Search in sources :

Example 6 with AccountDisabledException

use of org.apereo.cas.authentication.exceptions.AccountDisabledException in project cas by apereo.

the class JsonResourceAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    val map = readAccountsFromResource();
    val username = credential.getUsername();
    val password = credential.getPassword();
    if (!map.containsKey(username)) {
        throw new AccountNotFoundException();
    }
    val account = map.get(username);
    if (matches(password, account.getPassword())) {
        switch(account.getStatus()) {
            case DISABLED:
                throw new AccountDisabledException();
            case EXPIRED:
                throw new AccountExpiredException();
            case LOCKED:
                throw new AccountLockedException();
            case MUST_CHANGE_PASSWORD:
                throw new AccountPasswordMustChangeException();
            case OK:
            default:
                LOGGER.debug("Account status is OK");
        }
        val clientInfo = ClientInfoHolder.getClientInfo();
        if (clientInfo != null && StringUtils.isNotBlank(account.getLocation()) && !RegexUtils.find(account.getLocation(), clientInfo.getClientIpAddress())) {
            throw new InvalidLoginLocationException("Unable to login from this location");
        }
        if (StringUtils.isNotBlank(account.getAvailability())) {
            val range = Splitter.on("~").splitToList(account.getAvailability());
            val startDate = DateTimeUtils.convertToZonedDateTime(range.get(0));
            val endDate = DateTimeUtils.convertToZonedDateTime(range.get(1));
            val now = ZonedDateTime.now(Clock.systemUTC());
            if (now.isBefore(startDate) || now.isAfter(endDate)) {
                throw new InvalidLoginTimeException("Unable to login at this time");
            }
        }
        val warnings = new ArrayList<MessageDescriptor>();
        if (account.getExpirationDate() != null) {
            val now = LocalDate.now(ZoneOffset.UTC);
            if (now.isEqual(account.getExpirationDate()) || now.isAfter(account.getExpirationDate())) {
                throw new AccountExpiredException();
            }
            if (getPasswordPolicyConfiguration() != null) {
                val warningPeriod = account.getExpirationDate().minusDays(getPasswordPolicyConfiguration().getPasswordWarningNumberOfDays());
                if (now.isAfter(warningPeriod) || now.isEqual(warningPeriod)) {
                    val daysRemaining = ChronoUnit.DAYS.between(now, account.getExpirationDate());
                    warnings.add(new DefaultMessageDescriptor("password.expiration.loginsRemaining", "You have {0} logins remaining before you MUST change your password.", new Serializable[] { daysRemaining }));
                }
            }
        }
        account.getWarnings().forEach(warning -> warnings.add(new DefaultMessageDescriptor(warning, warning, new Serializable[] { username })));
        val principal = this.principalFactory.createPrincipal(username, account.getAttributes());
        return createHandlerResult(credential, principal, warnings);
    }
    throw new FailedLoginException();
}
Also used : lombok.val(lombok.val) AccountLockedException(javax.security.auth.login.AccountLockedException) Serializable(java.io.Serializable) FailedLoginException(javax.security.auth.login.FailedLoginException) AccountExpiredException(javax.security.auth.login.AccountExpiredException) InvalidLoginLocationException(org.apereo.cas.authentication.exceptions.InvalidLoginLocationException) DefaultMessageDescriptor(org.apereo.cas.DefaultMessageDescriptor) InvalidLoginTimeException(org.apereo.cas.authentication.exceptions.InvalidLoginTimeException) ArrayList(java.util.ArrayList) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException)

Example 7 with AccountDisabledException

use of org.apereo.cas.authentication.exceptions.AccountDisabledException in project cas by apereo.

the class AmazonCognitoAuthenticationAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    try {
        val authParams = new HashMap<String, String>();
        authParams.put("USERNAME", credential.getUsername());
        authParams.put("PASSWORD", credential.getPassword());
        val authRequest = AdminInitiateAuthRequest.builder();
        val request = authRequest.authFlow(AuthFlowType.ADMIN_NO_SRP_AUTH).clientId(properties.getClientId()).userPoolId(properties.getUserPoolId()).authParameters(authParams).build();
        val result = cognitoIdentityProvider.adminInitiateAuth(request);
        if ("NEW_PASSWORD_REQUIRED".equalsIgnoreCase(result.challengeNameAsString())) {
            throw new CredentialExpiredException();
        }
        val authenticationResult = result.authenticationResult();
        val claims = jwtProcessor.process(authenticationResult.idToken(), new SimpleSecurityContext());
        if (StringUtils.isBlank(claims.getSubject())) {
            throw new FailedLoginException("Unable to accept the id token with an invalid [sub] claim");
        }
        val userResult = cognitoIdentityProvider.adminGetUser(AdminGetUserRequest.builder().userPoolId(properties.getUserPoolId()).username(credential.getUsername()).build());
        val attributes = new LinkedHashMap<String, List<Object>>();
        attributes.put("userStatus", CollectionUtils.wrap(userResult.userStatusAsString()));
        attributes.put("userCreatedDate", CollectionUtils.wrap(userResult.userCreateDate().toEpochMilli()));
        attributes.put("userModifiedDate", CollectionUtils.wrap(userResult.userLastModifiedDate().toEpochMilli()));
        val userAttributes = userResult.userAttributes();
        userAttributes.forEach(attr -> {
            if (!properties.getMappedAttributes().isEmpty() && properties.getMappedAttributes().containsKey(attr.name())) {
                val newName = properties.getMappedAttributes().get(attr.name());
                attributes.put(newName, CollectionUtils.wrap(attr.value()));
            } else {
                attributes.put(attr.name(), CollectionUtils.wrap(attr.value()));
            }
        });
        val principal = principalFactory.createPrincipal(userResult.username(), attributes);
        return createHandlerResult(credential, principal, new ArrayList<>(0));
    } catch (final NotAuthorizedException e) {
        val message = e.getMessage();
        if (message.contains("expired")) {
            throw new AccountExpiredException(message);
        }
        if (message.contains("disabled")) {
            throw new AccountDisabledException(message);
        }
        throw new FailedLoginException(e.getMessage());
    } catch (final UserNotFoundException e) {
        throw new AccountNotFoundException(e.getMessage());
    } catch (final CredentialExpiredException e) {
        throw new AccountPasswordMustChangeException(e.getMessage());
    } catch (final InvalidPasswordException e) {
        throw new AccountPasswordMustChangeException(e.getMessage());
    } catch (final Exception e) {
        throw new FailedLoginException(e.getMessage());
    }
}
Also used : lombok.val(lombok.val) UserNotFoundException(software.amazon.awssdk.services.cognitoidentityprovider.model.UserNotFoundException) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) NotAuthorizedException(software.amazon.awssdk.services.cognitoidentityprovider.model.NotAuthorizedException) UserNotFoundException(software.amazon.awssdk.services.cognitoidentityprovider.model.UserNotFoundException) AccountExpiredException(javax.security.auth.login.AccountExpiredException) CredentialExpiredException(javax.security.auth.login.CredentialExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) FailedLoginException(javax.security.auth.login.FailedLoginException) InvalidPasswordException(software.amazon.awssdk.services.cognitoidentityprovider.model.InvalidPasswordException) NotAuthorizedException(software.amazon.awssdk.services.cognitoidentityprovider.model.NotAuthorizedException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) LinkedHashMap(java.util.LinkedHashMap) FailedLoginException(javax.security.auth.login.FailedLoginException) AccountExpiredException(javax.security.auth.login.AccountExpiredException) SimpleSecurityContext(com.nimbusds.jose.proc.SimpleSecurityContext) InvalidPasswordException(software.amazon.awssdk.services.cognitoidentityprovider.model.InvalidPasswordException) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) CredentialExpiredException(javax.security.auth.login.CredentialExpiredException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException)

Example 8 with AccountDisabledException

use of org.apereo.cas.authentication.exceptions.AccountDisabledException in project cas by apereo.

the class QueryAndEncodeDatabaseAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential transformedCredential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    if (StringUtils.isBlank(properties.getSql()) || StringUtils.isBlank(properties.getAlgorithmName()) || getJdbcTemplate() == null) {
        throw new GeneralSecurityException("Authentication handler is not configured correctly");
    }
    val username = transformedCredential.getUsername();
    try {
        val values = getJdbcTemplate().queryForMap(properties.getSql(), username);
        val digestedPassword = digestEncodedPassword(transformedCredential.getPassword(), values);
        if (!values.get(properties.getPasswordFieldName()).equals(digestedPassword)) {
            throw new FailedLoginException("Password does not match value on record.");
        }
        if (StringUtils.isNotBlank(properties.getExpiredFieldName()) && values.containsKey(properties.getExpiredFieldName())) {
            val dbExpired = values.get(properties.getExpiredFieldName()).toString();
            if (BooleanUtils.toBoolean(dbExpired) || "1".equals(dbExpired)) {
                throw new AccountPasswordMustChangeException("Password has expired");
            }
        }
        if (StringUtils.isNotBlank(properties.getDisabledFieldName()) && values.containsKey(properties.getDisabledFieldName())) {
            val dbDisabled = values.get(properties.getDisabledFieldName()).toString();
            if (BooleanUtils.toBoolean(dbDisabled) || "1".equals(dbDisabled)) {
                throw new AccountDisabledException("Account has been disabled");
            }
        }
        return createHandlerResult(transformedCredential, this.principalFactory.createPrincipal(username), new ArrayList<>(0));
    } catch (final IncorrectResultSizeDataAccessException e) {
        if (e.getActualSize() == 0) {
            throw new AccountNotFoundException(username + " not found with SQL query");
        }
        throw new FailedLoginException("Multiple records found for " + username);
    } catch (final DataAccessException e) {
        throw new PreventedException(e);
    }
}
Also used : lombok.val(lombok.val) FailedLoginException(javax.security.auth.login.FailedLoginException) IncorrectResultSizeDataAccessException(org.springframework.dao.IncorrectResultSizeDataAccessException) GeneralSecurityException(java.security.GeneralSecurityException) PreventedException(org.apereo.cas.authentication.PreventedException) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException) DataAccessException(org.springframework.dao.DataAccessException) IncorrectResultSizeDataAccessException(org.springframework.dao.IncorrectResultSizeDataAccessException)

Example 9 with AccountDisabledException

use of org.apereo.cas.authentication.exceptions.AccountDisabledException in project cas by apereo.

the class ShiroAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential transformedCredential, final String originalPassword) throws GeneralSecurityException {
    try {
        val token = new UsernamePasswordToken(transformedCredential.getUsername(), transformedCredential.getPassword());
        if (transformedCredential instanceof RememberMeUsernamePasswordCredential) {
            token.setRememberMe(RememberMeUsernamePasswordCredential.class.cast(transformedCredential).isRememberMe());
        }
        val currentUser = getCurrentExecutingSubject();
        currentUser.login(token);
        checkSubjectRolesAndPermissions(currentUser);
        val strategy = getPasswordPolicyHandlingStrategy();
        val messageList = new ArrayList<MessageDescriptor>();
        if (strategy != null) {
            LOGGER.debug("Attempting to examine and handle password policy via [{}]", strategy.getClass().getSimpleName());
            val principal = this.principalFactory.createPrincipal(token.getUsername());
            messageList.addAll(strategy.handle(principal, getPasswordPolicyConfiguration()));
        }
        return createAuthenticatedSubjectResult(transformedCredential, currentUser, messageList);
    } catch (final UnknownAccountException uae) {
        throw new AccountNotFoundException(uae.getMessage());
    } catch (final LockedAccountException | ExcessiveAttemptsException lae) {
        throw new AccountLockedException(lae.getMessage());
    } catch (final ExpiredCredentialsException eae) {
        throw new CredentialExpiredException(eae.getMessage());
    } catch (final DisabledAccountException eae) {
        throw new AccountDisabledException(eae.getMessage());
    } catch (final AuthenticationException ice) {
        throw new FailedLoginException(ice.getMessage());
    }
}
Also used : lombok.val(lombok.val) DisabledAccountException(org.apache.shiro.authc.DisabledAccountException) AccountLockedException(javax.security.auth.login.AccountLockedException) AuthenticationException(org.apache.shiro.authc.AuthenticationException) UnknownAccountException(org.apache.shiro.authc.UnknownAccountException) ArrayList(java.util.ArrayList) ExcessiveAttemptsException(org.apache.shiro.authc.ExcessiveAttemptsException) ExpiredCredentialsException(org.apache.shiro.authc.ExpiredCredentialsException) UsernamePasswordToken(org.apache.shiro.authc.UsernamePasswordToken) FailedLoginException(javax.security.auth.login.FailedLoginException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) CredentialExpiredException(javax.security.auth.login.CredentialExpiredException) RememberMeUsernamePasswordCredential(org.apereo.cas.authentication.credential.RememberMeUsernamePasswordCredential) LockedAccountException(org.apache.shiro.authc.LockedAccountException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException)

Example 10 with AccountDisabledException

use of org.apereo.cas.authentication.exceptions.AccountDisabledException in project cas by apereo.

the class SyncopeAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
@SneakyThrows
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) {
    val result = authenticateSyncopeUser(credential);
    if (result.isPresent()) {
        val user = result.get();
        LOGGER.debug("Received user object as [{}]", user);
        if (user.has("suspended") && user.get("suspended").asBoolean()) {
            throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
        }
        if (user.has("mustChangePassword") && user.get("mustChangePassword").asBoolean()) {
            throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
        }
        val principal = this.principalFactory.createPrincipal(user.get("username").asText(), SyncopeUserTOConverterUtils.convert(user));
        return createHandlerResult(credential, principal, new ArrayList<>(0));
    }
    throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
}
Also used : lombok.val(lombok.val) FailedLoginException(javax.security.auth.login.FailedLoginException) AccountPasswordMustChangeException(org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException) SneakyThrows(lombok.SneakyThrows)

Aggregations

FailedLoginException (javax.security.auth.login.FailedLoginException)10 AccountDisabledException (org.apereo.cas.authentication.exceptions.AccountDisabledException)10 lombok.val (lombok.val)9 AccountPasswordMustChangeException (org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException)9 AccountNotFoundException (javax.security.auth.login.AccountNotFoundException)8 AccountExpiredException (javax.security.auth.login.AccountExpiredException)5 AccountLockedException (javax.security.auth.login.AccountLockedException)5 GeneralSecurityException (java.security.GeneralSecurityException)3 ArrayList (java.util.ArrayList)3 LinkedHashMap (java.util.LinkedHashMap)2 CredentialExpiredException (javax.security.auth.login.CredentialExpiredException)2 HttpResponse (org.apache.http.HttpResponse)2 PreventedException (org.apereo.cas.authentication.PreventedException)2 DataAccessException (org.springframework.dao.DataAccessException)2 IncorrectResultSizeDataAccessException (org.springframework.dao.IncorrectResultSizeDataAccessException)2 SimpleSecurityContext (com.nimbusds.jose.proc.SimpleSecurityContext)1 Serializable (java.io.Serializable)1 HashMap (java.util.HashMap)1 List (java.util.List)1 SneakyThrows (lombok.SneakyThrows)1