Merge commit from fork

* Add auth to addSessionListener

* change sso token validation from identity to session type

* change sso token validation from identity to session type

Author: maximthomas

openam-core/src/main/java/com/iplanet/dpro/session/Session.java

@@ -25,6 +25,7 @@
  * $Id: Session.java,v 1.25 2009/08/14 17:53:35 weisun2 Exp $
  *
  * Portions copyright 2010-2016 ForgeRock AS.
+ * Portions Copyrighted 2017-2026 3A Systems LLC
  */
 
 package com.iplanet.dpro.session;
@@ -33,12 +34,14 @@
 import static org.forgerock.openam.utils.Time.*;
 
 import java.net.URL;
+import java.security.AccessController;
 import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 
+import com.sun.identity.security.AdminTokenAction;
 import org.forgerock.guice.core.InjectorHolder;
 import org.forgerock.openam.blacklist.BlacklistException;
 import org.forgerock.openam.blacklist.Blacklistable;
@@ -825,7 +828,7 @@ protected void setRestriction(TokenRestriction restriction) {
         this.restriction = restriction;
     }
 
-    /**
+    /**restriction
       * populate context object with admin token
       * @exception SessionException
       * @param appSSOToken application SSO Token to bet set
@@ -862,9 +865,10 @@ public void timeout() {
      */
     public void addInternalSessionListener() {
         try {
+            final SSOToken appSSOToken = AccessController.doPrivileged(AdminTokenAction.getInstance());
             String url = WebtopNaming.getNotificationURL().toString();
             SessionOperations operations = sessionOperationStrategy.getOperation(sessionID);
-            operations.addSessionListener(this, url);
+            operations.addSessionListener(appSSOToken, this, url);
         } catch (Exception e) {
             sessionDebug.warning("error adding internal session listener", e);
         }

openam-core/src/main/java/com/iplanet/dpro/session/monitoring/MonitoredOperations.java

@@ -12,7 +12,7 @@
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2014-2016 ForgeRock AS.
-* Portions Copyrighted 2025 3A Systems, LLC.
+* Portions Copyrighted 2025-2026 3A Systems, LLC.
 */
 package com.iplanet.dpro.session.monitoring;
 
@@ -123,8 +123,8 @@ public SessionInfo getSessionInfo(SessionID sid, boolean reset) throws SessionEx
     }
 
     @Override
-    public void addSessionListener(Session session, String url) throws SessionException {
-        sessionOperations.addSessionListener(session, url); // Not monitored at present
+    public void addSessionListener(SSOToken clientToken, Session session, String url) throws SessionException {
+        sessionOperations.addSessionListener(clientToken, session, url); // Not monitored at present
     }
 
     @Override

openam-core/src/main/java/com/iplanet/dpro/session/operations/SessionOperations.java

@@ -12,6 +12,7 @@
  * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions copyright [year] [name of copyright owner]".
+ * Portions copyright 2026 3A Systems LLC
  */
 package com.iplanet.dpro.session.operations;
 
@@ -93,11 +94,13 @@ public interface SessionOperations {
 
     /**
      * Add a session listener notification url.  The url will receive a notification when session change events occur.
-     * @param session the session to listen to.
-     * @param url the listener notification url
+     *
+     * @param clientToken SSO Token of the client adding session listener (should be admin or agent).
+     * @param session     the session to listen to.
+     * @param url         the listener notification url
      * @throws SessionException if the session could not be accessed.
      */
-    void addSessionListener(Session session, String url) throws SessionException;
+    void addSessionListener(SSOToken clientToken, Session session, String url) throws SessionException;
 
     /**
      * Check whether a session identified by {code sessionId} can be retrieved.

openam-core/src/main/java/com/iplanet/dpro/session/operations/strategies/ClientSdkOperations.java

@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2014-2016 ForgeRock AS.
+ * Portions copyright 2026 3A Systems LLC
  */
 package com.iplanet.dpro.session.operations.strategies;
 
@@ -195,7 +196,7 @@ public SessionInfo getSessionInfo(SessionID sid, boolean reset) {
     }
 
     @Override
-    public void addSessionListener(Session session, String url) throws SessionException {
+    public void addSessionListener(SSOToken clientToken, Session session, String url) throws SessionException {
         SessionRequest sreq = new SessionRequest(
                 SessionRequest.AddSessionListener,
                 session.getSessionID().toString(), false);

openam-core/src/main/java/com/iplanet/dpro/session/operations/strategies/LocalOperations.java

@@ -12,7 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2014-2016 ForgeRock AS.
- * Portions copyright 2025 3A Systems LLC.
+ * Portions copyright 2025-2026 3A Systems LLC.
  */
 package com.iplanet.dpro.session.operations.strategies;
 
@@ -21,9 +21,14 @@
 import static org.forgerock.openam.session.SessionEventType.MAX_TIMEOUT;
 import static org.forgerock.openam.utils.Time.currentTimeMillis;
 
+import java.security.AccessController;
 import java.text.MessageFormat;
 import java.util.Collection;
 
+import com.iplanet.am.util.SystemProperties;
+import com.iplanet.dpro.session.service.SessionType;
+import com.sun.identity.security.AdminTokenAction;
+import com.sun.identity.session.util.SessionUtils;
 import jakarta.inject.Inject;
 import jakarta.inject.Named;
 
@@ -201,7 +206,10 @@ public SessionInfo getSessionInfo(SessionID sessionID, boolean reset) throws Ses
     }
 
     @Override
-    public void addSessionListener(Session session, String url) throws SessionException {
+    public void addSessionListener(SSOToken clientToken, Session session, String url) throws SessionException {
+
+        checkAddSessionListenerPermission(clientToken);
+
         SessionID sessionId = session.getSessionID();
         InternalSession internalSession = resolveToken(sessionId);
         if (internalSession.getState() == INVALID) {
@@ -213,6 +221,32 @@ public void addSessionListener(Session session, String url) throws SessionExcept
         internalSession.addSessionEventURL(url, sessionId);
     }
 
+    static final String ADD_SESSION_LISTENER_SKIP_AUTH_CHECK =
+            "org.openidentityplatform.session.listener.skip-auth-check";
+    private void checkAddSessionListenerPermission(SSOToken clientToken) throws SessionException {
+
+        boolean clientTokenCheckFailed = false;
+        try {
+            if (clientToken == null) {
+                clientTokenCheckFailed = true;
+            } else if(!SessionUtils.isAdmin(AccessController.doPrivileged(AdminTokenAction.getInstance()), clientToken)) {
+                Session session = new Session(new SessionID(clientToken.getTokenID().toString()));
+                session.refresh(false);
+                SessionType type = session.getType();
+                if(session.isTimedOut() || !SessionType.APPLICATION.equals(type)) {
+                    clientTokenCheckFailed = true;
+                }
+            }
+        } catch (Exception e) {
+            throw new SessionException(e);
+        }
+
+        if(clientTokenCheckFailed
+                && !SystemProperties.getAsBoolean(ADD_SESSION_LISTENER_SKIP_AUTH_CHECK, false)) {
+            throw new IllegalArgumentException("Request should be authenticated");
+        }
+    }
+
     @Override
     public boolean checkSessionExists(SessionID sessionId) throws SessionException {
         // Attempt to load the session. If one is found, the InternalSesion is now local.

openam-core/src/main/java/com/iplanet/dpro/session/operations/strategies/StatelessOperations.java

@@ -131,7 +131,7 @@ public SessionInfo getSessionInfo(SessionID sid, boolean reset) throws SessionEx
     }
 
     @Override
-    public void addSessionListener(Session session, String url) throws SessionException {
+    public void addSessionListener(SSOToken clientToken, Session session, String url) throws SessionException {
         throw new UnsupportedOperationException();
     }
 

openam-core/src/main/java/com/iplanet/dpro/session/service/SessionRequestHandler.java

@@ -25,7 +25,7 @@
  * $Id: SessionRequestHandler.java,v 1.9 2009/04/02 04:11:44 ericow Exp $
  *
  * Portions Copyrighted 2011-2016 ForgeRock AS.
- * Portions Copyrighted 2025 3A Systems LLC.
+ * Portions Copyrighted 2025-2026 3A Systems LLC.
  */
 package com.iplanet.dpro.session.service;
 
@@ -352,7 +352,7 @@ private SessionResponse processMethod(SessionRequest req, Session requesterSessi
                 break;
 
             case SessionRequest.AddSessionListener:
-                sessionService.addSessionListener(requesterSession, req.getNotificationURL());
+                sessionService.addSessionListener(this.clientToken, requesterSession, req.getNotificationURL());
                 break;
 
             case SessionRequest.SetProperty:

openam-core/src/main/java/com/iplanet/dpro/session/service/SessionService.java

@@ -25,7 +25,7 @@
  * $Id: SessionService.java,v 1.37 2010/02/03 03:52:54 bina Exp $
  *
  * Portions Copyrighted 2010-2016 ForgeRock AS.
- * Portions Copyrighted 2023-2025 3A Systems LLC
+ * Portions Copyrighted 2023-2026 3A Systems LLC
  */
 package com.iplanet.dpro.session.service;
 
@@ -246,8 +246,8 @@ public void logout(final Session session) throws SessionException {
      * @param url
      * @throws SessionException Session is null OR the Session is invalid
      */
-    public void addSessionListener(Session session, String url) throws SessionException {
-        sessionOperationStrategy.getOperation(session.getSessionID()).addSessionListener(session, url);
+    public void addSessionListener(SSOToken clientToken, Session session, String url) throws SessionException {
+        sessionOperationStrategy.getOperation(session.getSessionID()).addSessionListener(clientToken, session, url);
     }
 
     /**