Example 1 with SessionInfo
use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.
the class SessionRequestHandler method processSessionRequest.
private SessionResponse processSessionRequest(PLLAuditor auditor, SessionRequest req, HttpServletRequest servletRequest, HttpServletResponse servletResponse) {
SessionResponse res = new SessionResponse(req.getRequestID(), req.getMethodID());
SessionID sid = new SessionID(req.getSessionID());
Session requesterSession = null;
try {
/* common processing by groups of methods */
switch(req.getMethodID()) {
/*
* in this group of methods the request is targeting either all
* LOCAL sessions or a single local session identified by another
* request parameter sid in this case is only used to authenticate
* the operation Session pointed by sid is not expected to be local
* to this server (although it might)
*/
case SessionRequest.GetValidSessions:
case SessionRequest.AddSessionListenerOnAllSessions:
case SessionRequest.GetSessionCount:
/*
* note that the purpose of the following is just to check the
* authentication of the caller (which can also be used as a
* filter for the operation scope!)
*/
requesterSession = sessionCache.getSession(sid);
auditAccessAttempt(auditor, requesterSession);
/*
* also check that sid is not a restricted token
*/
if (requesterSession.getProperty(TOKEN_RESTRICTION_PROP) != null) {
res.setException(sid + " " + SessionBundle.getString("noPrivilege"));
return res;
}
break;
/*
* In this group request is targeting a single session identified by
* sid which is supposed to be hosted by this server instance sid is
* used both as an id of a session and to authenticate the operation
* (performed on own session)
*/
case SessionRequest.GetSession:
case SessionRequest.Logout:
case SessionRequest.AddSessionListener:
case SessionRequest.SetProperty:
case SessionRequest.DestroySession:
if (req.getMethodID() == SessionRequest.DestroySession) {
requesterSession = sessionCache.getSession(sid);
auditAccessAttempt(auditor, requesterSession);
/*
* also check that sid is not a restricted token
*/
if (requesterSession.getProperty(TOKEN_RESTRICTION_PROP) != null) {
res.setException(sid + " " + SessionBundle.getString("noPrivilege"));
return res;
}
sid = new SessionID(req.getDestroySessionID());
} else {
try {
auditAccessAttempt(auditor, sessionCache.getSession(sid));
} catch (SessionException ignored) {
// ignore, we'll log the access attempt without session properties
auditor.auditAccessAttempt();
}
}
if (req.getMethodID() == SessionRequest.SetProperty) {
/*
* This fix is to avoid clients sneaking in to set
* protected properties in server-2 or so through
* server-1. Short circuit this operation without
* forwarding it further.
*/
try {
SessionUtils.checkPermissionToSetProperty(this.clientToken, req.getPropertyName(), req.getPropertyValue());
} catch (SessionException se) {
if (sessionDebug.warningEnabled()) {
sessionDebug.warning("SessionRequestHandler.processRequest:" + "Client does not have permission to set" + " - property key = " + req.getPropertyName() + " : property value = " + req.getPropertyValue());
}
res.setException(sid + " " + SessionBundle.getString("noPrivilege"));
return res;
}
}
if (!serviceConfig.isSessionFailoverEnabled()) {
// TODO check how this behaves in non-session failover case
URL originService = SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(sid);
if (!serverConfig.isLocalSessionService(originService)) {
if (!serverConfig.isSiteEnabled()) {
String siteID = sid.getExtension().getSiteID();
if (siteID != null) {
String primaryID = sid.getExtension().getPrimaryID();
String localServerID = serverConfig.getLocalServerID();
if ((primaryID != null) && (localServerID != null)) {
if (primaryID.equals(localServerID)) {
throw new SessionException("invalid session id");
}
}
}
} else {
return forward(originService, req);
}
}
} else {
if (serviceConfig.isUseInternalRequestRoutingEnabled()) {
// first try
String hostServerID = sessionService.getCurrentHostServer(sid);
if (!serverConfig.isLocalServer(hostServerID)) {
try {
return forward(SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(hostServerID), req);
} catch (SessionException se) {
// attempt retry
if (!sessionService.checkServerUp(hostServerID)) {
// proceed with failover
String retryHostServerID = sessionService.getCurrentHostServer(sid);
if (retryHostServerID.equals(hostServerID)) {
throw se;
} else {
// case
if (!serverConfig.isLocalServer(retryHostServerID)) {
return forward(SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(retryHostServerID), req);
}
}
} else {
throw se;
}
}
}
} else {
// iplanet-am-session-sfo-enabled=true (in direct contradiction to SMS property with same name)
throw new AssertionError("Unreachable code");
}
/*
* if session is not already present locally attempt to
* recover session if in failover mode
*/
if (!sessionService.isSessionPresent(sid)) {
if (sessionService.recoverSession(sid) == null) {
/*
* if not in failover mode or recovery was not
* successful return an exception
*/
/*
* !!!!! IMPORTANT !!!!! DO NOT REMOVE "sid" FROM
* EXCEPTIONMESSAGE Logic kludge in legacy Agent 2.0
* code will break If it can not find SID value in
* the exception message returned by Session
* Service. This dependency should be eventually
* removed once we migrate customers to a newer
* agent code base or switch to a new version of
* Session Service interface
*/
res.setException(sid + " " + SessionBundle.getString("sessionNotObtained"));
return res;
}
}
}
break;
default:
res.setException(sid + " " + SessionBundle.getString("unknownRequestMethod"));
return res;
}
/*
* request method-specific processing
*/
switch(req.getMethodID()) {
case SessionRequest.GetSession:
res.addSessionInfo(sessionService.getSessionInfo(sid, req.getResetFlag()));
break;
case SessionRequest.GetValidSessions:
String pattern = req.getPattern();
List<SessionInfo> infos = null;
int[] status = { 0 };
infos = sessionService.getValidSessions(requesterSession, pattern, status);
res.setStatus(status[0]);
res.setSessionInfo(infos);
break;
case SessionRequest.DestroySession:
sessionService.destroySession(requesterSession, new SessionID(req.getDestroySessionID()));
break;
case SessionRequest.Logout:
sessionService.logout(sid);
break;
case SessionRequest.AddSessionListener:
sessionService.addSessionListener(sid, req.getNotificationURL());
break;
case SessionRequest.AddSessionListenerOnAllSessions:
/**
* Cookie Hijacking fix to disable adding of Notification
* Listener for ALL the sessions over the network to the server
* instance specified by Notification URL This property can be
* added and set in the AMConfig.properties file should there be
* a need to add Notification Listener to ALL the sessions. The
* default value of this property is FALSE
*/
if (getEnableAddListenerOnAllSessions()) {
sessionService.addSessionListenerOnAllSessions(requesterSession, req.getNotificationURL());
}
break;
case SessionRequest.SetProperty:
sessionService.setExternalProperty(this.clientToken, sid, req.getPropertyName(), req.getPropertyValue());
break;
case SessionRequest.GetSessionCount:
String uuid = req.getUUID();
Object sessions = SessionCount.getSessionsFromLocalServer(uuid);
if (sessions != null) {
res.setSessionsForGivenUUID((Map) sessions);
}
break;
default:
res.setException(sid + " " + SessionBundle.getString("unknownRequestMethod"));
break;
}
} catch (SessionException se) {
sessionDebug.message("processSessionRequest caught exception: {}", se.getMessage(), se);
res.setException(sid + " " + se.getMessage());
}
return res;
}
Also used :
SessionException(com.iplanet.dpro.session.SessionException)
SessionInfo(com.iplanet.dpro.session.share.SessionInfo)
SessionResponse(com.iplanet.dpro.session.share.SessionResponse)
SessionID(com.iplanet.dpro.session.SessionID)
URL(java.net.URL)
Session(com.iplanet.dpro.session.Session)
Example 2 with SessionInfo
use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.
the class SessionService method getValidSessions.
/**
* Gets all valid Internal Sessions, depending on the value of the user's
* preferences.
*
* @param s
* @throws SessionException
*/
public List<SessionInfo> getValidSessions(Session s, String pattern, int[] status) throws SessionException {
if (s.getState(false) != VALID) {
throw new SessionException(SessionBundle.getString("invalidSessionState") + s.getID().toString());
}
try {
AMIdentity user = getUser(s);
Set orgList = user.getAttribute("iplanet-am-session-get-valid-sessions");
if (orgList == null) {
orgList = Collections.EMPTY_SET;
}
List<InternalSession> sessions = getValidInternalSessions(pattern, status);
List<SessionInfo> infos = new ArrayList<SessionInfo>(sessions.size());
// top level admin gets all sessions
boolean isTopLevelAdmin = hasTopLevelAdminRole(s);
for (InternalSession sess : sessions) {
if (isTopLevelAdmin || orgList.contains(sess.getClientDomain())) {
SessionInfo info = sess.toSessionInfo();
// replace session id with session handle to prevent from
// impersonation
info.setSessionID(sess.getSessionHandle());
infos.add(info);
}
}
return infos;
} catch (Exception e) {
throw new SessionException(e);
}
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
AMIdentity(com.sun.identity.idm.AMIdentity)
ArrayList(java.util.ArrayList)
SessionException(com.iplanet.dpro.session.SessionException)
SessionInfo(com.iplanet.dpro.session.share.SessionInfo)
DelegationException(com.sun.identity.delegation.DelegationException)
SSOException(com.iplanet.sso.SSOException)
InterruptedIOException(java.io.InterruptedIOException)
IdRepoException(com.sun.identity.idm.IdRepoException)
ConnectException(java.net.ConnectException)
SessionException(com.iplanet.dpro.session.SessionException)
CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException)
Example 3 with SessionInfo
use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.
the class SessionInfoFactory method makeSessionInfo.
/**
* Generates a SessionInfo object from the given InternalSession.
*
* @param internalSession Non null InternalSession to use.
* @param sid Session ID for the user performing the action.
* @return A non null SessionInfo instance if valid.
*
* @throws SessionException If there was an error storing the TokenRestriction on the SessionInfo.
*
* @throws IllegalAccessException If this method has not been called in-conjunction with
* SessionInfoFactory#validateSession
*/
public SessionInfo makeSessionInfo(InternalSession internalSession, SessionID sid) throws SessionException {
SessionInfo info = internalSession.toSessionInfo();
TokenRestriction restriction = internalSession.getRestrictionForToken(sid);
if (restriction != null) {
try {
info.getProperties().put(TOKEN_RESTRICTION_PROP, TokenRestrictionFactory.marshal(restriction));
} catch (Exception e) {
throw new SessionException(e);
}
} else if (!sid.equals(internalSession.getID())) {
throw new IllegalArgumentException("Session id mismatch");
}
// replace master sid with the sid from the request (either master or
// restricted) in order not to leak the master sid
info.setSessionID(sid.toString());
return info;
}
Also used :
TokenRestriction(com.iplanet.dpro.session.TokenRestriction)
SessionInfo(com.iplanet.dpro.session.share.SessionInfo)
SessionException(com.iplanet.dpro.session.SessionException)
SessionTimedOutException(com.iplanet.dpro.session.SessionTimedOutException)
SessionException(com.iplanet.dpro.session.SessionException)
Example 4 with SessionInfo
use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.
the class StatelessSessionActivator method activateSession.
@Override
public boolean activateSession(final LoginState loginState, final SessionService sessionService, final InternalSession authSession, final Subject subject, final Object loginContext) throws AuthException {
if (loginState.getForceFlag()) {
if (DEBUG.messageEnabled()) {
DEBUG.message("Cannot force auth stateless sessions.");
}
throw new AuthException(AMAuthErrorCode.STATELESS_FORCE_FAILED, null);
}
if (loginState.isSessionUpgrade()) {
//set our old session -- necessary as if the currently owned token is stateless this won't be set
SessionID sid = new SessionID(loginState.getHttpServletRequest());
try {
SessionInfo info = getStatelessSessionFactory().getSessionInfo(sid);
oldSession = getStatelessSessionFactory().generate(info);
loginState.setOldStatelessSession(oldSession);
} catch (SessionException e) {
throw new AuthException(AMAuthErrorCode.SESSION_UPGRADE_FAILED, null);
}
}
//create our new session - the loginState needs this session as it's the one we'll be passing back to the user
final InternalSession session = createSession(sessionService, loginState);
loginState.setSession(session);
return updateSessions(session, loginState, session, authSession, sessionService, subject, loginContext);
}
Also used :
InternalSession(com.iplanet.dpro.session.service.InternalSession)
SessionInfo(com.iplanet.dpro.session.share.SessionInfo)
SessionException(com.iplanet.dpro.session.SessionException)
SessionID(com.iplanet.dpro.session.SessionID)
Example 5 with SessionInfo
use of com.iplanet.dpro.session.share.SessionInfo in project OpenAM by OpenRock.
the class SessionResource method queryCollection.
/**
* Queries the session resources using one of the predefined query filters.
*
* all - (default) will query all Sessions across all servers.
* list - will list the available servers which is useful for the next query
* [server-id] - will list the available Sessions on the named server.
*
* @param context {@inheritDoc}
* @param request {@inheritDoc}
* @param handler {@inheritDoc}
*/
public Promise<QueryResponse, ResourceException> queryCollection(Context context, QueryRequest request, QueryResourceHandler handler) {
String id = request.getQueryId();
if (KEYWORD_LIST.equals(id)) {
Collection<String> servers = generateListServers();
LOGGER.message("SessionResource.queryCollection() :: Retrieved list of servers for query.");
handler.handleResource(newResourceResponse(KEYWORD_LIST, String.valueOf(System.currentTimeMillis()), new JsonValue(servers)));
} else {
Collection<SessionInfo> sessions;
if (KEYWORD_ALL.equals(id)) {
sessions = generateAllSessions();
LOGGER.message("SessionResource.queryCollection() :: Retrieved list of sessions for query.");
} else {
sessions = generateNamedServerSession(id);
LOGGER.message("SessionResource.queryCollection() :: Retrieved list of specified servers for query.");
}
for (SessionInfo session : sessions) {
long timeleft = TimeUnit.SECONDS.toMinutes(session.getTimeLeft());
String username = session.getProperties().get("UserId");
Map<String, Object> map = new HashMap<String, Object>();
map.put(HEADER_USER_ID, username);
map.put(HEADER_TIME_REMAINING, timeleft);
handler.handleResource(newResourceResponse("Sessions", String.valueOf(System.currentTimeMillis()), new JsonValue(map)));
}
}
return newResultPromise(newQueryResponse());
}
Also used :
HashMap(java.util.HashMap)
CaseInsensitiveHashMap(com.sun.identity.common.CaseInsensitiveHashMap)
JsonValue(org.forgerock.json.JsonValue)
SessionInfo(com.iplanet.dpro.session.share.SessionInfo)
Aggregations
SessionInfo (com.iplanet.dpro.session.share.SessionInfo)42
Test (org.testng.annotations.Test)18
SessionException (com.iplanet.dpro.session.SessionException)8
SessionID (com.iplanet.dpro.session.SessionID)6
SessionResponse (com.iplanet.dpro.session.share.SessionResponse)5
SessionRequest (com.iplanet.dpro.session.share.SessionRequest)4
InternalSession (com.iplanet.dpro.session.service.InternalSession)3
Session (com.iplanet.dpro.session.Session)2
TokenRestriction (com.iplanet.dpro.session.TokenRestriction)2
SSOException (com.iplanet.sso.SSOException)2
URL (java.net.URL)2
KeyPair (java.security.KeyPair)2
HashMap (java.util.HashMap)2
SigningManager (org.forgerock.json.jose.jws.SigningManager)2
StatelessSession (org.forgerock.openam.sso.providers.stateless.StatelessSession)2
ThreadPoolException (com.iplanet.am.util.ThreadPoolException)1
SessionTimedOutException (com.iplanet.dpro.session.SessionTimedOutException)1
SessionOperations (com.iplanet.dpro.session.operations.SessionOperations)1
Action (com.iplanet.services.naming.ServiceListeners.Action)1
SSOToken (com.iplanet.sso.SSOToken)1
