
Example 21 with AuthLoginException

use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.

the class Cert method setLdapStoreParam.

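private void setLdapStoreParam() throws AuthLoginException {
    /*
     * Build the LDAP certificate-store parameters (ldapParam) that are later
     * used to look up user certificates and CRLs. Every connection detail
     * comes from the module's configured amAuthCert_* attributes; LDAPS is
     * enabled when amAuthCert_useSSL is the string "true" (case-insensitive).
     *
     * Any failure here (unusable host/port, a null attribute, an error while
     * setting up the store) is turned into an AuthLoginException so the login
     * fails closed. The root cause is attached to the exception instead of
     * being dropped, so the failure can be diagnosed from the caller's logs.
     */
    try {
        ldapParam = AMCertStore.setLdapStoreParam(amAuthCert_serverHost, amAuthCert_serverPort,
                amAuthCert_principleUser, amAuthCert_principlePasswd, amAuthCert_startSearchLoc,
                amAuthCert_uriParamsCRL, amAuthCert_useSSL.equalsIgnoreCase("true"));
        ldapParam.setDoCRLCaching(doCRLCaching);
        ldapParam.setDoCRLUpdate(doCRLUpdate);
    } catch (Exception e) {
        // Log under the method that actually failed; the previous tag
        // ("validate.SSLSocketFactory") pointed operators at the wrong place.
        debug.error("Cert.setLdapStoreParam: failed to configure the LDAP certificate store", e);
        setFailureID(userTokenId);
        throw new AuthLoginException(amAuthCert, "sslSokFactoryFail", null, e);
    }
}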

Example 22 with AuthLoginException

use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.

the class Cert method getTokenFromSubjectAltExt.

private void getTokenFromSubjectAltExt(X509Certificate cert) throws AuthLoginException {
    /*
     * Populate userTokenId from the certificate's SubjectAlternativeName
     * extension. The module attribute amAuthCert_subjectAltExtMapper selects
     * which SAN entry is used:
     *   "UPN"        - an otherName whose type OID equals UPNOID; its value is
     *                  decoded as a DER UTF8String.
     *   "RFC822Name" - an rfc822Name (e-mail) entry, taken verbatim.
     * The scan stops at the first match and does not run at all if
     * userTokenId is already set. A certificate with no SAN extension is not
     * an error here; any decoding failure (including a missing extensions
     * block, which surfaces as a NullPointerException) becomes an
     * AuthLoginException "CertNoReg".
     *
     * NOTE(review): the value extracted here becomes the user identifier, so it
     * is only as trustworthy as the chain and revocation validation performed
     * elsewhere in this module — confirm this runs after that validation.
     */
    try {
        X509CertImpl impl = new X509CertImpl(cert.getEncoded());
        X509CertInfo info = new X509CertInfo(impl.getTBSCertificate());
        CertificateExtensions extensions = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS);
        SubjectAlternativeNameExtension sanExt =
                (SubjectAlternativeNameExtension) extensions.get(SubjectAlternativeNameExtension.NAME);
        if (sanExt == null) {
            return;
        }
        GeneralNames sanNames = (GeneralNames) sanExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
        ObjectIdentifier upnOid = new ObjectIdentifier(UPNOID);
        for (Iterator it = sanNames.iterator(); userTokenId == null && it.hasNext(); ) {
            GeneralName entry = (GeneralName) it.next();
            if (entry == null) {
                continue;
            }
            if (amAuthCert_subjectAltExtMapper.equalsIgnoreCase("UPN")
                    && entry.getType() == GeneralNameInterface.NAME_ANY) {
                // otherName entry: only the UPN type OID is accepted, any other
                // otherName type is ignored rather than mapped to a user.
                OtherName other = (OtherName) entry.getName();
                if (upnOid.equals((Object) other.getOID())) {
                    DerValue encoded = new DerValue(other.getNameValue());
                    userTokenId = encoded.getData().getUTF8String();
                }
            } else if (amAuthCert_subjectAltExtMapper.equalsIgnoreCase("RFC822Name")
                    && entry.getType() == GeneralNameInterface.NAME_RFC822) {
                userTokenId = ((RFC822Name) entry.getName()).getName();
            }
        }
    } catch (Exception e) {
        debug.error("Certificate - " + "Error in getTokenFromSubjectAltExt = ", e);
        throw new AuthLoginException(amAuthCert, "CertNoReg", null);
    }
}

Example 23 with AuthLoginException

use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.

the class Cert method doJCERevocationValidation.

private int doJCERevocationValidation(X509Certificate[] allCerts) throws AuthLoginException {
    /*
     * Revocation check of the presented chain through the JCE CertPath API.
     *
     * A CRL is fetched for each certificate from the LDAP store described by
     * ldapParam; certificates for which no CRL is returned are skipped. The
     * collected CRLs are handed to AMCertPath and verify() is run with the
     * module's CRL and OCSP switches.
     *
     * Returns LOGIN_SUCCEED only when verify() reports success. A failed
     * verify, or any exception while fetching CRLs or verifying, yields
     * LOGIN_IGNORE with the details in the debug log — the method never throws
     * and never returns success on error. Whether a missing CRL makes verify()
     * fail when crlEnabled is set is decided inside AMCertPath, not here.
     */
    Vector<X509CRL> collectedCrls = new Vector<X509CRL>();
    try {
        for (X509Certificate chainCert : allCerts) {
            X509CRL crl = AMCRLStore.getCRL(ldapParam, chainCert, amAuthCert_chkAttributesCRL);
            if (crl == null) {
                continue;
            }
            collectedCrls.add(crl);
        }
        if (debug.messageEnabled()) {
            debug.message("Cert.doRevocationValidation: crls size = " + collectedCrls.size());
            if (!collectedCrls.isEmpty()) {
                debug.message("CRL = " + collectedCrls.toString());
            }
        }
        boolean verified = new AMCertPath(collectedCrls).verify(allCerts, crlEnabled, ocspEnabled);
        if (!verified) {
            debug.error("CertPath:verify failed.");
            return ISAuthConstants.LOGIN_IGNORE;
        }
        if (debug.messageEnabled()) {
            debug.message("CertPath:verify success.");
        }
        return ISAuthConstants.LOGIN_SUCCEED;
    } catch (Exception e) {
        debug.error("Cert.doRevocationValidation: verify failed.", e);
        return ISAuthConstants.LOGIN_IGNORE;
    }
}

Example 24 with AuthLoginException

use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.

the class ServerConfigMgr method authenticateDsameUser.

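private static boolean authenticateDsameUser(SSOToken ssoToken, String oldPassword, String newPassword) {
    /*
     * Verify the dsameuser credentials against the identity repository of
     * realm "/". The old password is tried first; if it is rejected, the new
     * password is tried, so a password change that has already been applied
     * (or is being retried) still authenticates. Returns true when either
     * attempt succeeds and false when both are rejected or the repository
     * raises AuthLoginException/IdRepoException — those exceptions are
     * deliberately swallowed and not reported to the caller.
     *
     * The name/password callbacks are what AMIdentityRepository.authenticate
     * consumes; the prompt strings are irrelevant to it. The callback keeps its
     * own copy of the password, which is wiped in finally so it does not
     * outlive the call. The String arguments themselves cannot be scrubbed.
     */
    NameCallback nameCallback = new NameCallback("dummy");
    nameCallback.setName("dsameuser");
    PasswordCallback passwordCallback = new PasswordCallback("dummy", false);
    passwordCallback.setPassword(oldPassword.toCharArray());
    Callback[] idCallbacks = new Callback[] { nameCallback, passwordCallback };
    try {
        AMIdentityRepository amir = new AMIdentityRepository("/", ssoToken);
        if (amir.authenticate(idCallbacks)) {
            return true;
        }
        // Old password rejected: accept the new one if it is already in effect.
        passwordCallback.setPassword(newPassword.toCharArray());
        return amir.authenticate(idCallbacks);
    } catch (AuthLoginException ex) {
        return false;
    } catch (IdRepoException ex) {
        return false;
    } finally {
        passwordCallback.clearPassword();
    }
}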

Example 25 with AuthLoginException

use of com.sun.identity.authentication.spi.AuthLoginException in project OpenAM by OpenRock.

the class AuthenticatorOATH method checkOTP.

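/**
 * Checks the input OTP.
 *
 * <p>Validation order: the stored settings and shared secret are checked
 * (non-null, at least {@code minSecretKeyLength} hex characters, valid hex),
 * the configured digit count must be at least 6 (RFC 4226 section 5.3), and
 * then the OTP is compared against the codes generated for the configured
 * algorithm:
 * <ul>
 *   <li>HOTP (RFC 4226): the stored counter and the next {@code windowSize}
 *       values are tried; on a match the counter is advanced past the matching
 *       value so that code (and any skipped earlier ones) cannot be used
 *       again.</li>
 *   <li>TOTP (RFC 6238): the current time step (adjusted by the device's
 *       stored clock drift) is tried first, then up to {@code totpStepsInWindow}
 *       steps after and before it. A code for the step of the last accepted
 *       login is always rejected; while the last login lies inside the current
 *       window, a code for any step at or before it is rejected as a replay.
 *       On success the matching step is stored as the last login.</li>
 * </ul>
 * All OTP comparisons go through {@code isEqual}, which is presumably a
 * constant-time compare — TODO confirm.
 *
 * @param otp The OTP to verify.
 * @param id The user for whom to verify the OTP.
 * @param settings With which the OTP was configured.
 * @return true if the OTP is valid; false if the OTP is invalid, or out of
 *         sync with server.
 * @throws AuthLoginException on any error, including a malformed stored secret
 *         or an invalid module configuration. Every such failure carries the
 *         generic "authFailed" code, so the caller cannot tell a configuration
 *         problem from a wrong OTP; the distinction is only in the debug log.
 */
private boolean checkOTP(String otp, AMIdentity id, OathDeviceSettings settings) throws AuthLoginException {
    //check settings aren't null
    if (settings == null) {
        debug.error("OATH.checkOTP() : Invalid stored settings.");
        throw new AuthLoginException(amAuthOATH, "authFailed", null);
    }
    String secretKey = parseSecretKey(settings.getSharedSecret());
    if (minSecretKeyLength <= 0) {
        debug.error("OATH.checkOTP() : Min Secret Key Length is not a valid value");
        throw new AuthLoginException(amAuthOATH, "authFailed", null);
    }
    //check size of key
    if (secretKey == null || secretKey.isEmpty()) {
        debug.error("OATH.checkOTP() : Secret key is not a valid value");
        throw new AuthLoginException(amAuthOATH, "authFailed", null);
    }
    //make sure secretkey is not smaller than minSecretKeyLength (both counted in hex characters)
    if (secretKey.length() < minSecretKeyLength) {
        if (debug.errorEnabled()) {
            debug.error("OATH.checkOTP() : Secret key of length " + secretKey.length() + " is less than the minimum secret key length");
        }
        throw new AuthLoginException(amAuthOATH, "authFailed", null);
    }
    //check password length MUST be 6 or higher according to RFC
    if (passLen < 6) {
        debug.error("OATH.checkOTP() : Password length is smaller than 6");
        throw new AuthLoginException(amAuthOATH, "authFailed", null);
    }
    //convert secretkey hex string to bytes. parseHexBinary throws an unchecked
    //IllegalArgumentException on an odd length or a non-hex character; map it to
    //AuthLoginException so a corrupt stored secret is a login failure, not an
    //uncaught runtime exception escaping the module.
    byte[] secretKeyBytes;
    try {
        secretKeyBytes = DatatypeConverter.parseHexBinary(secretKey);
    } catch (IllegalArgumentException e) {
        debug.error("OATH.checkOTP() : Secret key is not valid hex", e);
        throw new AuthLoginException(amAuthOATH, "authFailed", null);
    }
    String otpGen;
    try {
        if (algorithm == HOTP) {
            /*
             * HOTP check section
             */
            int counter = settings.getCounter();
            //test the counter in the lookahead window
            for (int i = 0; i <= windowSize; i++) {
                otpGen = HOTPAlgorithm.generateOTP(secretKeyBytes, counter + i, passLen, checksum, truncationOffset);
                if (isEqual(otpGen, otp)) {
                    //OTP is correct: move the counter past the matching value so this
                    //code, and any skipped earlier ones, can never be accepted again
                    setCounterAttr(id, counter + i + 1, settings);
                    return true;
                }
            }
        } else if (algorithm == TOTP) {
            /*
             * TOTP check section
             */
            //must be greater than 0 or we get divide by 0, and cant be negative.
            //Checked before any division so a bad value is reported as a
            //configuration error rather than as an ArithmeticException.
            if (totpTimeStep <= 0) {
                debug.error("OATH.checkOTP() : invalid TOTP time step interval : ");
                throw new AuthLoginException(amAuthOATH, "authFailed", null);
            }
            if (totpStepsInWindow < 0) {
                debug.error("OATH.checkOTP() : invalid TOTP steps in window value : ");
                throw new AuthLoginException(amAuthOATH, "authFailed", null);
            }
            //get Last login time, expressed as a time step
            long lastLoginTimeStep = settings.getLastLogin() / totpTimeStep;
            //Check TOTP values for validity
            if (lastLoginTimeStep < 0) {
                debug.error("OATH.checkOTP() : invalid login time value : ");
                throw new AuthLoginException(amAuthOATH, "authFailed", null);
            }
            //get Time Step (time and the stored drift are presumably both in
            //seconds, the same unit as totpTimeStep — TODO confirm)
            long localTime = (time / totpTimeStep) + (settings.getClockDriftSeconds() / totpTimeStep);
            if (lastLoginTimeStep == localTime) {
                debug.error("OATH.checkOTP(): Login failed attempting to use the same OTP in same Time Step: " + localTime);
                throw new InvalidPasswordException(amAuthOATH, "authFailed", null, userName, null);
            }
            boolean sameWindow = false;
            if (lastLoginTimeStep >= (localTime - totpStepsInWindow) && lastLoginTimeStep <= (localTime + totpStepsInWindow)) {
                if (debug.messageEnabled()) {
                    debug.message("OATH.checkOTP() : Logging in in the same TOTP window");
                }
                sameWindow = true;
            }
            String passLenStr = Integer.toString(passLen);
            otpGen = TOTPAlgorithm.generateTOTP(secretKey, Long.toHexString(localTime), passLenStr);
            if (isEqual(otpGen, otp)) {
                setLoginTime(id, localTime, settings);
                return true;
            }
            for (int i = 1; i <= totpStepsInWindow; i++) {
                long time1 = localTime + i;
                long time2 = localTime - i;
                //check time step after current time
                otpGen = TOTPAlgorithm.generateTOTP(secretKey, Long.toHexString(time1), passLenStr);
                if (isEqual(otpGen, otp)) {
                    //A code for a step at or before the last accepted step is a replay
                    //while the last login is inside this window: e.g. the previous
                    //login was accepted at localTime + 1 (client clock ahead) and the
                    //same code is presented again while the server is still at
                    //localTime. Mirrors the check applied to past steps below.
                    if (sameWindow && time1 <= lastLoginTimeStep) {
                        debug.error("OATH.checkOTP() : Logging in in the same window with a OTP that is not newer than the last accepted OTP");
                        return false;
                    }
                    setLoginTime(id, time1, settings);
                    return true;
                }
                //check time step before current time
                otpGen = TOTPAlgorithm.generateTOTP(secretKey, Long.toHexString(time2), passLenStr);
                if (isEqual(otpGen, otp)) {
                    if (sameWindow) {
                        //an older code while the last login is inside the window is a replay
                        debug.error("OATH.checkOTP() : Logging in in the same window with a OTP that is older " + "than the current times OTP");
                        return false;
                    }
                    setLoginTime(id, time2, settings);
                    return true;
                }
            }
        } else {
            debug.error("OATH.checkOTP() : No OTP algorithm selected");
            throw new AuthLoginException(amAuthOATH, "authFailed", null);
        }
    } catch (AuthLoginException e) {
        // Re-throw to avoid the catch-all block below that would log and lose the error message.
        throw e;
    } catch (Exception e) {
        debug.error("OATH.checkOTP() : checkOTP process failed : ", e);
        throw new AuthLoginException(amAuthOATH, "authFailed", null);
    }
    return false;
}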
