
Example 1 with AuthProviderTimeoutException

use of org.neo4j.graphdb.security.AuthProviderTimeoutException in project neo4j by neo4j.

Class LdapRealm, method doGetAuthorizationInfo.

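/**
 * Looks up authorization info for the given principals via the parent Shiro LDAP realm,
 * translating any {@link AuthorizationException} into a Neo4j auth-provider exception.
 * <p>
 * The detailed failure (Shiro message and the cause's message, if any) goes to the security
 * log only; the exception handed back to the caller carries one of the fixed
 * {@code *_CLIENT_MESSAGE} constants.
 *
 * @param principals the principals to authorize, as supplied by Shiro
 * @return the authorization info returned by the parent realm
 * @throws AuthProviderTimeoutException if the failure is recognised as an LDAP read timeout
 *         (see {@code isAuthorizationExceptionAnLdapReadTimeout})
 * @throws AuthProviderFailedException for any other {@link AuthorizationException}
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    try {
        AuthorizationInfo info = super.doGetAuthorizationInfo(principals);
        securityLog.debug(withRealm("Queried for authorization info for user '%s'", principals.getPrimaryPrincipal()));
        return info;
    } catch (AuthorizationException e) {
        // Shiro does not guarantee that an AuthorizationException carries a cause. Dereferencing a
        // null cause here would turn the log call into a NullPointerException and escape this catch
        // block unwrapped, hiding the real authorization failure from both the log and the caller.
        Throwable cause = e.getCause();
        String causeMessage = cause == null ? "no cause" : cause.getMessage();
        securityLog.error(withRealm("Failed to get authorization info: '%s' caused by '%s'", e.getMessage(), causeMessage));
        if (isAuthorizationExceptionAnLdapReadTimeout(e)) {
            throw new AuthProviderTimeoutException(LDAP_READ_TIMEOUT_CLIENT_MESSAGE, e);
        }
        throw new AuthProviderFailedException(LDAP_AUTHORIZATION_FAILURE_CLIENT_MESSAGE, e);
    }
}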
Also used : AuthorizationException(org.apache.shiro.authz.AuthorizationException) AuthProviderFailedException(org.neo4j.graphdb.security.AuthProviderFailedException) AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) AuthorizationInfo(org.apache.shiro.authz.AuthorizationInfo) SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo)

Example 2 with AuthProviderTimeoutException

use of org.neo4j.graphdb.security.AuthProviderTimeoutException in project neo4j by neo4j.

Class MultiRealmAuthManager, method login.

/**
 * Authenticates the supplied auth token against the configured Shiro security manager and
 * wraps the outcome in an {@link EnterpriseSecurityContext}.
 * <p>
 * Not every failed login is reported as an exception: too many attempts and plain
 * credential failures are returned as a context carrying the corresponding
 * {@code AuthenticationResult}, while malformed tokens and auth-provider timeouts are thrown.
 * Every outcome is recorded in the security log; the principal is passed through
 * {@code escape} before it is logged.
 *
 * @param authToken the raw token map received from the client
 * @return a security context describing the authentication outcome
 * @throws InvalidAuthTokenException if the token scheme is invalid or Shiro rejects the token type
 * @throws AuthProviderTimeoutException if the underlying auth provider timed out
 */
@Override
public EnterpriseSecurityContext login(Map<String, Object> authToken) throws InvalidAuthTokenException {
    ShiroAuthToken shiroToken = new ShiroAuthToken(authToken);
    assertValidScheme(shiroToken);
    try {
        ShiroSubject subject = (ShiroSubject) securityManager.login(null, shiroToken);
        EnterpriseSecurityContext context = new StandardEnterpriseSecurityContext(this, subject);
        if (logSuccessfulLogin) {
            securityLog.info(context, "logged in");
        }
        return context;
    } catch (UnsupportedTokenException e) {
        securityLog.error("Unknown user failed to log in: %s", e.getMessage());
        Throwable rootCause = e.getCause();
        // NOTE(review): the token's toString() becomes part of the client-facing message here and
        // below -- confirm ShiroAuthToken.toString() does not include credential material.
        if (rootCause instanceof InvalidAuthTokenException) {
            throw new InvalidAuthTokenException(rootCause.getMessage() + ": " + shiroToken);
        }
        throw invalidToken(": " + shiroToken);
    } catch (ExcessiveAttemptsException e) {
        // NOTE: We only get this with single (internal) realm authentication
        EnterpriseSecurityContext lockedOut = securityContextWithResult(AuthenticationResult.TOO_MANY_ATTEMPTS);
        securityLog.error("[%s]: failed to log in: too many failed attempts", escape(shiroToken.getPrincipal().toString()));
        return lockedOut;
    } catch (AuthenticationException e) {
        Throwable rootCause = e.getCause();
        if (rootCause instanceof AuthProviderTimeoutException) {
            // A provider timeout is surfaced to the caller rather than reported as bad credentials.
            securityLog.error("[%s]: failed to log in: auth server timeout", escape(shiroToken.getPrincipal().toString()));
            throw new AuthProviderTimeoutException(rootCause.getMessage(), rootCause);
        }
        EnterpriseSecurityContext rejected = securityContextWithResult(AuthenticationResult.FAILURE);
        securityLog.error("[%s]: failed to log in: invalid principal or credentials", escape(shiroToken.getPrincipal().toString()));
        return rejected;
    }
}

/** Builds a context for a subject that did not authenticate, tagged with the given result. */
private EnterpriseSecurityContext securityContextWithResult(AuthenticationResult result) {
    return new StandardEnterpriseSecurityContext(this, new ShiroSubject(securityManager, result));
}
Also used : EnterpriseSecurityContext(org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext) AuthenticationException(org.apache.shiro.authc.AuthenticationException) ExcessiveAttemptsException(org.apache.shiro.authc.ExcessiveAttemptsException) AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) UnsupportedTokenException(org.apache.shiro.authc.pam.UnsupportedTokenException) InvalidAuthTokenException(org.neo4j.kernel.api.security.exception.InvalidAuthTokenException)

Example 3 with AuthProviderTimeoutException

use of org.neo4j.graphdb.security.AuthProviderTimeoutException in project neo4j by neo4j.

Class LdapRealm, method queryForAuthenticationInfo.

/**
 * Authenticates the token against the LDAP server, optionally over StartTLS.
 * <p>
 * When authentication is disabled for this realm the method returns {@code null} without
 * contacting the server. On failure the raw error text is written to the security log, and
 * timeouts are converted into {@link AuthProviderTimeoutException}s carrying a fixed
 * client message; every other exception is rethrown unchanged.
 *
 * @param token              the credentials to authenticate
 * @param ldapContextFactory factory for the LDAP context; expected to be a JndiLdapContextFactory
 * @return the authentication info, or {@code null} if authentication is disabled
 * @throws NamingException              propagated from the LDAP lookup
 * @throws AuthProviderTimeoutException if the connection or the read timed out
 */
@Override
protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
    if (!authenticationEnabled) {
        return null;
    }
    String serverString = server((JndiLdapContextFactory) ldapContextFactory);
    try {
        AuthenticationInfo info;
        if (useStartTls) {
            info = queryForAuthenticationInfoUsingStartTls(token, ldapContextFactory);
        } else {
            info = super.queryForAuthenticationInfo(token, ldapContextFactory);
        }
        securityLog.debug(withRealm("Authenticated user '%s' against %s", token.getPrincipal(), serverString));
        return info;
    } catch (Exception e) {
        // The provider's own message stays in the security log; callers only see the fixed constants below.
        securityLog.error(withRealm("Failed to authenticate user '%s' against %s: %s", token.getPrincipal(), serverString, e.getMessage()));
        if (isExceptionAnLdapConnectionTimeout(e)) {
            securityLog.error(withRealm("LDAP connection to %s timed out.", serverString));
            throw new AuthProviderTimeoutException(LDAP_CONNECTION_TIMEOUT_CLIENT_MESSAGE, e);
        }
        if (isExceptionAnLdapReadTimeout(e)) {
            securityLog.error(withRealm("LDAP response from %s timed out.", serverString));
            throw new AuthProviderTimeoutException(LDAP_READ_TIMEOUT_CLIENT_MESSAGE, e);
        }
        // This exception will be caught and rethrown by Shiro, and then by us, so we do not need to wrap it here
        throw e;
    }
}
Also used : AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) AuthenticationInfo(org.apache.shiro.authc.AuthenticationInfo) NamingException(javax.naming.NamingException) InvalidAuthTokenException(org.neo4j.kernel.api.security.exception.InvalidAuthTokenException) AuthorizationExpiredException(org.neo4j.graphdb.security.AuthorizationExpiredException) SocketTimeoutException(java.net.SocketTimeoutException) AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) IOException(java.io.IOException) AuthProviderFailedException(org.neo4j.graphdb.security.AuthProviderFailedException) AuthorizationException(org.apache.shiro.authz.AuthorizationException) CommunicationException(javax.naming.CommunicationException)

Example 4 with AuthProviderTimeoutException

use of org.neo4j.graphdb.security.AuthProviderTimeoutException in project neo4j by neo4j.

Class AuthorizationEnabledFilter, method doFilter.

/**
 * Enforces HTTP Basic authentication on every request that is neither an OPTIONS
 * preflight nor on the whitelist.
 * <p>
 * A missing or malformed {@code Authorization} header is answered immediately. Otherwise
 * the credentials are authenticated and the chain continues inside an
 * {@code AuthorizedRequestWrapper} for successful logins (and for password-change-required
 * logins on the password-change whitelist). Failed attempts are logged with the username
 * and remote address, and auth-provider errors map to dedicated responses.
 *
 * @param servletRequest  the incoming request; must be an HttpServletRequest
 * @param servletResponse the outgoing response; must be an HttpServletResponse
 * @param filterChain     the remainder of the filter chain
 * @throws IOException      propagated from the chain or the response
 * @throws ServletException propagated from the chain or the type validation
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    validateRequestType(servletRequest);
    validateResponseType(servletResponse);
    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    final String path = pathWithContext(request);

    if (request.getMethod().equals("OPTIONS") || whitelisted(path)) {
        // NOTE: If starting transactions with access mode on whitelisted uris should be possible we need to
        //       wrap servletRequest in an AuthorizedRequestWarpper here
        filterChain.doFilter(servletRequest, servletResponse);
        return;
    }

    final String authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
    if (authorizationHeader == null) {
        requestAuthentication(request, noHeader).accept(response);
        return;
    }
    // extractCredential yields null for a header it cannot parse; that is answered as a bad header,
    // not as a failed login.
    final String[] credential = extractCredential(authorizationHeader);
    if (credential == null) {
        badHeader.accept(response);
        return;
    }
    final String username = credential[0];
    final String password = credential[1];

    try {
        SecurityContext context = authenticate(username, password);
        switch (context.subject().getAuthenticationResult()) {
            case PASSWORD_CHANGE_REQUIRED:
                if (!PASSWORD_CHANGE_WHITELIST.matcher(path).matches()) {
                    passwordChangeRequired(username, baseURL(request)).accept(response);
                    return;
                }
            // fall through: the password-change endpoints themselves are reachable
            case SUCCESS:
                try {
                    filterChain.doFilter(new AuthorizedRequestWrapper(BASIC_AUTH, username, request, context), servletResponse);
                } catch (AuthorizationViolationException e) {
                    unauthorizedAccess(e.getMessage()).accept(response);
                }
                return;
            case TOO_MANY_ATTEMPTS:
                tooManyAttempts.accept(response);
                return;
            default:
                // Record who failed and from where; the password itself is never logged.
                log.warn("Failed authentication attempt for '%s' from %s", username, request.getRemoteAddr());
                requestAuthentication(request, invalidCredential).accept(response);
        }
    } catch (InvalidAuthTokenException e) {
        requestAuthentication(request, invalidAuthToken(e.getMessage())).accept(response);
    } catch (AuthProviderTimeoutException e) {
        authProviderTimeout.accept(response);
    } catch (AuthProviderFailedException e) {
        authProviderFailed.accept(response);
    }
}

/** Context path plus path info, with a null path info treated as empty. */
private static String pathWithContext(HttpServletRequest request) {
    String pathInfo = request.getPathInfo();
    return request.getContextPath() + (pathInfo == null ? "" : pathInfo);
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) SecurityContext(org.neo4j.kernel.api.security.SecurityContext) AuthProviderFailedException(org.neo4j.graphdb.security.AuthProviderFailedException) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) AuthorizationViolationException(org.neo4j.graphdb.security.AuthorizationViolationException) InvalidAuthTokenException(org.neo4j.kernel.api.security.exception.InvalidAuthTokenException)
