Use of org.alfresco.repo.security.authentication.AuthenticationException in project alfresco-remote-api by Alfresco.
Class ChangePasswordPost, method executeImpl.
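/**
 * Changes (or, for an administrator, sets) the password of the user named in the URL extension path.
 *
 * The POST body is a JSON object carrying {@code newpw} and, unless an administrator is changing
 * another user's password, {@code oldpw}. An administrator changing their own password must still
 * supply the old one.
 *
 * @param req the web script request; the extension path holds the target user name
 * @param status the web script status (not used here)
 * @return a model with {@code success} set to {@code true}
 * @throws WebScriptException with {@code STATUS_BAD_REQUEST} when the body is missing, cannot be
 *         parsed as JSON or lacks a required parameter; with {@code STATUS_UNAUTHORIZED} when the
 *         authentication service rejects the change; with {@code STATUS_INTERNAL_SERVER_ERROR}
 *         when the body cannot be read
 *
 * @see org.alfresco.web.scripts.DeclarativeWebScript#executeImpl(org.alfresco.web.scripts.WebScriptRequest, org.alfresco.web.scripts.Status)
 */
@Override
protected Map<String, Object> executeImpl(WebScriptRequest req, Status status) {
    // Extract user name from the URL - cannot be null or webscript desc would not match
    String userName = req.getExtensionPath();
    // Extract old and new password details from JSON POST
    Content c = req.getContent();
    if (c == null) {
        // A missing body is a client error, not a server failure
        throw new WebScriptException(Status.STATUS_BAD_REQUEST, "Missing POST body.");
    }
    try {
        JSONObject json = new JSONObject(c.getContent());
        // admin users can change/set a password without knowing the old one -
        // but they must know their own, so the same-user case is treated like a non-admin
        boolean isAdmin = authorityService.hasAdminAuthority();
        boolean mustKnowOldPassword = !isAdmin || userName.equalsIgnoreCase(authenticationService.getCurrentUserName());
        String oldPassword = null;
        if (mustKnowOldPassword) {
            oldPassword = requiredParam(json, PARAM_OLDPW, "Old password 'oldpw' is a required POST parameter.");
        }
        String newPassword = requiredParam(json, PARAM_NEWPW, "New password 'newpw' is a required POST parameter.");
        if (mustKnowOldPassword) {
            authenticationService.updateAuthentication(userName, oldPassword.toCharArray(), newPassword.toCharArray());
        } else {
            authenticationService.setAuthentication(userName, newPassword.toCharArray());
        }
    } catch (AuthenticationException err) {
        // Generic message: does not say whether the user, the old password or the authority was wrong
        throw new WebScriptException(Status.STATUS_UNAUTHORIZED, "Do not have appropriate auth or wrong auth details provided.");
    } catch (JSONException jErr) {
        // Malformed client input is reported as a bad request rather than a server error
        throw new WebScriptException(Status.STATUS_BAD_REQUEST, "Unable to parse JSON POST body: " + jErr.getMessage());
    } catch (IOException ioErr) {
        throw new WebScriptException(Status.STATUS_INTERNAL_SERVER_ERROR, "Unable to retrieve POST body: " + ioErr.getMessage());
    }
    Map<String, Object> model = new HashMap<String, Object>(1, 1.0f);
    model.put("success", Boolean.TRUE);
    return model;
}

/**
 * Reads a required, non-empty string parameter from the JSON body.
 *
 * @param json the parsed POST body
 * @param name the parameter name
 * @param missingMessage the message to report when the parameter is absent or empty
 * @return the parameter value
 * @throws WebScriptException with {@code STATUS_BAD_REQUEST} when the parameter is absent or empty
 * @throws JSONException when the parameter is present but not a string
 */
private static String requiredParam(JSONObject json, String name, String missingMessage) throws JSONException {
    if (!json.has(name) || json.getString(name).length() == 0) {
        throw new WebScriptException(Status.STATUS_BAD_REQUEST, missingMessage);
    }
    return json.getString(name);
}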
Use of org.alfresco.repo.security.authentication.AuthenticationException in project alfresco-remote-api by Alfresco.
Class BaseAuthenticationFilter, method handleLoginForm.
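/**
 * Handles the login form directly, allowing management of the session user.
 *
 * Reads a JSON body carrying {@code username} and {@code password}. Any existing session is
 * invalidated before the credentials are checked, and a new session is created only after a
 * successful authentication, so the authenticated user is always bound to a fresh session.
 *
 * @param req
 * the request
 * @param res
 * the response
 * @return {@code true} when the user was authenticated and the session user created;
 * {@code false} when an error response has been sent instead
 * @throws IOException
 * Signals that an I/O exception has occurred.
 * @throws ServletException
 * on error
 */
protected boolean handleLoginForm(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
    if (getLogger().isDebugEnabled()) {
        getLogger().debug("Handling the login form.");
    }
    // Invalidate current session
    HttpSession session = req.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    StringBuilder out = new StringBuilder(1024);
    Reader in = req.getReader();
    try {
        char[] buff = new char[1024];
        int charsRead;
        while ((charsRead = in.read(buff)) != -1) {
            out.append(buff, 0, charsRead);
        }
    } finally {
        // Close the reader even when the read fails part way through
        in.close();
    }
    try {
        JSONObject json = new JSONObject(out.toString());
        String username = json.getString("username");
        String password = json.getString("password");
        if (username == null || username.length() == 0) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Username not specified in the login form.");
            }
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Username not specified");
            return false;
        }
        if (password == null) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Password not specified in the login form.");
            }
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Password not specified");
            return false;
        }
        authenticationService.authenticate(username, password.toCharArray());
        // Only now create the session that will hold the authenticated user
        session = req.getSession();
        createUserEnvironment(session, username, authenticationService.getCurrentTicket(), false);
        res.setStatus(HttpServletResponse.SC_NO_CONTENT);
        return true;
    } catch (AuthenticationException e) {
        // The response stays generic; the cause is only available in the debug log
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Login failed", e);
        }
        res.sendError(HttpServletResponse.SC_FORBIDDEN, "Login failed");
    } catch (JSONException jErr) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Unable to parse JSON POST body", jErr);
        }
        res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unable to parse JSON POST body: " + jErr.getMessage());
    }
    return false;
}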
Use of org.alfresco.repo.security.authentication.AuthenticationException in project alfresco-remote-api by Alfresco.
Class BaseKerberosAuthenticationFilter, method doKerberosLogon.
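/**
 * Perform a Kerberos login and return an SPNEGO response.
 *
 * The session setup runs as the login context's subject. On success the Kerberos details are
 * wrapped in an accept-completed NegTokenTarg and a user environment is stored in the session.
 * The token is only returned once that user environment exists; a failure to create it yields
 * {@code null} like any other logon failure. An {@link AuthenticationException} raised while
 * setting up the user is re-thrown unchanged; every other exception is logged at debug level
 * and reported as {@code null}.
 *
 * @param negToken NegTokenInit
 * @param req HttpServletRequest (not used here)
 * @param resp HttpServletResponse (not used here)
 * @param httpSess HttpSession
 * @return NegTokenTarg, or {@code null} when the logon did not complete
 * @throws AuthenticationException when user validation fails
 */
private final NegTokenTarg doKerberosLogon(NegTokenInit negToken, HttpServletRequest req, HttpServletResponse resp, HttpSession httpSess) {
    // Authenticate the user
    String userName = null;
    NegTokenTarg negTokenTarg = null;
    try {
        // Run the session setup as a privileged action
        SessionSetupPrivilegedAction sessSetupAction = new SessionSetupPrivilegedAction(m_accountName, negToken.getMechtoken());
        Object result = Subject.doAs(m_loginContext.getSubject(), sessSetupAction);
        if (result == null) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("No SPNEGO response, Kerberos logon failed");
            }
            return null;
        }
        // Access the Kerberos response
        KerberosDetails krbDetails = (KerberosDetails) result;
        userName = m_stripKerberosUsernameSuffix ? krbDetails.getUserName() : krbDetails.getSourceName();
        // Create the NegTokenTarg response blob
        NegTokenTarg acceptToken = new NegTokenTarg(SPNEGO.AcceptCompleted, OID.KERBEROS5, krbDetails.getResponseToken());
        // Create and store the user authentication context
        SessionUser user = createUserEnvironment(httpSess, userName);
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("User " + user.getUserName() + " logged on via Kerberos");
        }
        // Publish the accept token only after the user environment has been created, so an
        // exception from createUserEnvironment cannot leave a success token to be returned
        negTokenTarg = acceptToken;
    } catch (AuthenticationException ex) {
        // Pass on validation failures
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Failed to validate user " + userName, ex);
        }
        throw ex;
    } catch (Exception ex) {
        // Any other problem is treated as a failed logon (null result)
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Kerberos logon error", ex);
        }
    }
    return negTokenTarg;
}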
Use of org.alfresco.repo.security.authentication.AuthenticationException in project alfresco-remote-api by Alfresco.
Class BaseSSOAuthenticationFilter, method checkForTicketParameter.
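/**
 * Check if the request has specified a ticket parameter to bypass the standard authentication.
 *
 * When a non-empty {@code ARG_TICKET} parameter is present, a cached session user holding the
 * same ticket is reused; a session holding a different ticket is invalidated first. Without a
 * usable cached user the ticket is validated with the authentication service and a new user
 * environment is created. Every failure is logged at debug level and reported as {@code false}.
 * The ticket value itself is never written to the log, since it is a credential.
 *
 * @param servletContext
 * the servlet context
 * @param req
 * the request
 * @param resp
 * the response
 * @return {@code true} only when a ticket parameter was present and accepted
 */
protected boolean checkForTicketParameter(ServletContext servletContext, HttpServletRequest req, HttpServletResponse resp) {
    // Check if the request includes an authentication ticket
    String ticket = req.getParameter(ARG_TICKET);
    if (ticket == null || ticket.length() == 0) {
        return false;
    }
    if (getLogger().isDebugEnabled()) {
        // Record where the ticket logon came from, but not the ticket value
        getLogger().debug("Logon via ticket from " + req.getRemoteHost() + " (" + req.getRemoteAddr() + ":" + req.getRemotePort() + ")");
    }
    boolean ticketValid = false;
    try {
        // Get a cached user with a valid ticket
        SessionUser user = getSessionUser(servletContext, req, resp, true);
        // If this isn't the same ticket, invalidate the session
        if (user != null && !ticket.equals(user.getTicket())) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("The ticket doesn't match, invalidate the session.");
            }
            invalidateSession(req);
            user = null;
        }
        // If we don't yet have a valid cached user, validate the ticket and create one
        if (user == null) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("There is no valid cached user, validate the ticket and create one.");
            }
            authenticationService.validate(ticket);
            createUserEnvironment(req.getSession(), authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(), true);
        }
        // Indicate the ticket parameter was specified, and valid
        ticketValid = true;
    } catch (AuthenticationException authErr) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Failed to authenticate user ticket: " + authErr.getMessage(), authErr);
        }
    } catch (Throwable e) {
        // Any other failure also means the ticket is not accepted
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Error during ticket validation and user creation: " + e.getMessage(), e);
        }
    }
    return ticketValid;
}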
Use of org.alfresco.repo.security.authentication.AuthenticationException in project alfresco-remote-api by Alfresco.
Class AuthenticationsImpl, method createTicket.
/**
 * Authenticates the supplied credentials and returns a login ticket for the user.
 *
 * The security context established by the authentication is cleared before returning, whether
 * the login succeeded or not.
 *
 * @param loginRequest the user id and password to authenticate (validated first)
 * @param parameters request parameters (not used here)
 * @return a response carrying the user id and the current ticket id
 * @throws PermissionDeniedException when authentication fails; the constant message does not
 *         distinguish an unknown user from a wrong password
 */
@Override
public LoginTicketResponse createTicket(LoginTicket loginRequest, Parameters parameters) {
    validateLoginRequest(loginRequest);
    try {
        String userId = loginRequest.getUserId();
        char[] password = loginRequest.getPassword().toCharArray();
        // get ticket
        authenticationService.authenticate(userId, password);
        LoginTicketResponse ticketResponse = new LoginTicketResponse();
        ticketResponse.setUserId(userId);
        ticketResponse.setId(authenticationService.getCurrentTicket());
        return ticketResponse;
    } catch (AuthenticationException authErr) {
        throw new PermissionDeniedException("Login failed");
    } finally {
        // Never leave the authenticated context on the calling thread
        AuthenticationUtil.clearCurrentSecurityContext();
    }
}