Example 1 with NoOpTokenRestriction

Use of org.forgerock.openam.dpro.session.NoOpTokenRestriction in project OpenAM by OpenRock.

The class LdapSPValidator, method validateAndGetRestriction. Called by the cross-domain controller (CDCServlet) to validate an agent's provider ID and goto URL against the agent profiles in the directory, and to compute the restriction placed on the SSO token that is handed to that agent. Note the final branch: when unique-cookie mode (Constants.IS_ENABLE_UNIQUE_COOKIE) is off, the method returns NoOpTokenRestriction, so the token is not bound to the agent DN or its host list even though both were just computed; only with unique cookies enabled is DNOrIPAddressListTokenRestriction applied.

/**
 * Returns token restriction.
 * The method does the following operations:
 * <ol>
 * <li>Validates the AuthRequest by checking the Provider ID against the
 *     agent instances in the directory</li>
 * <li>From the agent instance in the directory, checks if the agent is
 *     active and also checks the gotoURL is protected by the agent</li>
 * <li>Combines the hostnames and IP addresses valid for the agent
 *     and sets them as the restriction for the SSO Token</li>
 * </ol>
 *
 * @param request Federation Service Authentication Request.
 * @param gotoURL Goto URL.
 * @return token restriction.
 */
public TokenRestriction validateAndGetRestriction(FSAuthnRequest request, String gotoURL) throws Exception {
    // Check for initialization exceptions
    if (exception != null) {
        throw (exception);
    }
    String realm = null;
    /*
     * Search directory for provider ID and if present
     * return DN, valid IP and hostnames as restriction
     */
    URL url = new URL(URLDecoder.decode(request.getProviderId(), "UTF-8"));
    String realmName = url.getQuery();
    if (realmName != null) {
        int idx = realmName.indexOf(REALM_NAME_ATTR);
        if (idx != -1) {
            realm = realmName.substring(idx + REALM_NAME_ATTR.length());
        }
    }
    StringBuffer rootPrefix = new StringBuffer(1024);
    rootPrefix.append(url.getProtocol()).append("://").append(url.getHost()).append(":").append(url.getPort()).append("/");
    // Search for agent instances
    try {
        Map agents = searchAgents(rootPrefix, realm);
        // Make sure there is at least one entry in the directory
        if (agents.isEmpty()) {
            if (CDCServlet.debug.warningEnabled()) {
                CDCServlet.debug.warning("LdapSPValidator.validateAndGetRestriction: " + "Invalid Agent Root URL: " + rootPrefix);
            }
            throw new Exception("Invalid Agent Root URL: " + rootPrefix + " not found.");
        }
        // Obtain the DNs and hostlists from the entries
        StringBuffer agentDN = null;
        ArrayList hostnames = new ArrayList();
        boolean gotoUrlValid = false;
        URL gotoUrl = new URL(gotoURL);
        String gotoHost = gotoUrl.getHost().toLowerCase();
        String gotoProtocol = gotoUrl.getProtocol().toLowerCase();
        int gotoPort = gotoUrl.getPort();
        // use default port when port is not specified explicitly
        if (gotoPort == -1) {
            if (HTTPS.equalsIgnoreCase(gotoProtocol)) {
                gotoPort = HTTPS_DEFAULT_PORT;
            } else {
                gotoPort = HTTP_DEFAULT_PORT;
            }
        }
        for (Iterator i = agents.keySet().iterator(); i.hasNext(); ) {
            AMIdentity amid = (AMIdentity) i.next();
            Map attributes = amid.getAttributes();
            if (attributes != null) {
                if (isAgentActive(attributes)) {
                    Set attrValues = (Set) attributes.get(LDAP_ATTR_NAME);
                    if ((attrValues != null) && !attrValues.isEmpty()) {
                        // Hostnames of every active agent are collected, whether or not
                        // that agent turns out to protect the goto URL
                        getHostnames(attrValues, hostnames);
                        if (validateGotoUrl(attrValues, hostnames, gotoHost, gotoProtocol, gotoPort)) {
                            if (agentDN == null) {
                                agentDN = new StringBuffer(50);
                            } else {
                                agentDN.append("|");
                            }
                            agentDN.append(IdUtils.getDN(amid));
                            gotoUrlValid = true;
                        }
                    }
                }
            }
        }
        if (!gotoUrlValid) {
            if (CDCServlet.debug.warningEnabled()) {
                CDCServlet.debug.warning("LdapSPValidator.validateAndGetRestriction: " + "Invalid GoTo URL: " + gotoURL + " for Agent ID: " + rootPrefix);
            }
            throw (new Exception("Goto URL not valid for the agent Provider ID"));
        }
        if (CDCServlet.debug.messageEnabled()) {
            CDCServlet.debug.message("LdapSPValidator.validateAndGetRestriction: " + "Restriction string for: " + rootPrefix + " is: " + agentDN + " " + hostnames);
        }
        if (!Boolean.valueOf(SystemConfigurationUtil.getProperty(Constants.IS_ENABLE_UNIQUE_COOKIE))) {
            // Unique-cookie mode off: the computed DN and host list are discarded
            // and the token is issued without any restriction
            return new NoOpTokenRestriction();
        } else {
            return new DNOrIPAddressListTokenRestriction(agentDN.toString(), hostnames);
        }
    } catch (Exception ex) {
        CDCServlet.debug.error("Invalid Agent: Could not get agent for the realm", ex);
        throw (new Exception("Invalid Agent: Could not get agent for the realm"));
    }
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) ArrayList(java.util.ArrayList) NoOpTokenRestriction(org.forgerock.openam.dpro.session.NoOpTokenRestriction) URL(java.net.URL) IdRepoException(com.sun.identity.idm.IdRepoException) MalformedURLException(java.net.MalformedURLException) SSOException(com.iplanet.sso.SSOException) DNOrIPAddressListTokenRestriction(com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction) AMIdentity(com.sun.identity.idm.AMIdentity) Iterator(java.util.Iterator) HashMap(java.util.HashMap) Map(java.util.Map)
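The goto-URL check that validateAndGetRestriction delegates to its validateGotoUrl helper (not shown on this page) is the part worth getting right: it is what stops an attacker from using a valid agent's provider ID to have the CDC redirect a freshly issued token to a host of their choosing. The example below is added here and is not OpenAM code. It models that check on constructed agent entries (the Agent class stands in for the directory profile, and the rule that the goto URL must share scheme, host and effective port with one of an active agent's configured URLs is an assumption about the helper's behaviour); the provider-ID search that produces the agent list is out of scope.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class GotoUrlCheck {

    static final int HTTP_DEFAULT_PORT = 80;
    static final int HTTPS_DEFAULT_PORT = 443;

    /** Constructed stand-in for an agent profile read from the directory (not OpenAM's AMIdentity). */
    static final class Agent {
        final String dn;
        final boolean active;
        final Set<String> urls;   // stands in for the agent's URL attribute values
        Agent(String dn, boolean active, String... urls) {
            this.dn = dn;
            this.active = active;
            this.urls = new LinkedHashSet<>(Arrays.asList(urls));
        }
    }

    /** Outcome: '|'-joined DNs of agents protecting the goto URL (null if none) plus collected hostnames. */
    static final class Outcome {
        final String agentDNs;
        final List<String> hostnames;
        Outcome(String agentDNs, List<String> hostnames) {
            this.agentDNs = agentDNs;
            this.hostnames = hostnames;
        }
    }

    /** Port of a URL, substituting the scheme default when none is given (mirrors the -1 handling above). */
    static int effectivePort(URL u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getProtocol()) ? HTTPS_DEFAULT_PORT : HTTP_DEFAULT_PORT;
    }

    /** Exact origin comparison: scheme and host case-insensitively, port after defaulting. No substring matching. */
    static boolean sameOrigin(URL a, URL b) {
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    /** Assumed matching rule: an active agent protects the goto URL if one of its configured URLs has the same origin. */
    static Outcome check(List<Agent> agents, String gotoURL) throws MalformedURLException {
        URL gotoUrl = new URL(gotoURL);
        StringBuilder agentDN = null;
        List<String> hostnames = new ArrayList<>();
        for (Agent agent : agents) {
            if (!agent.active || agent.urls.isEmpty()) {
                continue;           // inactive or unconfigured agents never validate anything
            }
            boolean protects = false;
            for (String configured : agent.urls) {
                URL u = new URL(configured);
                hostnames.add(u.getHost().toLowerCase());   // collected for every active agent, as in the method above
                if (sameOrigin(u, gotoUrl)) {
                    protects = true;
                }
            }
            if (protects) {
                if (agentDN == null) {
                    agentDN = new StringBuilder();
                } else {
                    agentDN.append('|');
                }
                agentDN.append(agent.dn);
            }
        }
        return new Outcome(agentDN == null ? null : agentDN.toString(), hostnames);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample agents
        List<Agent> agents = Arrays.asList(
            new Agent("uid=webagent1,ou=agents,dc=example,dc=com", true, "https://app.example.com:443/"),
            new Agent("uid=oldagent,ou=agents,dc=example,dc=com", false, "https://legacy.example.com/"));

        String[] gotos = {
            "https://app.example.com/portal/home",   // accepted: port defaults to 443
            "https://APP.example.com:443/",          // accepted: host compared case-insensitively
            "http://app.example.com/",               // rejected: scheme differs
            "https://app.example.com:8443/",         // rejected: port differs
            "https://app.example.com.evil.net/",     // rejected: different host, no prefix matching
            "https://legacy.example.com/"            // rejected: only an inactive agent protects it
        };
        for (String g : gotos) {
            Outcome o = check(agents, g);
            System.out.println(g + " -> " + (o.agentDNs == null ? "REJECT" : "OK " + o.agentDNs));
        }
    }
}
```

A null agentDNs corresponds to the "Goto URL not valid for the agent Provider ID" exception in the method above. Whichever DN and host list come out of the check, remember that they only reach the token when unique-cookie mode is enabled; otherwise the method returns NoOpTokenRestriction regardless.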

DNOrIPAddressListTokenRestriction (com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction)1 SSOException (com.iplanet.sso.SSOException)1 AMIdentity (com.sun.identity.idm.AMIdentity)1 IdRepoException (com.sun.identity.idm.IdRepoException)1 MalformedURLException (java.net.MalformedURLException)1 URL (java.net.URL)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 HashSet (java.util.HashSet)1 Iterator (java.util.Iterator)1 Map (java.util.Map)1 Set (java.util.Set)1 NoOpTokenRestriction (org.forgerock.openam.dpro.session.NoOpTokenRestriction)1