
Example 1 with AccountExpiredException

use of javax.security.auth.login.AccountExpiredException in project cas by apereo.

In class RestAuthenticationHandler, method authenticateUsernamePasswordInternal.

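@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    var response = (HttpResponse) null;
    try {
        /*
         * The submitted credential is forwarded to the configured REST endpoint as HTTP Basic
         * auth, i.e. the cleartext password travels on the wire. properties.getUri() is
         * therefore expected to be an https:// URL; nothing in this method enforces that.
         */
        val exec = HttpUtils.HttpExecutionRequest.builder()
            .basicAuthUsername(credential.getUsername())
            .basicAuthPassword(credential.getPassword())
            .method(HttpMethod.POST)
            .url(properties.getUri())
            .build();
        response = HttpUtils.execute(exec);

        // A null response means no HTTP status was ever produced (presumably a transport-level
        // failure inside HttpUtils.execute). That is not an authentication outcome, so it is
        // surfaced as an NPE rather than misreported as a failed login.
        val rawStatusCode = Objects.requireNonNull(response, "No response received from REST authentication endpoint")
            .getStatusLine().getStatusCode();

        // HttpStatus.resolve() returns null for codes it does not know (e.g. 599). Previously
        // that produced an NPE from requireNonNull; route it to the same "unknown status"
        // failure the default branch already uses so the outcome is a proper login failure.
        val status = HttpStatus.resolve(rawStatusCode);
        if (status == null) {
            throw new FailedLoginException("Rest endpoint returned an unknown status code " + rawStatusCode + " for " + credential.getUsername());
        }

        // Map the endpoint's HTTP status onto the JAAS/CAS account-state exceptions that the
        // CAS webflow knows how to present.
        switch (status) {
            case OK:
                return buildPrincipalFromResponse(credential, response);
            case FORBIDDEN:
                throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
            case UNAUTHORIZED:
                throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
            case NOT_FOUND:
                throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
            case LOCKED:
                throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
            case PRECONDITION_FAILED:
                throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
            case PRECONDITION_REQUIRED:
                throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
            default:
                // NOTE(review): every other code, including 5xx from a broken backend, is reported
                // as FailedLoginException, i.e. as if the credential were wrong. If lockout or
                // throttling counts failures per user, a backend outage will count against the
                // user. Consider whether server-side errors should be surfaced differently.
                throw new FailedLoginException("Rest endpoint returned an unknown status code " + status + " for " + credential.getUsername());
        }
    } finally {
        // Always release the underlying connection; close() tolerates a null response.
        HttpUtils.close(response);
    }
}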
Also used : lombok.val(lombok.val) AccountLockedException(javax.security.auth.login.AccountLockedException) FailedLoginException(javax.security.auth.login.FailedLoginException) AccountExpiredException(javax.security.auth.login.AccountExpiredException) HttpResponse(org.apache.http.HttpResponse) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException)

Example 2 with AccountExpiredException

use of javax.security.auth.login.AccountExpiredException in project cas by apereo.

In class RedisAuthenticationHandler, method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    // The submitted username is used verbatim as the Redis key.
    // NOTE(review): nothing here namespaces or normalizes that key; confirm the writer side
    // stores accounts under exactly the raw username and that no other data shares the keyspace.
    val storedAccount = (RedisUserAccount) redisTemplate.opsForValue().get(credential.getUsername());
    if (storedAccount == null) {
        // NOTE(review): unknown users are rejected before any password hashing runs and with a
        // distinct exception type. Both the timing difference and the message are observable
        // and permit username enumeration unless the front end presents a uniform failure.
        throw new AccountNotFoundException();
    }

    // Verify the password against the stored (encoded) value via the configured encoder.
    val passwordMatches = getPasswordEncoder().matches(originalPassword, storedAccount.getPassword());
    if (!passwordMatches) {
        LOGGER.warn("Account password on record for [{}] does not match the given/encoded password", credential.getId());
        throw new FailedLoginException();
    }

    // Account state is only examined after the password has been verified, so a caller
    // without the credential learns nothing about whether the account is locked/expired.
    switch (storedAccount.getStatus()) {
        case LOCKED:
            throw new AccountLockedException();
        case EXPIRED:
            throw new AccountExpiredException();
        case DISABLED:
            throw new AccountDisabledException();
        case MUST_CHANGE_PASSWORD:
            throw new AccountPasswordMustChangeException();
        case OK:
        default:
            LOGGER.debug("Account status is OK");
    }

    // Build the principal from the stored record (not the submitted credential) and return
    // a result with no warnings attached.
    val resolvedPrincipal = principalFactory.createPrincipal(storedAccount.getUsername(), storedAccount.getAttributes());
    return createHandlerResult(credential, resolvedPrincipal, new ArrayList<>(0));
}
Also used : lombok.val(lombok.val) AccountLockedException(javax.security.auth.login.AccountLockedException) FailedLoginException(javax.security.auth.login.FailedLoginException) AccountExpiredException(javax.security.auth.login.AccountExpiredException) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException)

Example 3 with AccountExpiredException

use of javax.security.auth.login.AccountExpiredException in project cas by apereo.

In class SoapAuthenticationHandler, method authenticateUsernamePasswordInternal.

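@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    // NOTE(review): the credential is installed on the SOAP client before each call. If
    // soapAuthenticationClient is a shared singleton, concurrent logins could race on it;
    // confirm setCredentials is request-scoped (thread-local or per-request client).
    soapAuthenticationClient.setCredentials(credential);
    val request = new ObjectFactory().createGetSoapAuthenticationRequest();
    request.setUsername(credential.getUsername());
    val response = soapAuthenticationClient.sendRequest(request);

    val rawStatusCode = response.getStatus();
    if (rawStatusCode == HttpStatus.OK.value()) {
        // Copy the endpoint's attributes into a principal; later duplicates of a key overwrite
        // earlier ones because a plain map is used.
        val attributes = new LinkedHashMap<String, List<Object>>();
        response.getAttributes().forEach(item -> attributes.put(item.getKey().toString(), CollectionUtils.toCollection(item.getValue(), ArrayList.class)));
        // The principal id comes from the endpoint's response, not from the submitted credential.
        val principal = principalFactory.createPrincipal(response.getUsername(), attributes);
        return createHandlerResult(credential, principal, new ArrayList<>(0));
    }

    // HttpStatus.valueOf() throws IllegalArgumentException for non-standard codes, which would
    // escape as a runtime error instead of a login failure. resolve() returns null instead,
    // so unknown codes fall into the same "unknown status" failure used below.
    val httpStatus = HttpStatus.resolve(rawStatusCode);
    if (httpStatus == null) {
        throw new FailedLoginException("SOAP endpoint returned an unknown status code " + rawStatusCode + " for " + credential.getUsername());
    }

    // Same status-to-exception mapping as the REST handler, so both present identical
    // account states to the CAS webflow.
    switch (httpStatus) {
        case FORBIDDEN:
            throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
        case UNAUTHORIZED:
            throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
        case NOT_FOUND:
            throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
        case LOCKED:
            throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
        case PRECONDITION_FAILED:
            throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
        case PRECONDITION_REQUIRED:
            throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
        default:
            // NOTE(review): server-side errors (5xx) are reported as a failed login, which a
            // per-user lockout/throttle would count against the user during a backend outage.
            throw new FailedLoginException("SOAP endpoint returned an unknown status code " + httpStatus + " for " + credential.getUsername());
    }
}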
Also used : lombok.val(lombok.val) AccountLockedException(javax.security.auth.login.AccountLockedException) FailedLoginException(javax.security.auth.login.FailedLoginException) ObjectFactory(org.apereo.cas.authentication.soap.generated.ObjectFactory) AccountExpiredException(javax.security.auth.login.AccountExpiredException) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException) LinkedHashMap(java.util.LinkedHashMap)

Example 4 with AccountExpiredException

use of javax.security.auth.login.AccountExpiredException in project cas by apereo.

In class GenericCasWebflowExceptionHandlerTests, method verifyOperation.

@Test
public void verifyOperation() {
    // Register three JAAS login exceptions with the catalog; insertion order is kept.
    val registered = new LinkedHashSet<Class<? extends Throwable>>();
    registered.add(AccountLockedException.class);
    registered.add(CredentialExpiredException.class);
    registered.add(AccountExpiredException.class);
    val exceptionCatalog = new DefaultCasWebflowExceptionCatalog();
    exceptionCatalog.registerExceptions(registered);

    // Minimal mocked webflow context backed by servlet mocks.
    val servletRequest = new MockHttpServletRequest();
    val servletResponse = new MockHttpServletResponse();
    val flowContext = mock(RequestContext.class);
    when(flowContext.getExternalContext()).thenReturn(new ServletExternalContext(new MockServletContext(), servletRequest, servletResponse));
    when(flowContext.getRequestParameters()).thenReturn(new MockParameterMap());
    when(flowContext.getMessageContext()).thenReturn(mock(MessageContext.class));

    val handlerUnderTest = new GenericCasWebflowExceptionHandler(exceptionCatalog, MessageBundleProperties.DEFAULT_BUNDLE_PREFIX_AUTHN_FAILURE);
    // A registered exception type is supported...
    assertTrue(handlerUnderTest.supports(new AccountExpiredException(), flowContext));
    // ...and handling one yields an event whose id is the generic UNKNOWN outcome.
    val resultingEvent = handlerUnderTest.handle(new CredentialExpiredException(), flowContext);
    assertNotNull(resultingEvent);
    assertEquals(CasWebflowExceptionHandler.UNKNOWN, resultingEvent.getId());
}
Also used : lombok.val(lombok.val) LinkedHashSet(java.util.LinkedHashSet) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) ServletExternalContext(org.springframework.webflow.context.servlet.ServletExternalContext) AccountExpiredException(javax.security.auth.login.AccountExpiredException) MockParameterMap(org.springframework.webflow.test.MockParameterMap) MessageContext(org.springframework.binding.message.MessageContext) CredentialExpiredException(javax.security.auth.login.CredentialExpiredException) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) MockServletContext(org.springframework.mock.web.MockServletContext) Test(org.junit.jupiter.api.Test)

Example 5 with AccountExpiredException

use of javax.security.auth.login.AccountExpiredException in project tomcat by apache.

In class JAASRealm, method authenticate.

// -------------------------------------------------------- Package Methods
// ------------------------------------------------------ Protected Methods
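/**
 * Perform the actual JAAS authentication.
 * <p>
 * A {@link LoginContext} is created for {@code appName} (defaulting to "Tomcat") and
 * {@code login()} is invoked. Every failure path — a JAAS configuration problem, any of the
 * checked {@link LoginException} subtypes, or an unexpected throwable — returns {@code null},
 * so the caller cannot distinguish an unknown user, a wrong password and an expired
 * account; the distinction is written to the debug log only.
 * <p>
 * {@code invocationSuccess} is set to {@code true} whenever JAAS itself produced an answer
 * (a successful login or a {@link LoginException}) and to {@code false} when JAAS could not
 * be invoked at all, so the realm can be reported as unavailable.
 * @param username The user name
 * @param callbackHandler The callback handler
 * @return the associated principal, or <code>null</code> if there is none.
 */
protected Principal authenticate(String username, CallbackHandler callbackHandler) {
    // Establish a LoginContext to use for authentication
    try {
        LoginContext loginContext = null;
        if (appName == null) {
            appName = "Tomcat";
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.beginLogin", username, appName));
        }
        // What if the LoginModule is in the container class loader ?
        // This relies on LoginContext capturing the thread context class loader when it is
        // constructed and using it later to load LoginModule classes, so swapping the TCCL
        // only around the constructor is sufficient. It is restored in the finally below.
        ClassLoader ocl = null;
        if (!isUseContextClassLoader()) {
            ocl = Thread.currentThread().getContextClassLoader();
            Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
        }
        try {
            Configuration config = getConfig();
            loginContext = new LoginContext(appName, null, callbackHandler, config);
        } catch (Throwable e) {
            // Re-throws the errors that must never be swallowed (VirtualMachineError etc.)
            ExceptionUtils.handleThrowable(e);
            log.error(sm.getString("jaasRealm.unexpectedError"), e);
            // There is configuration issue with JAAS so mark the realm as
            // unavailable
            invocationSuccess = false;
            return null;
        } finally {
            if (!isUseContextClassLoader()) {
                Thread.currentThread().setContextClassLoader(ocl);
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Login context created " + username);
        }
        // Negotiate a login via this LoginContext
        Subject subject = null;
        try {
            loginContext.login();
            subject = loginContext.getSubject();
            // We were able to perform login successfully so mark JAAS realm as
            // available as it could have been set to false in prior attempts.
            // Change invocationSuccess variable only when we know the outcome
            // of the JAAS operation to keep variable consistent.
            invocationSuccess = true;
            if (subject == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jaasRealm.failedLogin", username));
                }
                return null;
            }
        } catch (AccountExpiredException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.accountExpired", username));
            }
            // JAAS checked LoginExceptions are successful authentication
            // invocations so mark JAAS realm as available
            invocationSuccess = true;
            return null;
        } catch (CredentialExpiredException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.credentialExpired", username));
            }
            // JAAS checked LoginExceptions are successful authentication
            // invocations so mark JAAS realm as available
            invocationSuccess = true;
            return null;
        } catch (FailedLoginException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.failedLogin", username));
            }
            // JAAS checked LoginExceptions are successful authentication
            // invocations so mark JAAS realm as available
            invocationSuccess = true;
            return null;
        } catch (LoginException e) {
            // Any other LoginException is unexpected enough to warrant a warning with the
            // stack trace, but it still counts as JAAS having answered.
            log.warn(sm.getString("jaasRealm.loginException", username), e);
            // JAAS checked LoginExceptions are successful authentication
            // invocations so mark JAAS realm as available
            invocationSuccess = true;
            return null;
        } catch (Throwable e) {
            ExceptionUtils.handleThrowable(e);
            log.error(sm.getString("jaasRealm.unexpectedError"), e);
            // JAAS throws exception different than LoginException so mark the
            // realm as unavailable
            invocationSuccess = false;
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.loginContextCreated", username));
        }
        // Return the appropriate Principal for this authenticated Subject
        Principal principal = createPrincipal(username, subject, loginContext);
        if (principal == null) {
            // Guarded like the other debug statements so the message is not formatted needlessly.
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.authenticateFailure", username));
            }
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.authenticateSuccess", username, principal));
        }
        return principal;
    } catch (Throwable t) {
        // Same contract as the inner handlers: fatal errors (ThreadDeath, VirtualMachineError)
        // must propagate rather than be turned into a silent "not authenticated".
        ExceptionUtils.handleThrowable(t);
        log.error("error ", t);
        // JAAS throws exception different than LoginException so mark the realm as unavailable
        invocationSuccess = false;
        return null;
    }
}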
Also used : LoginContext(javax.security.auth.login.LoginContext) FailedLoginException(javax.security.auth.login.FailedLoginException) Configuration(javax.security.auth.login.Configuration) AccountExpiredException(javax.security.auth.login.AccountExpiredException) LoginException(javax.security.auth.login.LoginException) FailedLoginException(javax.security.auth.login.FailedLoginException) CredentialExpiredException(javax.security.auth.login.CredentialExpiredException) Subject(javax.security.auth.Subject) Principal(java.security.Principal)

Aggregations

AccountExpiredException (javax.security.auth.login.AccountExpiredException)11 FailedLoginException (javax.security.auth.login.FailedLoginException)9 AccountNotFoundException (javax.security.auth.login.AccountNotFoundException)8 lombok.val (lombok.val)8 AccountLockedException (javax.security.auth.login.AccountLockedException)5 AccountDisabledException (org.apereo.cas.authentication.exceptions.AccountDisabledException)5 AccountPasswordMustChangeException (org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException)5 CredentialExpiredException (javax.security.auth.login.CredentialExpiredException)4 GeneralSecurityException (java.security.GeneralSecurityException)3 Principal (java.security.Principal)2 LinkedHashMap (java.util.LinkedHashMap)2 Subject (javax.security.auth.Subject)2 Configuration (javax.security.auth.login.Configuration)2 LoginContext (javax.security.auth.login.LoginContext)2 LoginException (javax.security.auth.login.LoginException)2 HttpResponse (org.apache.http.HttpResponse)2 Authentication (org.apereo.cas.authentication.Authentication)2 PreventedException (org.apereo.cas.authentication.PreventedException)2 SimpleSecurityContext (com.nimbusds.jose.proc.SimpleSecurityContext)1 IGoogleAuthenticator (com.warrenstrange.googleauth.IGoogleAuthenticator)1