use of org.apache.shiro.authc.ExcessiveAttemptsException in project neo4j by neo4j.
the class MultiRealmAuthManager method login.
@Override
public EnterpriseSecurityContext login(Map<String, Object> authToken) throws InvalidAuthTokenException {
EnterpriseSecurityContext securityContext;
ShiroAuthToken token = new ShiroAuthToken(authToken);
assertValidScheme(token);
try {
securityContext = new StandardEnterpriseSecurityContext(this, (ShiroSubject) securityManager.login(null, token));
if (logSuccessfulLogin) {
securityLog.info(securityContext, "logged in");
}
} catch (UnsupportedTokenException e) {
securityLog.error("Unknown user failed to log in: %s", e.getMessage());
Throwable cause = e.getCause();
if (cause != null && cause instanceof InvalidAuthTokenException) {
throw new InvalidAuthTokenException(cause.getMessage() + ": " + token);
}
throw invalidToken(": " + token);
} catch (ExcessiveAttemptsException e) {
// NOTE: We only get this with single (internal) realm authentication
securityContext = new StandardEnterpriseSecurityContext(this, new ShiroSubject(securityManager, AuthenticationResult.TOO_MANY_ATTEMPTS));
securityLog.error("[%s]: failed to log in: too many failed attempts", escape(token.getPrincipal().toString()));
} catch (AuthenticationException e) {
if (e.getCause() != null && e.getCause() instanceof AuthProviderTimeoutException) {
securityLog.error("[%s]: failed to log in: auth server timeout", escape(token.getPrincipal().toString()));
throw new AuthProviderTimeoutException(e.getCause().getMessage(), e.getCause());
}
securityContext = new StandardEnterpriseSecurityContext(this, new ShiroSubject(securityManager, AuthenticationResult.FAILURE));
securityLog.error("[%s]: failed to log in: invalid principal or credentials", escape(token.getPrincipal().toString()));
}
return securityContext;
}
use of org.apache.shiro.authc.ExcessiveAttemptsException in project wechat by dllwh.
the class ShiroHelper method login.
/**
* ----------------------------------------------------- Fields end
*/
public static AjaxJson login(String userName, String passWord) {
// 用户名密码令牌
UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord);
token.setRememberMe(false);
String logMsg = "", resultMsg = "";
AjaxJson ajaxJson = new AjaxJson();
boolean suc = false;
// 获得当前登录用户对象Subject,现在状态为 “未认证”
Subject subject = SecurityUtils.getSubject();
try {
subject.login(token);
} catch (UnknownAccountException uae) {
logMsg = "对用户[" + userName + "]进行登录验证..验证未通过,未知账户";
resultMsg = MessageConstant.LOGIN_USER_UNKNOWN;
} catch (IncorrectCredentialsException ice) {
logMsg = "对用户[" + userName + "]进行登录验证..验证未通过,错误的凭证";
resultMsg = MessageConstant.LOGIN_USER_REEOE;
} catch (LockedAccountException lae) {
logMsg = "对用户[" + userName + "]进行登录验证..验证未通过,账户已锁定";
resultMsg = MessageConstant.LOGIN_USER_LOCK;
} catch (DisabledAccountException dae) {
logMsg = "对用户[" + userName + "]进行登录验证..验证未通过,帐号已被禁用";
resultMsg = MessageConstant.LOGIN_USER_DISABLED;
} catch (ExpiredCredentialsException ece) {
logMsg = "对用户[" + userName + "]进行登录验证..验证未通过,帐号已过期";
resultMsg = MessageConstant.LOGIN_USER_EXPIRED;
} catch (ExcessiveAttemptsException eae) {
logMsg = "对用户[" + userName + "]进行登录验证..验证未通过,用户名或密码错误次数过多";
resultMsg = MessageConstant.LOGIN_USER_MORE;
} catch (UnauthorizedException e) {
logMsg = "对用户[" + userName + "]进行登录验证..验证未通过,您没有得到相应的授权!";
resultMsg = MessageConstant.LOGIN_USER_UNAUTHORIZED;
} catch (AuthenticationException ae) {
logMsg = "对用户[" + userName + "]进行登录验证..验证未通过," + ae.getMessage();
resultMsg = MessageConstant.LOGIN_ERROR;
}
if (subject.isAuthenticated()) {
logMsg = "对用户[" + userName + "]进行登录验证..验证通过";
suc = true;
} else {
token.clear();
}
ajaxJson.setSuccess(suc);
ajaxJson.setMsg(resultMsg);
ajaxJson.setObj(logMsg);
return ajaxJson;
}
use of org.apache.shiro.authc.ExcessiveAttemptsException in project wechat by dllwh.
the class ShiroRealm method doGetAuthenticationInfo.
/**
* @方法描述: 验证当前登录的Subject
* @说明: 该方法的调用时机为LoginController.login()方法中执行Subject.login()时
* @param token
* @return
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authtoken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authtoken;
// ① 获取当前登录的用户名
String currentUsername = token.getUsername();
String passWord = String.valueOf(token.getPassword());
SysUser sysUser = new SysUser();
SysUser currentUser = null;
SimpleAuthenticationInfo authcInfo = null;
try {
sysUser.setUserName(currentUsername);
int userCount = userService.getCountForJdbcParam(sysUser);
if (userCount <= 0) {
throw new UnknownAccountException();
}
currentUser = userService.checkUserExits(currentUsername, passWord);
} catch (Exception e) {
throw new UnknownAccountException();
}
if (currentUser != null) {
// 账号未通过审核
if (currentUser.getIfEnabled() != 1) {
throw new DisabledAccountException();
}
// 账号未通过审核
if (currentUser.getIfVisible() != 1) {
throw new DisabledAccountException("账号未通过审核");
}
// 账号不允许登录
if (currentUser.getLoginFlag() != 1) {
throw new AuthenticationException("账号不允许登录");
}
// 账号被锁定
if (currentUser.getIfLocked() != 1) {
throw new ExcessiveAttemptsException("账号被锁定");
}
WebUtilHelper.setCurrentLoginUser(currentUser);
authcInfo = new SimpleAuthenticationInfo(currentUser, currentUser.getPassword(), getName());
} else {
throw new LockedAccountException("用户名或密码错误");
}
return authcInfo;
}
use of org.apache.shiro.authc.ExcessiveAttemptsException in project neo4j by neo4j.
the class InternalFlatFileRealm method doGetAuthenticationInfo.
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
if (!authenticationEnabled) {
return null;
}
ShiroAuthToken shiroAuthToken = (ShiroAuthToken) token;
String username;
String password;
try {
username = AuthToken.safeCast(AuthToken.PRINCIPAL, shiroAuthToken.getAuthTokenMap());
password = AuthToken.safeCast(AuthToken.CREDENTIALS, shiroAuthToken.getAuthTokenMap());
} catch (InvalidAuthTokenException e) {
throw new UnsupportedTokenException(e);
}
User user = userRepository.getUserByName(username);
if (user == null) {
throw new UnknownAccountException();
}
AuthenticationResult result = authenticationStrategy.authenticate(user, password);
switch(result) {
case FAILURE:
throw new IncorrectCredentialsException();
case TOO_MANY_ATTEMPTS:
throw new ExcessiveAttemptsException();
default:
break;
}
if (user.hasFlag(InternalFlatFileRealm.IS_SUSPENDED)) {
throw new DisabledAccountException("User '" + user.name() + "' is suspended.");
}
if (user.passwordChangeRequired()) {
result = AuthenticationResult.PASSWORD_CHANGE_REQUIRED;
}
// and we do not need to store hashed credentials in the AuthenticationInfo.
return new ShiroAuthenticationInfo(user.name(), getName(), result);
}
use of org.apache.shiro.authc.ExcessiveAttemptsException in project cas by apereo.
the class ShiroAuthenticationHandler method authenticateUsernamePasswordInternal.
@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential transformedCredential, final String originalPassword) throws GeneralSecurityException {
try {
final UsernamePasswordToken token = new UsernamePasswordToken(transformedCredential.getUsername(), transformedCredential.getPassword());
if (transformedCredential instanceof RememberMeUsernamePasswordCredential) {
token.setRememberMe(RememberMeUsernamePasswordCredential.class.cast(transformedCredential).isRememberMe());
}
final Subject currentUser = getCurrentExecutingSubject();
currentUser.login(token);
checkSubjectRolesAndPermissions(currentUser);
return createAuthenticatedSubjectResult(transformedCredential, currentUser);
} catch (final UnknownAccountException uae) {
throw new AccountNotFoundException(uae.getMessage());
} catch (final IncorrectCredentialsException ice) {
throw new FailedLoginException(ice.getMessage());
} catch (final LockedAccountException | ExcessiveAttemptsException lae) {
throw new AccountLockedException(lae.getMessage());
} catch (final ExpiredCredentialsException eae) {
throw new CredentialExpiredException(eae.getMessage());
} catch (final DisabledAccountException eae) {
throw new AccountDisabledException(eae.getMessage());
} catch (final AuthenticationException e) {
throw new FailedLoginException(e.getMessage());
}
}
Aggregations