Use of eu.bcvsolutions.idm.core.security.api.exception.IdentityDisabledException in project CzechIdMng by bcvsolutions.
The class DefaultLoginService, method getValidIdentity.
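/**
 * Loads the identity for the given login request and verifies that it may log in.
 * <p>
 * Checks run in this order and the first failing one ends the method: the identity exists,
 * the identity is enabled, a password is stored in IdM, the stored password has not expired,
 * and the supplied password matches the stored one.
 * <p>
 * Every failure produces a different exception type and message (not found / disabled /
 * no password / expired / wrong password). Anything that surfaces these outcomes to a client
 * should collapse them into one generic authentication failure so the failing check is not
 * revealed. Note that the expiry check ({@code validTill}) runs before the supplied password is
 * verified, so as written the "expired" outcome does not require a matching password.
 *
 * @param loginDto login request (username and password)
 * @param propagateException {@code true} - throw on failure (authenticate);
 *        {@code false} - log the reason at debug level and return {@code null} (validate)
 * @return the valid identity, or {@code null} when a check fails and exceptions are not propagated
 * @throws IdentityNotFoundException identity does not exist or is deleted
 * @throws IdentityDisabledException identity is disabled
 * @throws IdmAuthenticationException no password is stored for the identity, or the password check failed
 * @throws ResultCodeException with {@link CoreResultCode#PASSWORD_EXPIRED} when the stored password is expired
 */
private IdmIdentityDto getValidIdentity(LoginDto loginDto, boolean propagateException) {
    String username = loginDto.getUsername();
    LOG.info("Identity with username [{}] authenticating", username);
    IdmIdentityDto identity = identityService.getByUsername(username);
    // identity exists
    if (identity == null) {
        return rejectLoginAttempt(
                MessageFormat.format("Check identity can login: The identity " + "[{0}] either doesn't exist or is deleted.", username),
                propagateException,
                IdentityNotFoundException::new);
    }
    // identity is valid
    if (identity.isDisabled()) {
        return rejectLoginAttempt(
                MessageFormat.format("Check identity can login: The identity [{0}] is disabled.", username),
                propagateException,
                IdentityDisabledException::new);
    }
    // GuardedString isn't necessary password is in hash.
    IdmPasswordDto password = passwordService.findOneByIdentity(identity.getId());
    if (password == null) {
        // message spelling fixed ("pasword" -> "password")
        return rejectLoginAttempt(
                MessageFormat.format("Identity [{0}] does not have password stored in IdM.", username),
                propagateException,
                IdmAuthenticationException::new);
    }
    // check if password expired
    if (password.getValidTill() != null && password.getValidTill().isBefore(LocalDate.now())) {
        return rejectLoginAttempt(
                MessageFormat.format("Password for identity [{0}] is expired.", username),
                propagateException,
                // the result code carries the reason; the message is only used for the debug log
                validationMessage -> new ResultCodeException(CoreResultCode.PASSWORD_EXPIRED));
    }
    // given password is correct
    if (!passwordService.checkPassword(loginDto.getPassword(), password)) {
        return rejectLoginAttempt(
                MessageFormat.format("Identity [{0}] password check failed.", username),
                propagateException,
                IdmAuthenticationException::new);
    }
    //
    return identity;
}

/**
 * Common outcome of a failed login check: either throw, or log at debug level and return {@code null}.
 *
 * @param validationMessage reason of the failure; exception message or debug log entry
 * @param propagateException {@code true} - throw the exception built by {@code exceptionFactory};
 *        {@code false} - log the message and return {@code null}
 * @param exceptionFactory builds the (unchecked) exception to throw from the message
 * @return always {@code null}; only reached when exceptions are not propagated
 */
private IdmIdentityDto rejectLoginAttempt(
        String validationMessage,
        boolean propagateException,
        java.util.function.Function<String, ? extends RuntimeException> exceptionFactory) {
    if (!propagateException) {
        LOG.debug(validationMessage);
        return null;
    }
    throw exceptionFactory.apply(validationMessage);
}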
Use of eu.bcvsolutions.idm.core.security.api.exception.IdentityDisabledException in project CzechIdMng by bcvsolutions.
The class LoginController, method casLoginResponse.
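/**
 * Redirect to FE, after CAS authentication.
 * <p>
 * The redirect URL carries either the authentication token (successful login or pending
 * two-factor step) or a lowercase {@code status-code} query parameter describing the failure.
 * The "identity not found" and "identity disabled" outcomes are deliberately both reported
 * as {@link CoreResultCode#AUTH_FAILED}, the same as for standard login, so the FE cannot
 * distinguish them. Case conversion uses {@code Locale.ROOT}: the status codes and the token
 * parameter name are protocol identifiers and must not depend on the JVM default locale
 * (a Turkish default locale would otherwise turn {@code I} into a dotless {@code ı}).
 * <p>
 * NOTE(review): the token travels in the redirect URL's query string (browser history, proxy
 * and access logs, Referer headers); this is the existing FE contract, so the FE side should
 * consume the value and remove it from the address bar promptly.
 *
 * @return redirect to FE
 * @since 12.0.0
 */
@RequestMapping(path = CAS_LOGIN_RESPONSE_PATH, method = RequestMethod.GET)
public ResponseEntity<Void> casLoginResponse() {
    // process ticket + add token into url parameter
    IdmTokenDto currentToken = tokenManager.getCurrentToken();
    StringBuilder url = new StringBuilder(configurationService.getFrontendUrl(CAS_LOGIN_RESPONSE_PATH));
    if (currentToken != null) {
        // set token into url - ok
        IdmJwtAuthentication authentication = jwtTokenMapper.fromDto(currentToken);
        appendCasTokenParameter(url, jwtTokenMapper.writeToken(authentication));
    } else if (ctx != null) {
        // not - ok => resolve exception
        ResultCodeException resultCodeException = ctx.getCodeEx();
        if (resultCodeException == null) {
            // resolve concrete exception
            if (ctx.getAuthEx() instanceof IdentityNotFoundException
                    || ctx.getAuthEx() instanceof IdentityDisabledException) {
                // same as from standard login - both outcomes collapse to one code
                appendCasStatusCodeParameter(url, CoreResultCode.AUTH_FAILED.getCode());
            } else if (ctx.getAuthEx() instanceof CasTicketValidationException) {
                appendCasStatusCodeParameter(url, CoreResultCode.CAS_TICKET_VALIDATION_FAILED.getCode());
            } else {
                // common error - login failed
                appendCasStatusCodeParameter(url, CoreResultCode.LOG_IN_FAILED.getCode());
            }
        } else if (resultCodeException instanceof TwoFactorAuthenticationRequiredException) {
            // handle two factor login - the (not yet verified) token is needed by the FE
            appendCasTokenParameter(url, ((TwoFactorAuthenticationRequiredException) resultCodeException).getToken());
        } else {
            // concrete status code from result code exception
            appendCasStatusCodeParameter(url, resultCodeException.getError().getError().getStatusEnum());
        }
    }
    //
    return ResponseEntity.status(HttpStatus.FOUND).header(HttpHeaders.LOCATION, url.toString()).build();
}

/**
 * Appends {@code ?<token parameter name>=<token>} to the redirect URL.
 *
 * @param url redirect URL under construction (no query string yet)
 * @param token token value; appended as-is
 */
private static void appendCasTokenParameter(StringBuilder url, String token) {
    url.append('?');
    url.append(JwtAuthenticationMapper.AUTHENTICATION_TOKEN_NAME.toLowerCase(java.util.Locale.ROOT));
    url.append('=');
    url.append(token);
}

/**
 * Appends {@code ?status-code=<code>} to the redirect URL, with the code in lowercase.
 *
 * @param url redirect URL under construction (no query string yet)
 * @param statusCode result / status code; lowercased with {@code Locale.ROOT}
 */
private static void appendCasStatusCodeParameter(StringBuilder url, String statusCode) {
    url.append("?status-code=");
    url.append(statusCode.toLowerCase(java.util.Locale.ROOT));
}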
Use of eu.bcvsolutions.idm.core.security.api.exception.IdentityDisabledException in project CzechIdMng by bcvsolutions.
The class CasAuthenticationFilter, method authorize.
/**
 * Authorizes the request with a CAS service ticket: validates the ticket against the configured
 * CAS server, resolves the asserted principal to an enabled IdM identity and logs it in.
 * <p>
 * Returns {@code false} (and does not fail the request) when CAS is not configured, the ticket is
 * blank, the validation returned no assertion, or an authentication exception was raised; the
 * authentication exception is stored in the CAS context so that the login response can report a
 * status code. A {@link TwoFactorAuthenticationRequiredException} is stored in the context as well,
 * but re-thrown, because the additional factor has to be collected by the client.
 * <p>
 * NOTE(review): the raw ticket value is written to the debug log and into the
 * {@link CasTicketValidationException} message, which the catch block logs at warn level;
 * consider redacting it if log access is broader than the CAS deployment assumes.
 *
 * @param token CAS service ticket taken from the request
 * @param request current request; used to build the service URL the ticket was issued for
 * @param response current response (unused here)
 * @return {@code true} when the identity was logged in, {@code false} otherwise
 * @throws TwoFactorAuthenticationRequiredException when a second factor is required to finish the login
 */
@Override
public boolean authorize(String token, HttpServletRequest request, HttpServletResponse response) {
    String casServerUrl = casConfiguration.getUrl();
    String serviceUrl = casConfiguration.getService(request, true);
    //
    if (StringUtils.isBlank(casServerUrl)) {
        LOG.info("URL for CAS is not set in configuration [{}], CAS authentication will be skipped.", CasConfiguration.PROPERTY_URL);
        return false;
    }
    //
    try {
        if (StringUtils.isBlank(token)) {
            LOG.info("No token from CAS");
            return false;
        }
        Assertion casAssertion = validationService.validate(token, serviceUrl, casServerUrl);
        if (casAssertion == null) {
            LOG.info("No principal name.");
            return false;
        }
        if (!casAssertion.isValid()) {
            LOG.debug("CAS Ticket [{}] validation failed.", token);
            //
            throw new CasTicketValidationException(MessageFormat.format("CAS Ticket [{0}] validation failed.", token));
        }
        //
        String principalName = casAssertion.getPrincipal().getName();
        LOG.debug("Username found [{}]", principalName);
        //
        IdmIdentityDto identity = resolveEnabledIdentity(principalName);
        LoginDto loginResult = jwtAuthenticationService.createJwtAuthenticationAndAuthenticate(createLoginDto(principalName), identity, CoreModuleDescriptor.MODULE_ID);
        //
        LOG.debug("User [{}] successfully logged in.", loginResult.getUsername());
        return true;
    } catch (TwoFactorAuthenticationRequiredException ex) {
        // must change password exception is never thrown
        ctx.setCodeEx(ex);
        // publish additional authentication requirement
        throw ex;
    } catch (IdmAuthenticationException ex) {
        // remembered for the login response, which maps it to a status code
        ctx.setAuthEx(ex);
        LOG.warn("Authentication exception raised during CAS authentication: [{}].", ex.getMessage(), ex);
    } catch (Exception ex) {
        LOG.error("Exception was raised during CAS authentication: [{}].", ex.getMessage(), ex);
    }
    //
    return false;
}

/**
 * Resolves the CAS principal name to an IdM identity that is allowed to log in.
 *
 * @param principalName username asserted by CAS
 * @return existing, enabled identity
 * @throws IdentityNotFoundException identity does not exist or is deleted
 * @throws IdentityDisabledException identity is disabled
 */
private IdmIdentityDto resolveEnabledIdentity(String principalName) {
    IdmIdentityDto identity = identityService.getByUsername(principalName);
    if (identity == null) {
        throw new IdentityNotFoundException(MessageFormat.format("Check identity can login: The identity " + "[{0}] either doesn't exist or is deleted.", principalName));
    }
    // identity is valid
    if (identity.isDisabled()) {
        throw new IdentityDisabledException(MessageFormat.format("Check identity can login: The identity [{0}] is disabled.", principalName));
    }
    return identity;
}
Use of eu.bcvsolutions.idm.core.security.api.exception.IdentityDisabledException in project CzechIdMng by bcvsolutions.
The class AbstractAuthenticator, method getValidIdentity.
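/**
 * Get valid identity by username.
 * <p>
 * The identity is resolved through the lookup service and must exist and be enabled.
 * The two failure cases raise different exception types; callers that report the
 * outcome to a client should collapse them into one generic authentication failure.
 *
 * @param username identity username (required)
 * @param propagateException {@code true} - throw on failure (authenticate);
 *        {@code false} - log at debug level and return {@code null} (validate)
 * @return valid identity, or {@code null} when a check fails and exceptions are not propagated
 * @throws IllegalArgumentException username is empty
 * @throws IdentityNotFoundException identity does not exist or is deleted (when propagating)
 * @throws IdentityDisabledException identity is disabled (when propagating)
 * @since 10.7.0
 */
protected IdmIdentityDto getValidIdentity(String username, boolean propagateException) {
    Assert.hasLength(username, "Identity username is required.");
    IdmIdentityDto identity = (IdmIdentityDto) lookupService.lookupDto(IdmIdentityDto.class, username);
    // check identity exists
    if (identity == null) {
        String validationMessage = MessageFormat.format("Check identity can login: The identity " + "[{0}] either doesn't exist or is deleted.", username);
        if (!propagateException) {
            LOG.debug(validationMessage);
            return null;
        }
        throw new IdentityNotFoundException(validationMessage);
    }
    // check valid identity
    if (identity.isDisabled()) {
        String validationMessage = MessageFormat.format("Check identity can login: The identity [{0}] is disabled.", username);
        if (!propagateException) {
            LOG.debug(validationMessage);
            return null;
        }
        throw new IdentityDisabledException(validationMessage);
    }
    //
    return identity;
}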
Use of eu.bcvsolutions.idm.core.security.api.exception.IdentityDisabledException in project CzechIdMng by bcvsolutions.
The class DefaultJwtAuthenticationService, method createJwtAuthenticationAndAuthenticate.
/**
 * Creates a JWT token for the (already authenticated) identity and completes the login.
 * <p>
 * The identity must be enabled. For a new prepared token the "secret verified" flag is set
 * to {@code true} when the login skips the must-change-password step or no two-factor
 * authentication type is configured for the identity, and to {@code false} otherwise.
 * When two-factor authentication is required for the created token, the login is not
 * completed; instead the token is written into the thrown exception so that clients that
 * do not hold the token yet (e.g. SSO login) can continue with the second factor.
 * <p>
 * NOTE(review): {@code loginDto.isSkipMustChange()} alone marks the secret as verified;
 * whether that flag can be influenced by the client on the ordinary login path is not
 * visible here - confirm it is only set server-side for the public password change flow.
 *
 * @param loginDto login request; passed through to the final login step
 * @param identity identity to log in (required, with identifier)
 * @param preparedToken token template; its "secret verified" flag is set here when the token is new
 * @return login result with the issued token
 * @throws IllegalArgumentException identity or its identifier is missing
 * @throws IdentityDisabledException identity is disabled
 * @throws TwoFactorAuthenticationRequiredException a second factor is required; carries the token
 */
@Override
public LoginDto createJwtAuthenticationAndAuthenticate(LoginDto loginDto, IdmIdentityDto identity, IdmTokenDto preparedToken) {
    Assert.notNull(identity, "Identity is required.");
    UUID identityId = identity.getId();
    Assert.notNull(identityId, "Identity identifier is required.");
    // check identity is valid
    if (identity.isDisabled()) {
        throw new IdentityDisabledException(MessageFormat.format("Check identity can login: The identity [{0}] is disabled.", identity.getUsername()));
    }
    if (tokenManager.isNew(preparedToken)) {
        // public password change page => login is needed, before password is changed;
        // otherwise the secret counts as verified only when no two factor type is configured
        boolean secondFactorNotNeeded = loginDto.isSkipMustChange()
                || twoFactorAuthenticationManager.getTwoFactorAuthenticationType(identityId) == null;
        preparedToken.setSecretVerified(secondFactorNotNeeded);
    }
    // create token
    IdmTokenDto issuedToken = jwtTokenMapper.createToken(identity, preparedToken);
    // check two factor authentication is required
    if (twoFactorAuthenticationManager.requireTwoFactorAuthentication(identityId, issuedToken.getId())) {
        // token is needed in exception => sso login can be used and client doesn't have token
        IdmJwtAuthenticationDto issuedAuthentication = jwtTokenMapper.toDto(issuedToken);
        throw new TwoFactorAuthenticationRequiredException(jwtTokenMapper.writeToken(issuedAuthentication));
    }
    //
    return login(loginDto, issuedToken);
}