a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley<%--
c13db274f7cbd60646d307c9e1fdf59056d80becTinderbox User
74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
e8555412f186ad05a064591bcb25c2f7d7395756Mark Andrews
e8555412f186ad05a064591bcb25c2f7d7395756Mark Andrews Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
e8555412f186ad05a064591bcb25c2f7d7395756Mark Andrews
74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews The contents of this file are subject to the terms
e8555412f186ad05a064591bcb25c2f7d7395756Mark Andrews of the Common Development and Distribution License
74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews (the License). You may not use this file except in
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley compliance with the License.
92b796c963e7ba0217debfa27a0709f94934f5d5Mark Andrews
682d0209e8a67d53594fb524b5d9ae4141bcc9b2Evan Hunt You can obtain a copy of the License at
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý https://opensso.dev.java.net/public/CDDLv1.0.html or
5506903c9215faf42586307c2288942fd804c579Evan Hunt opensso/legal/CDDLv1.0.txt
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley See the License for the specific language governing
b123b265e3a3d9b72a14230b6517e0f6fdb5c5b5Mark Andrews permission and limitations under the License.
5506903c9215faf42586307c2288942fd804c579Evan Hunt
5506903c9215faf42586307c2288942fd804c579Evan Hunt When distributing Covered Code, include this CDDL
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley Header Notice in each file and include the License file
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley at opensso/legal/CDDLv1.0.txt.
5506903c9215faf42586307c2288942fd804c579Evan Hunt If applicable, add the following below the CDDL Header,
5506903c9215faf42586307c2288942fd804c579Evan Hunt with the fields enclosed by brackets [] replaced by
5506903c9215faf42586307c2288942fd804c579Evan Hunt your own identifying information:
30c76944175c52f947d268329ff815aadeea6306Mark Andrews "Portions Copyrighted [year] [name of copyright owner]"
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews
5506903c9215faf42586307c2288942fd804c579Evan Hunt Portions copyright 2014-2015 ForgeRock AS.
30c76944175c52f947d268329ff815aadeea6306Mark Andrews--%>
30c76944175c52f947d268329ff815aadeea6306Mark Andrews
5506903c9215faf42586307c2288942fd804c579Evan Hunt<%@ page import="com.iplanet.am.util.SystemProperties" %>
74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews<%@ page import="com.iplanet.sso.SSOException" %>
74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews<%@ page import="com.iplanet.sso.SSOToken" %>
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews<%@ page import="com.iplanet.sso.SSOTokenManager" %>
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews<%@ page import="com.sun.identity.common.DNUtils" %>
5506903c9215faf42586307c2288942fd804c579Evan Hunt<%@ page import="com.sun.identity.idm.AMIdentity" %>
5506903c9215faf42586307c2288942fd804c579Evan Hunt<%@ page import="com.sun.identity.idm.IdRepoException" %>
5506903c9215faf42586307c2288942fd804c579Evan Hunt<%@ page import="com.sun.identity.idm.IdType" %>
5506903c9215faf42586307c2288942fd804c579Evan Hunt<%@ page import="javax.servlet.http.HttpServletRequest" %>
5506903c9215faf42586307c2288942fd804c579Evan Hunt<%@ page import="java.io.IOException" %>
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews<%@ page import="java.util.ResourceBundle" %>
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews<%@ page import="java.text.MessageFormat" %>
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews<%!
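/**
 * Ensures that the provided request carries an SSOToken belonging to the configured
 * super user ({@code com.sun.identity.authentication.super.user}).
 *
 * <ul>
 *   <li>Valid token for the super user: the token is returned.</li>
 *   <li>Valid token for any other principal: the "no.permission" message is written to
 *       {@code out}, the response status is set to 403 and {@code null} is returned.</li>
 *   <li>No valid token ({@link SSOException} from token creation or validation): the client
 *       is redirected to the login page with a {@code goto} back to {@code currentPageUrl}
 *       and {@code null} is returned.</li>
 *   <li>Token whose universal identifier cannot be resolved ({@link IdRepoException}):
 *       the "invalid.uid" message containing a logout link is written to {@code out} and
 *       {@code null} is returned.</li>
 * </ul>
 *
 * Callers MUST stop rendering as soon as this method returns {@code null}: writing the
 * denial message or sending the redirect does not by itself abort the including page.
 * {@code currentPageUrl} is interpolated into a redirect target and into the error message,
 * so it must be a fixed page path supplied by the including JSP, never a request parameter.
 *
 * @param request The HTTP request.
 * @param response The HTTP response (used for the login redirect and the 403 status).
 * @param out The JspWriter used to inform the HTTP client that they are unauthorized to view this page.
 * @param currentPageUrl The path of the JSP page in which this file has been included, relative to AM root.
 * @return The SSOToken of the current user if it belongs to the super user, otherwise {@code null}.
 * @throws IOException If writing to {@code out} or sending the redirect fails.
 */
public SSOToken requireAdminSSOToken(HttpServletRequest request,
                                     HttpServletResponse response,
                                     JspWriter out,
                                     String currentPageUrl) throws IOException {

    SSOToken ssoToken;

    try {
        // Resolve and validate the caller's session. validateToken throws SSOException for a
        // missing or invalid token, which the catch below turns into a login redirect.
        SSOTokenManager manager = SSOTokenManager.getInstance();
        ssoToken = manager.createSSOToken(request);
        manager.validateToken(ssoToken);
        AMIdentity user = new AMIdentity(ssoToken);

        // Resolve the configured super user. If the property is unset, adminUserDN stays ""
        // and adminUserId stays null, so the comparison below denies the caller (fail closed)
        // instead of granting access. adminUserDN is assumed non-null after normalizeDN; a
        // null would surface as an NPE (and hence an error page), never as a grant.
        String adminUserDN = "";
        AMIdentity adminUserId = null;
        String adminUser = SystemProperties.get("com.sun.identity.authentication.super.user");
        if (adminUser != null) {
            adminUserDN = DNUtils.normalizeDN(adminUser);
            adminUserId = new AMIdentity(ssoToken, adminUser, IdType.USER, "/", null);
        }

        // The caller is the super user if EITHER the normalized principal DN matches the
        // configured DN OR the resolved identities are equal; deny only when both fail.
        // The identity comparison is short-circuited exactly as before (only evaluated
        // when the DN comparison fails).
        boolean dnMatches = adminUserDN.equals(DNUtils.normalizeDN(ssoToken.getPrincipal().getName()));
        if (!dnMatches && !user.equals(adminUserId)) {
            // Mark the denial with a 403 so clients, proxies and monitoring do not see the
            // denial page as a successful 200. setStatus (rather than sendError) is used so an
            // already-committed response does not raise IllegalStateException here.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println(ResourceBundle.getBundle("encode", request.getLocale()).getString("no.permission"));
            ssoToken = null;
        }

    } catch (SSOException e) {
        // No usable session: force the user to authenticate, then return to this page.
        response.sendRedirect("UI/Login?goto=../" + currentPageUrl);
        ssoToken = null;

    } catch (IdRepoException e) {
        // The session validated but its universal identifier cannot be resolved to an
        // identity; tell the user and offer a logout link that returns here afterwards.
        String errorMsgTemplate = ResourceBundle.getBundle("encode", request.getLocale()).getString("invalid.uid");
        out.println(MessageFormat.format(errorMsgTemplate, "UI/Logout?goto=../" + currentPageUrl));
        ssoToken = null;
    }

    return ssoToken;
}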
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews
5506903c9215faf42586307c2288942fd804c579Evan Hunt%>
5506903c9215faf42586307c2288942fd804c579Evan Hunt
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews