admincheck.jsp revision 47865bca6b632be56381a140939bdd446eec4514
<%--

 DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

 Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

 The contents of this file are subject to the terms
 of the Common Development and Distribution License
 (the License). You may not use this file except in
 compliance with the License.

 You can obtain a copy of the License at
 https://opensso.dev.java.net/public/CDDLv1.0.html or
 opensso/legal/CDDLv1.0.txt
 See the License for the specific language governing
 permission and limitations under the License.

 When distributing Covered Code, include this CDDL
 Header Notice in each file and include the License file
 at opensso/legal/CDDLv1.0.txt.
 If applicable, add the following below the CDDL Header,
 with the fields enclosed by brackets [] replaced by
 your own identifying information:
 "Portions Copyrighted [year] [name of copyright owner]"


 Portions copyright 2014 ForgeRock AS.
--%>
0N/A
0N/A<%@ page import="com.iplanet.am.util.SystemProperties" %>
0N/A<%@ page import="com.iplanet.sso.SSOException" %>
0N/A<%@ page import="com.iplanet.sso.SSOToken" %>
0N/A<%@ page import="com.iplanet.sso.SSOTokenManager" %>
0N/A<%@ page import="com.sun.identity.common.DNUtils" %>
0N/A<%@ page import="com.sun.identity.idm.AMIdentity" %>
0N/A<%@ page import="com.sun.identity.idm.IdRepoException" %>
0N/A<%@ page import="com.sun.identity.idm.IdType" %>
0N/A<%@ page import="com.sun.identity.idm.IdUtils" %>
0N/A<%@ page import="com.sun.identity.shared.debug.Debug" %>
0N/A<%@ page import="com.sun.identity.shared.encode.Hash" %>
0N/A<%@ page import="com.sun.identity.shared.ldap.util.DN" %>
0N/A<%@ page import="com.sun.identity.sm.SMSEntry" %>
0N/A<%@ page import="javax.servlet.http.HttpServletRequest" %>
0N/A<%@ page import="java.io.IOException" %>
0N/A<%@ page import="java.util.ResourceBundle" %>
0N/A<%@ page import="java.text.MessageFormat" %>
0N/A
0N/A<%!
/**
 * Resolves the caller's SSOToken and verifies that it belongs to the configured super user.
 *
 * Outcomes:
 * <ul>
 *   <li>Valid session for the super user: the SSOToken is returned.</li>
 *   <li>Valid session for any other user: the localized "no.permission" text is written to
 *       {@code out} and {@code null} is returned.</li>
 *   <li>No valid session (SSOException): the client is redirected to the login page with a
 *       {@code goto} back to {@code currentPageUrl}, and {@code null} is returned.</li>
 *   <li>Session whose identity cannot be resolved (IdRepoException): the localized
 *       "invalid.uid" text, pointing at a logout URL, is written to {@code out} and
 *       {@code null} is returned.</li>
 * </ul>
 *
 * The super user is identified either by DN (normalized comparison against the session
 * principal) or by AMIdentity equality; matching either is sufficient.
 *
 * NOTE(review): {@code currentPageUrl} is concatenated unescaped into the {@code goto}
 * redirect target; this assumes the including page passes a fixed path, never a value
 * derived from request data - confirm at each call site.
 *
 * @param request The HTTP request carrying the session.
 * @param response The HTTP response, used for the login redirect.
 * @param out The JspWriter that receives the denial / invalid-identity text.
 * @param currentPageUrl Path of the including JSP page, relative to the AM root.
 * @return The super user's SSOToken, or {@code null} in every other case.
 * @throws IOException If writing to {@code out} or sending the redirect fails.
 */
public SSOToken requireAdminSSOToken(HttpServletRequest request,
                                     HttpServletResponse response,
                                     JspWriter out,
                                     String currentPageUrl) throws IOException {

    try {
        // Session lookup and validation; either step may throw SSOException.
        SSOTokenManager tokenManager = SSOTokenManager.getInstance();
        SSOToken token = tokenManager.createSSOToken(request);
        tokenManager.validateToken(token);
        AMIdentity caller = new AMIdentity(token);

        // Super user as configured in system properties; absent means nobody can match.
        String superUser = SystemProperties.get("com.sun.identity.authentication.super.user");
        String superUserDN = "";
        AMIdentity superUserIdentity = null;
        if (superUser != null) {
            superUserDN = DNUtils.normalizeDN(superUser);
            superUserIdentity = new AMIdentity(token, superUser, IdType.USER, "/", null);
        }

        // DN match is checked first; identity equality is only consulted when the DN differs.
        String callerDN = DNUtils.normalizeDN(token.getPrincipal().getName());
        boolean isSuperUser = superUserDN.equals(callerDN) || caller.equals(superUserIdentity);
        if (isSuperUser) {
            return token;
        }

        // Authenticated but not authorized: emit the localized denial text, no token.
        out.println(ResourceBundle.getBundle("encode", request.getLocale()).getString("no.permission"));
        return null;
    } catch (SSOException e) {
        // No usable session: send the client to login and have it return here afterwards.
        response.sendRedirect("UI/Login?goto=../" + currentPageUrl);
        return null;
    } catch (IdRepoException e) {
        // The session's universal identifier cannot be resolved; offer a logout link back here.
        String template = ResourceBundle.getBundle("encode", request.getLocale()).getString("invalid.uid");
        out.println(MessageFormat.format(template, "UI/Logout?goto=../" + currentPageUrl));
        return null;
    }
}
%>