Example 1 with AccountPasswordMustChangeException

Use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in the project cas by apereo.

The class SyncopeAuthenticationHandler, method authenticateUsernamePasswordInternal.

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HashMap;
import javax.security.auth.login.FailedLoginException;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
import org.apache.syncope.common.lib.to.UserTO;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.principal.Principal;

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential c, final String originalPassword) throws GeneralSecurityException {
    try {
        // Syncope's "self" endpoint authenticates the caller with HTTP basic auth and returns that user's UserTO.
        final String syncopeUrl = StringUtils.appendIfMissing(this.syncopeUrl, "/rest/users/self");
        final HttpResponse response = HttpUtils.executeGet(syncopeUrl, c.getUsername(), c.getPassword(), new HashMap<>(), CollectionUtils.wrap("X-Syncope-Domain", this.syncopeDomain));
        if (response == null) {
            throw new FailedLoginException("No response received from Syncope for " + c.getUsername());
        }
        LOGGER.debug("Received http response status as [{}]", response.getStatusLine());
        if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
            final String result = IOUtils.toString(response.getEntity().getContent(), StandardCharsets.UTF_8);
            LOGGER.debug("Received user object as [{}]", result);
            final UserTO user = this.objectMapper.readValue(result, UserTO.class);
            // Account-state checks: a suspended account and a forced password change are reported as distinct exceptions.
            if (user.isSuspended()) {
                throw new AccountDisabledException("Could not authenticate forbidden account for " + c.getUsername());
            }
            if (user.isMustChangePassword()) {
                throw new AccountPasswordMustChangeException("Account password must change for " + c.getUsername());
            }
            final Principal principal = this.principalFactory.createPrincipal(user.getUsername(), buildSyncopeUserAttributes(user));
            return createHandlerResult(c, principal, new ArrayList<>());
        }
    } catch (final GeneralSecurityException e) {
        // Let the account-state exceptions above reach the caller instead of being
        // swallowed by the generic catch below and reported as a plain failed login.
        throw e;
    } catch (final Exception e) {
        LOGGER.error(e.getMessage(), e);
    }
    throw new FailedLoginException("Could not authenticate account for " + c.getUsername());
}

Example 2 with AccountPasswordMustChangeException

Use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in the project cas by apereo.

The class RestAuthenticationHandler, method authenticateUsernamePasswordInternal.

import java.security.GeneralSecurityException;
import java.util.Objects;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import lombok.val;
import org.apache.http.HttpResponse;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.util.HttpUtils;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    var response = (HttpResponse) null;
    try {
        // POST to the configured endpoint; the credential travels as HTTP basic auth, so the transport must protect it.
        val exec = HttpUtils.HttpExecutionRequest.builder().basicAuthUsername(credential.getUsername()).basicAuthPassword(credential.getPassword()).method(HttpMethod.POST).url(properties.getUri()).build();
        response = HttpUtils.execute(exec);
        // resolve() returns null for a status code Spring does not know; requireNonNull turns that into a fast failure.
        val status = HttpStatus.resolve(Objects.requireNonNull(response).getStatusLine().getStatusCode());
        // Translate the endpoint's HTTP status into the account-state exception the CAS login flow understands.
        switch(Objects.requireNonNull(status)) {
            case OK:
                return buildPrincipalFromResponse(credential, response);
            case FORBIDDEN:
                throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
            case UNAUTHORIZED:
                throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
            case NOT_FOUND:
                throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
            case LOCKED:
                throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
            case PRECONDITION_FAILED:
                throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
            case PRECONDITION_REQUIRED:
                throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
            default:
                // Any other status is treated as a failed login rather than a success.
                throw new FailedLoginException("Rest endpoint returned an unknown status code " + status + " for " + credential.getUsername());
        }
    } finally {
        // Release the connection whether authentication succeeded or threw.
        HttpUtils.close(response);
    }
}

Example 3 with AccountPasswordMustChangeException

Use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in the project cas by apereo.

The class QueryDatabaseAuthenticationHandler, method authenticateUsernamePasswordInternal.

import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import com.google.common.collect.Maps;
import lombok.val;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.springframework.dao.DataAccessException;
import org.springframework.dao.IncorrectResultSizeDataAccessException;

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    val attributes = Maps.<String, List<Object>>newHashMapWithExpectedSize(this.principalAttributeMap.size());
    val username = credential.getUsername();
    val password = credential.getPassword();
    try {
        val dbFields = query(credential);
        if (dbFields.containsKey(properties.getFieldPassword())) {
            // Mode 1: the query returned the stored password, so the comparison happens here.
            // When originalPassword (the credential's password before any encoding) is present it is
            // verified with matches(); otherwise the credential password is compared directly to the
            // stored value with a plain, non-constant-time string comparison.
            val dbPassword = (String) dbFields.get(properties.getFieldPassword());
            val encodedPasswordMismatch = StringUtils.isNotBlank(originalPassword) && !matches(originalPassword, dbPassword);
            val rawPasswordMismatch = StringUtils.isBlank(originalPassword) && !StringUtils.equals(password, dbPassword);
            if (encodedPasswordMismatch || rawPasswordMismatch) {
                throw new FailedLoginException("Password does not match value on record.");
            }
        } else {
            // Mode 2: the query itself did the password check and reports a row count under 'total';
            // exactly one matching row means success.
            LOGGER.debug("Password field is not found in the query results. Checking for result count...");
            if (!dbFields.containsKey("total")) {
                throw new FailedLoginException("Missing field 'total' from the query results for " + username);
            }
            val count = dbFields.get("total");
            if (count == null || !NumberUtils.isCreatable(count.toString())) {
                throw new FailedLoginException("Missing field value 'total' from the query results for " + username + " or value not parseable as a number");
            }
            val number = NumberUtils.createNumber(count.toString());
            if (number.longValue() != 1) {
                throw new FailedLoginException("No records found for user " + username);
            }
        }
        // Optional account-state columns: a truthy disabled flag blocks the login,
        // a truthy expired flag forces a password change.
        if (StringUtils.isNotBlank(properties.getFieldDisabled()) && dbFields.containsKey(properties.getFieldDisabled())) {
            val dbDisabled = dbFields.get(properties.getFieldDisabled()).toString();
            if (BooleanUtils.toBoolean(dbDisabled) || "1".equals(dbDisabled)) {
                throw new AccountDisabledException("Account has been disabled");
            }
        }
        if (StringUtils.isNotBlank(properties.getFieldExpired()) && dbFields.containsKey(properties.getFieldExpired())) {
            val dbExpired = dbFields.get(properties.getFieldExpired()).toString();
            if (BooleanUtils.toBoolean(dbExpired) || "1".equals(dbExpired)) {
                throw new AccountPasswordMustChangeException("Password has expired");
            }
        }
        collectPrincipalAttributes(attributes, dbFields);
    } catch (final IncorrectResultSizeDataAccessException e) {
        // Zero rows means an unknown user; more than one row is ambiguous and is rejected as well.
        if (e.getActualSize() == 0) {
            throw new AccountNotFoundException(username + " not found with SQL query");
        }
        throw new FailedLoginException("Multiple records found for " + username);
    } catch (final DataAccessException e) {
        // A database error is a handler failure, not an authentication failure.
        throw new PreventedException(e);
    }
    val principal = this.principalFactory.createPrincipal(username, attributes);
    return createHandlerResult(credential, principal, new ArrayList<>(0));
}

Example 4 with AccountPasswordMustChangeException

Use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in the project cas by apereo.

The class SoapAuthenticationHandler, method authenticateUsernamePasswordInternal.

import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import lombok.val;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.soap.generated.ObjectFactory;
import org.apereo.cas.util.CollectionUtils;
import org.springframework.http.HttpStatus;

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    // The SOAP client carries the credential; the request body itself only names the user.
    soapAuthenticationClient.setCredentials(credential);
    val request = new ObjectFactory().createGetSoapAuthenticationRequest();
    request.setUsername(credential.getUsername());
    val response = soapAuthenticationClient.sendRequest(request);
    if (response.getStatus() == HttpStatus.OK.value()) {
        // Success: copy the returned attributes into the principal.
        val attributes = new LinkedHashMap<String, List<Object>>();
        response.getAttributes().forEach(item -> attributes.put(item.getKey().toString(), CollectionUtils.toCollection(item.getValue(), ArrayList.class)));
        val principal = principalFactory.createPrincipal(response.getUsername(), attributes);
        return createHandlerResult(credential, principal, new ArrayList<>(0));
    }
    // Otherwise map the HTTP-style status carried in the SOAP response to an account-state exception.
    val httpStatus = HttpStatus.valueOf(response.getStatus());
    if (httpStatus.equals(HttpStatus.FORBIDDEN)) {
        throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.UNAUTHORIZED)) {
        throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.NOT_FOUND)) {
        throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.LOCKED)) {
        throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.PRECONDITION_FAILED)) {
        throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.PRECONDITION_REQUIRED)) {
        throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
    }
    // Any other status is treated as a failed login rather than a success.
    throw new FailedLoginException("SOAP endpoint returned an unknown status code " + httpStatus + " for " + credential.getUsername());
}

Example 5 with AccountPasswordMustChangeException

Use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in the project cas by apereo.

The class RedisAuthenticationHandler, method authenticateUsernamePasswordInternal.

import java.security.GeneralSecurityException;
import java.util.ArrayList;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import lombok.val;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    // The account record is stored under the username key.
    val account = (RedisUserAccount) redisTemplate.opsForValue().get(credential.getUsername());
    if (account == null) {
        throw new AccountNotFoundException();
    }
    // The raw password is checked against the stored (encoded) password through the configured password encoder.
    if (!getPasswordEncoder().matches(originalPassword, account.getPassword())) {
        LOGGER.warn("Account password on record for [{}] does not match the given/encoded password", credential.getId());
        throw new FailedLoginException();
    }
    // Only after the password check does the account status decide whether the login may proceed.
    switch(account.getStatus()) {
        case DISABLED:
            throw new AccountDisabledException();
        case EXPIRED:
            throw new AccountExpiredException();
        case LOCKED:
            throw new AccountLockedException();
        case MUST_CHANGE_PASSWORD:
            throw new AccountPasswordMustChangeException();
        case OK:
        default:
            LOGGER.debug("Account status is OK");
    }
    val principal = principalFactory.createPrincipal(account.getUsername(), account.getAttributes());
    return createHandlerResult(credential, principal, new ArrayList<>(0));
}
