
Example 1 with AuthProviderFailedException

use of org.neo4j.graphdb.security.AuthProviderFailedException in project neo4j by neo4j.

From class LdapRealm, method doGetAuthorizationInfo:

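/**
 * Looks up authorization info for the given principals through the Shiro LDAP superclass and
 * translates any failure into the Neo4j provider-level exceptions callers expect.
 *
 * <p>On success the lookup is recorded at debug level in the security log. On failure the error
 * is logged and rethrown as {@link AuthProviderTimeoutException} when it is an LDAP read timeout,
 * otherwise as {@link AuthProviderFailedException}; both carry the original exception as cause.
 *
 * @param principals the principals to resolve authorization info for
 * @return the authorization info returned by the superclass
 * @throws AuthProviderTimeoutException if the LDAP read timed out
 * @throws AuthProviderFailedException for any other authorization failure
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    try {
        AuthorizationInfo info = super.doGetAuthorizationInfo(principals);
        securityLog.debug(withRealm("Queried for authorization info for user '%s'", principals.getPrimaryPrincipal()));
        return info;
    } catch (AuthorizationException e) {
        // An AuthorizationException is not guaranteed to carry a cause; dereferencing it blindly
        // would throw a NullPointerException from the logging line and hide the real failure
        // (and skip the timeout/failure translation below).
        Throwable cause = e.getCause();
        String causeMessage = cause == null ? null : cause.getMessage();
        securityLog.error(withRealm("Failed to get authorization info: '%s' caused by '%s'", e.getMessage(), causeMessage));
        if (isAuthorizationExceptionAnLdapReadTimeout(e)) {
            throw new AuthProviderTimeoutException(LDAP_READ_TIMEOUT_CLIENT_MESSAGE, e);
        }
        throw new AuthProviderFailedException(LDAP_AUTHORIZATION_FAILURE_CLIENT_MESSAGE, e);
    }
}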
Also used : AuthorizationException(org.apache.shiro.authz.AuthorizationException) AuthProviderFailedException(org.neo4j.graphdb.security.AuthProviderFailedException) AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) AuthorizationInfo(org.apache.shiro.authz.AuthorizationInfo) SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo)

Example 2 with AuthProviderFailedException

use of org.neo4j.graphdb.security.AuthProviderFailedException in project neo4j by neo4j.

From class AuthorizationEnabledFilter, method doFilter:

/**
 * Enforces HTTP basic authentication on incoming requests before handing them to the rest of
 * the filter chain.
 *
 * <p>{@code OPTIONS} requests and whitelisted paths pass through untouched. Every other request
 * must carry an {@code Authorization} header with a parseable credential; the credential is
 * authenticated and the outcome decides the response: success (or a pending password change on
 * a password-change path) forwards the request wrapped in an {@link AuthorizedRequestWrapper},
 * too many attempts and invalid credentials produce the matching error responses, and provider
 * timeouts/failures are reported without exposing provider details to the client. Failed
 * attempts are logged with the username and remote address only.
 *
 * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
 * @param servletResponse the outgoing response; must be an {@link HttpServletResponse}
 * @param filterChain     the remainder of the chain to invoke once authorized
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    validateRequestType(servletRequest);
    validateResponseType(servletResponse);
    final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

    final String pathInfo = httpRequest.getPathInfo();
    final String requestPath = httpRequest.getContextPath() + (pathInfo == null ? "" : pathInfo);

    // OPTIONS and whitelisted paths bypass authentication entirely.
    // NOTE: if transactions with an access mode should ever be startable on whitelisted URIs,
    //       servletRequest would need to be wrapped in an AuthorizedRequestWrapper here too.
    if (httpRequest.getMethod().equals("OPTIONS") || whitelisted(requestPath)) {
        filterChain.doFilter(servletRequest, servletResponse);
        return;
    }

    final String authHeader = httpRequest.getHeader(HttpHeaders.AUTHORIZATION);
    if (authHeader == null) {
        requestAuthentication(httpRequest, noHeader).accept(httpResponse);
        return;
    }

    final String[] credential = extractCredential(authHeader);
    if (credential == null) {
        badHeader.accept(httpResponse);
        return;
    }
    final String user = credential[0];
    final String secret = credential[1];

    try {
        final SecurityContext securityContext = authenticate(user, secret);
        switch (securityContext.subject().getAuthenticationResult()) {
            case TOO_MANY_ATTEMPTS:
                tooManyAttempts.accept(httpResponse);
                return;
            case PASSWORD_CHANGE_REQUIRED:
                if (!PASSWORD_CHANGE_WHITELIST.matcher(requestPath).matches()) {
                    passwordChangeRequired(user, baseURL(httpRequest)).accept(httpResponse);
                    return;
                }
                // fall through: a pending password change may still reach the password-change paths
            case SUCCESS:
                try {
                    filterChain.doFilter(new AuthorizedRequestWrapper(BASIC_AUTH, user, httpRequest, securityContext), servletResponse);
                } catch (AuthorizationViolationException violation) {
                    // Only the violation message is surfaced to the client.
                    unauthorizedAccess(violation.getMessage()).accept(httpResponse);
                }
                return;
            default:
                // Record the failed attempt for audit; the credential itself is never logged.
                log.warn("Failed authentication attempt for '%s' from %s", user, httpRequest.getRemoteAddr());
                requestAuthentication(httpRequest, invalidCredential).accept(httpResponse);
        }
    } catch (InvalidAuthTokenException invalidToken) {
        requestAuthentication(httpRequest, invalidAuthToken(invalidToken.getMessage())).accept(httpResponse);
    } catch (AuthProviderTimeoutException timeout) {
        authProviderTimeout.accept(httpResponse);
    } catch (AuthProviderFailedException failure) {
        authProviderFailed.accept(httpResponse);
    }
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) SecurityContext(org.neo4j.kernel.api.security.SecurityContext) AuthProviderFailedException(org.neo4j.graphdb.security.AuthProviderFailedException) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) AuthorizationViolationException(org.neo4j.graphdb.security.AuthorizationViolationException) InvalidAuthTokenException(org.neo4j.kernel.api.security.exception.InvalidAuthTokenException)

Aggregations

AuthProviderFailedException (org.neo4j.graphdb.security.AuthProviderFailedException)2 AuthProviderTimeoutException (org.neo4j.graphdb.security.AuthProviderTimeoutException)2 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1 AuthorizationException (org.apache.shiro.authz.AuthorizationException)1 AuthorizationInfo (org.apache.shiro.authz.AuthorizationInfo)1 SimpleAuthorizationInfo (org.apache.shiro.authz.SimpleAuthorizationInfo)1 AuthorizationViolationException (org.neo4j.graphdb.security.AuthorizationViolationException)1 SecurityContext (org.neo4j.kernel.api.security.SecurityContext)1 InvalidAuthTokenException (org.neo4j.kernel.api.security.exception.InvalidAuthTokenException)1