Search in sources :

Example 1 with SessionInfo

use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.

the class SessionRequestHandler method processSessionRequest.

private SessionResponse processSessionRequest(PLLAuditor auditor, SessionRequest req, HttpServletRequest servletRequest, HttpServletResponse servletResponse) {
    SessionResponse res = new SessionResponse(req.getRequestID(), req.getMethodID());
    SessionID sid = new SessionID(req.getSessionID());
    Session requesterSession = null;
    try {
        /* common processing by groups of methods */
        switch(req.getMethodID()) {
            /*
             * in this group of methods the request is targeting either all
             * LOCAL sessions or a single local session identified by another
             * request parameter sid in this case is only used to authenticate
             * the operation Session pointed by sid is not expected to be local
             * to this server (although it might)
             */
            case SessionRequest.GetValidSessions:
            case SessionRequest.AddSessionListenerOnAllSessions:
            case SessionRequest.GetSessionCount:
                /*
                     * note that the purpose of the following is just to check the
                     * authentication of the caller (which can also be used as a
                     * filter for the operation scope!)
                     */
                requesterSession = sessionCache.getSession(sid);
                auditAccessAttempt(auditor, requesterSession);
                /*
                     * also check that sid is not a restricted token
                     */
                if (requesterSession.getProperty(TOKEN_RESTRICTION_PROP) != null) {
                    res.setException(sid + " " + SessionBundle.getString("noPrivilege"));
                    return res;
                }
                break;
            /*
             * In this group request is targeting a single session identified by
             * sid which is supposed to be hosted by this server instance sid is
             * used both as an id of a session and to authenticate the operation
             * (performed on own session)
             */
            case SessionRequest.GetSession:
            case SessionRequest.Logout:
            case SessionRequest.AddSessionListener:
            case SessionRequest.SetProperty:
            case SessionRequest.DestroySession:
                if (req.getMethodID() == SessionRequest.DestroySession) {
                    requesterSession = sessionCache.getSession(sid);
                    auditAccessAttempt(auditor, requesterSession);
                    /*
                         * also check that sid is not a restricted token
                         */
                    if (requesterSession.getProperty(TOKEN_RESTRICTION_PROP) != null) {
                        res.setException(sid + " " + SessionBundle.getString("noPrivilege"));
                        return res;
                    }
                    sid = new SessionID(req.getDestroySessionID());
                } else {
                    try {
                        auditAccessAttempt(auditor, sessionCache.getSession(sid));
                    } catch (SessionException ignored) {
                        // ignore, we'll log the access attempt without session properties
                        auditor.auditAccessAttempt();
                    }
                }
                if (req.getMethodID() == SessionRequest.SetProperty) {
                    /*
                         * This fix is to avoid clients sneaking in to set
                         * protected properties in server-2 or so through
                         * server-1. Short circuit this operation without
                         * forwarding it further.
                         */
                    try {
                        SessionUtils.checkPermissionToSetProperty(this.clientToken, req.getPropertyName(), req.getPropertyValue());
                    } catch (SessionException se) {
                        if (sessionDebug.warningEnabled()) {
                            sessionDebug.warning("SessionRequestHandler.processRequest:" + "Client does not have permission to set" + " - property key = " + req.getPropertyName() + " : property value = " + req.getPropertyValue());
                        }
                        res.setException(sid + " " + SessionBundle.getString("noPrivilege"));
                        return res;
                    }
                }
                if (!serviceConfig.isSessionFailoverEnabled()) {
                    // TODO check how this behaves in non-session failover case
                    URL originService = SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(sid);
                    if (!serverConfig.isLocalSessionService(originService)) {
                        if (!serverConfig.isSiteEnabled()) {
                            String siteID = sid.getExtension().getSiteID();
                            if (siteID != null) {
                                String primaryID = sid.getExtension().getPrimaryID();
                                String localServerID = serverConfig.getLocalServerID();
                                if ((primaryID != null) && (localServerID != null)) {
                                    if (primaryID.equals(localServerID)) {
                                        throw new SessionException("invalid session id");
                                    }
                                }
                            }
                        } else {
                            return forward(originService, req);
                        }
                    }
                } else {
                    if (serviceConfig.isUseInternalRequestRoutingEnabled()) {
                        // first try
                        String hostServerID = sessionService.getCurrentHostServer(sid);
                        if (!serverConfig.isLocalServer(hostServerID)) {
                            try {
                                return forward(SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(hostServerID), req);
                            } catch (SessionException se) {
                                // attempt retry
                                if (!sessionService.checkServerUp(hostServerID)) {
                                    // proceed with failover
                                    String retryHostServerID = sessionService.getCurrentHostServer(sid);
                                    if (retryHostServerID.equals(hostServerID)) {
                                        throw se;
                                    } else {
                                        // case
                                        if (!serverConfig.isLocalServer(retryHostServerID)) {
                                            return forward(SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(retryHostServerID), req);
                                        }
                                    }
                                } else {
                                    throw se;
                                }
                            }
                        }
                    } else {
                        // iplanet-am-session-sfo-enabled=true (in direct contradiction to SMS property with same name)
                        throw new AssertionError("Unreachable code");
                    }
                    /*
                     * if session is not already present locally attempt to
                     * recover session if in failover mode
                     */
                    if (!sessionService.isSessionPresent(sid)) {
                        if (sessionService.recoverSession(sid) == null) {
                            /*
                             * if not in failover mode or recovery was not
                             * successful return an exception
                             */
                            /*
                             * !!!!! IMPORTANT !!!!! DO NOT REMOVE "sid" FROM
                             * EXCEPTIONMESSAGE Logic kludge in legacy Agent 2.0
                             * code will break If it can not find SID value in
                             * the exception message returned by Session
                             * Service. This dependency should be eventually
                             * removed once we migrate customers to a newer
                             * agent code base or switch to a new version of
                             * Session Service interface
                             */
                            res.setException(sid + " " + SessionBundle.getString("sessionNotObtained"));
                            return res;
                        }
                    }
                }
                break;
            default:
                res.setException(sid + " " + SessionBundle.getString("unknownRequestMethod"));
                return res;
        }
        /*
             * request method-specific processing
             */
        switch(req.getMethodID()) {
            case SessionRequest.GetSession:
                res.addSessionInfo(sessionService.getSessionInfo(sid, req.getResetFlag()));
                break;
            case SessionRequest.GetValidSessions:
                String pattern = req.getPattern();
                List<SessionInfo> infos = null;
                int[] status = { 0 };
                infos = sessionService.getValidSessions(requesterSession, pattern, status);
                res.setStatus(status[0]);
                res.setSessionInfo(infos);
                break;
            case SessionRequest.DestroySession:
                sessionService.destroySession(requesterSession, new SessionID(req.getDestroySessionID()));
                break;
            case SessionRequest.Logout:
                sessionService.logout(sid);
                break;
            case SessionRequest.AddSessionListener:
                sessionService.addSessionListener(sid, req.getNotificationURL());
                break;
            case SessionRequest.AddSessionListenerOnAllSessions:
                /**
                     * Cookie Hijacking fix to disable adding of Notification
                     * Listener for ALL the sessions over the network to the server
                     * instance specified by Notification URL This property can be
                     * added and set in the AMConfig.properties file should there be
                     * a need to add Notification Listener to ALL the sessions. The
                     * default value of this property is FALSE
                     */
                if (getEnableAddListenerOnAllSessions()) {
                    sessionService.addSessionListenerOnAllSessions(requesterSession, req.getNotificationURL());
                }
                break;
            case SessionRequest.SetProperty:
                sessionService.setExternalProperty(this.clientToken, sid, req.getPropertyName(), req.getPropertyValue());
                break;
            case SessionRequest.GetSessionCount:
                String uuid = req.getUUID();
                Object sessions = SessionCount.getSessionsFromLocalServer(uuid);
                if (sessions != null) {
                    res.setSessionsForGivenUUID((Map) sessions);
                }
                break;
            default:
                res.setException(sid + " " + SessionBundle.getString("unknownRequestMethod"));
                break;
        }
    } catch (SessionException se) {
        sessionDebug.message("processSessionRequest caught exception: {}", se.getMessage(), se);
        res.setException(sid + " " + se.getMessage());
    }
    return res;
}
Also used : SessionException(com.iplanet.dpro.session.SessionException) SessionInfo(com.iplanet.dpro.session.share.SessionInfo) SessionResponse(com.iplanet.dpro.session.share.SessionResponse) SessionID(com.iplanet.dpro.session.SessionID) URL(java.net.URL) Session(com.iplanet.dpro.session.Session)

Example 2 with SessionInfo

use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.

the class SessionService method getValidSessions.

/**
     * Gets all valid Internal Sessions, depending on the value of the user's
     * preferences.
     *
     * @param s
     * @throws SessionException
     */
public List<SessionInfo> getValidSessions(Session s, String pattern, int[] status) throws SessionException {
    if (s.getState(false) != VALID) {
        throw new SessionException(SessionBundle.getString("invalidSessionState") + s.getID().toString());
    }
    try {
        AMIdentity user = getUser(s);
        Set orgList = user.getAttribute("iplanet-am-session-get-valid-sessions");
        if (orgList == null) {
            orgList = Collections.EMPTY_SET;
        }
        List<InternalSession> sessions = getValidInternalSessions(pattern, status);
        List<SessionInfo> infos = new ArrayList<SessionInfo>(sessions.size());
        // top level admin gets all sessions
        boolean isTopLevelAdmin = hasTopLevelAdminRole(s);
        for (InternalSession sess : sessions) {
            if (isTopLevelAdmin || orgList.contains(sess.getClientDomain())) {
                SessionInfo info = sess.toSessionInfo();
                // replace session id with session handle to prevent from
                // impersonation
                info.setSessionID(sess.getSessionHandle());
                infos.add(info);
            }
        }
        return infos;
    } catch (Exception e) {
        throw new SessionException(e);
    }
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) AMIdentity(com.sun.identity.idm.AMIdentity) ArrayList(java.util.ArrayList) SessionException(com.iplanet.dpro.session.SessionException) SessionInfo(com.iplanet.dpro.session.share.SessionInfo) DelegationException(com.sun.identity.delegation.DelegationException) SSOException(com.iplanet.sso.SSOException) InterruptedIOException(java.io.InterruptedIOException) IdRepoException(com.sun.identity.idm.IdRepoException) ConnectException(java.net.ConnectException) SessionException(com.iplanet.dpro.session.SessionException) CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException)

Example 3 with SessionInfo

use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.

the class SessionInfoFactory method makeSessionInfo.

/**
     * Generates a SessionInfo object from the given InternalSession.
     *
     * @param internalSession Non null InternalSession to use.
     * @param sid Session ID for the user performing the action.
     * @return A non null SessionInfo instance if valid.
     *
     * @throws SessionException If there was an error storing the TokenRestriction on the SessionInfo.
     *
     * @throws IllegalAccessException If this method has not been called in-conjunction with
     * SessionInfoFactory#validateSession
     */
public SessionInfo makeSessionInfo(InternalSession internalSession, SessionID sid) throws SessionException {
    SessionInfo info = internalSession.toSessionInfo();
    TokenRestriction restriction = internalSession.getRestrictionForToken(sid);
    if (restriction != null) {
        try {
            info.getProperties().put(TOKEN_RESTRICTION_PROP, TokenRestrictionFactory.marshal(restriction));
        } catch (Exception e) {
            throw new SessionException(e);
        }
    } else if (!sid.equals(internalSession.getID())) {
        throw new IllegalArgumentException("Session id mismatch");
    }
    // replace master sid with the sid from the request (either master or
    // restricted) in order not to leak the master sid
    info.setSessionID(sid.toString());
    return info;
}
Also used : TokenRestriction(com.iplanet.dpro.session.TokenRestriction) SessionInfo(com.iplanet.dpro.session.share.SessionInfo) SessionException(com.iplanet.dpro.session.SessionException) SessionTimedOutException(com.iplanet.dpro.session.SessionTimedOutException) SessionException(com.iplanet.dpro.session.SessionException)

Example 4 with SessionInfo

use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.

the class StatelessSessionActivator method activateSession.

@Override
public boolean activateSession(final LoginState loginState, final SessionService sessionService, final InternalSession authSession, final Subject subject, final Object loginContext) throws AuthException {
    if (loginState.getForceFlag()) {
        if (DEBUG.messageEnabled()) {
            DEBUG.message("Cannot force auth stateless sessions.");
        }
        throw new AuthException(AMAuthErrorCode.STATELESS_FORCE_FAILED, null);
    }
    if (loginState.isSessionUpgrade()) {
        //set our old session -- necessary as if the currently owned token is stateless this won't be set
        SessionID sid = new SessionID(loginState.getHttpServletRequest());
        try {
            SessionInfo info = getStatelessSessionFactory().getSessionInfo(sid);
            oldSession = getStatelessSessionFactory().generate(info);
            loginState.setOldStatelessSession(oldSession);
        } catch (SessionException e) {
            throw new AuthException(AMAuthErrorCode.SESSION_UPGRADE_FAILED, null);
        }
    }
    //create our new session - the loginState needs this session as it's the one we'll be passing back to the user
    final InternalSession session = createSession(sessionService, loginState);
    loginState.setSession(session);
    return updateSessions(session, loginState, session, authSession, sessionService, subject, loginContext);
}
Also used : InternalSession(com.iplanet.dpro.session.service.InternalSession) SessionInfo(com.iplanet.dpro.session.share.SessionInfo) SessionException(com.iplanet.dpro.session.SessionException) SessionID(com.iplanet.dpro.session.SessionID)

Example 5 with SessionInfo

use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.

the class SessionResource method queryCollection.

/**
     * Queries the session resources using one of the predefined query filters.
     *
     * all - (default) will query all Sessions across all servers.
     * list - will list the available servers which is useful for the next query
     * [server-id] - will list the available Sessions on the named server.
     *
     * @param context {@inheritDoc}
     * @param request {@inheritDoc}
     * @param handler {@inheritDoc}
     */
public Promise<QueryResponse, ResourceException> queryCollection(Context context, QueryRequest request, QueryResourceHandler handler) {
    String id = request.getQueryId();
    if (KEYWORD_LIST.equals(id)) {
        Collection<String> servers = generateListServers();
        LOGGER.message("SessionResource.queryCollection() :: Retrieved list of servers for query.");
        handler.handleResource(newResourceResponse(KEYWORD_LIST, String.valueOf(System.currentTimeMillis()), new JsonValue(servers)));
    } else {
        Collection<SessionInfo> sessions;
        if (KEYWORD_ALL.equals(id)) {
            sessions = generateAllSessions();
            LOGGER.message("SessionResource.queryCollection() :: Retrieved list of sessions for query.");
        } else {
            sessions = generateNamedServerSession(id);
            LOGGER.message("SessionResource.queryCollection() :: Retrieved list of specified servers for query.");
        }
        for (SessionInfo session : sessions) {
            long timeleft = TimeUnit.SECONDS.toMinutes(session.getTimeLeft());
            String username = session.getProperties().get("UserId");
            Map<String, Object> map = new HashMap<String, Object>();
            map.put(HEADER_USER_ID, username);
            map.put(HEADER_TIME_REMAINING, timeleft);
            handler.handleResource(newResourceResponse("Sessions", String.valueOf(System.currentTimeMillis()), new JsonValue(map)));
        }
    }
    return newResultPromise(newQueryResponse());
}
Also used : HashMap(java.util.HashMap) CaseInsensitiveHashMap(com.sun.identity.common.CaseInsensitiveHashMap) JsonValue(org.forgerock.json.JsonValue) SessionInfo(com.iplanet.dpro.session.share.SessionInfo)

Aggregations

SessionInfo (com.iplanet.dpro.session.share.SessionInfo)42 Test (org.testng.annotations.Test)18 SessionException (com.iplanet.dpro.session.SessionException)8 SessionID (com.iplanet.dpro.session.SessionID)6 SessionResponse (com.iplanet.dpro.session.share.SessionResponse)5 SessionRequest (com.iplanet.dpro.session.share.SessionRequest)4 InternalSession (com.iplanet.dpro.session.service.InternalSession)3 Session (com.iplanet.dpro.session.Session)2 TokenRestriction (com.iplanet.dpro.session.TokenRestriction)2 SSOException (com.iplanet.sso.SSOException)2 URL (java.net.URL)2 KeyPair (java.security.KeyPair)2 HashMap (java.util.HashMap)2 SigningManager (org.forgerock.json.jose.jws.SigningManager)2 StatelessSession (org.forgerock.openam.sso.providers.stateless.StatelessSession)2 ThreadPoolException (com.iplanet.am.util.ThreadPoolException)1 SessionTimedOutException (com.iplanet.dpro.session.SessionTimedOutException)1 SessionOperations (com.iplanet.dpro.session.operations.SessionOperations)1 Action (com.iplanet.services.naming.ServiceListeners.Action)1 SSOToken (com.iplanet.sso.SSOToken)1