use of org.neo4j.kernel.api.security.exception.InvalidAuthTokenException in project neo4j by neo4j.
the class BasicAuthentication method update.
/**
 * Authenticates the caller with {@code authToken} and, if that succeeds, replaces the
 * principal's password with the token's NEW_CREDENTIALS value.
 *
 * @param authToken              auth token map carrying at least PRINCIPAL and NEW_CREDENTIALS
 * @param requiresPasswordChange passed through to the user manager when the new password is stored
 *                               (presumably it governs future logins of the stored user — verify against UserManager)
 * @return a {@link BasicAuthenticationResult} over the authenticated security context
 * @throws AuthenticationException with {@code Status.Security.Unauthorized} when the login result is
 *         neither SUCCESS nor PASSWORD_CHANGE_REQUIRED, or when the password update fails with an I/O error;
 *         with the originating status when the token is invalid, the arguments are rejected, or an
 *         authorization violation is raised
 */
private AuthenticationResult update(Map<String, Object> authToken, boolean requiresPasswordChange) throws AuthenticationException {
    try {
        SecurityContext securityContext = authManager.login(authToken);
        // Only an authenticated subject may rotate its password. PASSWORD_CHANGE_REQUIRED counts as
        // authenticated here because this call is exactly what clears that state.
        boolean authenticated;
        switch (securityContext.subject().getAuthenticationResult()) {
            case SUCCESS:
            case PASSWORD_CHANGE_REQUIRED:
                authenticated = true;
                break;
            default:
                authenticated = false;
                break;
        }
        if (!authenticated) {
            throw new AuthenticationException(Status.Security.Unauthorized);
        }
        String newPassword = AuthToken.safeCast(NEW_CREDENTIALS, authToken);
        String username = AuthToken.safeCast(PRINCIPAL, authToken);
        userManagerSupplier.getUserManager(securityContext).setUserPassword(username, newPassword, requiresPasswordChange);
        // The live subject is marked as no longer needing a change irrespective of requiresPasswordChange.
        securityContext.subject().setPasswordChangeNoLongerRequired();
        return new BasicAuthenticationResult(securityContext);
    } catch (AuthorizationViolationException | InvalidArgumentsException | InvalidAuthTokenException e) {
        // These carry their own Status; surface it rather than flattening everything to Unauthorized.
        throw new AuthenticationException(e.status(), e.getMessage(), e);
    } catch (IOException e) {
        throw new AuthenticationException(Status.Security.Unauthorized, e.getMessage(), e);
    }
}
use of org.neo4j.kernel.api.security.exception.InvalidAuthTokenException in project neo4j by neo4j.
the class MultiRealmAuthManager method login.
/**
 * Logs a client in through the Shiro security manager and translates the outcome into an
 * {@link EnterpriseSecurityContext}, recording every attempt in the security log.
 *
 * The failure modes are deliberately asymmetric: a malformed token is reported to the caller as an
 * exception, an auth-provider timeout is re-thrown so the client can retry, while wrong credentials
 * and lock-outs are returned as a context whose subject carries FAILURE or TOO_MANY_ATTEMPTS.
 *
 * @param authToken raw auth token map as supplied by the client
 * @return the security context; never null
 * @throws InvalidAuthTokenException if the token is rejected by scheme validation or is unsupported by every realm
 * @throws AuthProviderTimeoutException (unchecked) if a realm's backing auth server timed out; recognised via
 *         the cause of Shiro's AuthenticationException
 */
@Override
public EnterpriseSecurityContext login(Map<String, Object> authToken) throws InvalidAuthTokenException {
    ShiroAuthToken token = new ShiroAuthToken(authToken);
    assertValidScheme(token);
    try {
        ShiroSubject subject = (ShiroSubject) securityManager.login(null, token);
        EnterpriseSecurityContext context = new StandardEnterpriseSecurityContext(this, subject);
        if (logSuccessfulLogin) {
            securityLog.info(context, "logged in");
        }
        return context;
    } catch (UnsupportedTokenException e) {
        securityLog.error("Unknown user failed to log in: %s", e.getMessage());
        Throwable cause = e.getCause();
        // NOTE(review): the token's string form is embedded in a client-facing exception message; this relies
        // on ShiroAuthToken.toString() not rendering the credentials — confirm before changing that toString().
        if (cause instanceof InvalidAuthTokenException) {
            throw new InvalidAuthTokenException(cause.getMessage() + ": " + token);
        }
        throw invalidToken(": " + token);
    } catch (ExcessiveAttemptsException e) {
        // NOTE: We only get this with single (internal) realm authentication
        EnterpriseSecurityContext lockedOut = new StandardEnterpriseSecurityContext(this,
                new ShiroSubject(securityManager, AuthenticationResult.TOO_MANY_ATTEMPTS));
        // The principal is client-supplied; escape() keeps it from forging extra lines in the security log.
        // Assumes getPrincipal() is non-null once assertValidScheme has passed — TODO confirm.
        securityLog.error("[%s]: failed to log in: too many failed attempts", escape(token.getPrincipal().toString()));
        return lockedOut;
    } catch (AuthenticationException e) {
        Throwable cause = e.getCause();
        if (cause instanceof AuthProviderTimeoutException) {
            securityLog.error("[%s]: failed to log in: auth server timeout", escape(token.getPrincipal().toString()));
            throw new AuthProviderTimeoutException(cause.getMessage(), cause);
        }
        // Unknown user and wrong password are collapsed into one message on purpose: no user enumeration via the log.
        EnterpriseSecurityContext rejected = new StandardEnterpriseSecurityContext(this,
                new ShiroSubject(securityManager, AuthenticationResult.FAILURE));
        securityLog.error("[%s]: failed to log in: invalid principal or credentials", escape(token.getPrincipal().toString()));
        return rejected;
    }
}
use of org.neo4j.kernel.api.security.exception.InvalidAuthTokenException in project neo4j by neo4j.
the class PluginRealm method doGetAuthenticationInfo.
/**
 * Authenticates a {@link ShiroAuthToken} through whichever plugin this realm wraps; a combined
 * authentication-and-authorization plugin takes precedence over a pure authentication plugin.
 *
 * @param token the Shiro token; anything that is not a ShiroAuthToken is not ours and yields null
 * @return cacheable auth info, or null when no plugin is configured, the plugin declined (returned null),
 *         or the token type is foreign
 * @throws AuthenticationException wrapping a plugin-API AuthenticationException or an invalid token
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    if (!(token instanceof ShiroAuthToken)) {
        return null;
    }
    try {
        AuthToken pluginAuthToken = PluginApiAuthToken.createFromMap(((ShiroAuthToken) token).getAuthTokenMap());
        if (authPlugin != null) {
            AuthInfo authInfo = authPlugin.authenticateAndAuthorize(pluginAuthToken);
            if (authInfo == null) {
                return null;
            }
            // Cached under a hash produced by secureHasher; the roles are pushed into the authorization
            // cache as well so a later authorization lookup does not have to call the plugin again.
            PluginAuthInfo cacheable = PluginAuthInfo.createCacheable(authInfo, getName(), secureHasher);
            cacheAuthorizationInfo(cacheable);
            return cacheable;
        }
        if (authenticationPlugin != null) {
            org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationInfo authenticationInfo =
                    authenticationPlugin.authenticate(pluginAuthToken);
            if (authenticationInfo == null) {
                return null;
            }
            return PluginAuthenticationInfo.createCacheable(authenticationInfo, getName(), secureHasher);
        }
        return null;
    } catch (org.neo4j.server.security.enterprise.auth.plugin.api.AuthenticationException | InvalidAuthTokenException e) {
        // Deliberately wraps the plugin exception's *cause*, not the exception itself: MultiRealmAuthManager.login
        // inspects getCause() for AuthProviderTimeoutException, so a plugin timeout has to sit one level up.
        // The trade-off is that the plugin exception's own stack trace is dropped.
        throw new AuthenticationException(e.getMessage(), e.getCause());
    }
}
use of org.neo4j.kernel.api.security.exception.InvalidAuthTokenException in project neo4j by neo4j.
the class InternalFlatFileRealm method doGetAuthenticationInfo.
/**
 * Authenticates a principal/credentials pair against the flat-file user repository.
 *
 * @param token a ShiroAuthToken carrying PRINCIPAL and CREDENTIALS in its token map
 * @return authentication info without stored credentials, or null when authentication is disabled
 * @throws UnsupportedTokenException    if PRINCIPAL or CREDENTIALS are missing or of the wrong type
 * @throws UnknownAccountException      if no such user exists
 * @throws IncorrectCredentialsException if the password does not match
 * @throws ExcessiveAttemptsException   if the authentication strategy has rate-limited this user
 * @throws DisabledAccountException     if the user is suspended
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    if (!authenticationEnabled) {
        return null;
    }
    // NOTE(review): unchecked cast — a foreign token type surfaces as ClassCastException rather than
    // UnsupportedTokenException (PluginRealm guards with instanceof). Presumably supports() filters first; confirm.
    ShiroAuthToken shiroAuthToken = (ShiroAuthToken) token;
    final String username;
    final String password;
    try {
        username = AuthToken.safeCast(AuthToken.PRINCIPAL, shiroAuthToken.getAuthTokenMap());
        password = AuthToken.safeCast(AuthToken.CREDENTIALS, shiroAuthToken.getAuthTokenMap());
    } catch (InvalidAuthTokenException e) {
        throw new UnsupportedTokenException(e);
    }
    User user = userRepository.getUserByName(username);
    if (user == null) {
        // NOTE(review): this returns before any credential check runs, so unknown vs. known usernames remain
        // distinguishable by response time even though MultiRealmAuthManager collapses both into one message.
        throw new UnknownAccountException();
    }
    // The strategy is what applies rate limiting, hence TOO_MANY_ATTEMPTS comes back from here.
    AuthenticationResult result = authenticationStrategy.authenticate(user, password);
    switch (result) {
        case FAILURE:
            throw new IncorrectCredentialsException();
        case TOO_MANY_ATTEMPTS:
            throw new ExcessiveAttemptsException();
        default:
            break;
    }
    // Suspension is only reported after the credentials were accepted (and rate limited), so a wrong
    // password against a suspended account looks like any other wrong password.
    if (user.hasFlag(InternalFlatFileRealm.IS_SUSPENDED)) {
        throw new DisabledAccountException("User '" + user.name() + "' is suspended.");
    }
    if (user.passwordChangeRequired()) {
        result = AuthenticationResult.PASSWORD_CHANGE_REQUIRED;
    }
    // The credentials have already been verified by the strategy above, so the AuthenticationInfo
    // deliberately carries no (hashed) credentials for Shiro to re-check or cache.
    return new ShiroAuthenticationInfo(user.name(), getName(), result);
}
use of org.neo4j.kernel.api.security.exception.InvalidAuthTokenException in project neo4j by neo4j.
the class AuthorizationEnabledFilter method doFilter.
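/**
 * Enforces HTTP Basic authentication on every request that is neither an OPTIONS request nor on a
 * whitelisted path, then hands authenticated requests down the chain wrapped in an
 * {@link AuthorizedRequestWrapper}.
 *
 * Response handling: no header → challenge; unparsable header → bad-header response; wrong
 * credentials → challenge (and a security log entry); lock-out → too-many-attempts response;
 * invalid token / provider timeout / provider failure → the matching error response.
 *
 * @param servletRequest  must be an HttpServletRequest (validated by validateRequestType)
 * @param servletResponse must be an HttpServletResponse (validated by validateResponseType)
 * @param filterChain     the downstream chain, invoked only for whitelisted or authenticated requests
 * @throws IOException      from the downstream chain or response writers
 * @throws ServletException from the downstream chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    validateRequestType(servletRequest);
    validateResponseType(servletResponse);
    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    String userAgent = request.getHeader(HttpHeaders.USER_AGENT);
    // username is only known after authentication, make connection aware of the user-agent
    JettyHttpConnection.updateUserForCurrentConnection(null, userAgent);
    final String path = request.getContextPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
    if (request.getMethod().equals("OPTIONS") || whitelisted(path)) {
        // NOTE: If starting transactions with access mode on whitelisted uris should be possible we need to
        // wrap servletRequest in an AuthorizedRequestWrapper here
        filterChain.doFilter(servletRequest, servletResponse);
        return;
    }
    final String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    if (header == null) {
        requestAuthentication(request, noHeader).accept(response);
        return;
    }
    final String[] usernameAndPassword = extractCredential(header);
    if (usernameAndPassword == null) {
        badHeader.accept(response);
        return;
    }
    final String username = usernameAndPassword[0];
    final String password = usernameAndPassword[1];
    try {
        ClientConnectionInfo connectionInfo = HttpConnectionInfoFactory.create(request);
        LoginContext securityContext = authenticate(username, password, connectionInfo);
        // username is now known, make connection aware of both username and user-agent
        JettyHttpConnection.updateUserForCurrentConnection(username, userAgent);
        switch (securityContext.subject().getAuthenticationResult()) {
            case PASSWORD_CHANGE_REQUIRED:
                // A subject that must change its password is still let through here; the original comment
                // states that anything other than changing one's own password is then rejected server side
                // (enforced outside this filter — confirm).
            case SUCCESS:
                try {
                    filterChain.doFilter(new AuthorizedRequestWrapper(BASIC_AUTH, username, request, securityContext), servletResponse);
                } catch (AuthorizationViolationException e) {
                    unauthorizedAccess(e.getMessage()).accept(response);
                }
                return;
            case TOO_MANY_ATTEMPTS:
                tooManyAttempts.accept(response);
                return;
            default:
                // The username is taken verbatim from the Authorization header, so strip control characters
                // (CR/LF in particular) before logging it: a crafted value must not be able to forge extra
                // log lines. This mirrors the escape() applied to principals in the security log elsewhere.
                log.warn("Failed authentication attempt for '%s' from %s", sanitizeForLog(username), request.getRemoteAddr());
                requestAuthentication(request, invalidCredential).accept(response);
        }
    } catch (InvalidAuthTokenException e) {
        requestAuthentication(request, invalidAuthToken(e.getMessage())).accept(response);
    } catch (AuthProviderTimeoutException e) {
        authProviderTimeout.accept(response);
    } catch (AuthProviderFailedException e) {
        authProviderFailed.accept(response);
    }
}

/**
 * Replaces every control character (including CR and LF) in a client-supplied value with '?' so the
 * value can be written into a single log line without enabling log forging.
 *
 * @param value the untrusted text; null is rendered as the literal "null", as String.format would
 * @return the sanitized text
 */
private static String sanitizeForLog(String value) {
    if (value == null) {
        return "null";
    }
    return value.replaceAll("\\p{Cntrl}", "?");
}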