Examples with TokenRestriction com.iplanet.dpro.session.TokenRestriction used on opensource projects
Example 1 with TokenRestriction
use of com.iplanet.dpro.session.TokenRestriction in project OpenAM by OpenRock.
the class CDCServlet method redirectWithAuthNResponse.
/**
* Constructs the Liberty AuthNResponse with Restricted SSOToken
* and redirects the user to the requested resouce
*/
private void redirectWithAuthNResponse(HttpServletRequest request, HttpServletResponse response, SSOToken token) throws ServletException, IOException {
String gotoURL = getRedirectURL(request, response);
if (debug.messageEnabled()) {
debug.message("CDCServlet.redirectWithAuthNResponse: gotoURL = " + gotoURL);
}
if (debug.messageEnabled()) {
debug.message("CDCServlet.redirectWithAuthNResponse: After encoding: gotoURL = " + gotoURL);
}
if (gotoURL != null) {
try {
String inResponseTo = request.getParameter(REQUEST_ID);
String spDescriptor = request.getParameter(PROVIDER_ID);
String resTokenID = null;
/**
* validateAndGetRestriction throws an exception if an agent
* profile with provider id and goto url is not present
*/
TokenRestriction tokenRes = spValidator.validateAndGetRestriction(FSAuthnRequest.parseURLEncodedRequest(request), gotoURL);
if (uniqueCookieEnabled) {
resTokenID = sessionService.getRestrictedTokenId(token.getTokenID().toString(), tokenRes);
} else {
resTokenID = token.getTokenID().toString();
}
FSAssertion assertion = createAssertion(spDescriptor, SELF_PROVIDER_ID, resTokenID, token.getAuthType(), token.getProperty("authInstant"), token.getPrincipal().getName(), inResponseTo);
String relayState = request.getParameter(RELAY_STATE);
Status status = new Status(new StatusCode(IFSConstants.STATUS_CODE_SUCCESS));
FSAuthnResponse authnResponse = createAuthnResponse(SELF_PROVIDER_ID, responseID, inResponseTo, status, assertion, relayState);
sendAuthnResponse(request, response, authnResponse, gotoURL);
} catch (SAMLException se) {
debug.error("CDCServlet.doGetPost", se);
showError(response);
} catch (FSMsgException fe) {
debug.error("CDCServlet.doGetPost", fe);
showError(response);
} catch (FSException fse) {
debug.error("CDCServlet.doGetPost", fse);
showError(response);
} catch (SessionException e) {
debug.error("CDCServlet.doGetPost", e);
} catch (SSOException ssoe) {
debug.error("CDCServlet.doGetPost", ssoe);
} catch (Exception e) {
debug.error("CDCServlet.doGetPost", e);
spValidator = new LdapSPValidator();
showError(response, FORBIDDEN_STR_MATCH);
}
}
}
Also used :
Status(com.sun.identity.saml.protocol.Status)
FSMsgException(com.sun.identity.federation.message.common.FSMsgException)
TokenRestriction(com.iplanet.dpro.session.TokenRestriction)
SessionException(com.iplanet.dpro.session.SessionException)
SSOException(com.iplanet.sso.SSOException)
StatusCode(com.sun.identity.saml.protocol.StatusCode)
SAMLException(com.sun.identity.saml.common.SAMLException)
ServletException(javax.servlet.ServletException)
ParseException(java.text.ParseException)
SSOException(com.iplanet.sso.SSOException)
FSMsgException(com.sun.identity.federation.message.common.FSMsgException)
SAMLException(com.sun.identity.saml.common.SAMLException)
FSException(com.sun.identity.federation.common.FSException)
IOException(java.io.IOException)
UnknownHostException(java.net.UnknownHostException)
SessionException(com.iplanet.dpro.session.SessionException)
FSAuthnResponse(com.sun.identity.federation.message.FSAuthnResponse)
FSAssertion(com.sun.identity.federation.message.FSAssertion)
FSException(com.sun.identity.federation.common.FSException)
Example 2 with TokenRestriction
use of com.iplanet.dpro.session.TokenRestriction in project OpenAM by OpenRock.
the class GetHttpSession method doGet.
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
if (!validateRequest(request)) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
String op = request.getParameter(OP);
if (op.equals(RECOVER_OP)) {
HttpSession httpSession = request.getSession(false);
if (httpSession != null) {
if (sessionDebug.messageEnabled()) {
sessionDebug.message("GetHttpSession.recover: Old HttpSession is obtained");
}
SessionID sid = new SessionID(request);
if (!sid.isNull()) {
sessionService.retrieveSession(sid, httpSession);
}
} else {
sessionDebug.error("GetHttpSession.recover: Old HttpSession is not obtained");
}
} else if (op.equals(SAVE_OP)) {
HttpSession httpSession = request.getSession(false);
if (httpSession != null) {
if (sessionDebug.messageEnabled()) {
sessionDebug.message("GetHttpSession.save: HttpSession is obtained");
}
SessionID sid = new SessionID(request);
if (!sid.isNull()) {
int status = sessionService.handleSaveSession(sid, httpSession);
response.setStatus(status);
}
} else {
sessionDebug.error("GetHttpSession.save: HttpSession is not obtained");
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
}
} else if (op.equals(CREATE_OP)) {
HttpSession httpSession = request.getSession(true);
String domain = request.getParameter(DOMAIN);
InternalSession is = sessionService.newInternalSession(domain, httpSession, false);
if (sessionDebug.messageEnabled()) {
sessionDebug.message("GetHttpSession.create: Created new session=" + is.getID());
}
DataOutputStream out = new DataOutputStream(response.getOutputStream());
out.writeUTF(is.getID().toString());
out.flush();
out.close();
} else if (op.equals(INVALIDATE_OP)) {
HttpSession httpSession = request.getSession(false);
if (httpSession != null) {
if (sessionDebug.messageEnabled()) {
sessionDebug.message("GetHttpSession.invalidate: HttpSession is obtained");
}
try {
httpSession.invalidate();
} catch (IllegalStateException ise) {
if (sessionDebug.messageEnabled()) {
sessionDebug.message("Exception:invalidateSession: the web containers session timeout could be " + "shorter than the OpenSSO session timeout", ise);
}
}
} else {
if (sessionDebug.warningEnabled()) {
sessionDebug.warning("GetHttpSession.invalidate: session is not obtained");
}
}
} else if (op.equals(RELEASE_OP)) {
SessionID sid = new SessionID(request);
if (!sid.isNull()) {
if (sessionDebug.messageEnabled()) {
sessionDebug.message("GetHttpSession.release: releasing session=" + sid);
}
int status = sessionService.handleReleaseSession(sid);
response.setStatus(status);
} else {
if (sessionDebug.messageEnabled()) {
sessionDebug.message("GetHttpSession.release: missing session id");
}
}
} else if (op.equals(GET_RESTRICTED_TOKEN_OP)) {
DataInputStream in = null;
DataOutputStream out = null;
SessionID sid = new SessionID(request);
try {
in = new DataInputStream(request.getInputStream());
TokenRestriction restriction = TokenRestrictionFactory.unmarshal(in.readUTF());
String token = sessionService.handleGetRestrictedTokenIdRemotely(sid, restriction);
if (token != null) {
if (sessionDebug.messageEnabled()) {
sessionDebug.message("GetHttpSession.get_restricted_token: Created new session=" + token);
}
response.setStatus(HttpServletResponse.SC_OK);
out = new DataOutputStream(response.getOutputStream());
out.writeUTF(token);
out.flush();
} else {
sessionDebug.error("GetHttpSession.get_restricted_token: failed to create token");
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
}
} catch (Exception ex) {
sessionDebug.error("GetHttpSession.get_restricted_token: exception occured while create token", ex);
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
} finally {
IOUtils.closeIfNotNull(in);
IOUtils.closeIfNotNull(out);
}
} else if (op.equals(DEREFERENCE_RESTRICTED_TOKEN_ID)) {
DataInputStream in = null;
DataOutputStream out = null;
String cookieValue = CookieUtils.getCookieValueFromReq(request, CookieUtils.getAmCookieName());
if ((cookieValue != null) && (cookieValue.indexOf("%") != -1)) {
cookieValue = URLEncDec.decode(cookieValue);
}
SessionID sid = new SessionID(cookieValue);
try {
in = new DataInputStream(request.getInputStream());
String restrictedID = in.readUTF();
try {
String masterSID = sessionService.deferenceRestrictedID(sessionCache.getSession(sid), restrictedID);
response.setStatus(HttpServletResponse.SC_OK);
out = new DataOutputStream(response.getOutputStream());
out.writeUTF(masterSID);
out.flush();
if (sessionDebug.messageEnabled()) {
sessionDebug.message("GetHttpSession.dereference_restricted_token_id: master sid=" + masterSID);
}
} catch (SessionException se) {
sessionDebug.message("GetHttpSession.dereference_restricted_token_id: unable to find master sid", se);
response.setStatus(HttpServletResponse.SC_OK);
out = new DataOutputStream(response.getOutputStream());
out.writeUTF("ERROR");
out.flush();
}
} catch (Exception ex) {
sessionDebug.error("GetHttpSession.dereference_restricted_token_id: exception occured while finding master sid", ex);
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
} finally {
IOUtils.closeIfNotNull(in);
IOUtils.closeIfNotNull(out);
}
} else {
sessionDebug.error("GetHttpSession: unknown operation requested");
response.setStatus(HttpServletResponse.SC_NOT_IMPLEMENTED);
}
}
Also used :
TokenRestriction(com.iplanet.dpro.session.TokenRestriction)
HttpSession(javax.servlet.http.HttpSession)
DataOutputStream(java.io.DataOutputStream)
SessionException(com.iplanet.dpro.session.SessionException)
DataInputStream(java.io.DataInputStream)
SessionID(com.iplanet.dpro.session.SessionID)
IOException(java.io.IOException)
SessionException(com.iplanet.dpro.session.SessionException)
Example 3 with TokenRestriction
use of com.iplanet.dpro.session.TokenRestriction in project OpenAM by OpenRock.
the class InternalSession method setRestrictedTokensBySid.
/**
* This setter method is used by the JSON serialization mechanism and should not be used for other purposes.
*
* @param restrictedTokensBySid The deserialized map of sid<->restricted tokens that should be stored in a
* ConcurrentHashMap.
*/
@JsonSetter
private void setRestrictedTokensBySid(ConcurrentMap<SessionID, TokenRestriction> restrictedTokensBySid) {
for (Map.Entry<SessionID, TokenRestriction> entry : restrictedTokensBySid.entrySet()) {
SessionID sid = entry.getKey();
TokenRestriction restriction = entry.getValue();
this.restrictedTokensBySid.put(sid, restriction);
this.restrictedTokensByRestriction.put(restriction, sid);
}
}
Also used :
TokenRestriction(com.iplanet.dpro.session.TokenRestriction)
HashMap(java.util.HashMap)
ConcurrentMap(java.util.concurrent.ConcurrentMap)
Map(java.util.Map)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
SessionID(com.iplanet.dpro.session.SessionID)
JsonSetter(com.fasterxml.jackson.annotation.JsonSetter)
Example 4 with TokenRestriction
use of com.iplanet.dpro.session.TokenRestriction in project OpenAM by OpenRock.
the class SessionInfoFactory method makeSessionInfo.
/**
* Generates a SessionInfo object from the given InternalSession.
*
* @param internalSession Non null InternalSession to use.
* @param sid Session ID for the user performing the action.
* @return A non null SessionInfo instance if valid.
*
* @throws SessionException If there was an error storing the TokenRestriction on the SessionInfo.
*
* @throws IllegalAccessException If this method has not been called in-conjunction with
* SessionInfoFactory#validateSession
*/
public SessionInfo makeSessionInfo(InternalSession internalSession, SessionID sid) throws SessionException {
SessionInfo info = internalSession.toSessionInfo();
TokenRestriction restriction = internalSession.getRestrictionForToken(sid);
if (restriction != null) {
try {
info.getProperties().put(TOKEN_RESTRICTION_PROP, TokenRestrictionFactory.marshal(restriction));
} catch (Exception e) {
throw new SessionException(e);
}
} else if (!sid.equals(internalSession.getID())) {
throw new IllegalArgumentException("Session id mismatch");
}
// replace master sid with the sid from the request (either master or
// restricted) in order not to leak the master sid
info.setSessionID(sid.toString());
return info;
}
Also used :
TokenRestriction(com.iplanet.dpro.session.TokenRestriction)
SessionInfo(com.iplanet.dpro.session.share.SessionInfo)
SessionException(com.iplanet.dpro.session.SessionException)
SessionTimedOutException(com.iplanet.dpro.session.SessionTimedOutException)
SessionException(com.iplanet.dpro.session.SessionException)
Example 5 with TokenRestriction
use of com.iplanet.dpro.session.TokenRestriction in project OpenAM by OpenRock.
the class SessionCache method getSession.
/**
* This function will get a session based on the session id. It will allow invalid sessions to be returned,
* and allow the caller to specify whether the session can be updated (and therefore have the idle time
* refreshed).
*
* @param sessionID The Session id.
* @param allowInvalidSessions If true, allow invalid Sessions to be returned.
* @param possiblyResetIdleTime If true, the idle time of the session can be reset, if false, it is never reset.
* @return A session object.
* @throws SessionException If the Session ID object does not contain a
* valid session string, or the session string was valid before
* but has been destroyed, or there was an error during
* communication with session service.
*/
public Session getSession(SessionID sessionID, boolean allowInvalidSessions, boolean possiblyResetIdleTime) throws SessionException {
if (sessionID.toString() == null || sessionID.toString().length() == 0) {
throw new SessionException(SessionBundle.rbName, "invalidSessionID", null);
}
Session session = readSession(sessionID);
if (session != null) {
/**
* Reduced crosstalk protection.
*
* When a user logs out, or the Session is destroyed and crosstalk is reduced, it is possible
* for a destroyed session to be recovered by accessing it on a remote server. Instead the
* session will be left in the {@link #sessionTable} until it is purged. This check will
* detect this condition and indicate to the caller their SessionID is invalid.
*/
if (session.getState(false) == DESTROYED && getPurgeDelayForReducedCrosstalk() > 0) {
throw new SessionException("Session is in a destroyed state");
}
TokenRestriction restriction = session.getRestriction();
try {
if (SystemProperties.isServerMode()) {
if ((restriction != null) && !restriction.isSatisfied(RestrictedTokenContext.getCurrent())) {
throw new SessionException(SessionBundle.rbName, "restrictionViolation", null);
}
}
} catch (Exception e) {
throw new SessionException(e);
}
if (!sessionPollerPool.getCacheBasedPolling() && session.maxCachingTimeReached()) {
session.refresh(false);
}
return session;
}
session = new Session(sessionID);
if (!allowInvalidSessions) {
session.refresh(possiblyResetIdleTime);
}
session.setContext(RestrictedTokenContext.getCurrent());
writeSession(session);
if (!sessionPollerPool.isPollingEnabled()) {
session.addInternalSessionListener();
}
return session;
}
Also used :
TokenRestriction(com.iplanet.dpro.session.TokenRestriction)
SessionException(com.iplanet.dpro.session.SessionException)
SessionException(com.iplanet.dpro.session.SessionException)
Session(com.iplanet.dpro.session.Session)
Aggregations
TokenRestriction (com.iplanet.dpro.session.TokenRestriction)6
SessionException (com.iplanet.dpro.session.SessionException)4
SessionID (com.iplanet.dpro.session.SessionID)3
IOException (java.io.IOException)2
JsonSetter (com.fasterxml.jackson.annotation.JsonSetter)1
DNOrIPAddressListTokenRestriction (com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction)1
Session (com.iplanet.dpro.session.Session)1
SessionTimedOutException (com.iplanet.dpro.session.SessionTimedOutException)1
InternalSession (com.iplanet.dpro.session.service.InternalSession)1
SessionInfo (com.iplanet.dpro.session.share.SessionInfo)1
SSOException (com.iplanet.sso.SSOException)1
FSException (com.sun.identity.federation.common.FSException)1
FSAssertion (com.sun.identity.federation.message.FSAssertion)1
FSAuthnResponse (com.sun.identity.federation.message.FSAuthnResponse)1
FSMsgException (com.sun.identity.federation.message.common.FSMsgException)1
SAMLException (com.sun.identity.saml.common.SAMLException)1
Status (com.sun.identity.saml.protocol.Status)1
StatusCode (com.sun.identity.saml.protocol.StatusCode)1
DataInputStream (java.io.DataInputStream)1
DataOutputStream (java.io.DataOutputStream)1
