Example #1
0
 private AuthD() {
   debug.message("AuthD initializing");
   try {
     rootSuffix = defaultOrg = ServiceManager.getBaseDN();
     initAuthSessions();
     initAuthServiceGlobalSettings();
     initPlatformServiceGlobalSettings();
     initSessionServiceDynamicSettings();
     initAuthConfigGlobalSettings();
     bundle = com.sun.identity.shared.locale.Locale.getInstallResourceBundle(BUNDLE_NAME);
     ResourceBundle platBundle =
         com.sun.identity.shared.locale.Locale.getInstallResourceBundle("amPlatform");
     platformCharset = platBundle.getString(ISAuthConstants.PLATFORM_CHARSET_ATTR);
     printProfileAttrs();
     // Initialize AuthXMLHandler so that AdminTokenAction can
     // generate DPro Session's SSOToken
     new com.sun.identity.authentication.server.AuthXMLHandler();
     authInitFailed = false;
   } catch (Exception ex) {
     debug.error("AuthD init()", ex);
     authInitFailed = true;
   }
   try {
     enforceJAASThread =
         Boolean.valueOf(SystemProperties.get(Constants.ENFORCE_JAAS_THREAD)).booleanValue();
   } catch (Exception e) {
     if (debug.messageEnabled()) {
       debug.message("Wrong format of " + Constants.ENFORCE_JAAS_THREAD);
     }
   }
 }
Example #2
0
/** The <code>PAOSUtils</code> contains utility methods for PAOS implementation. */
public class PAOSUtils {
  public static Debug debug = Debug.getInstance("libIDWSF");

  public static final String BUNDLE_NAME = "libPAOS";

  public static ResourceBundle bundle = Locale.getInstallResourceBundle(BUNDLE_NAME);
}
Example #3
0
 private void setLocale(HttpServletRequest request) {
   if (request != null) {
     String superLocale = request.getParameter("locale");
     if (superLocale != null && superLocale.length() > 0) {
       configLocale = Locale.getLocaleObjFromAcceptLangHeader(superLocale);
     } else {
       String acceptLangHeader = (String) request.getHeader("Accept-Language");
       if ((acceptLangHeader != null) && (acceptLangHeader.length() > 0)) {
         configLocale = Locale.getLocaleObjFromAcceptLangHeader(acceptLangHeader);
       } else {
         configLocale = java.util.Locale.getDefault();
       }
     }
     try {
       rb = ResourceBundle.getBundle(RB_NAME, configLocale);
     } catch (MissingResourceException mre) {
       // do nothing
     }
   }
 }
Example #4
0
  public String getLocalizedString(String i18nKey) {
    if (rb == null) {
      initializeResourceBundle();
    }

    String localizedValue = null;
    try {
      localizedValue = Locale.getString(rb, i18nKey, debug);
    } catch (MissingResourceException mre) {
      // do nothing
    }
    return (localizedValue == null) ? i18nKey : localizedValue;
  }
 /**
  * Constructor
  *
  * @param lang Language for the properties file.
  */
 public PPInteractionHelper(String lang) {
   if (lang != null) {
     props =
         ResourceBundle.getBundle(
             idppProps,
             com.sun.identity.shared.locale.Locale.getLocaleObjFromAcceptLangHeader(lang));
   } else {
     props = IDPPUtils.bundle;
   }
   try {
     defaultMinChars = props.getString("defaultMinTextChars");
     defaultMaxChars = props.getString("defaultMaxTextChars");
   } catch (MissingResourceException mre) {
     IDPPUtils.debug.error(
         "PPInteractHelper.Static: Could not find min" + " or maximum text characters.", mre);
   }
 }
Example #6
0
  /**
   * Returns Resource bundle of a locale.
   *
   * @param locale Locale.
   * @return Resource bundle of a locale.
   */
  public ResourceBundle getResourceBundle(String locale) {
    if (locale == null) {
      return bundle;
    }

    ResourceBundle rb = (ResourceBundle) bundles.get(locale);
    if (rb == null) {
      rb = com.sun.identity.shared.locale.Locale.getResourceBundle(BUNDLE_NAME, locale);

      if (rb == null) {
        rb = bundle;
      }
      bundles.put(locale, rb);
    }

    return rb;
  }
Example #7
0
public class EncryptionUtils {

  public static Debug debug = Debug.getInstance("libEncryption");
  public static final String BUNDLE_NAME = "libEncryption";
  public static ResourceBundle bundle = Locale.getInstallResourceBundle(BUNDLE_NAME);
}
Example #8
0
/**
 * The <code>AuthContextLocal</code> provides the implementation for authenticating users.
 *
 * <p>A typical caller instantiates this class and starts the login process. The caller then obtains
 * an array of <code>Callback</code> objects, which contains the information required by the
 * authentication plug-in module. The caller requests information from the user. On receiving the
 * information from the user, the caller submits the same to this class. If more information is
 * required, the above process continues until all the information required by the
 * plug-ins/authentication modules, has been supplied. The caller then checks if the user has
 * successfully been authenticated. If successfully authenticated, the caller can then get the
 * <code>Subject</code> and <code>SSOToken</code> for the user; if not successfully authenticated,
 * the caller obtains the AuthLoginException.
 *
 * <p>The implementation supports authenticating users either locally i.e., in process with all
 * authentication modules configured or remotely to an authentication service/framework. (See
 * documentation to configure in either of the modes).
 *
 * <p>The <code>getRequirements()</code> and <code>submitRequirements()</code> are used to pass the
 * user credentials for authentication by the plugin modules,<code>getStatus()</code> returns the
 * authentication status.
 *
 * <p>It should be serializable as a requirement to be stored in HttpSession.
 */
public final class AuthContextLocal extends Object implements java.io.Serializable {

  /*
   * Protected variables used locally
   */

  // Debug & I18N class
  private static final String amAuthContextLocal = "amAuthContextLocal";
  /** Hold the debug instance */
  protected static Debug authDebug = Debug.getInstance(amAuthContextLocal);

  /** Holds the locale-specific information */
  protected static ResourceBundle bundle = Locale.getInstallResourceBundle(amAuthContextLocal);

  /** Holds organizationName */
  protected String organizationName;
  /** Holds the set of module instance names */
  protected Set moduleInstanceNames;
  /** Holds the index type */
  protected AuthContext.IndexType indexType;
  /** Holds the index name */
  protected String indexName;
  /** Holds the login status */
  protected AuthContext.Status loginStatus;
  /** Holds the host name */
  protected String hostName;
  /** Holds the http session */
  protected HttpSession httpSession;
  /** Holds Single Sign on Token */
  protected SSOToken ssoToken;
  /** AuthLoginException */
  protected volatile AuthLoginException loginException = null;
  /** Holds call back information */
  protected Callback[] informationRequired = null;
  /** AuthLoginContext */
  public AMLoginContext amlc = null;
  /** Holds LoginStatus */
  public LoginStatus ls;
  /** Holds subject */
  protected Subject subject;
  /** character array for password */
  protected char[] password;

  private LoginState loginState = null;

  private String orgDN = null;

  /** Holds information about submittion of requirements */
  private boolean inSubmitRequirements = false;

  /**
   * Creates <code>AuthContextLocal</code> instance is obtained for a given organization name, or
   * sub organization name. <code>login</code> method is then used to start the authentication
   * process.
   *
   * @param orgName name of the user's organization.
   * @supported.api
   */
  public AuthContextLocal(String orgName) {
    authDebug.message("AuthContextLocal() constructor called");
    organizationName = orgName;

    amlc = new AMLoginContext(this);
    if (authDebug.messageEnabled()) {
      authDebug.message("AMLoginContext object is... " + amlc);
    }
    reset();
  }

  /**
   * Returns authentication module/s instances(or) plugin(s) configured for an organization, or
   * sub-organization that was set during the <code>AuthContext</code> constructor.
   *
   * @return authentication module/s instances (or plugins).
   * @throws UnsupportedOperationException if an error occurred.
   * @supported.api
   */
  public Set getModuleInstanceNames() {
    moduleInstanceNames = amlc.getModuleInstanceNames();

    return (moduleInstanceNames);
  }

  /**
   * Starts the login process for the given <code>AuthContextLocal</code> object.
   *
   * @exception AuthLoginException if an error occurred during login.
   * @supported.api
   */
  public void login() throws AuthLoginException {
    login(null);
  }

  /**
   * Starts the login process for the given <code>AuthContextLocal</code>s object for the given
   * <code>Principal</code> and the user's password. This method should be called primarily when the
   * authenticator knows there would no other credentials needed to complete the authentication
   * process.
   *
   * @param principal <code>Principal</code> of the user to be authenticated.
   * @param password password for the user.
   * @throws AuthLoginException if an error occurred during login.
   * @supported.api
   */
  public void login(Principal principal, char[] password) throws AuthLoginException {

    // Make sure principal and password are not null
    if (principal == null)
      throw new AuthLoginException(amAuthContextLocal, "invalid-username", null);
    if (password == null)
      throw new AuthLoginException(amAuthContextLocal, "invalid-password", null);

    // Copy the password
    this.password = password;

    login(null, null, principal, password, null, false);
  }

  /**
   * Start the login process for the <code>AuthContextLocal</code> object identified by the index
   * type and index name. The <code>IndexType</code> defines the possible kinds of "objects" or
   * "resources" for which an authentication can be performed. Currently supported index types are
   * users, roles, services (or application), levels and mechanism.
   *
   * @param type authentication index type.
   * @param indexName authentication index name.
   * @throws AuthLoginException if an error occurred during login.
   * @supported.api
   */
  public void login(AuthContext.IndexType type, String indexName) throws AuthLoginException {
    if (authDebug.messageEnabled()) {
      authDebug.message(
          "AuthContextLocal::login() called "
              + "with IndexType : "
              + type
              + " & Indexname : "
              + indexName);
    }

    login(type, indexName, null, null, null, false);
  }

  /**
   * Starts the login process for the given <code>AuthContextLocal</code> object for the given
   * <code>Subject</code>. Refer to JAAS for description on <code>Subject</code>.
   *
   * @param subject <code>Subject</code> of the user to be authenticated.
   * @throws AuthLoginException if an error occurred during login.
   * @supported.api
   */
  public void login(Subject subject) throws AuthLoginException {
    login(null, null, null, null, subject, false);
  }

  /**
   * Starts the login process for the given <code>AuthContextLocal</code> object identified by the
   * index type and index name. The <code>IndexType</code> defines the possible kinds of "objects"
   * or "resources" for which an authentication can be performed.Currently supported index types are
   * users, roles, services (or application), levels and mechanism. The pCookieMode indicates that a
   * persistent cookie exists for this request.
   *
   * @param type authentication index type.
   * @param indexName authentication index name.
   * @param locale locale setting.
   * @throws AuthLoginException if an error occurred during login process.
   */
  public void login(AuthContext.IndexType type, String indexName, String locale)
      throws AuthLoginException {
    if (authDebug.messageEnabled()) {
      authDebug.message(
          "AuthContextLocal::login() called "
              + "with IndexType : "
              + type
              + " & Indexname : "
              + indexName
              + " & locale : "
              + locale);
    }

    login(type, indexName, null, null, null, false, null, locale);
  }

  /**
   * Starts the login process for the given <code>AuthContextLocal</code> object identified by the
   * index type and index name. The <code>IndexType</code> defines the possible kinds of "objects"
   * or "resources" for which an authentication can be performed.Currently supported index types are
   * users, roles, services (or application), levels and mechanism. The pCookieMode indicates that a
   * persistent cookie exists for this request.
   *
   * @param type authentication index type.
   * @param indexName authentication index name.
   * @param pCookieMode <code>true</code> if persistent Cookie exists, <code>false</code> otherwise
   * @throws AuthLoginException if an error occurred during login process.
   */
  public void login(AuthContext.IndexType type, String indexName, boolean pCookieMode)
      throws AuthLoginException {
    if (authDebug.messageEnabled()) {
      authDebug.message(
          "AuthContextLocal::login() called "
              + "with IndexType : "
              + type
              + " & Indexname : "
              + indexName
              + " & pCookieMode : "
              + pCookieMode);
    }

    login(type, indexName, null, null, null, pCookieMode);
  }

  /**
   * Starts the login process for the given <code>AuthContextLocal</code> object identified by the
   * index type and index name. The <code>IndexType</code> defines the possible kinds of "objects"
   * or "resources" for which an authentication can be performed.Currently supported index types are
   * users, roles, services (or application), levels and mechanism. The pCookieMode indicates that a
   * persistent cookie exists for this request. The locale specifies the user preferred locale
   * setting.
   *
   * @param type authentication index type.
   * @param indexName authentication index name.
   * @param pCookieMode <code>true</code> if persistent Cookie exists, <code>false</code> otherwise
   * @param locale locale setting.
   * @throws AuthLoginException if an error occurred during login process.
   */
  public void login(
      AuthContext.IndexType type, String indexName, boolean pCookieMode, String locale)
      throws AuthLoginException {
    if (authDebug.messageEnabled()) {
      authDebug.message(
          "AuthContextLocal::login() called "
              + "with IndexType : "
              + type
              + " & Indexname : "
              + indexName
              + " & pCookieMode : "
              + pCookieMode
              + " & locale : "
              + locale);
    }
    login(type, indexName, null, null, null, pCookieMode, null, locale);
  }

  /**
   * Starts the login process for the given <code>AuthContextLocal</code> object identified by the
   * index type and index name. The <code>IndexType</code> defines the possible kinds of "objects"
   * or "resources" for which an authentication can be performed.Currently supported index types are
   * users, roles, services (or application), levels and mechanism. The pCookieMode indicates that a
   * persistent cookie exists for this request. The locale specifies the user preferred locale
   * setting.
   *
   * @param type authentication index type.
   * @param indexName authentication index name.
   * @param pCookieMode <code>true</code> if persistent Cookie exists, <code>false</code> otherwise
   * @param envMap Environment Map, key is String, value is set of string. this is applicable only
   *     when the type is <code>AuthContext.IndexType.RESOURCE</code>
   * @param locale locale setting.
   * @throws AuthLoginException if an error occurred during login process.
   */
  public void login(
      AuthContext.IndexType type, String indexName, boolean pCookieMode, Map envMap, String locale)
      throws AuthLoginException {
    if (authDebug.messageEnabled()) {
      authDebug.message(
          "AuthContextLocal::login() called "
              + "with IndexType : "
              + type
              + " & Indexname : "
              + indexName
              + " & pCookieMode : "
              + pCookieMode
              + " & locale : "
              + locale
              + " & envMap : "
              + envMap);
    }
    login(type, indexName, null, null, null, pCookieMode, envMap, locale);
  }

  /**
   * Performs the Login for the given AuthContext
   *
   * @param type authentication index type
   * @param indexName authentication index name
   * @param principal principal name of the user to be authenticated
   * @param password password for the user
   * @param subject authentication subject
   * @param pCookieMode <code>true</code>persistent Cookie exists, <code>false</code> otherwise
   * @throws AuthLoginException if error occurs during login
   */
  protected void login(
      AuthContext.IndexType type,
      String indexName,
      Principal principal,
      char[] password,
      Subject subject,
      boolean pCookieMode)
      throws AuthLoginException {
    login(type, indexName, principal, password, subject, pCookieMode, null, null);
  }

  /**
   * Performs the Login for the given AuthContext
   *
   * @param type authentication index type
   * @param indexName authentication index name
   * @param principal principal name of the user to be authenticated
   * @param password password for the user
   * @param subject authentication subject
   * @param pCookieMode <code>true</code>persistent Cookie exists, <code>false</code> otherwise
   * @param envMap Environment map, this is applicable only when the type is <code>
   *     AuthContext.IndexType.RESOURCE</code>
   * @param locale locale setting
   * @throws AuthLoginException if error occurs during login
   */
  protected void login(
      AuthContext.IndexType type,
      String indexName,
      Principal principal,
      char[] password,
      Subject subject,
      boolean pCookieMode,
      Map envMap,
      String locale)
      throws AuthLoginException {
    try {
      /*if (!getStatus().equals(AuthContext.Status.NOT_STARTED)) {
          if (authDebug.messageEnabled()) {
              authDebug.message("AuthContextLocal::login called " +
              "when the current login status is : " + getStatus());
          }
          throw new AuthLoginException(amAuthContextLocal,
              "invalidMethod", new Object[]{getStatus()});
      }*/

      // switch the login status
      loginStatus = AuthContext.Status.IN_PROGRESS;

      String redirectUrl = null;
      // specially processing for resouce/IP/Environement based auth
      if ((type != null) && type.equals(AuthContext.IndexType.RESOURCE)) {
        // this is resouce/IP/Env based authentication
        // call Policy Decision Util to find out the actual auth type
        // required by policy
        List result = Collections.EMPTY_LIST;
        try {
          result = PolicyDecisionUtils.doResourceIPEnvAuth(indexName, organizationName, envMap);
        } catch (PolicyException pe) {
          // ignore, continue to default realm based authentication
          // may need to revisit this in the future
          authDebug.warning(
              "AuthContextLocal.login() policy error " + "indexName=" + indexName, pe);
          type = null;
          indexName = null;
        }
        if (authDebug.messageEnabled()) {
          authDebug.message("AuthContextLocal.login: policy decision=" + result);
        }
        if (result.size() == 2) {
          type = (AuthContext.IndexType) result.get(0);
          indexName = (String) result.get(1);
        } else if (result.size() == 1) {
          // this is the redirection case (Policy Redirection Advice)
          redirectUrl = (String) result.get(0);
          // append goto parameter for federation case
          Set tmp = (Set) envMap.get(ISAuthConstants.GOTO_PARAM);
          if ((tmp != null) && !tmp.isEmpty()) {
            String gotoParam = (String) tmp.iterator().next();
            if ((gotoParam != null) && (gotoParam.length() != 0)) {
              if ((redirectUrl != null) && (redirectUrl.indexOf("?") != -1)) {
                redirectUrl =
                    redirectUrl
                        + "&"
                        + ISAuthConstants.GOTO_PARAM
                        + "="
                        + URLEncDec.encode(gotoParam);
              } else {
                redirectUrl =
                    redirectUrl
                        + "?"
                        + ISAuthConstants.GOTO_PARAM
                        + "="
                        + URLEncDec.encode(gotoParam);
              }
            }
          }
          type = null;
          indexName = null;
        } else {
          // no policy decision, use default realm login
          type = null;
          indexName = null;
        }
      }
      HashMap loginParamsMap = new HashMap();

      loginParamsMap.put(INDEX_TYPE, type);
      loginParamsMap.put(INDEX_NAME, indexName);
      loginParamsMap.put(PRINCIPAL, principal);
      loginParamsMap.put(PASSWORD, password);
      loginParamsMap.put(SUBJECT, subject);
      loginParamsMap.put(PCOOKIE, Boolean.valueOf(pCookieMode));
      loginParamsMap.put(LOCALE, locale);
      if (redirectUrl != null) {
        loginParamsMap.put(REDIRECT_URL, redirectUrl);
      }

      if (authDebug.messageEnabled()) {
        authDebug.message("loginParamsMap : " + loginParamsMap.toString());
      }

      authDebug.message("calling AMLoginContext::exceuteLogin : "******"after AMLoginContext::exceuteLogin : "******"Status at the end of login() : " + loginStatus);
      }
    } catch (AuthLoginException e) {
      if (authDebug.messageEnabled()) {
        authDebug.message("Exception in ac.login : "******"AuthContextLocal::reset() called");
    loginStatus = AuthContext.Status.NOT_STARTED;
    informationRequired = null;
    loginException = null;
  }

  /**
   * Returns the set of Principals the user has been authenticated as. This should be invoked only
   * after successful authentication. If the authentication fails or the authentication is in
   * process, this will return <code>null</code>.
   *
   * @return The set of Principals the user has been authenticated as.
   * @supported.api
   */
  public Subject getSubject() {
    if (!loginStatus.equals(AuthContext.Status.SUCCESS)) {
      return (null);
    }
    if (subject == null) {
      subject = amlc.getSubject();
    }
    return (subject);
  }

  /**
   * Checks if the login process requires more information from the user to complete the
   * authentication.
   *
   * @return <code>true</code> if more credentials are required from the user.
   * @supported.api
   */
  public boolean hasMoreRequirements() {
    authDebug.message("AuthContextLocal::hasMoreRequirements()");

    if ((amlc.getStatus() == LoginStatus.AUTH_SUCCESS)
        || (amlc.getStatus() == LoginStatus.AUTH_FAILED)) {
      return false;
    } else {
      informationRequired = amlc.getRequiredInfo();
      return (informationRequired != null);
    }
  }

  /**
   * Checks if the login process requires more information from the user to complete the
   * authentication
   *
   * @param noFilter falg to indicate if there is a Filter
   * @return <code>true</code> if more credentials are required from the user.
   */
  public boolean hasMoreRequirements(boolean noFilter) {
    authDebug.message("AuthContextLocal::hasMoreRequirements()");

    if ((amlc.getStatus() == LoginStatus.AUTH_SUCCESS)
        || (amlc.getStatus() == LoginStatus.AUTH_FAILED)) {
      return false;
    } else {
      informationRequired = amlc.getRequiredInfo();
      return (getCallbacks(informationRequired, noFilter) != null);
    }
  }

  /**
   * Returns an array of <code>Callback</code> objects that must be populated by the user and
   * returned back. These objects are requested by the authentication plug-ins, and these are
   * usually displayed to the user. The user then provides the requested information for it to be
   * authenticated.
   *
   * @return an array of <code>Callback</code> objects requesting credentials from user.
   * @supported.api
   */
  public Callback[] getRequirements() {
    authDebug.message("AuthContextLocal::getRequirements()");

    if ((amlc.getStatus() == LoginStatus.AUTH_SUCCESS)
        || (amlc.getStatus() == LoginStatus.AUTH_FAILED)) {
      return null;
    } else {
      return (informationRequired);
    }
  }

  /**
   * Returns an array of <code>Callback</code> objects that must be populated by the user and
   * returned back. These objects are requested by the authentication plug-ins, and these are
   * usually displayed to the user. The user then provides the requested information for it to be
   * authenticated.
   *
   * @param noFilter flag to indicate if there is a Filter
   * @return an array of <code>Callback</code> objects requesting credentials from user.
   * @supported.api
   */
  public Callback[] getRequirements(boolean noFilter) {
    authDebug.message("AuthContextLocal::getRequirements()");

    if ((amlc.getStatus() == LoginStatus.AUTH_SUCCESS)
        || (amlc.getStatus() == LoginStatus.AUTH_FAILED)) {
      return null;
    } else {
      return (getCallbacks(informationRequired, noFilter));
    }
  }

  /**
   * Submit the populated <code>Callback</code> objects to the authentication plug-in modules.
   * Called after <code>getRequirements</code> method and obtaining user's response to these
   * requests.
   *
   * @param info array of <code>Callback</code> objects
   * @supported.api
   */
  public void submitRequirements(Callback[] info) {
    authDebug.message("AuthContextLocal::submitRequirements()");
    inSubmitRequirements = true;
    try {
      informationRequired = null;
      amlc.submitRequiredInfo(info);
      if (!amlc.isPureJAAS()) {
        amlc.runLogin();
      }
      if (amlc.getStatus() == LoginStatus.AUTH_SUCCESS) {
        loginStatus = AuthContext.Status.SUCCESS;
      } else if (amlc.getStatus() == LoginStatus.AUTH_FAILED) {
        loginStatus = AuthContext.Status.FAILED;
      }
      authDebug.message("AuthContextLocal::submitRequirements end");
      if (authDebug.messageEnabled()) {
        authDebug.message("Status at the end of submitRequirements() : " + loginStatus);
      }
    } finally {
      inSubmitRequirements = false;
    }
  }

  /**
   * Logs out the user and also invalidates the <code>SSOToken</code> associated with this <code>
   * AuthContextLocal</code>.
   *
   * @throws AuthLoginException if an error occurred during logout
   * @supported.api
   */
  public void logout() throws AuthLoginException {
    authDebug.message("AuthContextLocal::logout()");

    try {
      amlc.logout();
    } catch (Exception e) {
      if (authDebug.messageEnabled()) {
        authDebug.message("Exception in AMLoginContext::logout() " + e.getMessage());
      }
      throw new AuthLoginException(amAuthContextLocal, "logoutError", null, e);
    }

    authDebug.message("Called AMLoginContext::logout()");
    loginStatus = AuthContext.Status.COMPLETED;
  }

  /**
   * Returns login exception, if any, during the authentication process. Typically set when the
   * login fails.
   *
   * @return login exception.
   * @supported.api
   */
  public AuthLoginException getLoginException() {
    authDebug.message("AuthContextLocal::getLoginException()");
    return (loginException);
  }

  /**
   * Sets the login exception that represents errors during the authentication process.
   *
   * @param exception AuthLoginException to be set.
   */
  public void setLoginException(AuthLoginException exception) {
    loginException = exception;
  }

  /**
   * Returns the current status of the authentication process.
   *
   * @return the current status of the authentication process.
   * @supported.api
   */
  public AuthContext.Status getStatus() {
    authDebug.message("AuthContextLocal::getStatus()");
    if (amlc.getStatus() == LoginStatus.AUTH_SUCCESS) {
      loginStatus = AuthContext.Status.SUCCESS;
    } else if (amlc.getStatus() == LoginStatus.AUTH_FAILED) {
      loginStatus = AuthContext.Status.FAILED;
    } else if (amlc.getStatus() == LoginStatus.AUTH_RESET) {
      loginStatus = AuthContext.Status.RESET;
    } else if (amlc.getStatus() == LoginStatus.AUTH_ORG_MISMATCH) {
      loginStatus = AuthContext.Status.ORG_MISMATCH;
    } else if (amlc.getStatus() == LoginStatus.AUTH_IN_PROGRESS) {
      loginStatus = AuthContext.Status.IN_PROGRESS;
    } else if (amlc.getStatus() == LoginStatus.AUTH_COMPLETED) {
      loginStatus = AuthContext.Status.COMPLETED;
    }

    if (authDebug.messageEnabled()) {
      authDebug.message("AuthContextLocal:: Status : " + loginStatus);
    }

    return (loginStatus);
  }

  /**
   * Sets the login status. Used internally and not visible outside this package.
   *
   * @param status login status
   */
  protected void setLoginStatus(AuthContext.Status status) {
    authDebug.message("AuthContextLocal::setLoginStatus()");
    loginStatus = status;
  }

  /**
   * Returns the Single-Sign-On (SSO) Token for the authenticated user.Single-Sign-On token can be
   * used as the authenticated token.
   *
   * @return single-sign-on token
   * @supported.api
   */
  public SSOToken getSSOToken() {
    ssoToken = amlc.getSSOToken();
    return (ssoToken);
  }

  /**
   * Returns the Successful Login URL for the authenticated user.
   *
   * @return the Successful Login URL for the authenticated user.
   */
  public String getSuccessURL() {
    return amlc.getSuccessURL();
  }

  /**
   * Returns the Failure Login URL for the authenticating user.
   *
   * @return the Failure Login URL for the authenticating user.
   */
  public String getFailureURL() {
    return amlc.getFailureURL();
  }

  /**
   * Returns the the organization name that was set during the <code>AuthContextLocal</code>
   * constructor.
   *
   * @return Organization name.
   * @supported.api
   */
  public String getOrganizationName() {
    return (amlc.getOrganizationName());
  }

  /**
   * Terminates an ongoing <code>login</code> call that has not yet completed.
   *
   * @throws AuthLoginException if an error occurred during abort.
   * @supported.api
   */
  public void abort() throws AuthLoginException {
    authDebug.message("AuthContextLocal::abort()");

    try {
      amlc.abort();
    } catch (Exception e) {
      if (authDebug.messageEnabled()) {
        authDebug.message("Exception in AMLoginContext::abort() " + e.getMessage());
      }
      throw new AuthLoginException(amAuthContextLocal, "abortError", null, e);
    }

    loginStatus = AuthContext.Status.COMPLETED;
  }

  /**
   * Returns the error template.
   *
   * @return the error template.
   */
  public String getErrorTemplate() {
    return amlc.getErrorTemplate();
  }

  /**
   * Returns the error message.
   *
   * @return the error message.
   */
  public String getErrorMessage() {
    return amlc.getErrorMessage();
  }

  /**
   * Returns the error code.
   *
   * @return error code.
   */
  public String getErrorCode() {
    return amlc.getErrorCode();
  }

  /**
   * Returns the current 'authIdentifier' of the authentication process as String Session ID.
   *
   * @return <code>authIdentifier</code> of the authentication process
   */
  public String getAuthIdentifier() {
    return amlc.getAuthIdentifier();
  }

  /**
   * Returns the account lockout message. This can be either a dynamic message indicating the number
   * of tries left or the the account deactivated message.
   *
   * @return account lockout message.
   */
  public String getLockoutMsg() {

    String lockoutMsg = amlc.getLockoutMsg();

    if (authDebug.messageEnabled()) {
      authDebug.message("getLockoutMsg: lockoutMsg: " + lockoutMsg);
    }

    return lockoutMsg;
  }

  /**
   * Checks the account is locked out
   *
   * @return <code>true</code> if the account is locked, <code>false</code> otherwise
   */
  public boolean isLockedOut() {
    boolean isLockedOut = amlc.isLockedOut();
    if (authDebug.messageEnabled()) {
      authDebug.message("isLockedOut : " + isLockedOut);
    }

    return isLockedOut;
  }

  /**
   * Sets the client's host name , this method is used in case of remote authentication,to set the
   * client's hostname or IP address. This could be used by the policy component to restrict access
   * to resources.
   *
   * @param hostname Host name.
   */
  public void setClientHostName(String hostname) {
    hostName = hostname;
  }

  /**
   * Returns the clients host name
   *
   * @return hostname
   */
  protected String getClientHostName() {
    return (hostName);
  }

  public boolean submittedRequirements() {
    return inSubmitRequirements;
  }

  /**
   * Sets the <code>HttpSession</code> that will be used by the SSO component to store the session
   * information. In the absence of <code>HttpSession</code> the information is stored in <code>
   * HashMap</code> and will have issues with fail-over. With session fail-over turned on <code>
   * HttpSession</code> would be provide persistance storage mechanism for SSO.
   *
   * @param session HttpSession
   */
  public void setHttpSession(HttpSession session) {
    httpSession = session;
  }

  /**
   * Returns the <code>HTTPSession</code> associated with the current authentication context
   *
   * @return httpSession
   */
  protected HttpSession getHttpSession() {
    return (httpSession);
  }

  /**
   * Returns the array of <code>Callback</code> requirements objects
   *
   * @param recdCallbacks callbacks requirements
   * @param noFilter boolean to indicate if filter exists
   * @return an array of <code>Callback</code> objects
   */
  protected static Callback[] getCallbacks(Callback[] recdCallbacks, boolean noFilter) {
    if (recdCallbacks == null) {
      return (null);
    } else if (noFilter) {
      return recdCallbacks;
    } else {
      Callback[] answer = new Callback[0];
      ArrayList callbackList = new ArrayList();

      for (int i = 0; i < recdCallbacks.length; i++) {
        if (authDebug.messageEnabled()) {
          authDebug.message("In getCallbacks() callback : " + recdCallbacks[i]);
        }
        if (!(recdCallbacks[i] instanceof PagePropertiesCallback)) {
          callbackList.add(recdCallbacks[i]);
        }
      }
      return (Callback[]) callbackList.toArray(answer);
    }
  }

  /**
   * Sets the Login State
   *
   * @param state login state
   */
  public void setLoginState(LoginState state) {
    loginState = state;
  }

  /**
   * Returns the login state
   *
   * @return loginState
   */
  public LoginState getLoginState() {
    return loginState;
  }

  /**
   * Sets the Organization DN
   *
   * @param orgDN Organization DN
   */
  public void setOrgDN(String orgDN) {
    this.orgDN = orgDN;
  }

  /**
   * Returns the Organization DN
   *
   * @return the Organization DN
   */
  public String getOrgDN() {
    return orgDN;
  }

  /** Holds LDAP URL */
  public static final String LDAP_AUTH_URL = "ldap://";

  /** Holds ersistent cookie mode */
  public static final String PCOOKIE = "pCookieMode";
  /** Holds principal name to be authenticated */
  public static final String PRINCIPAL = "principal";
  /** Holds Password for the user */
  public static final String PASSWORD = "******";
  /** authentication subject */
  public static final String SUBJECT = "subject";
  /** authentication index type */
  public static final String INDEX_TYPE = "indexType";

  /** authentication index name */
  public static final String INDEX_NAME = "indexName";

  /** locale setting */
  public static final String LOCALE = "locale";

  /** Redirection URL */
  public static final String REDIRECT_URL = "redirectionURL";
}
Example #9
0
 public static String getString(String str) {
   if (namingBundle == null) {
     namingBundle = com.sun.identity.shared.locale.Locale.getInstallResourceBundle("amNaming");
   }
   return namingBundle.getString(str);
 }
  /**
   * Verifies signatures in entity descriptor represented by the <code>Document</code>.
   *
   * @param doc The document.
   * @throws SAML2MetaException if unable to verify the entity descriptor.
   */
  public static void verifySignature(Document doc) throws SAML2MetaException {
    NodeList sigElements = null;
    try {
      Element nscontext =
          org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
      sigElements = XPathAPI.selectNodeList(doc, "//ds:Signature", nscontext);
    } catch (Exception ex) {
      if (debug.messageEnabled()) {
        debug.message("SAML2MetaSecurityUtils.verifySignature:", ex);
        throw new SAML2MetaException(ex.getMessage());
      }
    }
    int numSigs = sigElements.getLength();
    if (debug.messageEnabled()) {
      debug.message("SAML2MetaSecurityUtils.verifySignature:" + " # of signatures = " + numSigs);
    }

    if (numSigs == 0) {
      return;
    }

    // If there are signatures then explicitly identify the ID Attribute, See comments section of
    // http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8017265
    doc.getDocumentElement().setIdAttribute(SAML2Constants.ID, true);

    initializeKeyStore();

    for (int i = 0; i < numSigs; i++) {
      Element sigElement = (Element) sigElements.item(i);
      String sigParentName = sigElement.getParentNode().getLocalName();
      Object[] objs = {sigParentName};
      if (debug.messageEnabled()) {
        debug.message(
            "SAML2MetaSecurityUtils.verifySignature: "
                + "verifying signature under "
                + sigParentName);
      }

      try {
        XMLSignature signature = new XMLSignature(sigElement, "");
        signature.addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
        KeyInfo ki = signature.getKeyInfo();

        X509Certificate x509cert = null;
        if (ki != null && ki.containsX509Data()) {
          if (keyStore != null) {
            StorageResolver sr = new StorageResolver(new KeyStoreResolver(keyStore));
            ki.addStorageResolver(sr);
          }
          x509cert = ki.getX509Certificate();
        }

        if (x509cert == null) {
          if (debug.messageEnabled()) {
            debug.message(
                "SAML2MetaSecurityUtils.verifySignature:" + " try to find cert in KeyDescriptor");
          }
          String xpath =
              "following-sibling::*[local-name()=\""
                  + TAG_KEY_DESCRIPTOR
                  + "\" and namespace-uri()=\""
                  + NS_META
                  + "\"]";
          Node node = XPathAPI.selectSingleNode(sigElement, xpath);

          if (node != null) {
            Element kd = (Element) node;
            String use = kd.getAttributeNS(null, ATTR_USE);
            if ((use.length() == 0) || use.equals("signing")) {
              NodeList nl = kd.getChildNodes();
              for (int j = 0; j < nl.getLength(); j++) {
                Node child = nl.item(j);
                if (child.getNodeType() == Node.ELEMENT_NODE) {
                  String localName = child.getLocalName();
                  String ns = child.getNamespaceURI();
                  if (TAG_KEY_INFO.equals(localName) && NS_XMLSIG.equals(ns)) {

                    ki = new KeyInfo((Element) child, "");
                    if (ki.containsX509Data()) {
                      if (keyStore != null) {
                        KeyStoreResolver ksr = new KeyStoreResolver(keyStore);
                        StorageResolver sr = new StorageResolver(ksr);
                        ki.addStorageResolver(sr);
                      }

                      x509cert = ki.getX509Certificate();
                    }
                  }
                  break;
                }
              }
            }
          }
        }

        if (x509cert == null) {
          throw new SAML2MetaException("verify_no_cert", objs);
        }

        if (checkCert
            && ((keyProvider == null) || (keyProvider.getCertificateAlias(x509cert) == null))) {
          throw new SAML2MetaException("untrusted_cert", objs);
        }

        PublicKey pk = x509cert.getPublicKey();

        if (!signature.checkSignatureValue(pk)) {
          throw new SAML2MetaException("verify_fail", objs);
        }
      } catch (SAML2MetaException sme) {
        throw sme;
      } catch (Exception ex) {
        debug.error("SAML2MetaSecurityUtils.verifySignature: ", ex);
        throw new SAML2MetaException(
            Locale.getString(SAML2MetaUtils.resourceBundle, "verify_fail", objs)
                + "\n"
                + ex.getMessage());
      }
    }
  }
Example #11
0
  static {
    bundle = Locale.getInstallResourceBundle("libSOAPBinding");
    faultStringServerError = bundle.getString("ServerError");
    debug = Debug.getInstance("libIDWSF");

    try {
      messageFactory = MessageFactory.newInstance();
    } catch (Exception ex) {
      debug.error("Utils.static: Unable to create SOAP Message Factory", ex);
    }

    String tmpNSPre = SystemPropertiesManager.get(NAMESPACE_PREFIX_MAPPING_LIST_PROP);
    if (tmpNSPre != null && tmpNSPre.length() > 0) {
      StringTokenizer stz = new StringTokenizer(tmpNSPre, "|");
      while (stz.hasMoreTokens()) {
        String token = stz.nextToken().trim();
        int index = token.indexOf('=');
        if (index != -1 && index != 0 && index != token.length() - 1) {
          String prefix = token.substring(0, index);
          String ns = token.substring(index + 1);
          if (debug.messageEnabled()) {
            debug.message("Utils.static: add ns = " + ns + ", prefix = " + prefix);
          }
          nsPrefix.put(ns, prefix);
        } else {
          if (debug.warningEnabled()) {
            debug.warning(
                "Utils.static: Invalid syntax " + "for Namespace Prefix Mapping List: " + token);
          }
        }
      }
    }

    String tmpJaxbPkgs = SystemPropertiesManager.get(JAXB_PACKAGE_LIST_PROP);
    if (tmpJaxbPkgs != null && tmpJaxbPkgs.length() > 0) {
      jaxbPackages = DEFAULT_JAXB_PACKAGES + ":" + tmpJaxbPkgs;
    } else {
      jaxbPackages = DEFAULT_JAXB_PACKAGES;
    }
    if (debug.messageEnabled()) {
      debug.message("Utils.static: jaxbPackages = " + jaxbPackages);
    }

    try {
      jc = JAXBContext.newInstance(jaxbPackages);
    } catch (JAXBException jaxbe) {
      Utils.debug.error("Utils.static:", jaxbe);
    }

    String tmpstr = SystemPropertiesManager.get(STALE_TIME_LIMIT_PROP);
    if (tmpstr != null) {
      try {
        stale_time_limit = Integer.parseInt(tmpstr);
      } catch (Exception ex) {
        if (debug.warningEnabled()) {
          debug.warning(
              "Utils.static: Unable to get stale time " + "limit. Default value will be used");
        }
      }
    }

    tmpstr = SystemPropertiesManager.get(SUPPORTED_ACTORS_PROP);
    if (tmpstr != null) {
      StringTokenizer stz = new StringTokenizer(tmpstr, "|");
      while (stz.hasMoreTokens()) {
        String token = stz.nextToken();
        if (token.length() > 0) {
          supportedActors.add(token);
        }
      }
    }
    tmpstr = SystemPropertiesManager.get(MESSAGE_ID_CACHE_CLEANUP_INTERVAL_PROP);
    if (tmpstr != null) {
      try {
        message_ID_cleanup_interval = Integer.parseInt(tmpstr);
      } catch (Exception ex) {
        if (debug.warningEnabled()) {
          debug.warning(
              "Utils.CleanUpThread.static: Unable to"
                  + " get stale time limit. Default value "
                  + "will be used");
        }
      }
    }
    messageIDMap = new PeriodicCleanUpMap(message_ID_cleanup_interval, stale_time_limit);
    SystemTimerPool.getTimerPool()
        .schedule(
            (TaskRunnable) messageIDMap,
            new Date(((System.currentTimeMillis() + message_ID_cleanup_interval) / 1000) * 1000));
  }
Example #12
0
  /*
   * Process the XMLRequest
   */
  private AuthXMLResponse processAuthXMLRequest(
      String xml,
      AuthXMLRequest authXMLRequest,
      HttpServletRequest servletRequest,
      HttpServletResponse servletResponse) {
    if (messageEnabled) {
      debug.message("authXMLRequest is : " + authXMLRequest);
    }
    int requestType = authXMLRequest.getRequestType();
    String sessionID = authXMLRequest.getAuthIdentifier();
    String orgName = authXMLRequest.getOrgName();
    AuthContextLocal authContext = authXMLRequest.getAuthContext();
    LoginState loginState = AuthUtils.getLoginState(authContext);
    String params = authXMLRequest.getParams();
    List envList = authXMLRequest.getEnvironment();
    Map envMap = toEnvMap(envList);
    AuthXMLResponse authResponse = new AuthXMLResponse(requestType);
    authResponse.setAuthContext(authContext);
    authResponse.setAuthIdentifier(sessionID);
    if (messageEnabled) {
      debug.message("authContext is : " + authContext);
      debug.message("requestType : " + requestType);
    }
    if (authXMLRequest.getValidSessionNoUpgrade()) {
      authResponse.setAuthXMLRequest(authXMLRequest);
      authResponse.setValidSessionNoUpgrade(true);
      return authResponse;
    }
    String securityEnabled = null;
    try {
      securityEnabled = AuthUtils.getRemoteSecurityEnabled();
    } catch (AuthException auExp) {
      debug.error("Got Exception", auExp);
      setErrorCode(authResponse, auExp);
      return authResponse;
    }
    if (debug.messageEnabled()) {
      debug.message("Security Enabled = " + securityEnabled);
    }

    if (requestType != 0) {
      if ((securityEnabled != null) && (securityEnabled.equals("true"))) {
        security = true;
        String indexNameLoc = authXMLRequest.getIndexName();
        AuthContext.IndexType indexTypeLoc = authXMLRequest.getIndexType();
        if (indexTypeLoc == null) {
          indexTypeLoc = AuthUtils.getIndexType(authContext);
          indexNameLoc = AuthUtils.getIndexName(authContext);
        }
        if (debug.messageEnabled()) {
          debug.message("Index Name Local : " + indexNameLoc);
          debug.message("Index Type Local : " + indexTypeLoc);
        }
        if (((indexTypeLoc == null) || (indexNameLoc == null))
            || !((indexTypeLoc == AuthContext.IndexType.MODULE_INSTANCE)
                && indexNameLoc.equals("Application"))) {
          try {
            String ssoTokenID = authXMLRequest.getAppSSOTokenID();

            if (debug.messageEnabled()) {
              debug.message("Session ID = : " + ssoTokenID);
            }

            SSOTokenManager manager = SSOTokenManager.getInstance();
            SSOToken appSSOToken = manager.createSSOToken(ssoTokenID);

            // if the token isn't valid, let the client know so they
            // retry
            if (!manager.isValidToken(appSSOToken)) {
              if (debug.messageEnabled()) {
                debug.message("App SSOToken is not valid");
              }

              setErrorCode(
                  authResponse,
                  new AuthException(AMAuthErrorCode.REMOTE_AUTH_INVALID_SSO_TOKEN, null));
              return authResponse;
            } else {
              debug.message("App SSOToken is VALID");
            }
          } catch (SSOException ssoe) {
            // token is unknown to OpenAM, let the client know so they
            // can retry
            if (debug.messageEnabled()) {
              debug.message("App SSOToken is not valid: " + ssoe.getMessage());
            }

            setErrorCode(
                authResponse,
                new AuthException(AMAuthErrorCode.REMOTE_AUTH_INVALID_SSO_TOKEN, null));
            return authResponse;
          } catch (Exception exp) {
            debug.error("Got Exception", exp);
            setErrorCode(authResponse, exp);
            return authResponse;
          }
        }
      }
    } else {
      security = false;
    }

    // if index type is level and choice callback has a
    // selected choice then start module based authentication.
    if ((AuthUtils.getIndexType(authContext) == AuthContext.IndexType.LEVEL)
        || (AuthUtils.getIndexType(authContext) == AuthContext.IndexType.COMPOSITE_ADVICE)) {
      Callback[] callbacks = authXMLRequest.getSubmittedCallbacks();
      if (messageEnabled) {
        debug.message("Callbacks are  : " + callbacks);
      }
      if (callbacks != null) {
        if (messageEnabled) {
          debug.message("Callback length is : " + callbacks.length);
        }

        if (callbacks[0] instanceof ChoiceCallback) {
          ChoiceCallback cc = (ChoiceCallback) callbacks[0];
          int[] selectedIndexes = cc.getSelectedIndexes();
          int selected = selectedIndexes[0];
          String[] choices = cc.getChoices();
          String indexName = choices[selected];
          if (messageEnabled) {
            debug.message("Selected Index is : " + indexName);
          }
          authXMLRequest.setIndexType("moduleInstance");
          authXMLRequest.setIndexName(indexName);
          authXMLRequest.setRequestType(AuthXMLRequest.LoginIndex);
          requestType = AuthXMLRequest.LoginIndex;
        }
      }
    }

    AuthContext.Status loginStatus = AuthContext.Status.IN_PROGRESS;
    HttpServletRequest clientRequest = authXMLRequest.getClientRequest();
    if (loginState != null) {
      loginState.setHttpServletRequest(clientRequest);
      loginState.setHttpServletResponse(authXMLRequest.getClientResponse());
      if (clientRequest != null) {
        loginState.setParamHash(AuthUtils.parseRequestParameters(clientRequest));
      }
    }
    switch (requestType) {
      case AuthXMLRequest.NewAuthContext:
        try {
          processNewRequest(servletRequest, servletResponse, authResponse, loginState, authContext);
          postProcess(loginState, authResponse);
        } catch (Exception ex) {
          debug.error("Error in NewAuthContext ", ex);
          setErrorCode(authResponse, ex);
        }
        break;
      case AuthXMLRequest.Login:
        try {
          if (sessionID != null && sessionID.equals("0")) {
            processNewRequest(
                servletRequest, servletResponse, authResponse, loginState, authContext);
          }
          String clientHost = null;
          if (security) {
            clientHost = authXMLRequest.getHostName();
            if (messageEnabled) {
              debug.message("Client Host from Request = " + clientHost);
            }
          }
          if ((clientHost == null) && (servletRequest != null)) {
            clientHost = ClientUtils.getClientIPAddress(servletRequest);
          }
          loginState.setClient(clientHost);
          authContext.login();
          // setServletRequest(servletRequest,authContext);
          processRequirements(xml, authContext, authResponse, params, servletRequest);
          loginStatus = authContext.getStatus();
          authResponse.setRemoteRequest(loginState.getHttpServletRequest());
          authResponse.setRemoteResponse(loginState.getHttpServletResponse());

          postProcess(loginState, authResponse);
          checkACException(authResponse, authContext);
        } catch (Exception ex) {
          debug.error("Error during login ", ex);
          setErrorCode(authResponse, ex);
          authResponse.setLoginStatus(authContext.getStatus());
        }
        break;
      case AuthXMLRequest.LoginIndex:
        try {
          AuthContext.IndexType indexType = authXMLRequest.getIndexType();
          String indexName = authXMLRequest.getIndexName();
          if (messageEnabled) {
            debug.message("indexName is : " + indexName);
            debug.message("indexType is : " + indexType);
          }
          if (sessionID != null && sessionID.equals("0")) {
            processNewRequest(
                servletRequest, servletResponse, authResponse, loginState, authContext);
          }
          String clientHost = null;
          if (security) {
            clientHost = authXMLRequest.getHostName();
            if (messageEnabled) {
              debug.message("Client Host from Request = " + clientHost);
            }
          }
          if ((clientHost == null) && (servletRequest != null)) {
            clientHost = ClientUtils.getClientIPAddress(servletRequest);
          }
          loginState.setClient(clientHost);
          String locale = authXMLRequest.getLocale();
          if (locale != null && locale.length() > 0) {
            if (debug.messageEnabled()) {
              debug.message("locale is : " + locale);
            }
            authContext.login(indexType, indexName, envMap, locale);
          } else {
            authContext.login(indexType, indexName, envMap, null);
          }
          // setServletRequest(servletRequest,authContext);
          processRequirements(xml, authContext, authResponse, params, servletRequest);
          loginStatus = authContext.getStatus();
          authResponse.setRemoteRequest(loginState.getHttpServletRequest());
          authResponse.setRemoteResponse(loginState.getHttpServletResponse());
          postProcess(loginState, authResponse);
          checkACException(authResponse, authContext);
        } catch (Exception ex) {
          debug.error("Exception during LoginIndex", ex);
          setErrorCode(authResponse, ex);
        }
        break;
      case AuthXMLRequest.LoginSubject:
        try {
          Subject subject = authXMLRequest.getSubject();
          authContext.login(subject);
          // setServletRequest(servletRequest,authContext);
          processRequirements(xml, authContext, authResponse, params, servletRequest);
          postProcess(loginState, authResponse);
          loginStatus = authContext.getStatus();
          checkACException(authResponse, authContext);
        } catch (AuthLoginException ale) {
          debug.error("Exception during LoginSubject", ale);
          setErrorCode(authResponse, ale);
        }
        break;
      case AuthXMLRequest.SubmitRequirements:
        try {
          // setServletRequest(servletRequest,authContext);
          Callback[] submittedCallbacks = authXMLRequest.getSubmittedCallbacks();
          authContext.submitRequirements(submittedCallbacks);
          Callback[] reqdCallbacks = null;
          if (authContext.hasMoreRequirements()) {
            reqdCallbacks = authContext.getRequirements();
            authResponse.setReqdCallbacks(reqdCallbacks);
          }
          authResponse.setRemoteRequest(loginState.getHttpServletRequest());
          authResponse.setRemoteResponse(loginState.getHttpServletResponse());
          postProcess(loginState, authResponse);
          loginStatus = authContext.getStatus();
          authResponse.setLoginStatus(loginStatus);
          InternalSession oldSession = loginState.getOldSession();
          authResponse.setOldSession(oldSession);
          checkACException(authResponse, authContext);
        } catch (Exception ex) {
          debug.error("Error during submit requirements ", ex);
          setErrorCode(authResponse, ex);
        }
        break;
      case AuthXMLRequest.QueryInformation:
        try {
          if (sessionID != null && sessionID.equals("0")) {
            processNewRequest(
                servletRequest, servletResponse, authResponse, loginState, authContext);
          }
          Set moduleNames = authContext.getModuleInstanceNames();
          authResponse.setModuleNames(moduleNames);
          authResponse.setAuthContext(authContext);
          postProcess(loginState, authResponse);
          checkACException(authResponse, authContext);
        } catch (Exception ex) {
          debug.error("Error during Query Information", ex);
          setErrorCode(authResponse, ex);
        }
        break;
      case AuthXMLRequest.Logout:
        // Object loginContext = null;
        // InternalSession intSess = null;
        // SSOToken token = null;
        // boolean logoutCalled = false;
        if (sessionID != null && !sessionID.equals("0")) {
          /*intSess = AuthD.getSession(sessionID);
                 try {
                     token = SSOTokenManager.getInstance().
                         createSSOToken(sessionID);
                     if (debug.messageEnabled()) {
                         debug.message("AuthXMLHandler."
                             + "processAuthXMLRequest: Created token "
                             + "during logout = "+token);
                     }
          } catch (com.iplanet.sso.SSOException ssoExp) {
                    if (debug.messageEnabled()) {
          debug.message("AuthXMLHandler.processAuthXMLRequest:"
                        + "SSOException checking validity of SSO Token");
                    }
          }*/
          try {
            AuthUtils.logout(sessionID, servletRequest, servletResponse);
          } catch (com.iplanet.sso.SSOException ssoExp) {
            if (debug.messageEnabled()) {
              debug.message(
                  "AuthXMLHandler.processAuthXMLRequest:"
                      + "SSOException checking validity of SSO Token");
            }
          }
        }

        /*if (intSess != null) {
                   loginContext = intSess.getObject(ISAuthConstants.
                       LOGIN_CONTEXT);
               }
               try {
                   if (loginContext != null) {
                       if (loginContext instanceof
                           javax.security.auth.login.LoginContext) {
                           javax.security.auth.login.LoginContext lc =
                               (javax.security.auth.login.LoginContext)
                                loginContext;
                           lc.logout();
                       } else {
                           com.sun.identity.authentication.jaas.LoginContext
                               jlc = (com.sun.identity.authentication.jaas.
                               LoginContext) loginContext;
                           jlc.logout();
                       }
                       logoutCalled = true;
                   }
               } catch (javax.security.auth.login.LoginException loginExp) {
                   debug.error("AuthXMLHandler.processAuthXMLRequest: "
                       + "Cannot Execute module Logout", loginExp);
               }
               Set postAuthSet = null;
               if (intSess != null) {
                   postAuthSet = (Set) intSess.getObject(ISAuthConstants.
                       POSTPROCESS_INSTANCE_SET);
               }
               if ((postAuthSet != null) && !(postAuthSet.isEmpty())) {
                   AMPostAuthProcessInterface postLoginInstance=null;
                   for(Iterator iter = postAuthSet.iterator();
                   iter.hasNext();) {
                       try {
                    postLoginInstance =
                  (AMPostAuthProcessInterface) iter.next();
                            postLoginInstance.onLogout(servletRequest,
                                servletResponse, token);
                       } catch (Exception exp) {
                          debug.error("AuthXMLHandler.processAuthXMLRequest: "
                              + "Failed in post logout.", exp);
                       }
            }
               } else {
                   String plis = null;
                   if (intSess != null) {
                       plis = intSess.getProperty(
                           ISAuthConstants.POST_AUTH_PROCESS_INSTANCE);
                   }
                   if (plis != null && plis.length() > 0) {
                       StringTokenizer st = new StringTokenizer(plis, "|");
                       if (token != null) {
                           while (st.hasMoreTokens()) {
                               String pli = (String)st.nextToken();
                               try {
                                   AMPostAuthProcessInterface postProcess =
                                           (AMPostAuthProcessInterface)
                                           Thread.currentThread().
                                           getContextClassLoader().
                                           loadClass(pli).newInstance();
                                   postProcess.onLogout(servletRequest,
                                       servletResponse, token);
                               } catch (Exception e) {
                                   debug.error("AuthXMLHandler."
                                       + "processAuthXMLRequest:" + pli, e);
                               }
                           }
                       }
                   }
               }
               try {
                   boolean isTokenValid = SSOTokenManager.getInstance().
                       isValidToken(token);
                   if ((token != null) && isTokenValid) {
                       AuthD.getAuth().logLogout(token);
                       Session session = Session.getSession(
                           new SessionID(sessionID));
                       session.logout();
                       debug.message("logout successful.");
                   }
        } catch (com.iplanet.dpro.session.SessionException
                   sessExp) {
                   if (debug.messageEnabled()) {
                       debug.message("AuthXMLHandler."
                           + "processAuthXMLRequest: SessionException"
                           + " checking validity of SSO Token");
                   }
        } catch (com.iplanet.sso.SSOException ssoExp) {
                   if (debug.messageEnabled()) {
                       debug.message("AuthXMLHandler."
                           + "processAuthXMLRequest: SSOException "
                           + "checking validity of SSO Token");
                   }
               }*/
        authResponse.setLoginStatus(AuthContext.Status.COMPLETED);
        break;
      case AuthXMLRequest.Abort:
        try {
          authContext.abort();
          loginStatus = authContext.getStatus();
          authResponse.setLoginStatus(loginStatus);
          checkACException(authResponse, authContext);
        } catch (AuthLoginException ale) {
          debug.error("Error aborting ", ale);
          setErrorCode(authResponse, ale);
        }
        break;
    }

    if (messageEnabled) {
      debug.message("loginStatus: " + loginStatus);

      if (authContext != null) {
        debug.message("error Code: " + authContext.getErrorCode());
        debug.message("error Template: " + authContext.getErrorTemplate());
      }
    }

    if (loginStatus == AuthContext.Status.FAILED) {
      if ((authContext.getErrorMessage() != null)
          && (authContext
              .getErrorMessage()
              .equals(
                  AMResourceBundleCache.getInstance()
                      .getResBundle(
                          "amAuthLDAP",
                          com.sun.identity.shared.locale.Locale.getLocale(loginState.getLocale()))
                      .getString(ISAuthConstants.EXCEED_RETRY_LIMIT)))) {
        loginState.setErrorCode(AMAuthErrorCode.AUTH_LOGIN_FAILED);
      }
      if ((authContext.getErrorCode() != null) && ((authContext.getErrorCode()).length() > 0)) {
        authResponse.setErrorCode(authContext.getErrorCode());
      }
      checkACException(authResponse, authContext);
      if ((authContext.getErrorTemplate() != null)
          && ((authContext.getErrorTemplate()).length() > 0)) {
        authResponse.setErrorTemplate(authContext.getErrorTemplate());
      }
      // Account Lockout Warning Check
      if ((authContext.getErrorCode() != null)
          && (authContext.getErrorCode().equals(AMAuthErrorCode.AUTH_INVALID_PASSWORD))) {
        String lockWarning = authContext.getLockoutMsg();
        if ((lockWarning != null) && (lockWarning.length() > 0)) {
          authResponse.setErrorMessage(lockWarning);
        }
      }
    }

    return authResponse;
  }