router-authz.js revision 0589fafd98a08996e07c547cf9af82808c323135
039cd2c4871a00e51af909222a34695d9cec3000vboxsync/*! @license
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * Copyright © 2011-2012 ForgeRock AS. All rights reserved.
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * The contents of this file are subject to the terms
e64031e20c39650a7bc902a3e1aba613b9415deevboxsync * of the Common Development and Distribution License
a16eb14ad7a4b5ef91ddc22d3e8e92d930f736fcvboxsync * (the License). You may not use this file except in
a16eb14ad7a4b5ef91ddc22d3e8e92d930f736fcvboxsync * compliance with the License.
a16eb14ad7a4b5ef91ddc22d3e8e92d930f736fcvboxsync * You can obtain a copy of the License at
a16eb14ad7a4b5ef91ddc22d3e8e92d930f736fcvboxsync * See the License for the specific language governing
a16eb14ad7a4b5ef91ddc22d3e8e92d930f736fcvboxsync * permission and limitations under the License.
a16eb14ad7a4b5ef91ddc22d3e8e92d930f736fcvboxsync * When distributing Covered Code, include this CDDL
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * Header Notice in each file and include the License file
27537ffef7291d0bb3a24e459a6b94c65586defevboxsync * If applicable, add the following below the CDDL Header,
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * with the fields enclosed by brackets [] replaced by
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * your own identifying information:
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * "Portions Copyrighted [year] [name of copyright owner]"
3f8fa562bb916e87b0beff9ec2a4e241c643dcc8vboxsync * This script is called from the router "onRequest" trigger, to enforce a central
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * set of authorization rules.
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * This default implementation simply restricts requests via HTTP to users that are assigned
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * the "openidm-admin" role, and optionally to those that authenticate with TLS mutual
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * authentication (assigned the "openidm-cert" role).
dc23707aec4dc2ce2c6b6f51af21eef72bb8bf2evboxsync// If true, HTTP requests from users holding the "openidm-cert" role are also allowed (default: off).
dc23707aec4dc2ce2c6b6f51af21eef72bb8bf2evboxsyncconst allowCert = false;
32ded45b3caba42c8a2315a20bbfabb513fa54c1vboxsyncfunction contains(a, o) {
1032ee3ece58eb60a4d3fb08ff5be8b848eb98bbvboxsync if (typeof(a) != 'undefined' && a != null) {
ab9c7333d588df5d6959a3b2c96c60321d26c4b0vboxsync if (a[i] === o) {
af1bd0025dd5d8be5f1468689d0d77d4839a3be5vboxsync return true;
ab9c7333d588df5d6959a3b2c96c60321d26c4b0vboxsync return false;
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * Public methods are accessible to the anonymous user. They are used
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * during the registration and forgotten-password processes, so every query name
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * added to the public list below becomes reachable without authentication.
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * NOTE(review): the path test below uses match('^/openidm/managed/user'), which is a
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * prefix match with no trailing anchor, so longer paths starting with that prefix also
039cd2c4871a00e51af909222a34695d9cec3000vboxsync * pass it -- confirm that is intended.
039cd2c4871a00e51af909222a34695d9cec3000vboxsync logger.debug("request.parent.path = {}", request.parent.path);
e001cafceea8efd540f21109f6ab293f744ebb0bvboxsync logger.debug("request.parent.method = {}", request.parent.method);
ab9c7333d588df5d6959a3b2c96c60321d26c4b0vboxsync if (request.parent.path.match('^/openidm/managed/user') == '/openidm/managed/user') {
53ed059bdb30c2b20a3f329602bb715d75ab7d56vboxsync logger.debug("This is GET request. Selected allowed only. Checking queries.");
9e57274211125689926b35d1916c0c5c82b33670vboxsync var publicQueries = ['check-userName-availability','for-security-answer','for-credentials', 'get-security-question', 'set-newPassword-for-userName-and-security-answer'];
c4fd771ce163c73d7ac90e267e84de29314f5e97vboxsync if (queryName && (publicQueries.indexOf(queryName) > -1)) {
c4fd771ce163c73d7ac90e267e84de29314f5e97vboxsync logger.debug("Query {} found in the list", queryName);
c4fd771ce163c73d7ac90e267e84de29314f5e97vboxsync return true;
c4fd771ce163c73d7ac90e267e84de29314f5e97vboxsync logger.debug("Query {} hasn't been found in a query", queryName);
c4fd771ce163c73d7ac90e267e84de29314f5e97vboxsync return false;
c4fd771ce163c73d7ac90e267e84de29314f5e97vboxsync return true;
c4fd771ce163c73d7ac90e267e84de29314f5e97vboxsync logger.debug("Anonymous POST and DELETE methods are not allowed");
8a0ee4ffcd453884e357b4d5984ae3b7146abb6fvboxsync logger.debug("Anonymous access not allowed for resources other than user");
8a0ee4ffcd453884e357b4d5984ae3b7146abb6fvboxsync return false;
return request.value && request.params && request.params['_action'] && request.params['_action'] == actionName;
function allow() {
return isPublicMethodInvocation();
if (!allow()) {