Example 6 with LocalSessionStateBean

Use of password.pwm.bean.LocalSessionStateBean in project pwm by pwm-project, in the class ActivateUserServlet, method handleActivateRequest.

@ActionHandler(action = "activate")
public ProcessStatus handleActivateRequest(final PwmRequest pwmRequest) throws PwmUnrecoverableException, ChaiUnavailableException, IOException, ServletException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final Configuration config = pwmApplication.getConfig();
    final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
    if (CaptchaUtility.captchaEnabledForRequest(pwmRequest)) {
        if (!CaptchaUtility.verifyReCaptcha(pwmRequest)) {
            final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_BAD_CAPTCHA_RESPONSE);
            throw new PwmUnrecoverableException(errorInfo);
        }
    }
    pwmApplication.getSessionStateService().clearBean(pwmRequest, ActivateUserBean.class);
    final List<FormConfiguration> configuredActivationForm = config.readSettingAsForm(PwmSetting.ACTIVATE_USER_FORM);
    Map<FormConfiguration, String> formValues = new HashMap<>();
    try {
        // read the values from the request
        formValues = FormUtility.readFormValuesFromRequest(pwmRequest, configuredActivationForm, ssBean.getLocale());
        // check for intruders
        pwmApplication.getIntruderManager().convenience().checkAttributes(formValues);
        // read the context attr
        final String contextParam = pwmRequest.readParameterAsString(PwmConstants.PARAM_CONTEXT);
        // read the profile attr
        final String ldapProfile = pwmRequest.readParameterAsString(PwmConstants.PARAM_LDAP_PROFILE);
        // see if the values meet the configured form requirements.
        FormUtility.validateFormValues(config, formValues, ssBean.getLocale());
        final String searchFilter = ActivateUserUtils.figureLdapSearchFilter(pwmRequest);
        // read an ldap user object based on the params
        final UserIdentity userIdentity;
        {
            final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
            final SearchConfiguration searchConfiguration = SearchConfiguration.builder()
                    .contexts(Collections.singletonList(contextParam))
                    .filter(searchFilter)
                    .formValues(formValues)
                    .ldapProfile(ldapProfile)
                    .build();
            userIdentity = userSearchEngine.performSingleUserSearch(searchConfiguration, pwmRequest.getSessionLabel());
        }
        ActivateUserUtils.validateParamsAgainstLDAP(pwmRequest, formValues, userIdentity);
        final List<UserPermission> userPermissions = config.readSettingAsUserPermission(PwmSetting.ACTIVATE_USER_QUERY_MATCH);
        if (!LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession.getLabel(), userIdentity, userPermissions)) {
            final String errorMsg = "user " + userIdentity + " attempted activation, but does not match query string";
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_ACTIVATE_NO_PERMISSION, errorMsg);
            pwmApplication.getIntruderManager().convenience().markUserIdentity(userIdentity, pwmSession);
            pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
            throw new PwmUnrecoverableException(errorInformation);
        }
        final ActivateUserBean activateUserBean = pwmApplication.getSessionStateService().getBean(pwmRequest, ActivateUserBean.class);
        activateUserBean.setUserIdentity(userIdentity);
        activateUserBean.setFormValidated(true);
        pwmApplication.getIntruderManager().convenience().clearAttributes(formValues);
        pwmApplication.getIntruderManager().convenience().clearAddressAndSession(pwmSession);
    } catch (PwmOperationalException e) {
        pwmApplication.getIntruderManager().convenience().markAttributes(formValues, pwmSession);
        pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
        setLastError(pwmRequest, e.getErrorInformation());
        LOGGER.debug(pwmSession.getLabel(), e.getErrorInformation().toDebugStr());
    }
    return ProcessStatus.Continue;
}
Also used: PwmApplication (password.pwm.PwmApplication), FormConfiguration (password.pwm.config.value.data.FormConfiguration), SearchConfiguration (password.pwm.ldap.search.SearchConfiguration), Configuration (password.pwm.config.Configuration), HashMap (java.util.HashMap), UserIdentity (password.pwm.bean.UserIdentity), UserSearchEngine (password.pwm.ldap.search.UserSearchEngine), PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException), ActivateUserBean (password.pwm.http.bean.ActivateUserBean), PwmOperationalException (password.pwm.error.PwmOperationalException), ErrorInformation (password.pwm.error.ErrorInformation), LocalSessionStateBean (password.pwm.bean.LocalSessionStateBean), PwmSession (password.pwm.http.PwmSession), UserPermission (password.pwm.config.value.data.UserPermission)

Example 7 with LocalSessionStateBean

Use of password.pwm.bean.LocalSessionStateBean in project pwm by pwm-project, in the class SessionFilter, method verifySession.

/**
 * Attempt to determine if user agent is able to track sessions (either via url rewriting or cookies).
 */
private static ProcessStatus verifySession(final PwmRequest pwmRequest, final SessionVerificationMode mode) throws IOException, ServletException, PwmUnrecoverableException {
    final LocalSessionStateBean ssBean = pwmRequest.getPwmSession().getSessionStateBean();
    final HttpServletRequest req = pwmRequest.getHttpServletRequest();
    final PwmResponse pwmResponse = pwmRequest.getPwmResponse();
    if (!pwmRequest.getMethod().isIdempotent() && pwmRequest.hasParameter(PwmConstants.PARAM_FORM_ID)) {
        LOGGER.debug(pwmRequest, "session is unvalidated but can not be validated during a " + pwmRequest.getMethod().toString() + " request, will allow");
        return ProcessStatus.Continue;
    }
    {
        // the Accept header is inspected here; JSON (REST) clients cannot follow the verification redirect
        final String acceptHeader = pwmRequest.getHttpServletRequest().getHeader(HttpHeader.Accept.getHttpName());
        if (acceptHeader != null && acceptHeader.contains("json")) {
            LOGGER.debug(pwmRequest, "session is unvalidated but can not be validated during a json request, will allow");
            return ProcessStatus.Continue;
        }
    }
    if (pwmRequest.getURL().isCommandServletURL()) {
        return ProcessStatus.Continue;
    }
    final String verificationParamName = pwmRequest.getConfig().readAppProperty(AppProperty.HTTP_PARAM_SESSION_VERIFICATION);
    final String keyFromRequest = pwmRequest.readParameterAsString(verificationParamName, PwmHttpRequestWrapper.Flag.BypassValidation);
    // request doesn't have key, so make a new one, store it in the session, and redirect back here with the new key.
    if (keyFromRequest == null || keyFromRequest.length() < 1) {
        final String returnURL = figureValidationURL(pwmRequest, ssBean.getSessionVerificationKey());
        LOGGER.trace(pwmRequest, "session has not been validated, redirecting with verification key to " + returnURL);
        // better chance of detecting un-sticky sessions this way
        pwmResponse.setHeader(HttpHeader.Connection, "close");
        if (mode == SessionVerificationMode.VERIFY_AND_CACHE) {
            req.setAttribute("Location", returnURL);
            pwmResponse.forwardToJsp(JspUrl.INIT);
        } else {
            pwmResponse.sendRedirect(returnURL);
        }
        return ProcessStatus.Halt;
    }
    // else, request has a key, so investigate.
    if (keyFromRequest.equals(ssBean.getSessionVerificationKey())) {
        final String returnURL = figureValidationURL(pwmRequest, null);
        // session looks good, mark it as such and return
        LOGGER.trace(pwmRequest, "session validated, redirecting to original request url: " + returnURL);
        ssBean.setSessionVerified(true);
        pwmRequest.getPwmResponse().sendRedirect(returnURL);
        return ProcessStatus.Halt;
    }
    // user's session is messed up.  send to error page.
    final String errorMsg = "client unable to reply with session key";
    final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_BAD_SESSION, errorMsg);
    LOGGER.error(pwmRequest, errorInformation);
    pwmRequest.respondWithError(errorInformation, true);
    return ProcessStatus.Halt;
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), ErrorInformation (password.pwm.error.ErrorInformation), PwmResponse (password.pwm.http.PwmResponse), LocalSessionStateBean (password.pwm.bean.LocalSessionStateBean)

Example 8 with LocalSessionStateBean

Use of password.pwm.bean.LocalSessionStateBean in project pwm by pwm-project, in the class GuestRegistrationServlet, method handleUpdateRequest.

protected void handleUpdateRequest(final PwmRequest pwmRequest, final GuestRegistrationBean guestRegistrationBean) throws ServletException, ChaiUnavailableException, IOException, PwmUnrecoverableException {
    // Fetch the session state bean.
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final Configuration config = pwmApplication.getConfig();
    final List<FormConfiguration> formItems = pwmApplication.getConfig().readSettingAsForm(PwmSetting.GUEST_UPDATE_FORM);
    final String expirationAttribute = config.readSettingAsString(PwmSetting.GUEST_EXPIRATION_ATTRIBUTE);
    try {
        // read the values from the request
        final Map<FormConfiguration, String> formValues = FormUtility.readFormValuesFromRequest(pwmRequest, formItems, pwmRequest.getLocale());
        // see if the values meet form requirements.
        FormUtility.validateFormValues(config, formValues, ssBean.getLocale());
        // read current values from user.
        final ChaiUser theGuest = pwmSession.getSessionManager().getActor(pwmApplication, guestRegistrationBean.getUpdateUserIdentity());
        // check unique fields against ldap
        FormUtility.validateFormValueUniqueness(pwmApplication, formValues, ssBean.getLocale(), Collections.singletonList(guestRegistrationBean.getUpdateUserIdentity()));
        final Instant expirationDate = readExpirationFromRequest(pwmRequest);
        // Update user attributes
        LdapOperationsHelper.writeFormValuesToLdap(pwmApplication, pwmSession.getSessionManager().getMacroMachine(pwmApplication), theGuest, formValues, false);
        // Write expirationDate
        if (expirationDate != null) {
            theGuest.writeDateAttribute(expirationAttribute, expirationDate);
        }
        // send email.
        final UserInfo guestUserInfoBean = UserInfoFactory.newUserInfo(pwmApplication, pwmRequest.getSessionLabel(), pwmRequest.getLocale(), guestRegistrationBean.getUpdateUserIdentity(), theGuest.getChaiProvider());
        this.sendUpdateGuestEmailConfirmation(pwmRequest, guestUserInfoBean);
        pwmApplication.getStatisticsManager().incrementValue(Statistic.UPDATED_GUESTS);
        // everything good so forward to confirmation page.
        pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_UpdateGuest);
        return;
    } catch (PwmOperationalException e) {
        LOGGER.error(pwmSession, e.getErrorInformation().toDebugStr());
        setLastError(pwmRequest, e.getErrorInformation());
    } catch (ChaiOperationException e) {
        final ErrorInformation info = new ErrorInformation(PwmError.ERROR_UNKNOWN, "unexpected error writing to ldap: " + e.getMessage());
        LOGGER.error(pwmSession, info);
        setLastError(pwmRequest, info);
    }
    this.forwardToUpdateJSP(pwmRequest, guestRegistrationBean);
}
Also used: PwmApplication (password.pwm.PwmApplication), FormConfiguration (password.pwm.config.value.data.FormConfiguration), SearchConfiguration (password.pwm.ldap.search.SearchConfiguration), ActionConfiguration (password.pwm.config.value.data.ActionConfiguration), Configuration (password.pwm.config.Configuration), Instant (java.time.Instant), UserInfo (password.pwm.ldap.UserInfo), PwmOperationalException (password.pwm.error.PwmOperationalException), ErrorInformation (password.pwm.error.ErrorInformation), ChaiUser (com.novell.ldapchai.ChaiUser), LocalSessionStateBean (password.pwm.bean.LocalSessionStateBean), ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException), PwmSession (password.pwm.http.PwmSession)

Example 9 with LocalSessionStateBean

Use of password.pwm.bean.LocalSessionStateBean in project pwm by pwm-project, in the class ChangePasswordServlet, method processFormAction.

@ActionHandler(action = "form")
ProcessStatus processFormAction(final PwmRequest pwmRequest) throws ServletException, PwmUnrecoverableException, IOException, ChaiUnavailableException {
    final ChangePasswordBean cpb = pwmRequest.getPwmApplication().getSessionStateService().getBean(pwmRequest, ChangePasswordBean.class);
    final LocalSessionStateBean ssBean = pwmRequest.getPwmSession().getSessionStateBean();
    final UserInfo userInfo = pwmRequest.getPwmSession().getUserInfo();
    final LoginInfoBean loginBean = pwmRequest.getPwmSession().getLoginInfoBean();
    final PasswordData currentPassword = pwmRequest.readParameterAsPassword("currentPassword");
    // check the current password
    if (cpb.isCurrentPasswordRequired() && loginBean.getUserCurrentPassword() != null) {
        if (currentPassword == null) {
            LOGGER.debug(pwmRequest, "failed password validation check: currentPassword value is missing");
            setLastError(pwmRequest, new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER));
            return ProcessStatus.Continue;
        }
        final boolean passed;
        {
            final boolean caseSensitive = Boolean.parseBoolean(userInfo.getPasswordPolicy().getValue(PwmPasswordRule.CaseSensitive));
            final PasswordData storedPassword = loginBean.getUserCurrentPassword();
            passed = caseSensitive ? storedPassword.equals(currentPassword) : storedPassword.equalsIgnoreCase(currentPassword);
        }
        if (!passed) {
            pwmRequest.getPwmApplication().getIntruderManager().convenience().markUserIdentity(userInfo.getUserIdentity(), pwmRequest.getSessionLabel());
            LOGGER.debug(pwmRequest, "failed password validation check: currentPassword value is incorrect");
            setLastError(pwmRequest, new ErrorInformation(PwmError.ERROR_BAD_CURRENT_PASSWORD));
            return ProcessStatus.Continue;
        }
        cpb.setCurrentPasswordPassed(true);
    }
    final List<FormConfiguration> formItem = pwmRequest.getConfig().readSettingAsForm(PwmSetting.PASSWORD_REQUIRE_FORM);
    try {
        // read the values from the request
        final Map<FormConfiguration, String> formValues = FormUtility.readFormValuesFromRequest(pwmRequest, formItem, ssBean.getLocale());
        ChangePasswordServletUtil.validateParamsAgainstLDAP(formValues, pwmRequest.getPwmSession(), pwmRequest.getPwmSession().getSessionManager().getActor(pwmRequest.getPwmApplication()));
        cpb.setFormPassed(true);
    } catch (PwmOperationalException e) {
        pwmRequest.getPwmApplication().getIntruderManager().convenience().markAddressAndSession(pwmRequest.getPwmSession());
        pwmRequest.getPwmApplication().getIntruderManager().convenience().markUserIdentity(userInfo.getUserIdentity(), pwmRequest.getSessionLabel());
        LOGGER.debug(pwmRequest, e.getErrorInformation());
        setLastError(pwmRequest, e.getErrorInformation());
        return ProcessStatus.Continue;
    }
    return ProcessStatus.Continue;
}
Also used: ChangePasswordBean (password.pwm.http.bean.ChangePasswordBean), ErrorInformation (password.pwm.error.ErrorInformation), LoginInfoBean (password.pwm.bean.LoginInfoBean), PasswordData (password.pwm.util.PasswordData), LocalSessionStateBean (password.pwm.bean.LocalSessionStateBean), UserInfo (password.pwm.ldap.UserInfo), FormConfiguration (password.pwm.config.value.data.FormConfiguration), PwmOperationalException (password.pwm.error.PwmOperationalException)

Example 10 with LocalSessionStateBean

Use of password.pwm.bean.LocalSessionStateBean in project pwm by pwm-project, in the class CommandServlet, method redirectToForwardURL.

private static void redirectToForwardURL(final PwmRequest pwmRequest) throws IOException, PwmUnrecoverableException {
    final LocalSessionStateBean sessionStateBean = pwmRequest.getPwmSession().getSessionStateBean();
    final String redirectURL = pwmRequest.getForwardUrl();
    LOGGER.trace(pwmRequest, "redirecting user to forward url: " + redirectURL);
    // after redirecting we need to clear the session forward url
    if (sessionStateBean.getForwardURL() != null) {
        LOGGER.trace(pwmRequest, "clearing session forward url: " + sessionStateBean.getForwardURL());
        sessionStateBean.setForwardURL(null);
    }
    pwmRequest.sendRedirect(redirectURL);
}
Also used: LocalSessionStateBean (password.pwm.bean.LocalSessionStateBean)

Aggregations (number of examples in which each type appears):

LocalSessionStateBean (password.pwm.bean.LocalSessionStateBean): 17, ErrorInformation (password.pwm.error.ErrorInformation): 9, PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException): 7, PwmOperationalException (password.pwm.error.PwmOperationalException): 6, PwmApplication (password.pwm.PwmApplication): 5, FormConfiguration (password.pwm.config.value.data.FormConfiguration): 5, PwmSession (password.pwm.http.PwmSession): 5, UserInfo (password.pwm.ldap.UserInfo): 5, HashMap (java.util.HashMap): 4, UserIdentity (password.pwm.bean.UserIdentity): 4, Configuration (password.pwm.config.Configuration): 4, SearchConfiguration (password.pwm.ldap.search.SearchConfiguration): 4, LoginInfoBean (password.pwm.bean.LoginInfoBean): 3, PasswordData (password.pwm.util.PasswordData): 3, ChaiUser (com.novell.ldapchai.ChaiUser): 2, ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException): 2, Instant (java.time.Instant): 2, LinkedHashMap (java.util.LinkedHashMap): 2, List (java.util.List): 2, Locale (java.util.Locale): 2