
Example 1 with PasswordExpirationAuthenticationResponseHandler

use of org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler in project cas by apereo.

the class LdapAuthenticationConfiguration method createLdapPasswordPolicyConfiguration.

/**
 * Builds the password policy configuration for an LDAP authentication source and registers the
 * matching authentication response handlers on the given authenticator.
 *
 * <p>Response handlers are only added when the configured password warning period is greater
 * than zero. Otherwise the authenticator receives an empty handler array, so none of the
 * handlers created here will process the directory's password policy or expiration responses.
 * NOTE(review): confirm that this is acceptable for deployments that rely on expiry warnings.
 *
 * @param l             the LDAP authentication properties holding the password policy settings
 * @param authenticator the authenticator that receives the response handlers
 * @return the password policy configuration with its account state handler set
 */
private static LdapPasswordPolicyConfiguration createLdapPasswordPolicyConfiguration(final LdapAuthenticationProperties l, final Authenticator authenticator) {
    final LdapPasswordPolicyConfiguration policyConfig = new LdapPasswordPolicyConfiguration(l.getPasswordPolicy());
    final Set<AuthenticationResponseHandler> responseHandlers = new HashSet<>();
    final int warningDays = policyConfig.getPasswordWarningNumberOfDays();

    if (warningDays <= 0) {
        // No warning period configured: nothing is registered, the set stays empty.
        LOGGER.debug("Password warning number of days is undefined; LDAP authentication may NOT support "
            + "EDirectory, AD and FreeIPA to handle password policy authentication responses");
    } else {
        LOGGER.debug("Password policy authentication response handler is set to accommodate directory type: [{}]", l.getPasswordPolicy().getType());
        final Period warningPeriod = Period.ofDays(warningDays);
        switch (l.getPasswordPolicy().getType()) {
            case AD:
                responseHandlers.add(new ActiveDirectoryAuthenticationResponseHandler(warningPeriod));
                break;
            case FreeIPA:
                responseHandlers.add(new FreeIPAAuthenticationResponseHandler(warningPeriod, policyConfig.getLoginFailures()));
                break;
            case EDirectory:
                responseHandlers.add(new EDirectoryAuthenticationResponseHandler(warningPeriod));
                break;
            default:
                // Any other directory type gets the two generic handlers.
                responseHandlers.add(new PasswordPolicyAuthenticationResponseHandler());
                responseHandlers.add(new PasswordExpirationAuthenticationResponseHandler());
                break;
        }
    }

    authenticator.setAuthenticationResponseHandlers(responseHandlers.toArray(new AuthenticationResponseHandler[0]));
    LOGGER.debug("LDAP authentication response handlers configured are: [{}]", responseHandlers);

    // The warning handler is used only when both the attribute name and its value are configured.
    final boolean warningAttributeConfigured = StringUtils.isNotBlank(l.getPasswordPolicy().getWarningAttributeName())
        && StringUtils.isNotBlank(l.getPasswordPolicy().getWarningAttributeValue());

    if (!warningAttributeConfigured) {
        final DefaultAccountStateHandler defaultHandler = new DefaultAccountStateHandler();
        defaultHandler.setAttributesToErrorMap(l.getPasswordPolicy().getPolicyAttributes());
        policyConfig.setAccountStateHandler(defaultHandler);
        LOGGER.debug("Configuring the default account state handler for LDAP authentication");
        return policyConfig;
    }

    LOGGER.debug("Configuring an warning account state handler for LDAP authentication for warning attribute [{}] and value [{}]", l.getPasswordPolicy().getWarningAttributeName(), l.getPasswordPolicy().getWarningAttributeValue());
    final OptionalWarningAccountStateHandler warningHandler = new OptionalWarningAccountStateHandler();
    warningHandler.setDisplayWarningOnMatch(l.getPasswordPolicy().isDisplayWarningOnMatch());
    warningHandler.setWarnAttributeName(l.getPasswordPolicy().getWarningAttributeName());
    warningHandler.setWarningAttributeValue(l.getPasswordPolicy().getWarningAttributeValue());
    warningHandler.setAttributesToErrorMap(l.getPasswordPolicy().getPolicyAttributes());
    policyConfig.setAccountStateHandler(warningHandler);
    return policyConfig;
}
Also used : EDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler) PasswordPolicyAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler) FreeIPAAuthenticationResponseHandler(org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler) PasswordExpirationAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler) ActiveDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler) FreeIPAAuthenticationResponseHandler(org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler) AuthenticationResponseHandler(org.ldaptive.auth.AuthenticationResponseHandler) PasswordPolicyAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler) PasswordExpirationAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler) EDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler) LdapPasswordPolicyConfiguration(org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration) ActiveDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler) DefaultAccountStateHandler(org.apereo.cas.authentication.support.DefaultAccountStateHandler) HashSet(java.util.HashSet) OptionalWarningAccountStateHandler(org.apereo.cas.authentication.support.OptionalWarningAccountStateHandler)

Example 2 with PasswordExpirationAuthenticationResponseHandler

use of org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler in project cas by apereo.

the class LdapAuthenticationConfiguration method createLdapPasswordPolicyConfiguration.

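/**
 * Builds the LDAP password policy configuration, registers the authentication response handlers
 * for the configured directory type on the authenticator, and records the directory attributes
 * those handlers need in {@code attributes}.
 *
 * <p>An optional custom handler class named in the password policy settings is loaded
 * reflectively. The class name is configuration input: it is accepted only if it is a subtype of
 * {@link AuthenticationResponseHandler}, and anything else is rejected before a constructor is
 * invoked. Loading is best effort; on failure a warning is logged and configuration continues
 * with the directory-type handlers only.
 *
 * @param l             the LDAP authentication properties holding the password policy settings
 * @param authenticator the authenticator that receives the response handlers
 * @param attributes    multimap that receives the attribute names the handlers read
 * @return the password policy configuration with its account state handler set
 */
private LdapPasswordPolicyConfiguration createLdapPasswordPolicyConfiguration(final LdapAuthenticationProperties l, final Authenticator authenticator, final Multimap<String, Object> attributes) {
    final LdapPasswordPolicyConfiguration cfg = new LdapPasswordPolicyConfiguration(l.getPasswordPolicy());
    final Set<AuthenticationResponseHandler> handlers = new HashSet<>();
    final String customPolicyClass = l.getPasswordPolicy().getCustomPolicyClass();
    if (StringUtils.isNotBlank(customPolicyClass)) {
        try {
            LOGGER.debug("Configuration indicates use of a custom password policy handler [{}]", customPolicyClass);
            // asSubclass() verifies the type at runtime. The previous unchecked cast let any class on
            // the classpath be instantiated, and a non-handler object only surfaced later as an
            // ArrayStoreException in toArray(), outside this try block.
            // NOTE(review): Class.forName(String) still loads and initializes the named class before
            // the check; treat this setting as administrator-only input.
            final Class<? extends AuthenticationResponseHandler> clazz = Class.forName(customPolicyClass).asSubclass(AuthenticationResponseHandler.class);
            handlers.add(clazz.getDeclaredConstructor().newInstance());
        } catch (final Exception e) {
            // Deliberately non-fatal: authentication is configured without the custom handler.
            LOGGER.warn("Unable to construct an instance of the password policy handler", e);
        }
    }
    LOGGER.debug("Password policy authentication response handler is set to accommodate directory type: [{}]", l.getPasswordPolicy().getType());
    switch (l.getPasswordPolicy().getType()) {
        case AD:
            handlers.add(new ActiveDirectoryAuthenticationResponseHandler(Period.ofDays(cfg.getPasswordWarningNumberOfDays())));
            Arrays.stream(ActiveDirectoryAuthenticationResponseHandler.ATTRIBUTES).forEach(a -> {
                LOGGER.debug("Configuring authentication to retrieve password policy attribute [{}]", a);
                attributes.put(a, a);
            });
            break;
        case FreeIPA:
            Arrays.stream(FreeIPAAuthenticationResponseHandler.ATTRIBUTES).forEach(a -> {
                LOGGER.debug("Configuring authentication to retrieve password policy attribute [{}]", a);
                attributes.put(a, a);
            });
            handlers.add(new FreeIPAAuthenticationResponseHandler(Period.ofDays(cfg.getPasswordWarningNumberOfDays()), cfg.getLoginFailures()));
            break;
        case EDirectory:
            Arrays.stream(EDirectoryAuthenticationResponseHandler.ATTRIBUTES).forEach(a -> {
                LOGGER.debug("Configuring authentication to retrieve password policy attribute [{}]", a);
                attributes.put(a, a);
            });
            handlers.add(new EDirectoryAuthenticationResponseHandler(Period.ofDays(cfg.getPasswordWarningNumberOfDays())));
            break;
        default:
            // Any other directory type gets the two generic handlers and no extra attributes.
            handlers.add(new PasswordPolicyAuthenticationResponseHandler());
            handlers.add(new PasswordExpirationAuthenticationResponseHandler());
            break;
    }
    authenticator.setAuthenticationResponseHandlers(handlers.toArray(new AuthenticationResponseHandler[0]));
    LOGGER.debug("LDAP authentication response handlers configured are: [{}]", handlers);
    // The warning handler is used only when both the attribute name and its value are configured.
    if (StringUtils.isNotBlank(l.getPasswordPolicy().getWarningAttributeName()) && StringUtils.isNotBlank(l.getPasswordPolicy().getWarningAttributeValue())) {
        final OptionalWarningLdapLdapAccountStateHandler accountHandler = new OptionalWarningLdapLdapAccountStateHandler();
        accountHandler.setDisplayWarningOnMatch(l.getPasswordPolicy().isDisplayWarningOnMatch());
        accountHandler.setWarnAttributeName(l.getPasswordPolicy().getWarningAttributeName());
        accountHandler.setWarningAttributeValue(l.getPasswordPolicy().getWarningAttributeValue());
        accountHandler.setAttributesToErrorMap(l.getPasswordPolicy().getPolicyAttributes());
        cfg.setAccountStateHandler(accountHandler);
        LOGGER.debug("Configuring an warning account state handler for LDAP authentication for warning attribute [{}] and value [{}]", l.getPasswordPolicy().getWarningAttributeName(), l.getPasswordPolicy().getWarningAttributeValue());
    } else {
        final DefaultLdapLdapAccountStateHandler accountHandler = new DefaultLdapLdapAccountStateHandler();
        accountHandler.setAttributesToErrorMap(l.getPasswordPolicy().getPolicyAttributes());
        cfg.setAccountStateHandler(accountHandler);
        LOGGER.debug("Configuring the default account state handler for LDAP authentication");
    }
    return cfg;
}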
Also used : DefaultLdapLdapAccountStateHandler(org.apereo.cas.authentication.support.DefaultLdapLdapAccountStateHandler) PasswordPolicyAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler) PasswordExpirationAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler) ActiveDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler) EDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler) FreeIPAAuthenticationResponseHandler(org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler) OptionalWarningLdapLdapAccountStateHandler(org.apereo.cas.authentication.support.OptionalWarningLdapLdapAccountStateHandler) ActiveDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler) FreeIPAAuthenticationResponseHandler(org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler) AuthenticationResponseHandler(org.ldaptive.auth.AuthenticationResponseHandler) PasswordPolicyAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler) PasswordExpirationAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler) EDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler) LdapPasswordPolicyConfiguration(org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration) HashSet(java.util.HashSet)

Example 3 with PasswordExpirationAuthenticationResponseHandler

use of org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler in project cas by apereo.

the class LdapUtils method createLdapPasswordPolicyConfiguration.

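/**
 * Creates the LDAP password policy context, registers the authentication request and response
 * handlers for the configured directory type on the authenticator, and records the directory
 * attributes those handlers need in {@code attributes}.
 *
 * <p>An optional custom handler class named in the password policy settings is loaded
 * reflectively. The class name is configuration input: it is accepted only if it is a subtype of
 * {@link AuthenticationResponseHandler}, and anything else is rejected before a constructor is
 * invoked. Loading is best effort; on failure a warning is logged and configuration continues
 * with the directory-type handlers only.
 *
 * <p>When account state handling is disabled in the policy, the installed account state handler
 * always returns an empty list.
 *
 * @param passwordPolicy the password policy
 * @param authenticator  the authenticator that receives the request and response handlers
 * @param attributes     multimap that receives the attribute names the handlers read
 * @return the password policy context
 */
public static PasswordPolicyContext createLdapPasswordPolicyConfiguration(final LdapPasswordPolicyProperties passwordPolicy, final Authenticator authenticator, final Multimap<String, Object> attributes) {
    val cfg = new PasswordPolicyContext(passwordPolicy);
    // Explicit element types: a bare "new HashSet<>()" under val infers HashSet<Object>, which
    // defers every type error to the toArray() calls below.
    val requestHandlers = new HashSet<AuthenticationRequestHandler>();
    val responseHandlers = new HashSet<AuthenticationResponseHandler>();
    val customPolicyClass = passwordPolicy.getCustomPolicyClass();
    if (StringUtils.isNotBlank(customPolicyClass)) {
        try {
            LOGGER.debug("Configuration indicates use of a custom password policy handler [{}]", customPolicyClass);
            // asSubclass() verifies the type at runtime. The previous unchecked cast let any class on
            // the classpath be instantiated, and a non-handler object only surfaced later as an
            // ArrayStoreException in toArray(), outside this try block.
            // NOTE(review): Class.forName(String) still loads and initializes the named class before
            // the check; treat this setting as administrator-only input.
            val clazz = Class.forName(customPolicyClass).asSubclass(AuthenticationResponseHandler.class);
            responseHandlers.add(clazz.getDeclaredConstructor().newInstance());
        } catch (final Exception e) {
            // Deliberately non-fatal: authentication is configured without the custom handler.
            LoggingUtils.warn(LOGGER, "Unable to construct an instance of the password policy handler", e);
        }
    }
    LOGGER.debug("Password policy authentication response handler is set to accommodate directory type: [{}]", passwordPolicy.getType());
    switch (passwordPolicy.getType()) {
        case AD:
            responseHandlers.add(new ActiveDirectoryAuthenticationResponseHandler(Period.ofDays(cfg.getPasswordWarningNumberOfDays())));
            Arrays.stream(ActiveDirectoryAuthenticationResponseHandler.ATTRIBUTES).forEach(a -> {
                LOGGER.debug("Configuring authentication to retrieve password policy attribute [{}]", a);
                attributes.put(a, a);
            });
            break;
        case FreeIPA:
            Arrays.stream(FreeIPAAuthenticationResponseHandler.ATTRIBUTES).forEach(a -> {
                LOGGER.debug("Configuring authentication to retrieve password policy attribute [{}]", a);
                attributes.put(a, a);
            });
            responseHandlers.add(new FreeIPAAuthenticationResponseHandler(Period.ofDays(cfg.getPasswordWarningNumberOfDays()), cfg.getLoginFailures()));
            break;
        case EDirectory:
            Arrays.stream(EDirectoryAuthenticationResponseHandler.ATTRIBUTES).forEach(a -> {
                LOGGER.debug("Configuring authentication to retrieve password policy attribute [{}]", a);
                attributes.put(a, a);
            });
            responseHandlers.add(new EDirectoryAuthenticationResponseHandler(Period.ofDays(cfg.getPasswordWarningNumberOfDays())));
            break;
        default:
            // Only this branch registers a request handler alongside the generic response handlers.
            requestHandlers.add(new PasswordPolicyAuthenticationRequestHandler());
            responseHandlers.add(new PasswordPolicyAuthenticationResponseHandler());
            responseHandlers.add(new PasswordExpirationAuthenticationResponseHandler());
            break;
    }
    // Request handlers already set on the authenticator are left untouched when none were added.
    if (!requestHandlers.isEmpty()) {
        authenticator.setRequestHandlers(requestHandlers.toArray(AuthenticationRequestHandler[]::new));
    }
    authenticator.setResponseHandlers(responseHandlers.toArray(AuthenticationResponseHandler[]::new));
    LOGGER.debug("LDAP authentication response handlers configured are: [{}]", responseHandlers);
    if (!passwordPolicy.isAccountStateHandlingEnabled()) {
        // No-op handler: always returns an empty list.
        // NOTE(review): this is only logged at trace level; confirm the setting is visible to
        // operators who expect account state checks to run.
        cfg.setAccountStateHandler((response, configuration) -> new ArrayList<>(0));
        LOGGER.trace("Handling LDAP account states is disabled via CAS configuration");
    } else if (StringUtils.isNotBlank(passwordPolicy.getWarningAttributeName()) && StringUtils.isNotBlank(passwordPolicy.getWarningAttributeValue())) {
        val accountHandler = new OptionalWarningLdapAccountStateHandler();
        accountHandler.setDisplayWarningOnMatch(passwordPolicy.isDisplayWarningOnMatch());
        accountHandler.setWarnAttributeName(passwordPolicy.getWarningAttributeName());
        accountHandler.setWarningAttributeValue(passwordPolicy.getWarningAttributeValue());
        accountHandler.setAttributesToErrorMap(passwordPolicy.getPolicyAttributes());
        cfg.setAccountStateHandler(accountHandler);
        LOGGER.debug("Configuring an warning account state handler for LDAP authentication for warning attribute [{}] and value [{}]", passwordPolicy.getWarningAttributeName(), passwordPolicy.getWarningAttributeValue());
    } else {
        val accountHandler = new DefaultLdapAccountStateHandler();
        accountHandler.setAttributesToErrorMap(passwordPolicy.getPolicyAttributes());
        cfg.setAccountStateHandler(accountHandler);
        LOGGER.debug("Configuring the default account state handler for LDAP authentication");
    }
    return cfg;
}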
Also used : lombok.val(lombok.val) OptionalWarningLdapAccountStateHandler(org.apereo.cas.authentication.support.OptionalWarningLdapAccountStateHandler) DefaultLdapAccountStateHandler(org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler) PasswordPolicyAuthenticationRequestHandler(org.ldaptive.auth.ext.PasswordPolicyAuthenticationRequestHandler) PasswordPolicyAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler) PasswordPolicyContext(org.apereo.cas.authentication.support.password.PasswordPolicyContext) PasswordExpirationAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler) ActiveDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) LdapException(org.ldaptive.LdapException) PasswordPolicyAuthenticationRequestHandler(org.ldaptive.auth.ext.PasswordPolicyAuthenticationRequestHandler) AuthenticationRequestHandler(org.ldaptive.auth.AuthenticationRequestHandler) EDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler) FreeIPAAuthenticationResponseHandler(org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler) FreeIPAAuthenticationResponseHandler(org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler) ActiveDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler) PasswordExpirationAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler) EDirectoryAuthenticationResponseHandler(org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler) AuthenticationResponseHandler(org.ldaptive.auth.AuthenticationResponseHandler) PasswordPolicyAuthenticationResponseHandler(org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler) UtilityClass(lombok.experimental.UtilityClass) HashSet(java.util.HashSet)

Aggregations

HashSet (java.util.HashSet)3 AuthenticationResponseHandler (org.ldaptive.auth.AuthenticationResponseHandler)3 ActiveDirectoryAuthenticationResponseHandler (org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler)3 EDirectoryAuthenticationResponseHandler (org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler)3 FreeIPAAuthenticationResponseHandler (org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler)3 PasswordExpirationAuthenticationResponseHandler (org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler)3 PasswordPolicyAuthenticationResponseHandler (org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler)3 LdapPasswordPolicyConfiguration (org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration)2 AccountNotFoundException (javax.security.auth.login.AccountNotFoundException)1 UtilityClass (lombok.experimental.UtilityClass)1 lombok.val (lombok.val)1 DefaultAccountStateHandler (org.apereo.cas.authentication.support.DefaultAccountStateHandler)1 DefaultLdapAccountStateHandler (org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler)1 DefaultLdapLdapAccountStateHandler (org.apereo.cas.authentication.support.DefaultLdapLdapAccountStateHandler)1 OptionalWarningAccountStateHandler (org.apereo.cas.authentication.support.OptionalWarningAccountStateHandler)1 OptionalWarningLdapAccountStateHandler (org.apereo.cas.authentication.support.OptionalWarningLdapAccountStateHandler)1 OptionalWarningLdapLdapAccountStateHandler (org.apereo.cas.authentication.support.OptionalWarningLdapLdapAccountStateHandler)1 PasswordPolicyContext (org.apereo.cas.authentication.support.password.PasswordPolicyContext)1 LdapException (org.ldaptive.LdapException)1 AuthenticationRequestHandler (org.ldaptive.auth.AuthenticationRequestHandler)1