use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.
the class LDAPAuthenticationRequest method authenticateUserImpl.
private AuthenticationResult authenticateUserImpl(final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
if (startTime == null) {
startTime = new Date();
}
log(PwmLogLevel.DEBUG, "preparing to authenticate user using authenticationType=" + this.requestedAuthType + " using strategy " + this.strategy);
final StatisticsManager statisticsManager = pwmApplication.getStatisticsManager();
final IntruderManager intruderManager = pwmApplication.getIntruderManager();
intruderManager.convenience().checkUserIdentity(userIdentity);
intruderManager.check(RecordType.ADDRESS, sessionLabel.getSrcAddress());
// verify user is not account disabled
AuthenticationUtility.checkIfUserEligibleToAuthentication(pwmApplication, userIdentity);
boolean allowBindAsUser = true;
if (strategy == AuthenticationStrategy.ADMIN_PROXY) {
allowBindAsUser = false;
}
if (allowBindAsUser) {
try {
testCredentials(userIdentity, password);
} catch (PwmOperationalException e) {
boolean permitAuthDespiteError = false;
final DirectoryVendor vendor = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID()).getDirectoryVendor();
if (PwmError.PASSWORD_NEW_PASSWORD_REQUIRED == e.getError()) {
if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'must change password on next login AD error', error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
} else if (vendor == DirectoryVendor.ORACLE_DS) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'pwdReset' user attribute, error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
}
} else if (PwmError.PASSWORD_EXPIRED == e.getError()) {
// handle ad case where password is expired
if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_EXPIRED)) {
throw e;
}
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'password expired AD error', error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
}
}
if (!permitAuthDespiteError) {
// auth failed, presumably due to wrong password.
statisticsManager.incrementValue(Statistic.AUTHENTICATION_FAILURES);
throw e;
}
}
}
statisticsManager.incrementValue(Statistic.AUTHENTICATIONS);
statisticsManager.updateEps(EpsStatistic.AUTHENTICATION, 1);
statisticsManager.updateAverageValue(Statistic.AVG_AUTHENTICATION_TIME, TimeDuration.fromCurrent(startTime).getTotalMilliseconds());
final AuthenticationType returnAuthType;
if (!allowBindAsUser) {
returnAuthType = AuthenticationType.AUTH_BIND_INHIBIT;
} else {
if (requestedAuthType == null) {
returnAuthType = AuthenticationType.AUTHENTICATED;
} else {
if (requestedAuthType == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
returnAuthType = AuthenticationType.AUTHENTICATED;
} else if (requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
returnAuthType = AuthenticationType.AUTH_FROM_PUBLIC_MODULE;
} else {
returnAuthType = requestedAuthType;
}
}
}
final boolean useProxy = determineIfLdapProxyNeeded(returnAuthType, password);
final ChaiProvider returnProvider = useProxy ? makeProxyProvider() : userProvider;
final AuthenticationResult authenticationResult = new AuthenticationResult(returnProvider, returnAuthType, password);
final StringBuilder debugMsg = new StringBuilder();
debugMsg.append("successful ldap authentication for ").append(userIdentity);
debugMsg.append(" (").append(TimeDuration.fromCurrent(startTime).asCompactString()).append(")");
debugMsg.append(" type: ").append(returnAuthType).append(", using strategy ").append(strategy);
debugMsg.append(", using proxy connection: ").append(useProxy);
debugMsg.append(", returning bind dn: ").append(returnProvider == null ? "none" : returnProvider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
log(PwmLogLevel.INFO, debugMsg);
final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, PwmConstants.DEFAULT_LOCALE, sessionLabel, userIdentity);
final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication, macroMachine).createUserAuditRecord(AuditEvent.AUTHENTICATE, this.userIdentity, makeAuditLogMessage(returnAuthType), sessionLabel.getSrcAddress(), sessionLabel.getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
pwmApplication.getSessionTrackService().addRecentLogin(userIdentity);
return authenticationResult;
}
use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.
the class LDAPAuthenticationRequest method authUsingUnknownPw.
@Override
public AuthenticationResult authUsingUnknownPw() throws ChaiUnavailableException, PwmUnrecoverableException {
initialize();
log(PwmLogLevel.TRACE, "beginning authentication using unknown password procedure");
PasswordData userPassword = null;
final boolean configAlwaysUseProxy = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);
if (configAlwaysUseProxy) {
strategy = AuthenticationStrategy.ADMIN_PROXY;
} else {
userPassword = learnUserPassword();
if (userPassword != null) {
strategy = AuthenticationStrategy.READ_THEN_BIND;
} else {
userPassword = setTempUserPassword();
if (userPassword != null) {
strategy = AuthenticationStrategy.WRITE_THEN_BIND;
}
}
if (userPassword == null) {
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "no available unknown-pw authentication method"));
}
}
try {
return authenticateUserImpl(userPassword);
} catch (PwmOperationalException e) {
if (strategy == AuthenticationStrategy.READ_THEN_BIND) {
final String errorStr = "unable to authenticate with password read from directory, check proxy rights, ldap logs; error: " + e.getMessage();
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
} else if (strategy == AuthenticationStrategy.WRITE_THEN_BIND) {
final String errorStr = "unable to authenticate with temporary password, check proxy rights, ldap logs; error: " + e.getMessage();
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
}
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "unable to authenticate via authWithUnknownPw method: " + e.getMessage()));
}
}
use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.
the class SessionAuthenticator method authUserWithUnknownPassword.
public void authUserWithUnknownPassword(final String username, final AuthenticationType requestedAuthType) throws ImpossiblePasswordPolicyException, PwmUnrecoverableException, PwmOperationalException {
pwmApplication.getIntruderManager().check(RecordType.USERNAME, username);
UserIdentity userIdentity = null;
try {
final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
userIdentity = userSearchEngine.resolveUsername(username, null, null, sessionLabel);
final AuthenticationRequest authEngine = LDAPAuthenticationRequest.createLDAPAuthenticationRequest(pwmApplication, sessionLabel, userIdentity, requestedAuthType, authenticationSource);
final AuthenticationResult authResult = authEngine.authUsingUnknownPw();
postAuthenticationSequence(userIdentity, authResult);
} catch (ChaiUnavailableException e) {
throw PwmUnrecoverableException.fromChaiException(e);
} catch (PwmOperationalException e) {
postFailureSequence(e, username, userIdentity);
throw e;
}
}
use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.
the class SessionAuthenticator method searchAndAuthenticateUser.
public void searchAndAuthenticateUser(final String username, final PasswordData password, final String context, final String ldapProfile) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
pwmApplication.getIntruderManager().check(RecordType.USERNAME, username);
UserIdentity userIdentity = null;
try {
final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
userIdentity = userSearchEngine.resolveUsername(username, context, ldapProfile, sessionLabel);
final AuthenticationRequest authEngine = LDAPAuthenticationRequest.createLDAPAuthenticationRequest(pwmApplication, sessionLabel, userIdentity, AuthenticationType.AUTHENTICATED, authenticationSource);
final AuthenticationResult authResult = authEngine.authenticateUser(password);
postAuthenticationSequence(userIdentity, authResult);
} catch (PwmOperationalException e) {
postFailureSequence(e, username, userIdentity);
if (readHiddenErrorTypes().contains(e.getError())) {
if (pwmApplication.determineIfDetailErrorMsgShown()) {
LOGGER.debug(pwmSession, "allowing error " + e.getError() + " to be returned though it is configured as a hidden type; " + "app is currently permitting detailed error messages");
} else {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_WRONGPASSWORD);
LOGGER.debug(pwmSession, "converting error from ldap " + e.getError() + " to " + PwmError.ERROR_WRONGPASSWORD + " due to app property " + AppProperty.SECURITY_LOGIN_HIDDEN_ERROR_TYPES.getKey());
throw new PwmOperationalException(errorInformation);
}
}
throw e;
}
}
use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.
the class CrService method writeResponses.
public void writeResponses(final UserIdentity userIdentity, final ChaiUser theUser, final String userGUID, final ResponseInfoBean responseInfoBean) throws PwmOperationalException, ChaiUnavailableException, ChaiValidationException {
int attempts = 0;
int successes = 0;
final Map<DataStorageMethod, String> errorMessages = new LinkedHashMap<>();
final Configuration config = pwmApplication.getConfig();
final List<DataStorageMethod> writeMethods = config.helper().getCrWritePreference();
for (final DataStorageMethod loopWriteMethod : writeMethods) {
try {
attempts++;
operatorMap.get(loopWriteMethod).writeResponses(userIdentity, theUser, userGUID, responseInfoBean);
LOGGER.debug("saved responses using storage method " + loopWriteMethod + " for user " + theUser.getEntryDN());
errorMessages.put(loopWriteMethod, "Success");
successes++;
} catch (PwmUnrecoverableException e) {
final String errorMsg = "error saving responses via " + loopWriteMethod + ", error: " + e.getMessage();
errorMessages.put(loopWriteMethod, errorMsg);
LOGGER.error(errorMsg);
}
}
if (attempts == 0) {
final String errorMsg = "no response save methods are available or configured";
final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_WRITING_RESPONSES, errorMsg);
throw new PwmOperationalException(errorInfo);
}
if (attempts != successes) {
final String errorMsg = "response storage only partially successful; attempts=" + attempts + ", successes=" + successes + ", detail=" + JsonUtil.serializeMap(errorMessages);
final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_WRITING_RESPONSES, errorMsg);
throw new PwmOperationalException(errorInfo);
}
}
Aggregations