/** {@inheritDoc} */
public Map<String, ResponseTypeHandler> getAllowedResponseTypes()
throws UnsupportedResponseTypeException, ServerException {
try {
Set<String> responseTypeSet = getSetting(realm, OAuth2ProviderService.RESPONSE_TYPE_LIST);
if (responseTypeSet == null || responseTypeSet.isEmpty()) {
return Collections.emptyMap();
}
Map<String, ResponseTypeHandler> responseTypes = new HashMap<String, ResponseTypeHandler>();
for (String responseType : responseTypeSet) {
String[] parts = responseType.split("\\|");
if (parts.length != 2) {
logger.error("Response type wrong format for realm: " + realm);
continue;
}
responseTypes.put(parts[0], wrap(parts[0], parts[1]));
}
return responseTypes;
} catch (SMSException e) {
logger.error(e.getMessage());
throw new ServerException(e);
} catch (SSOException e) {
logger.error(e.getMessage());
throw new ServerException(e);
}
}
/** {@inheritDoc} */
public AuthorizationCode readAuthorizationCode(OAuth2Request request, String code)
throws InvalidGrantException, ServerException, NotFoundException {
if (logger.messageEnabled()) {
logger.message("Reading Authorization code: " + code);
}
final JsonValue token;
// Read from CTS
try {
token = tokenStore.read(code);
} catch (CoreTokenException e) {
logger.error("Unable to read authorization code corresponding to id: " + code, e);
throw new ServerException("Could not read token from CTS: " + e.getMessage());
}
if (token == null) {
logger.error("Unable to read authorization code corresponding to id: " + code);
throw new InvalidGrantException("The provided access grant is invalid, expired, or revoked.");
}
OpenAMAuthorizationCode authorizationCode = new OpenAMAuthorizationCode(token);
validateTokenRealm(authorizationCode.getRealm(), request);
request.setToken(AuthorizationCode.class, authorizationCode);
return authorizationCode;
}
/** {@inheritDoc} */
public AccessToken readAccessToken(OAuth2Request request, String tokenId)
throws ServerException, InvalidGrantException, NotFoundException {
logger.message("Reading access token");
JsonValue token;
// Read from CTS
try {
token = tokenStore.read(tokenId);
} catch (CoreTokenException e) {
logger.error("Unable to read access token corresponding to id: " + tokenId, e);
throw new ServerException("Could not read token in CTS: " + e.getMessage());
}
if (token == null) {
logger.error("Unable to read access token corresponding to id: " + tokenId);
throw new InvalidGrantException("Could not read token in CTS");
}
OpenAMAccessToken accessToken = new OpenAMAccessToken(token);
validateTokenRealm(accessToken.getRealm(), request);
request.setToken(AccessToken.class, accessToken);
return accessToken;
}
/**
* Method which creates a DC Tree for the given org, if the <code>sunPreferredDomain</code>
* attribute is present and has a fully qualified domain name as value.
*
* @param token SSOToken
* @param orgGuid identifiication of Organization entry to be mapped from dctree to organization
* DIT organization
* @param domainName set the domain this organization belongs to.
* @param attrSet the AttrSet of the organization
* @exception AMException if unsuccessful in creating a dc tree for the organization or
* unsuccessful in setting the mapping between dc tree and the organization
*/
protected void createDomain(SSOToken token, Guid orgGuid, String domainName, AttrSet attrSet)
throws AMException {
if (DCTREE_START_DN == null) {
throw new AMException(AMSDKBundle.getString("355"), "355");
}
// Create a DC tree for specified domain.
if ((domainName != null) && (domainName != "")) {
try {
DomainComponentTree dcTree = new DomainComponentTree(token, new Guid(DCTREE_START_DN));
dcTree.addDomain(domainName);
// Set the domain mapping
dcTree.setDomainMapping(domainName, orgGuid);
String status = attrSet.getValue(INET_DOMAIN_STATUS_ATTR);
if (status != null) {
dcTree.setDomainStatus(domainName, status);
}
} catch (InvalidDCRootException ie) {
debug.error("DCTree.createDomain(): ", ie);
throw new AMException(AMSDKBundle.getString("343"), "343");
} catch (UMSException ue) {
debug.error("DCTree.createDomain(): ", ue);
throw new AMException(AMSDKBundle.getString("344"), "344");
}
}
}
protected AttrSet getDomainAttributes(SSOToken token, String orgDN, String[] attrNames)
throws AMException, SSOException {
String domainName = null;
try {
AttrSet domAttrSet;
domainName = getCanonicalDomain(token, orgDN);
if (domainName == null) {
debug.error("DCTree.getDomainAttributes-> " + "Domain not found for: " + orgDN);
return null;
}
DomainComponentTree dcTree = new DomainComponentTree(token, new Guid(DCTREE_START_DN));
DomainComponent dcNode = dcTree.getDomainComponent(domainName);
if (attrNames != null) {
domAttrSet = dcNode.getAttributes(attrNames);
} else {
domAttrSet = dcNode.getAttributes(dcNode.getAttributeNames());
}
AttrSet[] attrArray = splitAttrSet(null, domAttrSet);
return attrArray[1];
} catch (UMSException umse) {
debug.error(
"DCTree.getDomainAttributes: " + " error getting attributes for domain " + domainName);
}
return null;
}
static void initialize(SSOToken token) throws SMSException, SSOException {
// Validate SSOToken
SMSEntry.validateToken(token);
// Check if already initialized
if (initialized) return;
// Initilaize the parameters
try {
// Get the service names and cache it
serviceNames = CachedSubEntries.getInstance(token, serviceDN);
if (serviceNames.getSMSEntry().isNewEntry()) {
if (debug.warningEnabled()) {
debug.warning("SeviceManager:: Root service node " + "does not exists: " + serviceDN);
}
String[] msgs = new String[1];
msgs[0] = serviceDN;
throw (new SMSException(
IUMSConstants.UMS_BUNDLE_NAME, IUMSConstants.SMS_services_node_does_not_exist, msgs));
}
} catch (SMSException e) {
debug.error("ServiceManager::unable to get " + "services node: " + serviceDN, e);
throw (e);
}
// Check if realm is enabled and set appropriate flags
checkFlags(token);
initialized = true;
}
/**
* Verify the signature in <code>Response</code>.
*
* @param pepEntityID entity identifier of PEP.
* @param pdpEntityID entity identifier of PDP.
* @param response <code>Response</code> to be verified
* @return true if signature is valid.
* @throws <code>SAML2Exception</code> if error in verifying the signature.
*/
public static boolean verifySignedResponse(
String pepEntityID, String pdpEntityID, Response response) throws SAML2Exception {
String classMethod = "QueryClient:verifySignedResponse: ";
String realm = "/";
XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);
String wantResponseSigned =
getAttributeValueFromPEPConfig(pepConfig, "wantXACMLAuthzDecisionResponseSigned");
boolean valid = false;
if (wantResponseSigned != null && wantResponseSigned.equalsIgnoreCase("true")) {
XACMLPDPDescriptorElement pdpDescriptor =
saml2MetaManager.getPolicyDecisionPointDescriptor(null, pdpEntityID);
X509Certificate signingCert = KeyUtil.getPDPVerificationCert(pdpDescriptor, pdpEntityID);
if (signingCert != null) {
valid = response.isSignatureValid(signingCert);
if (debug.messageEnabled()) {
debug.message(classMethod + "Signature is valid :" + valid);
}
} else {
debug.error(classMethod + "Incorrect configuration for Signing Certificate.");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
}
} else {
if (debug.messageEnabled()) {
debug.message(classMethod + "Response doesn't need to be verified.");
}
valid = true;
}
return valid;
}
/**
* Returns the SSOToken of the user. If user has not authenticated re-directs the user to login
* page
*/
private SSOToken getSSOToken(HttpServletRequest request, HttpServletResponse response)
throws IOException {
SSOToken token = null;
try {
/* SSOTokenManager.createSSOToken() throws an SSOException if the
* token is not valid, so for a invalid token manager.isValidToken()
* will never get executed for an invalid token.
*/
if (((token = tokenManager.createSSOToken(request)) == null)
|| !tokenManager.isValidToken(token)) {
if (debug.messageEnabled()) {
debug.message(
"CDCClientServlet.getSSOToken:SSOToken is "
+ "either null or not valid: "
+ token
+ "\nRedirecting for authentication");
}
token = null;
}
} catch (com.iplanet.sso.SSOException e) {
if (debug.messageEnabled()) {
debug.message("CDCClientServlet.getSSOToken:SSOException " + "caught= " + e);
}
token = null;
}
return (token);
}
/**
* This method parses out the local_attribute=source_attributes as they are encapsulated in the
* authN module configurations into a more usable, Map<String, String> format.
*
* @param configuredMappings The set of local=source mappings.
* @return The derived Map instance.
*/
public static Map<String, String> parseMappings(Set<String> configuredMappings) {
Map<String, String> parsedMappings = new HashMap<String, String>();
for (String mapping : configuredMappings) {
if (mapping.indexOf(EQUALS) == -1) {
continue;
}
StringTokenizer tokenizer = new StringTokenizer(mapping, EQUALS);
final String key = tokenizer.nextToken();
final String value = tokenizer.nextToken();
/*
The ldap_attr=spource_attr mapping is user-generated, so I want to warn about duplicate entries. In a
HashMap, repeated insertion of the same key will over-write previous entries, but I want to warn about
duplicate entries, and will persist the first entry.
*/
if (!parsedMappings.containsKey(key)) {
parsedMappings.put(key, value);
} else {
if (debug.warningEnabled()) {
debug.warning(
"In MappingUtils.parseMappings, the user-entered attribute mappings contain "
+ "duplicate entries. The first entry will be preserved: "
+ configuredMappings);
}
}
}
if (parsedMappings.isEmpty()) {
throw new IllegalArgumentException(
"The mapping Set does not contain any mappings in format "
+ "local_attribute=source_attribute.");
}
return Collections.unmodifiableMap(parsedMappings);
}
private Map<String, Object> createRSAJWK(RSAPublicKey key, KeyUse use, String alg)
throws ServerException {
String alias = null;
try {
alias = getStringSetting(realm, OAuth2Constants.OAuth2ProviderService.KEYSTORE_ALIAS);
} catch (SSOException | SMSException e) {
logger.error(e.getMessage());
throw new ServerException(e);
}
if (StringUtils.isBlank(alias)) {
logger.error("Alias of ID Token Signing Key not set.");
throw new ServerException("Alias of ID Token Signing Key not set.");
} else if ("test".equals(alias)) {
logger.warning("Alias of ID Token Signing Key should be changed from default, 'test'.");
}
String kid =
Hash.hash(alias + key.getModulus().toString() + key.getPublicExponent().toString());
return json(object(
field("kty", "RSA"),
field(OAuth2Constants.JWTTokenParams.KEY_ID, kid),
field("use", use.toString()),
field("alg", alg),
field("n", Base64url.encode(key.getModulus().toByteArray())),
field("e", Base64url.encode(key.getPublicExponent().toByteArray()))))
.asMap();
}
// Get cookies string from HTTP request object
private String getCookiesFromRequest(HttpServletRequest request) {
Cookie cookies[] = CookieUtils.getCookieArrayFromReq(request);
// above call would return pure sid in iPlanetDirectoryPro cookie
// independent of container encoding
StringBuilder cookieStr = null;
String strCookies = null;
if (cookies != null) {
for (int nCookie = 0; nCookie < cookies.length; nCookie++) {
String cookieName = cookies[nCookie].getName();
String cookieVal = cookies[nCookie].getValue();
if (cookieName.equals(CookieUtils.getAmCookieName()) && cookieEncoding) {
cookieVal = URLEncDec.encode(cookieVal);
}
if (debug.messageEnabled()) {
debug.message("CDCClientServlet.getCookiesFromRequest:" + "Cookie name = " + cookieName);
debug.message("CDCClientServlet.getCookiesFromRequest:" + "Cookie val= " + cookieVal);
}
if (cookieStr == null) {
cookieStr = new StringBuilder();
} else {
cookieStr.append(SEMI_COLON).append(SPACE);
}
cookieStr.append(cookieName).append(EQUAL_TO).append(cookieVal);
}
}
if (cookieStr != null) {
strCookies = cookieStr.toString();
}
return strCookies;
}
private Set<String> getWithoutTranslations(String key, Set<String> cached)
throws ServerException {
if (cached != null) {
return cached;
}
Set<String> claims = new HashSet<>();
try {
synchronized (attributeCache) {
for (String claim : getSetting(realm, key)) {
int pipe = claim.indexOf('|');
if (pipe > -1) {
claims.add(claim.substring(0, pipe));
} else {
claims.add(claim);
}
}
return claims;
}
} catch (SMSException e) {
logger.error(e.getMessage());
throw new ServerException(e);
} catch (SSOException e) {
logger.error(e.getMessage());
throw new ServerException(e);
}
}
private synchronized ScopeValidator getScopeValidator() throws ServerException {
if (scopeValidator == null) {
try {
final String scopeValidatorClassName =
getStringSettingValue(OAuth2ProviderService.SCOPE_PLUGIN_CLASS);
if (isEmpty(scopeValidatorClassName)) {
logger.message("Scope Validator class not set.");
throw new ServerException("Scope Validator class not set.");
}
final Class<?> scopeValidatorClass = Class.forName(scopeValidatorClassName);
if (Scope.class.isAssignableFrom(scopeValidatorClass)) {
final Scope scopeClass =
InjectorHolder.getInstance(scopeValidatorClass.asSubclass(Scope.class));
return new LegacyScopeValidator(scopeClass);
}
scopeValidator =
InjectorHolder.getInstance(scopeValidatorClass.asSubclass(ScopeValidator.class));
} catch (ClassNotFoundException e) {
logger.error(e.getMessage());
throw new ServerException(e);
}
}
return scopeValidator;
}
private ResponseTypeHandler wrap(String responseTypeName, String responseTypeHandlerClassName)
throws UnsupportedResponseTypeException {
if (responseTypeHandlerClassName == null || responseTypeHandlerClassName.isEmpty()) {
logger.warning(
"Requested a response type that is not configured. response_type=" + responseTypeName);
throw new UnsupportedResponseTypeException("Response type is not supported");
} else if (responseTypeHandlerClassName.equalsIgnoreCase("none")) {
return new NoneResponseTypeHandler();
}
try {
final Class<?> responseTypeHandlerClass = Class.forName(responseTypeHandlerClassName);
if (ResponseType.class.isAssignableFrom(responseTypeHandlerClass)) {
ResponseType responseType =
InjectorHolder.getInstance(responseTypeHandlerClass.asSubclass(ResponseType.class));
return new LegacyResponseTypeHandler(
responseType, realm, getSSOCookieName(), cookieExtractor);
}
return InjectorHolder.getInstance(
responseTypeHandlerClass.asSubclass(ResponseTypeHandler.class));
} catch (ClassNotFoundException e) {
logger.error(e.getMessage());
throw new UnsupportedResponseTypeException("Response type is not supported");
}
}
/**
* removes the listener from the list of Persistent Search listeners of the asynchronous seach for
* the given search ID.
*
* @param request The request returned by the addListener
* @supported.api
*/
protected void removeListener(Request request) {
LDAPConnection connection = request.getLDAPConnection();
if (connection != null) {
if (debugger.messageEnabled()) {
debugger.message(
"EventService.removeListener(): Removing "
+ "listener requestID: "
+ request.getRequestID()
+ " Listener: "
+ request.getListener());
}
try {
if ((connection != null) && (connection.isConnected())) {
connection.abandon(request.getId());
connection.disconnect();
}
} catch (LDAPException le) {
// Might have to check the reset codes and try to reset
if (debugger.warningEnabled()) {
debugger.warning(
"EventService.removeListener(): " + "LDAPException, when trying to remove listener",
le);
}
}
}
}
protected HashMap<String, String> getAttributeNameToSection() {
HashMap<String, String> result = new HashMap<String, String>();
InputStream inputStream =
getClass()
.getClassLoader()
.getResourceAsStream("/" + schema.getName() + ".section" + ".properties");
if (inputStream != null) {
String line;
BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
try {
while ((line = reader.readLine()) != null) {
if (!(line.matches("^\\#.*") || line.isEmpty())) {
String[] attributeValue = line.split("=");
final String sectionName = attributeValue[0];
result.put(attributeValue[1], sectionName);
}
}
} catch (IOException e) {
if (debug.errorEnabled()) {
debug.error("Error reading section properties file", e);
}
}
}
return result;
}
/**
* Creates Organization within OpenAM
*
* @param ocm Organization Configuration Manager
* @param jVal JSONvalue that contains the payload
* @param realm Name of the realm to be created
* @throws SMSException
* @throws Exception
*/
private void createOrganization(
OrganizationConfigManager ocm, JsonValue jVal, String realm, String realmPath)
throws Exception {
Map defaultValues = null;
OrganizationConfigManager realmCreatedOcm;
if (realmPath != null && !realmPath.endsWith("/")) {
realmPath = realmPath + "/";
}
try {
JsonValue realmDetails = jVal;
if (jVal != null) {
defaultValues = createServicesMap(jVal);
}
ocm.createSubOrganization(realm, defaultValues);
// Get the Organization Configuration Manager for the new Realm
realmCreatedOcm = new OrganizationConfigManager(getSSOToken(), realmPath + realm);
List newServiceNames = realmDetails.get(SERVICE_NAMES).asList();
if (newServiceNames != null && !newServiceNames.isEmpty()) {
// assign services to realm
assignServices(realmCreatedOcm, newServiceNames);
}
} catch (SMSException smse) {
debug.error("RealmResource.createOrganization()", smse);
throw smse;
} catch (Exception e) {
debug.error("RealmResource.createOrganization()", e);
throw e;
}
}
/** {@inheritDoc} */
public AMIdentity searchUser(AMIdentityRepository idrepo, Map<String, Set<String>> attr) {
AMIdentity identity = null;
if (attr == null || attr.isEmpty()) {
debug.warning("DefaultAccountMapper.searchUser: empty search");
return null;
}
IdSearchControl ctrl = getSearchControl(IdSearchOpModifier.OR, attr);
IdSearchResults results;
try {
results = idrepo.searchIdentities(IdType.USER, "*", ctrl);
Iterator<AMIdentity> iter = results.getSearchResults().iterator();
if (iter.hasNext()) {
identity = iter.next();
if (debug.messageEnabled()) {
debug.message("getUser: user found : " + identity.getName());
}
}
} catch (IdRepoException ex) {
debug.error(
"DefaultAccountMapper.searchUser: Problem while searching for the user. IdRepo", ex);
} catch (SSOException ex) {
debug.error(
"DefaultAccountMapper.searchUser: Problem while searching for the user. SSOExc", ex);
}
return identity;
}
/**
* Returns the Policy Decision Point End Point (PDP) URL.
*
* @param pdpEntityID entity Identifier of the PDP.
* @return the PDP endpoint URL.
* @exception if there is an error retreiving the endpoint from the configuration.
*/
private static String getPDPEndPoint(String pdpEntityID) throws SAML2Exception {
String endPoint = null;
String classMethod = "QueryClient:getPDPEndPoint";
if (saml2MetaManager != null) {
try {
XACMLPDPDescriptorElement pdpDescriptor =
saml2MetaManager.getPolicyDecisionPointDescriptor(null, pdpEntityID);
if (pdpDescriptor != null) {
List xacmlPDP = pdpDescriptor.getXACMLAuthzService();
if (xacmlPDP != null) {
Iterator i = xacmlPDP.iterator();
while (i.hasNext()) {
Object o = (Object) i.next();
if (o instanceof XACMLAuthzServiceElement) {
XACMLAuthzServiceElement xType = (XACMLAuthzServiceElement) o;
endPoint = xType.getLocation();
if (debug.messageEnabled()) {
debug.message(classMethod + "EndPoint :" + endPoint);
}
}
break;
}
}
}
} catch (SAML2MetaException sme) {
if (debug.messageEnabled()) {
debug.message(classMethod + "Error retreiving PDP Meta", sme);
}
String[] args = {pdpEntityID};
LogUtil.error(Level.INFO, LogUtil.PDP_METADATA_ERROR, args);
throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "pdpMetaRetreivalError", args);
}
}
return endPoint;
}
/** {@inheritDoc} */
public AMIdentity provisionUser(AMIdentityRepository idrepo, Map<String, Set<String>> attributes)
throws AuthLoginException {
AMIdentity identity = null;
try {
String userId;
Set<String> idAttribute = attributes.get(idNameAttribute);
if (idAttribute != null && !idAttribute.isEmpty()) {
userId = idAttribute.iterator().next();
} else {
userId = UUID.randomUUID().toString();
}
identity = idrepo.createIdentity(IdType.USER, userId, attributes);
} catch (IdRepoException ire) {
debug.error("DefaultAccountMapper.getAccount: IRE ", ire);
debug.error("LDAPERROR Code = " + ire.getLDAPErrorCode());
if (ire.getLDAPErrorCode() != null && !ire.getLDAPErrorCode().equalsIgnoreCase("68")) {
throw new AuthLoginException("Failed to create user");
}
} catch (SSOException ex) {
debug.error(
"DefaultAccountMapper.getAttributes: Problem while creating the user. SSOExc", ex);
throw new AuthLoginException("Failed to create user");
}
return identity;
}
/** Gets list of replicated servers from local OpenDJ directory. */
public static Set getServerSet(LDAPConnection lc) {
final String[] attrs = {"uniqueMember"};
Debug debug = Debug.getInstance(SetupConstants.DEBUG_NAME);
try {
if (lc != null) {
LDAPEntry le = lc.read(replDN, attrs);
if (le != null) {
Set hostSet = new HashSet();
LDAPAttribute la = le.getAttribute(attrs[0]);
if (la != null) {
Enumeration en = la.getStringValues();
while (en != null && en.hasMoreElements()) {
String val = (String) en.nextElement();
// strip "cn="
hostSet.add(val.substring(3, val.length()));
}
}
return hostSet;
} else {
debug.error(
"EmbeddedOpenDS:syncOpenDSServer():" + "Could not find trustkey for:" + replDN);
}
} else {
debug.error(
"EmbeddedOpenDS:syncOpenDSServer():" + "Could not connect to local opends instance.");
}
} catch (Exception ex) {
debug.error("EmbeddedOpenDS.syncOpenDSServer()." + " Error getting replication key:", ex);
}
return null;
}
/** {@inheritDoc} */
public Promise<ResourceResponse, ResourceException> readInstance(
Context context, String resourceId, ReadRequest request) {
final String realm = getRealm(context);
debug.message("ServerInfoResource :: READ : in realm: " + realm);
if (COOKIE_DOMAINS.equalsIgnoreCase(resourceId)) {
return getCookieDomains();
} else if (ALL_SERVER_INFO.equalsIgnoreCase(resourceId)) {
return getAllServerInfo(context, realm);
} else { // for now this is the only case coming in, so fail if otherwise
final ResourceException e =
new NotSupportedException("ResourceId not supported: " + resourceId);
if (debug.errorEnabled()) {
debug.error(
"ServerInfoResource :: READ : in realm: "
+ realm
+ ": Cannot receive information on requested resource: "
+ resourceId,
e);
}
return e.asPromise();
}
}
/**
* Method which removes the DC Tree corresponding to the Org
*
* @param token SSOToken
* @param orgDN String representing the DN correponding to the organization
* @exception AMException if error occured in accessing the org corresponding to orgDN or during
* the removal of the dc tree corresponding to the orgDN
*/
protected void removeDomain(SSOToken token, String orgDN) throws AMException {
// String orgAttribute[] = {IPLANET_DOMAIN_NAME_ATTR};
try {
PersistentObject po = UMSObject.getObject(token, new Guid(orgDN));
if (!(po instanceof com.iplanet.ums.Organization)) {
if (debug.messageEnabled()) {
debug.message("DCTree.removeDomain-> " + orgDN + " is not an organization");
}
return;
}
String domainName = getCanonicalDomain(token, orgDN);
if (debug.messageEnabled()) {
debug.message("DCTree.removeDomain-> " + "Obtained canon domain " + domainName);
}
if ((domainName != null) && (domainName.length() > 0)) {
DomainComponentTree dcTree = new DomainComponentTree(token, new Guid(DCTREE_START_DN));
if (debug.messageEnabled()) {
debug.message("DCTree.removeDomain: removing domain: " + domainName);
}
dcTree.removeDomain(domainName);
} else {
if (debug.warningEnabled()) {
debug.warning("DCTree.removeDomain(): " + " unable to get domain for " + orgDN);
}
}
} catch (UMSException ue) {
if (debug.warningEnabled()) {
debug.warning("DCTree.removeDomain(): ", ue);
}
}
}
/**
* Perform a remote setProperty on the Session using the remote Service URL.
*
* <p>{@inheritDoc}
*/
public void setProperty(Session session, String name, String value) throws SessionException {
if (debug.messageEnabled()) {
debug.message(MessageFormat.format("Remote setProperty {0} {1}={2}", session, name, value));
}
SessionID sessionID = session.getID();
SessionRequest sreq =
new SessionRequest(SessionRequest.SetProperty, sessionID.toString(), false);
sreq.setPropertyName(name);
sreq.setPropertyValue(value);
if (SystemProperties.isServerMode() && InternalSession.isProtectedProperty(name)) {
try {
SSOToken admSSOToken = SessionUtils.getAdminToken();
sreq.setRequester(RestrictedTokenContext.marshal(admSSOToken));
} catch (SSOException e) {
throw new SessionException(e);
} catch (Exception e) {
throw new SessionException(e);
}
if (debug.messageEnabled()) {
debug.message(
"Session.setProperty: "
+ "added admSSOToken in sreq to set "
+ "externalProtectedProperty in remote server");
}
}
requests.sendRequestWithRetry(session.getSessionServiceURL(), sreq, session);
}
/**
* Method which creates a <Code>Domain Component Tree </Code> for the given organization, if the
* <code>sunPreferredDomain</code> attribute is present and has a fully qualified domain name as
* value.
*
* @param token SSO Token
* @param orgGuid identifiication of organization entry to be mapped from <Code>dctree</Code> to
* organization DIT organization
* @param attrSet the attributes to be set on creation of domain.
* @exception AMException if unsuccessful in creating a dc tree for the organization or
* unsuccessful in setting the mapping between dc tree and the organization
*/
protected void createDomain(SSOToken token, Guid orgGuid, AttrSet attrSet)
throws AMException, SSOException {
if (DCTREE_START_DN == null) {
throw new AMException(AMSDKBundle.getString("355"), "355");
}
// Create a DC tree is value is specified for
// sunPreferredDomain attribute
String domainName = attrSet.getValue(IPLANET_DOMAIN_NAME_ATTR);
// remove the attribute from the attribute set.
attrSet.remove(IPLANET_DOMAIN_NAME_ATTR);
if ((domainName != null) && (domainName != "")) {
try {
DomainComponentTree dcTree = new DomainComponentTree(token, new Guid(DCTREE_START_DN));
dcTree.addDomain(domainName);
// Set the domain mapping
dcTree.setDomainMapping(domainName, orgGuid);
String status = attrSet.getValue(INET_DOMAIN_STATUS_ATTR);
if (status != null) {
dcTree.setDomainStatus(domainName, status);
}
AttrSet[] attrSetArray = splitAttrSet(orgGuid.getDn(), attrSet);
if (attrSetArray[1] != null) {
setDomainAttributes(token, orgGuid.getDn(), attrSetArray[1]);
}
} catch (InvalidDCRootException ie) {
debug.error("DCTree.createDomain(): ", ie);
throw new AMException(AMSDKBundle.getString("343"), "343");
} catch (UMSException ue) {
debug.error("DCTree.createDomain(): ", ue);
throw new AMException(AMSDKBundle.getString("344"), "344");
}
}
}
/**
* Response message carries a LDAP error. Response with the code 0 (SUCCESS), should never be
* received as persistent search never completes, it has to be abandon. Referral messages are
* ignored
*/
protected boolean processResponseMessage(LDAPResponse rsp, Request request) {
_retryErrorCodes = getPropertyRetryErrorCodes(EVENT_CONNECTION_ERROR_CODES);
int resultCode = rsp.getResultCode();
if (_retryErrorCodes.contains("" + resultCode)) {
if (debugger.messageEnabled()) {
debugger.message(
"EventService.processResponseMessage() - "
+ "received LDAP Response for requestID: "
+ request.getRequestID()
+ " Listener: "
+ request.getListener()
+ "Need restarting");
}
resetErrorSearches(false);
} else if (resultCode != 0 || resultCode != LDAPException.REFERRAL) {
// If not neither of the cases then
if (resultCode == LDAPException.BUSY) {
debugger.error(
"EventService.processResponseMessage() - received error BUSY, call retryManager");
return retryManager(false);
}
LDAPException ex =
new LDAPException(
"Error result", rsp.getResultCode(), rsp.getErrorMessage(), rsp.getMatchedDN());
dispatchException(ex, request);
}
return true;
}
@Override
public void updateRefreshToken(RefreshToken refreshToken) {
try {
deleteRefreshToken(refreshToken.getTokenId());
tokenStore.create(refreshToken);
} catch (CoreTokenException e) {
logger.error(
"DefaultOAuthTokenStoreImpl::Unable to create refresh token " + refreshToken.getTokenId(),
e);
throw new OAuthProblemException(
Status.SERVER_ERROR_INTERNAL.getCode(),
"Internal error",
"Could not create token in CTS",
null);
} catch (InvalidRequestException e) {
logger.error(
"DefaultOAuthTokenStoreImpl::Unable to delete refresh token " + refreshToken.getTokenId(),
e);
throw new OAuthProblemException(
Status.SERVER_ERROR_INTERNAL.getCode(),
"Internal error",
"Could not delete token in CTS",
null);
}
}
/** Create naming event from a change control */
private DSEvent createDSEvent(LDAPEntry entry, LDAPEntryChangeControl changeCtrl, Request req)
throws Exception {
DSEvent dsEvent = new DSEvent();
if (debugger.messageEnabled()) {
debugger.message(
"EventService.createDSEvent() - Notifying event " + "to: " + req.getListener());
}
// Get the dn from the entry
String dn = entry.getDN();
dsEvent.setID(dn);
// Get information on the type of change made
int changeType = changeCtrl.getChangeType();
dsEvent.setEventType(changeType);
// Pass the search ID as the event's change info
dsEvent.setSearchID(req.getRequestID());
// set the object class name
String className = entry.getAttribute("objectclass").toString();
dsEvent.setClassName(className);
return dsEvent;
}
@Override
public boolean action(InternalSession is, Map<String, Long> sessions) {
String nextExpiringSessionID = null;
long smallestExpTime = Long.MAX_VALUE;
for (Map.Entry<String, Long> entry : sessions.entrySet()) {
String sid = entry.getKey();
long expirationTime = entry.getValue();
if (expirationTime < smallestExpTime) {
smallestExpTime = expirationTime;
nextExpiringSessionID = sid;
}
}
if (nextExpiringSessionID != null) {
SessionID sessID = new SessionID(nextExpiringSessionID);
try {
Session s = sessionCache.getSession(sessID);
s.destroySession(s);
} catch (SessionException e) {
if (debug.messageEnabled()) {
debug.message("Failed to destroy the next " + "expiring session.", e);
}
// deny the session activation request
// in this case
return true;
}
}
return false;
}
/**
* Converts a JAXB object to a <code>org.w3c.dom.Element</code>.
*
* @param jaxbObj a JAXB object
* @return a <code>org.w3c.dom.Element</code>
* @throws JAXBException if an error occurs while converting JAXB object.
* @supported.api
*/
public static Element convertJAXBToElement(Object jaxbObj, boolean checkIdref)
throws JAXBException {
Marshaller m = jc.createMarshaller();
try {
m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapperImpl());
} catch (PropertyException ex) {
debug.error("Utils.convertJAXBToElement", ex);
}
if (!checkIdref) {
m.setEventHandler(
new DefaultValidationEventHandler() {
public boolean handleEvent(ValidationEvent event) {
if (event instanceof NotIdentifiableEvent) {
return true;
}
return super.handleEvent(event);
}
});
}
Document doc = null;
try {
doc = XMLUtils.newDocument();
} catch (Exception ex) {
debug.error("Utils.convertJAXBToElement:", ex);
}
m.marshal(jaxbObj, doc);
return doc.getDocumentElement();
}
