use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.
the class SiteIDValidator method getServerDetails.
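/**
 * Internal method for getting the Server list.
 *
 * Loads the platform service's global server list into {@code serverAddrSet}
 * (server URLs) and {@code serverIdSet} (server IDs). Once {@code serverAddrSet}
 * is populated, later calls return immediately. Every list entry is expected as
 * {@code url|id}; an entry without both parts is logged and skipped instead of
 * aborting the whole load with an unchecked exception.
 *
 * @return true if Server list is obtained, false otherwise
 */
private boolean getServerDetails() {
    if (!serverAddrSet.isEmpty()) {
        return true;
    }
    try {
        // reading the platform service configuration requires the privileged admin token
        SSOToken stoken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        ServiceSchemaManager ssm = new ServiceSchemaManager(ISAuthConstants.PLATFORM_SERVICE_NAME, stoken);
        ServiceSchema ss = ssm.getGlobalSchema();
        if (ss != null) {
            Map attrs = ss.getAttributeDefaults();
            Set serverList = (Set) attrs.get(PLATFORM_SERVER_LIST);
            if (serverList != null) {
                for (Iterator serverIterator = serverList.iterator(); serverIterator.hasNext(); ) {
                    String serverVal = (String) serverIterator.next();
                    if (serverVal == null) {
                        continue;
                    }
                    StringTokenizer tk = new StringTokenizer(serverVal, "|");
                    if (tk.countTokens() < 2) {
                        // malformed entry: nextToken() would otherwise throw NoSuchElementException,
                        // which is not caught below and would escape the validator
                        if (debug.messageEnabled()) {
                            debug.message("Site List Validator. Ignoring malformed server entry: " + serverVal);
                        }
                        continue;
                    }
                    // first token is the server URL, second is the server id
                    serverAddrSet.add(tk.nextToken());
                    serverIdSet.add(tk.nextToken());
                }
            }
        }
        return true;
    } catch (SMSException se) {
        if (debug.messageEnabled()) {
            debug.message("Site List Validator. Unable to get global " + "config: SMSException", se);
        }
    } catch (SSOException ssoe) {
        if (debug.messageEnabled()) {
            debug.message("Site List Validator. Unable to get global " + "config: SSOException", ssoe);
        }
    }
    return false;
}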
use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.
the class XacmlService method checkPermission.
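/**
 * Check if this user has permission to perform the given action (which will be "read" in the case of export
 * and "modify" in the case of import).
 *
 * The caller's identity is not taken from request parameters: the token id is read from the
 * {@code FORGEROCK_AUTH_CONTEXT} request attribute, which the authentication layer is assumed to have
 * populated before this resource is reached (verify against the filter chain), and resolved to an
 * {@code SSOToken} that is passed to the realm- and resource-aware overload.
 *
 * @param action the action to check, "read" or "modify".
 * @return true if the user has permission, false otherwise.
 * @throws EntitlementException with {@code INTERNAL_ERROR} if the auth context attribute is absent or
 *         the token id cannot be resolved to a valid SSO token.
 */
@VisibleForTesting
boolean checkPermission(String action) throws EntitlementException {
    try {
        Request restletRequest = getRequest();
        String urlLastSegment = restletRequest.getResourceRef().getLastSegment();
        String realm = RestletRealmRouter.getRealmFromRequest(restletRequest);
        // the attribute is stored untyped by the auth layer, so the generic cast cannot be checked at runtime
        @SuppressWarnings("unchecked")
        final Map<String, String> context = (Map<String, String>) ServletUtils.getRequest(restletRequest).getAttribute(FORGEROCK_AUTH_CONTEXT);
        if (context == null) {
            // without this guard a missing context surfaced as a NullPointerException rather than
            // the EntitlementException callers are written to handle
            throw new EntitlementException(INTERNAL_ERROR, new IllegalStateException("missing auth context request attribute"));
        }
        final String tokenId = context.get("tokenId");
        final SSOToken token = SSOTokenManager.getInstance().createSSOToken(tokenId);
        return checkPermission(action, urlLastSegment, realm, token);
    } catch (SSOException e) {
        debug.warning("XacmlService permission evaluation failed", e);
        throw new EntitlementException(INTERNAL_ERROR, e);
    }
}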
use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.
the class FSDefaultSPAdapter method postSSOFederationSuccess.
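/**
 * Invokes this method after the successful Single Sign-On or Federation.
 *
 * For a federation request (NameIDPolicy equal to {@code NAME_ID_POLICY_FEDERATED}) this default
 * implementation looks up, with the admin token, every user in the SSO token's organization whose
 * federation-info key matches {@code |hostedEntityID|nameId|} and removes that federation record from
 * every user other than the one the SSO token belongs to, so a name identifier stays bound to a single
 * local account. Plain SSO requests are left untouched. This implementation never redirects.
 *
 * @param hostedEntityID provider ID for the hosted SP
 * @param request servlet request (unused here)
 * @param response servlet response (unused here)
 * @param ssoToken user's SSO token; must be an {@code SSOToken} instance
 * @param authnRequest the original authentication request sent from SP
 * @param authnResponse response from IDP if Browser POST or LECP profile
 * is used for the request, value will be null if Browser Artifact
 * profile is used.
 * @param samlResponse response from IDP if Browser Artifact profile is used
 * for the request, value will be null if Browser POST or LECP
 * profile is used.
 * @throws FederationException if user want to fail the process.
 * @return true if browser redirection happened, false otherwise.
 */
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        // constant on the left: a request without a NameIDPolicy is simply not a federation request
        isFederation = IFSConstants.NAME_ID_POLICY_FEDERATED.equals(nameIDPolicy);
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (!isFederation || adminToken == null) {
        return false;
    }
    try {
        List assertions;
        String idpEntityId = null;
        if (authnResponse != null) {
            // POST profile
            assertions = authnResponse.getAssertion();
            idpEntityId = authnResponse.getProviderId();
        } else if (samlResponse != null) {
            // Artifact profile
            assertions = samlResponse.getAssertion();
        } else {
            FSUtils.debug.warning("FSAdapter.postSuccess: neither authn nor saml response present");
            return false;
        }
        if (assertions == null || assertions.isEmpty()) {
            FSUtils.debug.warning("FSAdapter.postSuccess: no assertion in response");
            return false;
        }
        FSAssertion assertion = (FSAssertion) assertions.iterator().next();
        if (idpEntityId == null) {
            idpEntityId = assertion.getIssuer();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
        }
        String nameId = extractNameId(assertion);
        if (nameId == null) {
            FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
            return false;
        }
        SSOToken userToken = (SSOToken) ssoToken;
        // search users carrying the same federation info key as the one just established
        Map map = new HashMap();
        Set set = new HashSet();
        set.add("|" + hostedEntityID + "|" + nameId + "|");
        map.put("iplanet-am-user-federation-info-key", set);
        AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, userToken.getProperty(ISAuthConstants.ORGANIZATION));
        IdSearchControl searchControl = new IdSearchControl();
        searchControl.setTimeOut(0);
        searchControl.setMaxResults(0);
        searchControl.setAllReturnAttributes(false);
        searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
        Set amIdSet = searchResults.getSearchResults();
        if (amIdSet != null && amIdSet.size() > 1) {
            String univId = userToken.getProperty(Constants.UNIVERSAL_IDENTIFIER);
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
            }
            String metaAlias = null;
            try {
                IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
                // NOTE(review): realm is not declared in this method; presumably an instance field of the adapter — verify
                SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
                if (spConfig != null) {
                    metaAlias = spConfig.getMetaAlias();
                }
            } catch (IDFFMetaException ie) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
                }
            }
            FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
            FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
            // previous federation exists with different users
            for (Iterator it = amIdSet.iterator(); it.hasNext(); ) {
                AMIdentity amId = (AMIdentity) it.next();
                // compare with the SSO token
                String tmpUnivId = IdUtils.getUniversalId(amId);
                if (univId.equalsIgnoreCase(tmpUnivId)) {
                    continue;
                }
                // remove federation information for this user
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
                }
                accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
            }
        }
    } catch (FSAccountMgmtException f) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
    } catch (IdRepoException i) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
    } catch (SSOException e) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
    }
    return false;
}

/**
 * Returns the name identifier carried by the first authentication statement of the assertion,
 * preferring the IDP-provided identifier over the subject's own, or null if the statement has none
 * or the assertion contains no authentication statement.
 *
 * @param assertion the assertion to inspect; must not be null
 * @return the name identifier value, or null
 */
private static String extractNameId(FSAssertion assertion) {
    Iterator stmtIter = assertion.getStatement().iterator();
    while (stmtIter.hasNext()) {
        Statement statement = (Statement) stmtIter.next();
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
        FSSubject subject = (FSSubject) authStatement.getSubject();
        NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
        if (ni == null) {
            ni = subject.getNameIdentifier();
        }
        String nameId = (ni != null) ? ni.getName() : null;
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
        }
        // only the first authentication statement is consulted
        return nameId;
    }
    return null;
}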
use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.
the class WebServiceAuthenticatorImpl method authenticate.
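/**
 * Authenticates a web service using its certificates.
 *
 * The principal is the subject DN of the SSL client certificate when one was presented, otherwise of
 * the message-signing certificate; with no certificate at all the caller is treated as
 * {@code ANONYMOUS_PRINCIPAL}. Tokens are cached under {@code authMech + " " + principal}: a still-valid
 * cached token is reused, an invalid one is evicted and a fresh internal session is created and wrapped
 * in a new SSOToken carrying the principal, principals, auth instant and auth type properties.
 *
 * @param message a Message object that needs authentication.
 * @param subject the JAAS subject of the caller (not used by this implementation).
 * @param state the per-message state map (not used by this implementation).
 * @param request the HttpServletRequest object that comes from the web
 * service (not used by this implementation).
 * @return a SSOToken Object for the valid certificates after
 * successful authentication or null if authentication fails.
 */
public Object authenticate(Message message, Subject subject, Map state, HttpServletRequest request) {
    List certs = null;
    X509Certificate clientCert = message.getPeerCertificate();
    if (clientCert != null) {
        // SSL client auth certificate
        certs = new ArrayList(2);
        certs.add(clientCert);
    }
    X509Certificate messageCert = message.getMessageCertificate();
    if (messageCert != null) {
        if (certs == null) {
            certs = new ArrayList(1);
        }
        certs.add(messageCert);
    }
    String principal = null;
    StringBuilder principalsSB = null;
    if (certs == null) {
        principal = ANONYMOUS_PRINCIPAL;
    } else {
        // principal = subject DN of the first certificate; principals = every other subject DN
        // plus all issuer DNs, joined with "|" (HashSet order, i.e. no particular order)
        Set principalsSet = new HashSet(6);
        for (Iterator iter = certs.iterator(); iter.hasNext(); ) {
            X509Certificate cert = (X509Certificate) iter.next();
            if (debug.messageEnabled()) {
                debug.message("WebServiceAuthenticatorImpl.authenticate: cert = " + cert);
            }
            String subjectDN = CertUtils.getSubjectName(cert);
            if (principal == null) {
                principal = subjectDN;
            } else if (!principal.equals(subjectDN)) {
                principalsSet.add(subjectDN);
            }
            principalsSet.add(CertUtils.getIssuerName(cert));
        }
        principalsSB = new StringBuilder(50);
        for (Iterator iter = principalsSet.iterator(); iter.hasNext(); ) {
            if (principalsSB.length() > 0) {
                principalsSB.append("|");
            }
            principalsSB.append((String) iter.next());
        }
    }
    if (debug.messageEnabled()) {
        debug.message("WebServiceAuthenticatorImpl.authenticate" + ": principal = " + principal + ", principals = " + principalsSB);
    }
    String authMech = message.getAuthenticationMechanism();
    String cacheKey = authMech + " " + principal;
    if (debug.messageEnabled()) {
        debug.message("WebServiceAuthenticatorImpl.authenticate" + ": cacheKey = " + cacheKey);
    }
    // the original code locked the cache only for remove(); get() and put() are locked the same way so
    // that all three accesses are consistent whatever map type backs ssoTokenCache
    SSOToken ssoToken;
    synchronized (ssoTokenCache) {
        ssoToken = (SSOToken) ssoTokenCache.get(cacheKey);
    }
    if (ssoToken != null) {
        if (ssoTokenManager.isValidToken(ssoToken)) {
            if (debug.messageEnabled()) {
                debug.message("WebServiceAuthenticatorImpl." + "authenticate: found ssoToken in cache");
            }
            return ssoToken;
        }
        if (debug.messageEnabled()) {
            debug.message("WebServiceAuthenticatorImpl." + "authenticate: ssoToken in cache expired");
        }
        synchronized (ssoTokenCache) {
            ssoTokenCache.remove(cacheKey);
        }
        ssoToken = null;
    }
    String authInstant = null;
    try {
        // NOTE(review): if createSSOToken() below fails, the activated internal session is not
        // destroyed here — confirm whether the session service reaps it
        InternalSession is = InjectorHolder.getInstance(SessionService.class).newInternalSession(null, null, false);
        is.activate("");
        Map attrs = sessionSchema.getAttributeDefaults();
        is.setMaxSessionTime(CollectionHelper.getIntMapAttr(attrs, MAX_SESSION_TIME, DEFAULT_MAX_SESSION_TIME, debug));
        is.setMaxIdleTime(CollectionHelper.getIntMapAttr(attrs, IDLE_TIME, DEFAULT_IDLE_TIME, debug));
        is.setMaxCachingTime(CollectionHelper.getIntMapAttr(attrs, CACHE_TIME, DEFAULT_CACHE_TIME, debug));
        is.putProperty(AUTH_TYPE_PROP, authMech);
        authInstant = DateUtils.toUTCDateFormat(new Date());
        is.putProperty(AUTH_INSTANT_PROP, authInstant);
        ssoToken = SSOTokenManager.getInstance().createSSOToken(is.getID().toString());
    } catch (Exception ex) {
        debug.error("WebServiceAuthenticatorImpl.authenticate: " + "Unable to get SSOToken", ex);
    }
    if (ssoToken == null) {
        return null;
    }
    try {
        ssoToken.setProperty(PRINCIPAL_PROP, principal);
        if (principalsSB != null) {
            ssoToken.setProperty(PRINCIPALS_PROP, principalsSB.toString());
        }
        if (authInstant != null) {
            ssoToken.setProperty(AUTH_INSTANT_PROP, authInstant);
        }
        ssoToken.setProperty(AUTH_TYPE_PROP, authMech);
        SSOTokenManager.getInstance().refreshSession(ssoToken);
        synchronized (ssoTokenCache) {
            ssoTokenCache.put(cacheKey, ssoToken);
        }
    } catch (Exception ex) {
        debug.error("WebServiceAuthenticatorImpl.authenticate: " + "Unable to set SSOToken property", ex);
        return null;
    }
    return ssoToken;
}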
use of com.iplanet.sso.SSOToken in project OpenAM by OpenRock.
the class CramMD5MechanismHandler method getUserPassword.
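/**
 * Looks up the stored password of exactly one user so the CRAM-MD5 challenge response can be verified.
 *
 * The lookup runs with the admin token against the root suffix. CRAM-MD5 needs the clear-text secret,
 * so only a {@code {CLEAR}}-prefixed (or unprefixed) {@code userPassword} value is usable; the prefix is
 * stripped before the value is returned. The returned value is a credential and must not be logged.
 *
 * @param userName the user name taken from the CRAM-MD5 response; treated as a literal identity name,
 *                 names containing a wildcard are rejected
 * @return the clear-text password, or null if the name is invalid, the user is missing or ambiguous,
 *         the user has no or several passwords, or the lookup fails
 */
private static String getUserPassword(String userName) {
    // searchIdentities takes a search pattern, not a literal name (other callers pass "*"); a
    // caller-supplied name with a wildcard could resolve to a different single account, so refuse it
    if (userName == null || userName.length() == 0 || userName.indexOf('*') >= 0) {
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.getUserPassword: " + "invalid user name");
        }
        return null;
    }
    try {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, SMSEntry.getRootSuffix());
        IdSearchControl searchControl = new IdSearchControl();
        searchControl.setTimeOut(0);
        searchControl.setMaxResults(0);
        searchControl.setAllReturnAttributes(false);
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, userName, searchControl);
        Set users = searchResults.getSearchResults();
        if (users == null || users.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "no user found");
            }
            return null;
        }
        if (users.size() > 1) {
            // ambiguity is treated as failure rather than picking an arbitrary account
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "more than 1 user found");
            }
            return null;
        }
        AMIdentity user = (AMIdentity) users.iterator().next();
        Set passwords = user.getAttribute("userPassword");
        if (passwords == null || passwords.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has no password");
            }
            return null;
        }
        if (passwords.size() > 1) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has more than 1 passwords");
            }
            return null;
        }
        String password = (String) passwords.iterator().next();
        final String clearPrefix = "{CLEAR}";
        if (password.startsWith(clearPrefix)) {
            password = password.substring(clearPrefix.length());
        }
        return password;
    } catch (Exception ex) {
        // boundary catch: any repository or token failure degrades to "no password available"
        AuthnSvcUtils.debug.error("CramMD5MechanismHandler.getUserPassword: ", ex);
        return null;
    }
}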