private AuthD() {
debug.message("AuthD initializing");
try {
rootSuffix = defaultOrg = ServiceManager.getBaseDN();
initAuthSessions();
initAuthServiceGlobalSettings();
initPlatformServiceGlobalSettings();
initSessionServiceDynamicSettings();
initAuthConfigGlobalSettings();
bundle = com.sun.identity.shared.locale.Locale.getInstallResourceBundle(BUNDLE_NAME);
ResourceBundle platBundle =
com.sun.identity.shared.locale.Locale.getInstallResourceBundle("amPlatform");
platformCharset = platBundle.getString(ISAuthConstants.PLATFORM_CHARSET_ATTR);
printProfileAttrs();
// Initialize AuthXMLHandler so that AdminTokenAction can
// generate DPro Session's SSOToken
new com.sun.identity.authentication.server.AuthXMLHandler();
authInitFailed = false;
} catch (Exception ex) {
debug.error("AuthD init()", ex);
authInitFailed = true;
}
try {
enforceJAASThread =
Boolean.valueOf(SystemProperties.get(Constants.ENFORCE_JAAS_THREAD)).booleanValue();
} catch (Exception e) {
if (debug.messageEnabled()) {
debug.message("Wrong format of " + Constants.ENFORCE_JAAS_THREAD);
}
}
}
/** The <code>PAOSUtils</code> contains utility methods for PAOS implementation. */
public class PAOSUtils {
public static Debug debug = Debug.getInstance("libIDWSF");
public static final String BUNDLE_NAME = "libPAOS";
public static ResourceBundle bundle = Locale.getInstallResourceBundle(BUNDLE_NAME);
}
private void setLocale(HttpServletRequest request) {
if (request != null) {
String superLocale = request.getParameter("locale");
if (superLocale != null && superLocale.length() > 0) {
configLocale = Locale.getLocaleObjFromAcceptLangHeader(superLocale);
} else {
String acceptLangHeader = (String) request.getHeader("Accept-Language");
if ((acceptLangHeader != null) && (acceptLangHeader.length() > 0)) {
configLocale = Locale.getLocaleObjFromAcceptLangHeader(acceptLangHeader);
} else {
configLocale = java.util.Locale.getDefault();
}
}
try {
rb = ResourceBundle.getBundle(RB_NAME, configLocale);
} catch (MissingResourceException mre) {
// do nothing
}
}
}
public String getLocalizedString(String i18nKey) {
if (rb == null) {
initializeResourceBundle();
}
String localizedValue = null;
try {
localizedValue = Locale.getString(rb, i18nKey, debug);
} catch (MissingResourceException mre) {
// do nothing
}
return (localizedValue == null) ? i18nKey : localizedValue;
}
/**
* Constructor
*
* @param lang Language for the properties file.
*/
public PPInteractionHelper(String lang) {
if (lang != null) {
props =
ResourceBundle.getBundle(
idppProps,
com.sun.identity.shared.locale.Locale.getLocaleObjFromAcceptLangHeader(lang));
} else {
props = IDPPUtils.bundle;
}
try {
defaultMinChars = props.getString("defaultMinTextChars");
defaultMaxChars = props.getString("defaultMaxTextChars");
} catch (MissingResourceException mre) {
IDPPUtils.debug.error(
"PPInteractHelper.Static: Could not find min" + " or maximum text characters.", mre);
}
}
/**
* Returns Resource bundle of a locale.
*
* @param locale Locale.
* @return Resource bundle of a locale.
*/
public ResourceBundle getResourceBundle(String locale) {
if (locale == null) {
return bundle;
}
ResourceBundle rb = (ResourceBundle) bundles.get(locale);
if (rb == null) {
rb = com.sun.identity.shared.locale.Locale.getResourceBundle(BUNDLE_NAME, locale);
if (rb == null) {
rb = bundle;
}
bundles.put(locale, rb);
}
return rb;
}
public class EncryptionUtils {
public static Debug debug = Debug.getInstance("libEncryption");
public static final String BUNDLE_NAME = "libEncryption";
public static ResourceBundle bundle = Locale.getInstallResourceBundle(BUNDLE_NAME);
}
/**
* The <code>AuthContextLocal</code> provides the implementation for authenticating users.
*
* <p>A typical caller instantiates this class and starts the login process. The caller then obtains
* an array of <code>Callback</code> objects, which contains the information required by the
* authentication plug-in module. The caller requests information from the user. On receiving the
* information from the user, the caller submits the same to this class. If more information is
* required, the above process continues until all the information required by the
* plug-ins/authentication modules, has been supplied. The caller then checks if the user has
* successfully been authenticated. If successfully authenticated, the caller can then get the
* <code>Subject</code> and <code>SSOToken</code> for the user; if not successfully authenticated,
* the caller obtains the AuthLoginException.
*
* <p>The implementation supports authenticating users either locally i.e., in process with all
* authentication modules configured or remotely to an authentication service/framework. (See
* documentation to configure in either of the modes).
*
* <p>The <code>getRequirements()</code> and <code>submitRequirements()</code> are used to pass the
* user credentials for authentication by the plugin modules,<code>getStatus()</code> returns the
* authentication status.
*
* <p>It should be serializable as a requirement to be stored in HttpSession.
*/
public final class AuthContextLocal extends Object implements java.io.Serializable {
/*
* Protected variables used locally
*/
// Debug & I18N class
private static final String amAuthContextLocal = "amAuthContextLocal";
/** Hold the debug instance */
protected static Debug authDebug = Debug.getInstance(amAuthContextLocal);
/** Holds the locale-specific information */
protected static ResourceBundle bundle = Locale.getInstallResourceBundle(amAuthContextLocal);
/** Holds organizationName */
protected String organizationName;
/** Holds the set of module instance names */
protected Set moduleInstanceNames;
/** Holds the index type */
protected AuthContext.IndexType indexType;
/** Holds the index name */
protected String indexName;
/** Holds the login status */
protected AuthContext.Status loginStatus;
/** Holds the host name */
protected String hostName;
/** Holds the http session */
protected HttpSession httpSession;
/** Holds Single Sign on Token */
protected SSOToken ssoToken;
/** AuthLoginException */
protected volatile AuthLoginException loginException = null;
/** Holds call back information */
protected Callback[] informationRequired = null;
/** AuthLoginContext */
public AMLoginContext amlc = null;
/** Holds LoginStatus */
public LoginStatus ls;
/** Holds subject */
protected Subject subject;
/** character array for password */
protected char[] password;
private LoginState loginState = null;
private String orgDN = null;
/** Holds information about submittion of requirements */
private boolean inSubmitRequirements = false;
/**
* Creates <code>AuthContextLocal</code> instance is obtained for a given organization name, or
* sub organization name. <code>login</code> method is then used to start the authentication
* process.
*
* @param orgName name of the user's organization.
* @supported.api
*/
public AuthContextLocal(String orgName) {
authDebug.message("AuthContextLocal() constructor called");
organizationName = orgName;
amlc = new AMLoginContext(this);
if (authDebug.messageEnabled()) {
authDebug.message("AMLoginContext object is... " + amlc);
}
reset();
}
/**
* Returns authentication module/s instances(or) plugin(s) configured for an organization, or
* sub-organization that was set during the <code>AuthContext</code> constructor.
*
* @return authentication module/s instances (or plugins).
* @throws UnsupportedOperationException if an error occurred.
* @supported.api
*/
public Set getModuleInstanceNames() {
moduleInstanceNames = amlc.getModuleInstanceNames();
return (moduleInstanceNames);
}
/**
* Starts the login process for the given <code>AuthContextLocal</code> object.
*
* @exception AuthLoginException if an error occurred during login.
* @supported.api
*/
public void login() throws AuthLoginException {
login(null);
}
/**
* Starts the login process for the given <code>AuthContextLocal</code>s object for the given
* <code>Principal</code> and the user's password. This method should be called primarily when the
* authenticator knows there would no other credentials needed to complete the authentication
* process.
*
* @param principal <code>Principal</code> of the user to be authenticated.
* @param password password for the user.
* @throws AuthLoginException if an error occurred during login.
* @supported.api
*/
public void login(Principal principal, char[] password) throws AuthLoginException {
// Make sure principal and password are not null
if (principal == null)
throw new AuthLoginException(amAuthContextLocal, "invalid-username", null);
if (password == null)
throw new AuthLoginException(amAuthContextLocal, "invalid-password", null);
// Copy the password
this.password = password;
login(null, null, principal, password, null, false);
}
/**
* Start the login process for the <code>AuthContextLocal</code> object identified by the index
* type and index name. The <code>IndexType</code> defines the possible kinds of "objects" or
* "resources" for which an authentication can be performed. Currently supported index types are
* users, roles, services (or application), levels and mechanism.
*
* @param type authentication index type.
* @param indexName authentication index name.
* @throws AuthLoginException if an error occurred during login.
* @supported.api
*/
public void login(AuthContext.IndexType type, String indexName) throws AuthLoginException {
if (authDebug.messageEnabled()) {
authDebug.message(
"AuthContextLocal::login() called "
+ "with IndexType : "
+ type
+ " & Indexname : "
+ indexName);
}
login(type, indexName, null, null, null, false);
}
/**
* Starts the login process for the given <code>AuthContextLocal</code> object for the given
* <code>Subject</code>. Refer to JAAS for description on <code>Subject</code>.
*
* @param subject <code>Subject</code> of the user to be authenticated.
* @throws AuthLoginException if an error occurred during login.
* @supported.api
*/
public void login(Subject subject) throws AuthLoginException {
login(null, null, null, null, subject, false);
}
/**
* Starts the login process for the given <code>AuthContextLocal</code> object identified by the
* index type and index name. The <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can be performed.Currently supported index types are
* users, roles, services (or application), levels and mechanism. The pCookieMode indicates that a
* persistent cookie exists for this request.
*
* @param type authentication index type.
* @param indexName authentication index name.
* @param locale locale setting.
* @throws AuthLoginException if an error occurred during login process.
*/
public void login(AuthContext.IndexType type, String indexName, String locale)
throws AuthLoginException {
if (authDebug.messageEnabled()) {
authDebug.message(
"AuthContextLocal::login() called "
+ "with IndexType : "
+ type
+ " & Indexname : "
+ indexName
+ " & locale : "
+ locale);
}
login(type, indexName, null, null, null, false, null, locale);
}
/**
* Starts the login process for the given <code>AuthContextLocal</code> object identified by the
* index type and index name. The <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can be performed.Currently supported index types are
* users, roles, services (or application), levels and mechanism. The pCookieMode indicates that a
* persistent cookie exists for this request.
*
* @param type authentication index type.
* @param indexName authentication index name.
* @param pCookieMode <code>true</code> if persistent Cookie exists, <code>false</code> otherwise
* @throws AuthLoginException if an error occurred during login process.
*/
public void login(AuthContext.IndexType type, String indexName, boolean pCookieMode)
throws AuthLoginException {
if (authDebug.messageEnabled()) {
authDebug.message(
"AuthContextLocal::login() called "
+ "with IndexType : "
+ type
+ " & Indexname : "
+ indexName
+ " & pCookieMode : "
+ pCookieMode);
}
login(type, indexName, null, null, null, pCookieMode);
}
/**
* Starts the login process for the given <code>AuthContextLocal</code> object identified by the
* index type and index name. The <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can be performed.Currently supported index types are
* users, roles, services (or application), levels and mechanism. The pCookieMode indicates that a
* persistent cookie exists for this request. The locale specifies the user preferred locale
* setting.
*
* @param type authentication index type.
* @param indexName authentication index name.
* @param pCookieMode <code>true</code> if persistent Cookie exists, <code>false</code> otherwise
* @param locale locale setting.
* @throws AuthLoginException if an error occurred during login process.
*/
public void login(
AuthContext.IndexType type, String indexName, boolean pCookieMode, String locale)
throws AuthLoginException {
if (authDebug.messageEnabled()) {
authDebug.message(
"AuthContextLocal::login() called "
+ "with IndexType : "
+ type
+ " & Indexname : "
+ indexName
+ " & pCookieMode : "
+ pCookieMode
+ " & locale : "
+ locale);
}
login(type, indexName, null, null, null, pCookieMode, null, locale);
}
/**
* Starts the login process for the given <code>AuthContextLocal</code> object identified by the
* index type and index name. The <code>IndexType</code> defines the possible kinds of "objects"
* or "resources" for which an authentication can be performed.Currently supported index types are
* users, roles, services (or application), levels and mechanism. The pCookieMode indicates that a
* persistent cookie exists for this request. The locale specifies the user preferred locale
* setting.
*
* @param type authentication index type.
* @param indexName authentication index name.
* @param pCookieMode <code>true</code> if persistent Cookie exists, <code>false</code> otherwise
* @param envMap Environment Map, key is String, value is set of string. this is applicable only
* when the type is <code>AuthContext.IndexType.RESOURCE</code>
* @param locale locale setting.
* @throws AuthLoginException if an error occurred during login process.
*/
public void login(
AuthContext.IndexType type, String indexName, boolean pCookieMode, Map envMap, String locale)
throws AuthLoginException {
if (authDebug.messageEnabled()) {
authDebug.message(
"AuthContextLocal::login() called "
+ "with IndexType : "
+ type
+ " & Indexname : "
+ indexName
+ " & pCookieMode : "
+ pCookieMode
+ " & locale : "
+ locale
+ " & envMap : "
+ envMap);
}
login(type, indexName, null, null, null, pCookieMode, envMap, locale);
}
/**
* Performs the Login for the given AuthContext
*
* @param type authentication index type
* @param indexName authentication index name
* @param principal principal name of the user to be authenticated
* @param password password for the user
* @param subject authentication subject
* @param pCookieMode <code>true</code>persistent Cookie exists, <code>false</code> otherwise
* @throws AuthLoginException if error occurs during login
*/
protected void login(
AuthContext.IndexType type,
String indexName,
Principal principal,
char[] password,
Subject subject,
boolean pCookieMode)
throws AuthLoginException {
login(type, indexName, principal, password, subject, pCookieMode, null, null);
}
/**
* Performs the Login for the given AuthContext
*
* @param type authentication index type
* @param indexName authentication index name
* @param principal principal name of the user to be authenticated
* @param password password for the user
* @param subject authentication subject
* @param pCookieMode <code>true</code>persistent Cookie exists, <code>false</code> otherwise
* @param envMap Environment map, this is applicable only when the type is <code>
* AuthContext.IndexType.RESOURCE</code>
* @param locale locale setting
* @throws AuthLoginException if error occurs during login
*/
protected void login(
AuthContext.IndexType type,
String indexName,
Principal principal,
char[] password,
Subject subject,
boolean pCookieMode,
Map envMap,
String locale)
throws AuthLoginException {
try {
/*if (!getStatus().equals(AuthContext.Status.NOT_STARTED)) {
if (authDebug.messageEnabled()) {
authDebug.message("AuthContextLocal::login called " +
"when the current login status is : " + getStatus());
}
throw new AuthLoginException(amAuthContextLocal,
"invalidMethod", new Object[]{getStatus()});
}*/
// switch the login status
loginStatus = AuthContext.Status.IN_PROGRESS;
String redirectUrl = null;
// specially processing for resouce/IP/Environement based auth
if ((type != null) && type.equals(AuthContext.IndexType.RESOURCE)) {
// this is resouce/IP/Env based authentication
// call Policy Decision Util to find out the actual auth type
// required by policy
List result = Collections.EMPTY_LIST;
try {
result = PolicyDecisionUtils.doResourceIPEnvAuth(indexName, organizationName, envMap);
} catch (PolicyException pe) {
// ignore, continue to default realm based authentication
// may need to revisit this in the future
authDebug.warning(
"AuthContextLocal.login() policy error " + "indexName=" + indexName, pe);
type = null;
indexName = null;
}
if (authDebug.messageEnabled()) {
authDebug.message("AuthContextLocal.login: policy decision=" + result);
}
if (result.size() == 2) {
type = (AuthContext.IndexType) result.get(0);
indexName = (String) result.get(1);
} else if (result.size() == 1) {
// this is the redirection case (Policy Redirection Advice)
redirectUrl = (String) result.get(0);
// append goto parameter for federation case
Set tmp = (Set) envMap.get(ISAuthConstants.GOTO_PARAM);
if ((tmp != null) && !tmp.isEmpty()) {
String gotoParam = (String) tmp.iterator().next();
if ((gotoParam != null) && (gotoParam.length() != 0)) {
if ((redirectUrl != null) && (redirectUrl.indexOf("?") != -1)) {
redirectUrl =
redirectUrl
+ "&"
+ ISAuthConstants.GOTO_PARAM
+ "="
+ URLEncDec.encode(gotoParam);
} else {
redirectUrl =
redirectUrl
+ "?"
+ ISAuthConstants.GOTO_PARAM
+ "="
+ URLEncDec.encode(gotoParam);
}
}
}
type = null;
indexName = null;
} else {
// no policy decision, use default realm login
type = null;
indexName = null;
}
}
HashMap loginParamsMap = new HashMap();
loginParamsMap.put(INDEX_TYPE, type);
loginParamsMap.put(INDEX_NAME, indexName);
loginParamsMap.put(PRINCIPAL, principal);
loginParamsMap.put(PASSWORD, password);
loginParamsMap.put(SUBJECT, subject);
loginParamsMap.put(PCOOKIE, Boolean.valueOf(pCookieMode));
loginParamsMap.put(LOCALE, locale);
if (redirectUrl != null) {
loginParamsMap.put(REDIRECT_URL, redirectUrl);
}
if (authDebug.messageEnabled()) {
authDebug.message("loginParamsMap : " + loginParamsMap.toString());
}
authDebug.message("calling AMLoginContext::exceuteLogin : "******"after AMLoginContext::exceuteLogin : "******"Status at the end of login() : " + loginStatus);
}
} catch (AuthLoginException e) {
if (authDebug.messageEnabled()) {
authDebug.message("Exception in ac.login : "******"AuthContextLocal::reset() called");
loginStatus = AuthContext.Status.NOT_STARTED;
informationRequired = null;
loginException = null;
}
/**
* Returns the set of Principals the user has been authenticated as. This should be invoked only
* after successful authentication. If the authentication fails or the authentication is in
* process, this will return <code>null</code>.
*
* @return The set of Principals the user has been authenticated as.
* @supported.api
*/
public Subject getSubject() {
if (!loginStatus.equals(AuthContext.Status.SUCCESS)) {
return (null);
}
if (subject == null) {
subject = amlc.getSubject();
}
return (subject);
}
/**
* Checks if the login process requires more information from the user to complete the
* authentication.
*
* @return <code>true</code> if more credentials are required from the user.
* @supported.api
*/
public boolean hasMoreRequirements() {
authDebug.message("AuthContextLocal::hasMoreRequirements()");
if ((amlc.getStatus() == LoginStatus.AUTH_SUCCESS)
|| (amlc.getStatus() == LoginStatus.AUTH_FAILED)) {
return false;
} else {
informationRequired = amlc.getRequiredInfo();
return (informationRequired != null);
}
}
/**
* Checks if the login process requires more information from the user to complete the
* authentication
*
* @param noFilter falg to indicate if there is a Filter
* @return <code>true</code> if more credentials are required from the user.
*/
public boolean hasMoreRequirements(boolean noFilter) {
authDebug.message("AuthContextLocal::hasMoreRequirements()");
if ((amlc.getStatus() == LoginStatus.AUTH_SUCCESS)
|| (amlc.getStatus() == LoginStatus.AUTH_FAILED)) {
return false;
} else {
informationRequired = amlc.getRequiredInfo();
return (getCallbacks(informationRequired, noFilter) != null);
}
}
/**
* Returns an array of <code>Callback</code> objects that must be populated by the user and
* returned back. These objects are requested by the authentication plug-ins, and these are
* usually displayed to the user. The user then provides the requested information for it to be
* authenticated.
*
* @return an array of <code>Callback</code> objects requesting credentials from user.
* @supported.api
*/
public Callback[] getRequirements() {
authDebug.message("AuthContextLocal::getRequirements()");
if ((amlc.getStatus() == LoginStatus.AUTH_SUCCESS)
|| (amlc.getStatus() == LoginStatus.AUTH_FAILED)) {
return null;
} else {
return (informationRequired);
}
}
/**
* Returns an array of <code>Callback</code> objects that must be populated by the user and
* returned back. These objects are requested by the authentication plug-ins, and these are
* usually displayed to the user. The user then provides the requested information for it to be
* authenticated.
*
* @param noFilter flag to indicate if there is a Filter
* @return an array of <code>Callback</code> objects requesting credentials from user.
* @supported.api
*/
public Callback[] getRequirements(boolean noFilter) {
authDebug.message("AuthContextLocal::getRequirements()");
if ((amlc.getStatus() == LoginStatus.AUTH_SUCCESS)
|| (amlc.getStatus() == LoginStatus.AUTH_FAILED)) {
return null;
} else {
return (getCallbacks(informationRequired, noFilter));
}
}
/**
* Submit the populated <code>Callback</code> objects to the authentication plug-in modules.
* Called after <code>getRequirements</code> method and obtaining user's response to these
* requests.
*
* @param info array of <code>Callback</code> objects
* @supported.api
*/
public void submitRequirements(Callback[] info) {
authDebug.message("AuthContextLocal::submitRequirements()");
inSubmitRequirements = true;
try {
informationRequired = null;
amlc.submitRequiredInfo(info);
if (!amlc.isPureJAAS()) {
amlc.runLogin();
}
if (amlc.getStatus() == LoginStatus.AUTH_SUCCESS) {
loginStatus = AuthContext.Status.SUCCESS;
} else if (amlc.getStatus() == LoginStatus.AUTH_FAILED) {
loginStatus = AuthContext.Status.FAILED;
}
authDebug.message("AuthContextLocal::submitRequirements end");
if (authDebug.messageEnabled()) {
authDebug.message("Status at the end of submitRequirements() : " + loginStatus);
}
} finally {
inSubmitRequirements = false;
}
}
/**
* Logs out the user and also invalidates the <code>SSOToken</code> associated with this <code>
* AuthContextLocal</code>.
*
* @throws AuthLoginException if an error occurred during logout
* @supported.api
*/
public void logout() throws AuthLoginException {
authDebug.message("AuthContextLocal::logout()");
try {
amlc.logout();
} catch (Exception e) {
if (authDebug.messageEnabled()) {
authDebug.message("Exception in AMLoginContext::logout() " + e.getMessage());
}
throw new AuthLoginException(amAuthContextLocal, "logoutError", null, e);
}
authDebug.message("Called AMLoginContext::logout()");
loginStatus = AuthContext.Status.COMPLETED;
}
/**
* Returns login exception, if any, during the authentication process. Typically set when the
* login fails.
*
* @return login exception.
* @supported.api
*/
public AuthLoginException getLoginException() {
authDebug.message("AuthContextLocal::getLoginException()");
return (loginException);
}
/**
* Sets the login exception that represents errors during the authentication process.
*
* @param exception AuthLoginException to be set.
*/
public void setLoginException(AuthLoginException exception) {
loginException = exception;
}
/**
* Returns the current status of the authentication process.
*
* @return the current status of the authentication process.
* @supported.api
*/
public AuthContext.Status getStatus() {
authDebug.message("AuthContextLocal::getStatus()");
if (amlc.getStatus() == LoginStatus.AUTH_SUCCESS) {
loginStatus = AuthContext.Status.SUCCESS;
} else if (amlc.getStatus() == LoginStatus.AUTH_FAILED) {
loginStatus = AuthContext.Status.FAILED;
} else if (amlc.getStatus() == LoginStatus.AUTH_RESET) {
loginStatus = AuthContext.Status.RESET;
} else if (amlc.getStatus() == LoginStatus.AUTH_ORG_MISMATCH) {
loginStatus = AuthContext.Status.ORG_MISMATCH;
} else if (amlc.getStatus() == LoginStatus.AUTH_IN_PROGRESS) {
loginStatus = AuthContext.Status.IN_PROGRESS;
} else if (amlc.getStatus() == LoginStatus.AUTH_COMPLETED) {
loginStatus = AuthContext.Status.COMPLETED;
}
if (authDebug.messageEnabled()) {
authDebug.message("AuthContextLocal:: Status : " + loginStatus);
}
return (loginStatus);
}
/**
* Sets the login status. Used internally and not visible outside this package.
*
* @param status login status
*/
protected void setLoginStatus(AuthContext.Status status) {
authDebug.message("AuthContextLocal::setLoginStatus()");
loginStatus = status;
}
/**
* Returns the Single-Sign-On (SSO) Token for the authenticated user.Single-Sign-On token can be
* used as the authenticated token.
*
* @return single-sign-on token
* @supported.api
*/
public SSOToken getSSOToken() {
ssoToken = amlc.getSSOToken();
return (ssoToken);
}
/**
* Returns the Successful Login URL for the authenticated user.
*
* @return the Successful Login URL for the authenticated user.
*/
public String getSuccessURL() {
return amlc.getSuccessURL();
}
/**
* Returns the Failure Login URL for the authenticating user.
*
* @return the Failure Login URL for the authenticating user.
*/
public String getFailureURL() {
return amlc.getFailureURL();
}
/**
* Returns the the organization name that was set during the <code>AuthContextLocal</code>
* constructor.
*
* @return Organization name.
* @supported.api
*/
public String getOrganizationName() {
return (amlc.getOrganizationName());
}
/**
* Terminates an ongoing <code>login</code> call that has not yet completed.
*
* @throws AuthLoginException if an error occurred during abort.
* @supported.api
*/
public void abort() throws AuthLoginException {
authDebug.message("AuthContextLocal::abort()");
try {
amlc.abort();
} catch (Exception e) {
if (authDebug.messageEnabled()) {
authDebug.message("Exception in AMLoginContext::abort() " + e.getMessage());
}
throw new AuthLoginException(amAuthContextLocal, "abortError", null, e);
}
loginStatus = AuthContext.Status.COMPLETED;
}
/**
* Returns the error template.
*
* @return the error template.
*/
public String getErrorTemplate() {
return amlc.getErrorTemplate();
}
/**
* Returns the error message.
*
* @return the error message.
*/
public String getErrorMessage() {
return amlc.getErrorMessage();
}
/**
* Returns the error code.
*
* @return error code.
*/
public String getErrorCode() {
return amlc.getErrorCode();
}
/**
* Returns the current 'authIdentifier' of the authentication process as String Session ID.
*
* @return <code>authIdentifier</code> of the authentication process
*/
public String getAuthIdentifier() {
return amlc.getAuthIdentifier();
}
/**
* Returns the account lockout message. This can be either a dynamic message indicating the number
* of tries left or the the account deactivated message.
*
* @return account lockout message.
*/
public String getLockoutMsg() {
String lockoutMsg = amlc.getLockoutMsg();
if (authDebug.messageEnabled()) {
authDebug.message("getLockoutMsg: lockoutMsg: " + lockoutMsg);
}
return lockoutMsg;
}
/**
* Checks the account is locked out
*
* @return <code>true</code> if the account is locked, <code>false</code> otherwise
*/
public boolean isLockedOut() {
boolean isLockedOut = amlc.isLockedOut();
if (authDebug.messageEnabled()) {
authDebug.message("isLockedOut : " + isLockedOut);
}
return isLockedOut;
}
/**
* Sets the client's host name , this method is used in case of remote authentication,to set the
* client's hostname or IP address. This could be used by the policy component to restrict access
* to resources.
*
* @param hostname Host name.
*/
public void setClientHostName(String hostname) {
hostName = hostname;
}
/**
* Returns the clients host name
*
* @return hostname
*/
protected String getClientHostName() {
return (hostName);
}
public boolean submittedRequirements() {
return inSubmitRequirements;
}
/**
* Sets the <code>HttpSession</code> that will be used by the SSO component to store the session
* information. In the absence of <code>HttpSession</code> the information is stored in <code>
* HashMap</code> and will have issues with fail-over. With session fail-over turned on <code>
* HttpSession</code> would be provide persistance storage mechanism for SSO.
*
* @param session HttpSession
*/
public void setHttpSession(HttpSession session) {
httpSession = session;
}
/**
* Returns the <code>HTTPSession</code> associated with the current authentication context
*
* @return httpSession
*/
protected HttpSession getHttpSession() {
return (httpSession);
}
/**
* Returns the array of <code>Callback</code> requirements objects
*
* @param recdCallbacks callbacks requirements
* @param noFilter boolean to indicate if filter exists
* @return an array of <code>Callback</code> objects
*/
protected static Callback[] getCallbacks(Callback[] recdCallbacks, boolean noFilter) {
if (recdCallbacks == null) {
return (null);
} else if (noFilter) {
return recdCallbacks;
} else {
Callback[] answer = new Callback[0];
ArrayList callbackList = new ArrayList();
for (int i = 0; i < recdCallbacks.length; i++) {
if (authDebug.messageEnabled()) {
authDebug.message("In getCallbacks() callback : " + recdCallbacks[i]);
}
if (!(recdCallbacks[i] instanceof PagePropertiesCallback)) {
callbackList.add(recdCallbacks[i]);
}
}
return (Callback[]) callbackList.toArray(answer);
}
}
/**
* Sets the Login State
*
* @param state login state
*/
public void setLoginState(LoginState state) {
loginState = state;
}
/**
* Returns the login state
*
* @return loginState
*/
public LoginState getLoginState() {
return loginState;
}
/**
* Sets the Organization DN
*
* @param orgDN Organization DN
*/
public void setOrgDN(String orgDN) {
this.orgDN = orgDN;
}
/**
* Returns the Organization DN
*
* @return the Organization DN
*/
public String getOrgDN() {
return orgDN;
}
/** Holds LDAP URL */
public static final String LDAP_AUTH_URL = "ldap://";
/** Holds ersistent cookie mode */
public static final String PCOOKIE = "pCookieMode";
/** Holds principal name to be authenticated */
public static final String PRINCIPAL = "principal";
/** Holds Password for the user */
public static final String PASSWORD = "******";
/** authentication subject */
public static final String SUBJECT = "subject";
/** authentication index type */
public static final String INDEX_TYPE = "indexType";
/** authentication index name */
public static final String INDEX_NAME = "indexName";
/** locale setting */
public static final String LOCALE = "locale";
/** Redirection URL */
public static final String REDIRECT_URL = "redirectionURL";
}
public static String getString(String str) {
if (namingBundle == null) {
namingBundle = com.sun.identity.shared.locale.Locale.getInstallResourceBundle("amNaming");
}
return namingBundle.getString(str);
}
/**
* Verifies signatures in entity descriptor represented by the <code>Document</code>.
*
* @param doc The document.
* @throws SAML2MetaException if unable to verify the entity descriptor.
*/
public static void verifySignature(Document doc) throws SAML2MetaException {
NodeList sigElements = null;
try {
Element nscontext =
org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
sigElements = XPathAPI.selectNodeList(doc, "//ds:Signature", nscontext);
} catch (Exception ex) {
if (debug.messageEnabled()) {
debug.message("SAML2MetaSecurityUtils.verifySignature:", ex);
throw new SAML2MetaException(ex.getMessage());
}
}
int numSigs = sigElements.getLength();
if (debug.messageEnabled()) {
debug.message("SAML2MetaSecurityUtils.verifySignature:" + " # of signatures = " + numSigs);
}
if (numSigs == 0) {
return;
}
// If there are signatures then explicitly identify the ID Attribute, See comments section of
// http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8017265
doc.getDocumentElement().setIdAttribute(SAML2Constants.ID, true);
initializeKeyStore();
for (int i = 0; i < numSigs; i++) {
Element sigElement = (Element) sigElements.item(i);
String sigParentName = sigElement.getParentNode().getLocalName();
Object[] objs = {sigParentName};
if (debug.messageEnabled()) {
debug.message(
"SAML2MetaSecurityUtils.verifySignature: "
+ "verifying signature under "
+ sigParentName);
}
try {
XMLSignature signature = new XMLSignature(sigElement, "");
signature.addResourceResolver(new com.sun.identity.saml.xmlsig.OfflineResolver());
KeyInfo ki = signature.getKeyInfo();
X509Certificate x509cert = null;
if (ki != null && ki.containsX509Data()) {
if (keyStore != null) {
StorageResolver sr = new StorageResolver(new KeyStoreResolver(keyStore));
ki.addStorageResolver(sr);
}
x509cert = ki.getX509Certificate();
}
if (x509cert == null) {
if (debug.messageEnabled()) {
debug.message(
"SAML2MetaSecurityUtils.verifySignature:" + " try to find cert in KeyDescriptor");
}
String xpath =
"following-sibling::*[local-name()=\""
+ TAG_KEY_DESCRIPTOR
+ "\" and namespace-uri()=\""
+ NS_META
+ "\"]";
Node node = XPathAPI.selectSingleNode(sigElement, xpath);
if (node != null) {
Element kd = (Element) node;
String use = kd.getAttributeNS(null, ATTR_USE);
if ((use.length() == 0) || use.equals("signing")) {
NodeList nl = kd.getChildNodes();
for (int j = 0; j < nl.getLength(); j++) {
Node child = nl.item(j);
if (child.getNodeType() == Node.ELEMENT_NODE) {
String localName = child.getLocalName();
String ns = child.getNamespaceURI();
if (TAG_KEY_INFO.equals(localName) && NS_XMLSIG.equals(ns)) {
ki = new KeyInfo((Element) child, "");
if (ki.containsX509Data()) {
if (keyStore != null) {
KeyStoreResolver ksr = new KeyStoreResolver(keyStore);
StorageResolver sr = new StorageResolver(ksr);
ki.addStorageResolver(sr);
}
x509cert = ki.getX509Certificate();
}
}
break;
}
}
}
}
}
if (x509cert == null) {
throw new SAML2MetaException("verify_no_cert", objs);
}
if (checkCert
&& ((keyProvider == null) || (keyProvider.getCertificateAlias(x509cert) == null))) {
throw new SAML2MetaException("untrusted_cert", objs);
}
PublicKey pk = x509cert.getPublicKey();
if (!signature.checkSignatureValue(pk)) {
throw new SAML2MetaException("verify_fail", objs);
}
} catch (SAML2MetaException sme) {
throw sme;
} catch (Exception ex) {
debug.error("SAML2MetaSecurityUtils.verifySignature: ", ex);
throw new SAML2MetaException(
Locale.getString(SAML2MetaUtils.resourceBundle, "verify_fail", objs)
+ "\n"
+ ex.getMessage());
}
}
}
static {
bundle = Locale.getInstallResourceBundle("libSOAPBinding");
faultStringServerError = bundle.getString("ServerError");
debug = Debug.getInstance("libIDWSF");
try {
messageFactory = MessageFactory.newInstance();
} catch (Exception ex) {
debug.error("Utils.static: Unable to create SOAP Message Factory", ex);
}
String tmpNSPre = SystemPropertiesManager.get(NAMESPACE_PREFIX_MAPPING_LIST_PROP);
if (tmpNSPre != null && tmpNSPre.length() > 0) {
StringTokenizer stz = new StringTokenizer(tmpNSPre, "|");
while (stz.hasMoreTokens()) {
String token = stz.nextToken().trim();
int index = token.indexOf('=');
if (index != -1 && index != 0 && index != token.length() - 1) {
String prefix = token.substring(0, index);
String ns = token.substring(index + 1);
if (debug.messageEnabled()) {
debug.message("Utils.static: add ns = " + ns + ", prefix = " + prefix);
}
nsPrefix.put(ns, prefix);
} else {
if (debug.warningEnabled()) {
debug.warning(
"Utils.static: Invalid syntax " + "for Namespace Prefix Mapping List: " + token);
}
}
}
}
String tmpJaxbPkgs = SystemPropertiesManager.get(JAXB_PACKAGE_LIST_PROP);
if (tmpJaxbPkgs != null && tmpJaxbPkgs.length() > 0) {
jaxbPackages = DEFAULT_JAXB_PACKAGES + ":" + tmpJaxbPkgs;
} else {
jaxbPackages = DEFAULT_JAXB_PACKAGES;
}
if (debug.messageEnabled()) {
debug.message("Utils.static: jaxbPackages = " + jaxbPackages);
}
try {
jc = JAXBContext.newInstance(jaxbPackages);
} catch (JAXBException jaxbe) {
Utils.debug.error("Utils.static:", jaxbe);
}
String tmpstr = SystemPropertiesManager.get(STALE_TIME_LIMIT_PROP);
if (tmpstr != null) {
try {
stale_time_limit = Integer.parseInt(tmpstr);
} catch (Exception ex) {
if (debug.warningEnabled()) {
debug.warning(
"Utils.static: Unable to get stale time " + "limit. Default value will be used");
}
}
}
tmpstr = SystemPropertiesManager.get(SUPPORTED_ACTORS_PROP);
if (tmpstr != null) {
StringTokenizer stz = new StringTokenizer(tmpstr, "|");
while (stz.hasMoreTokens()) {
String token = stz.nextToken();
if (token.length() > 0) {
supportedActors.add(token);
}
}
}
tmpstr = SystemPropertiesManager.get(MESSAGE_ID_CACHE_CLEANUP_INTERVAL_PROP);
if (tmpstr != null) {
try {
message_ID_cleanup_interval = Integer.parseInt(tmpstr);
} catch (Exception ex) {
if (debug.warningEnabled()) {
debug.warning(
"Utils.CleanUpThread.static: Unable to"
+ " get stale time limit. Default value "
+ "will be used");
}
}
}
messageIDMap = new PeriodicCleanUpMap(message_ID_cleanup_interval, stale_time_limit);
SystemTimerPool.getTimerPool()
.schedule(
(TaskRunnable) messageIDMap,
new Date(((System.currentTimeMillis() + message_ID_cleanup_interval) / 1000) * 1000));
}
/*
* Process the XMLRequest
*/
private AuthXMLResponse processAuthXMLRequest(
String xml,
AuthXMLRequest authXMLRequest,
HttpServletRequest servletRequest,
HttpServletResponse servletResponse) {
if (messageEnabled) {
debug.message("authXMLRequest is : " + authXMLRequest);
}
int requestType = authXMLRequest.getRequestType();
String sessionID = authXMLRequest.getAuthIdentifier();
String orgName = authXMLRequest.getOrgName();
AuthContextLocal authContext = authXMLRequest.getAuthContext();
LoginState loginState = AuthUtils.getLoginState(authContext);
String params = authXMLRequest.getParams();
List envList = authXMLRequest.getEnvironment();
Map envMap = toEnvMap(envList);
AuthXMLResponse authResponse = new AuthXMLResponse(requestType);
authResponse.setAuthContext(authContext);
authResponse.setAuthIdentifier(sessionID);
if (messageEnabled) {
debug.message("authContext is : " + authContext);
debug.message("requestType : " + requestType);
}
if (authXMLRequest.getValidSessionNoUpgrade()) {
authResponse.setAuthXMLRequest(authXMLRequest);
authResponse.setValidSessionNoUpgrade(true);
return authResponse;
}
String securityEnabled = null;
try {
securityEnabled = AuthUtils.getRemoteSecurityEnabled();
} catch (AuthException auExp) {
debug.error("Got Exception", auExp);
setErrorCode(authResponse, auExp);
return authResponse;
}
if (debug.messageEnabled()) {
debug.message("Security Enabled = " + securityEnabled);
}
if (requestType != 0) {
if ((securityEnabled != null) && (securityEnabled.equals("true"))) {
security = true;
String indexNameLoc = authXMLRequest.getIndexName();
AuthContext.IndexType indexTypeLoc = authXMLRequest.getIndexType();
if (indexTypeLoc == null) {
indexTypeLoc = AuthUtils.getIndexType(authContext);
indexNameLoc = AuthUtils.getIndexName(authContext);
}
if (debug.messageEnabled()) {
debug.message("Index Name Local : " + indexNameLoc);
debug.message("Index Type Local : " + indexTypeLoc);
}
if (((indexTypeLoc == null) || (indexNameLoc == null))
|| !((indexTypeLoc == AuthContext.IndexType.MODULE_INSTANCE)
&& indexNameLoc.equals("Application"))) {
try {
String ssoTokenID = authXMLRequest.getAppSSOTokenID();
if (debug.messageEnabled()) {
debug.message("Session ID = : " + ssoTokenID);
}
SSOTokenManager manager = SSOTokenManager.getInstance();
SSOToken appSSOToken = manager.createSSOToken(ssoTokenID);
// if the token isn't valid, let the client know so they
// retry
if (!manager.isValidToken(appSSOToken)) {
if (debug.messageEnabled()) {
debug.message("App SSOToken is not valid");
}
setErrorCode(
authResponse,
new AuthException(AMAuthErrorCode.REMOTE_AUTH_INVALID_SSO_TOKEN, null));
return authResponse;
} else {
debug.message("App SSOToken is VALID");
}
} catch (SSOException ssoe) {
// token is unknown to OpenAM, let the client know so they
// can retry
if (debug.messageEnabled()) {
debug.message("App SSOToken is not valid: " + ssoe.getMessage());
}
setErrorCode(
authResponse,
new AuthException(AMAuthErrorCode.REMOTE_AUTH_INVALID_SSO_TOKEN, null));
return authResponse;
} catch (Exception exp) {
debug.error("Got Exception", exp);
setErrorCode(authResponse, exp);
return authResponse;
}
}
}
} else {
security = false;
}
// if index type is level and choice callback has a
// selected choice then start module based authentication.
if ((AuthUtils.getIndexType(authContext) == AuthContext.IndexType.LEVEL)
|| (AuthUtils.getIndexType(authContext) == AuthContext.IndexType.COMPOSITE_ADVICE)) {
Callback[] callbacks = authXMLRequest.getSubmittedCallbacks();
if (messageEnabled) {
debug.message("Callbacks are : " + callbacks);
}
if (callbacks != null) {
if (messageEnabled) {
debug.message("Callback length is : " + callbacks.length);
}
if (callbacks[0] instanceof ChoiceCallback) {
ChoiceCallback cc = (ChoiceCallback) callbacks[0];
int[] selectedIndexes = cc.getSelectedIndexes();
int selected = selectedIndexes[0];
String[] choices = cc.getChoices();
String indexName = choices[selected];
if (messageEnabled) {
debug.message("Selected Index is : " + indexName);
}
authXMLRequest.setIndexType("moduleInstance");
authXMLRequest.setIndexName(indexName);
authXMLRequest.setRequestType(AuthXMLRequest.LoginIndex);
requestType = AuthXMLRequest.LoginIndex;
}
}
}
AuthContext.Status loginStatus = AuthContext.Status.IN_PROGRESS;
HttpServletRequest clientRequest = authXMLRequest.getClientRequest();
if (loginState != null) {
loginState.setHttpServletRequest(clientRequest);
loginState.setHttpServletResponse(authXMLRequest.getClientResponse());
if (clientRequest != null) {
loginState.setParamHash(AuthUtils.parseRequestParameters(clientRequest));
}
}
switch (requestType) {
case AuthXMLRequest.NewAuthContext:
try {
processNewRequest(servletRequest, servletResponse, authResponse, loginState, authContext);
postProcess(loginState, authResponse);
} catch (Exception ex) {
debug.error("Error in NewAuthContext ", ex);
setErrorCode(authResponse, ex);
}
break;
case AuthXMLRequest.Login:
try {
if (sessionID != null && sessionID.equals("0")) {
processNewRequest(
servletRequest, servletResponse, authResponse, loginState, authContext);
}
String clientHost = null;
if (security) {
clientHost = authXMLRequest.getHostName();
if (messageEnabled) {
debug.message("Client Host from Request = " + clientHost);
}
}
if ((clientHost == null) && (servletRequest != null)) {
clientHost = ClientUtils.getClientIPAddress(servletRequest);
}
loginState.setClient(clientHost);
authContext.login();
// setServletRequest(servletRequest,authContext);
processRequirements(xml, authContext, authResponse, params, servletRequest);
loginStatus = authContext.getStatus();
authResponse.setRemoteRequest(loginState.getHttpServletRequest());
authResponse.setRemoteResponse(loginState.getHttpServletResponse());
postProcess(loginState, authResponse);
checkACException(authResponse, authContext);
} catch (Exception ex) {
debug.error("Error during login ", ex);
setErrorCode(authResponse, ex);
authResponse.setLoginStatus(authContext.getStatus());
}
break;
case AuthXMLRequest.LoginIndex:
try {
AuthContext.IndexType indexType = authXMLRequest.getIndexType();
String indexName = authXMLRequest.getIndexName();
if (messageEnabled) {
debug.message("indexName is : " + indexName);
debug.message("indexType is : " + indexType);
}
if (sessionID != null && sessionID.equals("0")) {
processNewRequest(
servletRequest, servletResponse, authResponse, loginState, authContext);
}
String clientHost = null;
if (security) {
clientHost = authXMLRequest.getHostName();
if (messageEnabled) {
debug.message("Client Host from Request = " + clientHost);
}
}
if ((clientHost == null) && (servletRequest != null)) {
clientHost = ClientUtils.getClientIPAddress(servletRequest);
}
loginState.setClient(clientHost);
String locale = authXMLRequest.getLocale();
if (locale != null && locale.length() > 0) {
if (debug.messageEnabled()) {
debug.message("locale is : " + locale);
}
authContext.login(indexType, indexName, envMap, locale);
} else {
authContext.login(indexType, indexName, envMap, null);
}
// setServletRequest(servletRequest,authContext);
processRequirements(xml, authContext, authResponse, params, servletRequest);
loginStatus = authContext.getStatus();
authResponse.setRemoteRequest(loginState.getHttpServletRequest());
authResponse.setRemoteResponse(loginState.getHttpServletResponse());
postProcess(loginState, authResponse);
checkACException(authResponse, authContext);
} catch (Exception ex) {
debug.error("Exception during LoginIndex", ex);
setErrorCode(authResponse, ex);
}
break;
case AuthXMLRequest.LoginSubject:
try {
Subject subject = authXMLRequest.getSubject();
authContext.login(subject);
// setServletRequest(servletRequest,authContext);
processRequirements(xml, authContext, authResponse, params, servletRequest);
postProcess(loginState, authResponse);
loginStatus = authContext.getStatus();
checkACException(authResponse, authContext);
} catch (AuthLoginException ale) {
debug.error("Exception during LoginSubject", ale);
setErrorCode(authResponse, ale);
}
break;
case AuthXMLRequest.SubmitRequirements:
try {
// setServletRequest(servletRequest,authContext);
Callback[] submittedCallbacks = authXMLRequest.getSubmittedCallbacks();
authContext.submitRequirements(submittedCallbacks);
Callback[] reqdCallbacks = null;
if (authContext.hasMoreRequirements()) {
reqdCallbacks = authContext.getRequirements();
authResponse.setReqdCallbacks(reqdCallbacks);
}
authResponse.setRemoteRequest(loginState.getHttpServletRequest());
authResponse.setRemoteResponse(loginState.getHttpServletResponse());
postProcess(loginState, authResponse);
loginStatus = authContext.getStatus();
authResponse.setLoginStatus(loginStatus);
InternalSession oldSession = loginState.getOldSession();
authResponse.setOldSession(oldSession);
checkACException(authResponse, authContext);
} catch (Exception ex) {
debug.error("Error during submit requirements ", ex);
setErrorCode(authResponse, ex);
}
break;
case AuthXMLRequest.QueryInformation:
try {
if (sessionID != null && sessionID.equals("0")) {
processNewRequest(
servletRequest, servletResponse, authResponse, loginState, authContext);
}
Set moduleNames = authContext.getModuleInstanceNames();
authResponse.setModuleNames(moduleNames);
authResponse.setAuthContext(authContext);
postProcess(loginState, authResponse);
checkACException(authResponse, authContext);
} catch (Exception ex) {
debug.error("Error during Query Information", ex);
setErrorCode(authResponse, ex);
}
break;
case AuthXMLRequest.Logout:
// Object loginContext = null;
// InternalSession intSess = null;
// SSOToken token = null;
// boolean logoutCalled = false;
if (sessionID != null && !sessionID.equals("0")) {
/*intSess = AuthD.getSession(sessionID);
try {
token = SSOTokenManager.getInstance().
createSSOToken(sessionID);
if (debug.messageEnabled()) {
debug.message("AuthXMLHandler."
+ "processAuthXMLRequest: Created token "
+ "during logout = "+token);
}
} catch (com.iplanet.sso.SSOException ssoExp) {
if (debug.messageEnabled()) {
debug.message("AuthXMLHandler.processAuthXMLRequest:"
+ "SSOException checking validity of SSO Token");
}
}*/
try {
AuthUtils.logout(sessionID, servletRequest, servletResponse);
} catch (com.iplanet.sso.SSOException ssoExp) {
if (debug.messageEnabled()) {
debug.message(
"AuthXMLHandler.processAuthXMLRequest:"
+ "SSOException checking validity of SSO Token");
}
}
}
/*if (intSess != null) {
loginContext = intSess.getObject(ISAuthConstants.
LOGIN_CONTEXT);
}
try {
if (loginContext != null) {
if (loginContext instanceof
javax.security.auth.login.LoginContext) {
javax.security.auth.login.LoginContext lc =
(javax.security.auth.login.LoginContext)
loginContext;
lc.logout();
} else {
com.sun.identity.authentication.jaas.LoginContext
jlc = (com.sun.identity.authentication.jaas.
LoginContext) loginContext;
jlc.logout();
}
logoutCalled = true;
}
} catch (javax.security.auth.login.LoginException loginExp) {
debug.error("AuthXMLHandler.processAuthXMLRequest: "
+ "Cannot Execute module Logout", loginExp);
}
Set postAuthSet = null;
if (intSess != null) {
postAuthSet = (Set) intSess.getObject(ISAuthConstants.
POSTPROCESS_INSTANCE_SET);
}
if ((postAuthSet != null) && !(postAuthSet.isEmpty())) {
AMPostAuthProcessInterface postLoginInstance=null;
for(Iterator iter = postAuthSet.iterator();
iter.hasNext();) {
try {
postLoginInstance =
(AMPostAuthProcessInterface) iter.next();
postLoginInstance.onLogout(servletRequest,
servletResponse, token);
} catch (Exception exp) {
debug.error("AuthXMLHandler.processAuthXMLRequest: "
+ "Failed in post logout.", exp);
}
}
} else {
String plis = null;
if (intSess != null) {
plis = intSess.getProperty(
ISAuthConstants.POST_AUTH_PROCESS_INSTANCE);
}
if (plis != null && plis.length() > 0) {
StringTokenizer st = new StringTokenizer(plis, "|");
if (token != null) {
while (st.hasMoreTokens()) {
String pli = (String)st.nextToken();
try {
AMPostAuthProcessInterface postProcess =
(AMPostAuthProcessInterface)
Thread.currentThread().
getContextClassLoader().
loadClass(pli).newInstance();
postProcess.onLogout(servletRequest,
servletResponse, token);
} catch (Exception e) {
debug.error("AuthXMLHandler."
+ "processAuthXMLRequest:" + pli, e);
}
}
}
}
}
try {
boolean isTokenValid = SSOTokenManager.getInstance().
isValidToken(token);
if ((token != null) && isTokenValid) {
AuthD.getAuth().logLogout(token);
Session session = Session.getSession(
new SessionID(sessionID));
session.logout();
debug.message("logout successful.");
}
} catch (com.iplanet.dpro.session.SessionException
sessExp) {
if (debug.messageEnabled()) {
debug.message("AuthXMLHandler."
+ "processAuthXMLRequest: SessionException"
+ " checking validity of SSO Token");
}
} catch (com.iplanet.sso.SSOException ssoExp) {
if (debug.messageEnabled()) {
debug.message("AuthXMLHandler."
+ "processAuthXMLRequest: SSOException "
+ "checking validity of SSO Token");
}
}*/
authResponse.setLoginStatus(AuthContext.Status.COMPLETED);
break;
case AuthXMLRequest.Abort:
try {
authContext.abort();
loginStatus = authContext.getStatus();
authResponse.setLoginStatus(loginStatus);
checkACException(authResponse, authContext);
} catch (AuthLoginException ale) {
debug.error("Error aborting ", ale);
setErrorCode(authResponse, ale);
}
break;
}
if (messageEnabled) {
debug.message("loginStatus: " + loginStatus);
if (authContext != null) {
debug.message("error Code: " + authContext.getErrorCode());
debug.message("error Template: " + authContext.getErrorTemplate());
}
}
if (loginStatus == AuthContext.Status.FAILED) {
if ((authContext.getErrorMessage() != null)
&& (authContext
.getErrorMessage()
.equals(
AMResourceBundleCache.getInstance()
.getResBundle(
"amAuthLDAP",
com.sun.identity.shared.locale.Locale.getLocale(loginState.getLocale()))
.getString(ISAuthConstants.EXCEED_RETRY_LIMIT)))) {
loginState.setErrorCode(AMAuthErrorCode.AUTH_LOGIN_FAILED);
}
if ((authContext.getErrorCode() != null) && ((authContext.getErrorCode()).length() > 0)) {
authResponse.setErrorCode(authContext.getErrorCode());
}
checkACException(authResponse, authContext);
if ((authContext.getErrorTemplate() != null)
&& ((authContext.getErrorTemplate()).length() > 0)) {
authResponse.setErrorTemplate(authContext.getErrorTemplate());
}
// Account Lockout Warning Check
if ((authContext.getErrorCode() != null)
&& (authContext.getErrorCode().equals(AMAuthErrorCode.AUTH_INVALID_PASSWORD))) {
String lockWarning = authContext.getLockoutMsg();
if ((lockWarning != null) && (lockWarning.length() > 0)) {
authResponse.setErrorMessage(lockWarning);
}
}
}
return authResponse;
}