static { String status = SystemProperties.get(Constants.AM_LOGSTATUS, "INACTIVE"); if ("ACTIVE".equalsIgnoreCase(status)) { logStatus = true; } // Get Directory Port value try { directoryPort = Integer.parseInt(SystemProperties.get(Constants.AM_DIRECTORY_PORT)); } catch (java.lang.NumberFormatException nfex) { directoryPort = 0; } // Get Session store String useHttpSessionStr = SystemProperties.get(ISAuthConstants.SESSION_STORE); if (useHttpSessionStr != null && useHttpSessionStr.equalsIgnoreCase("HttpSession")) { useHttpSession = true; } debug = Debug.getInstance(BUNDLE_NAME); if (debug.messageEnabled()) { debug.message("Directory Host: " + directoryHostName + "\nDirectory PORT : " + directoryPort); debug.message("Session store using " + useHttpSessionStr); } }
/** * This method will be invoked when a service's global configuration data has been changed. The * parameter <code>groupName</code> denote the name of the configuration grouping (e.g. default) * and <code>serviceComponent</code> denotes the service's sub-component that changed (e.g. <code> * /NamedPolicy</code>, <code>/Templates</code>). * * @param serviceName Name of the service. * @param version Version of the service. * @param groupName Name of the configuration grouping. * @param serviceComponent Name of the service components that changed. * @param type change type, i.e., ADDED, REMOVED or MODIFIED. */ public void globalConfigChanged( String serviceName, String version, String groupName, String serviceComponent, int type) { if (serviceName.equals(Constants.SVC_NAME_PLATFORM)) { if (serviceComponent.startsWith("/" + ConfigurationBase.CONFIG_SERVERS + "/")) { String serverName = serviceComponent.substring(PARENT_LEN); if (serverName.equals(ServerConfiguration.DEFAULT_SERVER_CONFIG) || serverName.equals(SystemProperties.getServerInstanceName())) { // always use the server instance name with initialising properties if (serverName.equals(ServerConfiguration.DEFAULT_SERVER_CONFIG)) { serverName = SystemProperties.getServerInstanceName(); } SSOToken adminToken = AccessController.doPrivileged(AdminTokenAction.getInstance()); try { Properties newProp = ServerConfiguration.getServerInstance(adminToken, serverName); SystemProperties.initializeProperties(newProp, true, true); notifies(Constants.SVC_NAME_PLATFORM); } catch (SSOException | IOException | SMSException ex) { // ignored } } } else { notifies(Constants.SVC_NAME_PLATFORM); } } else { /* need to do this else bcoz some of the property have been moved * to services */ notifies(serviceName); } }
/** * Retrieves all server info set on the server. * * @param context Current Server Context. * @param realm realm in whose security context we use. */ private Promise<ResourceResponse, ResourceException> getAllServerInfo( Context context, String realm) { JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1)); Set<String> cookieDomains; ResourceResponse resource; // added for the XUI to be able to understand its locale to request the appropriate translations // to cache ISLocaleContext localeContext = new ISLocaleContext(); HttpContext httpContext = context.asContext(HttpContext.class); localeContext.setLocale( httpContext); // we have nothing else to go on at this point other than their request SelfServiceInfo selfServiceInfo = configHandler.getConfig(realm, SelfServiceInfoBuilder.class); RestSecurity restSecurity = restSecurityProvider.get(realm); Set<String> protectedUserAttributes = new HashSet<>(); protectedUserAttributes.addAll(selfServiceInfo.getProtectedUserAttributes()); protectedUserAttributes.addAll(restSecurity.getProtectedUserAttributes()); try { cookieDomains = AuthClientUtils.getCookieDomains(); result.put("domains", cookieDomains); result.put("protectedUserAttributes", protectedUserAttributes); result.put( "cookieName", SystemProperties.get(Constants.AM_COOKIE_NAME, "iPlanetDirectoryPro")); result.put("secureCookie", CookieUtils.isCookieSecure()); result.put("forgotPassword", String.valueOf(selfServiceInfo.isForgottenPasswordEnabled())); result.put("forgotUsername", String.valueOf(selfServiceInfo.isForgottenUsernameEnabled())); result.put("kbaEnabled", String.valueOf(selfServiceInfo.isKbaEnabled())); result.put("selfRegistration", String.valueOf(selfServiceInfo.isUserRegistrationEnabled())); result.put("lang", getJsLocale(localeContext.getLocale())); result.put("successfulUserRegistrationDestination", "default"); result.put("socialImplementations", getSocialAuthnImplementations(realm)); result.put("referralsEnabled", Boolean.FALSE.toString()); result.put("zeroPageLogin", AuthUtils.getZeroPageLoginConfig(realm)); result.put("realm", realm); result.put( "xuiUserSessionValidationEnabled", SystemProperties.getAsBoolean(Constants.XUI_USER_SESSION_VALIDATION_ENABLED, true)); if (debug.messageEnabled()) { debug.message( "ServerInfoResource.getAllServerInfo ::" + " Added resource to response: " + ALL_SERVER_INFO); } resource = newResourceResponse(ALL_SERVER_INFO, Integer.toString(result.asMap().hashCode()), result); return newResultPromise(resource); } catch (Exception e) { debug.error( "ServerInfoResource.getAllServerInfo : Cannot retrieve all server info domains.", e); return new NotFoundException(e.getMessage()).asPromise(); } }
/** Creates <code>AuthXMLHandler</code> object */ public AuthXMLHandler() { localAuthServerProtocol = SystemProperties.get(Constants.AM_SERVER_PROTOCOL); localAuthServer = SystemProperties.get(Constants.AM_SERVER_HOST); localAuthServerPort = SystemProperties.get(Constants.AM_SERVER_PORT); AuthContext.localAuthServiceID = localAuthServerProtocol + "://" + localAuthServer + ":" + localAuthServerPort; locale = (new ISLocaleContext()).getLocale(); }
/** * Updates the <code>iPlanetAMLoggingService<code> service schema. * * @return true if successful otherwise false. */ public boolean migrateService() { boolean isSuccess = false; try { // read the values from AMConfig.properties String logStatus = SystemProperties.get("com.iplanet.am.logStatus"); String resolveHostName = SystemProperties.get("com.sun.identity.log.resolveHostName"); // update default value Set defaultValues = new HashSet(); defaultValues.add("NameID"); UpgradeUtils.addAttributeDefaultValues( SERVICE_NAME, null, schemaType, LOG_ALL_FIELDS_ATTR_NAME, defaultValues); // update choice value Map choiceValuesMap = new HashMap(); choiceValuesMap.put("choiceNameID", defaultValues); UpgradeUtils.addAttributeChoiceValues( SERVICE_NAME, null, schemaType, LOG_ATTR_NAME, choiceValuesMap); // add new attribute schema String fileName = UpgradeUtils.getAbsolutePath(SERVICE_DIR, SCHEMA_FILE); UpgradeUtils.addAttributeToSchema(SERVICE_NAME, schemaType, fileName); // populate the default values for logstatus & resolveHostName // from amconfig.properties defaultValues.clear(); defaultValues.add(logStatus); UpgradeUtils.setAttributeDefaultValues( SERVICE_NAME, null, schemaType, LOG_STATUS_ATTR, defaultValues); defaultValues.clear(); defaultValues.add(resolveHostName); UpgradeUtils.setAttributeDefaultValues( SERVICE_NAME, null, schemaType, RESOLVE_HOSTNAME_ATTR, defaultValues); String histNumFile = UpgradeUtils.getAttributeValueString(SERVICE_NAME, LOG_HIST_NUM_ATTR_NAME, schemaType); if (histNumFile != null && histNumFile.equals(DEFAULT_HIST_NUM)) { defaultValues.clear(); defaultValues.add(NEW_DEFAULT_HIST_NUM); UpgradeUtils.setAttributeDefaultValues( SERVICE_NAME, null, schemaType, LOG_HIST_NUM_ATTR_NAME, defaultValues); } String maxLogSize = UpgradeUtils.getAttributeValueString( SERVICE_NAME, LOG_MAX_FILE_SIZE_ATTR_NAME, schemaType); if (maxLogSize != null && maxLogSize.equals(DEFAULT_LOG_SIZE)) { defaultValues.clear(); defaultValues.add(NEW_DEFAULT_LOG_SIZE); UpgradeUtils.setAttributeDefaultValues( SERVICE_NAME, null, schemaType, LOG_MAX_FILE_SIZE_ATTR_NAME, defaultValues); } isSuccess = true; } catch (UpgradeException e) { UpgradeUtils.debug.error("Error loading data:" + SERVICE_NAME, e); } return isSuccess; }
private void createAttributeMapping() { // this does not apply client mode because client's property // never get store in SMS services if (SystemProperties.isServerMode()) { Map attributeMap = SystemProperties.getAttributeMap(); for (Iterator i = attributeMap.values().iterator(); i.hasNext(); ) { AttributeStruct a = (AttributeStruct) i.next(); migratedServiceNames.add(a.getServiceName()); } } }
/** * @param config the ServletConfig object that contains configutation information for this * servlet. * @exception ServletException if an exception occurs that interrupts the servlet's normal * operation. */ public void init(ServletConfig config) throws ServletException { super.init(config); if (debug.messageEnabled()) { debug.message("CDCClientServlet.init:CDCClientServlet " + "Initializing..."); } try { tokenManager = SSOTokenManager.getInstance(); } catch (SSOException ssoe) { debug.error("CDCClientServlet.init:unable to get SSOTokenManager", ssoe); } authURLCookieName = SystemProperties.get(Constants.AUTH_UNIQUE_COOKIE_NAME, "sunIdentityServerAuthNServer"); authURLCookieDomain = SystemProperties.get(Constants.AUTH_UNIQUE_COOKIE_DOMAIN, ""); deployDescriptor = SystemProperties.get(Constants.AM_DISTAUTH_DEPLOYMENT_DESCRIPTOR, "/distauth"); }
/** * Perform a remote setProperty on the Session using the remote Service URL. * * <p>{@inheritDoc} */ public void setProperty(Session session, String name, String value) throws SessionException { if (debug.messageEnabled()) { debug.message(MessageFormat.format("Remote setProperty {0} {1}={2}", session, name, value)); } SessionID sessionID = session.getID(); SessionRequest sreq = new SessionRequest(SessionRequest.SetProperty, sessionID.toString(), false); sreq.setPropertyName(name); sreq.setPropertyValue(value); if (SystemProperties.isServerMode() && InternalSession.isProtectedProperty(name)) { try { SSOToken admSSOToken = SessionUtils.getAdminToken(); sreq.setRequester(RestrictedTokenContext.marshal(admSSOToken)); } catch (SSOException e) { throw new SessionException(e); } catch (Exception e) { throw new SessionException(e); } if (debug.messageEnabled()) { debug.message( "Session.setProperty: " + "added admSSOToken in sreq to set " + "externalProtectedProperty in remote server"); } } requests.sendRequestWithRetry(session.getSessionServiceURL(), sreq, session); }
private void generateSvrReport(String path) { if (loadConfig(path)) { ssoToken = getAdminSSOToken(); if (ssoToken != null) { // All the properties should be loaded at this point Properties prop = SystemProperties.getAll(); Properties amProp = new Properties(); Properties sysProp = new Properties(); for (Enumeration e = prop.propertyNames(); e.hasMoreElements(); ) { String key = (String) e.nextElement(); String val = (String) prop.getProperty(key); if (key.startsWith(AM_PROP_SUN_SUFFIX) || key.startsWith(AM_PROP_SUFFIX) || key.startsWith(ENC_PWD_PROPERTY)) { amProp.put(key, val); } else { sysProp.put(key, val); } } printProperties(amProp, DEF_PROP); printProperties(sysProp, SYS_PROP); getInstanceProperties(ssoToken); } else { toolOutWriter.printError("rpt-auth-msg"); } } else { toolOutWriter.printStatusMsg(false, "rpt-svr-gen"); } }
/** * Returns Replication Status by invoking OpenDJ <code>dsreplication</code> CLI * * @param port LDAP port number of embedded OpenDJ * @param passwd Directory Manager password * @param oo Standard output * @param err : Standard error * @return <code>dsreplication</code> CLI exit code. */ public static int getReplicationStatus( String port, String passwd, OutputStream oo, OutputStream err) { Debug debug = Debug.getInstance(SetupConstants.DEBUG_NAME); String baseDir = SystemProperties.get(SystemProperties.CONFIG_PATH); String[] statusCmd = { "status", "--no-prompt", "-h", "localhost", "-p", port, "--adminUID", "admin", "--adminPassword", passwd, "-s", "--configFile", baseDir + "/opends/config/config.ldif" }; if (debug.messageEnabled()) { String dbgcmd = concat(statusCmd).replaceAll(passwd, "****"); debug.message("EmbeddedOpenDS:getReplicationStatus:exec dsreplication :" + dbgcmd); } int ret = ReplicationCliMain.mainCLI(statusCmd, false, oo, err, null); if (debug.messageEnabled()) { debug.message("EmbeddedOpenDS:getReplicationStatus:dsreplication ret:" + ret); } return ret; }
/* build the trust source set*/ private static Set getTrustedSourceList() throws SessionException { Set result = new HashSet(); try { String rawList = SystemProperties.get(Constants.TRUSTED_SOURCE_LIST); if (rawList != null) { StringTokenizer stk = new StringTokenizer(rawList, ","); while (stk.hasMoreTokens()) { result.add(InetAddress.getByName(stk.nextToken())); } } else { // use platform server list as a default fallback Vector psl = WebtopNaming.getPlatformServerList(); if (psl == null) { throw new SessionException(SessionBundle.rbName, "emptyTrustedSourceList", null); } for (Enumeration e = psl.elements(); e.hasMoreElements(); ) { try { URL url = new URL((String) e.nextElement()); result.add(InetAddress.getByName(url.getHost())); } catch (Exception ex) { debug.error("SessionUtils.getTrustedSourceList : " + "Validating Host exception", ex); } } } } catch (Exception e) { throw new SessionException(e); } return result; }
private AuthD() { debug.message("AuthD initializing"); try { rootSuffix = defaultOrg = ServiceManager.getBaseDN(); initAuthSessions(); initAuthServiceGlobalSettings(); initPlatformServiceGlobalSettings(); initSessionServiceDynamicSettings(); initAuthConfigGlobalSettings(); bundle = com.sun.identity.shared.locale.Locale.getInstallResourceBundle(BUNDLE_NAME); ResourceBundle platBundle = com.sun.identity.shared.locale.Locale.getInstallResourceBundle("amPlatform"); platformCharset = platBundle.getString(ISAuthConstants.PLATFORM_CHARSET_ATTR); printProfileAttrs(); // Initialize AuthXMLHandler so that AdminTokenAction can // generate DPro Session's SSOToken new com.sun.identity.authentication.server.AuthXMLHandler(); authInitFailed = false; } catch (Exception ex) { debug.error("AuthD init()", ex); authInitFailed = true; } try { enforceJAASThread = Boolean.valueOf(SystemProperties.get(Constants.ENFORCE_JAAS_THREAD)).booleanValue(); } catch (Exception e) { if (debug.messageEnabled()) { debug.message("Wrong format of " + Constants.ENFORCE_JAAS_THREAD); } } }
@Override public StoreMode getStoreMode() { String mode = SystemProperties.get(STORE_LOCATION); if (StringUtils.isNotEmpty(mode)) { return StoreMode.valueOf(mode.toUpperCase()); } else { return StoreMode.DEFAULT; } }
private static HashSet getPropertyRetryErrorCodes(String key) { HashSet codes = new HashSet(); String retryErrorStr = SystemProperties.get(key); if (retryErrorStr != null && retryErrorStr.trim().length() > 0) { StringTokenizer stz = new StringTokenizer(retryErrorStr, ","); while (stz.hasMoreTokens()) { codes.add(stz.nextToken().trim()); } } return codes; }
private static void initConfig() { adviceParams.add("module"); adviceParams.add("authlevel"); adviceParams.add("role"); adviceParams.add("service"); adviceParams.add("user"); adviceParams.add("realm"); adviceParams.add("org"); adviceParams.add("resource"); adviceParams.add("sunamcompositeadvice"); String invalidStrings = SystemPropertiesManager.get(Constants.INVALID_GOTO_STRINGS); if (INVALID_SET.isEmpty()) { debug.message("CDCClientServlet.initConfig: creating invalidSet"); if (invalidStrings == null) { debug.message("CDCClientServlet.initConfig: invalidStrings is null"); INVALID_SET.add(LEFT_ANGLE); INVALID_SET.add(RIGHT_ANGLE); INVALID_SET.add(URLENC_LEFT_ANGLE); INVALID_SET.add(URLENC_RIGHT_ANGLE); INVALID_SET.add(JAVASCRIPT); INVALID_SET.add(URLENC_JAVASCRIPT); } else { if (debug.messageEnabled()) { debug.message("CDCClientServlet.initConfig: invalidStrings is: " + invalidStrings); } StringTokenizer st = new StringTokenizer(invalidStrings, DELIM); while (st.hasMoreTokens()) { INVALID_SET.add(st.nextToken()); } } debug.message("CDCClientServlet.initConfig: created invalidSet " + INVALID_SET); } String urlFromProps = SystemProperties.get(Constants.CDCSERVLET_LOGIN_URL); cdcAuthURI = (urlFromProps != null) ? urlFromProps : AUTHURI; String validLoginURIStrings = SystemPropertiesManager.get(Constants.VALID_LOGIN_URIS); debug.message("CDCClientServlet.initConfig: creating validLoginURISet"); if (validLoginURIStrings == null) { debug.message( "CDCClientServlet.initConfig: validLoginURIStrings is null, creating default set"); VALID_LOGIN_URIS.add(cdcAuthURI); } else { if (debug.messageEnabled()) { debug.message( "CDCClientServlet.initConfig: validLoginURIStrings is: " + validLoginURIStrings); } StringTokenizer st = new StringTokenizer(validLoginURIStrings, DELIM); while (st.hasMoreTokens()) { VALID_LOGIN_URIS.add(st.nextToken()); } } debug.message("CDCClientServlet.initConfig: created validLoginURISet " + VALID_LOGIN_URIS); }
static { String tmp = SystemProperties.get("com.iplanet.am.jssproxy.trustAllServerCerts"); trustAllServerCerts = (tmp != null && tmp.equalsIgnoreCase("true")); tmp = SystemProperties.get("com.iplanet.am.jssproxy.checkSubjectAltName"); checkSubjectAltName = (tmp != null && tmp.equalsIgnoreCase("true")); tmp = SystemProperties.get("com.iplanet.am.jssproxy.resolveIPAddress"); resolveIPAddress = (tmp != null && tmp.equalsIgnoreCase("true")); tmp = SystemProperties.get("com.iplanet.am.jssproxy.SSLTrustHostList", null); if (tmp != null) { getSSLTrustHosts(tmp); } if (debug.messageEnabled()) { debug.message("AMHostnameVerifier trustAllServerCerts = " + trustAllServerCerts); debug.message("AMHostnameVerifier checkSubjectAltName = " + checkSubjectAltName); debug.message("AMHostnameVerifier resolveIPAddress = " + resolveIPAddress); debug.message("AMHostnameVerifier SSLTrustHostList = " + sslTrustHosts.toString()); } }
public Class<? extends DataLayerConnectionModule> getConfigurationClass() { String configuredTypeKey = CONFIGURATION_CLASS_PROPERTY_PREFIX + this.name(); String configuredType = SystemProperties.get(configuredTypeKey); if (StringUtils.isNotBlank(configuredType)) { try { return Class.forName(configuredType).asSubclass(DataLayerConnectionModule.class); } catch (ClassNotFoundException e) { throw new IllegalStateException( "Configured data layer configuration type does not exist: " + configuredTypeKey + " is configured as " + configuredType); } } return configurationClass; }
// Static Initialization Stanza. static { sessionDebug = Debug.getInstance("amSession"); if (doRequestFlag != null) { if (doRequestFlag.equals("false")) doRequest = false; } if (hcPath == null) { String deployuri = SystemProperties.get(Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR, "/openam"); hcPath = deployuri + "/namingservice"; if (!hcPath.startsWith("/")) { hcPath += "/" + hcPath; } GET_REQUEST = "GET " + hcPath + " HTTP/1.0"; } } // End of Static Initialization Stanza
@Override public void updateExternalLdapConfiguration( ModifiedProperty<String> hosts, ModifiedProperty<String> username, ModifiedProperty<String> password, ModifiedProperty<String> maxConnections, ModifiedProperty<Boolean> sslMode, ModifiedProperty<Integer> heartbeat) { hosts.set(SystemProperties.get(STORE_HOSTNAME)); username.set(SystemProperties.get(STORE_USERNAME)); password.set(AMPasswordUtil.decrypt(SystemProperties.get(STORE_PASSWORD))); maxConnections.set(SystemProperties.get(STORE_MAX_CONNECTIONS)); sslMode.set(SystemProperties.getAsBoolean(STORE_SSL_ENABLED, false)); heartbeat.set(SystemProperties.getAsInt(STORE_HEARTBEAT, -1)); }
/** Create the global information report * @return */ private JsonValue globalInformationReport(Record record) { JsonObject report = JsonValueBuilder.jsonValue(); synchronized (dateFormat) { report.put(DATE_LABEL, dateFormat.format(new Date())); } report.put(OPENAM_VERSION_LABEL, SystemPropertiesManager.get(Constants.AM_VERSION)); // OpenAM properties contain a part of the OpenAM configuration, we need to have the config // export enable if (record.getRecordProperties().isConfigExportEnabled()) { JsonObject openAMPropertiesJson = JsonValueBuilder.jsonValue(); Properties sysProps = SystemProperties.getProperties(); for (String propertyName : sysProps.stringPropertyNames()) { report.put(propertyName, sysProps.getProperty(propertyName)); } report.put(OPENAM_PROPERTIES_LABEL, openAMPropertiesJson.build().asMap()); } return report.build(); }
/** * Returns Session Service URL for a Session ID. * * @param sid Session ID * @return Session Service URL. * @exception SessionException */ public URL getSessionServiceURL(SessionID sid) throws SessionException { String primaryId; if (SystemProperties.isServerMode()) { /** * Validate that the SessionID contains valid Server and Site references. This check is not * appropriate for client side code as only the Site reference is exposed to client code. */ sid.validate(); SessionService ss = InjectorHolder.getInstance(SessionService.class); if (ss.isSiteEnabled() && ss.isLocalSite(sid)) { if (ss.isSessionFailoverEnabled()) { return getSessionServiceURL(ss.getCurrentHostServer(sid)); } else { primaryId = sid.getExtension().getPrimaryID(); return getSessionServiceURL(primaryId); } } } else { primaryId = sid.getExtension().getPrimaryID(); if (primaryId != null) { String secondarysites = WebtopNaming.getSecondarySites(primaryId); String serverID = SessionService.getAMServerID(); if ((secondarysites != null) && (serverID != null)) { if (secondarysites.indexOf(serverID) != -1) { return getSessionServiceURL(serverID); } } } } return getSessionServiceURL( sid.getSessionServerProtocol(), sid.getSessionServer(), sid.getSessionServerPort(), sid.getSessionServerURI()); }
/** * Method to check if caching is enabled or disabled and configure the size of the cache * accordingly. */ private static void initializeParams() { // Check if the caching property is set in System runtime. String cacheSize = SystemProperties.get(CACHE_MAX_SIZE_KEY, "10000"); try { maxSize = Integer.parseInt(cacheSize); if (maxSize < 1) { maxSize = 10000; // Default } if (getDebug().messageEnabled()) { getDebug() .message( "CachedRemoteServicesImpl." + "intializeParams() Caching size set to: " + maxSize); } } catch (NumberFormatException ne) { maxSize = 10000; getDebug() .warning( "CachedRemoteServicesImpl.initializeParams() " + "- invalid value for cache size specified. Setting " + "to default value: " + maxSize); } }
private int validateTokenId(HttpServletRequest request) throws ServletException, IOException { String tokenId = request.getHeader(RestServiceManager.SUBJECT_HEADER_NAME); String hashed = request.getParameter(RestServiceManager.HASHED_SUBJECT_QUERY); if (((tokenId == null) || (tokenId.trim().length() == 0)) && ((hashed == null) || (hashed.trim().length() == 0))) { // by pass the check return HttpServletResponse.SC_OK; } if ((tokenId == null) || (tokenId.trim().length() == 0)) { try { SSOTokenManager mgr = SSOTokenManager.getInstance(); SSOToken token = mgr.createSSOToken(request); tokenId = token.getTokenID().toString(); } catch (SSOException e) { return HttpServletResponse.SC_UNAUTHORIZED; } } if (!Boolean.parseBoolean( SystemProperties.get(RestServiceManager.DISABLE_HASHED_SUBJECT_CHECK, "false"))) { if ((hashed == null) || (hashed.trim().length() == 0)) { return HttpServletResponse.SC_UNAUTHORIZED; } else { int idx = tokenId.indexOf(':'); if (idx != -1) { tokenId = tokenId.substring(idx + 1); } if (!Hash.hash(tokenId).equals(hashed)) { return HttpServletResponse.SC_UNAUTHORIZED; } } } return HttpServletResponse.SC_OK; }
private static int getPropertyIntValue(String key, int defaultValue) { int value = defaultValue; String valueStr = SystemProperties.get(key); if (valueStr != null && valueStr.trim().length() > 0) { try { value = Integer.parseInt(valueStr); } catch (NumberFormatException e) { value = defaultValue; if (debugger.warningEnabled()) { debugger.warning( "EventService.getPropertyIntValue(): " + "Invalid value for property: " + EVENT_CONNECTION_NUM_RETRIES + " Defaulting to value: " + defaultValue); } } } if (debugger.messageEnabled()) { debugger.message("EventService.getPropertyIntValue(): " + key + " = " + value); } return value; }
private String getSsoTokenId(OAuth2Request request) { return cookieExtractor.extract( ServletUtils.getRequest(request.<Request>getRequest()), SystemProperties.get("com.iplanet.am.cookie.name")); }
static { debug = com.sun.identity.shared.debug.Debug.getInstance("amXMLHandler"); messageEnabled = debug.messageEnabled(); serviceURI = SystemProperties.get(Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR) + "/authservice"; }
/** * This class Implements utility methods for handling HTTP Session. * * <p> */ public class SessionUtils { /** The QUERY encoding scheme */ public static final short QUERY = 0; /** The SLASH encoding scheme */ public static final short SLASH = 1; /** The SEMICOLON encoding scheme */ public static final short SEMICOLON = 2; static Debug debug = Debug.getInstance("amSessionUtils"); /** Set of trusted Inetaddresses */ private static Set trustedSources = null; /** The HTTPClient IPHeader */ private static final String httpClientIPHeader = SystemProperties.get(Constants.HTTP_CLIENT_IP_HEADER, "proxy-ip"); /** The SESSION_ENCRYPTION to check if this is encrypted session */ private static final boolean SESSION_ENCRYPTION = Boolean.valueOf(SystemProperties.get(Constants.SESSION_REPOSITORY_ENCRYPTION, "false")) .booleanValue(); /** * Returns a SessionID string based on a HttpServletRequest object or null if session id is not * present or there was an error. * * <p> * * @param request The HttpServletRequest object which contains the session string. * @return an encodeURL with sessionID or the url if session was not present or there was an * error. */ public static String getSessionId(HttpServletRequest request) { String sidString = (new SessionID(request)).toString(); if (sidString.length() == 0) { sidString = null; } return sidString; } /** * Returns URL encoded with the cookie Value (SSOToken ID) if cookies are not support. Throws an * SSOException in case of an error. * * <p>The cookie Value is written in the URL based on the encodingScheme specified. The Cookie * Value could be written as path info separated by either a "/" OR ";" or as a query string. * * <p>If the encoding scheme is SLASH then the cookie value would be written in the URL as extra * path info in the following format: * * <pre> * protocol://server:port/servletpath/<cookieName>=<cookieValue>? * queryString * </pre> * * <p>Note that this format works only if the path is a servlet, if a a jsp file is specified then * webcontainers return with "File Not found" error. To rewrite links which are JSP files with * cookie value use the SEMICOLON OR QUERY encoding scheme. * * <p>If the encoding scheme is SEMICOLON then the cookie value would be written in the URL as * extra path info in the following format: * * <pre> * protocol://server:port/path;<cookieName=cookieValue>?queryString * </pre> * * Note that this is not supported in the servlet specification and some web containers do not * support this. * * <p>If the encoding scheme is QUERY then the cookie value would be written in the URL in the * following format: * * <pre> * protocol://server:port/path?<cookieName>=<cookieValue> * protocol://server:port/path?queryString& * <cookieName>=<cookieValue> * </pre> * * <p>This is the default and OpenSSO always encodes in this format unless otherwise specified. If * the URL passed in has query parameter then entity escaping of ampersand will be done before * appending the cookie if the escape is true.Only the ampersand before appending cookie parameter * will be entity escaped. * * <p> * * @param ssoToken Single Sign Token which contains the session string. * @param url the URL to be encoded * @param encodingScheme possible values are <code>QUERY</code>, <code>SLASH</code>, <code> * SEMICOLON</code>. * @param escape <code>true</code> to escape ampersand when appending the Single Sign On Token ID * to request query string. * @return encoded URL with cookie value (session ID) based on the encoding scheme. * @exception SSOException if URL cannot be encoded. */ public static String encodeURL( SSOToken ssoToken, String url, short encodingScheme, boolean escape) throws SSOException { String encodedURL = url; try { SSOTokenID ssoTokenId = ssoToken.getTokenID(); SessionID sessionID = new SessionID(ssoTokenId.toString()); Session session = Session.getSession(sessionID); encodedURL = session.encodeURL(url, encodingScheme, escape); } catch (Exception e) { debug.message("Exception encoding URL ", e); throw new SSOException(e); } return encodedURL; } /** * Returns URL encoded with the cookie Value (SSOToken ID) if cookies are not supported. * * <p>This method assumes default encoding scheme which is QUERY. The cookie value would be * written in the URL in the following format: * * <pre> * protocol://server:port/path?<cookieName>=<cookieValue> * protocol://server:port/path?queryString& * <cookieName>=<cookieValue> * </pre> * * <p>This is the default and OpenSSO always encodes in this format unless otherwise specified. If * the URL passed in has query parameter then entity escaping of ampersand will be done before * appending the cookie if the escape is true.Only the ampersand before appending cookie parameter * will be entity escaped. * * <p> * * @param ssoToken Single Sign Token which contains the session string. * @param url the URL to be encoded. * @param escape <code>true</code> to escape ampersand when appending the Single Sign On Token ID * to request query string. * @return URL encoded with cookie Value in the query string. * @exception SSOException if URL cannot be encoded. */ public static String encodeURL(SSOToken ssoToken, String url, boolean escape) throws SSOException { String encodedURL = url; try { encodedURL = encodeURL(ssoToken, url, QUERY, escape); } catch (Exception e) { debug.message("Exception encoding url", e); throw new SSOException(e); } return encodedURL; } /** * Returns the remote IP address of the client * * @param servletRequest The HttpServletRequest object which contains the session string. * @return InetAddress the client address * @exception Exception */ public static InetAddress getClientAddress(HttpServletRequest servletRequest) throws Exception { InetAddress remoteClient = InetAddress.getByName(servletRequest.getRemoteAddr()); if (isTrustedSource(remoteClient)) { String proxyHeader = servletRequest.getHeader(httpClientIPHeader); if (proxyHeader != null) { remoteClient = InetAddress.getByName(proxyHeader); } } return remoteClient; } /* build the trust source set*/ private static Set getTrustedSourceList() throws SessionException { Set result = new HashSet(); try { String rawList = SystemProperties.get(Constants.TRUSTED_SOURCE_LIST); if (rawList != null) { StringTokenizer stk = new StringTokenizer(rawList, ","); while (stk.hasMoreTokens()) { result.add(InetAddress.getByName(stk.nextToken())); } } else { // use platform server list as a default fallback Vector psl = WebtopNaming.getPlatformServerList(); if (psl == null) { throw new SessionException(SessionBundle.rbName, "emptyTrustedSourceList", null); } for (Enumeration e = psl.elements(); e.hasMoreElements(); ) { try { URL url = new URL((String) e.nextElement()); result.add(InetAddress.getByName(url.getHost())); } catch (Exception ex) { debug.error("SessionUtils.getTrustedSourceList : " + "Validating Host exception", ex); } } } } catch (Exception e) { throw new SessionException(e); } return result; } /** * Returns the remote IP address of the client is a trusted source * * @param source the InetAddress of the remote client * @return a <code>true </code> if is a trusted source.<code>false> otherwise * @exception Exception */ public static boolean isTrustedSource(InetAddress source) throws SessionException { if (trustedSources == null) { trustedSources = getTrustedSourceList(); } return trustedSources.contains(source); } /** * Helper method to serialize and encrypt objects saved in the repository * * @param obj object to be serialized and encrypted * @return encrypted byte array containing serialized objects * @throws Exception if anything goes wrong */ public static byte[] encode(Object obj) throws Exception { ByteArrayOutputStream byteOut = new ByteArrayOutputStream(); ObjectOutputStream objOutStream = new ObjectOutputStream(byteOut); // convert object to byte using streams objOutStream.writeObject(obj); objOutStream.close(); final byte[] blob = byteOut.toByteArray(); if (SESSION_ENCRYPTION) { return (byte[]) AccessController.doPrivileged( new PrivilegedExceptionAction() { public Object run() throws Exception { return Crypt.getEncryptor().encrypt(blob); } }); } return blob; } /** * Deserializes and decrypts objects retrieved from the repository. * * @param blob Byte array containing serialized and encrypted object value. * @return retrieved object. * @throws Exception if anything goes wrong. */ public static Object decode(final byte blob[]) throws Exception { byte[] decryptedBlob; if (SESSION_ENCRYPTION) { decryptedBlob = (byte[]) AccessController.doPrivileged( new PrivilegedExceptionAction() { public Object run() throws Exception { return Crypt.getEncryptor().decrypt(blob); } }); } else { decryptedBlob = blob; } ByteArrayInputStream byteIn = new ByteArrayInputStream(decryptedBlob); ObjectInputStream objInStream = new ObjectInputStream(byteIn); return objInStream.readObject(); } /** * Helper method to get the encrypted session storage key * * @param sessionID SessionID * @return encrypted session storage key * @throws Exception if anything goes wrong */ public static String getEncryptedStorageKey(SessionID sessionID) throws Exception { String sKey = sessionID.getExtension(SessionID.STORAGE_KEY); if (SESSION_ENCRYPTION) { String strEncrypted = (String) AccessController.doPrivileged( new EncodeAction(sKey, Crypt.getHardcodedKeyEncryptor())); return strEncrypted; } return sKey; } /** * Helper method to get admin token. This is not amadmin user but the user configured in * serverconfig.xml as super user. * * @return SSOToken of super admin. */ public static SSOToken getAdminToken() throws SSOException { SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance()); if (adminToken == null) { I18n i18n = I18n.getInstance(IUMSConstants.UMS_PKG); String rbName = i18n.getResBundleName(); throw new SSOException(rbName, IUMSConstants.NULL_TOKEN, null); } return (adminToken); } /** * Helper method to compare if the user token passed is same as admin token. It does not check if * user token or admin token is valid. * * @param admToken Admin Single Sign-On token. * @param usrToken User Single Sign-On token to compare against admin Single Sign-On token. * @return <code>true</code> if they both are same. */ public static boolean isAdmin(SSOToken admToken, SSOToken usrToken) { if (usrToken == null) { debug.error("SessionUtils.isAdmin(): user token is null"); return false; } if (admToken == null) { debug.error("SessionUtils.isAdmin(): admin token is null"); return false; } boolean result = false; String usrName = null; String admName = null; try { usrName = usrToken.getPrincipal().getName(); } catch (SSOException ssoEx) { debug.error("SessionUtils.isAdmin(): user token fails" + "to get principal"); return false; } try { admName = admToken.getPrincipal().getName(); } catch (SSOException ssoEx) { debug.error("SessionUtils.isAdmin(): admin token fails " + "to get principal"); return false; } if (usrName.equalsIgnoreCase(admName)) { result = true; } if (debug.messageEnabled()) { debug.message( "SessionUtils.isAdmin(): returns " + result + " for user principal: " + usrName + " against admin principal: " + admName); } return result; } /** * Helper method to check if client has taken permission to set value to it. If * * @param clientToken Token of the client setting protected property. * @param key Property key * @param value Property value. * @throws SessionException if the key is protected property. */ public static void checkPermissionToSetProperty(SSOToken clientToken, String key, String value) throws SessionException { if (InternalSession.isProtectedProperty(key)) { if (clientToken == null) { // Throw Ex. Client should identify itself. if (SessionService.sessionDebug.warningEnabled()) { SessionService.sessionDebug.warning( "SessionUtils.checkPermissionToSetProperty(): " + "Attempt to set protected property without client " + "token [" + key + "=" + value + "]"); } throw new SessionException( SessionBundle.getString("protectedPropertyNoClientToken") + " " + key); } SSOTokenManager ssoTokenManager = null; try { ssoTokenManager = SSOTokenManager.getInstance(); } catch (SSOException ssoEx) { // Throw Ex. Not able to get SSOTokenManager instance. SessionService.sessionDebug.error( "SessionUtils.checkPermissionToSetProperty(): " + "Cannot get instance of SSOTokenManager."); throw new SessionException( SessionBundle.getString("protectedPropertyNoSSOTokenMgrInstance") + " " + key); } if (!ssoTokenManager.isValidToken(clientToken)) { // Throw Ex. Client should identify itself. if (SessionService.sessionDebug.warningEnabled()) { SessionService.sessionDebug.warning( "SessionUtils.checkPermissionToSetProperty(): " + "Attempt to set protected property with invalid client" + " token [" + key + "=" + value + "]"); } throw new SessionException( SessionBundle.getString("protectedPropertyInvalidClientToken") + " " + key); } SSOToken admToken = null; try { admToken = SessionUtils.getAdminToken(); } catch (SSOException ssoEx) { // Throw Ex. Server not able to get Admin Token. SessionService.sessionDebug.error( "SessionUtils.checkPermissionToSetProperty(): " + "Cannot get Admin Token for validation to set protected " + "property [" + key + "=" + value + "]"); throw new SessionException( SessionBundle.getString("protectedPropertyNoAdminToken") + " " + key); } if (!SessionUtils.isAdmin(admToken, clientToken)) { // Throw Ex. Client not authorized to set this property. SessionService.sessionDebug.error( "SessionUtils.checkPermissionToSetProperty(): " + "Client does not have permission to set protected " + "property" + key + "=" + value + "]"); throw new SessionException( SessionBundle.getString("protectedPropertyNoPermission") + " " + key); } } } }
/** * Determine the listener list based on the diable list property and SMS DataStore notification * property in Realm mode */ private static void getListenerList() { String list = SystemProperties.get(EVENT_LISTENER_DISABLE_LIST, ""); if (debugger.messageEnabled()) { debugger.message( "EventService.getListenerList(): " + EVENT_LISTENER_DISABLE_LIST + ": " + list); } boolean enableDataStoreNotification = Boolean.parseBoolean(SystemProperties.get(Constants.SMS_ENABLE_DB_NOTIFICATION)); if (debugger.messageEnabled()) { debugger.message( "EventService.getListenerList(): " + "com.sun.identity.sm.enableDataStoreNotification: " + enableDataStoreNotification); } boolean configTime = Boolean.parseBoolean(SystemProperties.get(Constants.SYS_PROPERTY_INSTALL_TIME)); if (debugger.messageEnabled()) { debugger.message( "EventService.getListenerList(): " + Constants.SYS_PROPERTY_INSTALL_TIME + ": " + configTime); } // Copy the default listeners String[] tmpListeners = new String[ALL_LISTENERS.length]; System.arraycopy(ALL_LISTENERS, 0, tmpListeners, 0, ALL_LISTENERS.length); // Process the configured disabled list first boolean disableACI = false, disableUM = false, disableSM = false; if (list.length() != 0) { StringTokenizer st = new StringTokenizer(list, ","); String listener = ""; while (st.hasMoreTokens()) { listener = st.nextToken().trim(); if (listener.equalsIgnoreCase("aci")) { disableACI = true; } else if (listener.equalsIgnoreCase("um")) { disableUM = true; } else if (listener.equalsIgnoreCase("sm")) { disableSM = true; } else { debugger.error( "EventService.getListenerList() - " + "Invalid listener name: " + listener); } } } if (!disableUM || !disableACI) { // Check if AMSDK is configured boolean disableAMSDK = true; if (!configTime) { try { ServiceSchemaManager scm = new ServiceSchemaManager(getSSOToken(), IdConstants.REPO_SERVICE, "1.0"); ServiceSchema idRepoSubSchema = scm.getOrganizationSchema(); Set idRepoPlugins = idRepoSubSchema.getSubSchemaNames(); if (idRepoPlugins.contains("amSDK")) { disableAMSDK = false; } } catch (SMSException ex) { if (debugger.warningEnabled()) { debugger.warning( "EventService.getListenerList() - " + "Unable to obtain idrepo service", ex); } } catch (SSOException ex) { // Should not happen, ignore the exception } } if (disableAMSDK) { disableUM = true; disableACI = true; if (debugger.messageEnabled()) { debugger.message( "EventService.getListener" + "List(): AMSDK is not configured or config time. " + "Disabling UM and ACI event listeners"); } } } // Verify if SMSnotification should be enabled if (configTime || ServiceManager.isRealmEnabled()) { disableSM = !enableDataStoreNotification; if (debugger.messageEnabled()) { debugger.message( "EventService.getListenerList(): In realm " + "mode or config time, SMS listener is set to datastore " + "notification flag: " + enableDataStoreNotification); } } // Disable the selected listeners if (disableACI) { tmpListeners[0] = null; } if (disableUM) { tmpListeners[1] = null; } if (disableSM) { tmpListeners[2] = null; } listeners = tmpListeners; // if all disabled, signal to not start the thread if (disableACI && disableUM && disableSM) { if (debugger.messageEnabled()) { debugger.message( "EventService.getListenerList() - " + "all listeners are disabled, EventService won't start"); } _allDisabled = true; } else { _allDisabled = false; } }
/** * A <code>ClusterStateService </code> class implements monitoring the state of server instances * that are participating in the cluster environment. It is used in making routing decisions in * "internal request routing" mode */ public class ClusterStateService extends GeneralTaskRunnable { // Inner Class definition of ServerInfo Object. // Contains information about each Server. private class ServerInfo implements Comparable { String id; String protocol; URL url; InetSocketAddress address; boolean isUp; boolean isLocal; public int compareTo(Object o) { return id.compareTo(((ServerInfo) o).id); } /** * toString Override. * * @return String representation of this Inner Object Class. */ public String toString() { StringBuilder sb = new StringBuilder(); sb.append("ServerInfo ID:[").append(this.id).append("], "); sb.append("Protocol:[").append(this.protocol).append("], "); sb.append("URL:[").append(((this.url == null) ? "null" : this.url.toString())); sb.append("], "); sb.append("Address:["); if (this.address == null) { sb.append("null], "); } else { sb.append(this.address.toString()).append("], Unresolved:["); sb.append(this.address.isUnresolved()).append("], "); } sb.append("Local:[").append(this.isLocal).append("], "); sb.append("Up:[").append(this.isUp).append("].\n"); return sb.toString(); } } // . End of Inner Class Definition. /** Service Globals */ public static Debug sessionDebug = null; /** Servers in the cluster environment */ private static Map<String, ServerInfo> servers = new HashMap<String, ServerInfo>(); /** Servers are down in the cluster environment */ private static Set<String> downServers = new HashSet<String>(); /** Server Information */ private static ServerInfo[] serverSelectionList = new ServerInfo[0]; /** Last selected Server */ private static int lastSelected = -1; /** individual server wait default time out 10 milliseconds */ public static final int DEFAULT_TIMEOUT = 1000; private static String GET_REQUEST = ""; private static final String EMPTY_STRING = ""; private static final String SUCCESS_200 = "200"; private static final String HTTP = "http"; private static String hcPath = SystemProperties.get(Constants.URLCHECKER_TARGET_URL, null); private static boolean doRequest = true; private static final String doRequestFlag = SystemProperties.get(Constants.URLCHECKER_DOREQUEST, "false"); private int timeout = DEFAULT_TIMEOUT; // in milliseconds /** default ServerInfo check time 10 milliseconds */ public static final long DEFAULT_PERIOD = 1000; private static long period = DEFAULT_PERIOD; // in milliseconds // server instance id private static String localServerId = null; // SessionService private static volatile SessionService sessionService = null; // Static Initialization Stanza. static { sessionDebug = Debug.getInstance("amSession"); if (doRequestFlag != null) { if (doRequestFlag.equals("false")) doRequest = false; } if (hcPath == null) { String deployuri = SystemProperties.get(Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR, "/openam"); hcPath = deployuri + "/namingservice"; if (!hcPath.startsWith("/")) { hcPath += "/" + hcPath; } GET_REQUEST = "GET " + hcPath + " HTTP/1.0"; } } // End of Static Initialization Stanza /** * Get Servers within Cluster * * @return Map<String, ServerInfo> */ protected Map<String, ServerInfo> getServers() { return servers; } /** * Get Server IDs which are in a Down State. * * @return Set<String> */ protected Set<String> getDownServers() { return downServers; } /** * Get the Server Selection List, common to all Servers in Cluster. * * @return ServerInfo[] Array of Servers in Selection list in proper order. */ protected ServerInfo[] getServerSelectionList() { return serverSelectionList; } /** * Get our Local Server Id * * @return String of Local Server Id. */ protected String getLocalServerId() { return localServerId; } /** * Is Specified ServerId our Local Server Id? * * @param serverId * @return boolean indicating true if specified server id is our local Server Id or false ir not. */ protected boolean isLocalServerId(String serverId) { return ((serverId == null) || (!serverId.equalsIgnoreCase(this.localServerId))) ? false : true; } /** * Constructs an instance for the cluster service * * @param localServerId id of the server instance in which this ClusterStateService instance is * running * @param timeout timeout for waiting on an individual server (millisec) * @param period checking cycle period (millisecs) * @param members map if server id - > url for all cluster members * @throws Exception */ protected ClusterStateService( SessionService sessionService, String localServerId, int timeout, long period, Map<String, String> members) throws Exception { if ((localServerId == null) || (localServerId.isEmpty())) { String message = "ClusterStateService: Local Server Id argument is null, unable to instantiate Cluster State Service!"; sessionDebug.error(message); throw new IllegalArgumentException(message); } // Ensure we Synchronize this Instantiation. synchronized (this) { this.sessionService = sessionService; this.localServerId = localServerId; this.timeout = timeout; this.period = period; serverSelectionList = new ServerInfo[members.size()]; for (Map.Entry<String, String> entry : members.entrySet()) { ServerInfo info = new ServerInfo(); info.id = entry.getKey(); URL url = new URL(entry.getValue() + "/namingservice"); info.url = url; info.protocol = url.getProtocol(); info.address = new InetSocketAddress(url.getHost(), url.getPort()); // Fix for Deadlock. If this is our server, set to true, else false. info.isUp = isLocalServerId(info.id); info.isLocal = info.isUp; // Set our Local Server Indicator, per above interrogation. // Check for Down Servers. if (!info.isUp) { downServers.add(info.id); } // Add Server to Server List. servers.put(info.id, info); // Associate to a Server Selection Bucket. serverSelectionList[getNextSelected()] = info; if (sessionDebug.messageEnabled()) { sessionDebug.error("Added Server to ClusterStateService: " + info.toString()); } } // End of For Loop. // to ensure that ordering in different server instances is identical Arrays.sort(serverSelectionList); SystemTimer.getTimer().schedule(this, new Date((System.currentTimeMillis() / 1000) * 1000)); } // End of Synchronized Block. } /** * Implements "wrap-around" lastSelected index advancement * * @return updated lastSelected index value */ private int getNextSelected() { return lastSelected = (lastSelected + 1) % serverSelectionList.length; } /** * Returns currently known status of the server instance identified by serverId * * @param serverId server instance id * @return true if server is up, false otherwise */ boolean isUp(String serverId) { if ((serverId == null) || (serverId.isEmpty())) { return false; } if (serverId.equalsIgnoreCase(this.localServerId)) { return true; } if ((servers == null) || servers.isEmpty()) { return false; } return (servers.get(serverId) != null) ? servers.get(serverId).isUp : false; } /** * Actively checks and updates the status of the server instance identified by serverId * * @param serverId server instance id * @return true if server is up, false otherwise */ boolean checkServerUp(String serverId) { if ((serverId == null) || (serverId.isEmpty())) { return false; } if (serverId.equalsIgnoreCase(this.localServerId)) { return true; } if ((servers == null) || servers.isEmpty()) { return false; } ServerInfo info = servers.get(serverId); info.isUp = checkServerUp(info); return info.isUp; } /** * Returns size of the server list * * @return size of the server list */ int getServerSelectionListSize() { return (serverSelectionList == null) ? 0 : serverSelectionList.length; } /** * Returns server id for a given index inside the server list or null if out of bounds. * * @param index index in the server list, relative to Zero. * @return server id */ String getServerSelection(int index) { if ((getServerSelectionListSize() <= 0) || (index < 0) || (index >= getServerSelectionListSize())) { return null; } return serverSelectionList[index].id; } /** * Implements for GeneralTaskRunnable * * @return The run period of the task. */ public long getRunPeriod() { return period; } /** * Implements for GeneralTaskRunnable. * * @return false since this class will not be used as container. */ public boolean addElement(Object obj) { return false; } /** * Implements for GeneralTaskRunnable. * * @return false since this class will not be used as container. */ public boolean removeElement(Object obj) { return false; } /** * Implements for GeneralTaskRunnable. * * @return true since this class will not be used as container. */ public boolean isEmpty() { return true; } /** Monitoring logic used by background thread */ public void run() { try { boolean cleanRemoteSessions = false; synchronized (servers) { for (Map.Entry<String, ServerInfo> server : servers.entrySet()) { ServerInfo info = server.getValue(); info.isUp = checkServerUp(info); if (!info.isUp) { downServers.add(info.id); } else { if (!downServers.isEmpty() && downServers.remove(info.id)) { cleanRemoteSessions = true; } } } } if (cleanRemoteSessions) { sessionService.cleanUpRemoteSessions(); } } catch (Exception ex) { sessionDebug.error( "cleanRemoteSessions Background thread has encountered an Exception: " + ex.getMessage(), ex); } } /** * Internal method for checking health status using sock.connect() * * <p>TODO -- Use a better mechanism for alive status. 10.1+. * * @param info server info instance * @return true if server is up, false otherwise */ private boolean checkServerUp(ServerInfo info) { if (info == null) { return false; } if (localServerId.equals(info.id)) { return true; } boolean result = false; Socket sock = new Socket(); PrintWriter out = null; BufferedReader in = null; try { sock.connect(info.address, timeout); /* * If we need to check for a front end proxy, we need * to send a request. */ if (doRequest) { if (info.protocol.equals(HTTP)) { out = new PrintWriter(sock.getOutputStream()); in = new BufferedReader(new InputStreamReader(sock.getInputStream())); out.println(GET_REQUEST); out.println(EMPTY_STRING); out.flush(); String response = in.readLine(); if (response.contains(SUCCESS_200)) { result = true; } else { result = false; } } else { HttpsURLConnection connection = null; int responseCode = 0; InputStream is = null; try { connection = (HttpsURLConnection) info.url.openConnection(); connection.setHostnameVerifier( new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }); responseCode = connection.getResponseCode(); is = connection.getInputStream(); int ret = 0; byte[] buf = new byte[512]; // clear the stream while ((ret = is.read(buf)) > 0) { // do nothing } // close the inputstream is.close(); } catch (IOException ioe) { InputStream es = null; try { es = ((HttpsURLConnection) connection).getErrorStream(); int ret = 0; byte[] buf = new byte[512]; // read the response body to clear while ((ret = es.read(buf)) > 0) { // do nothing } // close the errorstream es.close(); } catch (IOException ex) { // deal with the exception } } if (responseCode == HttpURLConnection.HTTP_OK) { result = true; } else { result = false; } } } else { result = true; } } catch (Exception ex) { result = false; } finally { try { sock.close(); } catch (Exception ex) { } } return result; } // TODO -- Develop Method to write our Server State to the Session Persistence Store. /** * Override toString * * @return */ @Override public String toString() { final StringBuffer sb = new StringBuffer(); sb.append("ClusterStateService: "); sb.append("{ lastSelected=").append(lastSelected); sb.append(", timeout=").append(timeout).append("\n"); sb.append(" Current Server Selection List:").append("\n"); for (ServerInfo serverInfo : getServerSelectionList()) { sb.append(serverInfo.toString()); } sb.append('}'); return sb.toString(); } }
/** * The <code>CDCClientServlet</code> is the heart of the Cross Domain Single Signon mechanism of * OpenAM in the DMZ along with the distributed auth. <br> * The following is the algorithm used by the program: * * <ol> * <li>If request does not contain SSO related cookie or policy has generated some advices then * redirect request to the distributed auth service. * <li>If request contains SSO related cookie and no advices. * <ul> * <li>Tunnel the Request to OpenAM. * <li>Send the received AuthNResponse as Form POST to the original request requested using * the goto parameter in the query string. * </ul> * </ol> */ public class CDCClientServlet extends HttpServlet { private static final ArrayList adviceParams = new ArrayList(); private static final Set<String> INVALID_SET = new HashSet<String>(); private static final Set<String> VALID_LOGIN_URIS = new HashSet<String>(); private static final String LEFT_ANGLE = "<"; private static final String RIGHT_ANGLE = ">"; private static final String URLENC_RIGHT_ANGLE = "%3e"; private static final String URLENC_LEFT_ANGLE = "%3c"; private static final String URLENC_JAVASCRIPT = "javascript%3a"; private static final String JAVASCRIPT = "javascript:"; private static final String DELIM = ","; private static final String DEBUG_FILE_NAME = "amCDC"; private static final char QUESTION_MARK = '?'; private static final char AMPERSAND = '&'; private static final char EQUAL_TO = '='; private static final char SEMI_COLON = ';'; private static final char SPACE = ' '; private static final String GOTO_PARAMETER = "goto"; private static final String TARGET_PARAMETER = "TARGET"; private static final String CDCURI = "/cdcservlet"; private static final String LOGIN_URI = "loginURI"; private static String cdcAuthURI; private static final String AUTHURI = "/UI/Login"; private static final String RESPONSE_HEADER_ALERT = "X-DSAME-Assertion-Form"; private static final String RESPONSE_HEADER_ALERT_VALUE = "true"; private static final String FORBIDDEN_STR_MATCH = "#403x"; private static final String SERVER_ERROR_STR_MATCH = "#500x"; static Debug debug = Debug.getInstance(DEBUG_FILE_NAME); static { initConfig(); } private static SSOTokenManager tokenManager; private static String sessionServiceName = "iPlanetAMSessionService"; private static String authURLCookieName; private static String authURLCookieDomain; private static String deployDescriptor; boolean serverMode = Boolean.valueOf( System.getProperty( Constants.SERVER_MODE, SystemProperties.get(Constants.SERVER_MODE, "false"))) .booleanValue(); private static boolean cookieEncoding = SystemProperties.getAsBoolean(Constants.AM_COOKIE_ENCODE); /** * @param config the ServletConfig object that contains configutation information for this * servlet. * @exception ServletException if an exception occurs that interrupts the servlet's normal * operation. */ public void init(ServletConfig config) throws ServletException { super.init(config); if (debug.messageEnabled()) { debug.message("CDCClientServlet.init:CDCClientServlet " + "Initializing..."); } try { tokenManager = SSOTokenManager.getInstance(); } catch (SSOException ssoe) { debug.error("CDCClientServlet.init:unable to get SSOTokenManager", ssoe); } authURLCookieName = SystemProperties.get(Constants.AUTH_UNIQUE_COOKIE_NAME, "sunIdentityServerAuthNServer"); authURLCookieDomain = SystemProperties.get(Constants.AUTH_UNIQUE_COOKIE_DOMAIN, ""); deployDescriptor = SystemProperties.get(Constants.AM_DISTAUTH_DEPLOYMENT_DESCRIPTOR, "/distauth"); } /** * Handles the HTTP GET request. * * @param request an HttpServletRequest object that contains the request the client has made of * the servlet. * @param response an HttpServletResponse object that contains the response the servlet sends to * the client. * @exception ServletException if an input or output error is detected when the servlet handles * the GET request * @exception IOException if the request for the GET could not be handled */ @Override public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doGetPost(request, response); } /** * Handles the HTTP POST request. * * @param request an HttpServletRequest object that contains the request the client has made of * the servlet. * @param response an HttpServletResponse object that contains the response the servlet sends to * the client. * @exception ServletException if an input or output error is detected when the servlet handles * the GET request * @exception IOException if the request for the GET could not be handled */ @Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doGetPost(request, response); } /** * The method redirects the user to the authentication module if he is not authenticated; else * redirects him back to the original referrer. * * @param request an HttpServletRequest object that contains the request the client has made of * the servlet. * @param response an HttpServletResponse object that contains the response the servlet sends to * the client. * @exception ServletException if an input or output error is detected when the servlet handles * the GET request * @exception IOException if the request for the GET could not be handled */ private void doGetPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { if (debug.messageEnabled()) { debug.message( "CDCClientServlet.doGetPost:Query String received= " + request.getQueryString()); } String gotoParameter = request.getParameter(GOTO_PARAMETER); String targetParameter = request.getParameter(TARGET_PARAMETER); if (targetParameter == null) { targetParameter = request.getParameter(TARGET_PARAMETER.toLowerCase()); } // if check if goto ot target have invalid strings, to avoid // accepting invalid injected javascript. if ((gotoParameter != null) || (targetParameter != null)) { if (debug.messageEnabled()) { debug.message( "CDCClientServlet:doGetPost():validating goto: " + gotoParameter + " and target: " + targetParameter); } for (String invalidStr : INVALID_SET) { if (gotoParameter != null && gotoParameter.toLowerCase().contains(invalidStr)) { showError(response, SERVER_ERROR_STR_MATCH + "GOTO parameter has invalid characters"); return; } if (targetParameter != null && targetParameter.toLowerCase().contains(invalidStr)) { showError(response, SERVER_ERROR_STR_MATCH + "TARGET parameter has invalid characters"); return; } } } /* Steps to be done * 1. If no SSOToken or policy advice present , forward to * authentication. * 2. If SSOToken is valid tunnel request to the backend AM's * CDCServlet and Form POST the received response to the agent. */ // Check for a valid SSOToken in the request. If SSOToken is not found // or if the token is invalid, redirect the user for authentication. // Also re-direct if there are policy advices in the query string SSOToken token = getSSOToken(request, response); // collect advices in parsedRequestParams[0] String and rest of params // other than original goto url in parsedRequestParams[1] String. String[] parsedRequestParams = parseRequestParams(request); if ((token == null) || (parsedRequestParams[0] != null)) { // Redirect to authentication redirectForAuthentication(request, response, parsedRequestParams[0], parsedRequestParams[1]); } else { // tunnel request to AM // send the request to the CDCServlet of AM where the session // was created. sendAuthnRequest(request, response, token); } } /** * This the main method of this servlet which takes in the request opens a URLConnection to the * CDCServlet endpoint in the OpenAM, and tunnels the request content to it. It parses the * Response received and if the HTTP_STATUS is "HTTP_OK" or "HTTP_MOVED_TEMP" POSTs the received * Liberty Authn Response to the goto URL specified in the original request. */ private void sendAuthnRequest( HttpServletRequest request, HttpServletResponse response, SSOToken token) throws ServletException, IOException { SessionID sessid = new SessionID(request); URL CDCServletURL = null; URL sessionServiceURL = null; try { sessionServiceURL = Session.getSessionServiceURL(sessid); } catch (SessionException se) { debug.error( "CDCClientServlet.sendAuthnRequest: Cannot locate" + " OpenAM instance to forward to.", se); showError(response, "Cannot locate OpenAM instance to forward to"); } if (sessionServiceURL == null) { showError(response, "Cannot locate OpenAM instance to forward to"); } // replace "sessionservice" by cdcservlet in obtained URL // we use naming so that we get the URL of the exact server // where the session is located and get the right deployment // descriptor. String sessionServiceURLString = sessionServiceURL.toString(); int serviceNameIndex = sessionServiceURLString.lastIndexOf( "/", sessionServiceURLString.length() - 2); // avoiding trailing "/" // if any StringBuilder buffer = new StringBuilder(150); buffer .append(sessionServiceURLString.substring(0, serviceNameIndex)) .append(CDCURI) .append(QUESTION_MARK) .append(request.getQueryString()); // add query string to // CDCServletURL CDCServletURL = new URL(buffer.toString()); // save the go to URL of the agent side to ultimately // POST to. try { HttpURLConnection connection = HttpURLConnectionManager.getConnection(CDCServletURL); connection.setRequestMethod("GET"); connection.setRequestProperty("Content-Type", "text/html;charset=UTF-8"); connection.setDoOutput(true); connection.setUseCaches(false); // replay cookies String strCookies = getCookiesFromRequest(request); if (strCookies != null) { if (debug.messageEnabled()) { debug.message("CDCClientServlet.sendAuthnRequest:Setting " + "cookies = " + strCookies); } connection.setRequestProperty("Cookie", strCookies); } // dont wish to follow redirect to agent, since // the response needs to go via the CDCClientServlet. HttpURLConnection.setFollowRedirects(false); // Receiving input from CDCServlet on the AM server instance if (debug.messageEnabled()) { debug.message( "CDCClientServlet.sendAuthnRequest:Getting " + "response back from " + CDCServletURL); debug.message( "CDCClientServlet.sendAuthnRequest:Response " + "Code " + connection.getResponseCode()); debug.message( "CDCClientServlet.sendAuthnRequest:Response " + "Message= " + connection.getResponseMessage()); } // Check response code if ((connection.getResponseCode() == HttpURLConnection.HTTP_OK) || (connection.getResponseCode() == HttpURLConnection.HTTP_MOVED_TEMP)) { /** * Read the response back from CDCServlet, got a redirect since this response contains the * "LARES" ( Liberty authn response, which needs to be posted back to the dest url (agent). */ StringBuilder inBuf = new StringBuilder(); BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream(), "UTF-8")); int len; char[] buf = new char[1024]; while ((len = in.read(buf, 0, buf.length)) != -1) { inBuf.append(buf, 0, len); } String inString = inBuf.toString(); if (debug.messageEnabled()) { debug.message( "CDCClientServlet.sendAuthnRequest:" + "Received response data = " + inString); } // put the received Liberty Auth Response // in the servlet's response. sendAuthnResponse(request, response, inString); } else { debug.error("CDCClientServlet.sendAuthnRequest: Response " + "code NOT OK/MOVED_TEMP "); showError( response, "ERROR: Received HTTP error code " + connection.getResponseCode() + " from " + CDCServletURL); } } catch (ConnectException ce) { // Debug the exception if (debug.warningEnabled()) { debug.warning( "CDCClientServlet.sendAuthnRequest: " + "Connection Exception to " + CDCServletURL, ce); } showError( response, "Could not connect to CDCServlet at " + CDCServletURL + ":" + ce.getMessage()); } } // Get cookies string from HTTP request object private String getCookiesFromRequest(HttpServletRequest request) { Cookie cookies[] = CookieUtils.getCookieArrayFromReq(request); // above call would return pure sid in iPlanetDirectoryPro cookie // independent of container encoding StringBuilder cookieStr = null; String strCookies = null; if (cookies != null) { for (int nCookie = 0; nCookie < cookies.length; nCookie++) { String cookieName = cookies[nCookie].getName(); String cookieVal = cookies[nCookie].getValue(); if (cookieName.equals(CookieUtils.getAmCookieName()) && cookieEncoding) { cookieVal = URLEncDec.encode(cookieVal); } if (debug.messageEnabled()) { debug.message("CDCClientServlet.getCookiesFromRequest:" + "Cookie name = " + cookieName); debug.message("CDCClientServlet.getCookiesFromRequest:" + "Cookie val= " + cookieVal); } if (cookieStr == null) { cookieStr = new StringBuilder(); } else { cookieStr.append(SEMI_COLON).append(SPACE); } cookieStr.append(cookieName).append(EQUAL_TO).append(cookieVal); } } if (cookieStr != null) { strCookies = cookieStr.toString(); } return strCookies; } /** * Gathers the parameters in the request as a HTTP URL string. to form request parameters and * policy advice String array. It collects all the parameters from the original request except the * original goto url and any advice parameters. Note: All the paramters will be url decoded by * default., we should make sure that these values are encoded again * * @param request an HttpServletRequest object that contains the request the client has made of * the servlet. * @return An String array, index 0 is policy advice, index 1 is rest of the request parameters */ private String[] parseRequestParams(HttpServletRequest request) { StringBuilder adviceList = null; StringBuilder parameterString = new StringBuilder(100); for (Enumeration e = request.getParameterNames(); e.hasMoreElements(); ) { String paramName = (String) e.nextElement(); if (adviceParams.contains(paramName.toLowerCase())) { if (adviceList == null) { adviceList = new StringBuilder(); } else { adviceList.append(AMPERSAND); } String[] values = request.getParameterValues(paramName); for (int i = 0; values != null && i < values.length; i++) { adviceList.append(paramName).append(EQUAL_TO).append(values[i]); } } else { if (!paramName.equals(GOTO_PARAMETER)) { String[] values = request.getParameterValues(paramName); for (int i = 0; values != null && i < values.length; i++) { parameterString .append(AMPERSAND) .append(paramName) .append(EQUAL_TO) .append(URLEncDec.encode(values[i])); } } } } if (debug.messageEnabled()) { debug.message("CDCClientServlet.parseRequestParams:" + "Advice List is = " + adviceList); debug.message( "CDCClientServlet.parseRequestParams:" + "Parameter String is = " + parameterString.toString()); } String policyAdviceList; String requestParams; if (adviceList == null) { policyAdviceList = null; } else { policyAdviceList = adviceList.toString(); } if (parameterString.length() > 0) { requestParams = (parameterString.deleteCharAt(0).toString()); } else { requestParams = parameterString.toString(); } return new String[] {policyAdviceList, requestParams}; } /** * Redirects the HTTP request to the Authentication module. It gets the authentication url from * <code>SystemProperties</code>. * * @param request an HttpServletRequest object that contains the request the client has made of * the servlet. * @param response an HttpServletResponse object that contains the response the servlet sends to * the client. * @exception IOException If an input or output exception occurs */ private void redirectForAuthentication( HttpServletRequest request, HttpServletResponse response, String policyAdviceList, String requestParams) throws IOException { if (debug.messageEnabled()) { debug.message( "CDCClientServlet.redirectForAuthentication: " + "requestURL=" + request.getRequestURL()); } StringBuilder redirectURL = new StringBuilder(100); StringBuilder gotoURL = new StringBuilder(100); // Check if user has authenticated to another OpenAM // instance String authURL = null; Cookie authCookie = CookieUtils.getCookieFromReq(request, authURLCookieName); if (authCookie != null) { authURL = CookieUtils.getCookieValue(authCookie); if (debug.messageEnabled()) { debug.message( "CDCClientServlet.redirectForAuthentication: " + "got an authenticated URL= " + authURL); } } try { if (authURL == null || authURL.length() == 0 || !authURL.toLowerCase().startsWith("http") || policyAdviceList != null) { String finalURL = request.getParameter(GOTO_PARAMETER); if (finalURL == null || finalURL.equals("")) { finalURL = request.getParameter(TARGET_PARAMETER); } if (finalURL == null || finalURL.equals("")) { if (debug.messageEnabled()) { debug.message( "CDCClientServlet.redirectForAuthentication: " + "goto or target parameter is missing in the request."); } showError(response, SERVER_ERROR_STR_MATCH); return; } gotoURL .append(deployDescriptor) .append(CDCURI) .append(QUESTION_MARK) .append(TARGET_PARAMETER) .append(EQUAL_TO) .append(URLEncDec.encode(finalURL)) .append(AMPERSAND) .append(requestParams); // Construct the login URL String loginURI = request.getParameter(LOGIN_URI); String cdcUri; if (loginURI != null && !loginURI.isEmpty() && isValidCDCURI(loginURI)) { if (debug.messageEnabled()) { debug.message( "CDCClientServlet.redirectForAuthentication:found " + LOGIN_URI + "=" + loginURI); } cdcUri = loginURI; } else { cdcUri = cdcAuthURI; } if (debug.messageEnabled()) { debug.message( "CDCClientServlet.redirectForAuthentication: Login URI is set to = " + cdcUri); } if (cdcUri.indexOf(QUESTION_MARK) == -1) { redirectURL.append(cdcUri).append(QUESTION_MARK); } else { redirectURL.append(cdcUri).append(AMPERSAND); } if (policyAdviceList != null) { redirectURL.append(policyAdviceList).append(AMPERSAND); } redirectURL .append(GOTO_PARAMETER) .append(EQUAL_TO) .append(URLEncDec.encode(gotoURL.toString())); if (debug.messageEnabled()) { debug.message( "CDCClientServlet.redirectForAuthentication" + ":redirectURL before dispatching is=" + redirectURL); } RequestDispatcher dispatcher = request.getRequestDispatcher(redirectURL.toString()); dispatcher.forward(request, response); } else { // Redirect the user to the authenticated URL redirectURL .append(authURL) .append(deployDescriptor) .append(CDCURI) .append(QUESTION_MARK) .append(request.getQueryString()); // Reset the cookie value to null, to avoid continuous loop // when a load balancer is used if (authCookie != null) { authCookie.setValue(""); response.addCookie(authCookie); } response.sendRedirect(redirectURL.toString()); } if (debug.messageEnabled()) { debug.message( "CDCClientServlet.redirectForAuthentication:" + "Forwarding for authentication to= " + redirectURL); } } catch (IOException ex) { debug.error( "CDCClientServlet.redirectForAuthentication: Failed " + "in forwarding to Authentication service. IOException", ex); showError(response, "Could for forward to authentication service:" + ex.getMessage()); } catch (ServletException se) { debug.error( "CDCClientServlet.redirectForAuthentication : Failed " + "in forwarding to Authentication service. ServletException", se); showError(response, "Could for forward to authentication service:" + se.getMessage()); } catch (IllegalStateException ie) { debug.error( "CDCClientServlet.redirectForAuthentication : Failed " + "in forwarding to Authentication service. Illegal state", ie); showError(response, "Could for forward to authentication service:" + ie.getMessage()); } } /** * Shows Application Error message to the user. * * @param response an HttpServletResponse object that contains the response the servlet sends to * the client. * @param msg Message to be displayed. */ private void showError(HttpServletResponse response, String msg) throws IOException { ServletOutputStream out = null; if (msg == null || msg.equals("") || msg.contains(SERVER_ERROR_STR_MATCH)) { response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return; } try { out = response.getOutputStream(); out.println(msg); out.flush(); } catch (IOException e) { debug.error("CDCClientServlet.showError::Could not show error " + "message to the user " + e); } finally { try { out.close(); } catch (IOException ignore) { } } } /** * Returns the SSOToken of the user. If user has not authenticated re-directs the user to login * page */ private SSOToken getSSOToken(HttpServletRequest request, HttpServletResponse response) throws IOException { SSOToken token = null; try { /* SSOTokenManager.createSSOToken() throws an SSOException if the * token is not valid, so for a invalid token manager.isValidToken() * will never get executed for an invalid token. */ if (((token = tokenManager.createSSOToken(request)) == null) || !tokenManager.isValidToken(token)) { if (debug.messageEnabled()) { debug.message( "CDCClientServlet.getSSOToken:SSOToken is " + "either null or not valid: " + token + "\nRedirecting for authentication"); } token = null; } } catch (com.iplanet.sso.SSOException e) { if (debug.messageEnabled()) { debug.message("CDCClientServlet.getSSOToken:SSOException " + "caught= " + e); } token = null; } return (token); } private void sendAuthnResponse( HttpServletRequest request, HttpServletResponse response, String authnResponse) { if (debug.messageEnabled()) { debug.message("CDCClientServlet.sendAuthnResponse: Called"); } try { if (debug.messageEnabled()) { debug.message("CDCClientServlet.sendAuthnResponse: " + "AuthnResponse= " + authnResponse); } response.setContentType("text/html"); response.setHeader("Pragma", "no-cache"); response.setHeader(RESPONSE_HEADER_ALERT, RESPONSE_HEADER_ALERT_VALUE); if (authnResponse.contains(FORBIDDEN_STR_MATCH)) { if (debug.messageEnabled()) { debug.message( "CDCClientServlet.sendAuthnResponse: " + "AuthnResponse showing 403 error page"); } response.sendError(HttpServletResponse.SC_FORBIDDEN); return; } if (authnResponse.contains(SERVER_ERROR_STR_MATCH)) { if (debug.messageEnabled()) { debug.error( "CDCClientServlet.sendAuthnResponse: " + "ERROR: An application error has occured."); } response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return; } PrintWriter out = response.getWriter(); out.println(authnResponse); out.close(); if (debug.messageEnabled()) { debug.message("CDCClientServlet.sendAuthnResponse: " + "AuthnResponse sent successfully"); } return; } catch (IOException ioe) { debug.error("CDCClientServlet.sendAuthnResponse:" + ioe.getMessage()); } } /** * Return <code>true</code> if the passed URI is valid compared to the valid set loaded during * initialization. * * @param cdcUri The URI to test. * @return <code>true</code> if the URI is considered valid, <code>false</code> otherwise. */ private boolean isValidCDCURI(String cdcUri) { int questionMark = cdcUri.indexOf(QUESTION_MARK); // We are only interested in the URI part up to any parameters that may be included. if (questionMark != -1) { cdcUri = cdcUri.substring(0, questionMark); } // If there is not an exact match for the passed value then it cannot be considered valid boolean result = VALID_LOGIN_URIS.contains(cdcUri); if (debug.messageEnabled()) { debug.message( "CDCClientServlet.isValidCDCURI: checking if " + cdcUri + " is in validLoginURISet: " + VALID_LOGIN_URIS + " result:" + result); } return result; } private static void initConfig() { adviceParams.add("module"); adviceParams.add("authlevel"); adviceParams.add("role"); adviceParams.add("service"); adviceParams.add("user"); adviceParams.add("realm"); adviceParams.add("org"); adviceParams.add("resource"); adviceParams.add("sunamcompositeadvice"); String invalidStrings = SystemPropertiesManager.get(Constants.INVALID_GOTO_STRINGS); if (INVALID_SET.isEmpty()) { debug.message("CDCClientServlet.initConfig: creating invalidSet"); if (invalidStrings == null) { debug.message("CDCClientServlet.initConfig: invalidStrings is null"); INVALID_SET.add(LEFT_ANGLE); INVALID_SET.add(RIGHT_ANGLE); INVALID_SET.add(URLENC_LEFT_ANGLE); INVALID_SET.add(URLENC_RIGHT_ANGLE); INVALID_SET.add(JAVASCRIPT); INVALID_SET.add(URLENC_JAVASCRIPT); } else { if (debug.messageEnabled()) { debug.message("CDCClientServlet.initConfig: invalidStrings is: " + invalidStrings); } StringTokenizer st = new StringTokenizer(invalidStrings, DELIM); while (st.hasMoreTokens()) { INVALID_SET.add(st.nextToken()); } } debug.message("CDCClientServlet.initConfig: created invalidSet " + INVALID_SET); } String urlFromProps = SystemProperties.get(Constants.CDCSERVLET_LOGIN_URL); cdcAuthURI = (urlFromProps != null) ? urlFromProps : AUTHURI; String validLoginURIStrings = SystemPropertiesManager.get(Constants.VALID_LOGIN_URIS); debug.message("CDCClientServlet.initConfig: creating validLoginURISet"); if (validLoginURIStrings == null) { debug.message( "CDCClientServlet.initConfig: validLoginURIStrings is null, creating default set"); VALID_LOGIN_URIS.add(cdcAuthURI); } else { if (debug.messageEnabled()) { debug.message( "CDCClientServlet.initConfig: validLoginURIStrings is: " + validLoginURIStrings); } StringTokenizer st = new StringTokenizer(validLoginURIStrings, DELIM); while (st.hasMoreTokens()) { VALID_LOGIN_URIS.add(st.nextToken()); } } debug.message("CDCClientServlet.initConfig: created validLoginURISet " + VALID_LOGIN_URIS); } }