use of org.apache.shiro.authc.AuthenticationException in project killbill by killbill.
the class TestKillBillJdbcRealm method testAuthentication.
@Test(groups = "slow")
public void testAuthentication() throws SecurityApiException {
final String username = "toto";
final String password = "supperCompli43cated";
securityApi.addRoleDefinition("root", ImmutableList.of("*"), callContext);
securityApi.addUserRoles(username, password, ImmutableList.of("root"), callContext);
final DelegatingSubject subject = new DelegatingSubject(securityManager);
final AuthenticationToken goodToken = new UsernamePasswordToken(username, password);
securityManager.login(subject, goodToken);
Assert.assertTrue(true);
try {
final AuthenticationToken badToken = new UsernamePasswordToken(username, "somethingelse");
securityManager.login(subject, badToken);
Assert.assertTrue(true);
securityManager.logout(subject);
securityManager.login(subject, badToken);
Assert.fail("Should not succeed to login with an incorrect password");
} catch (final AuthenticationException e) {
}
// Update password and try again
final String newPassword = "suppersimple";
securityApi.updateUserPassword(username, newPassword, callContext);
try {
final AuthenticationToken notGoodTokenAnyLonger = goodToken;
securityManager.login(subject, notGoodTokenAnyLonger);
Assert.fail("Should not succeed to login with an incorrect password");
} catch (final AuthenticationException e) {
}
final AuthenticationToken newGoodToken = new UsernamePasswordToken(username, newPassword);
securityManager.login(subject, newGoodToken);
Assert.assertTrue(true);
securityManager.logout(subject);
securityApi.invalidateUser(username, callContext);
try {
final AuthenticationToken notGoodTokenAnyLonger = goodToken;
securityManager.login(subject, notGoodTokenAnyLonger);
Assert.fail("Should not succeed to login with an incorrect password");
} catch (final AuthenticationException e) {
}
}
use of org.apache.shiro.authc.AuthenticationException in project killbill by killbill.
the class KillBillJndiLdapRealm method findLDAPGroupsForUser.
private Set<String> findLDAPGroupsForUser(final PrincipalCollection principals, final LdapContextFactory ldapContextFactory) throws NamingException {
final String username = (String) getAvailablePrincipal(principals);
LdapContext systemLdapCtx = null;
try {
systemLdapCtx = ldapContextFactory.getSystemLdapContext();
return findLDAPGroupsForUser(username, systemLdapCtx);
} catch (AuthenticationException ex) {
log.info("LDAP authentication exception='{}'", ex.getLocalizedMessage());
return ImmutableSet.<String>of();
} finally {
LdapUtils.closeContext(systemLdapCtx);
}
}
use of org.apache.shiro.authc.AuthenticationException in project graylog2-server by Graylog2.
the class ShiroAuthenticationFilter method filter.
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
final SecurityContext securityContext = requestContext.getSecurityContext();
if (securityContext instanceof ShiroSecurityContext) {
final ShiroSecurityContext context = (ShiroSecurityContext) securityContext;
final Subject subject = context.getSubject();
LOG.trace("Authenticating... {}", subject);
if (!subject.isAuthenticated()) {
try {
LOG.trace("Logging in {}", subject);
context.loginSubject();
} catch (LockedAccountException e) {
LOG.debug("Unable to authenticate user, account is locked.", e);
throw new NotAuthorizedException(e, "Basic realm=\"Graylog Server\"");
} catch (AuthenticationException e) {
LOG.debug("Unable to authenticate user.", e);
throw new NotAuthorizedException(e, "Basic realm=\"Graylog Server\"");
}
}
} else {
throw new NotAuthorizedException("Basic realm=\"Graylog Server\"");
}
}
use of org.apache.shiro.authc.AuthenticationException in project graylog2-server by Graylog2.
the class SessionsResource method newSession.
@POST
@ApiOperation(value = "Create a new session", notes = "This request creates a new session for a user or reactivates an existing session: the equivalent of logging in.")
@NoAuditEvent("dispatches audit events in the method body")
public SessionResponse newSession(@Context ContainerRequestContext requestContext, @ApiParam(name = "Login request", value = "Username and credentials", required = true) @Valid @NotNull SessionCreateRequest createRequest) {
final SecurityContext securityContext = requestContext.getSecurityContext();
if (!(securityContext instanceof ShiroSecurityContext)) {
throw new InternalServerErrorException("Unsupported SecurityContext class, this is a bug!");
}
final ShiroSecurityContext shiroSecurityContext = (ShiroSecurityContext) securityContext;
// we treat the BASIC auth username as the sessionid
final String sessionId = shiroSecurityContext.getUsername();
// pretend that we had session id before
Serializable id = null;
if (sessionId != null && !sessionId.isEmpty()) {
id = sessionId;
}
final String remoteAddrFromRequest = RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedSubnets);
final Subject subject = new Subject.Builder().sessionId(id).host(remoteAddrFromRequest).buildSubject();
ThreadContext.bind(subject);
final Session s = subject.getSession();
try {
subject.login(new UsernamePasswordToken(createRequest.username(), createRequest.password()));
final User user = userService.load(createRequest.username());
if (user != null) {
long timeoutInMillis = user.getSessionTimeoutMs();
s.setTimeout(timeoutInMillis);
} else {
// set a sane default. really we should be able to load the user from above.
s.setTimeout(TimeUnit.HOURS.toMillis(8));
}
s.touch();
// save subject in session, otherwise we can't get the username back in subsequent requests.
((DefaultSecurityManager) SecurityUtils.getSecurityManager()).getSubjectDAO().save(subject);
} catch (AuthenticationException e) {
LOG.info("Invalid username or password for user \"{}\"", createRequest.username());
} catch (UnknownSessionException e) {
subject.logout();
}
if (subject.isAuthenticated()) {
id = s.getId();
final Map<String, Object> auditEventContext = ImmutableMap.of("session_id", id, "remote_address", remoteAddrFromRequest);
auditEventSender.success(AuditActor.user(createRequest.username()), SESSION_CREATE, auditEventContext);
// TODO is the validUntil attribute even used by anyone yet?
return SessionResponse.create(new DateTime(s.getLastAccessTime(), DateTimeZone.UTC).plus(s.getTimeout()).toDate(), id.toString());
} else {
final Map<String, Object> auditEventContext = ImmutableMap.of("remote_address", remoteAddrFromRequest);
auditEventSender.failure(AuditActor.user(createRequest.username()), SESSION_CREATE, auditEventContext);
throw new NotAuthorizedException("Invalid username or password", "Basic realm=\"Graylog Server session\"");
}
}
use of org.apache.shiro.authc.AuthenticationException in project bamboobsc by billchen198318.
the class GreenStepBaseFormAuthenticationFilter method executeLogin.
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
GreenStepBaseUsernamePasswordToken token = (GreenStepBaseUsernamePasswordToken) this.createToken(request, response);
try {
this.doCaptchaValidate((HttpServletRequest) request, token);
AccountVO account = this.queryUser(token.getUsername());
this.userValidate(account);
Subject subject = this.getSubject(request, response);
subject.login(token);
// set session
this.setUserSession((HttpServletRequest) request, (HttpServletResponse) response, account);
return this.onLoginSuccess(token, subject, request, response);
} catch (AuthenticationException e) {
// clear session
UserAccountHttpSessionSupport.remove((HttpServletRequest) request);
this.getSubject(request, response).logout();
return this.onLoginFailure(token, e, request, response);
}
}
Aggregations