
Example 26 with AMIdentity

use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.

the class IdentityRestUtils method changePassword.

/**
 * Changes the password of {@code username} in {@code realm}, acting under the SSO token of the
 * caller found in {@code serverContext}.
 * <p>
 * On failure only the username is logged; neither the old nor the new password is written to
 * the log or to the error returned to the client.
 *
 * @param serverContext request context that carries the caller's {@link SSOTokenContext}
 * @param realm         realm the user belongs to
 * @param username      user whose password is changed
 * @param oldPassword   current password, handed to {@link AMIdentity#changePassword}
 * @param newPassword   replacement password, handed to {@link AMIdentity#changePassword}
 * @throws ResourceException a 401 {@link PermanentException} when the caller's SSO token cannot be
 *                           used, or the error mapped from the {@link IdRepoException} raised by the
 *                           identity repository
 */
public static void changePassword(Context serverContext, String realm, String username, String oldPassword, String newPassword) throws ResourceException {
    try {
        final SSOTokenContext tokenContext = serverContext.asContext(SSOTokenContext.class);
        final SSOToken callerToken = tokenContext.getCallerSSOToken();
        // The identity is bound to the caller's token, so the change runs with the caller's rights.
        final AMIdentity user = new AMIdentity(callerToken, username, IdType.USER, realm, null);
        user.changePassword(oldPassword, newPassword);
    } catch (SSOException ssoe) {
        final String logMessage = "IdentityRestUtils.changePassword() :: SSOException occurred while changing the password for user: " + username;
        debug.warning(logMessage, ssoe);
        throw new PermanentException(401, "An error occurred while trying to change the password", ssoe);
    } catch (IdRepoException ire) {
        throw RESOURCE_MAPPING_HANDLER.handleError(ire);
    }
}

Example 27 with AMIdentity

use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.

the class LoginState method searchUserProfile.

/**
 * Search the user profile for the principals authenticated in {@code subject}.
 * <p>
 * If {@code IndexType} is USER and the number of tokens is 1 and the token is
 * {@code superAdmin} then return. If more than 1 tokens are found then make
 * sure the user tokens are in {@code iplanet-am-useralias-list}.
 * <p>
 * If {@code IndexType} is {@code LEVEL} or {@code MODULE} then there is only
 * 1 user token: retrieve the profile for the authenticated user and create the
 * profile if dynamic profile creation is enabled.
 * <p>
 * If {@code IndexType} is {@code ORG}, {@code SERVICE} or {@code ROLE} then
 * retrieve the user profile for the first token; if the profile is found and
 * {@code user-alias-list} contains the other tokens then continue, else try to
 * retrieve the remaining tokens until a match is found.
 * <p>
 * Checks that all the users in the tokenSet are active, else error. For ROLE
 * based authentication checks that all users belong to the same Role.
 * <p>
 * Side effects: the {@code tokenSet}, {@code token}, {@code userDN} and
 * {@code amIdentityUser} fields of this login state are updated as the search
 * proceeds.
 *
 * @param subject   the authenticated subject whose principals supply the user tokens
 * @param indexType the authentication index type the login was started with
 * @param indexName the index name (module, role, service, ...) the login was started with
 * @return {@code true} if it found the user profile
 * @throws AuthException if the subject has no tokens, a user is locked or inactive,
 *                       a user is not a member of the requested role, or the alias
 *                       list cannot be reconciled and {@code createWithAlias} is not set
 */
public boolean searchUserProfile(Subject subject, AuthContext.IndexType indexType, String indexName) throws AuthException {
    // retrieve the tokens from the subject: one token per user the subject authenticated as
    tokenSet = getTokenFromPrincipal(subject);
    if (DEBUG.messageEnabled()) {
        DEBUG.message("in searchUserProfile");
        DEBUG.message("indexType is.. :" + indexType);
        DEBUG.message("indexName is.. :" + indexName);
        DEBUG.message("Subject is.. :" + subject);
        DEBUG.message("token is.. :" + token);
        DEBUG.message("tokenSet is.. :" + tokenSet);
        DEBUG.message("ignoreUserProfile.. :" + ignoreUserProfile);
        DEBUG.message("userDN is.. :" + userDN);
    }
    try {
        boolean gotUserProfile = true;
        // Profile lookup is bypassed entirely when the profile is to be ignored for a
        // non-application module, or when an application module authenticated the super admin.
        // The identity is then built straight from userDN, without any repository search.
        if (((ignoreUserProfile && !isApplicationModule(indexName))) || (isApplicationModule(indexName) && LazyConfig.AUTHD.isSuperAdmin(userDN))) {
            if (LazyConfig.AUTHD.isSuperAdmin(userDN)) {
                amIdentityUser = LazyConfig.AUTHD.getIdentity(IdType.USER, userDN, getOrgDN());
            } else {
                // Constructed with a null SSO token -- presumably no repository access happens here; verify.
                amIdentityUser = new AMIdentity(null, userDN, IdType.USER, getOrgDN(), null);
            }
            userDN = getUserDN(amIdentityUser);
            populateDefaultUserAttributes();
            return true;
        }
        if ((indexType == AuthContext.IndexType.USER)) {
            if (token == null) {
                return false;
            }
            // Single user token: load its profile, then check that every token in tokenSet
            // is covered by that user's alias list.
            getUserProfile(token, true);
            Map<String, Boolean> aliasFound = searchUserAliases(token, tokenSet);
            if (!checkAliasList(aliasFound)) {
                if (createWithAlias) {
                    // NOTE(review): when amIdentityUser is null this hands a null AMIdentity to the
                    // AMIdentity overload, while the token overload is used when an identity exists.
                    // The branches look inverted -- confirm against the overload's null handling.
                    if (amIdentityUser == null) {
                        addAliasToUserProfile(amIdentityUser, aliasFound);
                    } else {
                        addAliasToUserProfile(token, aliasFound);
                    }
                } else {
                    // Aliases cannot be reconciled and may not be created: reject the login.
                    throw new AuthException(AMAuthErrorCode.AUTH_LOGIN_FAILED, null);
                }
            }
        } else {
            // for ORG / SERVICE / ROLE / MODULE / LEVEL
            // not read anywhere in this method
            boolean gotProfile = true;
            if (tokenSet.isEmpty()) {
                DEBUG.message("tokenset empty");
                throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
            } else if (tokenSet.size() == 1) {
                // Lock status is checked before any profile lookup or creation for the token.
                if (isAccountLocked(token)) {
                    DEBUG.message(String.format("User account \"%s\" locked", token));
                    throw new AuthException(AMAuthErrorCode.AUTH_USER_LOCKED, null);
                }
                DEBUG.message("tokenset size is 1");
                gotUserProfile = getCreateUserProfile(true);
                // userEnabled is the instance field; presumably set by the lookup above -- verify.
                if (!userEnabled) {
                    setFailedUserId(token);
                    throw new AuthException(AMAuthErrorCode.AUTH_USER_INACTIVE, null);
                }
                // The super admin is exempt from the role membership check below.
                if (LazyConfig.AUTHD.isSuperAdmin(userDN)) {
                    return true;
                }
                if (gotUserProfile) {
                    if (indexType == AuthContext.IndexType.ROLE) {
                        // The user must be a member of the role the login was started for.
                        boolean userRoleFound = getUserForRole(getIdentityRole(indexName, getOrgDN()));
                        if (DEBUG.messageEnabled()) {
                            DEBUG.message("userRoleFound: " + userRoleFound);
                        }
                        if (!userRoleFound) {
                            // Logged and audited as a login failure before the login is rejected.
                            logFailed(AuthUtils.getErrorVal(AMAuthErrorCode.AUTH_USER_NOT_FOUND, AuthUtils.ERROR_MESSAGE), "USERNOTFOUND");
                            auditor.auditLoginFailure(this, USER_NOT_FOUND);
                            throw new AuthException(AMAuthErrorCode.AUTH_USER_NOT_FOUND, null);
                        }
                    }
                }
            } else {
                // came here multiple users found
                DEBUG.message("came here !! multiple modules , users ");
                // initialize variables required
                // validToken: first token whose profile was found
                String validToken = null;
                boolean foundUserAlias = false;
                boolean userRoleFound = true;
                Map<String, Boolean> userEnabledMap = new HashMap<String, Boolean>();
                Map<String, Boolean> userRoleFoundMap = new HashMap<String, Boolean>();
                Map<String, Boolean> foundAliasMap = new HashMap<String, Boolean>();
                Map<String, Boolean> gotUserProfileMap = new HashMap<String, Boolean>();
                // aliasToken: token whose alias list covers the other tokens
                String aliasToken = null;
                // Visit each token in turn; note that this loop overwrites the token field.
                for (final String tok : tokenSet) {
                    token = tok;
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("BEGIN WHILE: Token is.. : " + token);
                    }
                    gotUserProfile = getUserProfile(token, true);
                    gotUserProfileMap.put(token, gotUserProfile);
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("gotUserProfile : " + gotUserProfile);
                    }
                    if (gotUserProfile) {
                        if (validToken == null) {
                            validToken = token;
                        }
                        userEnabledMap.put(token, userEnabled);
                        if (indexType == AuthContext.IndexType.ROLE) {
                            userRoleFound = getUserForRole(getIdentityRole(indexName, getOrgDN()));
                            userRoleFoundMap.put(token, userRoleFound);
                        }
                        foundAliasMap = searchUserAliases(token, tokenSet);
                        // Assignment inside the condition is intentional: the flag is read after the loop.
                        if (foundUserAlias = getFoundUserAlias(foundAliasMap)) {
                            aliasToken = token;
                            if (DEBUG.messageEnabled()) {
                                DEBUG.message("found aliases exiting while:" + foundAliasMap);
                            }
                            // the first profile whose alias list covers the set wins
                            break;
                        }
                    }
                }
                // end while
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("Alias Token is : " + aliasToken);
                    DEBUG.message("Profile Token :" + validToken);
                    DEBUG.message("Token is : " + token);
                }
                // Continue as the aliased user when one was found; otherwise token stays the last one visited.
                if (aliasToken != null) {
                    token = aliasToken;
                }
                // This local shadows the userEnabled field read in the single-token branch above.
                boolean userEnabled = getUserEnabled(userEnabledMap);
                if (!userEnabled) {
                    setFailedUserId(DNUtils.DNtoName(token));
                    throw new AuthException(AMAuthErrorCode.AUTH_USER_INACTIVE, null);
                }
                if (indexType == AuthContext.IndexType.ROLE) {
                    // Role membership aggregated over every token that had a profile.
                    userRoleFound = getUserRoleFound(userRoleFoundMap);
                    if (!userRoleFound) {
                        logFailed(AuthUtils.getErrorVal(AMAuthErrorCode.AUTH_USER_NOT_FOUND, AuthUtils.ERROR_MESSAGE), "USERNOTFOUND");
                        auditor.auditLoginFailure(this, USER_NOT_FOUND);
                        throw new AuthException(AMAuthErrorCode.AUTH_USER_NOT_FOUND, null);
                    }
                    DEBUG.message("userRoleFound:true");
                }
                gotUserProfile = getGotUserProfile(gotUserProfileMap);
                DEBUG.message("userEnabled : true");
                // A profile exists but its alias list does not cover the other tokens:
                // add them when allowed, otherwise reject the login.
                if ((gotUserProfile) && (!foundUserAlias)) {
                    if (createWithAlias) {
                        if (DEBUG.messageEnabled()) {
                            DEBUG.message("dynamicProfileCreation : " + dynamicProfileCreation);
                            DEBUG.message("foundUserAliasMap : " + foundAliasMap);
                            DEBUG.message("foundUserAliasMap : " + foundUserAlias);
                        }
                        addAliasToUserProfile(validToken, foundAliasMap);
                    } else {
                        //end dynamic profile creation
                        throw new AuthException(AMAuthErrorCode.AUTH_LOGIN_FAILED, null);
                    }
                }
                // No profile at all: create one for the tokens when allowed.
                if (createWithAlias && !gotUserProfile) {
                    gotUserProfile = createUserProfileForTokens(tokenSet, gotUserProfileMap);
                }
            }
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("LoginState:searchUserProfile:returning: " + gotUserProfile);
        }
        return gotUserProfile;
    } catch (AuthException e) {
        // Rewrapped rather than rethrown; whether the original error code survives depends
        // on the AuthException(Throwable) constructor -- TODO confirm.
        throw new AuthException(e);
    } catch (Exception e) {
        // Any other failure (repository, SSO, ...) is logged and surfaces as an AuthException,
        // so a lookup error never lets the login proceed.
        DEBUG.error("Error retrieving profile", e);
        throw new AuthException(e);
    }
}

Example 28 with AMIdentity

use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.

the class LoginState method addAliasToUserProfile.

/**
 * Adds the given token to the {@code iplanet-am-user-alias-list} of the user that has a profile.
 * <p>
 * Resolves {@code token} to a USER {@link AMIdentity} in the current organization and delegates to
 * the {@code AMIdentity} overload of this method.
 *
 * @param token             the user token to resolve and record as an alias
 * @param foundUserAliasMap tokens mapped to whether they were already found as aliases
 * @throws AuthException if the alias cannot be added
 */
void addAliasToUserProfile(String token, Map<String, Boolean> foundUserAliasMap) throws AuthException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("Token : " + token);
    }
    // Resolve the token to a USER identity in this org, then reuse the AMIdentity overload.
    addAliasToUserProfile(LazyConfig.AUTHD.getIdentity(IdType.USER, token, getOrgDN()), foundUserAliasMap);
}

Example 29 with AMIdentity

use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.

the class LoginState method getUserProfile.

/**
 * Returns <code>true</code> if a user profile is found for <code>user</code>.
 * <p>
 * Lookup order: the super admin is resolved directly; any other user is first looked up by
 * name through {@code IdUtils.getIdentity}, with a fallback {@code IdRepo} search over the
 * configured identity types ("user" first). Exactly one match is required: no match returns
 * {@code false}, more than one match is rejected with an {@code AuthException}.
 * <p>
 * Side effects on success: sets the {@code amIdentityUser} and {@code userDN} fields and, when
 * {@code populate} is set, populates the user attributes merged with the session service
 * attributes of the role (if any) or of the user.
 * <p>
 * Repository and SSO errors are logged and reported as {@code false}; the caller cannot
 * distinguish them from a missing profile.
 *
 * @param user        userID for profile; must be non-empty
 * @param populate    whether to load the attributes of the found identity into this login state
 * @param loginStatus current login status for profile, passed on to {@code populateUserAttributes}
 * @return <code>true</code> if user profile found.
 * @throws AuthException if <code>user</code> is null or empty, or if multiple users match the search
 */
public boolean getUserProfile(String user, boolean populate, boolean loginStatus) throws AuthException {
    // if this check is not added SDK goes into a loop
    if ((user == null) || (user.length() == 0)) {
        throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
    }
    IdType idt = null;
    try {
        if (DEBUG.messageEnabled()) {
            DEBUG.message("In getUserProfile : Search for user " + user);
        }
        Set<AMIdentity> amIdentitySet = Collections.emptySet();
        IdSearchResults searchResults = null;
        if (LazyConfig.AUTHD.isSuperAdmin(user)) {
            // get the AMIdentity to get the universal
            // id of amAdmin, currently there is no support
            // for special users so the universal id in
            // the ssotoken will be amAdmin's id.
            AMIdentity amIdentity = LazyConfig.AUTHD.getIdentity(IdType.USER, user, getOrgDN());
            amIdentitySet = new HashSet<AMIdentity>();
            amIdentitySet.add(amIdentity);
        } else {
            // First try a direct lookup by name under the auth service's own SSO session
            // (i.e., using IdUtils); the identity is accepted only if it has attributes.
            try {
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("LoginState: gettingIdentity " + "using IdUtil.getIdentity: " + user + " Org: " + getOrgDN());
                }
                AMIdentity amIdentity = IdUtils.getIdentity(LazyConfig.AUTHD.getSSOAuthSession(), user, getOrgDN());
                if (amIdentity != null && amIdentity.getAttributes() != null) {
                    amIdentitySet = new HashSet<AMIdentity>();
                    amIdentitySet.add(amIdentity);
                    idt = amIdentity.getType();
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("LoginState: getIdentity " + "using IdUtil.getIdentity: " + amIdentity);
                    }
                }
            } catch (IdRepoException e) {
                // Ignore the exception and continue with the search below
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("LoginState: getting identity " + "Got IdRepException in IdUtils.getIdentity", e);
                }
            } catch (SSOException se) {
                // Ignore the exception and continue with the search below
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("LoginState: getting identity " + "Got SSOException in IdUtils.getIdentity", se);
                }
            }
            // search for all configured Identity Types
            // Reference comparison against the shared empty singleton: this only works because
            // Collections.emptySet() returns Collections.EMPTY_SET; isEmpty() would be more robust.
            // The search also runs when the direct lookup returned a type not in identityTypes.
            if (amIdentitySet == Collections.EMPTY_SET || idt != null && !identityTypes.contains(idt.getName())) {
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("LoginState: getIdentity " + "performing IdRepo search to obtain AMIdentity");
                }
                // The search key is the name part only, in case a full DN was supplied.
                String userTokenID = DNUtils.DNtoName(user);
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("Search for Identity " + userTokenID);
                }
                Set<String> tmpIdentityTypes = new HashSet<String>(identityTypes);
                // "user" is searched first; the remaining types only if that produced nothing.
                if (identityTypes.contains("user")) {
                    tmpIdentityTypes.remove("user");
                    searchResults = searchIdentity(IdUtils.getType("user"), userTokenID, populate);
                    if (searchResults != null) {
                        amIdentitySet = searchResults.getSearchResults();
                    }
                }
                if (amIdentitySet.isEmpty()) {
                    for (final String strIdType : tmpIdentityTypes) {
                        // Get identity by searching; stop at the first type that yields a result
                        searchResults = searchIdentity(IdUtils.getType(strIdType), userTokenID, populate);
                        if (searchResults != null) {
                            amIdentitySet = searchResults.getSearchResults();
                        }
                        if (!amIdentitySet.isEmpty()) {
                            break;
                        }
                    }
                }
            }
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("result is :" + amIdentitySet);
        }
        if (amIdentitySet.isEmpty()) {
            return false;
        }
        // check if there is multiple match
        if (amIdentitySet.size() > 1) {
            // multiple user match found, throw exception,
            // user need to login as super admin to fix it
            // (an ambiguous identity is refused rather than picking one of the matches)
            // Note: the message reports the token field, not the user parameter being looked up.
            DEBUG.error("getUserProfile : Multiple matches found for " + "user '" + token + "' in org " + orgDN + "\nPlease make sure user is unique within the login " + "organization, and contact your admin to fix the problem");
            throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
        }
        // The cast is redundant: the set is already typed as Set<AMIdentity>.
        amIdentityUser = (AMIdentity) amIdentitySet.iterator().next();
        userDN = getUserDN(amIdentityUser);
        idt = amIdentityUser.getType();
        if (DEBUG.messageEnabled()) {
            DEBUG.message("userDN is : " + userDN);
            DEBUG.message("userID(token) is : " + token);
            DEBUG.message("idType is : " + idt);
        }
        if (populate) {
            // Raw Map types come from the SDK API. basicAttrs is taken from the search results
            // when a search was run, otherwise straight from the identity.
            Map basicAttrs = null;
            Map serviceAttrs = null;
            if (searchResults != null) {
                basicAttrs = (Map) searchResults.getResultAttributes().get(amIdentityUser);
            } else {
                basicAttrs = amIdentityUser.getAttributes();
            }
            if (amIdentityRole != null) {
                // role based auth. the specified role takes preference.
                DEBUG.message("retrieving session service from role");
                // The inner null check repeats the outer one.
                if (amIdentityRole != null) {
                    //Fix for OPENAM-612 - this request is cached most of the time
                    Set oc = amIdentityRole.getAttribute("objectclass");
                    // Session service attributes are fetched only when the objectclass says they exist.
                    if (oc != null && oc.contains("iplanet-am-session-service")) {
                        serviceAttrs = amIdentityRole.getServiceAttributes(ISAuthConstants.SESSION_SERVICE_NAME);
                    }
                }
            } else if (idt.equals(IdType.USER)) {
                DEBUG.message("retrieving session service from user");
                //Fix for OPENAM-612 - this request is cached most of the time
                Set oc = amIdentityUser.getAttribute("objectclass");
                if (oc != null && oc.contains("iplanet-am-session-service")) {
                    serviceAttrs = amIdentityUser.getServiceAttributes(ISAuthConstants.SESSION_SERVICE_NAME);
                }
            }
            // NOTE(review): basicAttrs is not null-checked before putAll; verify the result map
            // always has an entry for the identity when searchResults is non-null.
            if (serviceAttrs != null && !serviceAttrs.isEmpty()) {
                basicAttrs.putAll(serviceAttrs);
            }
            populateUserAttributes(basicAttrs, loginStatus, amIdentityUser);
        }
        return true;
    } catch (SSOException ex) {
        // Falls through to "not found"; the stack trace is logged at message level only.
        DEBUG.error("SSOException");
        if (DEBUG.messageEnabled()) {
            DEBUG.message("Stack trace: ", ex);
        }
    } catch (AMException ex) {
        // The message text refers to aliases, which this method does not look up; likely copied.
        DEBUG.error("No aliases for: " + aliasAttrNames + "=" + token);
        if (DEBUG.messageEnabled()) {
            DEBUG.message("Stack trace: ", ex);
        }
    } catch (IdRepoException ee) {
        // DEBUG.error is gated on messageEnabled here, so at error level alone this failure is silent.
        if (DEBUG.messageEnabled()) {
            DEBUG.error("IdReporException ", ee);
        }
    }
    return false;
}

Example 30 with AMIdentity

use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.

the class LoginState method getUserUniversalId.

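/**
 * Returns the universal id associated with a user name.
 * <p>
 * Uses the already-resolved {@code amIdentityUser} when this login state has one; otherwise the
 * identity is looked up by name in the current organization. Any failure is logged and yields
 * {@code null} rather than an exception.
 *
 * @param userName name of the user whose universal id is wanted; only consulted when no
 *                 identity has been resolved for this login state yet
 * @return universal identifier of the user, or {@code null} if it could not be determined
 */
public String getUserUniversalId(String userName) {
    AMIdentity amIdUser = amIdentityUser;
    String universalId = null;
    try {
        if (amIdUser == null) {
            amIdUser = LazyConfig.AUTHD.getIdentity(IdType.USER, userName, getOrgDN());
        }
        universalId = IdUtils.getUniversalId(amIdUser);
    } catch (Exception e) {
        // Log the exception itself, not just its message, so the failing call can be diagnosed.
        if (DEBUG.messageEnabled()) {
            DEBUG.message("Error getting Identity for user :" + e.getMessage(), e);
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("getUserUniversalId:universalId : " + universalId);
    }
    return universalId;
}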
