Search in sources :

Example 1 with VerificationCodeFor2FARequiredException

use of org.orcid.frontend.web.exception.VerificationCodeFor2FARequiredException in project ORCID-Source by ORCID.

the class OauthLoginController method authenticateAndAuthorize.

@RequestMapping(value = { "/oauth/custom/signin.json", "/oauth/custom/login.json" }, method = RequestMethod.POST)
@ResponseBody
public OauthAuthorizeForm authenticateAndAuthorize(HttpServletRequest request, HttpServletResponse response, @RequestBody OauthAuthorizeForm form) {
    // Clean form errors
    form.setErrors(new ArrayList<String>());
    RequestInfoForm requestInfoForm = (RequestInfoForm) request.getSession().getAttribute(REQUEST_INFO_FORM);
    boolean willBeRedirected = false;
    if (form.getApproved()) {
        // Validate name and password
        validateUserNameAndPassword(form);
        if (form.getErrors().isEmpty()) {
            try {
                // Authenticate user
                copy2FAFields(form, request);
                Authentication auth = authenticateUser(request, form.getUserName().getValue(), form.getPassword().getValue());
                profileEntityManager.updateLastLoginDetails(auth.getName(), OrcidRequestUtil.getIpAddress(request));
                // Create authorization params
                SimpleSessionStatus status = new SimpleSessionStatus();
                Map<String, Object> model = new HashMap<String, Object>();
                Map<String, String> params = new HashMap<String, String>();
                Map<String, String> approvalParams = new HashMap<String, String>();
                fillOauthParams(requestInfoForm, params, approvalParams, form.getPersistentTokenEnabled(), form.isEmailAccessAllowed());
                // Authorize
                try {
                    authorizationEndpoint.authorize(model, params, status, auth);
                } catch (RedirectMismatchException rUriError) {
                    String redirectUri = this.getBaseUri() + REDIRECT_URI_ERROR;
                    // Set the client id
                    redirectUri = redirectUri.replace("{0}", requestInfoForm.getClientId());
                    // Set the response type if needed
                    if (!PojoUtil.isEmpty(requestInfoForm.getResponseType()))
                        redirectUri += "&response_type=" + requestInfoForm.getResponseType();
                    // Set the redirect uri
                    if (!PojoUtil.isEmpty(requestInfoForm.getRedirectUrl()))
                        redirectUri += "&redirect_uri=" + requestInfoForm.getRedirectUrl();
                    // Set the scope param
                    if (!PojoUtil.isEmpty(requestInfoForm.getScopesAsString()))
                        redirectUri += "&scope=" + requestInfoForm.getScopesAsString();
                    // Copy the state param if present
                    if (!PojoUtil.isEmpty(requestInfoForm.getStateParam()))
                        redirectUri += "&state=" + requestInfoForm.getStateParam();
                    form.setRedirectUrl(redirectUri);
                    LOGGER.info("OauthLoginController being sent to client browser: " + form.getRedirectUrl());
                    return form;
                }
                // Approve
                RedirectView view = (RedirectView) authorizationEndpoint.approveOrDeny(approvalParams, model, status, auth);
                form.setRedirectUrl(view.getUrl());
                willBeRedirected = true;
            } catch (AuthenticationException ae) {
                if (ae.getCause() instanceof DisabledException) {
                    // Handle this message in angular to allow AJAX action
                    form.getErrors().add("orcid.frontend.security.orcid_deactivated");
                } else if (ae.getCause() instanceof UnclaimedProfileExistsException) {
                    String email = PojoUtil.isEmpty(form.getUserName()) ? null : form.getUserName().getValue();
                    String resendEmailUrl = createResendClaimUrl(email, request);
                    String errorMessage = getMessage("orcid.frontend.security.unclaimed_exists_1");
                    errorMessage += "<a href=\"" + resendEmailUrl + "\">";
                    errorMessage += getMessage("orcid.frontend.security.unclaimed_exists_2");
                    errorMessage += "</a>" + getMessage("orcid.frontend.security.unclaimed_exists_3");
                    form.getErrors().add(errorMessage);
                } else if (ae instanceof VerificationCodeFor2FARequiredException) {
                    form.setVerificationCodeRequired(true);
                } else if (ae instanceof Bad2FAVerificationCodeException) {
                    form.getErrors().add(getMessage("orcid.frontend.security.2fa.bad_verification_code"));
                } else if (ae instanceof Bad2FARecoveryCodeException) {
                    form.getErrors().add(getMessage("orcid.frontend.security.2fa.bad_recovery_code"));
                } else {
                    form.getErrors().add(getMessage("orcid.frontend.security.bad_credentials"));
                }
            }
        }
    } else {
        form.setRedirectUrl(buildDenyRedirectUri(requestInfoForm.getRedirectUrl(), requestInfoForm.getStateParam()));
        willBeRedirected = true;
    }
    // not be redirected yet
    if (willBeRedirected) {
        if (new HttpSessionRequestCache().getRequest(request, response) != null)
            new HttpSessionRequestCache().removeRequest(request, response);
        LOGGER.info("OauthConfirmAccessController form.getRedirectUri being sent to client browser: " + requestInfoForm.getRedirectUrl());
    }
    return form;
}
Also used : HashMap(java.util.HashMap) AuthenticationException(org.springframework.security.core.AuthenticationException) DisabledException(org.springframework.security.authentication.DisabledException) HttpSessionRequestCache(org.springframework.security.web.savedrequest.HttpSessionRequestCache) Bad2FAVerificationCodeException(org.orcid.frontend.web.exception.Bad2FAVerificationCodeException) UnclaimedProfileExistsException(org.orcid.core.security.UnclaimedProfileExistsException) VerificationCodeFor2FARequiredException(org.orcid.frontend.web.exception.VerificationCodeFor2FARequiredException) Bad2FARecoveryCodeException(org.orcid.frontend.web.exception.Bad2FARecoveryCodeException) Authentication(org.springframework.security.core.Authentication) RedirectMismatchException(org.springframework.security.oauth2.common.exceptions.RedirectMismatchException) RedirectView(org.springframework.web.servlet.view.RedirectView) RequestInfoForm(org.orcid.pojo.ajaxForm.RequestInfoForm) SimpleSessionStatus(org.springframework.web.bind.support.SimpleSessionStatus) RequestMapping(org.springframework.web.bind.annotation.RequestMapping) ResponseBody(org.springframework.web.bind.annotation.ResponseBody)

Example 2 with VerificationCodeFor2FARequiredException

use of org.orcid.frontend.web.exception.VerificationCodeFor2FARequiredException in project ORCID-Source by ORCID.

the class AjaxAuthenticationFailureHandler method onAuthenticationFailure.

public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
    response.setContentType("application/json");
    PrintWriter writer = response.getWriter();
    writer.println("{");
    writer.println("\"success\": false");
    if (exception.getCause() instanceof UnclaimedProfileExistsException) {
        writer.println(",");
        writer.println("\"unclaimed\": true");
    } else if (exception.getCause() instanceof DeprecatedProfileException) {
        writer.println(",");
        writer.println("\"deprecated\": true");
        DeprecatedProfileException exc = (DeprecatedProfileException) exception.getCause();
        if (exc != null && exc.getPrimary() != null) {
            writer.println(",");
            writer.println("\"primary\":\"" + exc.getPrimary() + "\"");
        }
    } else if (exception.getCause() instanceof DisabledException) {
        writer.println(",");
        writer.println("\"disabled\": true");
    } else if (exception instanceof VerificationCodeFor2FARequiredException) {
        writer.println(",");
        writer.println("\"verificationCodeRequired\": true");
    } else if (exception instanceof Bad2FAVerificationCodeException) {
        writer.println(",");
        writer.println("\"badVerificationCode\": true");
        writer.println(",");
        writer.println("\"verificationCodeRequired\": true");
    } else if (exception instanceof Bad2FARecoveryCodeException) {
        writer.println(",");
        writer.println("\"badRecoveryCode\": true");
    }
    writer.println("}");
}
Also used : VerificationCodeFor2FARequiredException(org.orcid.frontend.web.exception.VerificationCodeFor2FARequiredException) Bad2FARecoveryCodeException(org.orcid.frontend.web.exception.Bad2FARecoveryCodeException) DisabledException(org.springframework.security.authentication.DisabledException) DeprecatedProfileException(org.orcid.core.security.DeprecatedProfileException) Bad2FAVerificationCodeException(org.orcid.frontend.web.exception.Bad2FAVerificationCodeException) UnclaimedProfileExistsException(org.orcid.core.security.UnclaimedProfileExistsException) PrintWriter(java.io.PrintWriter)

Example 3 with VerificationCodeFor2FARequiredException

use of org.orcid.frontend.web.exception.VerificationCodeFor2FARequiredException in project ORCID-Source by ORCID.

the class OrcidAuthenticationProvider method authenticate.

@Override
public Authentication authenticate(Authentication auth) throws AuthenticationException {
    Authentication result = super.authenticate(auth);
    if (!result.isAuthenticated()) {
        return result;
    }
    ProfileEntity profile = getProfileEntity(auth.getName());
    if ((profile == null)) {
        throw new BadCredentialsException("Invalid username or password");
    }
    if (profile.getUsing2FA()) {
        String recoveryCode = ((OrcidWebAuthenticationDetails) auth.getDetails()).getRecoveryCode();
        if (recoveryCode != null && !recoveryCode.isEmpty()) {
            if (!backupCodeManager.verify(profile.getId(), recoveryCode)) {
                throw new Bad2FARecoveryCodeException();
            }
        } else {
            String verificationCode = ((OrcidWebAuthenticationDetails) auth.getDetails()).getVerificationCode();
            if (verificationCode == null || verificationCode.isEmpty()) {
                throw new VerificationCodeFor2FARequiredException();
            }
            if (!twoFactorAuthenticationManager.verificationCodeIsValid(verificationCode, profile)) {
                throw new Bad2FAVerificationCodeException();
            }
        }
    }
    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(profile.getId(), result.getCredentials(), result.getAuthorities());
    authentication.setDetails(orcidUserDetailsService.loadUserByProfile(profile));
    return authentication;
}
Also used : VerificationCodeFor2FARequiredException(org.orcid.frontend.web.exception.VerificationCodeFor2FARequiredException) Bad2FARecoveryCodeException(org.orcid.frontend.web.exception.Bad2FARecoveryCodeException) Authentication(org.springframework.security.core.Authentication) Bad2FAVerificationCodeException(org.orcid.frontend.web.exception.Bad2FAVerificationCodeException) UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken) BadCredentialsException(org.springframework.security.authentication.BadCredentialsException) ProfileEntity(org.orcid.persistence.jpa.entities.ProfileEntity)

Aggregations

Bad2FARecoveryCodeException (org.orcid.frontend.web.exception.Bad2FARecoveryCodeException)3 Bad2FAVerificationCodeException (org.orcid.frontend.web.exception.Bad2FAVerificationCodeException)3 VerificationCodeFor2FARequiredException (org.orcid.frontend.web.exception.VerificationCodeFor2FARequiredException)3 UnclaimedProfileExistsException (org.orcid.core.security.UnclaimedProfileExistsException)2 DisabledException (org.springframework.security.authentication.DisabledException)2 Authentication (org.springframework.security.core.Authentication)2 PrintWriter (java.io.PrintWriter)1 HashMap (java.util.HashMap)1 DeprecatedProfileException (org.orcid.core.security.DeprecatedProfileException)1 ProfileEntity (org.orcid.persistence.jpa.entities.ProfileEntity)1 RequestInfoForm (org.orcid.pojo.ajaxForm.RequestInfoForm)1 BadCredentialsException (org.springframework.security.authentication.BadCredentialsException)1 UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken)1 AuthenticationException (org.springframework.security.core.AuthenticationException)1 RedirectMismatchException (org.springframework.security.oauth2.common.exceptions.RedirectMismatchException)1 HttpSessionRequestCache (org.springframework.security.web.savedrequest.HttpSessionRequestCache)1 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)1 ResponseBody (org.springframework.web.bind.annotation.ResponseBody)1 SimpleSessionStatus (org.springframework.web.bind.support.SimpleSessionStatus)1 RedirectView (org.springframework.web.servlet.view.RedirectView)1