private synchronized ScopeValidator getScopeValidator() throws ServerException {
    if (scopeValidator == null) {
      try {
        final String scopeValidatorClassName =
            getStringSettingValue(OAuth2ProviderService.SCOPE_PLUGIN_CLASS);
        if (isEmpty(scopeValidatorClassName)) {
          logger.message("Scope Validator class not set.");
          throw new ServerException("Scope Validator class not set.");
        }

        final Class<?> scopeValidatorClass = Class.forName(scopeValidatorClassName);

        if (Scope.class.isAssignableFrom(scopeValidatorClass)) {
          final Scope scopeClass =
              InjectorHolder.getInstance(scopeValidatorClass.asSubclass(Scope.class));
          return new LegacyScopeValidator(scopeClass);
        }

        scopeValidator =
            InjectorHolder.getInstance(scopeValidatorClass.asSubclass(ScopeValidator.class));

      } catch (ClassNotFoundException e) {
        logger.error(e.getMessage());
        throw new ServerException(e);
      }
    }
    return scopeValidator;
  }
  private ResponseTypeHandler wrap(String responseTypeName, String responseTypeHandlerClassName)
      throws UnsupportedResponseTypeException {

    if (responseTypeHandlerClassName == null || responseTypeHandlerClassName.isEmpty()) {
      logger.warning(
          "Requested a response type that is not configured. response_type=" + responseTypeName);
      throw new UnsupportedResponseTypeException("Response type is not supported");
    } else if (responseTypeHandlerClassName.equalsIgnoreCase("none")) {
      return new NoneResponseTypeHandler();
    }
    try {
      final Class<?> responseTypeHandlerClass = Class.forName(responseTypeHandlerClassName);
      if (ResponseType.class.isAssignableFrom(responseTypeHandlerClass)) {
        ResponseType responseType =
            InjectorHolder.getInstance(responseTypeHandlerClass.asSubclass(ResponseType.class));
        return new LegacyResponseTypeHandler(
            responseType, realm, getSSOCookieName(), cookieExtractor);
      }

      return InjectorHolder.getInstance(
          responseTypeHandlerClass.asSubclass(ResponseTypeHandler.class));

    } catch (ClassNotFoundException e) {
      logger.error(e.getMessage());
      throw new UnsupportedResponseTypeException("Response type is not supported");
    }
  }
public class DestroyNextExpiringAction implements QuotaExhaustionAction {

  private static Debug debug =
      InjectorHolder.getInstance(Key.get(Debug.class, Names.named(SESSION_DEBUG)));

  private final SessionCache sessionCache;

  public DestroyNextExpiringAction() {
    this.sessionCache = InjectorHolder.getInstance(SessionCache.class);
  }

  @Inject
  public DestroyNextExpiringAction(SessionCache sessionCache) {
    this.sessionCache = sessionCache;
  }

  @Override
  public boolean action(InternalSession is, Map<String, Long> sessions) {

    String nextExpiringSessionID = null;
    long smallestExpTime = Long.MAX_VALUE;
    for (Map.Entry<String, Long> entry : sessions.entrySet()) {
      String sid = entry.getKey();
      long expirationTime = entry.getValue();
      if (expirationTime < smallestExpTime) {
        smallestExpTime = expirationTime;
        nextExpiringSessionID = sid;
      }
    }
    if (nextExpiringSessionID != null) {
      SessionID sessID = new SessionID(nextExpiringSessionID);
      try {
        Session s = sessionCache.getSession(sessID);
        s.destroySession(s);
      } catch (SessionException e) {
        if (debug.messageEnabled()) {
          debug.message("Failed to destroy the next " + "expiring session.", e);
        }
        // deny the session activation request
        // in this case
        return true;
      }
    }
    return false;
  }
}
  /**
   * Returns Session Service URL for a Session ID.
   *
   * @param sid Session ID
   * @return Session Service URL.
   * @exception SessionException
   */
  public URL getSessionServiceURL(SessionID sid) throws SessionException {
    String primaryId;

    if (SystemProperties.isServerMode()) {

      /**
       * Validate that the SessionID contains valid Server and Site references. This check is not
       * appropriate for client side code as only the Site reference is exposed to client code.
       */
      sid.validate();

      SessionService ss = InjectorHolder.getInstance(SessionService.class);
      if (ss.isSiteEnabled() && ss.isLocalSite(sid)) {
        if (ss.isSessionFailoverEnabled()) {
          return getSessionServiceURL(ss.getCurrentHostServer(sid));
        } else {
          primaryId = sid.getExtension().getPrimaryID();
          return getSessionServiceURL(primaryId);
        }
      }
    } else {
      primaryId = sid.getExtension().getPrimaryID();
      if (primaryId != null) {
        String secondarysites = WebtopNaming.getSecondarySites(primaryId);

        String serverID = SessionService.getAMServerID();
        if ((secondarysites != null) && (serverID != null)) {
          if (secondarysites.indexOf(serverID) != -1) {
            return getSessionServiceURL(serverID);
          }
        }
      }
    }

    return getSessionServiceURL(
        sid.getSessionServerProtocol(),
        sid.getSessionServer(),
        sid.getSessionServerPort(),
        sid.getSessionServerURI());
  }
 public DestroyNextExpiringAction() {
   this.sessionCache = InjectorHolder.getInstance(SessionCache.class);
 }
 /**
  * Returns the UMA router.
  *
  * @return The UMA router.
  */
 protected Router getRouter() {
   return InjectorHolder.getInstance(Key.get(Router.class, Names.named("UMARouter")));
 }
 /**
  * Simple creation of a SessionMonitoringTimingStore, using Guice.
  *
  * @return a new instance of a SessionMonitoringTimingStore
  */
 public SessionMonitoringTimingStore createSessionMonitoringTimingStore() {
   return InjectorHolder.getInstance(SessionMonitoringTimingStore.class);
 }
예제 #8
0
/**
 * <code>AuthXMLHandler</code> class implements the <code>RequestHandler</code>. It processes the
 * authentication request from remote client which comes in as XML document
 */
public class AuthXMLHandler implements RequestHandler {
  private String localAuthServerProtocol;
  private String localAuthServer;
  private String localAuthServerPort;
  private Locale locale;

  static Debug debug;
  private static String serviceURI;
  private static boolean messageEnabled = false;
  private boolean security = false;
  private static final SessionServiceURLService SESSION_SERVICE_URL_SERVICE =
      InjectorHolder.getInstance(SessionServiceURLService.class);

  static {
    debug = com.sun.identity.shared.debug.Debug.getInstance("amXMLHandler");
    messageEnabled = debug.messageEnabled();
    serviceURI = SystemProperties.get(Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR) + "/authservice";
  }

  /** Creates <code>AuthXMLHandler</code> object */
  public AuthXMLHandler() {
    localAuthServerProtocol = SystemProperties.get(Constants.AM_SERVER_PROTOCOL);
    localAuthServer = SystemProperties.get(Constants.AM_SERVER_HOST);
    localAuthServerPort = SystemProperties.get(Constants.AM_SERVER_PORT);

    AuthContext.localAuthServiceID =
        localAuthServerProtocol + "://" + localAuthServer + ":" + localAuthServerPort;
    locale = (new ISLocaleContext()).getLocale();
  }

  /**
   * process the request and return the response
   *
   * @param requests Vector of <code>com.iplanet.services.comm.server.RequestHandler</code> objects.
   * @param servletRequest <code>HttpServletRequest</code>object for this request.
   * @param servletResponse <code>HttpServletResponse</code> object for this request.
   * @param servletContext <code>servletContext</code> object for this request
   * @return <code>ResponseSet</code> object for the processed request.
   */
  public ResponseSet process(
      List<Request> requests,
      HttpServletRequest servletRequest,
      HttpServletResponse servletResponse,
      ServletContext servletContext) {
    ResponseSet rset = new ResponseSet(AuthXMLTags.AUTH_SERVICE);
    for (Request req : requests) {
      Response res = processRequest(req, servletRequest, servletResponse);
      rset.addResponse(res);
    }
    return rset;
  }

  /* process the request */
  private Response processRequest(
      Request req, HttpServletRequest servletReq, HttpServletResponse servletRes) {

    // this call is to create a http session so that the JSESSIONID cookie
    // is created. The appserver(8.1) load balancer plugin relies on the
    // JSESSIONID cookie to set its JROUTE sticky cookie.
    debug.message("=======================Entering processRequest");
    servletReq.getSession(true);

    String content = req.getContent();
    AuthXMLResponse authResponse = null;

    // Check for mis-routed requests
    String cookieURL = null;
    int index = content.indexOf(AuthXMLTags.AUTH_ID_HANDLE);
    if (index != -1) {
      // Check for mis-routed requests, get server URL for
      // AuthIdentifier
      int beginIndex = content.indexOf('"', index);
      int endIndex = content.indexOf('"', beginIndex + 1);
      String authIdentifier = content.substring(beginIndex + 1, endIndex);
      if (debug.messageEnabled()) {
        debug.message(
            "authIdentifier = "
                + authIdentifier
                + "beginIndex = "
                + beginIndex
                + "endIndex ="
                + endIndex);
      }
      if (!authIdentifier.equals("0")) {
        try {
          SessionID sessionID = new SessionID(authIdentifier);
          URL sessionServerURL = SESSION_SERVICE_URL_SERVICE.getSessionServiceURL(sessionID);
          StringBuilder srtBuff = new StringBuilder(100);
          srtBuff
              .append(sessionServerURL.getProtocol())
              .append("://")
              .append(sessionServerURL.getHost())
              .append(":")
              .append(Integer.toString(sessionServerURL.getPort()))
              .append(serviceURI);
          cookieURL = srtBuff.toString();
        } catch (Exception exp) {
          debug.error("Error in getting URL from session", exp);
          cookieURL = null;
        }
      }
    }

    if ((cookieURL != null)
        && (cookieURL.trim().length() != 0)
        && !(AuthUtils.isLocalServer(cookieURL, serviceURI))) {
      // Routing to the correct server, the looks like a mis-routed
      // requested.
      HashMap cookieTable = new HashMap();
      Map headers = new HashMap();
      Enumeration headerNames = servletReq.getHeaderNames();
      while (headerNames.hasMoreElements()) {
        String headerName = (String) headerNames.nextElement();
        List headerValues = new ArrayList();
        Enumeration enum1 = servletReq.getHeaders(headerName);
        while (enum1.hasMoreElements()) {
          headerValues.add(enum1.nextElement());
        }
        headers.put(headerName, headerValues);
      }
      if (debug.messageEnabled()) {
        debug.message("Headers: " + headers);
      }
      PLLClient.parseCookies(headers, cookieTable);
      if (debug.messageEnabled()) {
        debug.message("Cookies: " + cookieTable);
      }
      RequestSet set = new RequestSet(AuthXMLTags.AUTH_SERVICE);
      set.addRequest(req);
      try {
        Vector responses = PLLClient.send(new URL(cookieURL), set, cookieTable);
        if (!responses.isEmpty()) {
          debug.message("=====================Returning redirected");
          return ((Response) responses.elementAt(0));
        }
      } catch (Exception e) {
        debug.error("Error in misrouted ", e);
        // Attempt to contact server failed
        authResponse = new AuthXMLResponse(AuthXMLRequest.NewAuthContext);
        setErrorCode(authResponse, e);
        return new Response(authResponse.toXMLString());
      }
    }

    // Either local request or new request, handle it locally
    try {
      AuthXMLRequest sreq = AuthXMLRequest.parseXML(content, servletReq);
      sreq.setHttpServletRequest(servletReq);
      authResponse = processAuthXMLRequest(content, sreq, servletReq, servletRes);
    } catch (AuthException e) {
      debug.error("Got Auth Exception", e);
      authResponse = new AuthXMLResponse(AuthXMLRequest.NewAuthContext);
      authResponse.setErrorCode(e.getErrorCode());
    } catch (Exception ex) {
      debug.error("Error while processing xml request", ex);
      authResponse = new AuthXMLResponse(AuthXMLRequest.NewAuthContext);
      setErrorCode(authResponse, ex);
    }
    debug.message("=======================Returning");
    return new Response(authResponse.toXMLString());
  }

  /*
   * Process the XMLRequest
   */
  private AuthXMLResponse processAuthXMLRequest(
      String xml,
      AuthXMLRequest authXMLRequest,
      HttpServletRequest servletRequest,
      HttpServletResponse servletResponse) {
    if (messageEnabled) {
      debug.message("authXMLRequest is : " + authXMLRequest);
    }
    int requestType = authXMLRequest.getRequestType();
    String sessionID = authXMLRequest.getAuthIdentifier();
    String orgName = authXMLRequest.getOrgName();
    AuthContextLocal authContext = authXMLRequest.getAuthContext();
    LoginState loginState = AuthUtils.getLoginState(authContext);
    String params = authXMLRequest.getParams();
    List envList = authXMLRequest.getEnvironment();
    Map envMap = toEnvMap(envList);
    AuthXMLResponse authResponse = new AuthXMLResponse(requestType);
    authResponse.setAuthContext(authContext);
    authResponse.setAuthIdentifier(sessionID);
    if (messageEnabled) {
      debug.message("authContext is : " + authContext);
      debug.message("requestType : " + requestType);
    }
    if (authXMLRequest.getValidSessionNoUpgrade()) {
      authResponse.setAuthXMLRequest(authXMLRequest);
      authResponse.setValidSessionNoUpgrade(true);
      return authResponse;
    }
    String securityEnabled = null;
    try {
      securityEnabled = AuthUtils.getRemoteSecurityEnabled();
    } catch (AuthException auExp) {
      debug.error("Got Exception", auExp);
      setErrorCode(authResponse, auExp);
      return authResponse;
    }
    if (debug.messageEnabled()) {
      debug.message("Security Enabled = " + securityEnabled);
    }

    if (requestType != 0) {
      if ((securityEnabled != null) && (securityEnabled.equals("true"))) {
        security = true;
        String indexNameLoc = authXMLRequest.getIndexName();
        AuthContext.IndexType indexTypeLoc = authXMLRequest.getIndexType();
        if (indexTypeLoc == null) {
          indexTypeLoc = AuthUtils.getIndexType(authContext);
          indexNameLoc = AuthUtils.getIndexName(authContext);
        }
        if (debug.messageEnabled()) {
          debug.message("Index Name Local : " + indexNameLoc);
          debug.message("Index Type Local : " + indexTypeLoc);
        }
        if (((indexTypeLoc == null) || (indexNameLoc == null))
            || !((indexTypeLoc == AuthContext.IndexType.MODULE_INSTANCE)
                && indexNameLoc.equals("Application"))) {
          try {
            String ssoTokenID = authXMLRequest.getAppSSOTokenID();

            if (debug.messageEnabled()) {
              debug.message("Session ID = : " + ssoTokenID);
            }

            SSOTokenManager manager = SSOTokenManager.getInstance();
            SSOToken appSSOToken = manager.createSSOToken(ssoTokenID);

            // if the token isn't valid, let the client know so they
            // retry
            if (!manager.isValidToken(appSSOToken)) {
              if (debug.messageEnabled()) {
                debug.message("App SSOToken is not valid");
              }

              setErrorCode(
                  authResponse,
                  new AuthException(AMAuthErrorCode.REMOTE_AUTH_INVALID_SSO_TOKEN, null));
              return authResponse;
            } else {
              debug.message("App SSOToken is VALID");
            }
          } catch (SSOException ssoe) {
            // token is unknown to OpenAM, let the client know so they
            // can retry
            if (debug.messageEnabled()) {
              debug.message("App SSOToken is not valid: " + ssoe.getMessage());
            }

            setErrorCode(
                authResponse,
                new AuthException(AMAuthErrorCode.REMOTE_AUTH_INVALID_SSO_TOKEN, null));
            return authResponse;
          } catch (Exception exp) {
            debug.error("Got Exception", exp);
            setErrorCode(authResponse, exp);
            return authResponse;
          }
        }
      }
    } else {
      security = false;
    }

    // if index type is level and choice callback has a
    // selected choice then start module based authentication.
    if ((AuthUtils.getIndexType(authContext) == AuthContext.IndexType.LEVEL)
        || (AuthUtils.getIndexType(authContext) == AuthContext.IndexType.COMPOSITE_ADVICE)) {
      Callback[] callbacks = authXMLRequest.getSubmittedCallbacks();
      if (messageEnabled) {
        debug.message("Callbacks are  : " + callbacks);
      }
      if (callbacks != null) {
        if (messageEnabled) {
          debug.message("Callback length is : " + callbacks.length);
        }

        if (callbacks[0] instanceof ChoiceCallback) {
          ChoiceCallback cc = (ChoiceCallback) callbacks[0];
          int[] selectedIndexes = cc.getSelectedIndexes();
          int selected = selectedIndexes[0];
          String[] choices = cc.getChoices();
          String indexName = choices[selected];
          if (messageEnabled) {
            debug.message("Selected Index is : " + indexName);
          }
          authXMLRequest.setIndexType("moduleInstance");
          authXMLRequest.setIndexName(indexName);
          authXMLRequest.setRequestType(AuthXMLRequest.LoginIndex);
          requestType = AuthXMLRequest.LoginIndex;
        }
      }
    }

    AuthContext.Status loginStatus = AuthContext.Status.IN_PROGRESS;
    HttpServletRequest clientRequest = authXMLRequest.getClientRequest();
    if (loginState != null) {
      loginState.setHttpServletRequest(clientRequest);
      loginState.setHttpServletResponse(authXMLRequest.getClientResponse());
      if (clientRequest != null) {
        loginState.setParamHash(AuthUtils.parseRequestParameters(clientRequest));
      }
    }
    switch (requestType) {
      case AuthXMLRequest.NewAuthContext:
        try {
          processNewRequest(servletRequest, servletResponse, authResponse, loginState, authContext);
          postProcess(loginState, authResponse);
        } catch (Exception ex) {
          debug.error("Error in NewAuthContext ", ex);
          setErrorCode(authResponse, ex);
        }
        break;
      case AuthXMLRequest.Login:
        try {
          if (sessionID != null && sessionID.equals("0")) {
            processNewRequest(
                servletRequest, servletResponse, authResponse, loginState, authContext);
          }
          String clientHost = null;
          if (security) {
            clientHost = authXMLRequest.getHostName();
            if (messageEnabled) {
              debug.message("Client Host from Request = " + clientHost);
            }
          }
          if ((clientHost == null) && (servletRequest != null)) {
            clientHost = ClientUtils.getClientIPAddress(servletRequest);
          }
          loginState.setClient(clientHost);
          authContext.login();
          // setServletRequest(servletRequest,authContext);
          processRequirements(xml, authContext, authResponse, params, servletRequest);
          loginStatus = authContext.getStatus();
          authResponse.setRemoteRequest(loginState.getHttpServletRequest());
          authResponse.setRemoteResponse(loginState.getHttpServletResponse());

          postProcess(loginState, authResponse);
          checkACException(authResponse, authContext);
        } catch (Exception ex) {
          debug.error("Error during login ", ex);
          setErrorCode(authResponse, ex);
          authResponse.setLoginStatus(authContext.getStatus());
        }
        break;
      case AuthXMLRequest.LoginIndex:
        try {
          AuthContext.IndexType indexType = authXMLRequest.getIndexType();
          String indexName = authXMLRequest.getIndexName();
          if (messageEnabled) {
            debug.message("indexName is : " + indexName);
            debug.message("indexType is : " + indexType);
          }
          if (sessionID != null && sessionID.equals("0")) {
            processNewRequest(
                servletRequest, servletResponse, authResponse, loginState, authContext);
          }
          String clientHost = null;
          if (security) {
            clientHost = authXMLRequest.getHostName();
            if (messageEnabled) {
              debug.message("Client Host from Request = " + clientHost);
            }
          }
          if ((clientHost == null) && (servletRequest != null)) {
            clientHost = ClientUtils.getClientIPAddress(servletRequest);
          }
          loginState.setClient(clientHost);
          String locale = authXMLRequest.getLocale();
          if (locale != null && locale.length() > 0) {
            if (debug.messageEnabled()) {
              debug.message("locale is : " + locale);
            }
            authContext.login(indexType, indexName, envMap, locale);
          } else {
            authContext.login(indexType, indexName, envMap, null);
          }
          // setServletRequest(servletRequest,authContext);
          processRequirements(xml, authContext, authResponse, params, servletRequest);
          loginStatus = authContext.getStatus();
          authResponse.setRemoteRequest(loginState.getHttpServletRequest());
          authResponse.setRemoteResponse(loginState.getHttpServletResponse());
          postProcess(loginState, authResponse);
          checkACException(authResponse, authContext);
        } catch (Exception ex) {
          debug.error("Exception during LoginIndex", ex);
          setErrorCode(authResponse, ex);
        }
        break;
      case AuthXMLRequest.LoginSubject:
        try {
          Subject subject = authXMLRequest.getSubject();
          authContext.login(subject);
          // setServletRequest(servletRequest,authContext);
          processRequirements(xml, authContext, authResponse, params, servletRequest);
          postProcess(loginState, authResponse);
          loginStatus = authContext.getStatus();
          checkACException(authResponse, authContext);
        } catch (AuthLoginException ale) {
          debug.error("Exception during LoginSubject", ale);
          setErrorCode(authResponse, ale);
        }
        break;
      case AuthXMLRequest.SubmitRequirements:
        try {
          // setServletRequest(servletRequest,authContext);
          Callback[] submittedCallbacks = authXMLRequest.getSubmittedCallbacks();
          authContext.submitRequirements(submittedCallbacks);
          Callback[] reqdCallbacks = null;
          if (authContext.hasMoreRequirements()) {
            reqdCallbacks = authContext.getRequirements();
            authResponse.setReqdCallbacks(reqdCallbacks);
          }
          authResponse.setRemoteRequest(loginState.getHttpServletRequest());
          authResponse.setRemoteResponse(loginState.getHttpServletResponse());
          postProcess(loginState, authResponse);
          loginStatus = authContext.getStatus();
          authResponse.setLoginStatus(loginStatus);
          InternalSession oldSession = loginState.getOldSession();
          authResponse.setOldSession(oldSession);
          checkACException(authResponse, authContext);
        } catch (Exception ex) {
          debug.error("Error during submit requirements ", ex);
          setErrorCode(authResponse, ex);
        }
        break;
      case AuthXMLRequest.QueryInformation:
        try {
          if (sessionID != null && sessionID.equals("0")) {
            processNewRequest(
                servletRequest, servletResponse, authResponse, loginState, authContext);
          }
          Set moduleNames = authContext.getModuleInstanceNames();
          authResponse.setModuleNames(moduleNames);
          authResponse.setAuthContext(authContext);
          postProcess(loginState, authResponse);
          checkACException(authResponse, authContext);
        } catch (Exception ex) {
          debug.error("Error during Query Information", ex);
          setErrorCode(authResponse, ex);
        }
        break;
      case AuthXMLRequest.Logout:
        // Object loginContext = null;
        // InternalSession intSess = null;
        // SSOToken token = null;
        // boolean logoutCalled = false;
        if (sessionID != null && !sessionID.equals("0")) {
          /*intSess = AuthD.getSession(sessionID);
                 try {
                     token = SSOTokenManager.getInstance().
                         createSSOToken(sessionID);
                     if (debug.messageEnabled()) {
                         debug.message("AuthXMLHandler."
                             + "processAuthXMLRequest: Created token "
                             + "during logout = "+token);
                     }
          } catch (com.iplanet.sso.SSOException ssoExp) {
                    if (debug.messageEnabled()) {
          debug.message("AuthXMLHandler.processAuthXMLRequest:"
                        + "SSOException checking validity of SSO Token");
                    }
          }*/
          try {
            AuthUtils.logout(sessionID, servletRequest, servletResponse);
          } catch (com.iplanet.sso.SSOException ssoExp) {
            if (debug.messageEnabled()) {
              debug.message(
                  "AuthXMLHandler.processAuthXMLRequest:"
                      + "SSOException checking validity of SSO Token");
            }
          }
        }

        /*if (intSess != null) {
                   loginContext = intSess.getObject(ISAuthConstants.
                       LOGIN_CONTEXT);
               }
               try {
                   if (loginContext != null) {
                       if (loginContext instanceof
                           javax.security.auth.login.LoginContext) {
                           javax.security.auth.login.LoginContext lc =
                               (javax.security.auth.login.LoginContext)
                                loginContext;
                           lc.logout();
                       } else {
                           com.sun.identity.authentication.jaas.LoginContext
                               jlc = (com.sun.identity.authentication.jaas.
                               LoginContext) loginContext;
                           jlc.logout();
                       }
                       logoutCalled = true;
                   }
               } catch (javax.security.auth.login.LoginException loginExp) {
                   debug.error("AuthXMLHandler.processAuthXMLRequest: "
                       + "Cannot Execute module Logout", loginExp);
               }
               Set postAuthSet = null;
               if (intSess != null) {
                   postAuthSet = (Set) intSess.getObject(ISAuthConstants.
                       POSTPROCESS_INSTANCE_SET);
               }
               if ((postAuthSet != null) && !(postAuthSet.isEmpty())) {
                   AMPostAuthProcessInterface postLoginInstance=null;
                   for(Iterator iter = postAuthSet.iterator();
                   iter.hasNext();) {
                       try {
                    postLoginInstance =
                  (AMPostAuthProcessInterface) iter.next();
                            postLoginInstance.onLogout(servletRequest,
                                servletResponse, token);
                       } catch (Exception exp) {
                          debug.error("AuthXMLHandler.processAuthXMLRequest: "
                              + "Failed in post logout.", exp);
                       }
            }
               } else {
                   String plis = null;
                   if (intSess != null) {
                       plis = intSess.getProperty(
                           ISAuthConstants.POST_AUTH_PROCESS_INSTANCE);
                   }
                   if (plis != null && plis.length() > 0) {
                       StringTokenizer st = new StringTokenizer(plis, "|");
                       if (token != null) {
                           while (st.hasMoreTokens()) {
                               String pli = (String)st.nextToken();
                               try {
                                   AMPostAuthProcessInterface postProcess =
                                           (AMPostAuthProcessInterface)
                                           Thread.currentThread().
                                           getContextClassLoader().
                                           loadClass(pli).newInstance();
                                   postProcess.onLogout(servletRequest,
                                       servletResponse, token);
                               } catch (Exception e) {
                                   debug.error("AuthXMLHandler."
                                       + "processAuthXMLRequest:" + pli, e);
                               }
                           }
                       }
                   }
               }
               try {
                   boolean isTokenValid = SSOTokenManager.getInstance().
                       isValidToken(token);
                   if ((token != null) && isTokenValid) {
                       AuthD.getAuth().logLogout(token);
                       Session session = Session.getSession(
                           new SessionID(sessionID));
                       session.logout();
                       debug.message("logout successful.");
                   }
        } catch (com.iplanet.dpro.session.SessionException
                   sessExp) {
                   if (debug.messageEnabled()) {
                       debug.message("AuthXMLHandler."
                           + "processAuthXMLRequest: SessionException"
                           + " checking validity of SSO Token");
                   }
        } catch (com.iplanet.sso.SSOException ssoExp) {
                   if (debug.messageEnabled()) {
                       debug.message("AuthXMLHandler."
                           + "processAuthXMLRequest: SSOException "
                           + "checking validity of SSO Token");
                   }
               }*/
        authResponse.setLoginStatus(AuthContext.Status.COMPLETED);
        break;
      case AuthXMLRequest.Abort:
        try {
          authContext.abort();
          loginStatus = authContext.getStatus();
          authResponse.setLoginStatus(loginStatus);
          checkACException(authResponse, authContext);
        } catch (AuthLoginException ale) {
          debug.error("Error aborting ", ale);
          setErrorCode(authResponse, ale);
        }
        break;
    }

    if (messageEnabled) {
      debug.message("loginStatus: " + loginStatus);

      if (authContext != null) {
        debug.message("error Code: " + authContext.getErrorCode());
        debug.message("error Template: " + authContext.getErrorTemplate());
      }
    }

    if (loginStatus == AuthContext.Status.FAILED) {
      if ((authContext.getErrorMessage() != null)
          && (authContext
              .getErrorMessage()
              .equals(
                  AMResourceBundleCache.getInstance()
                      .getResBundle(
                          "amAuthLDAP",
                          com.sun.identity.shared.locale.Locale.getLocale(loginState.getLocale()))
                      .getString(ISAuthConstants.EXCEED_RETRY_LIMIT)))) {
        loginState.setErrorCode(AMAuthErrorCode.AUTH_LOGIN_FAILED);
      }
      if ((authContext.getErrorCode() != null) && ((authContext.getErrorCode()).length() > 0)) {
        authResponse.setErrorCode(authContext.getErrorCode());
      }
      checkACException(authResponse, authContext);
      if ((authContext.getErrorTemplate() != null)
          && ((authContext.getErrorTemplate()).length() > 0)) {
        authResponse.setErrorTemplate(authContext.getErrorTemplate());
      }
      // Account Lockout Warning Check
      if ((authContext.getErrorCode() != null)
          && (authContext.getErrorCode().equals(AMAuthErrorCode.AUTH_INVALID_PASSWORD))) {
        String lockWarning = authContext.getLockoutMsg();
        if ((lockWarning != null) && (lockWarning.length() > 0)) {
          authResponse.setErrorMessage(lockWarning);
        }
      }
    }

    return authResponse;
  }

  /*
   * Process the new http request
   */
  private void processNewRequest(
      HttpServletRequest servletRequest,
      HttpServletResponse servletResponse,
      AuthXMLResponse authResponse,
      LoginState loginState,
      AuthContextLocal authContext)
      throws AuthException {
    if (authContext == null) {
      throw new AuthException(AMAuthErrorCode.AUTH_INVALID_DOMAIN, null);
    }
    InternalSession oldSession = loginState.getOldSession();
    authResponse.setOldSession(oldSession);

    authResponse.setLoginStatus(AuthContext.Status.IN_PROGRESS);
    AuthUtils.setlbCookie(authContext, servletRequest, servletResponse);
  }

  /*
   * reset the auth identifier, in case a status change(auth succeeds)
   * will cause sid change from that of HttpSession to InternalSession.
   */
  private void postProcess(LoginState loginState, AuthXMLResponse authResponse) {
    SessionID sid = loginState.getSid();
    String sidString = null;
    if (sid != null) {
      sidString = sid.toString();
    }
    if (messageEnabled) {
      debug.message("sidString is.. : " + sidString);
    }
    authResponse.setAuthIdentifier(sidString);
  }

  /*
   * Gets the next http request parameter
   */
  private String getNextParam(StringTokenizer st) {
    String retStr = null;
    if (st != null) {
      if (st.hasMoreTokens()) {
        retStr = st.nextToken();
      }
    }
    return retStr;
  }

  /*
   * process callbacks
   */
  private void processRequirements(
      String xml,
      AuthContextLocal authContext,
      AuthXMLResponse authResponse,
      String params,
      HttpServletRequest servletRequest) {
    String[] paramArray = null;
    StringTokenizer paramsSet = null;
    if (params != null) {
      paramsSet = new StringTokenizer(params, ISAuthConstants.PIPE_SEPARATOR);
    }
    boolean allCallbacksAreSet = true;
    String param;

    while (authContext.hasMoreRequirements()) {
      Callback[] reqdCallbacks = authContext.getRequirements();

      for (int i = 0; i < reqdCallbacks.length; i++) {
        if (reqdCallbacks[i] instanceof X509CertificateCallback) {
          X509CertificateCallback certCallback = (X509CertificateCallback) reqdCallbacks[i];
          LoginState loginState = AuthUtils.getLoginState(authContext);
          if (loginState != null) {
            X509Certificate cert = loginState.getX509Certificate(servletRequest);
            if (cert != null) {
              certCallback.setCertificate(cert);
              certCallback.setReqSignature(false);
            } else {
              allCallbacksAreSet = false;
            }
          }
        } else {
          param = null;

          if (reqdCallbacks[i] instanceof NameCallback) {
            param = getNextParam(paramsSet);

            if (param != null) {
              NameCallback nc = (NameCallback) reqdCallbacks[i];
              nc.setName(param);

              if (messageEnabled) {
                debug.message("Name callback set to " + param);
              }
            } else {
              allCallbacksAreSet = false;
              break;
            }
          } else if (reqdCallbacks[i] instanceof PasswordCallback) {
            param = getNextParam(paramsSet);

            if (param != null) {
              PasswordCallback pc = (PasswordCallback) reqdCallbacks[i];
              pc.setPassword(param.toCharArray());
              if (messageEnabled) {
                debug.message("Password callback is set");
              }
            } else {
              allCallbacksAreSet = false;
              break;
            }
          } else {
            if (params == null) {
              allCallbacksAreSet = false;
            }
          }
          // add more callbacks if required
        }
      }

      if (getNextParam(paramsSet) != null) {
        allCallbacksAreSet = false;
      }

      if (allCallbacksAreSet) {
        if (messageEnabled) {
          debug.message("submit callbacks with passed in params");
        }
        authContext.submitRequirements(reqdCallbacks);
      } else {
        authResponse.setReqdCallbacks(reqdCallbacks);
        break;
      }
    }
    if (!authContext.hasMoreRequirements()) {
      AuthContext.Status loginStatus = authContext.getStatus();
      if (messageEnabled) {
        debug.message(" Status: " + loginStatus);
      }
      authResponse.setLoginStatus(loginStatus);
    }
  }

  /*
   * Check for the AuthContext Exceptions
   */
  private void checkACException(AuthXMLResponse authResponse, AuthContextLocal acl) {
    AuthLoginException ale = acl.getLoginException();
    if (ale == null) {
      return;
    }

    /*
     * this code does not allow client to remotely select locale.
     * but this is a problem comes with the AuthContext API, cannot
     * be simply solved here.
     */
    if ((ale.getL10NMessage(locale) != null) && ((ale.getL10NMessage(locale)).length() > 0)) {
      authResponse.setErrorMessage(ale.getL10NMessage(locale));
    }
    authResponse.setIsException(true);
  }

  /*
   * Set the error code
   */
  private void setErrorCode(AuthXMLResponse authResponse, Exception e) {
    if (e == null) {
      return;
    }
    if (e instanceof L10NMessage) {
      authResponse.setErrorCode(getAuthErrorCode((L10NMessage) e));
    } else {
      authResponse.setErrorCode(e.getMessage());
    }
    authResponse.setIsException(true);
  }

  /*
   * Get the error code
   */
  private String getAuthErrorCode(L10NMessage le) {
    String errorCode = le.getErrorCode();
    if (errorCode == null) {
      errorCode = le.getMessage();
    }
    return errorCode;
  }

  private void setServletRequest(HttpServletRequest servletRequest, AuthContextLocal authContext) {
    LoginState theLoginState = AuthUtils.getLoginState(authContext);
    theLoginState.setHttpServletRequest(servletRequest);
    if (debug.messageEnabled()) {
      debug.message("AuthXMLHandler.setServletRequest(): Setting servlet request.");
    }
  }

  // Returns environment Map based on input environment List values
  // each value takes following format:
  // env-name|value1|value2|....
  private Map toEnvMap(List envList) {
    if (envList == null) {
      return null;
    }
    Map map = new HashMap();
    int size = envList.size();
    for (int i = 0; i < size; i++) {
      String value = (String) envList.get(i);
      StringTokenizer tokens = new StringTokenizer(value, ISAuthConstants.PIPE_SEPARATOR);
      String envName = null;
      if (tokens.hasMoreTokens()) {
        envName = (String) tokens.nextToken();
      }
      Set envValues = new HashSet();
      while (tokens.hasMoreTokens()) {
        envValues.add(AuthClientUtils.unescapePipe(tokens.nextToken()));
      }
      if ((envName != null) && !envValues.isEmpty()) {
        map.put(envName, envValues);
      }
    }
    return map;
  }
} // end class
 private Restlet getRestlet(String name) {
   return InjectorHolder.getInstance(Key.get(Restlet.class, Names.named(name)));
 }