void redirectToPrimarilyRequestedUrl( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, ServiceAccess serviceAccess, AuthorizationRequestData rdo) throws IOException, ServletException { String forwardUrl = (String) httpRequest.getSession().getAttribute(Constants.SESS_ATTR_FORWARD_URL); if (BesServletRequestReader.onlyServiceLogin(httpRequest.getSession())) { if (forwardUrl == null) { forwardUrl = Constants.SERVICE_BASE_URI + "/" + rdo.getSubscriptionKey() + "/"; } JSFUtils.sendRedirect(httpResponse, httpRequest.getContextPath() + forwardUrl); return; } if (ADMStringUtils.isBlank(forwardUrl) || forwardUrl.startsWith(MenuBean.LINK_DEFAULT)) { forwardUrl = getDefaultUrl(serviceAccess, rdo, httpRequest); } if ((ADMStringUtils.isBlank(forwardUrl) || rdo.getRelativePath().startsWith(forwardUrl)) && !rdo.isMarketplaceLoginPage()) { chain.doFilter(httpRequest, httpResponse); } else { JSFUtils.sendRedirect(httpResponse, httpRequest.getContextPath() + forwardUrl); } }
/** This method is not adapted used in SAML_SP case. */ void reLogginUserIfRequired( HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthorizationRequestData rdo, StringBuffer url) { final String userId = httpRequest.getParameter(PARAM_LOGIN_USER_ID); if (!ADMStringUtils.isBlank(userId)) { // user login data was just provided by the login dialog try { ServiceAccess serviceAccess = ServiceAccess.getServiceAcccessFor(httpRequest.getSession()); IdentityService identityService = serviceAccess.getService(IdentityService.class); rdo.setUserId(userId); rdo.setPassword(httpRequest.getParameter(PARAM_LOGIN_PASSWORD)); VOUser voUser = readTechnicalUserFromDb(identityService, rdo); serviceAccess.login(voUser, rdo.getPassword(), httpRequest, httpResponse); httpRequest .getSession() .setAttribute(Constants.SESS_ATTR_USER, identityService.getCurrentUserDetails()); } catch (Exception e2) { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_LOGIN); // open marketplace login dialog again and fill in // userId appendParam( url, Constants.REQ_PARAM_AUTO_OPEN_MP_LOGIN_DIALOG, Boolean.TRUE.toString(), httpRequest.getCharacterEncoding()); appendParam(url, Constants.REQ_PARAM_USER_ID, userId, httpRequest.getCharacterEncoding()); } } }
VOUser readTechnicalUserFromDb(IdentityService service, AuthorizationRequestData ard) throws ObjectNotFoundException, OperationNotPermittedException, OrganizationRemovedException { VOUser voUser = new VOUser(); voUser.setUserId(ard.getUserId()); voUser.setTenantId(ard.getTenantID()); voUser = service.getUser(voUser); return voUser; }
boolean handleLoggedInUser( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, ServiceAccess serviceAccess, AuthorizationRequestData rdo) throws ServletException, IOException { VOUserDetails userDetails = rdo.getUserDetails(); if (userDetails != null) { httpRequest.getSession().setAttribute(PORTAL_HAS_BEEN_REQUESTED, !rdo.isMarketplace()); // if the user wants to use another organization he must login // again (the service sessions are destroyed as well) // don't let a user with status PASSWORD_MUST_BE_CHANGED see any // site but the one to change the pwd if (!authSettings.isServiceProvider()) { if (userDetails.getStatus() == UserAccountStatus.PASSWORD_MUST_BE_CHANGED && !rdo.isRequestedToChangePwd()) { forwardToPwdPage(userDetails.getUserId(), httpRequest, httpResponse); return true; } } // TODO stavreva: check this again if (authSettings.isServiceProvider() || !rdo.isRequestedToChangePwd()) { long t = System.currentTimeMillis(); if (ADMStringUtils.isBlank(httpRequest.getServletPath()) || httpRequest.getServletPath().startsWith(MenuBean.LINK_DEFAULT)) { String defaultUrl = getDefaultUrl(serviceAccess, rdo, httpRequest); forward(defaultUrl, httpRequest, httpResponse); } if (loginPage.equalsIgnoreCase(httpRequest.getServletPath())) { sendRedirect(httpRequest, httpResponse, MenuBean.LINK_DEFAULT); } if (isPageForbiddenToAccess(httpRequest, rdo, serviceAccess)) { forward(insufficientAuthoritiesUrl, httpRequest, httpResponse); } chain.doFilter(httpRequest, httpResponse); if (logger.isDebugLoggingEnabled()) { logger.logDebug( "URL='" + rdo.getRelativePath() + "' processed in " + (System.currentTimeMillis() - t) + "ms"); } return true; } } return false; }
/** * @param httpRequest * @param rdo * @param identityService * @param session */ private void setupUserDetail( HttpServletRequest httpRequest, AuthorizationRequestData rdo, IdentityService identityService, HttpSession session) { rdo.setUserDetails(identityService.getCurrentUserDetails()); HttpSession httpSession = httpRequest.getSession(false); if (httpSession != null) { session.setAttribute(Constants.SESS_ATTR_USER, rdo.getUserDetails()); } }
/** * Returns true if one of the following conditions is matching:<br> * 1) the landing page is requested and defined as public <br> * 2) the requested URL matches the public URL-pattern */ boolean isPublicAccess(AuthorizationRequestData rdo, HttpServletRequest request) { // first, check if landing page is public if (rdo.isLandingPage()) { LandingpageConfigurationService service = lookupLandingpageConfigurationService(request); try { LandingpageType type = service.loadLandingpageType(rdo.getMarketplaceId()); return type.isDefault(); } catch (Exception e) { return false; } } // second, check url pattern of request return rdo.isPublicURL(publicUrlPattern); }
private HttpServletRequest handleServiceUrl( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthorizationRequestData rdo) throws IOException, ServletException { VOMarketplace mpl; try { mpl = determineMarketplaceForSubscription(httpRequest, rdo); } catch (ObjectNotFoundException e) { logger.logError( Log4jLogger.SYSTEM_LOG, e, LogMessageIdentifier.ERROR_SUBSCRIPTION_NOT_FOUND, rdo.getSubscriptionKey()); BesServletRequestReader.setErrorAttributes(httpRequest, e); handleSubscriptionNotFound(chain, httpRequest, httpResponse, rdo); return null; } // Bug 9588: Marketplace may have been deleted if (mpl != null) { httpRequest.setAttribute( Constants.REQ_ATTR_SERVICE_LOGIN_TYPE, Constants.REQ_ATTR_LOGIN_TYPE_MPL); httpRequest .getSession() .setAttribute(Constants.REQ_PARAM_MARKETPLACE_ID, mpl.getMarketplaceId()); } else { httpRequest.setAttribute( Constants.REQ_ATTR_SERVICE_LOGIN_TYPE, Constants.REQ_ATTR_LOGIN_TYPE_NO_MPL); } String contextPath = rdo.getContextPath(); if (!ADMStringUtils.isBlank(httpRequest.getQueryString())) { contextPath += "?" + httpRequest.getQueryString(); } httpRequest.setAttribute(Constants.REQ_PARAM_SUB_KEY, rdo.getSubscriptionKey()); httpRequest.setAttribute(Constants.REQ_PARAM_CONTEXT_PATH, contextPath); return processServiceUrl( httpRequest, httpResponse, chain, rdo.getSubscriptionKey(), contextPath, rdo); }
private void handleNumberFormatException( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, NumberFormatException e, AuthorizationRequestData rdo) throws ServletException, IOException { logger.logError( Log4jLogger.SYSTEM_LOG, e, LogMessageIdentifier.ERROR_PARSE_SUBSCRIPTION_KEY_FAILED, rdo.getSubscriptionKey()); if (authSettings.isServiceProvider()) { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_SUBSCRIPTION_KEY); forward(errorPage, httpRequest, httpResponse); } else { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_LOGIN); forwardToLoginPage(rdo.getRelativePath(), false, httpRequest, httpResponse, chain); } }
/** Retrieve the marketplace for the given subscription in order to login */ private VOMarketplace determineMarketplaceForSubscription( HttpServletRequest httpRequest, AuthorizationRequestData rdo) throws ObjectNotFoundException { Map<String, VOMarketplace> cachedMarketplaces = getMarketplaceMapFromSession(httpRequest.getSession()); VOMarketplace mpl = cachedMarketplaces.get(rdo.getSubscriptionKey()); if (mpl == null) { MarketplaceService marketplaceService = ServiceAccess.getServiceAcccessFor(httpRequest.getSession()) .getService(MarketplaceService.class); mpl = marketplaceService.getMarketplaceForSubscription( ADMStringUtils.parseUnsignedLong(rdo.getSubscriptionKey()), "en"); // Bug 9588: Marketplace may have been deleted if (mpl != null) { cachedMarketplaces.put(rdo.getSubscriptionKey(), mpl); } } return mpl; }
private void handleCommunicationException( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthorizationRequestData rdo) throws ServletException, IOException { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_LOGIN_IMPOSSIBLE); if (authSettings.isServiceProvider()) { forward(errorPage, httpRequest, httpResponse); } else { forwardToLoginPage(rdo.getRelativePath(), false, httpRequest, httpResponse, chain); } }
private void handleSubscriptionNotFound( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthorizationRequestData rdo) throws IOException, ServletException { if (authSettings.isServiceProvider()) { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_SUBSCRIPTION_NOT_FOUND); forward(errorPage, httpRequest, httpResponse); } else { forwardToLoginPage(rdo.getRelativePath(), false, httpRequest, httpResponse, chain); } }
private void handleUserNotRegistered( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthorizationRequestData rdo) throws IOException, ServletException { if (authSettings.isServiceProvider()) { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_LOGIN_SAML_SP); forward(errorPage, httpRequest, httpResponse); } else { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_LOGIN); forwardToLoginPage(rdo.getRelativePath(), false, httpRequest, httpResponse, chain); } }
/** * Check if the current URL is protected and the current session doesn't contain a user object. If * this is the case perform a login. * * <p>The doFilter method of the Filter is called by the container each time a request/response * pair is passed through the chain due to a client request for a resource at the end of the * chain. * * @throws IOException * @throws ServletException */ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = new IgnoreCharacterEncodingHttpRequestWrapper((HttpServletRequest) request); HttpServletResponse httpResponse = (HttpServletResponse) response; AuthorizationRequestData rdo = initializeRequestDataObject(httpRequest); try { if (isPublicAccess(rdo, httpRequest)) { proceedWithFilterChain(chain, httpRequest, httpResponse); } else { handleProtectedUrlAndChangePwdCase(chain, httpRequest, httpResponse, rdo); } } catch (ServletException e) { // relogin is not possible in this case, // no SAML response to extract userid and generate password. if (authSettings.isServiceProvider()) { throw e; } if (e.getCause() instanceof ViewExpiredException) { // if we were logged in but a logout occurs from a different // browser tab, we get this exception - so redirect to the // same page to stay on it (Bug 7552) final StringBuffer url = new StringBuffer(rdo.getRelativePath() == null ? "" : rdo.getRelativePath()); reLogginUserIfRequired(httpRequest, httpResponse, rdo, url); sendRedirect(httpRequest, httpResponse, url.toString()); } else { throw e; } } }
private String getTenantIDFromMarketplace( HttpServletRequest httpRequest, AuthorizationRequestData ard) throws MarketplaceRemovedException { String marketplaceId = ard.getMarketplaceId(); String tenantID = null; if (StringUtils.isNotBlank(marketplaceId)) { tenantID = getMarketplaceServiceCache(httpRequest).getConfiguration(marketplaceId).getTenantId(); if (StringUtils.isBlank(tenantID)) { try { tenantID = getMarketplaceService(httpRequest).getMarketplaceById(marketplaceId).getTenantId(); } catch (ObjectNotFoundException e) { throw new MarketplaceRemovedException(); } } } return tenantID; }
private void refreshData( AuthenticationSettings authSettings, AuthorizationRequestData rdo, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, MarketplaceRemovedException { if (authSettings.isServiceProvider()) { rdo.setTenantID(getTenantID(rdo, request)); if (!isSamlForward(request)) { return; } rdo.refreshData(request); SAMLCredentials samlCredentials = new SAMLCredentials(request); if (rdo.getUserId() == null) { rdo.setUserId(samlCredentials.getUserId()); } if (rdo.getPassword() == null) { String generatedPassword = samlCredentials.generatePassword(); if (generatedPassword == null) { request.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_SAML_TIMEOUT); forward(errorPage, request, response); } rdo.setPassword(generatedPassword); // if generated password is null, then timeout!!! } } else { rdo.refreshData(request); // store some parameters if the login fails (needed for login.xhtml) request.setAttribute(Constants.REQ_PARAM_USER_ID, rdo.getUserId()); } }
private boolean isPageForbiddenToAccess( HttpServletRequest httpRequest, AuthorizationRequestData rdo, ServiceAccess serviceAccess) { @SuppressWarnings("unchecked") List<PageAuthorization> pageAuthorizationList = ((List<PageAuthorization>) httpRequest.getSession().getAttribute(Constants.SESS_ATTR_PAGE_AUTHORIZATION)); if (pageAuthorizationList == null) { PageAuthorizationBuilder builder = new PageAuthorizationBuilder(serviceAccess); pageAuthorizationList = builder.buildPageAuthorizationList(new User(rdo.getUserDetails())); httpRequest .getSession() .setAttribute(Constants.SESS_ATTR_PAGE_AUTHORIZATION, pageAuthorizationList); } for (PageAuthorization page : pageAuthorizationList) { if (page.getCurrentPageLink().equalsIgnoreCase(httpRequest.getServletPath())) { return !page.isAuthorized(); } } return false; }
public String getTenantID(AuthorizationRequestData ard, HttpServletRequest httpRequest) throws MarketplaceRemovedException { String tenantID; if (ard.isMarketplace()) { tenantID = getTenantIDFromMarketplace(httpRequest, ard); } else { tenantID = getTenantIDFromRequest(httpRequest); } if (StringUtils.isNotBlank(tenantID)) { httpRequest.getSession().setAttribute(REQ_PARAM_TENANT_ID, tenantID); } else { tenantID = (String) httpRequest.getSession().getAttribute(REQ_PARAM_TENANT_ID); } if (StringUtils.isBlank(tenantID)) { logger.logDebug("TenantID is missing. Using default."); tenantID = getConfigurationService(httpRequest) .getVOConfigurationSetting(SSO_DEFAULT_TENANT_ID, GLOBAL_CONTEXT) .getValue(); httpRequest.getSession().setAttribute(REQ_PARAM_TENANT_ID, tenantID); } return tenantID; }
/** * Invokes the validators and bean actions specified in the xhtml file to change the user's * password. * * @throws ServletException * @throws IOException * @throws DatatypeConfigurationException * @throws SAML2AuthnRequestException */ protected boolean handleChangeUserPasswordRequest( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthorizationRequestData rdo, IdentityService identityService) throws IOException, ServletException { if (rdo.isRequestedToChangePwd()) { if (!PasswordValidator.validPasswordLength(rdo.getNewPassword()) || !PasswordValidator.validPasswordLength(rdo.getNewPassword2()) || !PasswordValidator.passwordsAreEqual(rdo.getNewPassword(), rdo.getNewPassword2())) { // Let JSF run the validators and return the response! chain.doFilter(httpRequest, httpResponse); return false; } // Run the validators and bean methods. Prevent JSF // from writing content to the response, otherwise the following // redirect's wouldn't work. HttpServletResponse resp = new HttpServletResponseWrapper(httpResponse) { @Override public void flushBuffer() throws IOException {} @Override public PrintWriter getWriter() throws IOException { return new PrintWriter(getOutputStream()); } @Override public ServletOutputStream getOutputStream() throws IOException { return new ServletOutputStream() { @Override public void write(int b) throws IOException {} }; } }; chain.doFilter(httpRequest, resp); httpResponse.reset(); } VOUser voUser = new VOUser(); voUser.setUserId(rdo.getUserId()); try { voUser = identityService.getUser(voUser); } catch (ObjectNotFoundException e) { handleUserNotRegistered(chain, httpRequest, httpResponse, rdo); return false; } catch (SaaSApplicationException e) { setErrorAttributesAndForward(errorPage, httpRequest, httpResponse, e); return false; } if (httpRequest.getAttribute(Constants.REQ_ATTR_ERROR_KEY) != null) { // Error occurred - check if user is locked now if (voUser.getStatus() != null && voUser.getStatus().getLockLevel() > UserAccountStatus.LOCK_LEVEL_LOGIN) { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_USER_LOCKED); sendRedirect(httpRequest, httpResponse, errorPage); } else { // Run it again to get error result on current response chain.doFilter(httpRequest, httpResponse); } return false; } if (voUser.getStatus() != UserAccountStatus.ACTIVE) { // the password change request failed // set the REQ_ATTR_ERROR_KEY to avoid an infinite loop httpRequest .getSession() .setAttribute(Constants.SESS_ATTR_USER, identityService.getCurrentUserDetails()); httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, ""); if (rdo.isMarketplace()) { forward(BaseBean.MARKETPLACE_LOGIN, httpRequest, httpResponse); } else { forward(pwdPage, httpRequest, httpResponse); } return false; } rdo.setPassword(httpRequest.getParameter(BesServletRequestReader.REQ_PARAM_PASSWORD_NEW)); rdo.getUserDetails().setStatus(UserAccountStatus.ACTIVE); return true; }
protected void handleProtectedUrlAndChangePwdCase( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthorizationRequestData rdo) throws IOException, ServletException { if (logger.isDebugLoggingEnabled()) { logger.logDebug("Access to protected URL='" + rdo.getRelativePath() + "'"); } ServiceAccess serviceAccess = ServiceAccess.getServiceAcccessFor(httpRequest.getSession()); try { if (rdo.isAccessToServiceUrl()) { /* * We must NOT read the request parameters for service URLs * because this would cause a state switch of the request. * Afterwards the rewriting of a POST request may fail because * the parameters can't be accessed via the request input * stream. */ httpRequest = handleServiceUrl(chain, httpRequest, httpResponse, rdo); if (httpRequest == null) { return; } } else if (ADMStringUtils.isBlank(rdo.getUserId())) { if (authSettings.isServiceProvider()) { if (isSamlForward(httpRequest)) { SAMLCredentials samlCredentials = new SAMLCredentials(httpRequest); rdo.setUserId(samlCredentials.getUserId()); if (rdo.getUserId() == null) { httpRequest.setAttribute( Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_INVALID_SAML_RESPONSE); forward(errorPage, httpRequest, httpResponse); } } } else { rdo.setUserId(httpRequest.getParameter(Constants.REQ_PARAM_USER_ID)); } } // continue if user is already logged-in if (handleLoggedInUser(chain, httpRequest, httpResponse, serviceAccess, rdo)) { return; } // the httpRequest was already processed and we forwarded to the // corresponding page therefore we must not try to login again if (httpRequest.getAttribute(Constants.REQ_ATTR_ERROR_KEY) != null) { chain.doFilter(httpRequest, httpResponse); return; } refreshData(authSettings, rdo, httpRequest, httpResponse); // user not logged in, check user-name and password before login // don't do a trim on password because it may have // leading/trailing/only blanks if (authSettings.isServiceProvider()) { rollbackDefaultTimeout(httpRequest); if (ADMStringUtils.isBlank(rdo.getUserId())) { httpRequest.setAttribute( Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_INVALID_SAML_RESPONSE); if (isSamlForward(httpRequest)) { forward(errorPage, httpRequest, httpResponse); } else { forwardToLoginPage(rdo.getRelativePath(), true, httpRequest, httpResponse, chain); } return; } } else { if (ADMStringUtils.isBlank(rdo.getUserId()) || !rdo.isPasswordSet()) { if (!rdo.isMarketplace() && (!ADMStringUtils.isBlank(rdo.getUserId()) || rdo.isPasswordSet())) { // login data not complete, user or password empty httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_LOGIN); } forwardToLoginPage(rdo.getRelativePath(), true, httpRequest, httpResponse, chain); return; } } IdentityService identityService = serviceAccess.getService(IdentityService.class); VOUser voUser; try { voUser = readTechnicalUserFromDb(identityService, rdo); } catch (ObjectNotFoundException e) { handleUserNotRegistered(chain, httpRequest, httpResponse, rdo); return; } catch (SaaSApplicationException e) { setErrorAttributesAndForward(errorPage, httpRequest, httpResponse, e); return; } if (!authSettings.isServiceProvider()) { if (isAccountLocked(httpRequest, httpResponse, voUser)) { return; } } final boolean operationSucceeded; if (!authSettings.isServiceProvider() && rdo.isRequestedToChangePwd()) { operationSucceeded = handleChangeUserPasswordRequest(chain, httpRequest, httpResponse, rdo, identityService); } else { operationSucceeded = loginUser(chain, httpRequest, httpResponse, voUser, rdo, identityService); } if (!operationSucceeded) { return; } rdo.setUserDetails(identityService.getCurrentUserDetails()); // read user details value object and store it in the session, DON'T // use old session, because it might have been invalidated httpRequest.getSession().setAttribute(Constants.SESS_ATTR_USER, rdo.getUserDetails()); if (isPageForbiddenToAccess(httpRequest, rdo, serviceAccess)) { forward(insufficientAuthoritiesUrl, httpRequest, httpResponse); } // check if user must change his password if (!authSettings.isServiceProvider() && (rdo.getUserDetails().getStatus() == UserAccountStatus.PASSWORD_MUST_BE_CHANGED)) { forwardToPwdPage(rdo.getUserDetails().getUserId(), httpRequest, httpResponse); } else { redirectToPrimarilyRequestedUrl(chain, httpRequest, httpResponse, serviceAccess, rdo); } } catch (NumberFormatException e) { handleNumberFormatException(chain, httpRequest, httpResponse, e, rdo); } catch (ServletException e) { handleServletException(httpRequest, httpResponse, e); } catch (MarketplaceRemovedException e) { handleMarketplaceRemovedException(httpRequest, httpResponse); } }
protected boolean loginUser( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, VOUser voUser, AuthorizationRequestData rdo, IdentityService identityService) throws ServletException, IOException { HttpSession session = httpRequest.getSession(); boolean onlyServiceLogin = BesServletRequestReader.onlyServiceLogin(session); String forwardUrl = (String) session.getAttribute(Constants.SESS_ATTR_FORWARD_URL); SessionBean sessionBean = (SessionBean) session.getAttribute(Constants.SESS_ATTR_SESSION_BEAN); ServiceAccess serviceAccess = ServiceAccess.getServiceAcccessFor(session); if (onlyServiceLogin) { session.setAttribute(Constants.SESS_ATTR_ONLY_SERVICE_LOGIN, Boolean.TRUE); } if (!ADMStringUtils.isBlank(forwardUrl)) { session.setAttribute(Constants.SESS_ATTR_FORWARD_URL, forwardUrl); } if (sessionBean != null) { session.setAttribute(Constants.SESS_ATTR_SESSION_BEAN, sessionBean); } if (!ADMStringUtils.isBlank(rdo.getMarketplaceId())) { session.setAttribute(Constants.REQ_PARAM_MARKETPLACE_ID, rdo.getMarketplaceId()); } // authenticate the user // IMPORTANT: Changes to this method must also be applied to // UserBean.login() try { serviceAccess.login(voUser, rdo.getPassword(), httpRequest, httpResponse); } catch (CommunicationException e) { handleCommunicationException(chain, httpRequest, httpResponse, rdo); return false; } catch (LoginException e) { logger.logInfo( Log4jLogger.ACCESS_LOG, LogMessageIdentifier.INFO_USER_LOGIN_INVALID, httpRequest.getRemoteHost(), Integer.toString(httpRequest.getRemotePort()), StringUtils.isNotBlank(voUser.getUserId()) ? voUser.getUserId() : "", IPResolver.resolveIpAddress(httpRequest), voUser.getTenantId()); try { voUser = identityService.getUser(voUser); } catch (ObjectNotFoundException e1) { handleUserNotRegistered(chain, httpRequest, httpResponse, rdo); return false; } catch (SaaSApplicationException e1) { setErrorAttributesAndForward(errorPage, httpRequest, httpResponse, e1); return false; } if (voUser.getStatus() != null && voUser.getStatus().getLockLevel() > UserAccountStatus.LOCK_LEVEL_LOGIN) { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_USER_LOCKED); forward(errorPage, httpRequest, httpResponse); return false; } handleLoginException(chain, httpRequest, httpResponse, rdo); return false; } if (!rdo.isMarketplace() && !rdo.isAccessToServiceUrl() // BE09588 Login is OK if a // service is accessed, whose // subscription has no // marketplace && identityService.getCurrentUserDetails().getOrganizationRoles().size() == 1 && identityService .getCurrentUserDetails() .getOrganizationRoles() .contains(OrganizationRoleType.CUSTOMER)) { if (ADMStringUtils.isBlank(rdo.getMarketplaceId())) { if (redirectToMpUrl(httpRequest, httpResponse)) { setupUserDetail(httpRequest, rdo, identityService, session); return false; } else { httpRequest.setAttribute( Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_INVALID_MARKETPLACE_URL); forward(BaseBean.MARKETPLACE_ERROR_PAGE, httpRequest, httpResponse); } } else { setupUserDetail(httpRequest, rdo, identityService, session); forward(BaseBean.MARKETPLACE_START_SITE, httpRequest, httpResponse); } return false; } // get the service again because the credentials have been // changed (important for WS usage) identityService = serviceAccess.getService(IdentityService.class); try { identityService.refreshLdapUser(); } catch (ValidationException e) { logger.logDebug( "Refresh of LDAP user failed, most likely due to missing/wrong LDAP settings"); } logger.logInfo( Log4jLogger.ACCESS_LOG, LogMessageIdentifier.INFO_USER_LOGIN_SUCCESS, StringUtils.isNotBlank(voUser.getUserId()) ? voUser.getUserId() : "", IPResolver.resolveIpAddress(httpRequest), voUser.getTenantId()); return true; }