Use of eu.bcvsolutions.idm.core.security.api.exception.IdentityDisabledException in project CzechIdMng by bcvsolutions:
class SsoIdmAuthenticationFilter, method authorize.
/**
 * Authorizes a request from the SSO header value.
 *
 * The header value is treated as an already-authenticated uid: after the suffix
 * (typically the domain) is removed, the uid is checked against the forbidden
 * lists, the identity is looked up, and a JWT authentication is created for it.
 * NOTE(review): because the header is trusted as-is, this filter must only ever
 * see headers set by the SSO front end — confirm the deployment drops any
 * client-supplied copy of the header before it reaches the application.
 *
 * @param token    value of the SSO header (may be {@code null} or empty)
 * @param request  current request (not read by this method)
 * @param response current response (not read by this method)
 * @return {@code true} when a JWT authentication was created, {@code false} when the
 *         header is empty, the uid/identity is forbidden, SSO is disabled for the
 *         identity, or an {@link IdmAuthenticationException} was raised
 */
@Override
public boolean authorize(String token, HttpServletRequest request, HttpServletResponse response) {
    try {
        LOG.debug("Starting SSO filter authorization, value of the SSO header is: [{}]", token);
        if (Strings.isNullOrEmpty(token)) {
            return false;
        }
        // Strip the suffix (typically the domain) so only the bare uid is left.
        final String uid = removeUidSuffix(token);
        // First gate: uid-level deny list, evaluated before any lookup.
        if (isForbiddenUid(uid)) {
            LOG.info("The uid [{}] is forbidden for SSO authentication.", uid);
            return false;
        }
        // Resolve the identity behind the uid; the lookup may match on an attribute
        // other than id / username, depending on the registered lookup.
        final IdmIdentityDto identity = (IdmIdentityDto) lookupService.lookupDto(IdmIdentityDto.class, uid);
        if (identity == null) {
            throw new IdentityNotFoundException(MessageFormat.format("Check identity can login: The identity [{0}] either doesn't exist or is deleted.", uid));
        }
        if (identity.isDisabled()) {
            throw new IdentityDisabledException(MessageFormat.format("Check identity can login: The identity [{0}] is disabled.", uid));
        }
        // Second gate: identity-level deny list, since the identity may have been
        // found by a different attribute than the forbidden uid check used.
        if (isForbidden(identity)) {
            LOG.info("The uid [{}] is forbidden for SSO authentication.", uid);
            return false;
        }
        // Third gate: SSO may be switched off for this particular identity.
        if (isSsoDisabledForIdentity(identity)) {
            LOG.info("The user [{}] can't be authenticated by SSO due to security reasons.", uid);
            return false;
        }
        LOG.info("User [{}] will be authenticated by SSO.", uid);
        final LoginDto login = createLoginDto(uid);
        final LoginDto authenticated = jwtAuthenticationService.createJwtAuthenticationAndAuthenticate(login, identity, CoreModuleDescriptor.MODULE_ID);
        // A null result means no authentication was established.
        return authenticated != null;
    } catch (IdmAuthenticationException e) {
        // Only the message is logged; the exception itself is not propagated to the caller.
        LOG.warn("Authentication exception raised during SSO authentication: [{}].", e.getMessage());
        return false;
    }
}