LoginState.java revision 563b922249eadd0562ddea89c52ed308c2d31c0a
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * The contents of this file are subject to the terms
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * of the Common Development and Distribution License
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * (the License). You may not use this file except in
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * compliance with the License.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * You can obtain a copy of the License at
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * https://opensso.dev.java.net/public/CDDLv1.0.html or
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * See the License for the specific language governing
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * permission and limitations under the License.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * When distributing Covered Code, include this CDDL
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Header Notice in each file and include the License file
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * If applicable, add the following below the CDDL Header,
dff2cc5646d4437ab9e0cb1dcb59da65462a5938jeff.schenk * with the fields enclosed by brackets [] replaced by
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * your own identifying information:
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * "Portions Copyrighted [year] [name of copyright owner]"
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * $Id: LoginState.java,v 1.57 2010/01/20 21:30:40 qcheng Exp $
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Portions Copyrighted 2010-2015 ForgeRock AS.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport static java.util.Collections.unmodifiableSet;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport static org.forgerock.openam.audit.AuditConstants.AuthenticationFailureReason.*;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport static org.forgerock.openam.session.SessionConstants.*;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport static org.forgerock.openam.utils.CollectionUtils.asSet;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport javax.security.auth.callback.NameCallback;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.iplanet.dpro.session.service.InternalSession;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.AuthContext;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.audit.AuthenticationProcessEventAuditor;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.client.ZeroPageLoginConfig;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.config.AMAuthConfigUtils;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.config.AMAuthenticationInstance;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.config.AMAuthenticationManager;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.config.AMConfigurationException;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.server.AuthContextLocal;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.spi.AuthenticationException;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.spi.AMLoginModule;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.util.AMAuthUtils;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.authentication.util.ISAuthConstants;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.common.admin.AdminInterfaceUtils;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.idm.AMIdentityRepository;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.security.AdminTokenAction;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.session.util.SessionUtils;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.shared.datastruct.CollectionHelper;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport com.sun.identity.sm.OrganizationConfigManager;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport org.forgerock.guava.common.collect.ImmutableList;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport org.forgerock.openam.authentication.service.SessionPropertyUpgrader;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenkimport org.forgerock.openam.authentication.service.SessionUpgradeHandler;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * This class maintains the User's login state information from the time user
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * requests for authentication till the time the user either logs out of the
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * OpenAM system or the session is destroyed by any privileged application of
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * the OpenAM system.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk /* Define internal users
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * For these users we would allow authentication only at root realm
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * and require to be authenticated to configuration datastore.
dff2cc5646d4437ab9e0cb1dcb59da65462a5938jeff.schenk public static final Set<String> INTERNAL_USERS = unmodifiableSet(asSet("amadmin", "dsameuser", "urlaccessagent"));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static final boolean URL_REWRITE_IN_PATH = SystemProperties.getAsBoolean(Constants.REWRITE_AS_PATH);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static final String NO_SESSION_QUERY_PARAM = "noSession";
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static final Set<String> USER_ATTRIBUTES;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static final long AGENT_SESSION_IDLE_TIME;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static final SecureRandom SECURE_RANDOM;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static final List<String> SHARED_STATE_ATTRIBUTES =
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk Arrays.asList(ISAuthConstants.SHARED_STATE_PASSWORD, ISAuthConstants.SHARED_STATE_USERNAME);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static volatile List<SessionUpgradeHandler> sessionUpgradeHandlers = null;
dff2cc5646d4437ab9e0cb1dcb59da65462a5938jeff.schenk * Lazy initialisation holder to allow unit testing without loading the world.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static class LazyConfig {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static final AuthD AUTHD = AuthD.getAuth();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static final SessionPropertyUpgrader SESSION_PROPERTY_UPGRADER = loadPropertyUpgrader();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk attrs.add(ISAuthConstants.SESS_MAX_CACHING_TIME);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // App session timeout is default to 0 => non-expiring
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk long agSessIdleTime = SystemProperties.getAsLong(Constants.AGENT_SESSION_IDLE_TIME, 0L);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk AGENT_SESSION_IDLE_TIME = (agSessIdleTime > 0 && agSessIdleTime < minAgentSessionIdleTime)
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // Obtain the secureRandom instance
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk SECURE_RANDOM = SecureRandom.getInstance("SHA1PRNG");
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.error("LoginState.static() : LoginState : SecureRandom.getInstance() Failed", ex);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk throw new IllegalStateException("Unable to obtain SecureRandom", ex);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean mandatory2fa;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean loginFailureLockoutMode = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean loginFailureLockoutStoreInDS = true;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private String invalidAttemptsDataAttrName = null;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private final Map<String, Callback[]> callbacksPerState = new HashMap<String, Callback[]>();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private int loginStatus = LoginStatus.AUTH_IN_PROGRESS;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean newRequest; // new or existing request
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean dynamicProfileCreation = false;
dff2cc5646d4437ab9e0cb1dcb59da65462a5938jeff.schenk private boolean ignoreUserProfile = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean createWithAlias = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private int moduleAuthLevel = Integer.MIN_VALUE;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean cookieSupported = true;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean cookieSet = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean userEnabled = true;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private AuthContext.IndexType prevIndexType = null;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private String defaultOrgSuccessLoginURL = null;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private String defaultOrgFailureLoginURL = null;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private final Map<String, String> requestMap = new HashMap<String, String>();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private Set<String> domainAuthenticators = null;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean sessionUpgrade = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // error code
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // timed out
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean timedOut = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private Set orgPostLoginClassSet = Collections.EMPTY_SET;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private Map serviceAttributesMap = new HashMap();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private Set<AMPostAuthProcessInterface> postLoginInstanceSet = null;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean isLocaleSet = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean cookieDetect = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private Map<String, Object> userCreationAttributes = null;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private final Set<String> successModuleSet = new HashSet<String>();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private final Set<String> failureModuleSet = new HashSet<String>();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private String failureModuleList = ISAuthConstants.EMPTY_STRING;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private Set<String> identityTypes = Collections.emptySet();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private Set<String> userSessionMapping = Collections.emptySet();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // Variable indicating a request "forward" after
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // authentication success
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean forwardSuccess = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean postProcessInSession = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean modulesInSession = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // Indicates Session is stateless
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public boolean stateless = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Indicates if orgnization is active
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean inetDomainStatus = true;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Default roles for user
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Default auth level for each auth module
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private ZeroPageLoginConfig zeroPageLoginConfig;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean forceAuth;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean cookieTimeToLiveEnabledFlag = false;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // Enable Module based Auth
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private boolean enableModuleBasedAuth = true;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private ISLocaleContext localeContext = new ISLocaleContext();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * The sharedState Map of the {@link AMLoginModule} and subclasses.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Stores the principals corresponding to the successful authentication modules within the current authentication
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private final Set<String> authenticatedPrincipals = new HashSet<String>();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private final AuthenticationProcessEventAuditor auditor = InjectorHolder.getInstance(
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Attempts to load the configured session property upgrader class.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static SessionPropertyUpgrader loadPropertyUpgrader() {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk String upgraderClass = SystemProperties.get(Constants.SESSION_UPGRADER_IMPL,
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk upgrader = Class.forName(upgraderClass).asSubclass(SessionPropertyUpgrader.class).newInstance();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.message("SessionUpgrader implementation ('" + upgraderClass
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + ") successfully loaded.");
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.error("Unable to load the following Session Upgrader implementation: " +
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk upgraderClass + "\nFallbacking to DefaultSessionUpgrader", ex);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk upgrader = new DefaultSessionPropertyUpgrader();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Converts a byte array to a hex string.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk private static String byteArrayToHexString(byte[] byteArray) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk onebyte = ((0x000000ff & byteArray[i]) | 0xffffff00);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk hexData.append(Integer.toHexString(onebyte).substring(6));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns servlet request object.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return servlet request object.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public HttpServletRequest getHttpServletRequest() {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets servlet request.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param servletRequest Servlet request.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public void setHttpServletRequest(HttpServletRequest servletRequest) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns session, Returns null if session state is <code>INACTIVE</code>
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * or <code>DESTROYED</code>.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return session;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk if (session == null || session.getState() == INACTIVE ||
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk "Session is null OR INACTIVE OR DESTROYED :" + session);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the internal session for the request.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param sess Internal session for the request.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the session id, independently of the session. Used by stateless session activation to update the
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * serialised session id while leaving the InternalSession null.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param sid the new session id to set.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the callbacks recieved and notify waiting thread.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param callback
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param amLoginContext
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk synchronized (amLoginContext) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the callbacks recieved and notify waiting thread.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Used in non-jaas thread mode only.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param callback
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public void setReceivedCallback_NoThread(Callback[] callback) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the callbacks submitted by login module and notify waiting thread.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param callback
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param amLoginContext
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk synchronized (amLoginContext) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the callbacks submitted by login module and notify waiting thread.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Used in non-jaas thread mode only.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param callback
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public void setSubmittedCallback_NoThread(Callback[] callback) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns recieved callback info from loginmodule.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return recieved callback info from loginmodule.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns callbacks submitted by client.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return callbacks submitted by client.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns the organization DN example <code>o=iplanet.com,o=isp</code>.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return the organization DN example <code>o=iplanet.com,o=isp</code>.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk } catch (Exception e) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns the organization name.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return the organization name.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk orgName = DNMapper.orgNameToRealmName(getOrgDN());
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns the authentication login status.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return the authentication login status.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the authentication login status.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param loginStatus authentication login status.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public synchronized void setLoginStatus(int loginStatus) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the request parameters hash.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param requestHash Request parameters hash.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public void setParamHash(Hashtable requestHash) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk /* copy these parameters to HashMap */
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the request type.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param newRequest <code>true</code> for new request type;
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * <code>false</code> for existing request type.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns the request type.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return the request type.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public boolean isNewRequest() {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns <code>true</code> if dynamic profile is enabled.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return <code>true</code> if dynamic profile is enabled.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public boolean isDynamicProfileCreationEnabled() {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Populates the organization profile.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @throws AuthException
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public void populateOrgProfile() throws AuthException {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // get inetdomainstatus for the org
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // check if org is active
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk inetDomainStatus = LazyConfig.AUTHD.getInetDomainStatus(getOrgDN());
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // org inactive
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk logFailed(AuthUtils.getErrorVal(AMAuthErrorCode.AUTH_ORG_INACTIVE,
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk auditor.auditLoginFailure(this, REALM_INACTIVE);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk throw new AuthException(AMAuthErrorCode.AUTH_ORG_INACTIVE, null);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // get handle to org config manager object to retrieve auth service
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // attributes.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk LazyConfig.AUTHD.getOrgConfigManager(getOrgDN());
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk orgConfigMgr.getServiceConfig(ISAuthConstants.AUTH_SERVICE_NAME);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk Map<String, Set<String>> attrs = svcConfig.getAttributes();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk stateless = CollectionHelper.getBooleanMapAttr(attrs, ISAuthConstants.AUTH_STATELESS_SESSIONS, false);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk aliasAttrNames = attrs.get(ISAuthConstants.AUTH_ALIAS_ATTR);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // NEEDED FOR BACKWARD COMPATIBILITY SUPPORT - OPEN ISSUE
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // TODO: Remove backward compat stuff
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk attrs, ISAuthConstants.AUTH_NAMING_ATTR, "uid");
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // END BACKWARD COMPATIBILITY SUPPORT
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk defaultRoles = attrs.get(ISAuthConstants.AUTH_DEFAULT_ROLE);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk } else if (tmp.equalsIgnoreCase("createAlias")) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk tmp = CollectionHelper.getMapAttr(attrs, Constants.ZERO_PAGE_LOGIN_ENABLED);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk Set<String> zplWhitelist = (Set<String>) attrs.get(Constants.ZERO_PAGE_LOGIN_WHITELIST);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk boolean allowZPLWithoutReferer = CollectionHelper.getBooleanMapAttr(attrs,
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk Constants.ZERO_PAGE_LOGIN_ALLOW_MISSING_REFERER, true);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk this.zeroPageLoginConfig = new ZeroPageLoginConfig(zplEnabled, zplWhitelist, allowZPLWithoutReferer);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk new AMAuthenticationManager(LazyConfig.AUTHD.getSSOAuthSession(), getOrgDN());
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk domainAuthenticators = authManager.getAllowedModuleNames();
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk attrs, ISAuthConstants.DEFAULT_AUTH_LEVEL, LazyConfig.AUTHD.defaultAuthLevel);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk Set orgSuccessLoginURLSet = (Set) attrs.get(ISAuthConstants.LOGIN_SUCCESS_URL);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk clientOrgSuccessLoginURL = getRedirectUrl(orgSuccessLoginURLSet);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk Set orgFailureLoginURLSet = (Set) attrs.get(ISAuthConstants.LOGIN_FAILURE_URL);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk clientOrgFailureLoginURL = getRedirectUrl(orgFailureLoginURLSet);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk orgAuthConfig = CollectionHelper.getMapAttr(attrs,
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk orgAdminAuthConfig = CollectionHelper.getMapAttr(attrs,
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk (Set) attrs.get(ISAuthConstants.POST_LOGIN_PROCESS);
dff2cc5646d4437ab9e0cb1dcb59da65462a5938jeff.schenk // retrieve account locking specific attributes
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk attrs, ISAuthConstants.LOGIN_FAILURE_STORE_IN_DS);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setLoginFailureLockoutDuration(Long.parseLong(tmp));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.error("auth-lockout-duration bad format.");
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setLoginFailureLockoutDuration(getLoginFailureLockoutDuration() * 60 * 1000);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk tmp = Misc.getMapAttr(attrs, ISAuthConstants.LOCKOUT_MULTIPLIER);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setLoginFailureLockoutMultiplier(Integer.parseInt(tmp));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.error("auth-lockout-multiplier bad format.");
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setLoginFailureLockoutCount(Integer.parseInt(tmp));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setLoginFailureLockoutTime(Long.parseLong(tmp));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.error("auth-login-failure-duration bad format.");
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setLoginFailureLockoutTime(getLoginFailureLockoutTime() * 60 * 1000);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setLoginLockoutUserWarning(Integer.parseInt(tmp));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.error("auth-lockout-warn-user bad format.");
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setLoginLockoutNotification(CollectionHelper.getMapAttr(
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setUserIDGeneratorEnabled(Boolean.valueOf(tmp));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk tmp = CollectionHelper.getMapAttr(attrs, ISAuthConstants.TWO_FACTOR_AUTH_MANDATORY);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setUserIDGeneratorClassName(CollectionHelper.getMapAttr(
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk attrs, ISAuthConstants.USERNAME_GENERATOR_CLASS));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk setInvalidAttemptsDataAttrName(CollectionHelper.getMapAttr(
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk attrs, ISAuthConstants.INVALID_ATTEMPTS_DATA_ATTR_NAME));
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\ncharset->" + localeContext.getMIMECharset()
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\ndynamicProfileCreation->" + dynamicProfileCreation
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\norgSucessLoginURLSet->" + orgSuccessLoginURLSet
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\norgFailureLoginURLSet->" + orgFailureLoginURLSet
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nclientSuccessLoginURL ->" + clientOrgSuccessLoginURL
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\ndefaultSuccessLoginURL ->" + defaultOrgSuccessLoginURL
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\norgPostLoginClassSet ->" + orgPostLoginClassSet
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\norgAdminAuthConfig ->" + orgAdminAuthConfig
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nclientFailureLoginURL ->" + clientOrgFailureLoginURL
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\ndefaultFailureLoginURL ->" + defaultOrgFailureLoginURL
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nenableModuleBasedAuth ->" + enableModuleBasedAuth
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nloginFailureLockoutMode->" + isLoginFailureLockoutMode()
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nloginFailureLockoutStoreInDS->"
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nloginFailureLockoutCount->" + getLoginFailureLockoutCount()
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nloginFailureLockoutTime->" + getLoginFailureLockoutTime()
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nloginLockoutUserWarning->" + getLoginLockoutUserWarning()
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nloginLockoutNotification->" + getLoginLockoutNotification()
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\ninvalidAttemptsDataAttrName->" + getInvalidAttemptsDataAttrName()
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "\nzeroPageLoginConfig->" + zeroPageLoginConfig
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Populates the global profile.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @throws AuthException
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public void populateGlobalProfile() throws AuthException {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk Map attrs = AuthUtils.getGlobalAttributes("iPlanetAMAuthService");
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk postProcessInSession = Boolean.parseBoolean(tmpPostProcess);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk modulesInSession = Boolean.parseBoolean(tmpModules);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.message("LoginState.populateGlobalProfile: "
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk + "Getting Global Profile: " +
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk "\npostProcessInSession ->" + postProcessInSession +
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns the authenticated subject.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return Authenticated subject
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the authenticated subject.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param subject Authenticated subject.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns session idle time.
dff2cc5646d4437ab9e0cb1dcb59da65462a5938jeff.schenk * @return session idle time.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public int getIdleTime() {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns session cache time.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return session cache time.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public int getCacheTime() {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns user DN.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return user DN.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns authentication level.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return authentication level.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk public int getAuthLevel() {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk /* for AMLoginModule */
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk /* It is not a clean way to call setAuthLevel() in
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * this method. To make reference to authLevel(like
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * in sessionUpgrade()), make sure setAuthLevel() has
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * been called before, NOT getAuthLevel() ! or it will
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * return zero.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the authentication level.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * checks if <code>moduleAuthLevel</code> is set and if
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * it is greater then the authentications level then
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * <code>moduleAuthLevel</code> will be the set level.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param authLevel Authentication Level.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // check if module Level is set and is greater
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk // then authenticated modules level
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.message("AuthLevel is set to : " + this.authLevel);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Returns the client address.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return the client address.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk DEBUG.message("getClient : servletRequest is : " + servletRequest);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk clientHost = ClientUtils.getClientIPAddress(servletRequest);
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk InetAddress localHost = InetAddress.getLocalHost();
dff2cc5646d4437ab9e0cb1dcb59da65462a5938jeff.schenk } catch (Exception e) {
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * Sets the client address.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param remoteAddr Client address.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * convert a token to DN
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * FOR BACKWARD COMPATIBILITY SUPPORT
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @param token0 <code>SSOToken</code> ID has user principal
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk * @return DN for user principal
return token;
return token;
return userDN;
} catch (Exception e) {
return token0;
throws AuthException {
* Unless the noSession query parameter was set on the request and then in that case no new permanent session is
* @return <code>true</code> if user session is activated successfully, <code>false if failed to activated</code>
public boolean activateSession(Subject subject, AuthContextLocal ac, Object loginContext) throws AuthException {
final boolean isSessionActivated = getSessionActivator().activateSession(this, AuthD.getSessionService(),
return isSessionActivated;
throw ae;
} catch (Exception e) {
if (isNoSession()) {
if (stateless) {
if (!ignoreUserProfile) {
if (sessionUpgrade) {
} else if (!ignoreUserProfile) {
throw new AuthException(
throw new AuthException(
if (sessionUpgrade) {
boolean firstElement = true;
if (!firstElement) {
firstElement = false;
if (dynamicProfileCreation) {
} else if (ignoreUserProfile) {
} else if (createWithAlias) {
if (!sessionUpgrade) {
if (!sessionUpgrade) {
if (!sessionUpgrade) {
iterator();
subject);
} catch (Exception e) {
throw new AuthException(e);
public boolean getInetDomainStatus() {
return inetDomainStatus;
return queryOrg;
if (!isLocaleSet) {
isLocaleSet = true;
void destroySession() {
return sid;
public boolean getForceFlag() {
return forceAuth;
public boolean isCookieTimeToLiveEnabled() {
return cookieTimeToLiveEnabledFlag;
public int getCookieTimeToLive() {
return cookieTimeToLive;
return userOrg;
) throws AuthException {
newRequest = true;
} catch (Exception e) {
throw new AuthException(e);
cookieSupported = false;
cookieSet = true;
return authContext;
void createSession(
) throws AuthException {
return null;
return ssoToken;
boolean useAMCookie) {
boolean appendSessCookieInURL = SystemProperties.getAsBoolean(Constants.APPEND_SESS_COOKIE_IN_URL, true);
if (!appendSessCookieInURL) {
return url;
return url;
return url;
if (URL_REWRITE_IN_PATH) {
return (encodedURL);
if (!dynamicProfileCreation) {
return attrs;
void populateUserAttributes(
Map p,
boolean loginStatus,
) throws AMException {
if (!loginStatus) {
DEBUG);
userEnabled = false;
} catch (Exception e) {
throws AuthException {
} catch (Exception e) {
throw new AuthException(e);
public boolean getUserProfile(
boolean populate,
boolean loginStatus
) throws AuthException {
} catch (IdRepoException e) {
if (populate) {
} catch (Exception e) {
} catch (Exception e) {
} catch (Exception e) {
userEnabled = true;
public boolean searchUserProfile(
) throws AuthException {
boolean gotUserProfile = true;
if (createWithAlias) {
throw new AuthException(
boolean gotProfile = true;
if (!userEnabled) {
throw new AuthException(
if (gotUserProfile) {
+ userRoleFound);
if (!userRoleFound) {
throw new AuthException(
boolean foundUserAlias = false;
boolean userRoleFound = true;
+ token);
if (gotUserProfile) {
if (foundUserAlias =
+ foundAliasMap);
if (!userEnabled) {
throw new AuthException(
if (!userRoleFound) {
throw new AuthException(
if (createWithAlias) {
+ foundAliasMap);
+ foundUserAlias);
throw new AuthException(
+ gotUserProfile);
return gotUserProfile;
} catch (AuthException e) {
throw new AuthException(e);
} catch (Exception e) {
throw new AuthException(e);
throws AuthException {
boolean gotProfile = false;
if (!gotProfile) {
return gotProfile;
} catch (Exception e) {
return foundUserAliasMap;
while (p.hasNext()) {
return tokenSet;
public boolean isUserEnabled() {
return userEnabled;
return amIdentityRole;
return null;
} catch (Exception e) {
return amIdRole;
return authMethName;
boolean foundUser = false;
foundUser = true;
} catch (Exception e) {
return foundUser;
return zeroPageLoginConfig;
return requestHash;
return userEnabled;
boolean userRoleFound = true;
userRoleFound = false;
return userRoleFound;
boolean foundUserAlias = true;
foundUserAlias = false;
return foundUserAlias;
boolean gotUserProfile = false;
gotUserProfile = true;
return gotUserProfile;
throws AuthException {
} catch (Exception e) {
boolean aliasFound = true;
aliasFound = false;
return aliasFound;
return lbCookie;
return indexType;
return prevIndexType;
void setDecodedGoToOnFailURL() {
return postProcessGoto;
if ((currentGoto != null) && (currentGoto.length() != 0) && (!currentGoto.equalsIgnoreCase("null"))) {
+ successLoginURL);
return encodedSuccessURL;
} catch (Exception e) {
return roleURL;
} catch (Exception e) {
return roleFailureURL;
return roleAttributeMap;
} catch (Exception e) {
} catch (Exception e) {
return successServiceURL;
} catch (Exception e) {
return serviceFailureURL;
return attributeDataMap;
return attributeDataMap;
} catch (Exception e) {
return null;
return loginPostProcessInstance;
return null;
} catch (Exception e) {
return null;
public void setSuccessLoginURL(
public void setFailureLoginURL(
+ getFailureTokenId());
} catch (Exception e) {
getFailureTokenId(), e);
return postProcessURL;
return fqdnFailureLoginURL;
return AuthUtils.getPostProcessURL(servletRequest, AMPostAuthProcessInterface.POST_PROCESS_LOGOUT_URL);
} catch (Exception e) {
return null;
return serviceURL;
return servletResponse;
return prevCallback;
* @return <code>true</code> if the authentication request was made with the noSession query parameter set to true.
public boolean isNoSession() {
return accountLife;
return token;
protected boolean getEnableModuleBasedAuth() {
return enableModuleBasedAuth;
public boolean getLoginFailureLockoutMode() {
return isLoginFailureLockoutMode();
public boolean getLoginFailureLockoutStoreInDS() {
return isLoginFailureLockoutStoreInDS();
public long getLoginFailureLockoutTime() {
return loginFailureLockoutTime;
public int getLoginFailureLockoutCount() {
return loginFailureLockoutCount;
return loginLockoutNotification;
public int getLoginLockoutUserWarning() {
return loginLockoutUserWarning;
return errorCode;
return errorMessage;
return errorTemplate;
return moduleErrorTemplate;
public boolean isTimedOut() {
return timedOut;
return lockoutMsg;
return this.indexName;
) throws AuthException {
newRequest = true;
} catch (Exception e) {
isLocaleSet = false;
return authContext;
boolean levelSet = false;
levelSet = true;
return levelSet;
} catch (Exception e) {
return orgDN;
return moduleInstances;
} catch (Exception e) {
return moduleInstances;
return domainAuthenticators;
return cert;
public void logSuccess() {
.toUpperCase());
if (!isNoSession()) {
} catch (Exception e) {
} catch (Exception e) {
if (appendAuthType) {
.toUpperCase());
} catch (Exception e) {
public void logLogout() {
.toUpperCase());
} catch (Exception e) {
return loginLockoutAttrName;
return loginLockoutAttrValue;
return invalidAttemptsDataAttrName;
public long getLoginFailureLockoutDuration() {
return loginFailureLockoutDuration;
public int getLoginFailureLockoutMultiplier() {
return loginFailureLockoutMultiplier;
return oldSession;
public boolean isSessionUpgrade() {
return sessionUpgrade;
void sessionUpgrade() {
} catch (NumberFormatException e) {
if (!forceAuth) {
+ realm);
+ oldModulesList);
return realmQualifiedModulesList;
return propertyList;
private void invokeSessionUpgradeHandlers() {
private static synchronized void loadSessionUpgradeHandlers() {
boolean isCookieSet() {
return cookieSet;
boolean isCookieSupported() {
return cookieSupported;
switch (type) {
case SUCCESS:
case FAILURE:
case LOGOUT:
} catch (Exception e) {
void setPostLoginInstances(
} catch (Exception e) {
return postLoginClassSet;
} catch (Exception e) {
+ e.getMessage());
return postLoginClassSet;
return moduleErrorMessage;
return loginURL;
public boolean isForwardSuccess() {
return forwardSuccess;
public long getPageTimeOut() {
return pageTimeOut;
public long getLastCallbackSent() {
return lastCallbackSent;
return clientURL;
public boolean ignoreProfile() {
return ignoreUserProfile;
} catch (Exception e) {
return set2;
return set1;
return returnSet;
return map;
return map;
void updateSessionForFailover() {
return callbacksPerState;
return rtnCallbacks;
public boolean isCookieDetect() {
return cookieDetect;
return successModuleSet;
return isApp;
return failureModuleSet;
return failureModuleList;
boolean isAgent = false;
isAgent = true;
} catch (Exception e) {
return isAgent;
isLocaleSet = true;
isLocaleSet = true;
public boolean isSessionInvalid() {
return amIdentityRole;
return roleUnivId;
return returnUserDN;
int containerType =
+ containerType);
+ containerName);
} catch (Exception e) {
getOrgDN();
boolean isRecursive = true;
} catch (IdRepoException e) {
+ e.getMessage());
} catch (IdRepoException e) {
return searchResults;
} catch (Exception e) {
return amIdentityUser;
} catch (Exception e) {
return universalId;
public int getCompositeAdviceType() {
return compositeAdviceType;
return compositeAdvice;
return finalAuthConfigName;
boolean isAuthValidForInternalUser() {
boolean authValid = true;
authValid = false;
return authValid;
* Restores the old session (if one exists). Used in the case of a failed session upgrade or successful force-auth
public void restoreOldSession() {
public boolean isUserIDGeneratorEnabled() {
return userIDGeneratorEnabled;
return userIDGeneratorClassName;
public boolean isLoginFailureLockoutMode() {
return loginFailureLockoutMode;
public boolean isLoginFailureLockoutStoreInDS() {
return loginFailureLockoutStoreInDS;
* Whether to keep authentication module instances in the session so that they can be called on logout. This is
* useful if the login modules have particular logout callback functionality that must be invoked. See
* authentication service setting "sunAMAuthKeepAuthModuleIntances". Not supported for stateless sessions.
boolean isModulesInSessionEnabled() {
return modulesInSession;
return failureTokenId;
public boolean is2faMandatory() {
return mandatory2fa;
return sharedState;
public void saveSharedStateAttributes() {
* Save the principalList that is generated by successful LoginContext authentication, to the requestMap.
public void saveSubjectState() {
* Saves the principals successfully created during the authentication process, whether or not all modules or identity searches
* succeeded. This differs from the principalList generated by the LoginContext, as that is only
requestMap.put(ISAuthConstants.AUTHENTICATED_PRINCIPALS, StringUtils.join(authenticatedPrincipals, "|"));
return authenticatedPrincipals;
enum PostProcessEvent {