private void proceedWithFilterChain( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException, ServletException { BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_PARAM_SUB_KEY); BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_PARAM_CONTEXT_PATH); BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_PARAM_SUPPLIER_ID); BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_ATTR_SERVICE_LOGIN_TYPE); BesServletRequestReader.param2Attr(httpRequest, Constants.REQ_ATTR_ERROR_KEY); chain.doFilter(httpRequest, httpResponse); }
void redirectToPrimarilyRequestedUrl( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, ServiceAccess serviceAccess, AuthorizationRequestData rdo) throws IOException, ServletException { String forwardUrl = (String) httpRequest.getSession().getAttribute(Constants.SESS_ATTR_FORWARD_URL); if (BesServletRequestReader.onlyServiceLogin(httpRequest.getSession())) { if (forwardUrl == null) { forwardUrl = Constants.SERVICE_BASE_URI + "/" + rdo.getSubscriptionKey() + "/"; } JSFUtils.sendRedirect(httpResponse, httpRequest.getContextPath() + forwardUrl); return; } if (ADMStringUtils.isBlank(forwardUrl) || forwardUrl.startsWith(MenuBean.LINK_DEFAULT)) { forwardUrl = getDefaultUrl(serviceAccess, rdo, httpRequest); } if ((ADMStringUtils.isBlank(forwardUrl) || rdo.getRelativePath().startsWith(forwardUrl)) && !rdo.isMarketplaceLoginPage()) { chain.doFilter(httpRequest, httpResponse); } else { JSFUtils.sendRedirect(httpResponse, httpRequest.getContextPath() + forwardUrl); } }
private void setErrorAttributesAndForward( String forwardUrl, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SaaSApplicationException e) throws ServletException, IOException { BesServletRequestReader.setErrorAttributes(httpRequest, e); forward(forwardUrl, httpRequest, httpResponse); }
private HttpServletRequest handleServiceUrl( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, AuthorizationRequestData rdo) throws IOException, ServletException { VOMarketplace mpl; try { mpl = determineMarketplaceForSubscription(httpRequest, rdo); } catch (ObjectNotFoundException e) { logger.logError( Log4jLogger.SYSTEM_LOG, e, LogMessageIdentifier.ERROR_SUBSCRIPTION_NOT_FOUND, rdo.getSubscriptionKey()); BesServletRequestReader.setErrorAttributes(httpRequest, e); handleSubscriptionNotFound(chain, httpRequest, httpResponse, rdo); return null; } // Bug 9588: Marketplace may have been deleted if (mpl != null) { httpRequest.setAttribute( Constants.REQ_ATTR_SERVICE_LOGIN_TYPE, Constants.REQ_ATTR_LOGIN_TYPE_MPL); httpRequest .getSession() .setAttribute(Constants.REQ_PARAM_MARKETPLACE_ID, mpl.getMarketplaceId()); } else { httpRequest.setAttribute( Constants.REQ_ATTR_SERVICE_LOGIN_TYPE, Constants.REQ_ATTR_LOGIN_TYPE_NO_MPL); } String contextPath = rdo.getContextPath(); if (!ADMStringUtils.isBlank(httpRequest.getQueryString())) { contextPath += "?" + httpRequest.getQueryString(); } httpRequest.setAttribute(Constants.REQ_PARAM_SUB_KEY, rdo.getSubscriptionKey()); httpRequest.setAttribute(Constants.REQ_PARAM_CONTEXT_PATH, contextPath); return processServiceUrl( httpRequest, httpResponse, chain, rdo.getSubscriptionKey(), contextPath, rdo); }
private void handleServletException( HttpServletRequest httpRequest, HttpServletResponse httpResponse, ServletException e) throws IOException, ServletException { EJBException ejbEx = ExceptionHandler.getEJBException(e); if (ejbEx != null && ejbEx.getCause() instanceof Exception && ejbEx.getCausedByException() instanceof AccessException) { String forwardErrorPage; if (BesServletRequestReader.isMarketplaceRequest(httpRequest)) { forwardErrorPage = Marketplace.MARKETPLACE_ROOT + Constants.INSUFFICIENT_AUTHORITIES_URI; } else { forwardErrorPage = Constants.INSUFFICIENT_AUTHORITIES_URI; } JSFUtils.sendRedirect(httpResponse, httpRequest.getContextPath() + forwardErrorPage); } else { // make sure we do not catch exceptions cause by // ViewExpiredException here, they'll be handled directly in the // doFilter() throw e; } }
protected boolean loginUser( FilterChain chain, HttpServletRequest httpRequest, HttpServletResponse httpResponse, VOUser voUser, AuthorizationRequestData rdo, IdentityService identityService) throws ServletException, IOException { HttpSession session = httpRequest.getSession(); boolean onlyServiceLogin = BesServletRequestReader.onlyServiceLogin(session); String forwardUrl = (String) session.getAttribute(Constants.SESS_ATTR_FORWARD_URL); SessionBean sessionBean = (SessionBean) session.getAttribute(Constants.SESS_ATTR_SESSION_BEAN); ServiceAccess serviceAccess = ServiceAccess.getServiceAcccessFor(session); if (onlyServiceLogin) { session.setAttribute(Constants.SESS_ATTR_ONLY_SERVICE_LOGIN, Boolean.TRUE); } if (!ADMStringUtils.isBlank(forwardUrl)) { session.setAttribute(Constants.SESS_ATTR_FORWARD_URL, forwardUrl); } if (sessionBean != null) { session.setAttribute(Constants.SESS_ATTR_SESSION_BEAN, sessionBean); } if (!ADMStringUtils.isBlank(rdo.getMarketplaceId())) { session.setAttribute(Constants.REQ_PARAM_MARKETPLACE_ID, rdo.getMarketplaceId()); } // authenticate the user // IMPORTANT: Changes to this method must also be applied to // UserBean.login() try { serviceAccess.login(voUser, rdo.getPassword(), httpRequest, httpResponse); } catch (CommunicationException e) { handleCommunicationException(chain, httpRequest, httpResponse, rdo); return false; } catch (LoginException e) { logger.logInfo( Log4jLogger.ACCESS_LOG, LogMessageIdentifier.INFO_USER_LOGIN_INVALID, httpRequest.getRemoteHost(), Integer.toString(httpRequest.getRemotePort()), StringUtils.isNotBlank(voUser.getUserId()) ? voUser.getUserId() : "", IPResolver.resolveIpAddress(httpRequest), voUser.getTenantId()); try { voUser = identityService.getUser(voUser); } catch (ObjectNotFoundException e1) { handleUserNotRegistered(chain, httpRequest, httpResponse, rdo); return false; } catch (SaaSApplicationException e1) { setErrorAttributesAndForward(errorPage, httpRequest, httpResponse, e1); return false; } if (voUser.getStatus() != null && voUser.getStatus().getLockLevel() > UserAccountStatus.LOCK_LEVEL_LOGIN) { httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_USER_LOCKED); forward(errorPage, httpRequest, httpResponse); return false; } handleLoginException(chain, httpRequest, httpResponse, rdo); return false; } if (!rdo.isMarketplace() && !rdo.isAccessToServiceUrl() // BE09588 Login is OK if a // service is accessed, whose // subscription has no // marketplace && identityService.getCurrentUserDetails().getOrganizationRoles().size() == 1 && identityService .getCurrentUserDetails() .getOrganizationRoles() .contains(OrganizationRoleType.CUSTOMER)) { if (ADMStringUtils.isBlank(rdo.getMarketplaceId())) { if (redirectToMpUrl(httpRequest, httpResponse)) { setupUserDetail(httpRequest, rdo, identityService, session); return false; } else { httpRequest.setAttribute( Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_INVALID_MARKETPLACE_URL); forward(BaseBean.MARKETPLACE_ERROR_PAGE, httpRequest, httpResponse); } } else { setupUserDetail(httpRequest, rdo, identityService, session); forward(BaseBean.MARKETPLACE_START_SITE, httpRequest, httpResponse); } return false; } // get the service again because the credentials have been // changed (important for WS usage) identityService = serviceAccess.getService(IdentityService.class); try { identityService.refreshLdapUser(); } catch (ValidationException e) { logger.logDebug( "Refresh of LDAP user failed, most likely due to missing/wrong LDAP settings"); } logger.logInfo( Log4jLogger.ACCESS_LOG, LogMessageIdentifier.INFO_USER_LOGIN_SUCCESS, StringUtils.isNotBlank(voUser.getUserId()) ? voUser.getUserId() : "", IPResolver.resolveIpAddress(httpRequest), voUser.getTenantId()); return true; }
/** * If the user wants to access a service URL we must check if he is logged into the service. * * @return the given HTTP request, a request wrapper which must be used to perform the service * login or null if the caller should continue with the filter chain * @throws IOException * @throws ServletException * @throws DatatypeConfigurationException * @throws SAML2AuthnRequestException * @throws Exception */ private HttpServletRequest processServiceUrl( HttpServletRequest request, HttpServletResponse response, FilterChain chain, String subKey, String contextPath, AuthorizationRequestData rdo) throws ServletException, IOException { HttpSession session = request.getSession(); ServiceAccess serviceAccess = ServiceAccess.getServiceAcccessFor(session); if ("/".equals(contextPath) && !BesServletRequestReader.onlyServiceLogin(session)) { // if the user accesses a subscription from the my subscription list // we check the subscription key map in the session (this causes // some overhead - EJB call - and should NOT be done for every // service request) // preserve mId String mId = (String) session.getAttribute(Constants.REQ_PARAM_MARKETPLACE_ID); SessionListener.cleanup(session); session = request.getSession(); session.setAttribute(Constants.REQ_PARAM_MARKETPLACE_ID, mId); } Map<String, VOSubscription> map = getSubMapFromSession(session); VOSubscription sub = map.get(subKey); VOUserDetails userDetails = (VOUserDetails) session.getAttribute(Constants.SESS_ATTR_USER); if (BesServletRequestReader.onlyServiceLogin(session)) { session.removeAttribute(Constants.SESS_ATTR_ONLY_SERVICE_LOGIN); // at least remove the user details from the session session.removeAttribute(Constants.SESS_ATTR_USER); if (userDetails != null) { session.setAttribute(Constants.REQ_PARAM_LOCALE, userDetails.getLocale()); } } if (userDetails != null && userDetails.getStatus() != UserAccountStatus.PASSWORD_MUST_BE_CHANGED) { // the user is already logged in if (sub == null) { // the user is not logged in the service, we must call the // SSO bridge sub = getSubscription(serviceAccess, subKey); if (sub == null) { UserNotAssignedException e = new UserNotAssignedException(subKey, userDetails.getUserId()); logger.logError( Log4jLogger.SYSTEM_LOG | Log4jLogger.AUDIT_LOG, e, LogMessageIdentifier.ERROR_ACTIVE_SUBSCRIPTION_FOR_CURRENT_USER_FAILED, subKey); setErrorAttributesAndForward( getDefaultUrl(serviceAccess, rdo, request), request, response, e); return null; } else if (sub.getStatus() != SubscriptionStatus.ACTIVE && sub.getStatus() != SubscriptionStatus.PENDING_UPD) { SubscriptionStateException e = new SubscriptionStateException( "Subscription '" + subKey + "' not active or pending update.", Reason.ONLY_ACTIVE); logger.logError( Log4jLogger.SYSTEM_LOG | Log4jLogger.AUDIT_LOG, e, LogMessageIdentifier.ERROR_SUBSCRIPTION_NOT_ACTIVE, subKey); setErrorAttributesAndForward( getDefaultUrl(serviceAccess, rdo, request), request, response, e); return null; } else if (!sub.getServiceBaseURL() .toLowerCase() .startsWith(request.getScheme().toLowerCase() + "://")) { setErrorAttributesAndForward(errorPage, request, response, new ServiceSchemeException()); return null; } String userToken = ADMStringUtils.getRandomString(40); // create a service session database record (which is used by // the service to resolve the user token) try { synchronized (map) { createServiceSession(serviceAccess, subKey, session.getId(), userToken); // the map must be filled after the service session was // created otherwise the session listener cleanup method // might clear the list map.put(subKey, sub); } } catch (ObjectNotFoundException e) { handleSubscriptionNotFound(chain, request, response, rdo); return null; } catch (ServiceParameterException e) { setErrorAttributesAndForward(Constants.SERVICE_USAGE_ERROR_URI, request, response, e); return null; } catch (SaaSApplicationException e) { setErrorAttributesAndForward(errorPage, request, response, e); return null; } if (sub.getServiceAccessType() == ServiceAccessType.LOGIN) { // perform a redirect to the SSO bridge with the user token String url = removeEndingSlash(sub.getServiceBaseURL()); if (sub.getServiceLoginPath() != null) { url += sub.getServiceLoginPath(); } if (url.contains("?")) { url += "&"; } else { url += "?"; } SsoParameters ssoParameters = new SsoParameters(); ssoParameters.setContextPath(contextPath); ssoParameters.setInstanceId(sub.getServiceInstanceId()); ssoParameters.setLanguage(userDetails.getLocale()); ssoParameters.setSubscriptionKey(subKey); ssoParameters.setBssId(request.getSession().getId()); ssoParameters.setUsertoken(userToken); url += ssoParameters.getQueryString(); JSFUtils.sendRedirect(response, url); return null; } } else { if (sub.getServiceAccessType() == ServiceAccessType.LOGIN) { // send a redirect to the service base URL, the service // session should be still active JSFUtils.sendRedirect(response, sub.getServiceBaseURL()); return null; } // nothing to do (the user is logged in the platform and the // service) the rewriting is done by the subsequent filters in // the filter chain which is activated by the caller } } else { // the user is not logged in if (sub == null) { // the user is neither logged in platform nor in the // service, // // The later processing will forward to the service login // page processing. After the login there will be a redirect to // the primarily requested URL which will perform the service // login session.setAttribute(Constants.SESS_ATTR_ONLY_SERVICE_LOGIN, Boolean.TRUE); } else { // the user is logged in the service if (sub.getServiceAccessType() == ServiceAccessType.LOGIN) { // send a redirect to the service base URL, the service // session should be still active JSFUtils.sendRedirect(response, sub.getServiceBaseURL()); } else { // don't perform any other checks continue with the // filter chain which will perform the rewriting chain.doFilter(request, response); } return null; } } return request; }