Example 11 with CredentialExpiredException

Use of javax.security.auth.login.CredentialExpiredException in the project jackrabbit-oak by apache.

From the class PasswordExpiryTest, method testAuthenticateBeforePasswordExpired. The test sets the password's last-modified timestamp to the epoch so it counts as expired, then authenticates with a wrong password and checks that the mismatch is reported as a plain LoginException rather than as CredentialExpiredException (an attacker probing with wrong passwords must not learn that an account's password has expired):

```java
import static org.junit.Assert.fail;

import javax.jcr.SimpleCredentials;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;

import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.security.authentication.user.UserAuthentication;
import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.junit.Test;

@Test
public void testAuthenticateBeforePasswordExpired() throws Exception {
    Authentication a = new UserAuthentication(getUserConfiguration(), root, userId);
    // set password last modified to the beginning of the epoch, so the password counts as expired
    root.getTree(getTestUser().getPath()).getChild(UserConstants.REP_PWD).setProperty(UserConstants.REP_PASSWORD_LAST_MODIFIED, 0);
    root.commit();
    try {
        // authenticate with a wrong password against the expired account
        a.authenticate(new SimpleCredentials(userId, "wrong".toCharArray()));
    } catch (CredentialExpiredException e) {
        fail("Login should fail before expiry");
    } catch (LoginException e) {
        // success - userId/pw mismatch takes precedence over expiry
    }
}
```

Also used: SimpleCredentials (javax.jcr.SimpleCredentials), Authentication (org.apache.jackrabbit.oak.spi.security.authentication.Authentication), LoginException (javax.security.auth.login.LoginException), CredentialExpiredException (javax.security.auth.login.CredentialExpiredException), AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest), Test (org.junit.Test).

Example 12 with CredentialExpiredException

Use of javax.security.auth.login.CredentialExpiredException in the project sling by apache.

From the class SlingAuthenticator, method handleLoginFailure. The method maps a failed login to an HTTP outcome: too many sessions becomes a 503, a LoginException on an anonymous-capable resource falls back to the anonymous resolver, any other LoginException is classified by its JAAS cause (expired password, locked account, unknown account, or a generic mismatch) into a FAILURE_REASON_CODES value and message that are stored on the request before the authentication handlers are asked to request credentials again, and anything else is a 500:

```java
import java.io.IOException;

import javax.jcr.SimpleCredentials;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.CredentialExpiredException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

private boolean handleLoginFailure(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationInfo authInfo, final Exception reason) {
    String user = authInfo.getUser();
    boolean processRequest = false;
    if (reason.getClass().getName().contains("TooManySessionsException")) {
        // too many sessions, send a 503 Service Unavailable
        log.info("handleLoginFailure: Too many sessions for {}: {}", user, reason.getMessage());
        try {
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "SlingAuthenticator: Too Many Users");
        } catch (IOException ioe) {
            log.error("handleLoginFailure: Cannot send status 503 to client", ioe);
        }
    } else if (reason instanceof LoginException) {
        log.info("handleLoginFailure: Unable to authenticate {}: {}", user, reason.getMessage());
        if (isAnonAllowed(request) && !expectAuthenticationHandler(request) && !AuthUtil.isValidateRequest(request)) {
            log.debug("handleLoginFailure: LoginException on an anonymous resource, fallback to getAnonymousResolver");
            processRequest = getAnonymousResolver(request, response, new AuthenticationInfo(null));
        } else {
            // request authentication information and send 403 (Forbidden)
            // if no handler can request authentication information.
            // Default classification: generic mismatch; refined below from the JAAS cause.
            AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;
            String message = "User name and password do not match";
            if (reason.getCause() instanceof CredentialExpiredException) {
                // force failure attribute to be set so handlers can
                // react to this special circumstance
                Object creds = authInfo.get("user.jcr.credentials");
                if (creds instanceof SimpleCredentials && ((SimpleCredentials) creds).getAttribute("PasswordHistoryException") != null) {
                    code = AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY;
                    message = "Password expired and new password found in password history";
                } else {
                    code = AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED;
                    message = "Password expired";
                }
            } else if (reason.getCause() instanceof AccountLockedException) {
                code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_LOCKED;
                message = "Account is locked";
            } else if (reason.getCause() instanceof AccountNotFoundException) {
                code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_NOT_FOUND;
                message = "Account was not found";
            }
            // preset a reason for the login failure so the authentication
            // handler invoked by doLogin can present it to the user
            request.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, code);
            ensureAttribute(request, AuthenticationHandler.FAILURE_REASON, message);
            doLogin(request, response);
        }
    } else {
        // general problem, send a 500 Internal Server Error
        log.error("handleLoginFailure: Unable to authenticate " + user, reason);
        try {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "SlingAuthenticator: data access error, reason=" + reason.getClass().getSimpleName());
        } catch (IOException ioe) {
            log.error("handleLoginFailure: Cannot send status 500 to client", ioe);
        }
    }
    return processRequest;
}
```

Also used: SimpleCredentials (javax.jcr.SimpleCredentials), AccountLockedException (javax.security.auth.login.AccountLockedException), LoginException (org.apache.sling.api.resource.LoginException), IOException (java.io.IOException), CredentialExpiredException (javax.security.auth.login.CredentialExpiredException), AccountNotFoundException (javax.security.auth.login.AccountNotFoundException), AuthenticationInfo (org.apache.sling.auth.core.spi.AuthenticationInfo).

Aggregations (type, fully qualified name, number of examples using it):

CredentialExpiredException (javax.security.auth.login.CredentialExpiredException): 12
SimpleCredentials (javax.jcr.SimpleCredentials): 9
AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest): 8
Test (org.junit.Test): 8
Authentication (org.apache.jackrabbit.oak.spi.security.authentication.Authentication): 7
User (org.apache.jackrabbit.api.security.user.User): 4
AccountLockedException (javax.security.auth.login.AccountLockedException): 3
AccountNotFoundException (javax.security.auth.login.AccountNotFoundException): 3
FailedLoginException (javax.security.auth.login.FailedLoginException): 3
LoginException (javax.security.auth.login.LoginException): 3
IOException (java.io.IOException): 1
Principal (java.security.Principal): 1
Credentials (javax.jcr.Credentials): 1
GuestCredentials (javax.jcr.GuestCredentials): 1
RepositoryException (javax.jcr.RepositoryException): 1
Subject (javax.security.auth.Subject): 1
AccountExpiredException (javax.security.auth.login.AccountExpiredException): 1
Configuration (javax.security.auth.login.Configuration): 1
LoginContext (javax.security.auth.login.LoginContext): 1
Authorizable (org.apache.jackrabbit.api.security.user.Authorizable): 1