Example 6 with PreventedException

Use of org.apereo.cas.authentication.PreventedException in project cas by apereo.

Class BindModeSearchDatabaseAuthenticationHandler, method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    // Misconfiguration is a hard failure, not a "prevented" one: there is no backend to talk to.
    if (getDataSource() == null) {
        throw new GeneralSecurityException("Authentication handler is not configured correctly");
    }
    Connection connection = null;
    try {
        final String username = credential.getUsername();
        final String password = credential.getPassword();
        // Bind mode: the credential is verified by opening a JDBC connection as that database user.
        connection = this.getDataSource().getConnection(username, password);
        // A successful connection is the only evidence of a valid password; no attributes are resolved here.
        return createHandlerResult(credential, this.principalFactory.createPrincipal(username), new ArrayList<>(0));
    } catch (final SQLException e) {
        // The database rejected the bind: report it as a credential failure.
        // Note that the driver's own message is surfaced to the caller.
        throw new FailedLoginException(e.getMessage());
    } catch (final Exception e) {
        // Anything else (pool exhaustion, driver fault) is an infrastructure error, so signal
        // PreventedException instead of blaming the credential.
        throw new PreventedException("Unexpected SQL connection error", e);
    } finally {
        // Always hand the connection back to the pool, on success and on failure.
        if (connection != null) {
            DataSourceUtils.releaseConnection(connection, this.getDataSource());
        }
    }
}
Also used : FailedLoginException (javax.security.auth.login.FailedLoginException), SQLException (java.sql.SQLException), GeneralSecurityException (java.security.GeneralSecurityException), Connection (java.sql.Connection), PreventedException (org.apereo.cas.authentication.PreventedException)

Example 7 with PreventedException

Use of org.apereo.cas.authentication.PreventedException in project cas by apereo.

Class QueryAndEncodeDatabaseAuthenticationHandler, method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential transformedCredential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    // The query, the digest algorithm and the JDBC template are all mandatory for this handler.
    if (StringUtils.isBlank(this.sql) || StringUtils.isBlank(this.algorithmName) || getJdbcTemplate() == null) {
        throw new GeneralSecurityException("Authentication handler is not configured correctly");
    }
    final String username = transformedCredential.getUsername();
    try {
        // Fetch the single row for this user; the row supplies the stored digest plus salt/iteration data.
        final Map<String, Object> values = getJdbcTemplate().queryForMap(this.sql, username);
        // Re-derive the digest from the supplied password using the per-user values from the row.
        final String digestedPassword = digestEncodedPassword(transformedCredential.getPassword(), values);
        // Plain String.equals: not a constant-time comparison of the two digests.
        if (!values.get(this.passwordFieldName).equals(digestedPassword)) {
            throw new FailedLoginException("Password does not match value on record.");
        }
        // Optional account-state columns are only consulted after the password has been verified.
        if (StringUtils.isNotBlank(this.expiredFieldName)) {
            final Object dbExpired = values.get(this.expiredFieldName);
            if (dbExpired != null && (Boolean.TRUE.equals(BooleanUtils.toBoolean(dbExpired.toString())) || dbExpired.equals(Integer.valueOf(1)))) {
                throw new AccountPasswordMustChangeException("Password has expired");
            }
        }
        if (StringUtils.isNotBlank(this.disabledFieldName)) {
            final Object dbDisabled = values.get(this.disabledFieldName);
            if (dbDisabled != null && (Boolean.TRUE.equals(BooleanUtils.toBoolean(dbDisabled.toString())) || dbDisabled.equals(1))) {
                throw new AccountDisabledException("Account has been disabled");
            }
        }
        return createHandlerResult(transformedCredential, this.principalFactory.createPrincipal(username), new ArrayList<>(0));
    } catch (final IncorrectResultSizeDataAccessException e) {
        // queryForMap expects exactly one row: zero rows means an unknown user, more than one is ambiguous.
        if (e.getActualSize() == 0) {
            throw new AccountNotFoundException(username + " not found with SQL query");
        }
        throw new FailedLoginException("Multiple records found for " + username);
    } catch (final DataAccessException e) {
        // Any other database error is an infrastructure fault, not a credential verdict.
        throw new PreventedException("SQL exception while executing query for " + username, e);
    }
}
Also used : FailedLoginException (javax.security.auth.login.FailedLoginException), IncorrectResultSizeDataAccessException (org.springframework.dao.IncorrectResultSizeDataAccessException), GeneralSecurityException (java.security.GeneralSecurityException), PreventedException (org.apereo.cas.authentication.PreventedException), AccountPasswordMustChangeException (org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException), AccountNotFoundException (javax.security.auth.login.AccountNotFoundException), AccountDisabledException (org.apereo.cas.authentication.exceptions.AccountDisabledException), DataAccessException (org.springframework.dao.DataAccessException)

Example 8 with PreventedException

Use of org.apereo.cas.authentication.PreventedException in project cas by apereo.

Class SearchModeSearchDatabaseAuthenticationHandler, method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    String sql = null;
    // All three names are needed to build a valid statement; with "||" a missing one would be
    // concatenated as null and String.concat would throw a NullPointerException.
    if (StringUtils.isNotBlank(tableUsers) && StringUtils.isNotBlank(fieldUser) && StringUtils.isNotBlank(fieldPassword)) {
        // Table and column names come from handler configuration, not from the request;
        // the user-supplied values are bound as parameters.
        sql = "SELECT COUNT('x') FROM ".concat(this.tableUsers).concat(" WHERE ").concat(this.fieldUser).concat(" = ? AND ").concat(this.fieldPassword).concat("= ?");
    }
    if (StringUtils.isBlank(sql) || getJdbcTemplate() == null) {
        throw new GeneralSecurityException("Authentication handler is not configured correctly. " + "No SQL statement or JDBC template found");
    }
    final String username = credential.getUsername();
    try {
        LOGGER.debug("Executing SQL query [{}]", sql);
        // Search mode compares the (already transformed) password directly against the stored column value.
        final int count = getJdbcTemplate().queryForObject(sql, Integer.class, username, credential.getPassword());
        if (count == 0) {
            throw new FailedLoginException(username + " not found with SQL query.");
        }
        return createHandlerResult(credential, this.principalFactory.createPrincipal(username), new ArrayList<>(0));
    } catch (final DataAccessException e) {
        // Database errors are reported as PreventedException, not as a bad credential.
        throw new PreventedException("SQL exception while executing query for " + username, e);
    }
}
Also used : FailedLoginException (javax.security.auth.login.FailedLoginException), GeneralSecurityException (java.security.GeneralSecurityException), PreventedException (org.apereo.cas.authentication.PreventedException), DataAccessException (org.springframework.dao.DataAccessException)

Example 9 with PreventedException

Use of org.apereo.cas.authentication.PreventedException in project cas by apereo.

Class GoogleAuthenticatorAuthenticationHandler, method doAuthentication.

@Override
protected AuthenticationHandlerExecutionResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
    final GoogleAuthenticatorTokenCredential tokenCredential = (GoogleAuthenticatorTokenCredential) credential;
    // A malformed token is rejected before any lookup; it is treated as a prevented attempt, not a wrong code.
    if (!StringUtils.isNumeric(tokenCredential.getToken())) {
        throw new PreventedException("Invalid non-numeric OTP format specified.", new IllegalArgumentException("Invalid token " + tokenCredential.getToken()));
    }
    final int otp = Integer.parseInt(tokenCredential.getToken());
    LOGGER.debug("Received OTP [{}]", otp);
    // The second factor is bound to the principal established by the first-factor authentication in progress.
    @NonNull final Authentication authentication = WebUtils.getInProgressAuthentication();
    final String uid = authentication.getPrincipal().getId();
    LOGGER.debug("Received principal id [{}]", uid);
    final OneTimeTokenAccount acct = this.credentialRepository.get(uid);
    if (acct == null || StringUtils.isBlank(acct.getSecretKey())) {
        throw new AccountNotFoundException(uid + " cannot be found in the registry");
    }
    // Replay protection: a code already recorded for this user is refused even if it would still verify.
    if (this.tokenRepository.exists(uid, otp)) {
        throw new AccountExpiredException(uid + " cannot reuse OTP " + otp + " as it may be expired/invalid");
    }
    boolean isCodeValid = this.googleAuthenticatorInstance.authorize(acct.getSecretKey(), otp);
    // Scratch codes are single-use backups: accept once, then remove from the account.
    if (!isCodeValid && acct.getScratchCodes().contains(otp)) {
        LOGGER.warn("Using scratch code [{}] to authenticate user [{}]. Scratch code will be removed", otp, uid);
        acct.getScratchCodes().removeIf(token -> token == otp);
        this.credentialRepository.update(acct);
        isCodeValid = true;
    }
    if (isCodeValid) {
        // Record the consumed code so the replay check above rejects it next time.
        this.tokenRepository.store(new GoogleAuthenticatorToken(otp, uid));
        return createHandlerResult(tokenCredential, this.principalFactory.createPrincipal(uid));
    }
    throw new FailedLoginException("Failed to authenticate code " + otp);
}
Also used : OneTimeTokenAccount (org.apereo.cas.otp.repository.credentials.OneTimeTokenAccount), FailedLoginException (javax.security.auth.login.FailedLoginException), Authentication (org.apereo.cas.authentication.Authentication), AccountExpiredException (javax.security.auth.login.AccountExpiredException), NonNull (lombok.NonNull), GoogleAuthenticatorToken (org.apereo.cas.adaptors.gauth.token.GoogleAuthenticatorToken), PreventedException (org.apereo.cas.authentication.PreventedException), AccountNotFoundException (javax.security.auth.login.AccountNotFoundException)

Example 10 with PreventedException

Use of org.apereo.cas.authentication.PreventedException in project cas by apereo.

Class FileAuthenticationHandler, method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential transformedCredential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    try {
        // A missing backing file is reported through the IOException path below as a prevented attempt.
        if (this.fileName == null) {
            throw new FileNotFoundException("Filename does not exist");
        }
        final String username = transformedCredential.getUsername();
        final String passwordOnRecord = getPasswordOnRecord(username);
        if (StringUtils.isBlank(passwordOnRecord)) {
            throw new AccountNotFoundException(username + " not found in backing file.");
        }
        // The original (untransformed) password is compared against the stored record.
        if (matches(originalPassword, passwordOnRecord)) {
            return createHandlerResult(transformedCredential, this.principalFactory.createPrincipal(username), new ArrayList<>(0));
        }
    } catch (final IOException e) {
        // Being unable to read the file is an infrastructure fault, not a credential verdict.
        throw new PreventedException("IO error reading backing file", e);
    }
    // Reached only when the user exists and the password did not match.
    throw new FailedLoginException();
}
Also used : FailedLoginException (javax.security.auth.login.FailedLoginException), FileNotFoundException (java.io.FileNotFoundException), IOException (java.io.IOException), PreventedException (org.apereo.cas.authentication.PreventedException), AccountNotFoundException (javax.security.auth.login.AccountNotFoundException)

Aggregations (number of usages)

PreventedException (org.apereo.cas.authentication.PreventedException): 12
FailedLoginException (javax.security.auth.login.FailedLoginException): 10
GeneralSecurityException (java.security.GeneralSecurityException): 7
AccountNotFoundException (javax.security.auth.login.AccountNotFoundException): 5
AccountDisabledException (org.apereo.cas.authentication.exceptions.AccountDisabledException): 5
AccountLockedException (javax.security.auth.login.AccountLockedException): 3
AccountPasswordMustChangeException (org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException): 3
DataAccessException (org.springframework.dao.DataAccessException): 3
AccountExpiredException (javax.security.auth.login.AccountExpiredException): 2
CredentialExpiredException (javax.security.auth.login.CredentialExpiredException): 2
Authentication (org.apereo.cas.authentication.Authentication): 2
BasicCredentialMetaData (org.apereo.cas.authentication.BasicCredentialMetaData): 2
InvalidLoginLocationException (org.apereo.cas.authentication.exceptions.InvalidLoginLocationException): 2
InvalidLoginTimeException (org.apereo.cas.authentication.exceptions.InvalidLoginTimeException): 2
Principal (org.apereo.cas.authentication.principal.Principal): 2
TypeReference (com.fasterxml.jackson.core.type.TypeReference): 1
DeviceRegistration (com.yubico.u2f.data.DeviceRegistration): 1
SignRequestData (com.yubico.u2f.data.messages.SignRequestData): 1
SignResponse (com.yubico.u2f.data.messages.SignResponse): 1
DeviceCompromisedException (com.yubico.u2f.exceptions.DeviceCompromisedException): 1