Example 6 with PwmUnrecoverableException
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class HttpEventManager method sessionCreated.
public void sessionCreated(final HttpSessionEvent httpSessionEvent) {
final HttpSession httpSession = httpSessionEvent.getSession();
try {
final ContextManager contextManager = ContextManager.getContextManager(httpSession);
final PwmApplication pwmApplication = contextManager.getPwmApplication();
httpSession.setAttribute(PwmConstants.SESSION_ATTR_PWM_APP_NONCE, pwmApplication.getRuntimeNonce());
if (pwmApplication != null && pwmApplication.getStatisticsManager() != null) {
pwmApplication.getStatisticsManager().updateEps(EpsStatistic.SESSIONS, 1);
}
LOGGER.trace("new http session created");
} catch (PwmUnrecoverableException e) {
LOGGER.warn("error during sessionCreated event: " + e.getMessage());
}
}
Also used :
PwmApplication(password.pwm.PwmApplication)
HttpSession(javax.servlet.http.HttpSession)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
Example 7 with PwmUnrecoverableException
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class IdleTimeoutCalculator method idleTimeoutForRequest.
public static TimeDuration idleTimeoutForRequest(final PwmURL pwmURL, final PwmApplication pwmApplication, final PwmSession pwmSession) throws PwmUnrecoverableException {
if (pwmURL.isResourceURL()) {
return figureMaxSessionTimeout(pwmApplication, pwmSession).getIdleTimeout();
}
final Configuration config = pwmApplication.getConfig();
if (pwmURL.isPwmServletURL(PwmServletDefinition.Helpdesk)) {
if (config.readSettingAsBoolean(PwmSetting.HELPDESK_ENABLE)) {
final HelpdeskProfile helpdeskProfile = pwmSession.getSessionManager().getHelpdeskProfile(pwmApplication);
if (helpdeskProfile != null) {
final long helpdeskIdleTimeout = helpdeskProfile.readSettingAsLong(PwmSetting.HELPDESK_IDLE_TIMEOUT_SECONDS);
if (helpdeskIdleTimeout > 0) {
return new TimeDuration(helpdeskIdleTimeout, TimeUnit.SECONDS);
}
}
}
}
if ((pwmURL.isPwmServletURL(PwmServletDefinition.PrivatePeopleSearch) || pwmURL.isPwmServletURL(PwmServletDefinition.PublicPeopleSearch)) && pwmURL.isPrivateUrl()) {
if (config.readSettingAsBoolean(PwmSetting.PEOPLE_SEARCH_ENABLE)) {
final long peopleSearchIdleTimeout = config.readSettingAsLong(PwmSetting.PEOPLE_SEARCH_IDLE_TIMEOUT_SECONDS);
if (peopleSearchIdleTimeout > 0) {
return new TimeDuration(peopleSearchIdleTimeout, TimeUnit.SECONDS);
}
}
}
if (pwmURL.isPwmServletURL(PwmServletDefinition.ConfigEditor)) {
try {
if (pwmSession.getSessionManager().checkPermission(pwmApplication, Permission.PWMADMIN)) {
final long configEditorIdleTimeout = Long.parseLong(config.readAppProperty(AppProperty.CONFIG_EDITOR_IDLE_TIMEOUT));
if (configEditorIdleTimeout > 0) {
return new TimeDuration(configEditorIdleTimeout, TimeUnit.SECONDS);
}
}
} catch (PwmUnrecoverableException e) {
LOGGER.error(pwmSession, "error while figuring max idle timeout for session: " + e.getMessage());
}
}
if (pwmURL.isPwmServletURL(PwmServletDefinition.ConfigGuide)) {
if (pwmApplication.getApplicationMode() == PwmApplicationMode.NEW) {
final long configGuideIdleTimeout = Long.parseLong(config.readAppProperty(AppProperty.CONFIG_GUIDE_IDLE_TIMEOUT));
if (configGuideIdleTimeout > 0) {
return new TimeDuration(configGuideIdleTimeout, TimeUnit.SECONDS);
}
}
}
final long idleTimeout = config.readSettingAsLong(PwmSetting.IDLE_TIMEOUT_SECONDS);
return new TimeDuration(idleTimeout, TimeUnit.SECONDS);
}
Also used :
Configuration(password.pwm.config.Configuration)
HelpdeskProfile(password.pwm.config.profile.HelpdeskProfile)
TimeDuration(password.pwm.util.java.TimeDuration)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
Example 8 with PwmUnrecoverableException
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class StoredConfigurationImpl method fromXml.
public static StoredConfigurationImpl fromXml(final InputStream xmlData) throws PwmUnrecoverableException {
final Instant startTime = Instant.now();
// validateXmlSchema(xmlData);
final Document inputDocument = XmlUtil.parseXml(xmlData);
final StoredConfigurationImpl newConfiguration = StoredConfigurationImpl.newStoredConfiguration();
try {
newConfiguration.document = inputDocument;
// verify create time;
newConfiguration.createTime();
ConfigurationCleaner.cleanup(newConfiguration);
} catch (Exception e) {
final String errorMsg = "error reading configuration file format, error=" + e.getMessage();
final ErrorInformation errorInfo = new ErrorInformation(PwmError.CONFIG_FORMAT_ERROR, null, new String[] { errorMsg });
throw new PwmUnrecoverableException(errorInfo);
}
checkIfXmlRequiresUpdate(newConfiguration);
LOGGER.debug("successfully loaded configuration (" + TimeDuration.compactFromCurrent(startTime) + ")");
return newConfiguration;
}
Also used :
ErrorInformation(password.pwm.error.ErrorInformation)
Instant(java.time.Instant)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
Document(org.jdom2.Document)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
PwmOperationalException(password.pwm.error.PwmOperationalException)
PwmException(password.pwm.error.PwmException)
IOException(java.io.IOException)
Example 9 with PwmUnrecoverableException
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class RequestInitializationFilter method handleRequestSecurityChecks.
@SuppressWarnings("checkstyle:MethodLength")
public static void handleRequestSecurityChecks(final PwmRequest pwmRequest) throws PwmUnrecoverableException {
final LocalSessionStateBean ssBean = pwmRequest.getPwmSession().getSessionStateBean();
// check the user's IP address
if (!pwmRequest.getConfig().readSettingAsBoolean(PwmSetting.MULTI_IP_SESSION_ALLOWED)) {
final String remoteAddress = readUserIPAddress(pwmRequest.getHttpServletRequest(), pwmRequest.getConfig());
if (!ssBean.getSrcAddress().equals(remoteAddress)) {
final String errorMsg = "current network address '" + remoteAddress + "' has changed from original network address '" + ssBean.getSrcAddress() + "'";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
}
}
// check total time.
{
if (ssBean.getSessionCreationTime() != null) {
final Long maxSessionSeconds = pwmRequest.getConfig().readSettingAsLong(PwmSetting.SESSION_MAX_SECONDS);
final TimeDuration sessionAge = TimeDuration.fromCurrent(ssBean.getSessionCreationTime());
if (sessionAge.getTotalSeconds() > maxSessionSeconds) {
final String errorMsg = "session age (" + sessionAge.asCompactString() + ") is longer than maximum permitted age";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
}
}
}
// check headers
{
final List<String> requiredHeaders = pwmRequest.getConfig().readSettingAsStringArray(PwmSetting.REQUIRED_HEADERS);
if (requiredHeaders != null && !requiredHeaders.isEmpty()) {
final Map<String, String> configuredValues = StringUtil.convertStringListToNameValuePair(requiredHeaders, "=");
for (final Map.Entry<String, String> entry : configuredValues.entrySet()) {
final String key = entry.getKey();
if (key != null && key.length() > 0) {
final String requiredValue = entry.getValue();
if (requiredValue != null && requiredValue.length() > 0) {
final String value = pwmRequest.readHeaderValueAsString(key);
if (value == null || value.length() < 1) {
final String errorMsg = "request is missing required value for header '" + key + "'";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
} else {
if (!requiredValue.equals(value)) {
final String errorMsg = "request has incorrect required value for header '" + key + "'";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
}
}
}
}
}
}
}
// check permitted source IP address
{
final List<String> requiredHeaders = pwmRequest.getConfig().readSettingAsStringArray(PwmSetting.IP_PERMITTED_RANGE);
if (requiredHeaders != null && !requiredHeaders.isEmpty()) {
boolean match = false;
final String requestAddress = pwmRequest.getHttpServletRequest().getRemoteAddr();
for (int i = 0; i < requiredHeaders.size() && !match; i++) {
final String ipMatchString = requiredHeaders.get(i);
try {
final IPMatcher ipMatcher = new IPMatcher(ipMatchString);
try {
if (ipMatcher.match(requestAddress)) {
match = true;
}
} catch (IPMatcher.IPMatcherException e) {
LOGGER.error("error while attempting to match permitted address range '" + ipMatchString + "', error: " + e);
}
} catch (IPMatcher.IPMatcherException e) {
LOGGER.error("error parsing permitted address range '" + ipMatchString + "', error: " + e);
}
}
if (!match) {
final String errorMsg = "request network address '" + requestAddress + "' does not match any configured permitted source address";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
}
}
}
// csrf cross-site request forgery checks
final boolean performCsrfHeaderChecks = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.SECURITY_HTTP_PERFORM_CSRF_HEADER_CHECKS));
if (performCsrfHeaderChecks && !pwmRequest.getMethod().isIdempotent() && !pwmRequest.getURL().isRestService()) {
final String originValue = pwmRequest.readHeaderValueAsString(HttpHeader.Origin);
final String referrerValue = pwmRequest.readHeaderValueAsString(HttpHeader.Referer);
final String siteUrl = pwmRequest.getPwmApplication().getConfig().readSettingAsString(PwmSetting.PWM_SITE_URL);
final String targetValue = pwmRequest.getHttpServletRequest().getRequestURL().toString();
if (StringUtil.isEmpty(targetValue)) {
final String msg = "malformed request instance, missing target uri value";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, msg);
LOGGER.debug(pwmRequest, errorInformation.toDebugStr() + " [" + makeHeaderDebugStr(pwmRequest) + "]");
throw new PwmUnrecoverableException(errorInformation);
}
final boolean originHeaderEvaluated;
if (!StringUtil.isEmpty(originValue)) {
if (!PwmURL.compareUriBase(originValue, targetValue)) {
final String msg = "cross-origin request not permitted: origin header does not match incoming target url" + " [" + makeHeaderDebugStr(pwmRequest) + "]";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, msg);
LOGGER.debug(pwmRequest, errorInformation.toDebugStr());
throw new PwmUnrecoverableException(errorInformation);
}
originHeaderEvaluated = true;
} else {
originHeaderEvaluated = false;
}
final boolean referrerHeaderEvaluated;
if (!StringUtil.isEmpty(referrerValue)) {
if (!PwmURL.compareUriBase(referrerValue, targetValue) && !PwmURL.compareUriBase(referrerValue, siteUrl)) {
final String msg = "cross-origin request not permitted: referrer header does not match incoming target url" + " [" + makeHeaderDebugStr(pwmRequest) + "]";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, msg);
LOGGER.debug(pwmRequest, errorInformation.toDebugStr());
throw new PwmUnrecoverableException(errorInformation);
}
referrerHeaderEvaluated = true;
} else {
referrerHeaderEvaluated = false;
}
if (!referrerHeaderEvaluated && !originHeaderEvaluated && !PwmURL.compareUriBase(originValue, siteUrl)) {
final String msg = "neither referer nor origin header request are present on non-idempotent request";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, msg);
LOGGER.debug(pwmRequest, errorInformation.toDebugStr() + " [" + makeHeaderDebugStr(pwmRequest) + "]");
throw new PwmUnrecoverableException(errorInformation);
}
}
// check trial
if (PwmConstants.TRIAL_MODE) {
final StatisticsManager statisticsManager = pwmRequest.getPwmApplication().getStatisticsManager();
final String currentAuthString = statisticsManager.getStatBundleForKey(StatisticsManager.KEY_CURRENT).getStatistic(Statistic.AUTHENTICATIONS);
if (new BigInteger(currentAuthString).compareTo(BigInteger.valueOf(PwmConstants.TRIAL_MAX_AUTHENTICATIONS)) > 0) {
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_TRIAL_VIOLATION, "maximum usage per server startup exceeded"));
}
final String totalAuthString = statisticsManager.getStatBundleForKey(StatisticsManager.KEY_CUMULATIVE).getStatistic(Statistic.AUTHENTICATIONS);
if (new BigInteger(totalAuthString).compareTo(BigInteger.valueOf(PwmConstants.TRIAL_MAX_TOTAL_AUTH)) > 0) {
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_TRIAL_VIOLATION, "maximum usage for this server has been exceeded"));
}
}
// check intruder
pwmRequest.getPwmApplication().getIntruderManager().convenience().checkAddressAndSession(pwmRequest.getPwmSession());
}
Also used :
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
ErrorInformation(password.pwm.error.ErrorInformation)
IPMatcher(password.pwm.util.IPMatcher)
StatisticsManager(password.pwm.svc.stats.StatisticsManager)
BigInteger(java.math.BigInteger)
LocalSessionStateBean(password.pwm.bean.LocalSessionStateBean)
TimeDuration(password.pwm.util.java.TimeDuration)
List(java.util.List)
Map(java.util.Map)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
Example 10 with PwmUnrecoverableException
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class AbstractPwmServlet method handleRequest.
private void handleRequest(final HttpServletRequest req, final HttpServletResponse resp, final HttpMethod method) throws ServletException, IOException {
try {
final PwmRequest pwmRequest = PwmRequest.forRequest(req, resp);
if (!method.isIdempotent() && !pwmRequest.getURL().isCommandServletURL()) {
Validator.validatePwmFormID(pwmRequest);
try {
Validator.validatePwmRequestCounter(pwmRequest);
} catch (PwmOperationalException e) {
if (e.getError() == PwmError.ERROR_INCORRECT_REQ_SEQUENCE) {
final ErrorInformation errorInformation = e.getErrorInformation();
final PwmSession pwmSession = PwmSessionWrapper.readPwmSession(req);
LOGGER.error(pwmSession, errorInformation.toDebugStr());
pwmRequest.respondWithError(errorInformation, false);
return;
}
throw e;
}
}
// check for incorrect method type.
final ProcessAction processAction = readProcessAction(pwmRequest);
if (processAction != null) {
if (!processAction.permittedMethods().contains(method)) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SERVICE_NOT_AVAILABLE, "incorrect request method " + method.toString() + " on request to " + pwmRequest.getURLwithQueryString());
LOGGER.error(pwmRequest.getPwmSession(), errorInformation.toDebugStr());
pwmRequest.respondWithError(errorInformation, false);
return;
}
}
this.processAction(pwmRequest);
} catch (Exception e) {
final PwmRequest pwmRequest;
try {
pwmRequest = PwmRequest.forRequest(req, resp);
} catch (Exception e2) {
try {
LOGGER.fatal("exception occurred, but exception handler unable to load request instance; error=" + e.getMessage(), e);
} catch (Exception e3) {
e3.printStackTrace();
}
throw new ServletException(e);
}
final PwmUnrecoverableException pue = convertToPwmUnrecoverableException(e, pwmRequest);
if (processUnrecoverableException(req, resp, pwmRequest.getPwmApplication(), pwmRequest.getPwmSession(), pue)) {
return;
}
outputUnrecoverableException(pwmRequest, pue);
clearModuleBeans(pwmRequest);
}
}
Also used :
ServletException(javax.servlet.ServletException)
ErrorInformation(password.pwm.error.ErrorInformation)
PwmRequest(password.pwm.http.PwmRequest)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
PwmSession(password.pwm.http.PwmSession)
ServletException(javax.servlet.ServletException)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
PwmException(password.pwm.error.PwmException)
PwmOperationalException(password.pwm.error.PwmOperationalException)
IOException(java.io.IOException)
ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException)
PwmOperationalException(password.pwm.error.PwmOperationalException)
Aggregations
PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)282
ErrorInformation (password.pwm.error.ErrorInformation)201
PwmOperationalException (password.pwm.error.PwmOperationalException)85
ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)75
IOException (java.io.IOException)72
PwmException (password.pwm.error.PwmException)69
PwmApplication (password.pwm.PwmApplication)48
UserIdentity (password.pwm.bean.UserIdentity)48
Configuration (password.pwm.config.Configuration)43
ServletException (javax.servlet.ServletException)38
LinkedHashMap (java.util.LinkedHashMap)37
Instant (java.time.Instant)35
ArrayList (java.util.ArrayList)31
PwmSession (password.pwm.http.PwmSession)30
Map (java.util.Map)28
ChaiUser (com.novell.ldapchai.ChaiUser)26
ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)25
FormConfiguration (password.pwm.config.value.data.FormConfiguration)24
HashMap (java.util.HashMap)23
ChaiException (com.novell.ldapchai.exception.ChaiException)22
