param userAttributes Map of default attributes.
* @param userRoles Set of default roles.
* @return <code>AMIdentity</code> object of created user.
* @throws IdRepoException if it fails to create <code>AMIdentity</code>
* @throws SSOException if <code>SSOToken</code> for admin is not valid
*/
public AMIdentity createUserIdentity(
) throws IdRepoException, SSOException {
try {
}
} catch (Exception e) {
//ignore invalid Roles
}
}
}
return amIdentityUser;
}
/**
* Returns the universal id associated with a user name.
*
* @param userName name of user to be created.
* @return universal identifier of the user.
*/
try {
}
} catch (Exception e) {
"Error getting Identity for user :" + e.getMessage());
}
if (DEBUG.messageEnabled()) {
}
return universalId;
}
/**
* Returns the type of authentication to be used after Composite Advices.
*
* @return an integer type indicating the type of authentication required.
*/
public int getCompositeAdviceType() {
return compositeAdviceType;
}
/**
* Sets the type of authentication to be used after Composite Advices.
*
* @param type Type of authentication.
*/
public void setCompositeAdviceType(int type) {
this.compositeAdviceType = type;
}
/**
* Returns the Composite Advice for this Authentication request.
*
* @return String of Composite Advice.
*/
public String getCompositeAdvice() {
return compositeAdvice;
}
/**
* Sets the Composite Advice for this Authentication request.
*
* @param compositeAdvice Composite Advice for authentication.
*/
this.compositeAdvice = compositeAdvice;
}
/**
* Sets the qualified OrgDN for Policy conditions
* to be used after Composite Advices.
*
* @param qualifiedOrgDN qualifiedOrgDN for Policy conditions.
*/
this.qualifiedOrgDN = qualifiedOrgDN;
}
/**
* Returns the Authentication configuration / Authentication
* chain name used for current authentication process.
*
* @param indexType AuthContext.IndexType
* @param indexName Index Name for AuthContext.IndexType
*/
if ((orgAdminAuthConfig != null) &&
}
}
} else {
}
ISAuthConstants.BLANK)))) {
}
}
}
if (DEBUG.messageEnabled()) {
}
return finalAuthConfigName;
}
boolean isAuthValidForInternalUser() {
boolean authValid = true;
"LoginState.isValidAuthForInternalUser():session is null");
return false;
}
"LoginState.isValidAuthForInternalUser():userId is null");
return false;
}
if (!successModuleSet.isEmpty()) {
}
"LoginState.isValidAuthForInternalUser():authRealm is null");
return false;
}
if (authModule == null) {
if (DEBUG.warningEnabled()) {
+ "authModule is null");
}
return false;
}
if (DEBUG.messageEnabled()) {
+ "Attempt to login as:" + userId
+ ", to module:" + authModule
+ ", at realm:" + authRealm);
}
authValid = false;
if (DEBUG.warningEnabled()) {
+ "Attempt to login as:" + userId
+ ", to module:" + authModule
+ ", at realm:" + authRealm
+ ", denied due to internal users restriction ");
}
}
}
return authValid;
}
/**
* Sets userDN based on pcookie - called by <code>AMLoginContext</code>.
*/
}
/**
* Restores the old session (if one exists). Used in the case of a failed session upgrade or successful force-auth
* to restore the original session object. If no old session exists then this method does nothing.
*/
public void restoreOldSession() {
if (oldSession != null) {
}
}
/**
* Indicates userID generate mode is enabled
*/
public boolean isUserIDGeneratorEnabled() {
return userIDGeneratorEnabled;
}
public void setUserIDGeneratorEnabled(final boolean userIDGeneratorEnabled) {
}
/**
* Indicates provider class name for userIDGenerator
*/
public String getUserIDGeneratorClassName() {
return userIDGeneratorClassName;
}
}
/**
* Indicates accountlocking mode is enabled.
*/
public boolean isLoginFailureLockoutMode() {
return loginFailureLockoutMode;
}
public void setLoginFailureLockoutMode(final boolean loginFailureLockoutMode) {
}
/**
* Indicates loginFailureLockoutStoreInDS mode is enabled.
*/
public boolean isLoginFailureLockoutStoreInDS() {
return loginFailureLockoutStoreInDS;
}
public void setLoginFailureLockoutStoreInDS(final boolean loginFailureLockoutStoreInDS) {
}
this.accountLife = accountLife;
}
public void setLoginFailureLockoutDuration(final long loginFailureLockoutDuration) {
}
public void setLoginFailureLockoutMultiplier(final int loginFailureLockoutMultiplier) {
}
public void setLoginFailureLockoutTime(final long loginFailureLockoutTime) {
}
public void setLoginFailureLockoutCount(final int loginFailureLockoutCount) {
}
}
}
}
}
public void setLoginLockoutUserWarning(final int loginLockoutUserWarning) {
}
/**
* <code>SSOToken</code> ID for login failed
*/
public String getFailureTokenId() {
return failureTokenId;
}
this.failureTokenId = failureTokenId;
}
/**
* Indicates the type of post-processing that should be performed.
*/
enum PostProcessEvent {
}
}