use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.
the class Adaptive method process.
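/**
 * Runs the configured adaptive risk checks for the current user and turns the
 * accumulated risk score into a login result.
 *
 * <p>When no user name has been established yet, the user is resolved from the
 * existing SSO session (the module then acts as a second-stage check on a session
 * that was already authenticated). Every enabled check contributes its score, in a
 * fixed order; the login succeeds only if the total stays strictly below
 * {@code adaptiveThreshold}.
 *
 * <p>Any exception thrown by a check -- including an arithmetic overflow of the
 * running total -- is mapped to {@link Integer#MAX_VALUE} so that an internal error
 * can never be turned into a successful login.
 *
 * @param callbacks callbacks from the authentication framework (not used by this module)
 * @param state must be {@link ISAuthConstants#LOGIN_START}
 * @return {@link ISAuthConstants#LOGIN_SUCCEED} when the risk score is below the threshold
 * @throws AuthLoginException when the state is not LOGIN_START, when no user or identity
 *         can be resolved, or when the risk score reaches the threshold
 */
@Override
public int process(Callback[] callbacks, int state) throws AuthLoginException {
    debug.message("{}: process called with state = {}", ADAPTIVE, state);
    if (state != ISAuthConstants.LOGIN_START) {
        throw new AuthLoginException("Authentication failed: Internal Error - NOT LOGIN_START");
    }
    if (userName == null || userName.isEmpty()) {
        resolveUserFromSession();
    }
    if (debug.messageEnabled()) {
        debug.message("{}: Login Attempt Username = {}", ADAPTIVE, userName);
    }
    amAuthIdentity = getIdentity();
    clientIP = ClientUtils.getClientIPAddress(getHttpServletRequest());
    if (amAuthIdentity == null) {
        throw new AuthLoginException(ADAPTIVE, "noIdentity", null);
    }
    int currentScore = computeRiskScore();
    // Post-auth parameters are recorded regardless of the outcome (as before).
    setPostAuthNParams();
    if (currentScore < adaptiveThreshold) {
        if (debug.messageEnabled()) {
            debug.message("{}: Returning Success. Username='{}'", ADAPTIVE, userName);
        }
        return ISAuthConstants.LOGIN_SUCCEED;
    }
    if (debug.messageEnabled()) {
        debug.message("{}: Returning Fail. Username='{}'", ADAPTIVE, userName);
    }
    throw new AuthLoginException(ADAPTIVE + " - Risk determined.");
}

/**
 * Populates {@code userName} and {@code userUUID} from the session that was established
 * before this module ran.
 *
 * @throws AuthLoginException if there is no previous session ({@code noInternalSession}),
 *         the session carries no user name ({@code noUserName}), or the SSO token cannot
 *         be created or read ({@code noIdentity})
 */
private void resolveUserFromSession() throws AuthLoginException {
    try {
        SSOTokenManager mgr = SSOTokenManager.getInstance();
        InternalSession isess = getLoginState(ADAPTIVE).getOldSession();
        if (isess == null) {
            throw new AuthLoginException(ADAPTIVE, "noInternalSession", null);
        }
        SSOToken token = mgr.createSSOToken(isess.getID().toString());
        userUUID = token.getPrincipal().getName();
        userName = token.getProperty("UserToken");
        if (debug.messageEnabled()) {
            debug.message("{}.process() : UserName '{}' in SSOToken", ADAPTIVE, userName);
        }
        if (userName == null || userName.isEmpty()) {
            throw new AuthLoginException("amAuth", "noUserName", null);
        }
    } catch (SSOException e) {
        // Keep the cause in the log; the exception reported to the framework is generic.
        debug.message("{}: could not resolve the user from the existing SSO session", ADAPTIVE, e);
        throw new AuthLoginException(ADAPTIVE, "noIdentity", null);
    }
}

/**
 * Evaluates every enabled check in the fixed order below and returns the summed score.
 * Any exception from a check (or an overflow of the sum) yields {@link Integer#MAX_VALUE},
 * which the caller treats as "risk determined".
 */
private int computeRiskScore() {
    int score = 0;
    try {
        if (IPRangeCheck) {
            score = addCheckScore(score, "checkIPRange", checkIPRange());
        }
        if (IPHistoryCheck) {
            score = addCheckScore(score, "checkIPHistory", checkIPHistory());
        }
        if (knownCookieCheck) {
            score = addCheckScore(score, "checkKnownCookie", checkKnownCookie());
        }
        if (timeOfDayCheck) {
            score = addCheckScore(score, "checkTimeDay", checkTimeDay());
        }
        if (timeSinceLastLoginCheck) {
            score = addCheckScore(score, "checkLastLogin", checkLastLogin());
        }
        if (riskAttributeCheck) {
            score = addCheckScore(score, "checkRiskAttribute", checkRiskAttribute());
        }
        if (authFailureCheck) {
            score = addCheckScore(score, "checkAuthFailure", checkAuthFailure());
        }
        if (deviceCookieCheck) {
            score = addCheckScore(score, "checkRegisteredClient", checkRegisteredClient());
        }
        if (geoLocationCheck) {
            score = addCheckScore(score, "checkGeoLocation", checkGeoLocation());
        }
        if (reqHeaderCheck) {
            score = addCheckScore(score, "checkRequestHeader", checkRequestHeader());
        }
    } catch (Exception ex) {
        // Fail closed: an unexpected error must never lower the risk score.
        score = Integer.MAX_VALUE;
        debug.error("{}.process() : Unknown exception occurred while executing checks, module will fail.", ADAPTIVE, ex);
    }
    return score;
}

/**
 * Logs one check's result and adds it to the running total.
 *
 * <p>{@link Math#addExact} is used on purpose: with plain {@code +} a large configured
 * score could wrap the total to a negative number, which compares below the threshold
 * and would turn an overflow into a successful login. The {@link ArithmeticException}
 * is caught by {@link #computeRiskScore()} and mapped to maximum risk instead.
 *
 * @param score running total so far
 * @param checkName name of the check, for the debug message
 * @param retVal score returned by the check
 * @return the new running total
 */
private int addCheckScore(int score, String checkName, int retVal) {
    if (debug.messageEnabled()) {
        debug.message("{}.{}: returns {}", ADAPTIVE, checkName, retVal);
    }
    return Math.addExact(score, retVal);
}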
use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.
the class Cert method initAuthConfig.
/**
 * Loads the Certificate module's settings from {@code options} into the module fields and
 * validates the combinations that {@code process()} later relies on.
 *
 * <p>Checks performed here: the CRL attribute name must be set when CRL checking is on; the
 * LDAP attribute name must be set when certificate-in-LDAP checking is on; the LDAP provider
 * URL and the start-search DN must be set (and the DN must parse) when either of those two
 * checks is on. Portal-gateway certificate auth is enabled only when explicitly configured,
 * either for any client ({@code any}) or for a listed gateway that matches the requesting
 * client.
 *
 * <p>NOTE(review): {@code iplanet-am-auth-cert-check-crl} and
 * {@code iplanet-am-auth-cert-check-cert-in-ldap} are dereferenced without a null check
 * (other attributes read the same way are null-checked), so a missing attribute surfaces
 * as a NullPointerException rather than an AuthLoginException.
 *
 * @throws AuthLoginException if {@code options} is null ({@code CERTex}) or a required setting
 *         is missing or invalid ({@code noCRLAttr}, {@code noLDAPAttr},
 *         {@code wrongLDAPServer}, {@code wrongStartDN})
 */
private void initAuthConfig() throws AuthLoginException {
if (options != null) {
debug.message("Certificate: getting attributes.");
// init auth level
String authLevel = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-auth-level");
if (authLevel != null) {
try {
int tmp = Integer.parseInt(authLevel);
setAuthLevel(tmp);
} catch (Exception e) {
// invalid auth level: logged and otherwise ignored, so the auth level is left as it was
debug.error("Invalid auth level " + authLevel, e);
}
}
// will need access control to ldap server; passwd and user name
// will also need to yank out the user profile based on cn or dn
// out of "profile server"
amAuthCert_securityType = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-security-type");
amAuthCert_principleUser = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-principal-user");
// LDAP bind credential. It is deliberately absent from the settings dump at the end of
// this method -- keep it out of any debug output.
amAuthCert_principlePasswd = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-principal-passwd");
amAuthCert_useSSL = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-use-ssl");
amAuthCert_userProfileMapper = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-user-profile-mapper");
amAuthCert_altUserProfileMapper = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-user-profile-mapper-other");
amAuthCert_subjectAltExtMapper = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-user-profile-mapper-ext");
// CRL checking. When enabled, a (comma-separated) list of certificate attribute names
// used to locate the CRL is mandatory. NPE if the attribute itself is absent -- see Javadoc.
amAuthCert_chkCRL = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-check-crl");
if (amAuthCert_chkCRL.equalsIgnoreCase("true")) {
amAuthCert_chkAttrCRL = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-attr-check-crl");
if (amAuthCert_chkAttrCRL == null || amAuthCert_chkAttrCRL.equals("")) {
throw new AuthLoginException(amAuthCert, "noCRLAttr", null);
} else {
amAuthCert_chkAttributesCRL = trimItems(amAuthCert_chkAttrCRL.split(","));
}
// CRL caching and CRL updating: both attributes default to "true"; only an explicit
// "false" turns the corresponding flag off here.
amAuthCert_cacheCRL = CollectionHelper.getMapAttr(options, "openam-am-auth-cert-attr-cache-crl", "true");
if (amAuthCert_cacheCRL.equalsIgnoreCase("false")) {
doCRLCaching = false;
}
amAuthCert_updateCRL = CollectionHelper.getMapAttr(options, "openam-am-auth-cert-update-crl", "true");
if (amAuthCert_updateCRL.equalsIgnoreCase("false")) {
doCRLUpdate = false;
}
crlEnabled = true;
}
amAuthCert_validateCA = CollectionHelper.getMapAttr(options, "sunAMValidateCACert");
amAuthCert_uriParamsCRL = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-param-get-crl");
// Certificate-in-LDAP matching: the LDAP attribute holding the registered certificate is
// mandatory when enabled. NPE if the attribute itself is absent -- see Javadoc.
amAuthCert_chkCertInLDAP = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-check-cert-in-ldap");
if (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true")) {
amAuthCert_chkAttrCertInLDAP = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-attr-check-ldap");
if (amAuthCert_chkAttrCertInLDAP == null || amAuthCert_chkAttrCertInLDAP.equals("")) {
throw new AuthLoginException(amAuthCert, "noLDAPAttr", null);
}
}
// OCSP is on only when the attribute is explicitly "true"; absent means off.
String ocspChk = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-check-ocsp");
ocspEnabled = (ocspChk != null && ocspChk.equalsIgnoreCase("true"));
//
// portal-style gateway cert auth enabled if
// explicitly specified in cert service template.
// "none", empty list, or null means disabled;
// "any" or non-empty list means enabled. also check
// non-empty list for remote client's addr.
//
// Accepting a certificate from a header/parameter means trusting whoever set it, so the
// default is off and a non-"any" value is treated as an allow-list of gateway clients.
String gwCertAuth = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-gw-cert-auth-enabled");
// Comma-separated header names a gateway may use to forward the certificate (see getPortalStyleCert).
certParamName = CollectionHelper.getMapAttr(options, "sunAMHttpParamName");
// The requesting client as seen by the login state -- presumably its address; matched
// against the gateway list below.
String client = getLoginState("process").getClient();
portal_gw_cert_auth_enabled = false;
if (gwCertAuth == null || gwCertAuth.equals("") || gwCertAuth.equalsIgnoreCase("none")) {
if (debug.messageEnabled()) {
debug.message("iplanet-am-auth-cert-gw-cert-auth-enabled = " + gwCertAuth);
}
} else if (gwCertAuth.equalsIgnoreCase("any")) {
portal_gw_cert_auth_enabled = true;
} else {
// Raw types: the same key read above as a single value is read here as the whole value
// set -- presumably options is a Map of attribute name to Set<String>; TODO confirm.
portalGateways = (Set) options.get("iplanet-am-auth-cert-gw-cert-auth-enabled");
if ((client != null) && (portalGateways.contains(client))) {
portal_gw_cert_auth_enabled = true;
} else {
if (debug.messageEnabled()) {
debug.message("gateway list does not contain client");
Iterator clientIter = portalGateways.iterator();
while (clientIter.hasNext()) {
String clientStr = (String) clientIter.next();
debug.message("client list entry = " + clientStr);
}
}
}
}
amAuthCert_emailAddrTag = bundle.getString("emailAddrTag");
// The directory is only required when a check actually needs it (cert-in-LDAP or CRL).
amAuthCert_serverHost = CollectionHelper.getServerMapAttr(options, "iplanet-am-auth-cert-ldap-provider-url");
if (amAuthCert_serverHost == null && (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true") || amAuthCert_chkCRL.equalsIgnoreCase("true"))) {
debug.error("Fatal error: LDAP Server and Port misconfigured");
throw new AuthLoginException(amAuthCert, "wrongLDAPServer", null);
}
if (amAuthCert_serverHost != null) {
// set LDAP Parameters
// The "ldap://" prefix is only there so LDAPUrl can split the configured host:port value;
// whether the real connection uses TLS is presumably governed by amAuthCert_useSSL elsewhere.
try {
LDAPUrl ldapUrl = LDAPUrl.valueOf("ldap://" + amAuthCert_serverHost);
amAuthCert_serverPort = ldapUrl.getPort();
amAuthCert_serverHost = ldapUrl.getHost();
} catch (Exception e) {
throw new AuthLoginException(amAuthCert, "wrongLDAPServer", null);
}
}
// Same rule for the search base: required (and must be a valid DN) only when LDAP is used.
amAuthCert_startSearchLoc = CollectionHelper.getServerMapAttr(options, "iplanet-am-auth-cert-start-search-loc");
if (amAuthCert_startSearchLoc == null && (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true") || amAuthCert_chkCRL.equalsIgnoreCase("true"))) {
debug.error("Fatal error: LDAP Start Search " + "DN is not configured");
throw new AuthLoginException(amAuthCert, "wrongStartDN", null);
}
if (amAuthCert_startSearchLoc != null) {
if (!LDAPUtils.isDN(amAuthCert_startSearchLoc)) {
throw new AuthLoginException(amAuthCert, "wrongStartDN", null);
}
}
// Settings dump for troubleshooting; the bind password is intentionally not included.
if (debug.messageEnabled()) {
debug.message("\nldapProviderUrl=" + amAuthCert_serverHost + "\n\tamAuthCert_serverPort = " + amAuthCert_serverPort + "\n\tstartSearchLoc=" + amAuthCert_startSearchLoc + "\n\tsecurityType=" + amAuthCert_securityType + "\n\tprincipleUser=" + amAuthCert_principleUser + "\n\tauthLevel=" + authLevel + "\n\tuseSSL=" + amAuthCert_useSSL + "\n\tocspEnable=" + ocspEnabled + "\n\tuserProfileMapper=" + amAuthCert_userProfileMapper + "\n\tsubjectAltExtMapper=" + amAuthCert_subjectAltExtMapper + "\n\taltUserProfileMapper=" + amAuthCert_altUserProfileMapper + "\n\tchkCRL=" + amAuthCert_chkCRL + "\n\tchkAttrCRL=" + amAuthCert_chkAttrCRL + "\n\tchkAttributesCRL=" + Arrays.toString(amAuthCert_chkAttributesCRL) + "\n\tcacheCRL=" + doCRLCaching + "\n\tupdateCRLs=" + doCRLUpdate + "\n\tchkCertInLDAP=" + amAuthCert_chkCertInLDAP + "\n\tchkAttrCertInLDAP=" + amAuthCert_chkAttrCertInLDAP + "\n\temailAddr=" + amAuthCert_emailAddrTag + "\n\tgw-cert-auth-enabled=" + portal_gw_cert_auth_enabled + "\n\tclient=" + client);
}
} else {
debug.error("options is null");
throw new AuthLoginException(amAuthCert, "CERTex", null);
}
}
use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.
the class Cert method getPortalStyleCert.
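/**
 * Extracts the client certificate that a portal-style gateway forwards to OpenAM on
 * behalf of the user, for deployments where the certificate is not available from the
 * TLS layer.
 *
 * <p>Two transports are supported. If {@code certParamName} is configured it is a
 * comma-separated list of HTTP header names; the first header that is present and
 * non-empty is used, with any PEM armor stripped. Otherwise the Base64 certificate is
 * read from the {@code IDToken0} or, failing that, {@code Login.Token0} request parameter.
 *
 * <p>This method does not decide whether the forwarded value may be trusted: a header or
 * parameter can be set by anyone able to reach OpenAM directly, so callers must only
 * invoke it when gateway certificate auth is enabled for the requesting client
 * ({@code portal_gw_cert_auth_enabled}, decided in {@code initAuthConfig}).
 *
 * @param request the current HTTP request
 * @return the parsed X.509 certificate, never null
 * @throws AuthLoginException if no certificate is supplied ({@code noCert}), or it cannot
 *         be Base64-decoded or parsed as X.509 ({@code CERTex})
 */
private X509Certificate getPortalStyleCert(HttpServletRequest request) throws AuthLoginException {
    String certParam = null;
    if (certParamName != null && !certParamName.isEmpty()) {
        debug.message("getPortalStyleCert: checking cert in HTTP header");
        StringTokenizer tok = new StringTokenizer(certParamName, ",");
        while (tok.hasMoreTokens()) {
            String headerValue = request.getHeader(tok.nextToken());
            if (headerValue == null || headerValue.trim().isEmpty()) {
                continue;
            }
            // First present header wins. Previously every configured name was tried in
            // turn, so a later, absent header overwrote a certificate already found.
            certParam = stripPemArmor(headerValue.trim());
            break;
        }
    } else {
        debug.message("getPortalStyleCert: checking cert in userCert param");
        Hashtable requestHash = getLoginState("getPortalStyleCert()").getRequestParamHash();
        if (requestHash != null) {
            certParam = (String) requestHash.get("IDToken0");
            if (certParam == null) {
                certParam = (String) requestHash.get("Login.Token0");
            }
        }
    }
    if (debug.messageEnabled()) {
        debug.message("in Certificate. validate certParam: " + certParam);
    }
    if (certParam == null || certParam.isEmpty()) {
        debug.message("Certificate: no cert from HttpServletRequest");
        throw new AuthLoginException(amAuthCert, "noCert", null);
    }
    // Project Base64 helper; the null check below relies on it signalling bad input with null.
    byte[] decoded = Base64.decode(certParam);
    if (decoded == null) {
        debug.error("CertificateFromParameter(decode): failed, possibly invalid Base64 input");
        throw new AuthLoginException(amAuthCert, "CERTex", null);
    }
    debug.message("Certificate: CertificateFactory.getInstance.");
    X509Certificate userCert;
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        userCert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(decoded));
    } catch (Exception e) {
        debug.error("CertificateFromParameter(X509Cert): exception ", e);
        throw new AuthLoginException(amAuthCert, "CERTex", null);
    }
    if (userCert == null) {
        throw new AuthLoginException(amAuthCert, "CERTex", null);
    }
    if (debug.messageEnabled()) {
        debug.message("X509Certificate: principal is: " + userCert.getSubjectDN().getName() + "\nissuer DN:" + userCert.getIssuerDN().getName() + "\nserial number:" + String.valueOf(userCert.getSerialNumber()) + "\nsubject dn:" + userCert.getSubjectDN().getName());
    }
    return userCert;
}

/**
 * Returns the Base64 body of a PEM-encoded certificate, i.e. the text between the
 * {@code -----BEGIN CERTIFICATE-----} and {@code -----END CERTIFICATE-----} markers.
 *
 * <p>Input without an END marker is returned unchanged. Input with an END marker but no
 * BEGIN marker is taken from the start of the string; the previous code assumed the
 * BEGIN marker was present and sliced a fixed number of characters off, which garbled
 * such input or threw {@code StringIndexOutOfBoundsException}.
 *
 * @param pem the trimmed header value
 * @return the Base64 body, trimmed
 */
private static String stripPemArmor(String pem) {
    final String beginMarker = "-----BEGIN CERTIFICATE-----";
    final String endMarker = "-----END CERTIFICATE-----";
    int end = pem.indexOf(endMarker);
    if (end == -1) {
        return pem;
    }
    int begin = pem.indexOf(beginMarker);
    int start = (begin != -1 && begin < end) ? begin + beginMarker.length() : 0;
    return pem.substring(start, end).trim();
}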
use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.
the class Cert method process.
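/**
 * Process Certificate based auth request.
 *
 * <p>The client certificate is taken, in order of preference, from the container's TLS
 * layer ({@code javax.servlet.request.X509Certificate}), from a portal-style gateway that
 * forwards it in an HTTP header or request parameter (only when gateway cert auth is
 * enabled for this client, see {@code getPortalStyleCert}), or from a callback when no
 * servlet request is available. The certificate is then mapped to a user token,
 * optionally matched against the copy registered in LDAP, and checked for revocation
 * via CRL and/or OCSP.
 *
 * <p>Note: LDAP matching and revocation checking are skipped entirely when
 * check-cert-in-LDAP, check-CRL and OCSP are all disabled; in that configuration any
 * certificate the container (or the trusted gateway) accepted is trusted as-is.
 *
 * @param callbacks for auth
 * @param state with auth framework
 * @return proper jaas state for auth framework
 * @throws AuthLoginException if auth fails; failures while obtaining or mapping the
 *         certificate are reported as {@code noCert} with the original exception as cause
 */
public int process(Callback[] callbacks, int state) throws AuthLoginException {
    initAuthConfig();
    X509Certificate[] allCerts = null;
    try {
        HttpServletRequest servletRequest = getHttpServletRequest();
        if (servletRequest != null) {
            allCerts = (X509Certificate[]) servletRequest.getAttribute("javax.servlet.request.X509Certificate");
            if (allCerts == null || allCerts.length == 0) {
                debug.message("Certificate: checking for cert passed in the URL.");
                // A certificate carried in a header/parameter is only as trustworthy as the
                // gateway that set it; refuse it unless gateway cert auth was enabled for
                // this client in initAuthConfig.
                if (!portal_gw_cert_auth_enabled) {
                    debug.error("Certificate: cert passed " + "in URL not enabled for this client");
                    throw new AuthLoginException(amAuthCert, "noURLCertAuth", null);
                }
                thecert = getPortalStyleCert(servletRequest);
                allCerts = new X509Certificate[] { thecert };
            } else {
                if (debug.messageEnabled()) {
                    debug.message("Certificate: got all certs from " + "HttpServletRequest =" + allCerts.length);
                }
                // The container puts the client's own certificate first in the chain.
                thecert = allCerts[0];
            }
        } else {
            thecert = sendCallback();
        }
        if (thecert == null) {
            debug.message("Certificate: no cert passed in.");
            throw new AuthLoginException(amAuthCert, "noCert", null);
        }
        // moved this call from the bottom to here so that url redirection
        // can work.
        getTokenFromCert(thecert);
        storeUsernamePasswd(userTokenId, null);
        if (debug.messageEnabled()) {
            debug.message("in Certificate. userTokenId=" + userTokenId + " from getTokenFromCert");
        }
    } catch (AuthLoginException e) {
        setFailureID(userTokenId);
        debug.error("Certificate: exiting validate with exception", e);
        // The framework sees a generic "noCert"; keep the original exception as the cause
        // so the specific reason (noURLCertAuth, CERTex, ...) survives in the stack trace.
        throw new AuthLoginException(amAuthCert, "noCert", null, e);
    }
    /* debug statements added for cgi. */
    if (debug.messageEnabled()) {
        debug.message("Got client cert =\n" + thecert.toString());
    }
    // Nothing else is verified in this configuration (see the Javadoc).
    if (amAuthCert_chkCertInLDAP.equalsIgnoreCase("false") && amAuthCert_chkCRL.equalsIgnoreCase("false") && !ocspEnabled) {
        return ISAuthConstants.LOGIN_SUCCEED;
    }
    /*
     * Based on the certificates presented, find the registered
     * (representation) of the certificate. If no certificates
     * match in the LDAP certificate directory return a failure
     * status.
     */
    if (ldapParam == null) {
        setLdapStoreParam();
    }
    if (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true")) {
        X509Certificate ldapcert = AMCertStore.getRegisteredCertificate(ldapParam, thecert, amAuthCert_chkAttrCertInLDAP);
        if (ldapcert == null) {
            debug.error("X509Certificate: getRegCertificate is null");
            setFailureID(userTokenId);
            throw new AuthLoginException(amAuthCert, "CertNoReg", null);
        }
    }
    // The JSS path is handed only the end-entity certificate; the JCE path gets the whole
    // chain as supplied by the container (or the single gateway-supplied certificate).
    int ret = usingJSSHandler ? doJSSRevocationValidation(thecert) : doJCERevocationValidation(allCerts);
    if (ret != ISAuthConstants.LOGIN_SUCCEED) {
        debug.error("X509Certificate:CRL / OCSP verify failed.");
        setFailureID(userTokenId);
        throw new AuthLoginException(amAuthCert, "CertVerifyFailed", null);
    }
    return ISAuthConstants.LOGIN_SUCCEED;
}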
use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.
the class DevicePrintAuthenticationServiceTest method shouldThrowExceptionIfConfirmationCallbackSubmittedWithUnknownOption.
@Test
public void shouldThrowExceptionIfConfirmationCallbackSubmittedWithUnknownOption() throws AuthLoginException {
    // Given: an OTP password callback plus a confirmation callback whose selected index (2)
    // is, going by the test name, not one of the options the service knows.
    PasswordCallback smsOTPCallback = mock(PasswordCallback.class);
    ConfirmationCallback confirmationCallback = mock(ConfirmationCallback.class);
    given(confirmationCallback.getSelectedIndex()).willReturn(2);
    Callback[] callbacks = {smsOTPCallback, confirmationCallback};
    int state = 2;

    // When: processing must not return normally
    boolean exceptionCaught = false;
    try {
        devicePrintAuthenticationService.process(callbacks, state);
        fail();
    } catch (AuthLoginException e) {
        exceptionCaught = true;
    }

    // Then
    assertTrue(exceptionCaught);
}