
Example 1 with AccountNotFoundException

use of javax.security.auth.login.AccountNotFoundException in project cas by apereo.

the class QueryDatabaseAuthenticationHandler method authenticateUsernamePasswordInternal.

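/**
 * Authenticates a username/password credential against a single row returned by the configured SQL query.
 *
 * The query is executed with the username as its only parameter and must return exactly one row. The stored
 * password is read from {@code fieldPassword}; when an encoded password ({@code originalPassword}) is supplied
 * it is checked with {@code matches}, otherwise the raw credential password is compared against the stored value
 * in constant time. Optional {@code fieldDisabled} / {@code fieldExpired} columns are then inspected, and the
 * columns listed in {@code principalAttributeMap} are copied into the principal's attributes.
 *
 * Note that a missing account and a wrong password are reported as different exception types; whether that
 * distinction is exposed to the end user is decided by the caller, not here.
 *
 * @param credential       the credential being authenticated
 * @param originalPassword the encoded form of the password, if the caller already encoded it; blank otherwise
 * @return the handler result carrying the resolved principal and its attributes
 * @throws GeneralSecurityException          when no SQL statement or JDBC template is configured
 * @throws AccountNotFoundException          when the query returns no row for the username
 * @throws FailedLoginException              when the password does not match, or the query returns more than one row
 * @throws AccountDisabledException          when the disabled column is set
 * @throws AccountPasswordMustChangeException when the expired column is set
 * @throws PreventedException                when any other data-access error stops the query from running
 */
@Override
protected HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    if (StringUtils.isBlank(this.sql) || getJdbcTemplate() == null) {
        throw new GeneralSecurityException("Authentication handler is not configured correctly. No SQL statement or JDBC template is found.");
    }
    final Map<String, Object> attributes = new LinkedHashMap<>(this.principalAttributeMap.size());
    final String username = credential.getUsername();
    final String password = credential.getPassword();
    try {
        // queryForMap throws IncorrectResultSizeDataAccessException unless exactly one row comes back.
        final Map<String, Object> dbFields = getJdbcTemplate().queryForMap(this.sql, username);
        final String dbPassword = (String) dbFields.get(this.fieldPassword);
        if (!passwordMatches(password, originalPassword, dbPassword)) {
            throw new FailedLoginException("Password does not match value on record.");
        }
        if (StringUtils.isNotBlank(this.fieldDisabled) && isFlagSet(dbFields.get(this.fieldDisabled))) {
            throw new AccountDisabledException("Account has been disabled");
        }
        if (StringUtils.isNotBlank(this.fieldExpired) && isFlagSet(dbFields.get(this.fieldExpired))) {
            throw new AccountPasswordMustChangeException("Password has expired");
        }
        // Map key = column name in the result set, map value = attribute name on the principal.
        this.principalAttributeMap.entrySet().forEach(a -> {
            final Object attribute = dbFields.get(a.getKey());
            if (attribute != null) {
                LOGGER.debug("Found attribute [{}] from the query results", a);
                attributes.put(a.getValue(), attribute.toString());
            } else {
                // Previously unreachable because of a duplicated null check; missing columns are now actually reported.
                LOGGER.warn("Requested attribute [{}] could not be found in the query results", a.getKey());
            }
        });
    } catch (final IncorrectResultSizeDataAccessException e) {
        if (e.getActualSize() == 0) {
            throw new AccountNotFoundException(username + " not found with SQL query");
        }
        throw new FailedLoginException("Multiple records found for " + username);
    } catch (final DataAccessException e) {
        throw new PreventedException("SQL exception while executing query for " + username, e);
    }
    return createHandlerResult(credential, this.principalFactory.createPrincipal(username, attributes), null);
}

/**
 * Decides whether the submitted credential matches the stored password.
 *
 * A stored password of {@code null} (column absent or NULL) never matches. When an encoded password is supplied
 * the comparison is delegated to {@code matches}; otherwise the raw password is compared byte-for-byte with
 * {@code MessageDigest.isEqual}, so the comparison time does not depend on where the first differing byte is.
 *
 * @param password         the raw password from the credential, may be {@code null}
 * @param originalPassword the encoded password supplied by the caller, blank when none was supplied
 * @param dbPassword       the stored password, may be {@code null}
 * @return {@code true} only if the credential matches the stored value
 */
private boolean passwordMatches(final String password, final String originalPassword, final String dbPassword) {
    if (dbPassword == null) {
        return false;
    }
    if (StringUtils.isNotBlank(originalPassword)) {
        return matches(originalPassword, dbPassword);
    }
    if (password == null) {
        return false;
    }
    return java.security.MessageDigest.isEqual(
        password.getBytes(java.nio.charset.StandardCharsets.UTF_8),
        dbPassword.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}

/**
 * Interprets a status column (disabled / expired) from the result set.
 *
 * @param dbValue the raw column value, may be {@code null}
 * @return {@code true} when the value's text form is truthy according to {@code BooleanUtils.toBoolean},
 *         or the value is the integer {@code 1}
 */
private static boolean isFlagSet(final Object dbValue) {
    return dbValue != null
        && (BooleanUtils.toBoolean(dbValue.toString()) || dbValue.equals(Integer.valueOf(1)));
}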
Also used : FailedLoginException(javax.security.auth.login.FailedLoginException) IncorrectResultSizeDataAccessException(org.springframework.dao.IncorrectResultSizeDataAccessException) GeneralSecurityException(java.security.GeneralSecurityException) PreventedException(org.apereo.cas.authentication.PreventedException) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException) DataAccessException(org.springframework.dao.DataAccessException) IncorrectResultSizeDataAccessException(org.springframework.dao.IncorrectResultSizeDataAccessException) LinkedHashMap(java.util.LinkedHashMap)

Example 2 with AccountNotFoundException

use of javax.security.auth.login.AccountNotFoundException in project cas by apereo.

the class AbstractTokenWrapperAuthenticationHandler method convertToPac4jCredentials.

/**
 * Builds the pac4j {@code TokenCredentials} that correspond to a CAS credential.
 *
 * The credential id is first run through the configured principal name transformer; a transformed id of
 * {@code null} is reported as an unknown account. The second constructor argument passed to pac4j is this
 * handler's simple class name.
 *
 * @param casCredential the CAS credential whose id is converted
 * @return pac4j token credentials carrying the transformed id
 * @throws AccountNotFoundException if the transformer yields {@code null}
 */
@Override
protected TokenCredentials convertToPac4jCredentials(final BasicIdentifiableCredential casCredential) throws GeneralSecurityException, PreventedException {
    // NOTE(review): whether this line discloses the token depends on the credential's toString() — confirm.
    LOGGER.debug("CAS credentials: [{}]", casCredential);
    final String transformedId = this.principalNameTransformer.transform(casCredential.getId());
    if (transformedId != null) {
        final TokenCredentials pac4jCredentials = new TokenCredentials(transformedId, getClass().getSimpleName());
        LOGGER.debug("pac4j credentials: [{}]", pac4jCredentials);
        return pac4jCredentials;
    }
    throw new AccountNotFoundException("Id is null.");
}
Also used : AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) TokenCredentials(org.pac4j.core.credentials.TokenCredentials)

Example 3 with AccountNotFoundException

use of javax.security.auth.login.AccountNotFoundException in project cas by apereo.

the class RestAuthenticationHandler method authenticateUsernamePasswordInternal.

/**
 * Authenticates a username/password credential by delegating to a remote REST endpoint.
 *
 * A 200 response whose body carries a principal with a non-blank id succeeds; any other 2xx/3xx response is
 * treated as an unknown response. 4xx client errors are mapped to the matching account exception by
 * {@code translateClientError}. The password is sent to the endpoint as supplied; protecting it in transit is the
 * concern of the endpoint configuration, not of this method.
 *
 * @param c                the credential being authenticated
 * @param originalPassword unused here; the raw credential password is forwarded to the endpoint
 * @return the handler result built from the principal returned by the endpoint
 * @throws FailedLoginException     when the endpoint rejects the credential, returns an unusable body, or an
 *                                  unrecognised status
 * @throws AccountDisabledException on 403
 * @throws AccountNotFoundException on 404
 * @throws AccountLockedException   on 423
 * @throws AccountExpiredException  on 428
 */
@Override
protected HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential c, final String originalPassword) throws GeneralSecurityException, PreventedException {
    final String username = c.getUsername();
    try {
        final UsernamePasswordCredential creds = new UsernamePasswordCredential(username, c.getPassword());
        final ResponseEntity<SimplePrincipal> authenticationResponse = api.authenticate(creds);
        if (authenticationResponse.getStatusCode() == HttpStatus.OK) {
            final SimplePrincipal principalFromRest = authenticationResponse.getBody();
            final boolean usable = principalFromRest != null && StringUtils.isNotBlank(principalFromRest.getId());
            if (!usable) {
                throw new FailedLoginException("Could not determine authentication response from rest endpoint for " + username);
            }
            return createHandlerResult(c, this.principalFactory.createPrincipal(principalFromRest.getId(), principalFromRest.getAttributes()), new ArrayList<>());
        }
    } catch (final HttpClientErrorException e) {
        throw translateClientError(e, username);
    }
    throw new FailedLoginException("Rest endpoint returned an unknown response for " + username);
}

/**
 * Maps a 4xx client error from the REST endpoint to the account exception it stands for.
 *
 * @param e        the client error raised by the REST call
 * @param username the username being authenticated, included in the message
 * @return the exception to throw; an unrecognised status yields a {@code FailedLoginException} naming the code
 */
private static GeneralSecurityException translateClientError(final HttpClientErrorException e, final String username) {
    if (e.getStatusCode() == HttpStatus.FORBIDDEN) {
        return new AccountDisabledException("Could not authenticate forbidden account for " + username);
    }
    if (e.getStatusCode() == HttpStatus.UNAUTHORIZED) {
        return new FailedLoginException("Could not authenticate account for " + username);
    }
    if (e.getStatusCode() == HttpStatus.NOT_FOUND) {
        return new AccountNotFoundException("Could not locate account for " + username);
    }
    if (e.getStatusCode() == HttpStatus.LOCKED) {
        return new AccountLockedException("Could not authenticate locked account for " + username);
    }
    if (e.getStatusCode() == HttpStatus.PRECONDITION_REQUIRED) {
        return new AccountExpiredException("Could not authenticate expired account for " + username);
    }
    return new FailedLoginException("Rest endpoint returned an unknown status code " + e.getStatusCode() + " for " + username);
}
Also used : AccountLockedException(javax.security.auth.login.AccountLockedException) FailedLoginException(javax.security.auth.login.FailedLoginException) HttpClientErrorException(org.springframework.web.client.HttpClientErrorException) AccountExpiredException(javax.security.auth.login.AccountExpiredException) UsernamePasswordCredential(org.apereo.cas.authentication.UsernamePasswordCredential) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) SimplePrincipal(org.apereo.cas.authentication.principal.SimplePrincipal) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException)

Example 4 with AccountNotFoundException

use of javax.security.auth.login.AccountNotFoundException in project cas by apereo.

the class LdapAuthenticationHandler method authenticateUsernamePasswordInternal.

/**
 * Authenticates a username/password credential against LDAP through the configured ldaptive authenticator.
 *
 * After the bind, the LDAP password policy (if one is configured) is applied to the response to collect account
 * state messages. A successful result yields a principal built from the returned entry; a DN resolution failure is
 * reported as an unknown account and every other failure as invalid credentials.
 *
 * @param upc              the credential being authenticated
 * @param originalPassword unused here; the raw credential password is bound against LDAP
 * @return the handler result with the principal and any password policy messages
 * @throws PreventedException       when the LDAP operation itself fails
 * @throws AccountNotFoundException when the user's DN cannot be resolved
 * @throws FailedLoginException     when LDAP rejects the credentials
 */
@Override
protected HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential upc, final String originalPassword) throws GeneralSecurityException, PreventedException {
    final AuthenticationResponse ldapResponse;
    try {
        LOGGER.debug("Attempting LDAP authentication for [{}]. Authenticator pre-configured attributes are [{}], " + "additional requested attributes for this authentication request are [{}]", upc, authenticator.getReturnAttributes(), authenticatedEntryAttributes);
        final AuthenticationRequest bindRequest = new AuthenticationRequest(upc.getUsername(), new org.ldaptive.Credential(upc.getPassword()), authenticatedEntryAttributes);
        ldapResponse = authenticator.authenticate(bindRequest);
    } catch (final LdapException e) {
        LOGGER.trace(e.getMessage(), e);
        throw new PreventedException("Unexpected LDAP error", e);
    }
    LOGGER.debug("LDAP response: [{}]", ldapResponse);
    final List<MessageDescriptor> policyMessages = applyPasswordPolicy(ldapResponse);
    if (ldapResponse.getResult()) {
        LOGGER.debug("LDAP response returned a result. Creating the final LDAP principal");
        return createHandlerResult(upc, createPrincipal(upc.getUsername(), ldapResponse.getLdapEntry()), policyMessages);
    }
    if (AuthenticationResultCode.DN_RESOLUTION_FAILURE == ldapResponse.getAuthenticationResultCode()) {
        LOGGER.warn("DN resolution failed. [{}]", ldapResponse.getMessage());
        throw new AccountNotFoundException(upc.getUsername() + " not found.");
    }
    throw new FailedLoginException("Invalid credentials");
}

/**
 * Runs the configured LDAP password policy's account state handler over the response.
 *
 * @param ldapResponse the response from the authenticator
 * @return the account state messages produced by the policy, or an empty list when no policy is configured
 * @throws GeneralSecurityException propagated from the account state handler
 */
private List<MessageDescriptor> applyPasswordPolicy(final AuthenticationResponse ldapResponse) throws GeneralSecurityException {
    final LdapPasswordPolicyConfiguration policy = (LdapPasswordPolicyConfiguration) super.getPasswordPolicyConfiguration();
    if (policy == null) {
        LOGGER.debug("No ldap password policy configuration is defined");
        return Collections.emptyList();
    }
    LOGGER.debug("Applying password policy to [{}]", ldapResponse);
    return policy.getAccountStateHandler().handle(ldapResponse, policy);
}
Also used : FailedLoginException(javax.security.auth.login.FailedLoginException) LdapPasswordPolicyConfiguration(org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration) AuthenticationRequest(org.ldaptive.auth.AuthenticationRequest) AuthenticationResponse(org.ldaptive.auth.AuthenticationResponse) LdapException(org.ldaptive.LdapException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException)

Example 5 with AccountNotFoundException

use of javax.security.auth.login.AccountNotFoundException in project cas by apereo.

the class YubiKeyAuthenticationHandler method doAuthentication.

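/**
 * Verifies a YubiKey one-time password as a second factor for the principal already authenticated in the
 * current web flow.
 *
 * The OTP format is checked locally first; the key's public id is then looked up in the registry (when one is
 * configured) for the flow's principal, and finally the OTP is sent to the Yubico client for verification.
 *
 * @param credential the credential, expected to be a {@code YubiKeyCredential}
 * @return the handler result for the flow's principal when the OTP verifies as OK
 * @throws AccountNotFoundException when the OTP format is invalid, or the key is not registered for the user
 * @throws FailedLoginException     when the verification service reports anything other than OK, or fails
 * @throws IllegalStateException    when no authenticated principal is present in the request context
 */
@Override
protected HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
    final YubiKeyCredential yubiKeyCredential = (YubiKeyCredential) credential;
    final String otp = yubiKeyCredential.getToken();
    if (!YubicoClient.isValidOTPFormat(otp)) {
        // The submitted token is credential material: log only its length, not its value.
        LOGGER.debug("Invalid OTP format; token length [{}]", otp == null ? 0 : otp.length());
        throw new AccountNotFoundException("OTP format is invalid");
    }
    final RequestContext context = RequestContextHolder.getRequestContext();
    // Second factor: the user id comes from the primary authentication held by the flow, never from the credential.
    // Without it the previous code dereferenced null; fail with a clear message instead.
    if (context == null || WebUtils.getAuthentication(context) == null) {
        throw new IllegalStateException("No authenticated principal is available in the current request context");
    }
    final String uid = WebUtils.getAuthentication(context).getPrincipal().getId();
    final String publicId = YubicoClient.getPublicId(otp);
    if (this.registry != null && !this.registry.isYubiKeyRegisteredFor(uid, publicId)) {
        LOGGER.debug("YubiKey public id [{}] is not registered for user [{}]", publicId, uid);
        throw new AccountNotFoundException("YubiKey id is not recognized in registry");
    }
    try {
        final VerificationResponse response = this.client.verify(otp);
        final ResponseStatus status = response.getStatus();
        // Null-safe equivalent of status.compareTo(ResponseStatus.OK) == 0; a null status is a failure, not an NPE.
        if (ResponseStatus.OK.equals(status)) {
            LOGGER.debug("YubiKey response status [{}] at [{}]", status, response.getTimestamp());
            return createHandlerResult(yubiKeyCredential, this.principalFactory.createPrincipal(uid), null);
        }
        throw new FailedLoginException("Authentication failed with status: " + status);
    } catch (final YubicoVerificationException | YubicoValidationFailure e) {
        LOGGER.error(e.getMessage(), e);
        // FailedLoginException has no cause constructor; attach the cause so it is not lost to the caller.
        final FailedLoginException failure = new FailedLoginException("YubiKey validation failed: " + e.getMessage());
        failure.initCause(e);
        throw failure;
    }
}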
Also used : VerificationResponse(com.yubico.client.v2.VerificationResponse) FailedLoginException(javax.security.auth.login.FailedLoginException) ResponseStatus(com.yubico.client.v2.ResponseStatus) RequestContext(org.springframework.webflow.execution.RequestContext) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) YubicoValidationFailure(com.yubico.client.v2.exceptions.YubicoValidationFailure) YubicoVerificationException(com.yubico.client.v2.exceptions.YubicoVerificationException)
