Examples with Authentication org.olat.basesecurity.Authentication used on opensource projects

Example 16 with Authentication

use of org.olat.basesecurity.Authentication in project OpenOLAT by OpenOLAT.

the class UserModule method isPwdChangeAllowed.

/**
 * checks whether the given identity is allowed to change it's own password.
 * default settings (olat.properties) :
 * <ul>
 *  <li>LDAP-user are not allowed to change their pw</li>
 *  <li>other users are allowed to change their pw</li>
 * </ul>
 *
 * @param id
 * @return
 */
public boolean isPwdChangeAllowed(Identity id) {
    if (id == null) {
        return isAnyPasswordChangeAllowed();
    }
    // if this is set to false, nobody can change their password
    if (!pwdchangeallowed) {
        return false;
    }
    // call to CoreSpringFactory to break dependencies cycles
    // (the method will only be called with a running application)
    // check if the user has an OLAT provider token, otherwise a password change makes no sense
    Authentication auth = CoreSpringFactory.getImpl(BaseSecurity.class).findAuthentication(id, BaseSecurityModule.getDefaultAuthProviderIdentifier());
    if (auth == null && !pwdChangeWithoutAuthenticationAllowed) {
        return false;
    }
    LDAPLoginManager ldapLoginManager = CoreSpringFactory.getImpl(LDAPLoginManager.class);
    if (ldapLoginManager.isIdentityInLDAPSecGroup(id)) {
        // it's an ldap-user
        return CoreSpringFactory.getImpl(LDAPLoginModule.class).isPropagatePasswordChangedOnLdapServer();
    }
    return pwdchangeallowed;
}

Example 17 with Authentication

use of org.olat.basesecurity.Authentication in project OpenOLAT by OpenOLAT.

the class LDAPLoginManagerImpl method findIdentityByLdapAuthentication.

/**
 * Searches for Identity in OLAT.
 *
 * @param uid Name of Identity
 * @param errors LDAPError Object if user exits but not member of
 *          LDAPSecurityGroup
 *
 * @return Identity if it's found and member of LDAPSecurityGroup, null
 *         otherwise (if user exists but not managed by LDAP, error Object is
 *         modified)
 */
@Override
public Identity findIdentityByLdapAuthentication(Attributes attrs, LDAPError errors) {
    if (attrs == null) {
        errors.insert("findIdentyByLdapAuthentication: attrs::null");
        return null;
    }
    String uid = getAttributeValue(attrs.get(syncConfiguration.getOlatPropertyToLdapAttribute(LDAPConstants.LDAP_USER_IDENTIFYER)));
    String token = getAttributeValue(attrs.get(syncConfiguration.getLdapUserLoginAttribute()));
    Identity identity = securityManager.findIdentityByNameCaseInsensitive(uid);
    if (identity == null) {
        return null;
    } else {
        SecurityGroup ldapGroup = securityManager.findSecurityGroupByName(LDAPConstants.SECURITY_GROUP_LDAP);
        if (ldapGroup == null) {
            log.error("Error getting user from OLAT security group '" + LDAPConstants.SECURITY_GROUP_LDAP + "' : group does not exist", null);
            return null;
        }
        boolean inSecurityGroup = securityManager.isIdentityInSecurityGroup(identity, ldapGroup);
        if (inSecurityGroup) {
            Authentication ldapAuth = securityManager.findAuthentication(identity, LDAPAuthenticationController.PROVIDER_LDAP);
            if (ldapAuth == null) {
                // BUG Fixe: update the user and test if it has a ldap provider
                securityManager.createAndPersistAuthentication(identity, LDAPAuthenticationController.PROVIDER_LDAP, token, null, null);
            } else if (StringHelper.containsNonWhitespace(token) && !token.equals(ldapAuth.getAuthusername())) {
                ldapAuth.setAuthusername(token);
                ldapAuth = securityManager.updateAuthentication(ldapAuth);
            }
            return identity;
        } else if (ldapLoginModule.isConvertExistingLocalUsersToLDAPUsers()) {
            // Add user to LDAP security group and add the ldap provider
            securityManager.createAndPersistAuthentication(identity, LDAPAuthenticationController.PROVIDER_LDAP, token, null, null);
            securityManager.addIdentityToSecurityGroup(identity, ldapGroup);
            log.info("Found identity by LDAP username that was not yet in LDAP security group. Converted user::" + uid + " to be an LDAP managed user");
            return identity;
        } else {
            errors.insert("findIdentyByLdapAuthentication: User with username::" + uid + " exist but not Managed by LDAP");
            return null;
        }
    }
}

Example 18 with Authentication

use of org.olat.basesecurity.Authentication in project OpenOLAT by OpenOLAT.

the class LDAPLoginManagerImpl method removeFallBackAuthentications.

/**
 * remove all cached authentications for fallback-login. useful if users logged in first with a default pw and changed it outside in AD/LDAP, but OLAT doesn't know about.
 * removing fallback-auths means login is only possible by AD/LDAP and if server is reachable!
 * see FXOLAT-284
 */
@Override
public void removeFallBackAuthentications() {
    if (ldapLoginModule.isCacheLDAPPwdAsOLATPwdOnLogin()) {
        SecurityGroup ldapGroup = securityManager.findSecurityGroupByName(LDAPConstants.SECURITY_GROUP_LDAP);
        if (ldapGroup == null) {
            log.error("Cannot get user from OLAT security group '" + LDAPConstants.SECURITY_GROUP_LDAP + "' : group does not exist", null);
        }
        List<Identity> ldapIdents = securityManager.getIdentitiesOfSecurityGroup(ldapGroup);
        log.info("found " + ldapIdents.size() + " identies in ldap security group");
        int count = 0;
        for (Identity identity : ldapIdents) {
            Authentication auth = securityManager.findAuthentication(identity, BaseSecurityModule.getDefaultAuthProviderIdentifier());
            if (auth != null) {
                securityManager.deleteAuthentication(auth);
                count++;
            }
            if (count % 20 == 0) {
                dbInstance.intermediateCommit();
            }
        }
        log.info("removed cached authentications (fallback login provider: " + BaseSecurityModule.getDefaultAuthProviderIdentifier() + ") for " + count + " users.");
    }
}

Example 19 with Authentication

use of org.olat.basesecurity.Authentication in project OpenOLAT by OpenOLAT.

the class OLATAuthManager method changePassword.

/**
 * Change the password of an identity. if the given identity is a LDAP-User,
 * the pw-change is propagated to LDAP (according to config) NOTE: caller of
 * this method should check if identity is allowed to change it's own pw [
 * UserModule.isPwdchangeallowed(Identity ident) ], applies only if doer
 * equals identity
 *
 * @param doer
 *            Identity who is changing the password
 * @param identity
 *            Identity who's password is beeing changed.
 * @param newPwd
 *            New password.
 * @return True upon success.
 */
public boolean changePassword(Identity doer, Identity identity, String newPwd) {
    if (doer == null)
        throw new AssertException("password changing identity cannot be undefined!");
    if (identity.getKey() == null)
        throw new AssertException("cannot change password on a nonpersisted identity");
    // o_clusterREVIEW
    identity = securityManager.loadIdentityByKey(identity.getKey());
    boolean allOk = false;
    Authentication ldapAuth = securityManager.findAuthentication(identity, LDAPAuthenticationController.PROVIDER_LDAP);
    if (ldapAuth != null) {
        if (ldapLoginModule.isPropagatePasswordChangedOnLdapServer()) {
            LDAPError ldapError = new LDAPError();
            ldapLoginManager.changePassword(identity, newPwd, ldapError);
            log.audit(doer.getName() + " change the password on the LDAP server for identity: " + identity.getName());
            allOk = ldapError.isEmpty();
            if (allOk && ldapLoginModule.isCacheLDAPPwdAsOLATPwdOnLogin()) {
                allOk &= changeOlatPassword(doer, identity, identity.getName(), newPwd);
            }
        }
    } else {
        allOk = changeOlatPassword(doer, identity, identity.getName(), newPwd);
    }
    if (allOk) {
        sendConfirmationEmail(doer, identity);
        // remove
        try {
            loginModule.clearFailedLoginAttempts(identity.getName());
            loginModule.clearFailedLoginAttempts(identity.getUser().getEmail());
        } catch (Exception e) {
            log.error("", e);
        }
    }
    return allOk;
}

Example 20 with Authentication

use of org.olat.basesecurity.Authentication in project OpenOLAT by OpenOLAT.

the class OLATAuthManager method authenticate.

/**
 * @param identity
 * @param password
 * @param provider
 * @return
 */
@Override
public Identity authenticate(Identity ident, String login, String password) {
    Authentication authentication;
    if (ident == null) {
        // check for email instead of username if ident is null
        if (loginModule.isAllowLoginUsingEmail()) {
            if (MailHelper.isValidEmailAddress(login)) {
                List<Identity> identities = userManager.findIdentitiesByEmail(Collections.singletonList(login));
                // check for email changed with verification workflow
                if (identities.size() == 1) {
                    ident = identities.get(0);
                } else if (identities.size() > 1) {
                    logError("more than one identity found with email::" + login, null);
                }
                if (ident == null) {
                    ident = findIdentInChangingEmailWorkflow(login);
                }
            }
        }
        if (ident == null) {
            authentication = securityManager.findAuthenticationByAuthusername(login, "OLAT");
        } else {
            authentication = securityManager.findAuthentication(ident, "OLAT");
        }
    } else {
        authentication = securityManager.findAuthentication(ident, "OLAT");
    }
    if (authentication == null) {
        log.audit("Cannot authenticate user " + login + " via provider OLAT", OLATAuthenticationController.class.getName());
        return null;
    }
    // find OLAT authentication provider
    if (securityManager.checkCredentials(authentication, password)) {
        Algorithm algorithm = Algorithm.find(authentication.getAlgorithm());
        if (Algorithm.md5.equals(algorithm)) {
            Algorithm defAlgorithm = loginModule.getDefaultHashAlgorithm();
            authentication = securityManager.updateCredentials(authentication, password, defAlgorithm);
        }
        Identity identity = authentication.getIdentity();
        if (identity != null && webDAVAuthManager != null) {
            webDAVAuthManager.upgradePassword(identity, login, password);
        }
        return identity;
    }
    log.audit("Cannot authenticate user " + login + " via provider OLAT", OLATAuthenticationController.class.getName());
    return null;
}