Use of javax.security.auth.login.AccountLockedException in project jackrabbit-oak by apache.
The class UserAuthentication, method authenticate.
// -----------------------------------------------------< Authentication >---
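/**
 * Authenticates {@code credentials} against the user whose ID is {@code loginId}.
 *
 * <p>Returns {@code false} (rather than throwing) when there is nothing to decide
 * here: no credentials, no login ID, or no authorizable with that ID. Throws a
 * {@link LoginException} subtype when the account exists but must not log in.
 *
 * @param credentials the credentials to verify; may be {@code null}
 * @return {@code true} if the credentials were verified, {@code false} if this
 *         authentication does not apply to them
 * @throws AccountNotFoundException if {@code loginId} resolves to a group
 * @throws AccountLockedException if the user is disabled
 * @throws CredentialExpiredException if the password has expired and could not be changed
 * @throws LoginException if the repository access fails (the repository exception is
 *         attached as cause) or the credentials are rejected
 */
@Override
public boolean authenticate(@Nullable Credentials credentials) throws LoginException {
    if (credentials == null || loginId == null) {
        return false;
    }
    boolean success = false;
    try {
        UserManager userManager = config.getUserManager(root, NamePathMapper.DEFAULT);
        Authorizable authorizable = userManager.getAuthorizable(loginId);
        if (authorizable == null) {
            // Unknown ID: not an error here, another login module may still handle it.
            return false;
        }
        if (authorizable.isGroup()) {
            throw new AccountNotFoundException("Not a user " + loginId);
        }
        User user = (User) authorizable;
        if (user.isDisabled()) {
            // NOTE(review): evaluated before any credential is verified, so the
            // disabled state and its reason are reported regardless of the password
            // supplied; the message is what reaches the caller of the login module.
            throw new AccountLockedException("User with ID " + loginId + " has been disabled: " + user.getDisabledReason());
        }
        if (credentials instanceof SimpleCredentials) {
            SimpleCredentials creds = (SimpleCredentials) credentials;
            Credentials userCreds = user.getCredentials();
            // The user ID carried in the credentials must match the ID this
            // authentication was created for; the stored hash is only compared
            // when the repository handed back its own CredentialsImpl.
            if (loginId.equals(creds.getUserID()) && userCreds instanceof CredentialsImpl) {
                success = PasswordUtil.isSame(((CredentialsImpl) userCreds).getPasswordHash(), creds.getPassword());
            }
            // presumably throws when success is false — confirm in checkSuccess
            checkSuccess(success, "UserId/Password mismatch.");
            if (isPasswordExpired(user)) {
                // UserConstants.CREDENTIALS_ATTRIBUTE_NEWPASSWORD attribute set
                if (!changePassword(user, creds)) {
                    throw new CredentialExpiredException("User password has expired");
                }
            }
        } else if (credentials instanceof ImpersonationCredentials) {
            ImpersonationCredentials ipCreds = (ImpersonationCredentials) credentials;
            AuthInfo info = ipCreds.getImpersonatorInfo();
            success = equalUserId(ipCreds, loginId) && impersonate(info, user);
            checkSuccess(success, "Impersonation not allowed.");
        } else {
            // guest login is allowed if an anonymous user exists in the content (see get user above)
            success = (credentials instanceof GuestCredentials) || credentials == PreAuthenticatedLogin.PRE_AUTHENTICATED;
        }
        userId = user.getID();
        principal = user.getPrincipal();
    } catch (RepositoryException e) {
        // LoginException has no (message, cause) constructor; keep the original
        // exception reachable via getCause() instead of discarding it.
        LoginException loginException = new LoginException(e.getMessage());
        loginException.initCause(e);
        throw loginException;
    }
    return success;
}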
Use of javax.security.auth.login.AccountLockedException in project cas by apereo.
The class RestAuthenticationHandler, method authenticateUsernamePasswordInternal.
/**
 * Authenticates by POSTing the credential as HTTP basic auth to the configured REST
 * endpoint and mapping the HTTP status of the reply onto the login exception hierarchy.
 *
 * <p>The clear-text password is sent to {@code properties.getUri()}, so that endpoint
 * is trusted with it; an unrecognised status code fails the login.
 *
 * @param credential the username/password being verified
 * @param originalPassword the password as supplied, unused here (the credential is sent as-is)
 * @return the handler result built from the 200 OK response body
 * @throws GeneralSecurityException one of the account/login exceptions mapped from the status
 */
@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    HttpResponse httpResponse = null;
    try {
        val username = credential.getUsername();
        val executionRequest = HttpUtils.HttpExecutionRequest.builder()
            .basicAuthUsername(username)
            .basicAuthPassword(credential.getPassword())
            .method(HttpMethod.POST)
            .url(properties.getUri())
            .build();
        httpResponse = HttpUtils.execute(executionRequest);
        val statusCode = Objects.requireNonNull(httpResponse).getStatusLine().getStatusCode();
        // resolve() yields null for a code Spring does not know; requireNonNull turns that into an NPE
        val resolvedStatus = Objects.requireNonNull(HttpStatus.resolve(statusCode));
        switch (resolvedStatus) {
            case OK:
                return buildPrincipalFromResponse(credential, httpResponse);
            case FORBIDDEN:
                throw new AccountDisabledException("Could not authenticate forbidden account for " + username);
            case UNAUTHORIZED:
                throw new FailedLoginException("Could not authenticate account for " + username);
            case NOT_FOUND:
                throw new AccountNotFoundException("Could not locate account for " + username);
            case LOCKED:
                throw new AccountLockedException("Could not authenticate locked account for " + username);
            case PRECONDITION_FAILED:
                throw new AccountExpiredException("Could not authenticate expired account for " + username);
            case PRECONDITION_REQUIRED:
                throw new AccountPasswordMustChangeException("Account password must change for " + username);
            default:
                throw new FailedLoginException("Rest endpoint returned an unknown status code " + resolvedStatus + " for " + username);
        }
    } finally {
        // always release the connection, even when a status mapped to an exception
        HttpUtils.close(httpResponse);
    }
}
Use of javax.security.auth.login.AccountLockedException in project cas by apereo.
The class RedisAuthenticationHandler, method authenticateUsernamePasswordInternal.
/**
 * Authenticates against a user account stored in Redis under the username key.
 *
 * <p>Order of checks: account presence, password match via the configured encoder,
 * then account status. A missing account is reported before any password work is
 * done, so the failure mode for unknown and known usernames differs.
 *
 * @param credential the credential being verified
 * @param originalPassword the raw password to compare against the stored encoded one
 * @return a handler result carrying a principal built from the stored username and attributes
 * @throws GeneralSecurityException AccountNotFound / FailedLogin / status-specific exceptions
 */
@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    val storedAccount = (RedisUserAccount) redisTemplate.opsForValue().get(credential.getUsername());
    if (storedAccount == null) {
        throw new AccountNotFoundException();
    }
    val passwordMatches = getPasswordEncoder().matches(originalPassword, storedAccount.getPassword());
    if (!passwordMatches) {
        // only the identifier is logged, never the supplied or stored password
        LOGGER.warn("Account password on record for [{}] does not match the given/encoded password", credential.getId());
        throw new FailedLoginException();
    }
    switch (storedAccount.getStatus()) {
        case DISABLED:
            throw new AccountDisabledException();
        case EXPIRED:
            throw new AccountExpiredException();
        case LOCKED:
            throw new AccountLockedException();
        case MUST_CHANGE_PASSWORD:
            throw new AccountPasswordMustChangeException();
        case OK:
        default:
            // any status not listed above is treated like OK
            LOGGER.debug("Account status is OK");
    }
    val resolvedPrincipal = principalFactory.createPrincipal(storedAccount.getUsername(), storedAccount.getAttributes());
    return createHandlerResult(credential, resolvedPrincipal, new ArrayList<>(0));
}
Use of javax.security.auth.login.AccountLockedException in project cas by apereo.
The class SoapAuthenticationHandler, method authenticateUsernamePasswordInternal.
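/**
 * Authenticates through the SOAP client and maps the numeric status of the reply onto
 * the login exception hierarchy.
 *
 * <p>Status codes are resolved with {@link HttpStatus#resolve(int)} rather than
 * {@code HttpStatus.valueOf(int)}: the latter throws an unchecked
 * {@code IllegalArgumentException} for a code Spring does not know, which would bypass
 * the {@link GeneralSecurityException} contract of this method. An unknown code now
 * fails the login like the other unmapped codes do.
 *
 * @param credential the credential being verified; it is handed to the SOAP client as-is
 * @param originalPassword the raw password, unused here
 * @return a handler result whose principal is built from the username and attributes in the reply
 * @throws GeneralSecurityException one of the account/login exceptions mapped from the status
 */
@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    soapAuthenticationClient.setCredentials(credential);
    val request = new ObjectFactory().createGetSoapAuthenticationRequest();
    request.setUsername(credential.getUsername());
    val response = soapAuthenticationClient.sendRequest(request);
    val statusCode = response.getStatus();
    if (statusCode == HttpStatus.OK.value()) {
        val attributes = new LinkedHashMap<String, List<Object>>();
        response.getAttributes().forEach(item -> attributes.put(item.getKey().toString(), CollectionUtils.toCollection(item.getValue(), ArrayList.class)));
        val principal = principalFactory.createPrincipal(response.getUsername(), attributes);
        return createHandlerResult(credential, principal, new ArrayList<>(0));
    }
    val httpStatus = HttpStatus.resolve(statusCode);
    if (httpStatus == null) {
        // not a code Spring knows: refuse the login instead of surfacing an IllegalArgumentException
        throw new FailedLoginException("SOAP endpoint returned an unknown status code " + statusCode + " for " + credential.getUsername());
    }
    switch (httpStatus) {
        case FORBIDDEN:
            throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
        case UNAUTHORIZED:
            throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
        case NOT_FOUND:
            throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
        case LOCKED:
            throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
        case PRECONDITION_FAILED:
            throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
        case PRECONDITION_REQUIRED:
            throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
        default:
            throw new FailedLoginException("SOAP endpoint returned an unknown status code " + httpStatus + " for " + credential.getUsername());
    }
}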
Use of javax.security.auth.login.AccountLockedException in project jackrabbit-oak by apache.
The class UserAuthenticationTest, method testAuthenticateResolvesToDisabledUser.
/**
 * A disabled user must be rejected with {@link AccountLockedException} even when the
 * supplied password is correct; the user is re-enabled afterwards so other tests are
 * not affected.
 */
@Test
public void testAuthenticateResolvesToDisabledUser() throws Exception {
    User user = getTestUser();
    String id = user.getID();
    SimpleCredentials credentials = new SimpleCredentials(id, id.toCharArray());
    Authentication authentication = new UserAuthentication(getUserConfiguration(), root, credentials.getUserID());
    try {
        // disable inside the try so the finally block always re-enables
        getTestUser().disable("disabled");
        root.commit();
        authentication.authenticate(credentials);
        fail("Authenticating disabled user should fail");
    } catch (LoginException e) {
        assertTrue("Expected AccountLockedException but got " + e.getClass().getName(), e instanceof AccountLockedException);
    } finally {
        getTestUser().disable(null);
        root.commit();
    }
}