use of password.pwm.http.PwmResponse in project pwm by pwm-project.
the class ConfigManagerServlet method doDownloadConfig.
private void doDownloadConfig(final PwmRequest pwmRequest) throws IOException, ServletException, PwmUnrecoverableException {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final PwmResponse resp = pwmRequest.getPwmResponse();
try {
final StoredConfigurationImpl storedConfiguration = readCurrentConfiguration(pwmRequest);
final OutputStream responseWriter = resp.getOutputStream();
resp.setHeader(HttpHeader.ContentDisposition, "attachment;filename=" + PwmConstants.DEFAULT_CONFIG_FILE_FILENAME);
resp.setContentType(HttpContentType.xml);
storedConfiguration.toXml(responseWriter);
responseWriter.close();
} catch (Exception e) {
LOGGER.error(pwmSession, "unable to download configuration: " + e.getMessage());
}
}
use of password.pwm.http.PwmResponse in project pwm by pwm-project.
the class ConfigManagerServlet method doGenerateSupportZip.
private void doGenerateSupportZip(final PwmRequest pwmRequest) throws IOException, ServletException {
final PwmResponse resp = pwmRequest.getPwmResponse();
resp.setHeader(HttpHeader.ContentDisposition, "attachment;filename=" + PwmConstants.PWM_APP_NAME + "-Support.zip");
resp.setContentType(HttpContentType.zip);
final String pathPrefix = PwmConstants.PWM_APP_NAME + "-Support" + "/";
ZipOutputStream zipOutput = null;
try {
zipOutput = new ZipOutputStream(resp.getOutputStream(), PwmConstants.DEFAULT_CHARSET);
DebugItemGenerator.outputZipDebugFile(pwmRequest, zipOutput, pathPrefix);
} catch (Exception e) {
LOGGER.error(pwmRequest, "error during zip debug building: " + e.getMessage());
} finally {
if (zipOutput != null) {
try {
zipOutput.close();
} catch (Exception e) {
LOGGER.error(pwmRequest, "error during zip debug closing: " + e.getMessage());
}
}
}
}
use of password.pwm.http.PwmResponse in project pwm by pwm-project.
the class SessionFilter method verifySession.
/**
* Attempt to determine if user agent is able to track sessions (either via url rewriting or cookies).
*/
private static ProcessStatus verifySession(final PwmRequest pwmRequest, final SessionVerificationMode mode) throws IOException, ServletException, PwmUnrecoverableException {
final LocalSessionStateBean ssBean = pwmRequest.getPwmSession().getSessionStateBean();
final HttpServletRequest req = pwmRequest.getHttpServletRequest();
final PwmResponse pwmResponse = pwmRequest.getPwmResponse();
if (!pwmRequest.getMethod().isIdempotent() && pwmRequest.hasParameter(PwmConstants.PARAM_FORM_ID)) {
LOGGER.debug(pwmRequest, "session is unvalidated but can not be validated during a " + pwmRequest.getMethod().toString() + " request, will allow");
return ProcessStatus.Continue;
}
{
final String acceptEncodingHeader = pwmRequest.getHttpServletRequest().getHeader(HttpHeader.Accept.getHttpName());
if (acceptEncodingHeader != null && acceptEncodingHeader.contains("json")) {
LOGGER.debug(pwmRequest, "session is unvalidated but can not be validated during a json request, will allow");
return ProcessStatus.Continue;
}
}
if (pwmRequest.getURL().isCommandServletURL()) {
return ProcessStatus.Continue;
}
final String verificationParamName = pwmRequest.getConfig().readAppProperty(AppProperty.HTTP_PARAM_SESSION_VERIFICATION);
final String keyFromRequest = pwmRequest.readParameterAsString(verificationParamName, PwmHttpRequestWrapper.Flag.BypassValidation);
// request doesn't have key, so make a new one, store it in the session, and redirect back here with the new key.
if (keyFromRequest == null || keyFromRequest.length() < 1) {
final String returnURL = figureValidationURL(pwmRequest, ssBean.getSessionVerificationKey());
LOGGER.trace(pwmRequest, "session has not been validated, redirecting with verification key to " + returnURL);
// better chance of detecting un-sticky sessions this way
pwmResponse.setHeader(HttpHeader.Connection, "close");
if (mode == SessionVerificationMode.VERIFY_AND_CACHE) {
req.setAttribute("Location", returnURL);
pwmResponse.forwardToJsp(JspUrl.INIT);
} else {
pwmResponse.sendRedirect(returnURL);
}
return ProcessStatus.Halt;
}
// else, request has a key, so investigate.
if (keyFromRequest.equals(ssBean.getSessionVerificationKey())) {
final String returnURL = figureValidationURL(pwmRequest, null);
// session looks, good, mark it as such and return;
LOGGER.trace(pwmRequest, "session validated, redirecting to original request url: " + returnURL);
ssBean.setSessionVerified(true);
pwmRequest.getPwmResponse().sendRedirect(returnURL);
return ProcessStatus.Halt;
}
// user's session is messed up. send to error page.
final String errorMsg = "client unable to reply with session key";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_BAD_SESSION, errorMsg);
LOGGER.error(pwmRequest, errorInformation);
pwmRequest.respondWithError(errorInformation, true);
return ProcessStatus.Halt;
}
use of password.pwm.http.PwmResponse in project pwm by pwm-project.
the class SessionFilter method handleStandardRequestOperations.
private ProcessStatus handleStandardRequestOperations(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException, ServletException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final Configuration config = pwmRequest.getConfig();
final PwmSession pwmSession = pwmRequest.getPwmSession();
final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
final PwmResponse resp = pwmRequest.getPwmResponse();
// debug the http session headers
if (!pwmSession.getSessionStateBean().isDebugInitialized()) {
LOGGER.trace(pwmSession, pwmRequest.debugHttpHeaders());
pwmSession.getSessionStateBean().setDebugInitialized(true);
}
try {
pwmApplication.getSessionStateService().readLoginSessionState(pwmRequest);
} catch (PwmUnrecoverableException e) {
LOGGER.warn(pwmRequest, "error while reading login session state: " + e.getMessage());
}
// mark last url
if (!new PwmURL(pwmRequest.getHttpServletRequest()).isCommandServletURL()) {
ssBean.setLastRequestURL(pwmRequest.getHttpServletRequest().getRequestURI());
}
// mark last request time.
ssBean.setSessionLastAccessedTime(Instant.now());
// check the page leave notice
if (checkPageLeaveNotice(pwmSession, config)) {
LOGGER.warn("invalidating session due to dirty page leave time greater then configured timeout");
pwmRequest.invalidateSession();
resp.sendRedirect(pwmRequest.getHttpServletRequest().getRequestURI());
return ProcessStatus.Halt;
}
// override session locale due to parameter
handleLocaleParam(pwmRequest);
// set the session's theme
handleThemeParam(pwmRequest);
// check the sso override flag
handleSsoOverrideParam(pwmRequest);
// check for session verification failure
if (!ssBean.isSessionVerified()) {
// ignore resource requests
final SessionVerificationMode mode = config.readSettingAsEnum(PwmSetting.ENABLE_SESSION_VERIFICATION, SessionVerificationMode.class);
if (mode == SessionVerificationMode.OFF) {
ssBean.setSessionVerified(true);
} else {
if (verifySession(pwmRequest, mode) == ProcessStatus.Halt) {
return ProcessStatus.Halt;
}
}
}
{
final String forwardURLParamName = config.readAppProperty(AppProperty.HTTP_PARAM_NAME_FORWARD_URL);
final String forwardURL = pwmRequest.readParameterAsString(forwardURLParamName);
if (forwardURL != null && forwardURL.length() > 0) {
try {
checkUrlAgainstWhitelist(pwmApplication, pwmRequest.getSessionLabel(), forwardURL);
} catch (PwmOperationalException e) {
LOGGER.error(pwmRequest, e.getErrorInformation());
pwmRequest.respondWithError(e.getErrorInformation());
return ProcessStatus.Halt;
}
ssBean.setForwardURL(forwardURL);
LOGGER.debug(pwmRequest, "forwardURL parameter detected in request, setting session forward url to " + forwardURL);
}
}
{
final String logoutURLParamName = config.readAppProperty(AppProperty.HTTP_PARAM_NAME_LOGOUT_URL);
final String logoutURL = pwmRequest.readParameterAsString(logoutURLParamName);
if (logoutURL != null && logoutURL.length() > 0) {
try {
checkUrlAgainstWhitelist(pwmApplication, pwmRequest.getSessionLabel(), logoutURL);
} catch (PwmOperationalException e) {
LOGGER.error(pwmRequest, e.getErrorInformation());
pwmRequest.respondWithError(e.getErrorInformation());
return ProcessStatus.Halt;
}
ssBean.setLogoutURL(logoutURL);
LOGGER.debug(pwmRequest, "logoutURL parameter detected in request, setting session logout url to " + logoutURL);
}
}
{
final String expireParamName = pwmRequest.getConfig().readAppProperty(AppProperty.HTTP_PARAM_NAME_PASSWORD_EXPIRED);
if ("true".equalsIgnoreCase(pwmRequest.readParameterAsString(expireParamName))) {
LOGGER.debug(pwmSession, "detected param '" + expireParamName + "'=true in request, will force pw change");
pwmSession.getLoginInfoBean().getLoginFlags().add(LoginInfoBean.LoginFlag.forcePwChange);
}
}
// update last request time.
ssBean.setSessionLastAccessedTime(Instant.now());
if (pwmApplication.getStatisticsManager() != null) {
pwmApplication.getStatisticsManager().incrementValue(Statistic.HTTP_REQUESTS);
}
return ProcessStatus.Continue;
}
use of password.pwm.http.PwmResponse in project pwm by pwm-project.
the class RequestInitializationFilter method addPwmResponseHeaders.
public static void addPwmResponseHeaders(final PwmRequest pwmRequest) throws PwmUnrecoverableException {
if (pwmRequest == null) {
return;
}
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final PwmSession pwmSession = pwmRequest.getPwmSession();
final Configuration config = pwmApplication.getConfig();
final PwmResponse resp = pwmRequest.getPwmResponse();
if (resp.isCommitted()) {
return;
}
final boolean includeXSessionID = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_XSESSIONID));
if (includeXSessionID && pwmSession != null) {
resp.setHeader(HttpHeader.XSessionID, pwmSession.getSessionStateBean().getSessionID());
}
final boolean includeContentLanguage = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_CONTENT_LANGUAGE));
if (includeContentLanguage) {
resp.setHeader(HttpHeader.Content_Language, pwmRequest.getLocale().toLanguageTag());
}
addStaticResponseHeaders(pwmApplication, resp.getHttpServletResponse());
if (pwmSession != null) {
final String contentPolicy;
if (pwmRequest.getURL().isConfigGuideURL() || pwmRequest.getURL().isConfigManagerURL()) {
contentPolicy = config.readAppProperty(AppProperty.SECURITY_HTTP_CONFIG_CSP_HEADER);
} else {
contentPolicy = config.readSettingAsString(PwmSetting.SECURITY_CSP_HEADER);
}
if (contentPolicy != null && !contentPolicy.isEmpty()) {
final String nonce = pwmRequest.getCspNonce();
final String expandedPolicy = contentPolicy.replace("%NONCE%", nonce);
resp.setHeader(HttpHeader.ContentSecurityPolicy, expandedPolicy);
}
}
}
Aggregations