DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.
You can obtain a copy of the License at
https://opensso.dev.java.net/public/CDDLv1.0.html or
See the License for the specific language governing
permission and limitations under the License.
When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"
Portions copyright 2014 ForgeRock AS.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<%@ page import="com.iplanet.am.util.SystemProperties" %>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<%@ page import="com.iplanet.sso.SSOException" %>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<%@ page import="com.iplanet.sso.SSOToken" %>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<%@ page import="com.iplanet.sso.SSOTokenManager" %>
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews<%@ page import="com.sun.identity.common.DNUtils" %>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<%@ page import="com.sun.identity.idm.AMIdentity" %>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<%@ page import="com.sun.identity.idm.IdRepoException" %>
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews<%@ page import="com.sun.identity.idm.IdType" %>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<%@ page import="com.sun.identity.idm.IdUtils" %>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<%@ page import="com.sun.identity.shared.debug.Debug" %>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<%@ page import="com.sun.identity.shared.encode.Hash" %>
c069a20053d41ae299eb9457e50ea44ae9f73ed2Mark Andrews<%@ page import="com.sun.identity.shared.ldap.util.DN" %>
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews<%@ page import="com.sun.identity.sm.SMSEntry" %>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<%@ page import="javax.servlet.http.HttpServletRequest" %>
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews<%@ page import="java.io.IOException" %>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<%@ page import="java.util.ResourceBundle" %>
3f6174bffe227be44e241a29d186add00c032ff6Mark Andrews<%@ page import="java.text.MessageFormat" %>
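/**
 * Ensures that the provided request contains an SSOToken with super user privileges.
 * <p>
 * If the request contains an SSOToken with super user privileges, the SSOToken is
 * returned.
 * If the request contains an SSOToken without super user privileges, the HTTP client
 * is informed that they are not authorized to access this page and null is returned.
 * If the request does not contain an SSOToken, the HTTP client is redirected to the
 * login page with a follow on redirect back to the current page.
 * <p>
 * The check fails closed: when the property
 * {@code com.sun.identity.authentication.super.user} is not configured, no token is
 * ever returned.
 *
 * @param request The HTTP request.
 * @param response The HTTP response.
 * @param out The JspWriter used to inform the HTTP client that they are unauthorized to view this page.
 * @param currentPageUrl The path of the JSP page in which this file has been included, relative to AM root.
 *        This value is embedded in the {@code goto} redirect target, so it must be supplied by the
 *        including page itself and never taken from request parameters.
 * @return The SSOToken of the current user if they have one with super user privileges, otherwise null.
 * @throws IOException If attempting to write to out parameter fails.
 */
public SSOToken requireAdminSSOToken(HttpServletRequest request,
                                     HttpServletResponse response,
                                     JspWriter out,
                                     String currentPageUrl) throws IOException {
    try {
        // Obtain current user identity from ssoToken; createSSOToken throws SSOException
        // when the request carries no valid session.
        SSOTokenManager manager = SSOTokenManager.getInstance();
        SSOToken ssoToken = manager.createSSOToken(request);
        AMIdentity user = new AMIdentity(ssoToken);

        if (isSuperUser(ssoToken, user)) {
            return ssoToken;
        }
        // Authenticated but not the super user: tell the client and deny.
        out.println(ResourceBundle.getBundle("encode", request.getLocale()).getString("no.permission"));
        return null;
    } catch (SSOException e) {
        // The user does not have a session: force them to authenticate, then redirect back here.
        response.sendRedirect("UI/Login?goto=../" + currentPageUrl);
        return null;
    } catch (IdRepoException e) {
        // The SSOToken's universal identifier is invalid: ask the client to log out and come back.
        String errorMsgTemplate = ResourceBundle.getBundle("encode", request.getLocale()).getString("invalid.uid");
        out.println(MessageFormat.format(errorMsgTemplate, "UI/Logout?goto=../" + currentPageUrl));
        return null;
    }
}

/**
 * Reports whether the session principal is the configured super user.
 * <p>
 * A match is accepted either on the normalized DN of the session principal or on the
 * identity resolved from the token. When no super user is configured this returns
 * {@code false} so that the caller denies access.
 *
 * @param ssoToken The current user's session token.
 * @param user The identity resolved from {@code ssoToken}.
 * @return true if the current user is the super user, false otherwise.
 * @throws SSOException If the token's principal cannot be read.
 * @throws IdRepoException If the super user identity cannot be resolved.
 */
private boolean isSuperUser(SSOToken ssoToken, AMIdentity user) throws SSOException, IdRepoException {
    String adminUser = SystemProperties.get("com.sun.identity.authentication.super.user");
    if (adminUser == null) {
        // No super user configured: nobody can pass this check.
        return false;
    }
    String adminUserDN = DNUtils.normalizeDN(adminUser);
    AMIdentity adminUserId = new AMIdentity(ssoToken, adminUser, IdType.USER, "/", null);
    return adminUserDN.equals(DNUtils.normalizeDN(ssoToken.getPrincipal().getName()))
            || user.equals(adminUserId);
}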