Search in sources :

Example 1 with PwmResponse

use of password.pwm.http.PwmResponse in project pwm by pwm-project.

the class ConfigManagerServlet method doDownloadConfig.

private void doDownloadConfig(final PwmRequest pwmRequest) throws IOException, ServletException, PwmUnrecoverableException {
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final PwmResponse resp = pwmRequest.getPwmResponse();
    try {
        final StoredConfigurationImpl storedConfiguration = readCurrentConfiguration(pwmRequest);
        final OutputStream responseWriter = resp.getOutputStream();
        resp.setHeader(HttpHeader.ContentDisposition, "attachment;filename=" + PwmConstants.DEFAULT_CONFIG_FILE_FILENAME);
        resp.setContentType(HttpContentType.xml);
        storedConfiguration.toXml(responseWriter);
        responseWriter.close();
    } catch (Exception e) {
        LOGGER.error(pwmSession, "unable to download configuration: " + e.getMessage());
    }
}
Also used : StoredConfigurationImpl(password.pwm.config.stored.StoredConfigurationImpl) PwmResponse(password.pwm.http.PwmResponse) ZipOutputStream(java.util.zip.ZipOutputStream) OutputStream(java.io.OutputStream) PwmSession(password.pwm.http.PwmSession) ServletException(javax.servlet.ServletException) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException) PwmException(password.pwm.error.PwmException) IOException(java.io.IOException)

Example 2 with PwmResponse

use of password.pwm.http.PwmResponse in project pwm by pwm-project.

the class ConfigManagerServlet method doGenerateSupportZip.

private void doGenerateSupportZip(final PwmRequest pwmRequest) throws IOException, ServletException {
    final PwmResponse resp = pwmRequest.getPwmResponse();
    resp.setHeader(HttpHeader.ContentDisposition, "attachment;filename=" + PwmConstants.PWM_APP_NAME + "-Support.zip");
    resp.setContentType(HttpContentType.zip);
    final String pathPrefix = PwmConstants.PWM_APP_NAME + "-Support" + "/";
    ZipOutputStream zipOutput = null;
    try {
        zipOutput = new ZipOutputStream(resp.getOutputStream(), PwmConstants.DEFAULT_CHARSET);
        DebugItemGenerator.outputZipDebugFile(pwmRequest, zipOutput, pathPrefix);
    } catch (Exception e) {
        LOGGER.error(pwmRequest, "error during zip debug building: " + e.getMessage());
    } finally {
        if (zipOutput != null) {
            try {
                zipOutput.close();
            } catch (Exception e) {
                LOGGER.error(pwmRequest, "error during zip debug closing: " + e.getMessage());
            }
        }
    }
}
Also used : ZipOutputStream(java.util.zip.ZipOutputStream) PwmResponse(password.pwm.http.PwmResponse) ServletException(javax.servlet.ServletException) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException) PwmException(password.pwm.error.PwmException) IOException(java.io.IOException)

Example 3 with PwmResponse

use of password.pwm.http.PwmResponse in project pwm by pwm-project.

the class SessionFilter method verifySession.

/**
 * Attempt to determine if user agent is able to track sessions (either via url rewriting or cookies).
 */
private static ProcessStatus verifySession(final PwmRequest pwmRequest, final SessionVerificationMode mode) throws IOException, ServletException, PwmUnrecoverableException {
    final LocalSessionStateBean ssBean = pwmRequest.getPwmSession().getSessionStateBean();
    final HttpServletRequest req = pwmRequest.getHttpServletRequest();
    final PwmResponse pwmResponse = pwmRequest.getPwmResponse();
    if (!pwmRequest.getMethod().isIdempotent() && pwmRequest.hasParameter(PwmConstants.PARAM_FORM_ID)) {
        LOGGER.debug(pwmRequest, "session is unvalidated but can not be validated during a " + pwmRequest.getMethod().toString() + " request, will allow");
        return ProcessStatus.Continue;
    }
    {
        final String acceptEncodingHeader = pwmRequest.getHttpServletRequest().getHeader(HttpHeader.Accept.getHttpName());
        if (acceptEncodingHeader != null && acceptEncodingHeader.contains("json")) {
            LOGGER.debug(pwmRequest, "session is unvalidated but can not be validated during a json request, will allow");
            return ProcessStatus.Continue;
        }
    }
    if (pwmRequest.getURL().isCommandServletURL()) {
        return ProcessStatus.Continue;
    }
    final String verificationParamName = pwmRequest.getConfig().readAppProperty(AppProperty.HTTP_PARAM_SESSION_VERIFICATION);
    final String keyFromRequest = pwmRequest.readParameterAsString(verificationParamName, PwmHttpRequestWrapper.Flag.BypassValidation);
    // request doesn't have key, so make a new one, store it in the session, and redirect back here with the new key.
    if (keyFromRequest == null || keyFromRequest.length() < 1) {
        final String returnURL = figureValidationURL(pwmRequest, ssBean.getSessionVerificationKey());
        LOGGER.trace(pwmRequest, "session has not been validated, redirecting with verification key to " + returnURL);
        // better chance of detecting un-sticky sessions this way
        pwmResponse.setHeader(HttpHeader.Connection, "close");
        if (mode == SessionVerificationMode.VERIFY_AND_CACHE) {
            req.setAttribute("Location", returnURL);
            pwmResponse.forwardToJsp(JspUrl.INIT);
        } else {
            pwmResponse.sendRedirect(returnURL);
        }
        return ProcessStatus.Halt;
    }
    // else, request has a key, so investigate.
    if (keyFromRequest.equals(ssBean.getSessionVerificationKey())) {
        final String returnURL = figureValidationURL(pwmRequest, null);
        // session looks, good, mark it as such and return;
        LOGGER.trace(pwmRequest, "session validated, redirecting to original request url: " + returnURL);
        ssBean.setSessionVerified(true);
        pwmRequest.getPwmResponse().sendRedirect(returnURL);
        return ProcessStatus.Halt;
    }
    // user's session is messed up.  send to error page.
    final String errorMsg = "client unable to reply with session key";
    final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_BAD_SESSION, errorMsg);
    LOGGER.error(pwmRequest, errorInformation);
    pwmRequest.respondWithError(errorInformation, true);
    return ProcessStatus.Halt;
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) ErrorInformation(password.pwm.error.ErrorInformation) PwmResponse(password.pwm.http.PwmResponse) LocalSessionStateBean(password.pwm.bean.LocalSessionStateBean)

Example 4 with PwmResponse

use of password.pwm.http.PwmResponse in project pwm by pwm-project.

the class SessionFilter method handleStandardRequestOperations.

private ProcessStatus handleStandardRequestOperations(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException, ServletException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final Configuration config = pwmRequest.getConfig();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
    final PwmResponse resp = pwmRequest.getPwmResponse();
    // debug the http session headers
    if (!pwmSession.getSessionStateBean().isDebugInitialized()) {
        LOGGER.trace(pwmSession, pwmRequest.debugHttpHeaders());
        pwmSession.getSessionStateBean().setDebugInitialized(true);
    }
    try {
        pwmApplication.getSessionStateService().readLoginSessionState(pwmRequest);
    } catch (PwmUnrecoverableException e) {
        LOGGER.warn(pwmRequest, "error while reading login session state: " + e.getMessage());
    }
    // mark last url
    if (!new PwmURL(pwmRequest.getHttpServletRequest()).isCommandServletURL()) {
        ssBean.setLastRequestURL(pwmRequest.getHttpServletRequest().getRequestURI());
    }
    // mark last request time.
    ssBean.setSessionLastAccessedTime(Instant.now());
    // check the page leave notice
    if (checkPageLeaveNotice(pwmSession, config)) {
        LOGGER.warn("invalidating session due to dirty page leave time greater then configured timeout");
        pwmRequest.invalidateSession();
        resp.sendRedirect(pwmRequest.getHttpServletRequest().getRequestURI());
        return ProcessStatus.Halt;
    }
    // override session locale due to parameter
    handleLocaleParam(pwmRequest);
    // set the session's theme
    handleThemeParam(pwmRequest);
    // check the sso override flag
    handleSsoOverrideParam(pwmRequest);
    // check for session verification failure
    if (!ssBean.isSessionVerified()) {
        // ignore resource requests
        final SessionVerificationMode mode = config.readSettingAsEnum(PwmSetting.ENABLE_SESSION_VERIFICATION, SessionVerificationMode.class);
        if (mode == SessionVerificationMode.OFF) {
            ssBean.setSessionVerified(true);
        } else {
            if (verifySession(pwmRequest, mode) == ProcessStatus.Halt) {
                return ProcessStatus.Halt;
            }
        }
    }
    {
        final String forwardURLParamName = config.readAppProperty(AppProperty.HTTP_PARAM_NAME_FORWARD_URL);
        final String forwardURL = pwmRequest.readParameterAsString(forwardURLParamName);
        if (forwardURL != null && forwardURL.length() > 0) {
            try {
                checkUrlAgainstWhitelist(pwmApplication, pwmRequest.getSessionLabel(), forwardURL);
            } catch (PwmOperationalException e) {
                LOGGER.error(pwmRequest, e.getErrorInformation());
                pwmRequest.respondWithError(e.getErrorInformation());
                return ProcessStatus.Halt;
            }
            ssBean.setForwardURL(forwardURL);
            LOGGER.debug(pwmRequest, "forwardURL parameter detected in request, setting session forward url to " + forwardURL);
        }
    }
    {
        final String logoutURLParamName = config.readAppProperty(AppProperty.HTTP_PARAM_NAME_LOGOUT_URL);
        final String logoutURL = pwmRequest.readParameterAsString(logoutURLParamName);
        if (logoutURL != null && logoutURL.length() > 0) {
            try {
                checkUrlAgainstWhitelist(pwmApplication, pwmRequest.getSessionLabel(), logoutURL);
            } catch (PwmOperationalException e) {
                LOGGER.error(pwmRequest, e.getErrorInformation());
                pwmRequest.respondWithError(e.getErrorInformation());
                return ProcessStatus.Halt;
            }
            ssBean.setLogoutURL(logoutURL);
            LOGGER.debug(pwmRequest, "logoutURL parameter detected in request, setting session logout url to " + logoutURL);
        }
    }
    {
        final String expireParamName = pwmRequest.getConfig().readAppProperty(AppProperty.HTTP_PARAM_NAME_PASSWORD_EXPIRED);
        if ("true".equalsIgnoreCase(pwmRequest.readParameterAsString(expireParamName))) {
            LOGGER.debug(pwmSession, "detected param '" + expireParamName + "'=true in request, will force pw change");
            pwmSession.getLoginInfoBean().getLoginFlags().add(LoginInfoBean.LoginFlag.forcePwChange);
        }
    }
    // update last request time.
    ssBean.setSessionLastAccessedTime(Instant.now());
    if (pwmApplication.getStatisticsManager() != null) {
        pwmApplication.getStatisticsManager().incrementValue(Statistic.HTTP_REQUESTS);
    }
    return ProcessStatus.Continue;
}
Also used : PwmApplication(password.pwm.PwmApplication) Configuration(password.pwm.config.Configuration) SessionVerificationMode(password.pwm.config.option.SessionVerificationMode) PwmResponse(password.pwm.http.PwmResponse) LocalSessionStateBean(password.pwm.bean.LocalSessionStateBean) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) PwmURL(password.pwm.http.PwmURL) PwmSession(password.pwm.http.PwmSession) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 5 with PwmResponse

use of password.pwm.http.PwmResponse in project pwm by pwm-project.

the class RequestInitializationFilter method addPwmResponseHeaders.

public static void addPwmResponseHeaders(final PwmRequest pwmRequest) throws PwmUnrecoverableException {
    if (pwmRequest == null) {
        return;
    }
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final Configuration config = pwmApplication.getConfig();
    final PwmResponse resp = pwmRequest.getPwmResponse();
    if (resp.isCommitted()) {
        return;
    }
    final boolean includeXSessionID = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_XSESSIONID));
    if (includeXSessionID && pwmSession != null) {
        resp.setHeader(HttpHeader.XSessionID, pwmSession.getSessionStateBean().getSessionID());
    }
    final boolean includeContentLanguage = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_CONTENT_LANGUAGE));
    if (includeContentLanguage) {
        resp.setHeader(HttpHeader.Content_Language, pwmRequest.getLocale().toLanguageTag());
    }
    addStaticResponseHeaders(pwmApplication, resp.getHttpServletResponse());
    if (pwmSession != null) {
        final String contentPolicy;
        if (pwmRequest.getURL().isConfigGuideURL() || pwmRequest.getURL().isConfigManagerURL()) {
            contentPolicy = config.readAppProperty(AppProperty.SECURITY_HTTP_CONFIG_CSP_HEADER);
        } else {
            contentPolicy = config.readSettingAsString(PwmSetting.SECURITY_CSP_HEADER);
        }
        if (contentPolicy != null && !contentPolicy.isEmpty()) {
            final String nonce = pwmRequest.getCspNonce();
            final String expandedPolicy = contentPolicy.replace("%NONCE%", nonce);
            resp.setHeader(HttpHeader.ContentSecurityPolicy, expandedPolicy);
        }
    }
}
Also used : PwmApplication(password.pwm.PwmApplication) Configuration(password.pwm.config.Configuration) PwmResponse(password.pwm.http.PwmResponse) PwmSession(password.pwm.http.PwmSession)

Aggregations

PwmResponse (password.pwm.http.PwmResponse)6 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)4 ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)3 IOException (java.io.IOException)3 ServletException (javax.servlet.ServletException)3 PwmException (password.pwm.error.PwmException)3 PwmSession (password.pwm.http.PwmSession)3 OutputStream (java.io.OutputStream)2 ZipOutputStream (java.util.zip.ZipOutputStream)2 PwmApplication (password.pwm.PwmApplication)2 LocalSessionStateBean (password.pwm.bean.LocalSessionStateBean)2 Configuration (password.pwm.config.Configuration)2 BufferedOutputStream (java.io.BufferedOutputStream)1 Instant (java.time.Instant)1 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 SessionVerificationMode (password.pwm.config.option.SessionVerificationMode)1 StoredConfigurationImpl (password.pwm.config.stored.StoredConfigurationImpl)1 ErrorInformation (password.pwm.error.ErrorInformation)1 PwmOperationalException (password.pwm.error.PwmOperationalException)1 PwmURL (password.pwm.http.PwmURL)1