use of eu.bcvsolutions.idm.core.security.api.exception.IdmAuthenticationException in project CzechIdMng by bcvsolutions.
the class DefaultLoginService method loginAuthenticatedUser.
@Override
public LoginDto loginAuthenticatedUser() {
if (!securityService.isAuthenticated()) {
throw new IdmAuthenticationException("Not authenticated!");
}
String username = securityService.getAuthentication().getCurrentUsername();
LOG.info("Identity with username [{}] authenticating", username);
//
IdmIdentityDto identity = identityService.getByUsername(username);
// identity doesn't exist
if (identity == null) {
throw new IdentityNotFoundException(MessageFormat.format("Check identity can login: The identity " + "[{0}] either doesn't exist or is deleted.", username));
}
//
// prevent to create duplicate token for logged identity
IdmTokenDto preparedToken = tokenManager.getCurrentToken();
if (preparedToken == null || !Objects.equals(preparedToken.getOwnerId(), identity.getId())) {
preparedToken = new IdmTokenDto();
preparedToken.setModuleId(CoreModuleDescriptor.MODULE_ID);
}
//
LoginDto loginDto = new LoginDto();
loginDto.setUsername(username);
loginDto = jwtAuthenticationService.createJwtAuthenticationAndAuthenticate(loginDto, identity, preparedToken);
LOG.info("Identity with username [{}] is authenticated", username);
return loginDto;
}
use of eu.bcvsolutions.idm.core.security.api.exception.IdmAuthenticationException in project CzechIdMng by bcvsolutions.
the class OAuthAuthenticationManager method authenticate.
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
if (!(authentication instanceof IdmJwtAuthentication)) {
throw new IdmAuthenticationException("Unsupported granted authority " + authentication.getClass().getName());
}
//
IdmJwtAuthentication idmJwtAuthentication = verifyAuthentication(authentication);
// Set logged user to workflow engine
workflowIdentityService.setAuthenticatedUserId(idmJwtAuthentication.getCurrentUsername());
// set authentication
securityService.setAuthentication(idmJwtAuthentication);
//
return idmJwtAuthentication;
}
use of eu.bcvsolutions.idm.core.security.api.exception.IdmAuthenticationException in project CzechIdMng by bcvsolutions.
the class DefaultAccMultipleSystemAuthenticatorIntegrationTest method login.
/**
* Process authentication against {@link AuthenticationManager} - IdM and all available system.
*
* @param identity
* @param password
* @param failed
* @return
*/
private LoginDto login(IdmIdentityDto identity, String password, boolean failed, String module) {
LoginDto loginDto = new LoginDto();
loginDto.setUsername(identity.getUsername());
loginDto.setPassword(new GuardedString(password));
LoginDto authenticate = null;
try {
authenticate = authenticationManager.authenticate(loginDto);
} catch (IdmAuthenticationException e) {
authenticate = null;
}
if (failed) {
assertNull(authenticate);
} else {
assertNotNull(authenticate);
assertEquals(module, authenticate.getAuthenticationModule());
}
return authenticate;
}
use of eu.bcvsolutions.idm.core.security.api.exception.IdmAuthenticationException in project CzechIdMng by bcvsolutions.
the class PasswordChangeController method passwordChange.
/**
* Changes identity password. Could be public, because previous password is required.
*
* @param identityId
* @param passwordChangeDto
* @return
*/
@ResponseBody
@ResponseStatus(code = HttpStatus.OK)
@RequestMapping(value = BaseController.BASE_PATH + "/public/identities/{backendId}/password-change", method = RequestMethod.PUT)
@ApiOperation(value = "Change identity's password", nickname = "passwordChange", tags = { PasswordChangeController.TAG })
public List<OperationResult> passwordChange(@ApiParam(value = "Identity's uuid identifier or username.", required = true) @PathVariable String backendId, @RequestBody @Valid PasswordChangeDto passwordChangeDto) {
IdmIdentityDto identity = (IdmIdentityDto) entityLookupService.lookupDto(IdmIdentityDto.class, backendId);
if (identity == null) {
// we don't result not found by security reasons, it public endpoint
throw new ResultCodeException(CoreResultCode.PASSWORD_CHANGE_CURRENT_FAILED_IDM);
}
// we need to login as identity, if no one is logged in
try {
if (!securityService.isAuthenticated()) {
LoginDto loginDto = new LoginDto();
// we are changing password => skip check
loginDto.setSkipMustChange(true);
loginDto.setUsername(identity.getUsername());
loginDto.setPassword(passwordChangeDto.getOldPassword());
loginDto = authenticationManager.authenticate(loginDto);
//
// public password change password for all system including idm
passwordChangeDto.setAll(true);
// check if is allowed change password trough IdM, otherwise leave value as it is
passwordChangeDto.setIdm(identityConfiguration.isAllowedPublicChangePasswordForIdm());
}
} catch (IdmAuthenticationException ex) {
throw new ResultCodeException(CoreResultCode.PASSWORD_CHANGE_CURRENT_FAILED_IDM, ex);
}
//
// check permission for password change
identityService.checkAccess(identity, IdentityBasePermission.PASSWORDCHANGE);
//
return identityService.passwordChange(identity, passwordChangeDto);
}
use of eu.bcvsolutions.idm.core.security.api.exception.IdmAuthenticationException in project CzechIdMng by bcvsolutions.
the class SsoIdmAuthenticationFilter method authorize.
@Override
public boolean authorize(String token, HttpServletRequest request, HttpServletResponse response) {
try {
LOG.debug("Starting SSO filter authorization, value of the SSO header is: [{}]", token);
if (Strings.isNullOrEmpty(token)) {
return false;
}
// Remove suffix from the token - typically the domain
String userName = removeUidSuffix(token);
// Check forbidden uids
if (isForbiddenUid(userName)) {
LOG.info("The uid [{}] is forbidden for SSO authentication.", userName);
return false;
}
// Find the corresponding identity
IdmIdentityDto identity = (IdmIdentityDto) lookupService.lookupDto(IdmIdentityDto.class, userName);
if (identity == null) {
throw new IdentityNotFoundException(MessageFormat.format("Check identity can login: The identity [{0}] either doesn't exist or is deleted.", userName));
}
// identity is valid
if (identity.isDisabled()) {
throw new IdentityDisabledException(MessageFormat.format("Check identity can login: The identity [{0}] is disabled.", userName));
}
// Check forbidden identity - identity can be found by different attribute than id / username - depends on registered lookup
if (isForbidden(identity)) {
LOG.info("The uid [{}] is forbidden for SSO authentication.", userName);
return false;
}
// Check that the identity can authenticate by SSO
if (isSsoDisabledForIdentity(identity)) {
LOG.info("The user [{}] can't be authenticated by SSO due to security reasons.", userName);
return false;
}
// Authenticate the user
LOG.info("User [{}] will be authenticated by SSO.", userName);
LoginDto loginDto = createLoginDto(userName);
LoginDto fullLoginDto = jwtAuthenticationService.createJwtAuthenticationAndAuthenticate(loginDto, identity, CoreModuleDescriptor.MODULE_ID);
//
return fullLoginDto != null;
} catch (IdmAuthenticationException e) {
LOG.warn("Authentication exception raised during SSO authentication: [{}].", e.getMessage());
}
return false;
}
Aggregations