8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: ReplayPasswd.java,v 1.6 2009/11/04 22:50:35 manish_rustagi Exp $
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major * Portions Copyrighted 2011-2016 ForgeRock AS.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.service.AuthUtils;
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomasimport com.sun.identity.authentication.util.ISAuthConstants;
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomasimport com.sun.identity.shared.encode.CookieUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class is used to set the encrypted password as a session property.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * It reads the value of the property "com.sun.am.replaypasswd.key" which is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the key that is to be used for DES Encryption. Once the password is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * encrypted, it assigns a session property "sunIdentityUserPassword" with
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * this value.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class is also used to set "sharepoint_login_attr_value" as a session
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * property to support Sharepoint. It reads the value of the property
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "com.sun.am.sharepoint_login_attr_name" which indicates the user token that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sharepoint uses for authentication and gets its corresponding attribute
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * value from the user datastore. It will then put this as a value of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "sharepoint_login_attr_value" session property.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class also sets the "owaAuthCookie" for all the domains for which
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "iPlanetdirectoryPro" cookie is set.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class ReplayPasswd implements AMPostAuthProcessInterface {
// Cipher transformation passed to Cipher.getInstance() in encryptPassword(). The key is built as a
// "DES" SecretKeySpec there, i.e. a legacy 56-bit block cipher; NOTE(review): DES is not considered
// adequate for protecting credentials today — confirm whether a migration to AES is planned.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String CIPHER_INSTANCE_NAME =
// System property that holds the key material used by encryptPassword() (read via SystemProperties.get).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String REPLAY_PASSWORD_KEY =
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas "com.sun.am.replaypasswd.key";
// Session property that receives the encrypted password in onLoginSuccess(). The value is ciphertext,
// not a hash: anyone holding the configured key can recover the clear-text password from the session,
// which is the intended "replay" use case — verify that session property readers are restricted accordingly.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String SUN_IDENTITY_USER_PASSWORD =
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas "sunIdentityUserPassword";
// "com.sun.am.iis_owa_enabled" is read through SystemProperties.get(IIS_OWA_ENABLED) in onLoginSuccess();
// "owaAuthCookie" is the name of the cookie added for every cookie domain of the request.
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas "com.sun.am.iis_owa_enabled";
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas "owaAuthCookie";
// Fixed cookie value: the OWA cookie is a static marker, not a per-session secret. Cookie attributes
// (Secure/HttpOnly) are decided inside CookieUtils.newCookie, not here — NOTE(review): confirm they are set.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String OWA_AUTH_COOKIE_VALUE =
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas "amOwaValue";
// System property naming the user attribute whose value is copied into the session for SharePoint.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String SHAREPOINT_LOGIN_ATTR_NAME =
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas "com.sun.am.sharepoint_login_attr_name";
// Session property that receives that attribute value (set in onLoginSuccess()).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String SHAREPOINT_LOGIN_ATTR_VALUE =
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas "sharepoint_login_attr_value";
// Debug logger for this class. Note that onLoginSuccess() logs the SharePoint attribute value at message
// level; the password itself is never logged in the visible code.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static Debug debug = Debug.getInstance("ReplayPasswd");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Post processing on successful authentication.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param requestParamsMap contains HttpServletRequest parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param request HttpServlet request
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param response HttpServlet response
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param ssoToken user's session
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthenticationException if there is an error while setting
55fd6d019a44ba92b8161fc97ce159198afddb24Peter Major * the session password property
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void onLoginSuccess(Map requestParamsMap,
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas SSOToken ssoToken) throws AuthenticationException {
55fd6d019a44ba92b8161fc97ce159198afddb24Peter Major debug.message("ReplayPasswd.onLoginSuccess: request is not available, password is not saved.");
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.message("ReplayPasswd.onLoginSuccess called: Req:" + request.getRequestURL());
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.warning("ReplayPasswd: unable to get user password as requestParamsMap is null");
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas String userpasswd = (String) requestParamsMap.get(ISAuthConstants.SHARED_STATE_PASSWORD);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas String encryptedPassword = encryptPassword(userpasswd);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas if (StringUtils.isNotBlank(encryptedPassword)) {
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas ssoToken.setProperty(SUN_IDENTITY_USER_PASSWORD, encryptedPassword);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.warning("ReplayPasswd: unable to set encrypted Password as encrypted value is empty");
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.warning("ReplayPasswd: unable to get user password to encrypt");
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas String iisOwaEnabled = SystemProperties.get(IIS_OWA_ENABLED);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas String strAttributeName = SystemProperties.get(SHAREPOINT_LOGIN_ATTR_NAME);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas // Set OWA Auth Cookie
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major for (String domain : AuthUtils.getCookieDomainsForRequest(request)) {
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas owaAuthCookie = CookieUtils.newCookie(OWA_AUTH_COOKIE, OWA_AUTH_COOKIE_VALUE, "/", domain);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas CookieUtils.addCookieToResponse(response, owaAuthCookie);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas if (strAttributeName != null && !strAttributeName.trim().equals("")) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMIdentity amIdentityUser = IdUtils.getIdentity(ssoToken);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas String strAttributeValue = Misc.getMapAttr(attrMap, strAttributeName, null);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas ssoToken.setProperty(SHAREPOINT_LOGIN_ATTR_VALUE, strAttributeValue);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.message("ReplayPasswd.onLoginSuccess: " + strAttributeName + "=" + strAttributeValue);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.message("ReplayPasswd.onLoginSuccess: Replay password concluded successfully");
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.error("ReplayPasswd.onLoginSuccess: IOException while fetching user attributes: " + ire);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.error("ReplayPasswd.onLoginSuccess: NoSuchAlgorithmException"
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas + " while setting session password property: " + noe);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.error("ReplayPasswd.onLoginSuccess: InvalidKeyException "
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas + "while setting session password property: " + ike);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.error("ReplayPasswd.onLoginSuccess:IllegalBlockSizeException"
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas + " while setting session password property: " + ibe);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.error("ReplayPasswd.onLoginSuccess: NoSuchPaddingException "
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas + "while setting session password property: " + npe);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.error("ReplayPasswd.onLoginSuccess: BadPaddingException "
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas + "while setting session password property: " + bpe);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.error("ReplayPasswd.onLoginSuccess: SSOException while setting session password property: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Post processing on failed authentication.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param requestParamsMap contains HttpServletRequest parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param req HttpServlet request
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param res HttpServlet response
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthenticationException if there is an error
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void onLoginFailure(Map requestParamsMap,
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas HttpServletResponse res) throws AuthenticationException {
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.message("ReplayPasswd.onLoginFailure: called");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Post processing on Logout.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param req HttpServlet request
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param res HttpServlet response
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param ssoToken user's session
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AuthenticationException if there is an error
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas SSOToken ssoToken) throws AuthenticationException {
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.message("ReplayPasswd.onLogout called");
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * Encrypts the provided password.
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * @param userpasswd the password
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * @return the encrypted password
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * @throws NoSuchAlgorithmException
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * @throws NoSuchPaddingException
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * @throws InvalidKeyException
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * @throws IllegalBlockSizeException
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * @throws BadPaddingException
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas * @throws SSOException
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas private String encryptPassword(String userpasswd) throws NoSuchAlgorithmException, NoSuchPaddingException,
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas InvalidKeyException, IllegalBlockSizeException, BadPaddingException, SSOException {
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas String deskeystr = SystemProperties.get(REPLAY_PASSWORD_KEY);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas debug.message("ReplayPasswd.encodePassword: cannot encode password, Replay PaswordKey is empty");
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas SecretKeySpec keySpec = new SecretKeySpec(desKey, "DES");
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas Cipher cipher = Cipher.getInstance(CIPHER_INSTANCE_NAME);
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas // The array size must be a multiply of 8 (DES block size)
2b334f0952c10d0c75270724be759748dd3323afJon Jonthomas int length = userpasswd.length() + (8 - userpasswd.length() % 8);