Example 1 with AccountLockedException

Use of javax.security.auth.login.AccountLockedException in the project jackrabbit-oak by apache: class UserAuthentication, method authenticate.

// -----------------------------------------------------< Authentication >---
@Override
public boolean authenticate(@Nullable Credentials credentials) throws LoginException {
    if (credentials == null || loginId == null) {
        return false;
    }
    boolean success = false;
    try {
        UserManager userManager = config.getUserManager(root, NamePathMapper.DEFAULT);
        Authorizable authorizable = userManager.getAuthorizable(loginId);
        if (authorizable == null) {
            // unknown login id: report plain failure instead of throwing
            return false;
        }
        if (authorizable.isGroup()) {
            // groups can never log in
            throw new AccountNotFoundException("Not a user " + loginId);
        }
        User user = (User) authorizable;
        if (user.isDisabled()) {
            // a disabled user is reported as a locked account before any credential is checked
            throw new AccountLockedException("User with ID " + loginId + " has been disabled: " + user.getDisabledReason());
        }
        if (credentials instanceof SimpleCredentials) {
            SimpleCredentials creds = (SimpleCredentials) credentials;
            Credentials userCreds = user.getCredentials();
            // the user id must match and the supplied password is compared against the stored hash
            if (loginId.equals(creds.getUserID()) && userCreds instanceof CredentialsImpl) {
                success = PasswordUtil.isSame(((CredentialsImpl) userCreds).getPasswordHash(), creds.getPassword());
            }
            checkSuccess(success, "UserId/Password mismatch.");
            if (isPasswordExpired(user)) {
                // an expired password is only accepted together with a new one, supplied through the
                // UserConstants.CREDENTIALS_ATTRIBUTE_NEWPASSWORD attribute
                if (!changePassword(user, creds)) {
                    throw new CredentialExpiredException("User password has expired");
                }
            }
        } else if (credentials instanceof ImpersonationCredentials) {
            ImpersonationCredentials ipCreds = (ImpersonationCredentials) credentials;
            AuthInfo info = ipCreds.getImpersonatorInfo();
            // the impersonator must be permitted to impersonate this particular user
            success = equalUserId(ipCreds, loginId) && impersonate(info, user);
            checkSuccess(success, "Impersonation not allowed.");
        } else {
            // guest login is allowed if an anonymous user exists in the content (see get user above)
            success = (credentials instanceof GuestCredentials) || credentials == PreAuthenticatedLogin.PRE_AUTHENTICATED;
        }
        userId = user.getID();
        principal = user.getPrincipal();
    } catch (RepositoryException e) {
        // repository failures surface as a generic LoginException
        throw new LoginException(e.getMessage());
    }
    return success;
}
Also used: AccountLockedException (javax.security.auth.login.AccountLockedException), AuthInfo (org.apache.jackrabbit.oak.api.AuthInfo), User (org.apache.jackrabbit.api.security.user.User), RepositoryException (javax.jcr.RepositoryException), SimpleCredentials (javax.jcr.SimpleCredentials), ImpersonationCredentials (org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials), UserManager (org.apache.jackrabbit.api.security.user.UserManager), Authorizable (org.apache.jackrabbit.api.security.user.Authorizable), LoginException (javax.security.auth.login.LoginException), FailedLoginException (javax.security.auth.login.FailedLoginException), AccountNotFoundException (javax.security.auth.login.AccountNotFoundException), CredentialExpiredException (javax.security.auth.login.CredentialExpiredException), GuestCredentials (javax.jcr.GuestCredentials), Credentials (javax.jcr.Credentials)

Example 2 with AccountLockedException

Use of javax.security.auth.login.AccountLockedException in the project cas by apereo: class RestAuthenticationHandler, method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    var response = (HttpResponse) null;
    try {
        // the user's credentials are forwarded to the configured REST endpoint as HTTP basic auth
        val exec = HttpUtils.HttpExecutionRequest.builder().basicAuthUsername(credential.getUsername()).basicAuthPassword(credential.getPassword()).method(HttpMethod.POST).url(properties.getUri()).build();
        response = HttpUtils.execute(exec);
        val status = HttpStatus.resolve(Objects.requireNonNull(response).getStatusLine().getStatusCode());
        // each HTTP status the endpoint may return is mapped onto a JAAS login exception
        switch(Objects.requireNonNull(status)) {
            case OK:
                return buildPrincipalFromResponse(credential, response);
            case FORBIDDEN:
                throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
            case UNAUTHORIZED:
                throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
            case NOT_FOUND:
                throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
            case LOCKED:
                throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
            case PRECONDITION_FAILED:
                throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
            case PRECONDITION_REQUIRED:
                throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
            default:
                // any status not listed above is treated as a failed login
                throw new FailedLoginException("Rest endpoint returned an unknown status code " + status + " for " + credential.getUsername());
        }
    } finally {
        // release the HTTP connection regardless of outcome
        HttpUtils.close(response);
    }
}
Also used: lombok.val (lombok.val), AccountLockedException (javax.security.auth.login.AccountLockedException), FailedLoginException (javax.security.auth.login.FailedLoginException), AccountExpiredException (javax.security.auth.login.AccountExpiredException), HttpResponse (org.apache.http.HttpResponse), AccountPasswordMustChangeException (org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException), AccountNotFoundException (javax.security.auth.login.AccountNotFoundException), AccountDisabledException (org.apereo.cas.authentication.exceptions.AccountDisabledException)

Example 3 with AccountLockedException

Use of javax.security.auth.login.AccountLockedException in the project cas by apereo: class RedisAuthenticationHandler, method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    // the account record is looked up in Redis by username
    val account = (RedisUserAccount) redisTemplate.opsForValue().get(credential.getUsername());
    if (account == null) {
        throw new AccountNotFoundException();
    }
    // the password is verified through the configured encoder before the account status is consulted
    if (!getPasswordEncoder().matches(originalPassword, account.getPassword())) {
        LOGGER.warn("Account password on record for [{}] does not match the given/encoded password", credential.getId());
        throw new FailedLoginException();
    }
    // a correct password is still rejected if the account is not in a usable state
    switch(account.getStatus()) {
        case DISABLED:
            throw new AccountDisabledException();
        case EXPIRED:
            throw new AccountExpiredException();
        case LOCKED:
            throw new AccountLockedException();
        case MUST_CHANGE_PASSWORD:
            throw new AccountPasswordMustChangeException();
        case OK:
        default:
            LOGGER.debug("Account status is OK");
    }
    val principal = principalFactory.createPrincipal(account.getUsername(), account.getAttributes());
    return createHandlerResult(credential, principal, new ArrayList<>(0));
}
Also used: lombok.val (lombok.val), AccountLockedException (javax.security.auth.login.AccountLockedException), FailedLoginException (javax.security.auth.login.FailedLoginException), AccountExpiredException (javax.security.auth.login.AccountExpiredException), AccountPasswordMustChangeException (org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException), AccountNotFoundException (javax.security.auth.login.AccountNotFoundException), AccountDisabledException (org.apereo.cas.authentication.exceptions.AccountDisabledException)

Example 4 with AccountLockedException

Use of javax.security.auth.login.AccountLockedException in the project cas by apereo: class SoapAuthenticationHandler, method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    // the SOAP client carries the user's credentials; only the username goes into the request body
    soapAuthenticationClient.setCredentials(credential);
    val request = new ObjectFactory().createGetSoapAuthenticationRequest();
    request.setUsername(credential.getUsername());
    val response = soapAuthenticationClient.sendRequest(request);
    if (response.getStatus() == HttpStatus.OK.value()) {
        // success: the attributes returned by the SOAP service become the principal's attributes
        val attributes = new LinkedHashMap<String, List<Object>>();
        response.getAttributes().forEach(item -> attributes.put(item.getKey().toString(), CollectionUtils.toCollection(item.getValue(), ArrayList.class)));
        val principal = principalFactory.createPrincipal(response.getUsername(), attributes);
        return createHandlerResult(credential, principal, new ArrayList<>(0));
    }
    // every non-OK status is mapped onto a JAAS login exception, as in the REST handler
    val httpStatus = HttpStatus.valueOf(response.getStatus());
    if (httpStatus.equals(HttpStatus.FORBIDDEN)) {
        throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.UNAUTHORIZED)) {
        throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.NOT_FOUND)) {
        throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.LOCKED)) {
        throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.PRECONDITION_FAILED)) {
        throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.PRECONDITION_REQUIRED)) {
        throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
    }
    // anything else is treated as a failed login
    throw new FailedLoginException("SOAP endpoint returned an unknown status code " + httpStatus + " for " + credential.getUsername());
}
Also used: lombok.val (lombok.val), AccountLockedException (javax.security.auth.login.AccountLockedException), FailedLoginException (javax.security.auth.login.FailedLoginException), ObjectFactory (org.apereo.cas.authentication.soap.generated.ObjectFactory), AccountExpiredException (javax.security.auth.login.AccountExpiredException), AccountPasswordMustChangeException (org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException), AccountNotFoundException (javax.security.auth.login.AccountNotFoundException), AccountDisabledException (org.apereo.cas.authentication.exceptions.AccountDisabledException), LinkedHashMap (java.util.LinkedHashMap)

Example 5 with AccountLockedException

Use of javax.security.auth.login.AccountLockedException in the project jackrabbit-oak by apache: class UserAuthenticationTest, method testAuthenticateResolvesToDisabledUser.

@Test
public void testAuthenticateResolvesToDisabledUser() throws Exception {
    User testUser = getTestUser();
    // the test user's id doubles as its password in this test setup
    SimpleCredentials sc = new SimpleCredentials(testUser.getID(), testUser.getID().toCharArray());
    Authentication a = new UserAuthentication(getUserConfiguration(), root, sc.getUserID());
    try {
        // disable the user and persist the change, then attempt to log in with otherwise valid credentials
        getTestUser().disable("disabled");
        root.commit();
        a.authenticate(sc);
        fail("Authenticating disabled user should fail");
    } catch (LoginException e) {
        // success: a disabled user must be reported as a locked account
        assertTrue(e instanceof AccountLockedException);
    } finally {
        // re-enable the user so later tests start from a clean state
        getTestUser().disable(null);
        root.commit();
    }
}
Also used: SimpleCredentials (javax.jcr.SimpleCredentials), AccountLockedException (javax.security.auth.login.AccountLockedException), User (org.apache.jackrabbit.api.security.user.User), Authentication (org.apache.jackrabbit.oak.spi.security.authentication.Authentication), LoginException (javax.security.auth.login.LoginException), FailedLoginException (javax.security.auth.login.FailedLoginException), AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest), Test (org.junit.Test)

Aggregations (class, package, number of usages)

AccountLockedException (javax.security.auth.login.AccountLockedException): 11
AccountNotFoundException (javax.security.auth.login.AccountNotFoundException): 10
FailedLoginException (javax.security.auth.login.FailedLoginException): 9
lombok.val (lombok.val): 6
AccountExpiredException (javax.security.auth.login.AccountExpiredException): 5
AccountDisabledException (org.apereo.cas.authentication.exceptions.AccountDisabledException): 5
AccountPasswordMustChangeException (org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException): 4
SimpleCredentials (javax.jcr.SimpleCredentials): 3
CredentialExpiredException (javax.security.auth.login.CredentialExpiredException): 3
ArrayList (java.util.ArrayList): 2
CredentialException (javax.security.auth.login.CredentialException): 2
LoginException (javax.security.auth.login.LoginException): 2
HttpResponse (org.apache.http.HttpResponse): 2
User (org.apache.jackrabbit.api.security.user.User): 2
User (com.thinkbiganalytics.metadata.api.user.User): 1
User (com.thinkbiganalytics.security.rest.model.User): 1
IOException (java.io.IOException): 1
Serializable (java.io.Serializable): 1
GeneralSecurityException (java.security.GeneralSecurityException): 1
LinkedHashMap (java.util.LinkedHashMap): 1