logonstatemachine.java

这是linux下ssl vpn的实现程序

package com.sslexplorer.security;

import java.util.Iterator;
import java.util.List;
import java.util.Vector;

import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

import com.maverick.crypto.security.SecureRandom;
import com.sslexplorer.core.CoreServlet;
import com.sslexplorer.policyframework.PolicyConstants;

/**
 * <p>
 * State machine which holds the logon state so that the display to the user can
 * be obfuscated.
 * 
 * @author James D Robinson <a href="mailto:james@3sp.com">&lt;james@3sp.com&gt;</a>
 * 
 * 03-Aug-2006
 */
public class LogonStateMachine {

    public static final String LOGON_STATE_MACHINE = "logonStateMachine";

    public static final int STATE_STARTED = 0;
    public static final int STATE_DISPLAY_USERNAME = 1;
    public static final int STATE_UNKNOWN_USERNAME = 2;
    public static final int STATE_UNKNOWN_USERNAME_PROMPT_FOR_PASSWORD = 3;
    public static final int STATE_USERNAME_KNOWN = 4;
    public static final int STATE_KNOWN_USERNAME_NO_SCHEME = 5;
    public static final int STATE_KNOWN_USERNAME_SINGLE_SCHEME = 6;
    public static final int STATE_KNOWN_USERNAME_MULTIPLE_SCHEMES = 7;
    public static final int STATE_KNOWN_USERNAME_WRONG_PASSWORD = 8;
    public static final int STATE_VALID_LOGON = 9;
    public static final int STATE_RETURN_TO_LOGON = 10;
    public static final int STATE_KNOWN_USERNAME_NO_SCHEME_SPOOF_PASSWORD_ENTRY = 11;

    private int state = 0;

    public LogonStateMachine() {
        super();
    }

    public int getState() {
        return state;
    }

    public void setState(int newState) {
        this.state = newState;
    }

    private ActionForward getSpecificSignOnForward(Integer resourceId, String userName) throws Exception {
        return new ActionForward("/showLogon.do?selectedAuthenticationScheme=" + resourceId + "&username=" + userName);
    }

    public ActionForward nextStateActionForward(ActionMapping mapping, String userName) throws Exception {

        switch (this.state) {
            case STATE_STARTED:
                // state start
                state = LogonStateMachine.STATE_DISPLAY_USERNAME;
                return mapping.findForward("usernameLogon");
            case STATE_DISPLAY_USERNAME:
                // display obfuscated sign on page.
                state = LogonStateMachine.STATE_UNKNOWN_USERNAME;
                return mapping.findForward("display");
            case STATE_UNKNOWN_USERNAME:
            case STATE_UNKNOWN_USERNAME_PROMPT_FOR_PASSWORD:
            case STATE_USERNAME_KNOWN:
                // unknown username
                List list = CoreServlet.getServlet().getSystemDatabase().getAuthenticationSchemeSequences();
                Vector foo = new Vector();
                AuthenticationSchemeSequence seq;
                for(Iterator it = list.iterator(); it.hasNext();) {
                    seq = (AuthenticationSchemeSequence)it.next();
                    if(seq.getResourceId()!=3 && seq.getResourceId()!= 4) {
                       foo.add(seq);
                    }
                }
                int id = SecureRandom.getInstance().nextInt(foo.size()) + 1;
                return new ActionForward("/showLogon.do?selectedAuthenticationScheme=0"/* + id*/);
            case STATE_KNOWN_USERNAME_NO_SCHEME:
                // state user exists has zero assigned auth schemes no schemes
                return new ActionForward("/showLogon.do?selectedAuthenticationScheme=0");
            case STATE_KNOWN_USERNAME_SINGLE_SCHEME:
                // state user exists has one assigned auth scheme, no forward as
                // the getSpecificSignOnForward() is used.
                return null; // new
            case STATE_KNOWN_USERNAME_MULTIPLE_SCHEMES:
                // state user exists has multiple assigned auth schemes
                return new ActionForward("/showSelectAuthenticationScheme.do?username="+userName);
            case STATE_KNOWN_USERNAME_WRONG_PASSWORD:
                // state user exists but the still faile to auth
                return mapping.findForward("refresh");
            case STATE_VALID_LOGON:
                // all good continue the auth
                return null;
            case STATE_RETURN_TO_LOGON:
                // all failed go to sign on page./showLogon
                return mapping.findForward("refresh");
            case STATE_KNOWN_USERNAME_NO_SCHEME_SPOOF_PASSWORD_ENTRY:
                // valid username, but spoof as no we want to contuinue the auth
                return null;
            default:
                throw new Exception("No Action Foward for state " + state);
        }
    }
    
    public ActionForward getSpecificSignOnForward(ActionMapping mapping, User user, boolean forcePassword) throws Exception{
        List resourceIds = CoreServlet.getServlet().getPolicyDatabase().getGrantedResourcesOfType(user,
                        PolicyConstants.AUTHENTICATION_SCHEMES_RESOURCE_TYPE);

        // remove the WebDav and Embedded Client as they are not
        // sign-on-able.
        resourceIds.remove(new Integer(3));
        resourceIds.remove(new Integer(4));

        if (forcePassword){
            this.setState(LogonStateMachine.STATE_KNOWN_USERNAME_SINGLE_SCHEME);
            return this.getSpecificSignOnForward(new Integer(1), user.getPrincipalName());
        }
        else if (resourceIds != null && resourceIds.size() < 1) {
            // here there are no schemes put the pwd
            this.setState(LogonStateMachine.STATE_KNOWN_USERNAME_NO_SCHEME);
            return this.nextStateActionForward(mapping, user.getPrincipalName());
        } else if (resourceIds != null && resourceIds.size() == 1) {
            this.setState(LogonStateMachine.STATE_KNOWN_USERNAME_SINGLE_SCHEME);
            return this.getSpecificSignOnForward((Integer) resourceIds.get(0), user.getPrincipalName());
        } else {
            this.setState(LogonStateMachine.STATE_KNOWN_USERNAME_MULTIPLE_SCHEMES);
            return this.nextStateActionForward(mapping, user.getPrincipalName());
        }
    }
}