Examples with AccountPasswordMustChangeException org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException used on opensource projects

Example 1 with AccountPasswordMustChangeException

use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in project cas by apereo.

the class SyncopeAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential c, final String originalPassword) throws GeneralSecurityException {
    try {
        final String syncopeUrl = StringUtils.appendIfMissing(this.syncopeUrl, "/rest/users/self");
        final HttpResponse response = HttpUtils.executeGet(syncopeUrl, c.getUsername(), c.getPassword(), new HashMap<>(), CollectionUtils.wrap("X-Syncope-Domain", this.syncopeDomain));
        LOGGER.debug("Received http response status as [{}]", response.getStatusLine());
        if (response != null && response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
            final String result = IOUtils.toString(response.getEntity().getContent(), StandardCharsets.UTF_8);
            LOGGER.debug("Received user object as [{}]", result);
            final UserTO user = this.objectMapper.readValue(result, UserTO.class);
            if (user.isSuspended()) {
                throw new AccountDisabledException("Could not authenticate forbidden account for " + c.getUsername());
            }
            if (user.isMustChangePassword()) {
                throw new AccountPasswordMustChangeException("Account password must change for " + c.getUsername());
            }
            final Principal principal = this.principalFactory.createPrincipal(user.getUsername(), buildSyncopeUserAttributes(user));
            return createHandlerResult(c, principal, new ArrayList<>());
        }
    } catch (final Exception e) {
        LOGGER.error(e.getMessage(), e);
    }
    throw new FailedLoginException("Could not authenticate account for " + c.getUsername());
}

Example 2 with AccountPasswordMustChangeException

use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in project cas by apereo.

the class RestAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    var response = (HttpResponse) null;
    try {
        val exec = HttpUtils.HttpExecutionRequest.builder().basicAuthUsername(credential.getUsername()).basicAuthPassword(credential.getPassword()).method(HttpMethod.POST).url(properties.getUri()).build();
        response = HttpUtils.execute(exec);
        val status = HttpStatus.resolve(Objects.requireNonNull(response).getStatusLine().getStatusCode());
        switch(Objects.requireNonNull(status)) {
            case OK:
                return buildPrincipalFromResponse(credential, response);
            case FORBIDDEN:
                throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
            case UNAUTHORIZED:
                throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
            case NOT_FOUND:
                throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
            case LOCKED:
                throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
            case PRECONDITION_FAILED:
                throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
            case PRECONDITION_REQUIRED:
                throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
            default:
                throw new FailedLoginException("Rest endpoint returned an unknown status code " + status + " for " + credential.getUsername());
        }
    } finally {
        HttpUtils.close(response);
    }
}

Example 3 with AccountPasswordMustChangeException

use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in project cas by apereo.

the class QueryDatabaseAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    val attributes = Maps.<String, List<Object>>newHashMapWithExpectedSize(this.principalAttributeMap.size());
    val username = credential.getUsername();
    val password = credential.getPassword();
    try {
        val dbFields = query(credential);
        if (dbFields.containsKey(properties.getFieldPassword())) {
            val dbPassword = (String) dbFields.get(properties.getFieldPassword());
            val originalPasswordMatchFails = StringUtils.isNotBlank(originalPassword) && !matches(originalPassword, dbPassword);
            val originalPasswordEquals = StringUtils.isBlank(originalPassword) && !StringUtils.equals(password, dbPassword);
            if (originalPasswordMatchFails || originalPasswordEquals) {
                throw new FailedLoginException("Password does not match value on record.");
            }
        } else {
            LOGGER.debug("Password field is not found in the query results. Checking for result count...");
            if (!dbFields.containsKey("total")) {
                throw new FailedLoginException("Missing field 'total' from the query results for " + username);
            }
            val count = dbFields.get("total");
            if (count == null || !NumberUtils.isCreatable(count.toString())) {
                throw new FailedLoginException("Missing field value 'total' from the query results for " + username + " or value not parseable as a number");
            }
            val number = NumberUtils.createNumber(count.toString());
            if (number.longValue() != 1) {
                throw new FailedLoginException("No records found for user " + username);
            }
        }
        if (StringUtils.isNotBlank(properties.getFieldDisabled()) && dbFields.containsKey(properties.getFieldDisabled())) {
            val dbDisabled = dbFields.get(properties.getFieldDisabled()).toString();
            if (BooleanUtils.toBoolean(dbDisabled) || "1".equals(dbDisabled)) {
                throw new AccountDisabledException("Account has been disabled");
            }
        }
        if (StringUtils.isNotBlank(properties.getFieldExpired()) && dbFields.containsKey(properties.getFieldExpired())) {
            val dbExpired = dbFields.get(properties.getFieldExpired()).toString();
            if (BooleanUtils.toBoolean(dbExpired) || "1".equals(dbExpired)) {
                throw new AccountPasswordMustChangeException("Password has expired");
            }
        }
        collectPrincipalAttributes(attributes, dbFields);
    } catch (final IncorrectResultSizeDataAccessException e) {
        if (e.getActualSize() == 0) {
            throw new AccountNotFoundException(username + " not found with SQL query");
        }
        throw new FailedLoginException("Multiple records found for " + username);
    } catch (final DataAccessException e) {
        throw new PreventedException(e);
    }
    val principal = this.principalFactory.createPrincipal(username, attributes);
    return createHandlerResult(credential, principal, new ArrayList<>(0));
}

Example 4 with AccountPasswordMustChangeException

use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in project cas by apereo.

the class SoapAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    soapAuthenticationClient.setCredentials(credential);
    val request = new ObjectFactory().createGetSoapAuthenticationRequest();
    request.setUsername(credential.getUsername());
    val response = soapAuthenticationClient.sendRequest(request);
    if (response.getStatus() == HttpStatus.OK.value()) {
        val attributes = new LinkedHashMap<String, List<Object>>();
        response.getAttributes().forEach(item -> attributes.put(item.getKey().toString(), CollectionUtils.toCollection(item.getValue(), ArrayList.class)));
        val principal = principalFactory.createPrincipal(response.getUsername(), attributes);
        return createHandlerResult(credential, principal, new ArrayList<>(0));
    }
    val httpStatus = HttpStatus.valueOf(response.getStatus());
    if (httpStatus.equals(HttpStatus.FORBIDDEN)) {
        throw new AccountDisabledException("Could not authenticate forbidden account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.UNAUTHORIZED)) {
        throw new FailedLoginException("Could not authenticate account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.NOT_FOUND)) {
        throw new AccountNotFoundException("Could not locate account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.LOCKED)) {
        throw new AccountLockedException("Could not authenticate locked account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.PRECONDITION_FAILED)) {
        throw new AccountExpiredException("Could not authenticate expired account for " + credential.getUsername());
    }
    if (httpStatus.equals(HttpStatus.PRECONDITION_REQUIRED)) {
        throw new AccountPasswordMustChangeException("Account password must change for " + credential.getUsername());
    }
    throw new FailedLoginException("SOAP endpoint returned an unknown status code " + httpStatus + " for " + credential.getUsername());
}

Example 5 with AccountPasswordMustChangeException

use of org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException in project cas by apereo.

the class RedisAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    val account = (RedisUserAccount) redisTemplate.opsForValue().get(credential.getUsername());
    if (account == null) {
        throw new AccountNotFoundException();
    }
    if (!getPasswordEncoder().matches(originalPassword, account.getPassword())) {
        LOGGER.warn("Account password on record for [{}] does not match the given/encoded password", credential.getId());
        throw new FailedLoginException();
    }
    switch(account.getStatus()) {
        case DISABLED:
            throw new AccountDisabledException();
        case EXPIRED:
            throw new AccountExpiredException();
        case LOCKED:
            throw new AccountLockedException();
        case MUST_CHANGE_PASSWORD:
            throw new AccountPasswordMustChangeException();
        case OK:
        default:
            LOGGER.debug("Account status is OK");
    }
    val principal = principalFactory.createPrincipal(account.getUsername(), account.getAttributes());
    return createHandlerResult(credential, principal, new ArrayList<>(0));
}