use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class DelegationPolicyImpl method getSubjects.
/**
* Returns a set of selected subjects of specified types matching the
* pattern in the given realm. The pattern accepts "*" as the wild card for
* searching subjects. For example, "a*c" matches with any subject starting
* with a and ending with c.
*
* @param token The <code>SSOToken</code> of the requesting user
* @param orgName The name of the realm from which the subjects are fetched.
* @param types a set of subject types. e.g. ROLE, GROUP.
* @param pattern a filter used to select the subjects.
*
* @return a set of subjects associated with the realm.
*
* @throws SSOException invalid or expired single-sign-on token
* @throws DelegationException for any abnormal condition
*
* @return <code>Set</code> of universal Ids of the subjects associated
* with the realm.
*
* @throws SSOException invalid or expired single-sign-on token
* @throws DelegationException for any abnormal condition
*/
public Set getSubjects(SSOToken token, String orgName, Set types, String pattern) throws SSOException, DelegationException {
Set results = new HashSet();
// All Authenticated Users would be returned only if pattern is *
if ((pattern != null) && pattern.equals("*")) {
results.add(AUTHN_USERS_ID);
}
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): types=" + types);
}
try {
AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
Set supportedTypes = idRepo.getSupportedIdTypes();
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): " + "supported subject types=" + supportedTypes);
}
if ((supportedTypes != null) && (!supportedTypes.isEmpty()) && (types != null) && (!types.isEmpty())) {
Iterator it = types.iterator();
while (it.hasNext()) {
IdType idType = IdUtils.getType((String) it.next());
if (supportedTypes.contains(idType)) {
IdSearchControl ctrl = new IdSearchControl();
ctrl.setRecursive(true);
ctrl.setMaxResults(-1);
ctrl.setTimeOut(-1);
IdSearchResults idsr = idRepo.searchIdentities(idType, pattern, ctrl);
if (idsr != null) {
Set searchRes = idsr.getSearchResults();
if ((searchRes != null) && (!searchRes.isEmpty())) {
Iterator iter = searchRes.iterator();
while (iter.hasNext()) {
AMIdentity id = (AMIdentity) iter.next();
results.add(IdUtils.getUniversalId(id));
}
}
}
}
}
}
return results;
} catch (IdRepoException ide) {
throw new DelegationException(ide);
}
}
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class FSDefaultSPAdapter method postSSOFederationSuccess.
/**
* Invokes this method after the successful Single Sign-On or Federation.
* @param hostedEntityID provider ID for the hosted SP
* @param request servlet request
* @param response servlet response
* @param ssoToken user's SSO token
* @param authnRequest the original authentication request sent from SP
* @param authnResponse response from IDP if Browser POST or LECP profile
* is used for the request, value will be null if Browser Artifact
* profile is used.
* @param samlResponse response from IDP if Browser Artifact profile is used
* for the request, value will be null if Browser POST or LECP
* profile is used.
* @exception FederationException if user want to fail the process.
* @return true if browser redirection happened, false otherwise.
*/
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
}
// find out if this is a federation request
boolean isFederation = false;
if (authnRequest == null) {
FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
} else {
String nameIDPolicy = authnRequest.getNameIDPolicy();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
}
if (nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_FEDERATED)) {
isFederation = true;
}
}
SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
if (isFederation && adminToken != null) {
try {
// get name Identifier
String nameId = null;
List assertions = null;
String idpEntityId = null;
if (authnResponse != null) {
// POST profile
assertions = authnResponse.getAssertion();
idpEntityId = authnResponse.getProviderId();
} else {
// Artifact profile
assertions = samlResponse.getAssertion();
}
FSAssertion assertion = (FSAssertion) assertions.iterator().next();
if (idpEntityId == null) {
idpEntityId = assertion.getIssuer();
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
}
Iterator stmtIter = assertion.getStatement().iterator();
while (stmtIter.hasNext()) {
Statement statement = (Statement) stmtIter.next();
int stmtType = statement.getStatementType();
if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
FSSubject subject = (FSSubject) authStatement.getSubject();
NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
if (ni == null) {
ni = subject.getNameIdentifier();
}
if (ni != null) {
nameId = ni.getName();
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
}
break;
}
}
if (nameId == null) {
FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
return false;
}
Map map = new HashMap();
Set set = new HashSet();
set.add("|" + hostedEntityID + "|" + nameId + "|");
map.put("iplanet-am-user-federation-info-key", set);
AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
IdSearchControl searchControl = new IdSearchControl();
searchControl.setTimeOut(0);
searchControl.setMaxResults(0);
searchControl.setAllReturnAttributes(false);
searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
Set amIdSet = searchResults.getSearchResults();
if (amIdSet.size() > 1) {
String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
}
String metaAlias = null;
try {
IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
if (metaManager != null) {
SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
if (spConfig != null) {
metaAlias = spConfig.getMetaAlias();
}
}
} catch (IDFFMetaException ie) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
}
}
FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
// previous federation exists with different users
Iterator it = amIdSet.iterator();
while (it.hasNext()) {
AMIdentity amId = (AMIdentity) it.next();
// compare with the SSO token
String tmpUnivId = IdUtils.getUniversalId(amId);
if (univId.equalsIgnoreCase(tmpUnivId)) {
continue;
}
// remove federation information for this user
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
}
accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
}
}
} catch (FSAccountMgmtException f) {
FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
} catch (IdRepoException i) {
FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
} catch (SSOException e) {
FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
}
}
return false;
}
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class CramMD5MechanismHandler method getUserPassword.
private static String getUserPassword(String userName) {
try {
SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, SMSEntry.getRootSuffix());
IdSearchControl searchControl = new IdSearchControl();
searchControl.setTimeOut(0);
searchControl.setMaxResults(0);
searchControl.setAllReturnAttributes(false);
IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, userName, searchControl);
Set users = searchResults.getSearchResults();
if (users == null || users.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("CramMD5MechanismHandler.getUserPassword: " + "no user found");
}
return null;
}
if (users.size() > 1) {
if (debug.messageEnabled()) {
debug.message("CramMD5MechanismHandler.getUserPassword: " + "more than 1 user found");
}
return null;
}
AMIdentity user = (AMIdentity) users.iterator().next();
Set passwords = user.getAttribute("userPassword");
if (passwords == null || passwords.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has no password");
}
return null;
}
if (passwords.size() > 1) {
if (debug.messageEnabled()) {
debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has more than 1 passwords");
}
return null;
}
String password = (String) passwords.iterator().next();
if (password.startsWith("{CLEAR}")) {
password = password.substring(7);
}
return password;
} catch (Exception ex) {
AuthnSvcUtils.debug.error("CramMD5MechanismHandler.getUserPassword: ", ex);
return null;
}
}
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class IdRepoDataStoreProvider method getUserID.
/**
* Returns user matching the search criteria.
* @param orgDN The realm to search the user. If null,
* searches the root realm.
* @param avPairs Attribute key/value pairs that will be used for
* searching the user. Key is the attribute name, value
* is a Set containing attribute value(s).
* @return Universal identifier of the matching user, null if
* the matching user could not be found.
* @throws DataStoreProviderException if error occurs during search or
* multiple matching users found.
*/
public String getUserID(String orgDN, Map<String, Set<String>> avPairs) throws DataStoreProviderException {
if (orgDN == null) {
orgDN = SMSEntry.getRootSuffix();
}
if (avPairs == null || avPairs.isEmpty()) {
throw new DataStoreProviderException(bundle.getString("nullAvPair"));
}
Set amIdSet = null;
try {
IdSearchControl searchControl = getIdSearchControl(avPairs, IdSearchOpModifier.AND);
AMIdentityRepository idRepo = getAMIdentityRepository(orgDN);
IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
amIdSet = searchResults.getSearchResults();
} catch (IdRepoException ame) {
debug.error("IdRepoDataStoreProvider.getUserID(): IdRepoException", ame);
throw new DataStoreProviderException(ame);
} catch (SSOException ssoe) {
debug.error("IdRepoDataStoreProvider.getUserID() : SSOException", ssoe);
throw new DataStoreProviderException(ssoe);
}
if (amIdSet == null || amIdSet.isEmpty()) {
debug.message("IdRepoDataStoreProvider.getUserID : user not found");
return null;
} else if (amIdSet.size() > 1) {
debug.message("IdRepoDataStoreProvider.getUserID : multiple match");
throw new DataStoreProviderException(bundle.getString("multipleMatches"));
}
// single user found.
final AMIdentity amId = (AMIdentity) amIdSet.iterator().next();
final String universalId = IdUtils.getUniversalId(amId);
if (debug.messageEnabled()) {
debug.message("IdRepoDataStoreProvider.getUserID()" + " Name=: " + amId.getName() + " DN=: " + amId.getDN() + " univId=: " + universalId);
}
return universalId;
}
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class DeviceIdSave method getIdentity.
/**
* Gets the identity of the user.
*
* @return The user's identity.
*/
private AMIdentityWrapper getIdentity() {
AMIdentityWrapper amIdentity = null;
AMIdentityRepository amIdRepo = getAMIdentityRepository(getRequestOrg());
IdSearchControl idsc = new IdSearchControl();
idsc.setAllReturnAttributes(true);
Set<AMIdentity> results = Collections.emptySet();
try {
idsc.setMaxResults(0);
IdSearchResults searchResults = amIdRepo.searchIdentities(IdType.USER, userName, idsc);
if (searchResults != null) {
results = searchResults.getSearchResults();
}
if (results.isEmpty()) {
DEBUG.error("DeviceIdSave.getIdentity : User " + userName + " is not found");
} else if (results.size() > 1) {
DEBUG.error("DeviceIdSave.getIdentity : More than one user found for the userName " + userName);
} else {
amIdentity = new AMIdentityWrapper(results.iterator().next());
}
} catch (IdRepoException e) {
DEBUG.error("DeviceIdSave.getIdentity : Error searching Identities with username : " + userName, e);
} catch (SSOException e) {
DEBUG.error("DeviceIdSave.getIdentity : Module exception : ", e);
}
return amIdentity;
}
Aggregations