
Example 1 with CredentialExpiredException

Use of javax.security.auth.login.CredentialExpiredException in project tomcat by apache.

Taken from the class JAASRealm, method authenticate.

// -------------------------------------------------------- Package Methods
// ------------------------------------------------------ Protected Methods
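/**
 * Perform the actual JAAS authentication.
 * <p>
 * A {@code LoginContext} is created for {@code appName} (defaulting to
 * {@code "Tomcat"} when unset) with the supplied callback handler, then
 * {@code login()} is negotiated and the resulting {@code Subject} is turned
 * into a {@code Principal} via {@code createPrincipal}. Every failure path
 * returns {@code null}: expected login outcomes (expired account, expired
 * credential, wrong credentials, no subject) are logged at debug level only,
 * other {@code LoginException}s at warn level and anything else at error
 * level, so that repeated failed login attempts do not flood the log.
 *
 * @param username The user name
 * @param callbackHandler The callback handler
 * @return the associated principal, or <code>null</code> if there is none.
 */
protected Principal authenticate(String username, CallbackHandler callbackHandler) {
    try {
        if (appName == null) {
            appName = "Tomcat";
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.beginLogin", username, appName));
        }

        // The LoginModule may live in the container class loader rather than
        // the web application's. Decide once whether the loader has to be
        // swapped so the set/restore pair below is always balanced, even if
        // isUseContextClassLoader() were to change in between.
        boolean swapLoader = !isUseContextClassLoader();
        ClassLoader originalLoader = null;
        if (swapLoader) {
            originalLoader = Thread.currentThread().getContextClassLoader();
            Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
        }
        LoginContext loginContext;
        try {
            Configuration config = getConfig();
            loginContext = new LoginContext(appName, null, callbackHandler, config);
        } catch (Throwable e) {
            ExceptionUtils.handleThrowable(e);
            log.error(sm.getString("jaasRealm.unexpectedError"), e);
            return null;
        } finally {
            // Restore unconditionally so that a failing LoginContext
            // constructor cannot leave the realm's class loader installed as
            // the thread's context loader.
            if (swapLoader) {
                Thread.currentThread().setContextClassLoader(originalLoader);
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Login context created " + username);
        }

        // Negotiate a login via this LoginContext.
        Subject subject;
        try {
            loginContext.login();
            subject = loginContext.getSubject();
            if (subject == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jaasRealm.failedLogin", username));
                }
                return null;
            }
        } catch (AccountExpiredException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.accountExpired", username));
            }
            return null;
        } catch (CredentialExpiredException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.credentialExpired", username));
            }
            return null;
        } catch (FailedLoginException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.failedLogin", username));
            }
            return null;
        } catch (LoginException e) {
            log.warn(sm.getString("jaasRealm.loginException", username), e);
            return null;
        } catch (Throwable e) {
            ExceptionUtils.handleThrowable(e);
            log.error(sm.getString("jaasRealm.unexpectedError"), e);
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.loginContextCreated", username));
        }

        // Return the appropriate Principal for this authenticated Subject.
        Principal principal = createPrincipal(username, subject, loginContext);
        if (principal == null) {
            // Guarded like every other debug message in this method.
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.authenticateFailure", username));
            }
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.authenticateSuccess", username));
        }
        return principal;
    } catch (Throwable t) {
        // Same treatment as the inner catch blocks: a Throwable that
        // ExceptionUtils deliberately lets through must not be swallowed
        // here either, and the localized message is used for the log entry.
        ExceptionUtils.handleThrowable(t);
        log.error(sm.getString("jaasRealm.unexpectedError"), t);
        return null;
    }
}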

Example 2 with CredentialExpiredException

Use of javax.security.auth.login.CredentialExpiredException in project jackrabbit-oak by apache.

Taken from the class UserAuthentication, method authenticate.

//-----------------------------------------------------< Authentication >---
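/**
 * Authenticates {@code credentials} against the user identified by the
 * {@code loginId} this instance was created with.
 * <p>
 * Handled credential types:
 * <ul>
 * <li>{@code SimpleCredentials}: the user id must equal {@code loginId} and the
 * password must match the stored hash; afterwards an expired password is only
 * accepted if it is changed in the same call via {@code changePassword}.</li>
 * <li>{@code ImpersonationCredentials}: the impersonator must be permitted to
 * impersonate the resolved user.</li>
 * <li>Anything else: succeeds only for {@code GuestCredentials} or the
 * {@code PreAuthenticatedLogin.PRE_AUTHENTICATED} marker.</li>
 * </ul>
 * Once the user has been resolved and no exception was thrown, {@code userId}
 * and {@code principal} are taken from it.
 *
 * @param credentials the credentials to verify, may be {@code null}
 * @return {@code true} if the credentials were accepted; {@code false} if
 *         {@code credentials} or {@code loginId} is {@code null}, no
 *         authorizable exists for {@code loginId}, or the credential type is
 *         not one of those listed above
 * @throws AccountNotFoundException if {@code loginId} resolves to a group
 * @throws AccountLockedException if the user is disabled
 * @throws CredentialExpiredException if the password has expired and was not
 *         changed
 * @throws LoginException on any {@code RepositoryException} (attached as the
 *         cause) or when {@code checkSuccess} rejects the attempt
 */
@Override
public boolean authenticate(@Nullable Credentials credentials) throws LoginException {
    if (credentials == null || loginId == null) {
        return false;
    }
    boolean success = false;
    try {
        UserManager userManager = config.getUserManager(root, NamePathMapper.DEFAULT);
        Authorizable authorizable = userManager.getAuthorizable(loginId);
        if (authorizable == null) {
            return false;
        }
        if (authorizable.isGroup()) {
            throw new AccountNotFoundException("Not a user " + loginId);
        }
        User user = (User) authorizable;
        if (user.isDisabled()) {
            throw new AccountLockedException("User with ID " + loginId + " has been disabled: " + user.getDisabledReason());
        }
        if (credentials instanceof SimpleCredentials) {
            SimpleCredentials creds = (SimpleCredentials) credentials;
            Credentials userCreds = user.getCredentials();
            // Only a stored CredentialsImpl carries a hash to compare against;
            // any other stored type leaves success false.
            if (loginId.equals(creds.getUserID()) && userCreds instanceof CredentialsImpl) {
                success = PasswordUtil.isSame(((CredentialsImpl) userCreds).getPasswordHash(), creds.getPassword());
            }
            // NOTE(review): checkSuccess is defined elsewhere; it is expected
            // to throw when success is false so that the expiry handling
            // below only runs for a correct password — confirm against its
            // definition.
            checkSuccess(success, "UserId/Password mismatch.");
            if (isPasswordExpired(user)) {
                // A replacement password may be supplied through the
                // UserConstants.CREDENTIALS_ATTRIBUTE_NEWPASSWORD attribute.
                if (!changePassword(user, creds)) {
                    throw new CredentialExpiredException("User password has expired");
                }
            }
        } else if (credentials instanceof ImpersonationCredentials) {
            ImpersonationCredentials ipCreds = (ImpersonationCredentials) credentials;
            AuthInfo info = ipCreds.getImpersonatorInfo();
            success = equalUserId(ipCreds, loginId) && impersonate(info, user);
            checkSuccess(success, "Impersonation not allowed.");
        } else {
            // guest login is allowed if an anonymous user exists in the content (see get user above)
            success = (credentials instanceof GuestCredentials) || credentials == PreAuthenticatedLogin.PRE_AUTHENTICATED;
        }
        // NOTE(review): these fields are assigned even when success is false
        // (unsupported credential type); callers presumably read them only
        // after a true return — confirm.
        userId = user.getID();
        principal = user.getPrincipal();
    } catch (RepositoryException e) {
        // LoginException offers no (message, cause) constructor; attach the
        // cause explicitly so the underlying repository failure is not lost
        // from the stack trace.
        LoginException loginException = new LoginException(e.getMessage());
        loginException.initCause(e);
        throw loginException;
    }
    return success;
}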

Example 3 with CredentialExpiredException

Use of javax.security.auth.login.CredentialExpiredException in project jackrabbit-oak by apache.

Taken from the class PasswordExpiryHistoryTest, method testAuthenticatePasswordExpiredAndInHistory.

@Test
public void testAuthenticatePasswordExpiredAndInHistory() throws Exception {
    User user = getTestUser();
    user.changePassword("pw12345678");
    Authentication auth = new UserAuthentication(getUserConfiguration(), root, userId);
    // Backdate the password's last-modified stamp to the epoch so it counts
    // as expired (presumably older than any configured maximum age).
    root.getTree(user.getPath()).getChild(UserConstants.REP_PWD).setProperty(UserConstants.REP_PASSWORD_LAST_MODIFIED, 0);
    root.commit();

    // First login with the current (expired) password must be rejected.
    SimpleCredentials currentPw = new SimpleCredentials(userId, "pw12345678".toCharArray());
    boolean rejectedAsExpired = false;
    try {
        auth.authenticate(currentPw);
    } catch (CredentialExpiredException e) {
        rejectedAsExpired = true;
    }
    if (!rejectedAsExpired) {
        fail("Credentials should be expired");
    }

    // Now attempt the forced password change, supplying the user id as the
    // new password — apparently a previously used one, since the enabled
    // password history is expected to reject it.
    SimpleCredentials pwChangeCreds = new SimpleCredentials(userId, "pw12345678".toCharArray());
    pwChangeCreds.setAttribute(UserConstants.CREDENTIALS_ATTRIBUTE_NEWPASSWORD, user.getID());
    try {
        auth.authenticate(pwChangeCreds);
        fail("User password changed in spite of enabled pw history");
    } catch (CredentialExpiredException c) {
        // Rejected as expected; the failure reason is reported back on the
        // credentials object under the history exception's simple name.
        Object reason = pwChangeCreds.getAttribute(PasswordHistoryException.class.getSimpleName());
        assertEquals("credentials should contain pw change failure reason", "New password was found in password history.", reason);
    }
}

Example 4 with CredentialExpiredException

Use of javax.security.auth.login.CredentialExpiredException in project jackrabbit-oak by apache.

Taken from the class PasswordForceInitialPasswordChangeTest, method testAuthenticateMustChangePassword.

@Test
public void testAuthenticateMustChangePassword() throws Exception {
    Authentication auth = new UserAuthentication(getUserConfiguration(), root, userId);
    // The password presented here is the user id (presumably the test user's
    // initial password); with forced initial change enabled the login is
    // expected to be reported as expired rather than accepted.
    SimpleCredentials initialCreds = new SimpleCredentials(userId, userId.toCharArray());
    boolean rejectedAsExpired = false;
    try {
        auth.authenticate(initialCreds);
    } catch (CredentialExpiredException expected) {
        rejectedAsExpired = true;
    }
    if (!rejectedAsExpired) {
        fail("Credentials should be expired");
    }
}

Example 5 with CredentialExpiredException

Use of javax.security.auth.login.CredentialExpiredException in project jackrabbit-oak by apache.

Taken from the class PasswordExpiryTest, method testAuthenticatePasswordExpired.

@Test
public void testAuthenticatePasswordExpired() throws Exception {
    Authentication auth = new UserAuthentication(getUserConfiguration(), root, userId);
    // Backdate the password's last-modified stamp to the epoch so it counts
    // as expired (presumably older than any configured maximum age).
    root.getTree(getTestUser().getPath()).getChild(UserConstants.REP_PWD).setProperty(UserConstants.REP_PASSWORD_LAST_MODIFIED, 0);
    root.commit();
    SimpleCredentials creds = new SimpleCredentials(userId, userId.toCharArray());
    boolean rejectedAsExpired = false;
    try {
        auth.authenticate(creds);
    } catch (CredentialExpiredException expected) {
        rejectedAsExpired = true;
    }
    if (!rejectedAsExpired) {
        fail("Credentials should be expired");
    }
}
