Example 36 with SSOToken

Use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

From the class SiteIDValidator, method getServerDetails.

/**
 * Internal method for getting the Server list
 *
 * @return true if Server list is obtained, false otherwise
 */
private boolean getServerDetails() {
    if (!serverAddrSet.isEmpty()) {
        return true;
    }
    try {
        SSOToken stoken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        ServiceSchemaManager ssm = new ServiceSchemaManager(ISAuthConstants.PLATFORM_SERVICE_NAME, stoken);
        if (ssm != null) {
            ServiceSchema ss = ssm.getGlobalSchema();
            if (ss != null) {
                Map attrs = ss.getAttributeDefaults();
                Set serverList = (Set) attrs.get(PLATFORM_SERVER_LIST);
                if (serverList != null && !serverList.isEmpty()) {
                    Iterator serverIterator = serverList.iterator();
                    while (serverIterator.hasNext()) {
                        String serverVal = (String) serverIterator.next();
                        if (serverVal != null) {
                            // Each platform server entry begins with "<serverUrl>|<serverId>"
                            StringTokenizer tk = new StringTokenizer(serverVal, "|");
                            String serverUrl = tk.nextToken();
                            String serverId = tk.nextToken();
                            serverAddrSet.add(serverUrl);
                            StringTokenizer sidtk = new StringTokenizer(serverId, "|");
                            serverIdSet.add(sidtk.nextToken());
                        }
                    }
                }
            }
        }
        return true;
    } catch (SMSException se) {
        if (debug.messageEnabled()) {
            debug.message("Site List Validator. Unable to get global " + "config: SMSException", se);
        }
    } catch (SSOException ssoe) {
        if (debug.messageEnabled()) {
            debug.message("Site List Validator. Unable to get global " + "config: SSOException", ssoe);
        }
    }
    return false;
}
Also used: StringTokenizer (java.util.StringTokenizer), SSOToken (com.iplanet.sso.SSOToken), HashSet (java.util.HashSet), Set (java.util.Set), Iterator (java.util.Iterator), SSOException (com.iplanet.sso.SSOException), Map (java.util.Map)

Example 37 with SSOToken

Use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

From the class XacmlService, method checkPermission.

/**
 * Check if this user has permission to perform the given action (which will be "read" in the case of export
 * and "modify" in the case of import).
 *
 * @return true if the user has permission, false otherwise.
 */
@VisibleForTesting
boolean checkPermission(String action) throws EntitlementException {
    try {
        Request restletRequest = getRequest();
        String urlLastSegment = restletRequest.getResourceRef().getLastSegment();
        String realm = RestletRealmRouter.getRealmFromRequest(restletRequest);
        final Map<String, String> context = (Map<String, String>) ServletUtils.getRequest(getRequest()).getAttribute(FORGEROCK_AUTH_CONTEXT);
        final String tokenId = context.get("tokenId");
        final SSOToken token = SSOTokenManager.getInstance().createSSOToken(tokenId);
        return checkPermission(action, urlLastSegment, realm, token);
    } catch (SSOException e) {
        debug.warning("XacmlService permission evaluation failed", e);
        throw new EntitlementException(INTERNAL_ERROR, e);
    }
}
Also used: EntitlementException (com.sun.identity.entitlement.EntitlementException), SSOToken (com.iplanet.sso.SSOToken), HttpServletRequest (javax.servlet.http.HttpServletRequest), Request (org.restlet.Request), SSOException (com.iplanet.sso.SSOException), Map (java.util.Map), HashMap (java.util.HashMap), VisibleForTesting (org.forgerock.util.annotations.VisibleForTesting)

Example 38 with SSOToken

Use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

From the class FSDefaultSPAdapter, method postSSOFederationSuccess.

/**
 * Invokes this method after the successful Single Sign-On or Federation.
 * @param hostedEntityID provider ID for the hosted SP
 * @param request servlet request
 * @param response servlet response
 * @param ssoToken user's SSO token
 * @param authnRequest the original authentication request sent from SP
 * @param authnResponse response from IDP if Browser POST or LECP profile
 *        is used for the request, value will be null if Browser Artifact
 *        profile is used.
 * @param samlResponse response from IDP if Browser Artifact profile is used
 *        for the request, value will be null if Browser POST or LECP
 *        profile is used.
 * @exception FederationException if user want to fail the process.
 * @return true if browser redirection happened, false otherwise.
 */
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request,
        HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest,
        FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        if (nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_FEDERATED)) {
            isFederation = true;
        }
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (isFederation && adminToken != null) {
        try {
            // get name Identifier
            String nameId = null;
            List assertions = null;
            String idpEntityId = null;
            if (authnResponse != null) {
                // POST profile
                assertions = authnResponse.getAssertion();
                idpEntityId = authnResponse.getProviderId();
            } else {
                // Artifact profile
                assertions = samlResponse.getAssertion();
            }
            FSAssertion assertion = (FSAssertion) assertions.iterator().next();
            if (idpEntityId == null) {
                idpEntityId = assertion.getIssuer();
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
            }
            Iterator stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    FSSubject subject = (FSSubject) authStatement.getSubject();
                    NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
                    if (ni == null) {
                        ni = subject.getNameIdentifier();
                    }
                    if (ni != null) {
                        nameId = ni.getName();
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
                    }
                    break;
                }
            }
            if (nameId == null) {
                FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
                return false;
            }
            Map map = new HashMap();
            Set set = new HashSet();
            set.add("|" + hostedEntityID + "|" + nameId + "|");
            map.put("iplanet-am-user-federation-info-key", set);
            AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
            IdSearchControl searchControl = new IdSearchControl();
            searchControl.setTimeOut(0);
            searchControl.setMaxResults(0);
            searchControl.setAllReturnAttributes(false);
            searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
            IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
            Set amIdSet = searchResults.getSearchResults();
            if (amIdSet.size() > 1) {
                String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
                }
                String metaAlias = null;
                try {
                    IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
                    if (metaManager != null) {
                        SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
                        if (spConfig != null) {
                            metaAlias = spConfig.getMetaAlias();
                        }
                    }
                } catch (IDFFMetaException ie) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
                    }
                }
                FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
                FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
                // previous federation exists with different users
                Iterator it = amIdSet.iterator();
                while (it.hasNext()) {
                    AMIdentity amId = (AMIdentity) it.next();
                    // compare with the SSO token
                    String tmpUnivId = IdUtils.getUniversalId(amId);
                    if (univId.equalsIgnoreCase(tmpUnivId)) {
                        continue;
                    }
                    // remove federation information for this user
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
                    }
                    accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
                }
            }
        } catch (FSAccountMgmtException f) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
        } catch (IdRepoException i) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
        } catch (SSOException e) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
        }
    }
    return false;
}
Also used: SSOToken (com.iplanet.sso.SSOToken), Set (java.util.Set), HashSet (java.util.HashSet), FSSubject (com.sun.identity.federation.message.FSSubject), NameIdentifier (com.sun.identity.saml.assertion.NameIdentifier), HashMap (java.util.HashMap), IdSearchResults (com.sun.identity.idm.IdSearchResults), SPDescriptorConfigElement (com.sun.identity.federation.jaxb.entityconfig.SPDescriptorConfigElement), SSOException (com.iplanet.sso.SSOException), FSAccountFedInfoKey (com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey), FSAccountManager (com.sun.identity.federation.accountmgmt.FSAccountManager), FSAssertion (com.sun.identity.federation.message.FSAssertion), Iterator (java.util.Iterator), IdSearchControl (com.sun.identity.idm.IdSearchControl), List (java.util.List), FSAuthenticationStatement (com.sun.identity.federation.message.FSAuthenticationStatement), Statement (com.sun.identity.saml.assertion.Statement), IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException), IdRepoException (com.sun.identity.idm.IdRepoException), IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager), AMIdentity (com.sun.identity.idm.AMIdentity), AMIdentityRepository (com.sun.identity.idm.AMIdentityRepository), FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException), Map (java.util.Map)

Example 39 with SSOToken

Use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

From the class WebServiceAuthenticatorImpl, method authenticate.

/**
 * Authenticates a web service using its certificates.
 *
 * @param message a Message object that needs authentication.
 * @param request the HttpServletRequest object that comes from the web
 *                service
 * @return a SSOToken Object for the valid certificates after
 *         successful authentication or null if authentication fails.
 */
public Object authenticate(Message message, Subject subject, Map state, HttpServletRequest request) {
    List certs = null;
    X509Certificate clientCert = message.getPeerCertificate();
    if (clientCert != null) {
        // SSL client auth certificate
        certs = new ArrayList(2);
        certs.add(clientCert);
    }
    X509Certificate messageCert = message.getMessageCertificate();
    if (messageCert != null) {
        if (certs == null) {
            certs = new ArrayList(1);
        }
        certs.add(messageCert);
    }
    String principal = null;
    StringBuffer principalsSB = null;
    if (certs == null) {
        principal = ANONYMOUS_PRINCIPAL;
    } else {
        Set principalsSet = new HashSet(6);
        for (Iterator iter = certs.iterator(); iter.hasNext(); ) {
            X509Certificate cert = (X509Certificate) iter.next();
            if (debug.messageEnabled()) {
                debug.message("WebServiceAuthenticatorImpl.authenticate: cert = " + cert);
            }
            String subjectDN = CertUtils.getSubjectName(cert);
            if (principal == null) {
                principal = subjectDN;
            } else if (!principal.equals(subjectDN)) {
                principalsSet.add(subjectDN);
            }
            String issuerDN = CertUtils.getIssuerName(cert);
            principalsSet.add(issuerDN);
        }
        principalsSB = new StringBuffer(50);
        for (Iterator iter = principalsSet.iterator(); iter.hasNext(); ) {
            String str = (String) iter.next();
            if (principalsSB.length() == 0) {
                principalsSB.append(str);
            } else {
                principalsSB.append("|").append(str);
            }
        }
    }
    if (debug.messageEnabled()) {
        debug.message("WebServiceAuthenticatorImpl.authenticate" + ": principal = " + principal + ", principals = " + principalsSB);
    }
    String authMech = message.getAuthenticationMechanism();
    String cacheKey = authMech + " " + principal;
    if (debug.messageEnabled()) {
        debug.message("WebServiceAuthenticatorImpl.authenticate" + ": cacheKey = " + cacheKey);
    }
    SSOToken ssoToken = null;
    ssoToken = (SSOToken) ssoTokenCache.get(cacheKey);
    if (ssoToken != null) {
        if (ssoTokenManager.isValidToken(ssoToken)) {
            if (debug.messageEnabled()) {
                debug.message("WebServiceAuthenticatorImpl." + "authenticate: found ssoToken in cache");
            }
            return ssoToken;
        }
        if (debug.messageEnabled()) {
            debug.message("WebServiceAuthenticatorImpl." + "authenticate: ssoToken in cache expired");
        }
        synchronized (ssoTokenCache) {
            ssoTokenCache.remove(cacheKey);
        }
        ssoToken = null;
    }
    String authInstant = null;
    try {
        InternalSession is = InjectorHolder.getInstance(SessionService.class).newInternalSession(null, null, false);
        is.activate("");
        Map attrs = sessionSchema.getAttributeDefaults();
        is.setMaxSessionTime(CollectionHelper.getIntMapAttr(attrs, MAX_SESSION_TIME, DEFAULT_MAX_SESSION_TIME, debug));
        is.setMaxIdleTime(CollectionHelper.getIntMapAttr(attrs, IDLE_TIME, DEFAULT_IDLE_TIME, debug));
        is.setMaxCachingTime(CollectionHelper.getIntMapAttr(attrs, CACHE_TIME, DEFAULT_CACHE_TIME, debug));
        is.putProperty(AUTH_TYPE_PROP, message.getAuthenticationMechanism());
        authInstant = DateUtils.toUTCDateFormat(new Date());
        is.putProperty(AUTH_INSTANT_PROP, authInstant);
        ssoToken = SSOTokenManager.getInstance().createSSOToken(is.getID().toString());
    } catch (Exception ex) {
        debug.error("WebServiceAuthenticatorImpl.authenticate: " + "Unable to get SSOToken", ex);
    }
    if (ssoToken == null) {
        return null;
    }
    try {
        ssoToken.setProperty(PRINCIPAL_PROP, principal);
        if (principalsSB != null) {
            ssoToken.setProperty(PRINCIPALS_PROP, principalsSB.toString());
        }
        if (authInstant != null) {
            ssoToken.setProperty(AUTH_INSTANT_PROP, authInstant);
        }
        ssoToken.setProperty(AUTH_TYPE_PROP, message.getAuthenticationMechanism());
        SSOTokenManager.getInstance().refreshSession(ssoToken);
        ssoTokenCache.put(cacheKey, ssoToken);
    } catch (Exception ex) {
        debug.error("WebServiceAuthenticatorImpl.authenticate: " + "Unable to set SSOToken property", ex);
        return null;
    }
    return ssoToken;
}
Also used: HashSet (java.util.HashSet), Set (java.util.Set), SSOToken (com.iplanet.sso.SSOToken), ArrayList (java.util.ArrayList), X509Certificate (java.security.cert.X509Certificate), Date (java.util.Date), SessionService (com.iplanet.dpro.session.service.SessionService), InternalSession (com.iplanet.dpro.session.service.InternalSession), Iterator (java.util.Iterator), List (java.util.List), Map (java.util.Map)

Example 40 with SSOToken

Use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.

From the class CramMD5MechanismHandler, method getUserPassword.

private static String getUserPassword(String userName) {
    try {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, SMSEntry.getRootSuffix());
        IdSearchControl searchControl = new IdSearchControl();
        searchControl.setTimeOut(0);
        searchControl.setMaxResults(0);
        searchControl.setAllReturnAttributes(false);
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, userName, searchControl);
        Set users = searchResults.getSearchResults();
        if (users == null || users.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "no user found");
            }
            return null;
        }
        if (users.size() > 1) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "more than 1 user found");
            }
            return null;
        }
        AMIdentity user = (AMIdentity) users.iterator().next();
        Set passwords = user.getAttribute("userPassword");
        if (passwords == null || passwords.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has no password");
            }
            return null;
        }
        if (passwords.size() > 1) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has more than 1 passwords");
            }
            return null;
        }
        String password = (String) passwords.iterator().next();
        // CRAM-MD5 needs the shared secret in cleartext, so only a value stored
        // with the {CLEAR} prefix yields a usable password; strip the prefix.
        if (password.startsWith("{CLEAR}")) {
            password = password.substring(7);
        }
        return password;
    } catch (Exception ex) {
        AuthnSvcUtils.debug.error("CramMD5MechanismHandler.getUserPassword: ", ex);
        return null;
    }
}
Also used: SSOToken (com.iplanet.sso.SSOToken), Set (java.util.Set), IdSearchResults (com.sun.identity.idm.IdSearchResults), AMIdentity (com.sun.identity.idm.AMIdentity), AMIdentityRepository (com.sun.identity.idm.AMIdentityRepository), IdSearchControl (com.sun.identity.idm.IdSearchControl), IdRepoException (com.sun.identity.idm.IdRepoException), NoSuchAlgorithmException (java.security.NoSuchAlgorithmException), AuthLoginException (com.sun.identity.authentication.spi.AuthLoginException), SSOException (com.iplanet.sso.SSOException), UnsupportedEncodingException (java.io.UnsupportedEncodingException)