コード例 #1
0
  private void proceedWithFilterChain(
      FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse)
      throws IOException, ServletException {

    BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_PARAM_SUB_KEY);
    BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_PARAM_CONTEXT_PATH);
    BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_PARAM_SUPPLIER_ID);
    BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_ATTR_SERVICE_LOGIN_TYPE);
    BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_ATTR_ERROR_KEY);

    chain.doFilter(httpRequest, httpResponse);
  }
コード例 #2
0
  void redirectToPrimarilyRequestedUrl(
      FilterChain chain,
      HttpServletRequest httpRequest,
      HttpServletResponse httpResponse,
      ServiceAccess serviceAccess,
      AuthorizationRequestData rdo)
      throws IOException, ServletException {

    String forwardUrl =
        (String) httpRequest.getSession().getAttribute(Constants.SESS_ATTR_FORWARD_URL);

    if (BesServletRequestReader.onlyServiceLogin(httpRequest.getSession())) {
      if (forwardUrl == null) {
        forwardUrl = Constants.SERVICE_BASE_URI + "/" + rdo.getSubscriptionKey() + "/";
      }
      JSFUtils.sendRedirect(httpResponse, httpRequest.getContextPath() + forwardUrl);
      return;
    }

    if (ADMStringUtils.isBlank(forwardUrl) || forwardUrl.startsWith(MenuBean.LINK_DEFAULT)) {
      forwardUrl = getDefaultUrl(serviceAccess, rdo, httpRequest);
    }

    if ((ADMStringUtils.isBlank(forwardUrl) || rdo.getRelativePath().startsWith(forwardUrl))
        && !rdo.isMarketplaceLoginPage()) {
      chain.doFilter(httpRequest, httpResponse);
    } else {
      JSFUtils.sendRedirect(httpResponse, httpRequest.getContextPath() + forwardUrl);
    }
  }
コード例 #3
0
 private void setErrorAttributesAndForward(
     String forwardUrl,
     HttpServletRequest httpRequest,
     HttpServletResponse httpResponse,
     SaaSApplicationException e)
     throws ServletException, IOException {
   BesServletRequestReader.setErrorAttributes(httpRequest, e);
   forward(forwardUrl, httpRequest, httpResponse);
 }
コード例 #4
0
  private HttpServletRequest handleServiceUrl(
      FilterChain chain,
      HttpServletRequest httpRequest,
      HttpServletResponse httpResponse,
      AuthorizationRequestData rdo)
      throws IOException, ServletException {

    VOMarketplace mpl;
    try {
      mpl = determineMarketplaceForSubscription(httpRequest, rdo);
    } catch (ObjectNotFoundException e) {

      logger.logError(
          Log4jLogger.SYSTEM_LOG,
          e,
          LogMessageIdentifier.ERROR_SUBSCRIPTION_NOT_FOUND,
          rdo.getSubscriptionKey());
      BesServletRequestReader.setErrorAttributes(httpRequest, e);

      handleSubscriptionNotFound(chain, httpRequest, httpResponse, rdo);
      return null;
    }

    // Bug 9588: Marketplace may have been deleted
    if (mpl != null) {
      httpRequest.setAttribute(
          Constants.REQ_ATTR_SERVICE_LOGIN_TYPE, Constants.REQ_ATTR_LOGIN_TYPE_MPL);

      httpRequest
          .getSession()
          .setAttribute(Constants.REQ_PARAM_MARKETPLACE_ID, mpl.getMarketplaceId());
    } else {
      httpRequest.setAttribute(
          Constants.REQ_ATTR_SERVICE_LOGIN_TYPE, Constants.REQ_ATTR_LOGIN_TYPE_NO_MPL);
    }

    String contextPath = rdo.getContextPath();
    if (!ADMStringUtils.isBlank(httpRequest.getQueryString())) {
      contextPath += "?" + httpRequest.getQueryString();
    }
    httpRequest.setAttribute(Constants.REQ_PARAM_SUB_KEY, rdo.getSubscriptionKey());
    httpRequest.setAttribute(Constants.REQ_PARAM_CONTEXT_PATH, contextPath);

    return processServiceUrl(
        httpRequest, httpResponse, chain, rdo.getSubscriptionKey(), contextPath, rdo);
  }
コード例 #5
0
 private void handleServletException(
     HttpServletRequest httpRequest, HttpServletResponse httpResponse, ServletException e)
     throws IOException, ServletException {
   EJBException ejbEx = ExceptionHandler.getEJBException(e);
   if (ejbEx != null
       && ejbEx.getCause() instanceof Exception
       && ejbEx.getCausedByException() instanceof AccessException) {
     String forwardErrorPage;
     if (BesServletRequestReader.isMarketplaceRequest(httpRequest)) {
       forwardErrorPage = Marketplace.MARKETPLACE_ROOT + Constants.INSUFFICIENT_AUTHORITIES_URI;
     } else {
       forwardErrorPage = Constants.INSUFFICIENT_AUTHORITIES_URI;
     }
     JSFUtils.sendRedirect(httpResponse, httpRequest.getContextPath() + forwardErrorPage);
   } else {
     // make sure we do not catch exceptions cause by
     // ViewExpiredException here, they'll be handled directly in the
     // doFilter()
     throw e;
   }
 }
コード例 #6
0
  protected boolean loginUser(
      FilterChain chain,
      HttpServletRequest httpRequest,
      HttpServletResponse httpResponse,
      VOUser voUser,
      AuthorizationRequestData rdo,
      IdentityService identityService)
      throws ServletException, IOException {

    HttpSession session = httpRequest.getSession();
    boolean onlyServiceLogin = BesServletRequestReader.onlyServiceLogin(session);
    String forwardUrl = (String) session.getAttribute(Constants.SESS_ATTR_FORWARD_URL);
    SessionBean sessionBean = (SessionBean) session.getAttribute(Constants.SESS_ATTR_SESSION_BEAN);

    ServiceAccess serviceAccess = ServiceAccess.getServiceAcccessFor(session);

    if (onlyServiceLogin) {
      session.setAttribute(Constants.SESS_ATTR_ONLY_SERVICE_LOGIN, Boolean.TRUE);
    }

    if (!ADMStringUtils.isBlank(forwardUrl)) {
      session.setAttribute(Constants.SESS_ATTR_FORWARD_URL, forwardUrl);
    }

    if (sessionBean != null) {
      session.setAttribute(Constants.SESS_ATTR_SESSION_BEAN, sessionBean);
    }

    if (!ADMStringUtils.isBlank(rdo.getMarketplaceId())) {
      session.setAttribute(Constants.REQ_PARAM_MARKETPLACE_ID, rdo.getMarketplaceId());
    }

    // authenticate the user
    // IMPORTANT: Changes to this method must also be applied to
    // UserBean.login()
    try {
      serviceAccess.login(voUser, rdo.getPassword(), httpRequest, httpResponse);
    } catch (CommunicationException e) {
      handleCommunicationException(chain, httpRequest, httpResponse, rdo);
      return false;
    } catch (LoginException e) {
      logger.logInfo(
          Log4jLogger.ACCESS_LOG,
          LogMessageIdentifier.INFO_USER_LOGIN_INVALID,
          httpRequest.getRemoteHost(),
          Integer.toString(httpRequest.getRemotePort()),
          StringUtils.isNotBlank(voUser.getUserId()) ? voUser.getUserId() : "",
          IPResolver.resolveIpAddress(httpRequest),
          voUser.getTenantId());
      try {
        voUser = identityService.getUser(voUser);
      } catch (ObjectNotFoundException e1) {
        handleUserNotRegistered(chain, httpRequest, httpResponse, rdo);
        return false;
      } catch (SaaSApplicationException e1) {
        setErrorAttributesAndForward(errorPage, httpRequest, httpResponse, e1);
        return false;
      }

      if (voUser.getStatus() != null
          && voUser.getStatus().getLockLevel() > UserAccountStatus.LOCK_LEVEL_LOGIN) {
        httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_USER_LOCKED);
        forward(errorPage, httpRequest, httpResponse);
        return false;
      }

      handleLoginException(chain, httpRequest, httpResponse, rdo);
      return false;
    }

    if (!rdo.isMarketplace()
        && !rdo.isAccessToServiceUrl() // BE09588 Login is OK if a
        // service is accessed, whose
        // subscription has no
        // marketplace
        && identityService.getCurrentUserDetails().getOrganizationRoles().size() == 1
        && identityService
            .getCurrentUserDetails()
            .getOrganizationRoles()
            .contains(OrganizationRoleType.CUSTOMER)) {
      if (ADMStringUtils.isBlank(rdo.getMarketplaceId())) {
        if (redirectToMpUrl(httpRequest, httpResponse)) {
          setupUserDetail(httpRequest, rdo, identityService, session);
          return false;
        } else {
          httpRequest.setAttribute(
              Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_INVALID_MARKETPLACE_URL);
          forward(BaseBean.MARKETPLACE_ERROR_PAGE, httpRequest, httpResponse);
        }
      } else {
        setupUserDetail(httpRequest, rdo, identityService, session);
        forward(BaseBean.MARKETPLACE_START_SITE, httpRequest, httpResponse);
      }
      return false;
    }

    // get the service again because the credentials have been
    // changed (important for WS usage)
    identityService = serviceAccess.getService(IdentityService.class);
    try {
      identityService.refreshLdapUser();
    } catch (ValidationException e) {
      logger.logDebug(
          "Refresh of LDAP user failed, most likely due to missing/wrong LDAP settings");
    }

    logger.logInfo(
        Log4jLogger.ACCESS_LOG,
        LogMessageIdentifier.INFO_USER_LOGIN_SUCCESS,
        StringUtils.isNotBlank(voUser.getUserId()) ? voUser.getUserId() : "",
        IPResolver.resolveIpAddress(httpRequest),
        voUser.getTenantId());
    return true;
  }
コード例 #7
0
  /**
   * If the user wants to access a service URL we must check if he is logged into the service.
   *
   * @return the given HTTP request, a request wrapper which must be used to perform the service
   *     login or null if the caller should continue with the filter chain
   * @throws IOException
   * @throws ServletException
   * @throws DatatypeConfigurationException
   * @throws SAML2AuthnRequestException
   * @throws Exception
   */
  private HttpServletRequest processServiceUrl(
      HttpServletRequest request,
      HttpServletResponse response,
      FilterChain chain,
      String subKey,
      String contextPath,
      AuthorizationRequestData rdo)
      throws ServletException, IOException {

    HttpSession session = request.getSession();
    ServiceAccess serviceAccess = ServiceAccess.getServiceAcccessFor(session);

    if ("/".equals(contextPath) && !BesServletRequestReader.onlyServiceLogin(session)) {
      // if the user accesses a subscription from the my subscription list
      // we check the subscription key map in the session (this causes
      // some overhead - EJB call - and should NOT be done for every
      // service request)

      // preserve mId
      String mId = (String) session.getAttribute(Constants.REQ_PARAM_MARKETPLACE_ID);

      SessionListener.cleanup(session);

      session = request.getSession();
      session.setAttribute(Constants.REQ_PARAM_MARKETPLACE_ID, mId);
    }

    Map<String, VOSubscription> map = getSubMapFromSession(session);
    VOSubscription sub = map.get(subKey);
    VOUserDetails userDetails = (VOUserDetails) session.getAttribute(Constants.SESS_ATTR_USER);
    if (BesServletRequestReader.onlyServiceLogin(session)) {
      session.removeAttribute(Constants.SESS_ATTR_ONLY_SERVICE_LOGIN);

      // at least remove the user details from the session
      session.removeAttribute(Constants.SESS_ATTR_USER);
      if (userDetails != null) {
        session.setAttribute(Constants.REQ_PARAM_LOCALE, userDetails.getLocale());
      }
    }

    if (userDetails != null
        && userDetails.getStatus() != UserAccountStatus.PASSWORD_MUST_BE_CHANGED) {
      // the user is already logged in

      if (sub == null) {
        // the user is not logged in the service, we must call the
        // SSO bridge

        sub = getSubscription(serviceAccess, subKey);

        if (sub == null) {
          UserNotAssignedException e =
              new UserNotAssignedException(subKey, userDetails.getUserId());
          logger.logError(
              Log4jLogger.SYSTEM_LOG | Log4jLogger.AUDIT_LOG,
              e,
              LogMessageIdentifier.ERROR_ACTIVE_SUBSCRIPTION_FOR_CURRENT_USER_FAILED,
              subKey);
          setErrorAttributesAndForward(
              getDefaultUrl(serviceAccess, rdo, request), request, response, e);
          return null;

        } else if (sub.getStatus() != SubscriptionStatus.ACTIVE
            && sub.getStatus() != SubscriptionStatus.PENDING_UPD) {
          SubscriptionStateException e =
              new SubscriptionStateException(
                  "Subscription '" + subKey + "' not active or pending update.",
                  Reason.ONLY_ACTIVE);
          logger.logError(
              Log4jLogger.SYSTEM_LOG | Log4jLogger.AUDIT_LOG,
              e,
              LogMessageIdentifier.ERROR_SUBSCRIPTION_NOT_ACTIVE,
              subKey);
          setErrorAttributesAndForward(
              getDefaultUrl(serviceAccess, rdo, request), request, response, e);
          return null;

        } else if (!sub.getServiceBaseURL()
            .toLowerCase()
            .startsWith(request.getScheme().toLowerCase() + "://")) {
          setErrorAttributesAndForward(errorPage, request, response, new ServiceSchemeException());
          return null;
        }

        String userToken = ADMStringUtils.getRandomString(40);

        // create a service session database record (which is used by
        // the service to resolve the user token)
        try {
          synchronized (map) {
            createServiceSession(serviceAccess, subKey, session.getId(), userToken);
            // the map must be filled after the service session was
            // created otherwise the session listener cleanup method
            // might clear the list
            map.put(subKey, sub);
          }
        } catch (ObjectNotFoundException e) {
          handleSubscriptionNotFound(chain, request, response, rdo);
          return null;
        } catch (ServiceParameterException e) {
          setErrorAttributesAndForward(Constants.SERVICE_USAGE_ERROR_URI, request, response, e);
          return null;
        } catch (SaaSApplicationException e) {
          setErrorAttributesAndForward(errorPage, request, response, e);
          return null;
        }

        if (sub.getServiceAccessType() == ServiceAccessType.LOGIN) {
          // perform a redirect to the SSO bridge with the user token
          String url = removeEndingSlash(sub.getServiceBaseURL());
          if (sub.getServiceLoginPath() != null) {
            url += sub.getServiceLoginPath();
          }
          if (url.contains("?")) {
            url += "&";
          } else {
            url += "?";
          }
          SsoParameters ssoParameters = new SsoParameters();
          ssoParameters.setContextPath(contextPath);
          ssoParameters.setInstanceId(sub.getServiceInstanceId());
          ssoParameters.setLanguage(userDetails.getLocale());
          ssoParameters.setSubscriptionKey(subKey);
          ssoParameters.setBssId(request.getSession().getId());
          ssoParameters.setUsertoken(userToken);
          url += ssoParameters.getQueryString();
          JSFUtils.sendRedirect(response, url);
          return null;
        }

      } else {
        if (sub.getServiceAccessType() == ServiceAccessType.LOGIN) {
          // send a redirect to the service base URL, the service
          // session should be still active
          JSFUtils.sendRedirect(response, sub.getServiceBaseURL());
          return null;
        }

        // nothing to do (the user is logged in the platform and the
        // service) the rewriting is done by the subsequent filters in
        // the filter chain which is activated by the caller
      }
    } else {
      // the user is not logged in

      if (sub == null) {
        // the user is neither logged in platform nor in the
        // service,
        //
        // The later processing will forward to the service login
        // page processing. After the login there will be a redirect to
        // the primarily requested URL which will perform the service
        // login
        session.setAttribute(Constants.SESS_ATTR_ONLY_SERVICE_LOGIN, Boolean.TRUE);

      } else {
        // the user is logged in the service

        if (sub.getServiceAccessType() == ServiceAccessType.LOGIN) {
          // send a redirect to the service base URL, the service
          // session should be still active
          JSFUtils.sendRedirect(response, sub.getServiceBaseURL());
        } else {
          // don't perform any other checks continue with the
          // filter chain which will perform the rewriting
          chain.doFilter(request, response);
        }
        return null;
      }
    }
    return request;
  }