ucReauthorizeUser

Purpose

ucReauthorizeUser used to redirect user to a reauthentication server, if this is directed by the workflow of processing an issue.

Applies To

User Authentication Methods

Signature

public boolean ucReauthorizeUser ( 
      HttpServletRequest request, 
      HttpServletResponse response,
      ProblemFormParam pfp, 
      SesameSession session,
      int sshState )

Notes

It is currently used when the user’s permissions in an SSO environment are not sufficient to perform an action. This routine can be used to reauthenticate the user with a different permission set.

Example

 public boolean ucReauthorizeUser(
                HttpServletRequest request, 
                HttpServletResponse response,
                ProblemFormParam pfp, 
                SesameSession session,
                int sshState) throws Exception {

        // set up a signature handler object
        StatusSignatureHandler ssh;

        // first, is there a CHANGE: state var with one of the key fields?
        String sv = pfp.getString("stateVar");

        // Log the state var
        Z.log.writeToLog(Z.log.DEBUG, "STATEVAR IN doReauth(): " + sv);

        // if you change this you also must change the list of esignature fields below.
        String fieldPat = "^CHANGE:" +
            "(P_RISK_SIG_REQUIRED)|" +
            "(P_GOVT_DCSNTREE_SIG_REQUIRED)|" +
            "(P_GOVT_DSCNTREE_RVW_SIG_REQ)|" +
            "(P_GOVT_MDR_DEC_SIG_REQ)|" +
            "(P_GOVT_REVIEW_SIG_REQ)|" +
            "(P_GOVT_OTH_DEC_SIG_REQ)|" +
            "(P_GOVT_AUS_DEC_SIG_REQ)|" +
            "(P_GOVT_CAN_DEC_SIG_REQ)|" +
            "(P_GOVT_VSR_DEC_SIG_REQ)|" +
            "(P_GOVT_VIGIL_REV_SIG_REQUIRED)|" +
            "(P_GOVT_MHLW_DEC_SIG_REQUIRED)|" +
            "(P_GOVT_MHLW_DEC_REV_SIG_REQ)" +
            "_\\d+$";

        Regex fieldParser = new Regex(fieldPat);
        boolean reauthFieldExists = fieldParser.search(sv.toUpperCase());

        // Is this refresh fired by a reauth field?
        Z.log.writeToLog(Z.log.DEBUG,
               "REFRESH FIRED BY A REAUTH FIELD: " + reauthFieldExists);

        // if no reauthFieldExists, there is no reason to do anything else, we
        // can return "false" immediately.
        if (!reauthFieldExists) {
            return false;
        }

        // next, is there a p_cached_req parameter?
        String cr = pfp.getString("CACHED_REQ");
        boolean crFieldExists = TextManager.isStringVisible(cr);

        // did we get the cached request parameter?
        Z.log.writeToLog(Z.log.DEBUG, 
               "CACHED REQUEST PARAMETER EXISTS: " + crFieldExists);
        Z.log.writeToLog(Z.log.DEBUG, 
               "CACEHD REQUEST PARAMETER: " + cr);

        // if reauthFieldExists and no crFieldExists, we have not yet been
        // through reauthentication. we must create the ssh object, redirect to
        // the SSO server, and return a true (we are doing reauth). Otherwise,
        // reauthField and crField both exist, get cached ssh, then check the
        // SSO authorization status.
        if (reauthFieldExists && !crFieldExists) {

            // log that we are making a new StatusSignatureHandler
            Z.log.writeToLog(Z.log.DEBUG, "MAKING NEW StatusSignatureHandler.");

            ssh = new StatusSignatureHandler(request, session, sshState);
            if (TextManager.isStringVisible(sv)) {
                ssh.setStateVar(sv);
            }

            // ssh reauth status before cache
            Z.log.writeToLog(Z.log.DEBUG, 
                "SSH REAUTH STATUS BEFORE CACHE: " + ssh.isReauthorizedCheck(session));

            // cache ssh in session
            ssh.cache();

            // ssh reauth status after cache
            Z.log.writeToLog(Z.log.DEBUG, 
                "SSH REAUTH STATUS AFTER CACHE: " + ssh.isReauthorizedCheck(session));
        } else {

            // we are retrieving a cached ssh
            Z.log.writeToLog(Z.log.DEBUG, 
                  "GETTING CACHED StatusSignatureHandler.");

            ssh = StatusSignatureHandler.getCached(cr, session);

            // check the cached ssh for reauthorization
            // if we are not using SSO, just reauthorize
            // them. otherwise, check the SSO reauth.
            boolean sso = "YES".equalsIgnoreCase(
                       Z.appDefaults.getAttribute("SSO_STATE"));

            // log sso state
            Z.log.writeToLog(Z.log.DEBUG, "SSO_STATE IS ON: " + sso);

            if (!sso) {
                // log what we do with respect to SSO
                Z.log.writeToLog(Z.log.DEBUG, "SSO NOT ON, REAUTHORIZING.");

                ssh.reauthorize();
            } else if (com.extraview.presentation.security.LoginDisplay.
                           doSSOReAuthorization(request)) {
                // log what we do with respect to SSO
                Z.log.writeToLog(Z.log.DEBUG, "SSO ON, 
                      doSSOReAuthorization PASSED, REATHORIZING.");

                ssh.reauthorize();
            } else {
                // log what we do with respect to SSO
                Z.log.writeToLog(Z.log.DEBUG, 
                      "SSO ON, doSSOReAuthorization FAILED, NOT REATHORIZING.");
            }
        }

        // Log wheter or not we are reauthorized
        Z.log.writeToLog(Z.log.DEBUG,
               "SSH SAYS WE ARE REAUTHORIZED: " + ssh.isReauthorizedCheck(session));

        // if we are reauthorized, do NOT redirect and return a status of false,
        // otherwise redirect and return a status of true (for redirected).
        if (ssh.isReauthorized(session)) {
            return false;
        } else {

            String reloginUrl = ssh.reloginUrl();

            // log reloginUrl
            Z.log.writeToLog(Z.log.DEBUG, 
                  "REAUTH URL WITH TARGET IMMEDIATELY BEFORE REDIRECTING: " 
                 + reloginUrl);

            response.sendRedirect(reloginUrl);
            return true;
        }
    }