Use of org.apache.directory.fortress.core.PasswordException in project directory-fortress-core by apache.
The class UserDAO, method changePassword.
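/**
 * Changes the password of the given user by binding to the directory as that user and
 * replacing the {@code userPassword} attribute.
 *
 * The bind is performed with the end user's own credentials rather than the service account
 * so that the directory's password policy (if enabled) is applied to the change. When OpenLDAP
 * is in use and auditing is enabled, a second modify records audit attributes on the User entry.
 * On ApacheDS the password-reset flag is removed afterwards because that server does not clear
 * it on its own.
 *
 * @param entity      User whose password is being changed; must carry the userId, contextId and
 *                    the current password used for the bind.
 * @param newPassword Replacement value written to the userPassword attribute.
 * @return always {@code true}; every failure is reported by exception.
 * @throws PasswordException if the directory rejects the new value as a constraint violation
 *                           ({@link GlobalErrIds#PSWD_CONST_VIOLATION}).
 * @throws UpdateException   if the bound user is not allowed to modify the password
 *                           ({@link GlobalErrIds#USER_PW_MOD_NOT_ALLOWED}) or any other LDAP
 *                           error occurs ({@link GlobalErrIds#USER_PW_CHANGE_FAILED}).
 * @throws SecurityException common supertype of the above, as thrown by the helpers used here.
 */
boolean changePassword(User entity, String newPassword) throws SecurityException {
    String userDn = getDn(entity.getUserId(), entity.getContextId());
    // The same configuration is consulted twice below; read it once.
    Config config = Config.getInstance();
    LdapConnection ld = null;
    try {
        // Perform this operation as the end user to allow password policy checking:
        ld = getUserConnection();
        bind(ld, userDn, entity.getPassword());
        List<Modification> mods = new ArrayList<>();
        mods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE,
            SchemaConstants.USER_PASSWORD_AT, newPassword));
        // This modify changes the password and checks password policies (if enabled)
        modify(ld, userDn, mods);
        // This modify updates audit attributes on the User entry (if enabled):
        if (config.isOpenldap() && !config.isAuditDisabled()) {
            mods = new ArrayList<>();
            modify(ld, userDn, mods, entity);
        }
    } catch (LdapInvalidAttributeValueException e) {
        String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
        warning += " constraint violation, ldap rc=" + e.getMessage() + " Fortress rc=" + GlobalErrIds.PSWD_CONST_VIOLATION;
        throw new PasswordException(GlobalErrIds.PSWD_CONST_VIOLATION, warning);
    } catch (LdapNoPermissionException e) {
        String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
        warning += " user not authorized to change password, ldap rc=" + e.getMessage() + " Fortress rc=" + GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
        // Keep the LDAP exception as the cause so the server's response is not lost from the trace.
        throw new UpdateException(GlobalErrIds.USER_PW_MOD_NOT_ALLOWED, warning, e);
    } catch (LdapException e) {
        String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
        warning += " caught LDAPException rc=" + e.getMessage();
        throw new UpdateException(GlobalErrIds.USER_PW_CHANGE_FAILED, warning, e);
    } finally {
        closeUserConnection(ld);
    }
    // apacheds does not remove the pwdreset flag automatically when password is changed:
    if (config.isApacheds()) {
        deleteResetFlag(entity);
    }
    return true;
}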
Use of org.apache.directory.fortress.core.PasswordException in project directory-fortress-core by apache.
The class UserP, method authenticate.
/**
 * Authenticates the user against the directory without activating any RBAC roles in the
 * session. Password policies are evaluated as part of the bind performed by the DAO.
 *
 * @param user carries the userId and password of the principal signing on.
 * @return the authenticated Session; its role list is not populated by this method.
 * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
 */
Session authenticate(User user) throws SecurityException {
    Session session = uDao.checkPassword(user);
    if (session.isAuthenticated()) {
        VUtil.getInstance().validateConstraints(session, VUtil.ConstraintType.USER, false);
        return session;
    }
    // Defensive: the DAO is expected to throw on failure, but never hand back an unauthenticated session.
    int errorId = session.getErrorId();
    String info = "UserP.authenticate failed for userId [" + user.getUserId()
        + "] reason code [" + errorId
        + "] msg [" + session.getMsg() + "]";
    throw new PasswordException(errorId, info);
}
Use of org.apache.directory.fortress.core.PasswordException in project cas by apereo.
The class FortressAuthenticationHandlerTests, method verifyUnauthorizedUserLoginIncorrect.
/**
 * A PasswordException raised by the Fortress access manager must surface to the caller
 * as a FailedLoginException rather than leaking the Fortress type.
 */
@Test
public void verifyUnauthorizedUserLoginIncorrect() throws Exception {
    PasswordException rejected = new PasswordException(GlobalErrIds.USER_PW_INVLD, "error message");
    Mockito.doThrow(rejected).when(accessManager).createSession(Mockito.any(User.class), Mockito.anyBoolean());
    this.thrown.expect(FailedLoginException.class);
    fortressAuthenticationHandler.authenticateUsernamePasswordInternal(
        CoreAuthenticationTestUtils.getCredentialsWithSameUsernameAndPassword(), null);
}
Use of org.apache.directory.fortress.core.PasswordException in project directory-fortress-core by apache.
The class CreateSessionSample, method createSession.
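/**
 * Calls AccessMgr createSession API. Will check to ensure the RBAC Session contains the expected number of Roles
 * activated, then verifies that the same userId with a wrong password is rejected with
 * {@link GlobalErrIds#USER_PW_INVLD} and nothing else.
 *
 * @param userId        Case insensitive userId.
 * @param password      Password is case sensitive, clear text but is stored in directory as hashed value.
 * @param expectedRoles integer contains the expected number of Roles in the Session.
 */
public static void createSession(String userId, String password, int expectedRoles) {
    String szLocation = ".createSession";
    try {
        // Instantiate the AccessMgr implementation which perform runtime RBAC operations.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // The User entity is used to pass data into the createSession API.
        User user = new User(userId, password);
        // This API will return a Session object that contains the User's activated Roles and other info.
        Session session = accessMgr.createSession(user, false);
        // createSession will throw SecurityException if fails thus the Session should never be null.
        assertNotNull(session);
        // Pull the userId from the Session.
        String sessUserId = accessMgr.getUserId(session);
        assertTrue(szLocation + " failed compare found userId in session [" + sessUserId + "] valid userId [" + userId + "]", userId.equalsIgnoreCase(sessUserId));
        // Get the User's activated Roles.
        List<UserRole> uRoles = session.getRoles();
        // do some validations
        assertNotNull(uRoles);
        assertEquals(szLocation + " user role check failed list size user [" + user.getUserId() + "]", expectedRoles, uRoles.size());
        // now try negative test case:
        try {
            // this better fail
            User userBad = new User(user.getUserId(), "badpw");
            // The API will authenticate the User password, evaluate password policies and perform Role activations.
            accessMgr.createSession(userBad, false);
            fail(szLocation + " userId [" + userId + "] failed negative test");
        } catch (PasswordException pe) {
            // Expected outcome. assertEquals (rather than assertTrue on ==) reports the actual
            // error id when a different password error is returned.
            assertEquals(szLocation + " userId [" + userId + "] excep id check", GlobalErrIds.USER_PW_INVLD, pe.getErrorId());
        } catch (SecurityException se) {
            // Any other Fortress error on the bad-password path means the sample did not behave as intended.
            fail(szLocation + " userId [" + userId + "] failed with unexpected errorId" + se.getErrorId() + " msg=" + se.getMessage());
        }
        LOG.info(szLocation + " userId [" + userId + "] successful");
    } catch (SecurityException ex) {
        LOG.error(szLocation + " userId [" + userId + "] caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}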
Use of org.apache.directory.fortress.core.PasswordException in project directory-fortress-core by apache.
The class UserDAO, method checkPassword.
/**
 * Verifies the user's password by binding to the directory as that user and then evaluating
 * any IETF password-policy response control returned with the bind.
 *
 * NOTE(review): nothing in this method rejects a null or empty password before the bind;
 * confirm that the {@code bind} helper does, because a simple bind carrying a DN and an
 * empty password can be treated by an LDAP server as an unauthenticated bind that does not fail.
 *
 * @param user carries the userId, contextId and password to verify.
 * @return a Session marked authenticated; a session with a non-zero error id is never returned.
 * @throws PasswordException if the bind fails or a password policy reports an error; the error id
 *         and message come from the session as filled in by the bind result and policy check.
 * @throws FinderException for any other LDAP error ({@link GlobalErrIds#USER_READ_FAILED}).
 */
Session checkPassword(User user) throws FinderException, PasswordException {
    String userDn = getDn(user.getUserId(), user.getContextId());
    Session session = null;
    LdapConnection conn = null;
    try {
        session = new ObjectFactory().createSession();
        session.setAuthenticated(false);
        session.setUserId(user.getUserId());
        conn = getUserConnection();
        BindResponse response = bind(conn, userDn, user.getPassword());
        ResultCodeEnum resultCode = response.getLdapResult().getResultCode();
        if (ResultCodeEnum.SUCCESS != resultCode) {
            session.setMsg("PASSWORD INVALID for userId [" + user.getUserId() + "], resultCode [" + resultCode + "]");
            session.setErrorId(GlobalErrIds.USER_PW_INVLD);
        }
        PasswordPolicy policyCtrl = getPwdRespCtrl(response);
        if (policyCtrl != null) {
            // check IETF password policies here
            checkPwPolicies(session, policyCtrl);
        }
        if (session.getErrorId() != 0) {
            // pw invalid or pw policy violation:
            throw new PasswordException(session.getErrorId(), session.getMsg());
        }
        session.setAuthenticated(true);
    } catch (LdapAuthenticationException e) {
        throw new PasswordException(GlobalErrIds.USER_PW_INVLD,
            "checkPassword INVALID PASSWORD for userId [" + user.getUserId() + "] exception [" + e + "]");
    } catch (LdapException e) {
        throw new FinderException(GlobalErrIds.USER_READ_FAILED,
            "checkPassword userId [" + user.getUserId() + "] caught LDAPException=" + e.getMessage(), e);
    } finally {
        closeUserConnection(conn);
    }
    return session;
}