Example 1 with RestrictedTokenAction

use of com.sun.identity.session.util.RestrictedTokenAction in project OpenAM by OpenRock.

the class SessionRequestHandler method processRequest.

private Response processRequest(final PLLAuditor auditor, final Request req, final HttpServletRequest servletRequest, final HttpServletResponse servletResponse) {
    final SessionRequest sreq = SessionRequest.parseXML(req.getContent());
    auditor.setMethod(sreq.getMethodName());
    SessionResponse sres = new SessionResponse(sreq.getRequestID(), sreq.getMethodID());
    Object context;
    try {
        // use remote client IP as default RestrictedToken context
        context = SessionUtils.getClientAddress(servletRequest);
        this.clientToken = null;
    } catch (Exception ex) {
        sessionDebug.error("SessionRequestHandler encountered exception", ex);
        sres.setException(ex.getMessage());
        return auditedExceptionResponse(auditor, sres);
    }
    // A "requester" element in the request replaces the client-IP context. It is
    // unmarshalled into either an SSOToken (the application/agent token the restricted
    // token was issued for) or some other context object; only the SSOToken case is
    // validated here, any other unmarshalled context is used as-is.
    String requester = sreq.getRequester();
    if (requester != null) {
        try {
            context = RestrictedTokenContext.unmarshal(requester);
            if (context instanceof SSOToken) {
                SSOTokenManager ssoTokenManager = SSOTokenManager.getInstance();
                SSOToken adminToken = (SSOToken) context;
                // reject an expired or otherwise invalid application token before
                // it can serve as the restriction context for the request
                if (!ssoTokenManager.isValidToken(adminToken)) {
                    sres.setException(SessionBundle.getString("appTokenInvalid") + requester);
                    return auditedExceptionResponse(auditor, sres);
                }
                this.clientToken = adminToken;
            }
        } catch (Exception ex) {
            if (sessionDebug.warningEnabled()) {
                sessionDebug.warning("SessionRequestHandler.processRequest: app token invalid, sending Session response with Exception");
            }
            sres.setException(SessionBundle.getString("appTokenInvalid") + requester);
            return auditedExceptionResponse(auditor, sres);
        }
    }
    // Run the actual request handling with the chosen context installed on this
    // thread, so that any restricted token met inside is checked against it.
    try {
        sres = (SessionResponse) RestrictedTokenContext.doUsing(context, new RestrictedTokenAction() {

            public Object run() throws Exception {
                return processSessionRequest(auditor, sreq, servletRequest, servletResponse);
            }
        });
    } catch (Exception ex) {
        sessionDebug.error("SessionRequestHandler encountered exception", ex);
        sres.setException(ex.getMessage());
    }
    if (sres.getException() == null) {
        auditor.auditAccessSuccess();
    } else {
        auditor.auditAccessFailure(sres.getException());
    }
    return new Response(sres.toXMLString());
}
Also used : SSOTokenManager(com.iplanet.sso.SSOTokenManager) HttpServletResponse(javax.servlet.http.HttpServletResponse) Response(com.iplanet.services.comm.share.Response) SessionResponse(com.iplanet.dpro.session.share.SessionResponse) SSOToken(com.iplanet.sso.SSOToken) SessionRequest(com.iplanet.dpro.session.share.SessionRequest) SessionException(com.iplanet.dpro.session.SessionException) RestrictedTokenAction(com.sun.identity.session.util.RestrictedTokenAction)

Example 2 with RestrictedTokenAction

use of com.sun.identity.session.util.RestrictedTokenAction in project OpenAM by OpenRock.

the class Session method run.

public void run() {
    if (sessionPollerPool.isPollingEnabled()) {
        try {
            if (!getIsPolling()) {
                long expectedTime;
                if (willExpire(maxIdleTime)) {
                    expectedTime = (latestRefreshTime + (maxIdleTime * 60)) * 1000;
                    if (sessionPollerPool.getCacheBasedPolling()) {
                        expectedTime = Math.min(expectedTime, (latestRefreshTime + (maxCachingTime * 60)) * 1000);
                    }
                } else {
                    expectedTime = (latestRefreshTime + (SessionMeta.getAppSSOTokenRefreshTime() * 60)) * 1000;
                }
                if (expectedTime > scheduledExecutionTime()) {
                    // Get an instance as required otherwise it causes issues on container restart.
                    SystemTimerPool.getTimerPool().schedule(this, new Date(expectedTime));
                    return;
                }
                if (sender == null) {
                    sender = new SessionPollerSender(this);
                }
                // Send the poll under the RestrictedToken context this session was
                // obtained with (agent token or client address), as refresh() does,
                // so a restricted session is polled under the context it is bound to.
                RestrictedTokenContext.doUsing(getContext(), new RestrictedTokenAction() {

                    public Object run() throws Exception {
                        try {
                            setIsPolling(true);
                            sessionPollerPool.getThreadPool().run(sender);
                        } catch (ThreadPoolException e) {
                            setIsPolling(false);
                            sessionDebug.error("Send Polling Error: ", e);
                        }
                        return null;
                    }
                });
            }
        } catch (SessionException se) {
            sessionCache.removeSID(sessionID);
            sessionDebug.message("session is not in timeout state so clean it", se);
        } catch (Exception ex) {
            sessionDebug.error("Exception encountered while polling", ex);
        }
    } else {
        String sessionRemovalDebugMessage;
        if (purgeAt > 0) {
            // destroyed session scheduled for purge
            if (purgeAt > scheduledExecutionTime()) {
                SystemTimerPool.getTimerPool().schedule(this, new Date(purgeAt));
                return;
            }
            sessionRemovalDebugMessage = "Session Removed, Reduced Crosstalk Purge Time complete";
        } else {
            // schedule at the max session time
            long expectedTime = -1;
            if (willExpire(maxSessionTime)) {
                expectedTime = (latestRefreshTime + (maxSessionTime * 60)) * 1000;
            }
            if (expectedTime > scheduledExecutionTime()) {
                SystemTimerPool.getTimerPool().schedule(this, new Date(expectedTime));
                return;
            }
            sessionRemovalDebugMessage = "Session Destroyed, Caching time exceeded the Max Session Time";
        }
        try {
            sessionCache.removeSID(sessionID);
            if (sessionDebug.messageEnabled()) {
                sessionDebug.message(sessionRemovalDebugMessage);
            }
        } catch (Exception ex) {
            sessionDebug.error("Exception occurred while cleaning up Session Cache", ex);
        }
    }
}
Also used : SessionPollerSender(org.forgerock.openam.session.SessionPollerSender) ThreadPoolException(com.iplanet.am.util.ThreadPoolException) Date(java.util.Date) RestrictedTokenAction(com.sun.identity.session.util.RestrictedTokenAction) SSOException(com.iplanet.sso.SSOException)

Example 3 with RestrictedTokenAction

use of com.sun.identity.session.util.RestrictedTokenAction in project OpenAM by OpenRock.

the class Session method refresh.

/**
 * Gets the latest session from session server and updates the local cache
 * of this session.
 *
 * @param reset The flag to indicate whether to reset the latest session
 *        access time in the session server.
 * @exception SessionException if the session reached its
 *            maximum session time, or the session was destroyed, or
 *            there was an error during communication with session
 *            service.
 */
public void refresh(final boolean reset) throws SessionException {
    // Recalculate whether the session is local or remote on every refresh. This is
    // only an optimisation: always using remote mode is functionally safe but less
    // efficient. This check handles the "remote -> local" migration; the reverse
    // "local -> remote" migration is done by Session.markNonLocal(), called from
    // SessionService.handleReleaseSession().
    sessionIsLocal = checkSessionLocal();
    // Prefer the context already installed on this thread (for instance by an
    // enclosing doUsing in the request handler) and fall back to the context this
    // session object was created with, so a restricted session is refreshed under
    // the context it is bound to.
    Object activeContext = RestrictedTokenContext.getCurrent();
    if (activeContext == null) {
        activeContext = this.context;
    }
    try {
        RestrictedTokenContext.doUsing(activeContext, new RestrictedTokenAction() {

            public Object run() throws Exception {
                doRefresh(reset);
                return null;
            }
        });
    } catch (Exception e) {
        sessionCache.removeSID(sessionID);
        if (sessionDebug.messageEnabled()) {
            sessionDebug.message("session.Refresh " + "Removed SID:" + sessionID);
        }
        throw new SessionException(e);
    }
}
Also used : RestrictedTokenAction(com.sun.identity.session.util.RestrictedTokenAction) ThreadPoolException(com.iplanet.am.util.ThreadPoolException) SSOException(com.iplanet.sso.SSOException)

Example 4 with RestrictedTokenAction

use of com.sun.identity.session.util.RestrictedTokenAction in project OpenAM by OpenRock.

the class LocalSSOTokenSessionModule method validateRequest.

/**
 * Validates the request by checking the validity of the SSOToken ID from the AM cookie.
 * <p>
 * If the SSOToken ID is a restricted token then the request must also contain a url parameter "requester" which
 * must contain the application SSOToken ID of the application the restricted token was issued for.
 *
 * @param messageInfo {@inheritDoc}
 * @param clientSubject {@inheritDoc}
 * @param serviceSubject {@inheritDoc}
 * @return {@inheritDoc}
 */
@Override
public Promise<AuthStatus, AuthenticationException> validateRequest(final MessageInfoContext messageInfo, final Subject clientSubject, Subject serviceSubject) {
    if (!isInitialised()) {
        initDependencies();
    }
    final HttpServletRequest request = (HttpServletRequest) messageInfo.asContext(AttributesContext.class).getAttributes().get(HttpServletRequest.class.getName());
    // The requester token ID arrives as a URL parameter, so it is caller-controlled:
    // it is resolved to a token and checked for validity before it becomes the
    // restriction context under which the cookie's SSOToken is validated.
    String requester = request.getParameter(REQUESTER_URL_PARAM);
    if (requester != null) {
        try {
            SSOToken requesterToken = getFactory().getTokenFromId(requester);
            if (getFactory().isTokenValid(requesterToken)) {
                Object o = RestrictedTokenContext.doUsing(requesterToken, new RestrictedTokenAction() {

                    public Object run() throws Exception {
                        return validate(request, messageInfo, clientSubject);
                    }
                });
                return newResultPromise((AuthStatus) o);
            }
            // an invalid requester token is not an error here: validation falls
            // through to the plain, context-free path below
        } catch (Exception ex) {
            return newExceptionPromise(new AuthenticationException("An error occurred whilst trying to use restricted token."));
        }
    }
    return validate(request, messageInfo, clientSubject);
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) SSOToken(com.iplanet.sso.SSOToken) AttributesContext(org.forgerock.services.context.AttributesContext) AuthenticationException(org.forgerock.caf.authentication.api.AuthenticationException) RestrictedTokenAction(com.sun.identity.session.util.RestrictedTokenAction) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) IOException(java.io.IOException) AuthException(javax.security.auth.message.AuthException) SSOException(com.iplanet.sso.SSOException)

Example 5 with RestrictedTokenAction

use of com.sun.identity.session.util.RestrictedTokenAction in project OpenAM by OpenRock.

the class IdRepoJAXRPCObjectImpl method getSSOToken.

/**
 * Check if an agent token ID is appended to the token string.
 * If yes, we use it as a restriction context. This is meant
 * for the cookie hijacking feature where the agent appends the agent token ID
 * to the user SSO token before sending it over to the server for
 * validation.
 */
protected SSOToken getSSOToken(String token) throws SSOException {
    // Initialize the class variables
    initialize_idrepo();
    int index = token.indexOf(" ");
    if (tokenManager == null) {
        tokenManager = SSOTokenManager.getInstance();
    }
    if (index == -1) {
        return tokenManager.createSSOToken(token);
    }
    SSOToken stoken = null;
    String agentTokenStr = token.substring(index + 1);
    String tokenStr = token.substring(0, index);
    final String ftoken = tokenStr;
    try {
        /*
         * For a 7.0 patch-4 agent, an IP address may be sent back to the server
         * instead of an agent token. This is a very simple check for an IP address:
         * any value containing a '.' is first tried as an address. Note that
         * InetAddress.getByName() performs a name lookup when the value is not a
         * literal address; if that fails, the value is treated as an agent token ID.
         */
        Object context = null;
        if (agentTokenStr.indexOf('.') != -1) {
            try {
                context = InetAddress.getByName(agentTokenStr);
            } catch (Exception e) {
                context = tokenManager.createSSOToken(agentTokenStr);
            }
        } else {
            context = tokenManager.createSSOToken(agentTokenStr);
        }
        stoken = (SSOToken) RestrictedTokenContext.doUsing(context, new RestrictedTokenAction() {

            public Object run() throws Exception {
                return tokenManager.createSSOToken(ftoken);
            }
        });
    } catch (SSOException e) {
        // The agent token (or the user token under that context) could not be
        // created; fall back to creating the user token without any restriction
        // context.
        idRepoDebug.error("IdRepoJAXRPCObjectImpl:getSSOToken", e);
        return tokenManager.createSSOToken(tokenStr);
    } catch (Exception e) {
        idRepoDebug.error("IdRepoJAXRPCObjectImpl:getSSOToken", e);
    }
    return stoken;
}
Also used : SSOToken(com.iplanet.sso.SSOToken) SSOException(com.iplanet.sso.SSOException) IdRepoException(com.sun.identity.idm.IdRepoException) ServerEntryNotFoundException(com.iplanet.services.naming.ServerEntryNotFoundException) SendNotificationException(com.iplanet.services.comm.server.SendNotificationException) MalformedURLException(java.net.MalformedURLException) RemoteException(java.rmi.RemoteException) RestrictedTokenAction(com.sun.identity.session.util.RestrictedTokenAction)
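The five snippets above all rely on the same pattern: a thread-local restriction context installed by RestrictedTokenContext.doUsing, against which a restricted SSOToken is validated. The following stand-alone model is an added example, not OpenAM's code, written to make that pattern visible: the Context, Token, validate and lookup names are hypothetical, the token store is constructed inline, and the "userToken agentToken" wire format is the one described in the IdRepoJAXRPCObjectImpl javadoc of example 5. It also shows why refresh() in example 3 reads getCurrent() first: a nested doUsing sees the inner context while it runs and the outer one is restored afterwards.

```java
import java.util.Objects;
import java.util.concurrent.Callable;

/**
 * Toy model of the restricted-token pattern (illustrative only, not OpenAM code).
 * A restricted token is only valid while the thread runs "as" the context it was
 * issued for, here the agent token ID that the agent appends to the user token.
 */
public class RestrictedTokenDemo {

    /** Thread-local holder standing in for RestrictedTokenContext (hypothetical). */
    static final class Context {
        private static final ThreadLocal<Object> CURRENT = new ThreadLocal<>();

        static Object getCurrent() {
            return CURRENT.get();
        }

        /** Run the action with the given context installed, restoring the previous one afterwards. */
        static <T> T doUsing(Object context, Callable<T> action) throws Exception {
            Object previous = CURRENT.get();
            CURRENT.set(context);
            try {
                return action.call();
            } finally {
                // Always restore: a leaked context would let later work on this
                // thread run under a restriction context it was never given.
                if (previous == null) {
                    CURRENT.remove();
                } else {
                    CURRENT.set(previous);
                }
            }
        }
    }

    /** A token optionally bound to a restriction (the agent token ID it was issued to). */
    static final class Token {
        final String id;
        final String restriction; // null means unrestricted

        Token(String id, String restriction) {
            this.id = id;
            this.restriction = restriction;
        }

        /** Valid if unrestricted, or if the current thread context matches the restriction. */
        boolean isValid() {
            if (restriction == null) {
                return true;
            }
            return Objects.equals(restriction, Context.getCurrent());
        }
    }

    /**
     * Mirrors the "userToken agentToken" convention of example 5: when an agent
     * token ID follows a space, it becomes the restriction context while the
     * user token is validated. Without it, the token is validated on its own.
     */
    static boolean validate(String wireValue) throws Exception {
        int index = wireValue.indexOf(' ');
        if (index == -1) {
            return lookup(wireValue).isValid();
        }
        final String userTokenId = wireValue.substring(0, index);
        String agentTokenId = wireValue.substring(index + 1);
        return Context.doUsing(agentTokenId, () -> lookup(userTokenId).isValid());
    }

    /** Constructed sample token store standing in for SSOTokenManager (hypothetical). */
    static Token lookup(String id) {
        switch (id) {
            case "user-plain": return new Token(id, null);
            case "user-bound": return new Token(id, "agent-A");
            default: throw new IllegalArgumentException("unknown token " + id);
        }
    }

    public static void main(String[] args) throws Exception {
        // unrestricted token, no context needed
        System.out.println("plain, no context:      " + validate("user-plain"));
        // restricted token presented without its agent context
        System.out.println("bound, no context:      " + validate("user-bound"));
        // restricted token presented by the agent it was issued to
        System.out.println("bound, issuing agent:   " + validate("user-bound agent-A"));
        // restricted token replayed through a different agent (hijacked cookie)
        System.out.println("bound, other agent:     " + validate("user-bound agent-B"));

        // Nested doUsing: the inner context is visible while it runs, the outer
        // one is restored afterwards, and nothing is left on the thread at the end.
        String seen = Context.doUsing("outer", () -> {
            String inner = (String) Context.doUsing("inner", Context::getCurrent);
            return inner + " then " + Context.getCurrent();
        });
        System.out.println("nested contexts:        " + seen);
        System.out.println("after doUsing:          " + Context.getCurrent());
    }
}
```

Compile and run with `javac RestrictedTokenDemo.java && java RestrictedTokenDemo`. The two security-relevant decisions the real code makes are visible in miniature: the context is taken from a caller-supplied value (the appended agent token ID, or the "requester" parameter in example 4) and must therefore be validated before it is trusted, and the context is restored in a finally block so a request handler cannot leave a privileged context behind for the next request on the same thread.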

Aggregations (usage count across the examples above)

RestrictedTokenAction (com.sun.identity.session.util.RestrictedTokenAction) 5
SSOException (com.iplanet.sso.SSOException) 4
SSOToken (com.iplanet.sso.SSOToken) 3
ThreadPoolException (com.iplanet.am.util.ThreadPoolException) 2
SessionException (com.iplanet.dpro.session.SessionException) 1
SessionRequest (com.iplanet.dpro.session.share.SessionRequest) 1
SessionResponse (com.iplanet.dpro.session.share.SessionResponse) 1
SendNotificationException (com.iplanet.services.comm.server.SendNotificationException) 1
Response (com.iplanet.services.comm.share.Response) 1
ServerEntryNotFoundException (com.iplanet.services.naming.ServerEntryNotFoundException) 1
SSOTokenManager (com.iplanet.sso.SSOTokenManager) 1
IdRepoException (com.sun.identity.idm.IdRepoException) 1
IOException (java.io.IOException) 1
MalformedURLException (java.net.MalformedURLException) 1
RemoteException (java.rmi.RemoteException) 1
Date (java.util.Date) 1
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException) 1
AuthException (javax.security.auth.message.AuthException) 1
HttpServletRequest (javax.servlet.http.HttpServletRequest) 1
HttpServletResponse (javax.servlet.http.HttpServletResponse) 1