 /**
  * Builds the {@link AuthenticationInfo} handed back to Shiro once an LDAP bind for the submitted
  * token has succeeded.
  *
  * <p>The default implementation does not look at {@code ldapPrincipal}, {@code ldapCredentials}
  * or {@code ldapContext}; it packages the token's own principal and credentials into a
  * {@link SimpleAuthenticationInfo} attributed to this realm. That is sound only because the
  * caller invokes this method after the bind succeeded, so the token's values are already
  * verified. The returned info therefore carries the submitted credentials exactly as given
  * (typically the raw password {@code char[]} of a {@code UsernamePasswordToken}); subclasses
  * that cache or serialize {@code AuthenticationInfo} should override this and substitute
  * something safer.
  *
  * <p>Subclasses may also override this to enrich the info, e.g. by reading attributes through
  * {@code ldapContext}.
  *
  * @param token the token that authenticated successfully; its principal and credentials are
  *     copied into the result
  * @param ldapPrincipal the principal used for the bind (usually a full User DN rather than a
  *     bare username; the exact form depends on the configured <a
  *     href="http://download-llnw.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html">LDAP
  *     authentication mechanism</a>). Unused by this implementation.
  * @param ldapCredentials the credentials used for the bind. Unused by this implementation.
  * @param ldapContext the bound context; subclasses may use it for further lookups. It is closed
  *     by the caller after this method returns, so it must not be closed here.
  * @return an {@code AuthenticationInfo} mirroring the token's principal and credentials
  * @throws NamingException if an overriding implementation fails while using the context
  */
 @SuppressWarnings({"UnusedDeclaration"})
 protected AuthenticationInfo createAuthenticationInfo(
     AuthenticationToken token,
     Object ldapPrincipal,
     Object ldapCredentials,
     LdapContext ldapContext)
     throws NamingException {
   final Object verifiedPrincipal = token.getPrincipal();
   final Object verifiedCredentials = token.getCredentials();
   return new SimpleAuthenticationInfo(verifiedPrincipal, verifiedCredentials, getName());
 }
 /**
  * Looks up the customer login for the token's principal and returns its stored credential for
  * the configured {@code CredentialsMatcher} to verify.
  *
  * <p>Logins that cannot be found, or whose customer is flagged deleted, are rejected with an
  * {@link UnknownAccountException}. Note that the exception message embeds the submitted
  * principal; callers that surface realm messages to end users should map it to a generic one so
  * that account existence is not disclosed.
  *
  * @param token the submitted token; only its principal is consulted here
  * @return authentication info carrying the stored login password under this realm's name
  * @throws UnknownAccountException if no usable login exists for the principal
  */
 @Override
 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
     throws AuthenticationException {
   final Object principal = token.getPrincipal();
   final CustomerLogin login = queryService.findCustomerLoginByLoginId(principal);
   // login.getCustomer() is presumed non-null for a persisted login — TODO confirm
   final boolean usable = login != null && !login.getCustomer().isDeleted();
   if (!usable) {
     throw new UnknownAccountException("No account found for user [" + principal + "]");
   }
   return new SimpleAuthenticationInfo(principal, login.getLoginPassword(), getName());
 }
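 /**
  * Packages the submitted username and password straight into an {@link AuthenticationInfo}.
  *
  * <p>WARNING (review): no user store is consulted. The "stored" credential returned here is the
  * password the caller just typed, so a credentials matcher that compares the token against this
  * info (e.g. Shiro's default {@code SimpleCredentialsMatcher}) accepts any non-null password for
  * any username. This is acceptable only as a placeholder; a real realm must load the account and
  * return its persisted (hashed) credential instead.
  *
  * <p>Fix over the previous version: the null/type checks now run before the credentials are cast
  * and copied, so a token without credentials yields {@code null} (Shiro then reports an unknown
  * account) instead of failing with a {@code NullPointerException}.
  *
  * @param token the submitted token; principal is expected to be a {@code String} and credentials
  *     a {@code char[]} (as produced by {@code UsernamePasswordToken})
  * @return info echoing the token, or {@code null} when principal or credentials are absent
  */
 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
     throws AuthenticationException {
   final Object principal = token.getPrincipal();
   final Object credentials = token.getCredentials();
   if (!(principal instanceof String) || !(credentials instanceof char[])) {
     return null;
   }
   final String username = (String) principal;
   // Copied into a String only because the contract returns it as the info's credential; a
   // String cannot be zeroed, so the password lingers in the heap until GC.
   final String password = new String((char[]) credentials);
   return new SimpleAuthenticationInfo(username, password, getName());
 }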
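  /**
   * Authenticates a single hard-coded demo account ({@code "zhang"} / {@code "123456"}).
   *
   * <p>The realm checks username and password itself and then also hands the password back as the
   * info's credential, so the configured {@code CredentialsMatcher} re-compares the same value.
   * Credentials embedded in source like this are test fixtures only and must never ship.
   *
   * <p>Changes over the previous version: a token whose credentials are missing or not a
   * {@code char[]} is rejected with {@link IncorrectCredentialsException} instead of failing with a
   * {@code NullPointerException}/{@code ClassCastException}, and the password comparison runs in
   * constant time so it no longer stops at the first mismatching character.
   *
   * @param token the submitted token; the principal is expected to be a {@code String}
   * @return authentication info for the demo user
   * @throws UnknownAccountException if the username is not the demo user
   * @throws IncorrectCredentialsException if the password is absent or wrong
   */
  @Override
  public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    String username = (String) token.getPrincipal();
    if (!"zhang".equals(username)) {
      throw new UnknownAccountException(); // wrong username
    }
    Object credentials = token.getCredentials();
    if (!(credentials instanceof char[])) {
      throw new IncorrectCredentialsException(); // no usable password submitted
    }
    String password = new String((char[]) credentials);
    if (!demoPasswordMatches("123456", password)) {
      throw new IncorrectCredentialsException(); // wrong password
    }
    // Authentication succeeded: return an AuthenticationInfo implementation.
    return new SimpleAuthenticationInfo(username, password, getName());
  }

  /** Compares two strings without short-circuiting on the first differing byte. */
  private static boolean demoPasswordMatches(String expected, String actual) {
    byte[] a = expected.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] b = actual.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(a, b);
  }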
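  /**
   * Authenticates a single hard-coded demo account ({@code "zhang"} / {@code "123"}).
   *
   * <p>The realm checks username and password itself and then also hands the password back as the
   * info's credential, so the configured {@code CredentialsMatcher} re-compares the same value.
   * Credentials embedded in source like this are test fixtures only and must never ship.
   *
   * <p>Changes over the previous version: a token whose credentials are missing or not a
   * {@code char[]} is rejected with {@link IncorrectCredentialsException} instead of failing with a
   * {@code NullPointerException}/{@code ClassCastException}, and the password comparison runs in
   * constant time so it no longer stops at the first mismatching character.
   *
   * @param token the submitted token; the principal is expected to be a {@code String}
   * @return authentication info for the demo user
   * @throws UnknownAccountException if the username is not the demo user
   * @throws IncorrectCredentialsException if the password is absent or wrong
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    String username = (String) token.getPrincipal();
    if (!"zhang".equals(username)) {
      throw new UnknownAccountException(); // wrong username
    }
    Object credentials = token.getCredentials();
    if (!(credentials instanceof char[])) {
      throw new IncorrectCredentialsException(); // no usable password submitted
    }
    String password = new String((char[]) credentials);
    if (!fixturePasswordMatches("123", password)) {
      throw new IncorrectCredentialsException(); // wrong password
    }
    // Authentication succeeded: return an AuthenticationInfo implementation.
    return new SimpleAuthenticationInfo(username, password, getName());
  }

  /** Compares two strings without short-circuiting on the first differing byte. */
  private static boolean fixturePasswordMatches(String expected, String actual) {
    byte[] a = expected.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] b = actual.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(a, b);
  }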
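  /**
   * Retrieves authentication data from an implementation-specific datasource (RDBMS, LDAP, etc) for
   * the given authentication token.
   *
   * <p>Only the account lookup and the lock check happen here; the password itself is verified by
   * the realm's {@code CredentialsMatcher} against the stored password and per-user salt returned
   * in the info.
   *
   * <p>Changes over the previous version: a username the service does not know now raises
   * {@link UnknownAccountException} instead of a {@code NullPointerException} from
   * {@code user.getLocked()} (assumes {@code loadUserByUsername} returns {@code null} for an
   * unknown user rather than throwing — TODO confirm against the service), and the debug log no
   * longer prints the user's salt.
   *
   * @param token the authentication token containing the user's principal and credentials.
   * @return an AuthenticationInfo object containing account data resulting from the authentication
   *     ONLY if the lookup is successful (i.e. account exists and is valid, etc.)
   * @throws UnknownAccountException if no user exists for the principal
   * @throws LockedAccountException if the user is flagged locked
   * @throws AuthenticationException if there is an error acquiring data or performing
   *     realm-specific authentication logic for the specified token
   */
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    String username = (String) token.getPrincipal();

    AuthorizationUser user = _authorizationUserService.loadUserByUsername(username);
    if (user == null) {
      throw new UnknownAccountException(); // no such account
    }

    if (Boolean.TRUE.equals(user.getLocked())) {
      throw new LockedAccountException(); // account locked
    }

    // Leave password matching to the CredentialsMatcher; the salt is passed alongside so a
    // HashedCredentialsMatcher can recompute the stored hash.
    SimpleAuthenticationInfo info =
        new SimpleAuthenticationInfo(
            user.getUsername(),
            user.getPassword(),
            ByteSource.Util.bytes(user.getCredentialsSalt()),
            getName());

    if (_logger.isDebugEnabled()) {
      // The salt is not a secret, but it is part of what is needed to attack the stored hash
      // offline; there is no reason to copy it into log files.
      _logger.debug("call doGetAuthenticationInfo.. username=" + username);
    }

    return info;
  }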
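  /**
   * Loads the account for the submitted username and returns its stored password hash and salt for
   * the configured {@code CredentialsMatcher} to verify.
   *
   * <p>Changes over the previous version: (1) a failure in the user lookup is no longer swallowed
   * and reported as "unknown account" — it is logged with its cause and rethrown as an
   * {@link AuthenticationException}, so a database outage is distinguishable from a bad username;
   * (2) the "user found" log line no longer prints the stored password, and it uses SLF4J
   * {@code {}} placeholders in the right order (it previously used {@code %d/%s} placeholders,
   * which this logger does not expand, with the arguments mis-ordered).
   *
   * @param token the submitted token; the principal is expected to be a {@code String} username
   * @return info carrying the stored password, the salt ({@code username + salt}) and this realm's
   *     name
   * @throws UnknownAccountException if no user exists for the username
   * @throws LockedAccountException if the user is flagged locked
   * @throws AuthenticationException if the user lookup itself fails
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    String username = (String) token.getPrincipal();
    log.info("MysqlRealm收到认证请求,用户名为:{}", username);

    SysUser user;
    try {
      user = getUserService().findByUsername(username);
    } catch (Exception e) {
      log.error("MysqlRealm获取用户信息出错", e);
      throw new AuthenticationException("Failed to load user [" + username + "]", e);
    }

    if (user == null) {
      throw new UnknownAccountException(); // no such account
    }
    log.info("MysqlRealm找到指定用户,用户ID:{},用户名:{}", user.getId(), username);

    if (Boolean.TRUE.equals(user.getLocked())) {
      throw new LockedAccountException(); // account locked
    }

    // Password matching is left to AuthenticatingRealm's CredentialsMatcher. The salt handed over
    // is username + per-user salt, so the matcher must be configured to hash the same way.
    return new SimpleAuthenticationInfo(
        user.getUsername(),
        user.getPassword(),
        ByteSource.Util.bytes(user.getUsername() + user.getSalt()),
        getName());
  }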
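  /**
   * Authenticates the submitted username/password against Atlassian Crowd and, on success, returns
   * info echoing the token's principal and credentials (Crowd has already verified them).
   *
   * <p>Every Crowd failure — transport error, inactive account, expired or invalid credentials,
   * application access denied — is mapped to the same {@code DEFAULT_MESSAGE} so the response does
   * not reveal which condition applied; the original exception is kept as the cause for logs.
   *
   * <p>Changes over the previous version: a token without a password is rejected up front rather
   * than failing with a {@code NullPointerException} in {@code new String(null)}, and the six
   * identical catch clauses are collapsed into one multi-catch.
   *
   * @param authenticationToken the submitted token; must be a {@link UsernamePasswordToken}
   * @return info carrying the token's principal and credentials under this realm's name
   * @throws UnsupportedTokenException if the token is not a {@code UsernamePasswordToken}
   * @throws AuthenticationException if Crowd rejects the credentials or cannot be reached
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
      throws AuthenticationException {
    if (!(authenticationToken instanceof UsernamePasswordToken)) {
      throw new UnsupportedTokenException(
          "Token of type "
              + authenticationToken.getClass().getName()
              + " is not supported.  A "
              + UsernamePasswordToken.class.getName()
              + " is required.");
    }
    UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;

    char[] rawPassword = token.getPassword();
    if (rawPassword == null) {
      // Fail fast with the same opaque message used for every other rejection.
      throw new AuthenticationException(DEFAULT_MESSAGE);
    }
    // The Crowd client API takes a String, so the password has to be copied out of the char[].
    String password = new String(rawPassword);

    try {
      crowdClientHolder.getAuthenticationManager().authenticate(token.getUsername(), password);
      return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
    } catch (RemoteException
        | com.atlassian.crowd.exception.InactiveAccountException
        | com.atlassian.crowd.exception.ExpiredCredentialException
        | com.atlassian.crowd.exception.InvalidAuthenticationException
        | com.atlassian.crowd.exception.InvalidAuthorizationTokenException
        | com.atlassian.crowd.exception.ApplicationAccessDeniedException e) {
      throw new AuthenticationException(DEFAULT_MESSAGE, e);
    }
  }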
 /**
  * Chooses the principal handed to the {@link LdapContextFactory} for the authentication bind.
  *
  * <p>A {@code String} principal is treated as a bare uid/username and run through {@link
  * #getUserDn(String)} to produce the User DN most directories require for a bind. Any other
  * principal type is passed through untouched, on the assumption that it is already in whatever
  * form the configured factory accepts.
  *
  * @param token the token submitted for authentication
  * @return the User DN derived from a {@code String} principal, otherwise the raw principal
  * @see LdapContextFactory#getLdapContext(Object, Object)
  */
 protected Object getLdapPrincipal(AuthenticationToken token) {
   final Object rawPrincipal = token.getPrincipal();
   if (!(rawPrincipal instanceof String)) {
     return rawPrincipal;
   }
   return getUserDn((String) rawPrincipal);
 }
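  /**
   * Authenticates by handing the submitted login name and password to {@code adminUserDao.login}
   * and treating a returned user with a positive id as success.
   *
   * <p>NOTE (review): the DAO receives the plaintext password, so it — not this realm — decides
   * how (and whether) it is hashed before comparison; verify it is not matching against a
   * plaintext column. The info returned carries the plaintext password as its credential, so the
   * realm's {@code CredentialsMatcher} merely re-compares the token against itself.
   *
   * <p>Change over the previous version: a token whose credentials are missing or not a
   * {@code char[]} now yields the same {@link IncorrectCredentialsException} as a wrong password
   * instead of a {@code NullPointerException}/{@code ClassCastException}.
   *
   * @param token the submitted token; principal is the login name, credentials the password
   * @return info carrying the login name and submitted password under this realm's name
   * @throws IncorrectCredentialsException if the DAO returns no user, or one without a valid id
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    String loginName = (String) token.getPrincipal();
    Object credentials = token.getCredentials();
    if (!(credentials instanceof char[])) {
      throw new IncorrectCredentialsException("用户名或密码不正确!");
    }
    String password = new String((char[]) credentials);

    // Kept as in the original: the DAO is called with the values as read back from a User bean
    // (assumed to be plain pass-through setters/getters — TODO confirm).
    User user = new User();
    user.setLoginName(loginName);
    user.setPassword(password);
    User loginUser = adminUserDao.login(user.getLoginName(), user.getPassword());
    if (loginUser == null || loginUser.getId() <= 0) {
      throw new IncorrectCredentialsException("用户名或密码不正确!");
    }

    // Authentication succeeded: return an AuthenticationInfo implementation.
    return new SimpleAuthenticationInfo(loginName, password, getName());
  }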
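  /**
   * Authenticates an LDAP user by first locating the entry for the submitted principal with the
   * system (service) context and then attempting a bind as that entry's DN with the submitted
   * credentials. The first DN that binds successfully wins.
   *
   * <p>Changes over the previous version:
   * <ul>
   *   <li>A token with null or empty credentials is rejected before any bind is attempted. Many
   *       directories treat a bind with a DN and an empty password as an anonymous/unauthenticated
   *       bind that "succeeds" (RFC 4513 §5.1.2), which would otherwise authenticate any known
   *       username with no password unless {@code contextFactory} happens to reject it itself.
   *   <li>The system context, the search enumeration and each per-user bind context are closed in
   *       {@code finally} blocks; previously none of them was closed.
   *   <li>The entry-point debug log no longer dereferences a possibly-null token.
   * </ul>
   *
   * <p>NOTE (review): {@code createAttributeFilter} receives the raw principal string; unless it
   * escapes RFC 4515 metacharacters, the principal can alter the search filter (LDAP filter
   * injection) — confirm on that helper. The hard-coded realm name {@code "StaticRealm"} is kept
   * for compatibility; {@code getName()} would be the usual choice.
   *
   * @param token the submitted token; its principal is searched for in {@code userIdAttribute}
   * @param contextFactory supplies the system context for the search and the user context for the
   *     bind
   * @return info keyed by the bound DN, or {@code null} if no entry binds or the token is unusable;
   *     lookup and bind errors are logged and also result in {@code null}
   * @throws NamingException declared for subclasses; this implementation catches and logs
   */
  @Override
  protected AuthenticationInfo queryForAuthenticationInfo(
      AuthenticationToken token, LdapContextFactory contextFactory) throws NamingException {

    Object principal = token == null ? null : token.getPrincipal();
    logger.debug("queryForAuthenticationInfo, principal: {}, credentials: *****", principal);
    logger.debug("contextFactory : {}", contextFactory);

    if (principal == null) {
      logger.info("No authentication token provided, will not try to authenticate..");
      return null;
    }
    Object credentials = token.getCredentials();
    if (isEmptyCredentials(credentials)) {
      logger.info("Empty credentials for principal {}, refusing to bind", principal);
      return null;
    }

    LdapContext sysCtx = null;
    NamingEnumeration<?> namingEnumeration = null;
    try {
      sysCtx = contextFactory.getSystemLdapContext();

      String objClsFilter = createObjectClassFilter(objectClasses);
      String userIdFilter = createAttributeFilter(userIdAttribute, principal.toString());
      String filter = mergeFiltersAND(objClsFilter, userIdFilter);

      namingEnumeration =
          sysCtx.search(config.getUserLdapBaseDn(), filter, getSimpleSearchControls());

      while (namingEnumeration.hasMore()) {
        SearchResult result = (SearchResult) namingEnumeration.next();
        String dn = result.getNameInNamespace();

        LdapContext userCtx = null;
        try {
          // A successful bind as the entry's DN is the actual password check.
          userCtx = contextFactory.getLdapContext(dn, credentials);
          return new SimpleAuthenticationInfo(dn, credentials, "StaticRealm");
        } catch (Exception e) {
          // A wrong password lands here too, so ERROR level is noisy for a routine event.
          logger.error(e.getMessage(), e);
        } finally {
          closeQuietly(userCtx);
        }
      }
    } catch (Exception e) {
      logger.error(e.getMessage(), e);
    } finally {
      closeQuietly(namingEnumeration);
      closeQuietly(sysCtx);
    }

    return null;
  }

  /** True for null credentials and for an empty String, char[] or byte[]. */
  private static boolean isEmptyCredentials(Object credentials) {
    if (credentials == null) {
      return true;
    }
    if (credentials instanceof String) {
      return ((String) credentials).isEmpty();
    }
    if (credentials instanceof char[]) {
      return ((char[]) credentials).length == 0;
    }
    if (credentials instanceof byte[]) {
      return ((byte[]) credentials).length == 0;
    }
    return false;
  }

  /** Closes a context; failures are logged, not propagated, as the outcome is already decided. */
  private void closeQuietly(LdapContext ctx) {
    if (ctx != null) {
      try {
        ctx.close();
      } catch (NamingException e) {
        logger.debug("Failed to close LDAP context", e);
      }
    }
  }

  /** Closes a search enumeration; failures are logged, not propagated. */
  private void closeQuietly(NamingEnumeration<?> results) {
    if (results != null) {
      try {
        results.close();
      } catch (NamingException e) {
        logger.debug("Failed to close LDAP search results", e);
      }
    }
  }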
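  /**
   * Builds authentication info for a token whose principal is already a resolved {@link User} (the
   * OAuth flow upstream is presumably what established the identity — TODO confirm).
   *
   * <p>This realm performs no credential check of its own: the info echoes the token's
   * credentials, so whatever {@code CredentialsMatcher} is configured compares the token against
   * itself. Only the account-state checks (present, active, not locked) are enforced here.
   *
   * <p>Change over the previous version: a token whose principal is not a {@code User} is rejected
   * with an {@link AuthenticationException} instead of a {@code ClassCastException}.
   *
   * @param token the submitted token; its principal must be a {@code User} or {@code null}
   * @return info whose principal collection holds the user under {@code OAUTH_REALM_NAME}
   * @throws UnknownAccountException if the principal is {@code null}
   * @throws LockedAccountException if the user is inactive or locked
   * @throws AuthenticationException if the principal is of another type
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    Object principal = token.getPrincipal();
    if (principal == null) {
      throw new UnknownAccountException(
          ConstantsUtility.ERROR_MESSAGES.getString("userDoesNotExist"));
    }
    if (!(principal instanceof User)) {
      throw new AuthenticationException(
          "Unsupported principal type " + principal.getClass().getName());
    }
    User user = (User) principal;

    if (!user.isActive()) {
      throw new LockedAccountException(ConstantsUtility.ERROR_MESSAGES.getString("userInactive"));
    }
    if (user.isLocked()) {
      throw new LockedAccountException(ConstantsUtility.ERROR_MESSAGES.getString("userLocked"));
    }

    SimplePrincipalCollection principals = new SimplePrincipalCollection();
    principals.add(user, ConstantsUtility.OAUTH_REALM_NAME);
    return new SimpleAuthenticationInfo(principals, token.getCredentials());
  }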
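  /**
   * This implementation opens an LDAP connection using the token's {@link
   * #getLdapPrincipal(org.apache.shiro.authc.AuthenticationToken) discovered principal} and
   * provided {@link AuthenticationToken#getCredentials() credentials}. If the connection opens
   * successfully, the authentication attempt is immediately considered successful and a new {@link
   * AuthenticationInfo} instance is {@link
   * #createAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken, Object, Object,
   * javax.naming.ldap.LdapContext) created} and returned. If the connection cannot be opened,
   * either because LDAP authentication failed or some other JNDI problem, an {@link
   * NamingException} will be thrown.
   *
   * <p>Change over the previous version: null or empty credentials are rejected before the bind is
   * attempted. Directories commonly treat a bind with a DN and an empty password as an
   * anonymous/unauthenticated bind that succeeds (RFC 4513 §5.1.2); relying on an arbitrary
   * {@link LdapContextFactory} implementation to refuse that is not safe, so the realm fails
   * closed here with a {@link javax.naming.AuthenticationException} (a {@code NamingException},
   * consistent with how a rejected bind surfaces).
   *
   * @param token the submitted authentication token that triggered the authentication attempt.
   * @param ldapContextFactory factory used to retrieve LDAP connections.
   * @return an {@link AuthenticationInfo} instance representing the authenticated user's
   *     information.
   * @throws NamingException if any LDAP errors occur, or if the token carries no credentials.
   */
  protected AuthenticationInfo queryForAuthenticationInfo(
      AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {

    Object principal = token.getPrincipal();
    Object credentials = token.getCredentials();

    log.debug("Authenticating user '{}' through LDAP", principal);

    if (hasNoCredentials(credentials)) {
      throw new javax.naming.AuthenticationException(
          "LDAP authentication requires non-empty credentials; refusing to bind as '"
              + principal
              + "' without a password");
    }

    principal = getLdapPrincipal(token);

    LdapContext ctx = null;
    try {
      ctx = ldapContextFactory.getLdapContext(principal, credentials);
      // context was opened successfully, which means their credentials were valid.  Return the
      // AuthenticationInfo:
      return createAuthenticationInfo(token, principal, credentials, ctx);
    } finally {
      LdapUtils.closeContext(ctx);
    }
  }

  /** True for null credentials and for an empty String, char[] or byte[]. */
  private static boolean hasNoCredentials(Object credentials) {
    if (credentials == null) {
      return true;
    }
    if (credentials instanceof String) {
      return ((String) credentials).isEmpty();
    }
    if (credentials instanceof char[]) {
      return ((char[]) credentials).length == 0;
    }
    if (credentials instanceof byte[]) {
      return ((byte[]) credentials).length == 0;
    }
    return false;
  }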
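  /**
   * Builds the login token for an HTTP Basic request, mapping the presented username to the
   * directory DN of the matching gateway entry when one exists.
   *
   * <p>Flow: a missing or malformed {@code Authorization} header yields a token with an empty
   * username/password so the login simply fails downstream. Otherwise the filter binds as the
   * configured service account ({@code MessagingServletConfig.ldapUser}/{@code ldapPw}), searches
   * with the {@code SF} filter for the username and, when exactly one entry is found, replaces the
   * username with a DN built from its {@code cn}. If the lookup fails, the username is passed
   * through unchanged.
   *
   * <p>Changes over the previous version: the username is escaped per RFC 4515 before being
   * substituted into the search filter, so a value such as {@code *)(cn=*} can no longer alter the
   * query (LDAP filter injection; assumes {@code searchUnique} does not escape already — TODO
   * confirm); the {@code Authorization} header value, which carries the Base64-encoded password,
   * is no longer written to the debug log; the LDAP context is closed in a {@code finally} block
   * rather than only on the success path; and the failure is logged instead of printed to stderr.
   *
   * @param request the incoming request carrying the Basic {@code Authorization} header
   * @param response the response, passed through to {@code createToken}
   * @return the token to attempt login with
   */
  @Override
  protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
    String authorizationHeader = getAuthzHeader(request);
    if (authorizationHeader == null || authorizationHeader.length() == 0) {
      // No Authorization header: hand back an empty token so the login fails.
      return createToken("", "", request, response);
    }

    if (log.isDebugEnabled()) {
      // Deliberately not logging the header itself: it contains the Base64-encoded password.
      log.debug("Attempting to execute login from Authorization header");
    }

    String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request);
    if (prinCred == null || prinCred.length < 2) {
      // No password in the request: keep whatever username was parsed, with an empty password.
      String username = prinCred == null || prinCred.length == 0 ? "" : prinCred[0];
      return createToken(username, "", request, response);
    }

    String username = prinCred[0];
    String password = prinCred[1];
    String sf = SF.replace("{0}", escapeLdapFilterValue(username));
    InitialLdapContext ctx = null;
    try {
      AuthenticationToken at =
          new UsernamePasswordToken(MessagingServletConfig.ldapUser, MessagingServletConfig.ldapPw);
      ctx = (InitialLdapContext) jlc.getLdapContext(at.getPrincipal(), at.getCredentials());
      SearchResult result = searchUnique(sf, ctx);
      Attributes attrs = result.getAttributes();
      username =
          "******" + attrs.get("cn").get(0) + ",ou=gateways," + MessagingServletConfig.ldapBaseDn;
    } catch (IllegalStateException | NamingException e) {
      log.warn(username + " not found in directory", e);
    } finally {
      closeQuietly(ctx);
    }
    return createToken(username, password, request, response);
  }

  /** Escapes the characters RFC 4515 reserves inside an LDAP search-filter assertion value. */
  private static String escapeLdapFilterValue(String value) {
    StringBuilder escaped = new StringBuilder(value.length());
    for (char c : value.toCharArray()) {
      switch (c) {
        case '\\':
          escaped.append("\\5c");
          break;
        case '*':
          escaped.append("\\2a");
          break;
        case '(':
          escaped.append("\\28");
          break;
        case ')':
          escaped.append("\\29");
          break;
        case '\u0000':
          escaped.append("\\00");
          break;
        default:
          escaped.append(c);
      }
    }
    return escaped.toString();
  }

  /** Closes the context if one was opened; a failure to close is logged but not propagated. */
  private void closeQuietly(InitialLdapContext ctx) {
    if (ctx != null) {
      try {
        ctx.close();
      } catch (NamingException e) {
        log.debug("Failed to close LDAP context", e);
      }
    }
  }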
  /**
   * Fetches the account for the submitted username and returns its stored password and per-user
   * salt for the realm's {@code CredentialsMatcher} to check.
   *
   * @param token the submitted token; principal is expected to be a {@code String} username
   * @return info carrying the stored username, password and salt under this realm's name
   * @throws UnknownAccountException if {@code userService} knows no such user
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    final String username = (String) token.getPrincipal();
    final User account = userService.getUser(username);
    if (account == null) {
      throw new UnknownAccountException();
    }
    final ByteSource salt = ByteSource.Util.bytes(account.getSalt());
    return new SimpleAuthenticationInfo(
        account.getUsername(), account.getPassword(), salt, getName());
  }
  /**
   * Test-fixture realm with three hard-coded accounts ({@code "bush"}, {@code "ban ki-moon"},
   * {@code "balkenende"}) and plaintext passwords; any other username fails. Not for production.
   *
   * @param authToken the submitted token; principal is expected to be a {@code String}
   * @return info with the fixture password for the matcher to compare
   * @throws AuthenticationException if the username is not one of the fixtures
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authToken)
      throws AuthenticationException {
    final String userName = (String) authToken.getPrincipal();
    if (userName == null) {
      throw new AuthenticationException();
    }
    final String fixturePassword;
    switch (userName) {
      case "bush":
        fixturePassword = "president";
        break;
      case "ban ki-moon":
        fixturePassword = "nato";
        break;
      case "balkenende":
        fixturePassword = "h.potter";
        break;
      default:
        throw new AuthenticationException();
    }
    return new SimpleAuthenticationInfo(userName, fixturePassword, getName());
  }
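  /**
   * Resolves the account for the submitted login via the {@code UserBusiness} carried on the
   * token (the "hack" flagged by the original author: the realm has no injected service, so the
   * extended token transports one).
   *
   * <p>Password verification is delegated to the configured {@code CredentialsMatcher}, which
   * compares the token against {@code user.getPassword()}; whether that value is a hash or
   * plaintext depends on {@code User} (a {@code getPasswdHash()} alternative was commented out in
   * the original — TODO confirm which one the matcher expects).
   *
   * <p>Change over the previous version: a token that is not a {@code UserNamePasswordTokenEx} is
   * rejected with an {@link AuthenticationException} instead of a {@code ClassCastException}.
   *
   * @param token the submitted token; must be a {@code UserNamePasswordTokenEx}
   * @return a {@code SimpleAccount} for the user under {@code USER_REALM}
   * @throws UnknownAccountException if no user matches the login
   * @throws AuthenticationException if the token is of an unsupported type
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    if (!(token instanceof UserNamePasswordTokenEx)) {
      throw new AuthenticationException(
          "Unsupported token type: " + (token == null ? "null" : token.getClass().getName()));
    }
    // hack: the realm has no injected service, so the extended token carries it
    UserBusiness userBusiness = ((UserNamePasswordTokenEx) token).getUserBussines();

    User user = userBusiness.findByLogin(String.valueOf(token.getPrincipal()));
    if (user == null) {
      throw new UnknownAccountException();
    }
    return new SimpleAccount(user.getLogin(), user.getPassword(), USER_REALM);
  }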
 /**
  * Hashes the submitted password (MD5, 2 iterations, salted with the username) and returns that
  * hash as the "stored" credential, leaving the compare to the realm's {@code CredentialsMatcher}.
  *
  * <p>NOTE (review): no user store is consulted anywhere in this method. The info's credential is
  * derived from the password the caller just submitted, so a matcher that hashes the token the
  * same way (MD5, 2 iterations, salt = username) will always find the two equal — i.e. any
  * password authenticates any username unless the configured matcher loads the real hash from
  * somewhere else. Confirm what matcher this realm is wired to. Independently, MD5 with two
  * iterations is not an acceptable password hash; bcrypt/scrypt/argon2 is expected.
  *
  * @param token the submitted token; must be a {@code UsernamePasswordToken}
  * @return info with the username, the hex MD5 of the submitted password, and the username as salt
  * @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)
  */
 @Override
 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
     throws AuthenticationException {
   logger.debug(String.format("token:[%s]", token.getClass()));
   final UsernamePasswordToken upToken = (UsernamePasswordToken) token;
   final String username = upToken.getUsername();
   final ByteSource salt = ByteSource.Util.bytes(username);
   final String submitted = new String(upToken.getPassword());
   final String pwd = new SimpleHash("md5", submitted, salt, 2).toHex();
   // The CredentialsMatcher configured on the AuthenticatingRealm performs the comparison.
   return new SimpleAuthenticationInfo(username, pwd, salt, this.getName());
 }
  /**
   * Wraps the superclass match with a per-username attempt counter: more than 10 recorded attempts
   * raise {@link ExcessiveAttemptsException}; a successful match clears the counter.
   *
   * <p>The counter is incremented before the match, so the lockout fires on the 11th attempt.
   * Nothing here resets a locked user other than success or eviction from
   * {@code passwordRetryCache} (its eviction policy is not visible here — presumably a TTL;
   * confirm), and the get-then-put is not atomic, so concurrent first attempts may each create a
   * counter and one increment can be lost (which only ever under-counts).
   *
   * @param token the submitted token; principal is expected to be a {@code String} username
   * @param info the stored account info to match against
   * @return whether the credentials match, as decided by the superclass
   * @throws ExcessiveAttemptsException once more than 10 attempts have been counted
   */
  @Override
  public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    final String username = (String) token.getPrincipal();
    AtomicInteger attempts = passwordRetryCache.get(username);
    if (attempts == null) {
      attempts = new AtomicInteger(0);
      passwordRetryCache.put(username, attempts);
    }
    final int attemptNumber = attempts.incrementAndGet();
    if (attemptNumber > 10) {
      throw new ExcessiveAttemptsException(String.valueOf(attemptNumber));
    }

    final boolean matched = super.doCredentialsMatch(token, info);
    if (matched) {
      passwordRetryCache.remove(username);
    }
    return matched;
  }
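 /**
  * Counts authentication attempts per username in Ehcache and refuses further attempts once the
  * count exceeds 5; a successful match clears the counter.
  *
  * <p>Bug fixed: the previous version looked the counter up with the literal key
  * {@code "username"} instead of the variable, so the lookup never hit the element stored under
  * the real username, every attempt started a fresh counter at 0, and the lockout could never
  * trigger.
  *
  * <p>Known limits (unchanged): the counter is not reset on lockout, so the user stays locked
  * until the cache evicts the element (make sure {@code passwordRetryCache} has a TTL); and the
  * get-then-put is not atomic, so two concurrent first attempts may each create a counter and one
  * increment can be lost, which only ever under-counts.
  *
  * @param token the submitted token; its principal's {@code toString()} is the cache key
  * @param info the stored account info to match against
  * @return whether the credentials match, per the superclass matcher
  * @throws ExcessiveAttemptsException once more than 5 attempts have been recorded
  */
 @Override
 public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
   String username = token.getPrincipal().toString();
   Element element = passwordRetryCache.get(username);
   if (element == null) {
     element = new Element(username, new AtomicInteger(0));
     passwordRetryCache.put(element);
   }
   AtomicInteger retryCount = (AtomicInteger) element.getObjectValue();
   if (retryCount.incrementAndGet() > 5) {
     throw new ExcessiveAttemptsException();
   }
   boolean match = super.doCredentialsMatch(token, info);
   if (match) {
     passwordRetryCache.remove(username);
   }
   return match;
 }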
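 /**
  * Loads account info for the submitted username from one of two backends, selected by the role
  * carried on the {@code JxjsToken}: {@code "jianyu"} users come from {@code ud}, {@code "fayuan"}
  * users from {@code yhbDao}. Password matching is left to the configured matcher.
  *
  * <p>Each branch tags the info with a literal realm name ({@code "jianyu"} / {@code "fayuan"})
  * rather than {@code getName()}; this is kept since downstream code may key on it. An unknown
  * role yields {@code null}, which Shiro reports as an unknown account.
  *
  * <p>Change over the previous version: a token that is not a {@code JxjsToken} is rejected with
  * an {@link AuthenticationException} instead of a {@code ClassCastException}.
  *
  * @param token the submitted token; must be a {@code JxjsToken} with a {@code String} principal
  * @return info for the matched account, or {@code null} if the role is unrecognised
  * @throws UnknownAccountException if the selected backend has no such user
  * @throws AuthenticationException if the token is not a {@code JxjsToken}
  */
 @Override
 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
     throws AuthenticationException {
   if (!(token instanceof JxjsToken)) {
     throw new AuthenticationException(
         "Unsupported token type: " + (token == null ? "null" : token.getClass().getName()));
   }
   String username = (String) token.getPrincipal();
   String role = ((JxjsToken) token).getRole();
   SimpleAuthenticationInfo authenticationInfo = null;
   if ("jianyu".equals(role)) {
     TUser user = ud.findUsername(username);
     if (user == null) {
       throw new UnknownAccountException(); // account not found
     }
     authenticationInfo =
         new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), "jianyu");
   } else if ("fayuan".equals(role)) {
     PubXtglYhb yhb = yhbDao.getPubXtglYhbByYhdm(username);
     if (yhb == null) {
       throw new UnknownAccountException(); // account not found
     }
     authenticationInfo = new SimpleAuthenticationInfo(yhb.getYhdm(), yhb.getYhkl(), "fayuan");
   }
   return authenticationInfo;
 }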
  /**
   * Loads the account for the submitted username and hands its stored password, plus the
   * realm-wide salt, to the configured {@code CredentialsMatcher}.
   *
   * <p>NOTE (review): the salt is the constant {@code "library-salt"} for every user. A fixed salt
   * means two users with the same password have the same stored hash and a single precomputed
   * table cracks all accounts at once; per-user random salts are the norm. The value cannot simply
   * be changed here without re-hashing every stored password, so it is left as is.
   *
   * @param token the submitted token; the principal is expected to be a {@code String} username
   * @return info with the stored username, stored password and the shared salt under this realm
   * @throws UnknownAccountException if no user matches the username
   * @throws LockedAccountException if the user is flagged locked
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {
    final String username = (String) token.getPrincipal();
    final User user = userService.findByUsername(username);
    if (user == null) {
      throw new UnknownAccountException();
    }
    if (Boolean.TRUE.equals(user.getLocked())) {
      throw new LockedAccountException();
    }
    // Matching itself is done by AuthenticatingRealm's CredentialsMatcher.
    final ByteSource sharedSalt = ByteSource.Util.bytes("library-salt");
    return new SimpleAuthenticationInfo(
        user.getUsername(), user.getPassword(), sharedSalt, getName());
  }
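  /**
   * Matches the submitted password against a stored credential whose scheme is encoded in the
   * stored string: {@code SSHA} (Base64 of a 20-byte SHA-1 digest followed by the salt) or
   * {@code PLAIN}, as captured by {@code passwordPattern}, or a bcrypt hash starting with
   * {@code $}.
   *
   * <p>{@code AutologinToken}s bypass matching entirely — a design decision of that token type,
   * not something this matcher can verify. Null submitted or stored credentials are rejected.
   *
   * <p>Changes over the previous version: the SSHA digest and the PLAIN value are compared in
   * constant time ({@code MessageDigest.isEqual} / a fixed-time loop) instead of
   * {@code Arrays.equals} / {@code String.equals}, which stop at the first differing element;
   * submitted credentials that are not a {@code char[]} are stringified rather than raising a
   * {@code ClassCastException}; and the stored SSHA blob is no longer echoed at TRACE level.
   *
   * <p>NOTE (review): the {@code PLAIN} scheme stores passwords in clear; treat it as a migration
   * aid only.
   *
   * @param token the submitted token (credentials normally a {@code char[]})
   * @param info the stored account info; {@code getCredentials().toString()} is the encoded value
   * @return {@code true} if the submitted password matches the stored credential
   * @see org.apache.shiro.authc.credential.CredentialsMatcher#doCredentialsMatch(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)
   */
  @Override
  public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    if (token instanceof AutologinToken) {
      log.debug("Auto-logging in {}", token.getPrincipal());
      return true;
    }
    final Object submitted = token.getCredentials();
    if (submitted == null) {
      log.warn("Rejecting null token credentials for {}", token.getPrincipal());
      return false;
    }
    if (info.getCredentials() == null) {
      log.warn("Rejecting null stored credentials for {}", info.getPrincipals());
      return false;
    }
    final String host =
        token instanceof HostAuthenticationToken
            ? ((HostAuthenticationToken) token).getHost()
            : null;

    final String passwordToken =
        submitted instanceof char[] ? String.valueOf((char[]) submitted) : String.valueOf(submitted);
    final String userPassword = info.getCredentials().toString();
    final Matcher matcher = passwordPattern.matcher(userPassword);
    if (matcher.matches()) {
      final String algorithm = matcher.group(1);
      final String encodedBase64 = matcher.group(2);
      switch (algorithm) {
        case "SSHA":
          final byte[] encoded = Base64.decodeBase64(encodedBase64);
          log.trace("Decoded stored SSHA credential into {} bytes", encoded.length);
          if (encoded.length < 21) {
            log.error(
                "Encoded length must be at least 21 bytes, 20-byte password and at least 1-byte salt, for {}",
                info.getPrincipals());
            return false;
          }
          // Layout: 20-byte SHA-1 digest, then the salt that was appended before hashing.
          final byte[] digest = Arrays.copyOf(encoded, 20);
          final byte[] salt = Arrays.copyOfRange(encoded, 20, encoded.length);
          final byte[] digestToken = HashedPasswordUtils.calculateSsha(passwordToken, salt);
          final boolean sshaMatches = java.security.MessageDigest.isEqual(digestToken, digest);
          log.debug(
              "Matching credentials for {} host {} using SSHA: {}",
              token.getPrincipal(),
              host,
              sshaMatches);
          return sshaMatches;
        case "PLAIN":
          final boolean plainMatches = constantTimeEquals(encodedBase64, passwordToken);
          log.debug(
              "Matching credentials for {} host {} using PLAIN: {}",
              token.getPrincipal(),
              host,
              plainMatches);
          return plainMatches;
        default:
          log.error("Unknown password algorithm {} for {}", algorithm, info.getPrincipals());
          return false;
      }
    } else if (userPassword.startsWith("$")) {
      final BCryptPasswordService bCryptPasswordService = new BCryptPasswordService();
      return bCryptPasswordService.passwordsMatch(passwordToken, userPassword);
    } else {
      log.error("Unknown password syntax for {}", info.getPrincipals());
      return false;
    }
  }

  /**
   * Compares two strings without stopping at the first differing character. The length check
   * still short-circuits, which only reveals the length of the stored value.
   */
  private static boolean constantTimeEquals(String expected, String actual) {
    if (expected.length() != actual.length()) {
      return false;
    }
    int diff = 0;
    for (int i = 0; i < expected.length(); i++) {
      diff |= expected.charAt(i) ^ actual.charAt(i);
    }
    return diff == 0;
  }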
 /**
  * Returns info for any principal with an empty-string credential and no account lookup.
  *
  * <p>NOTE (review): this realm verifies nothing by itself. With Shiro's default
  * {@code SimpleCredentialsMatcher} only an empty submitted password would match {@code ""}; with
  * an {@code AllowAllCredentialsMatcher} every token authenticates. It is only appropriate where
  * identity has already been established upstream (e.g. a token pre-validated by a filter) —
  * confirm how this realm's matcher is configured.
  *
  * @param authcToken the submitted token; its principal is passed through untouched
  * @return info with the token's principal, {@code ""} as credential, and this realm's name
  */
 @Override
 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
     throws AuthenticationException {
   final Object principal = authcToken.getPrincipal();
   final String noCredentials = "";
   return new SimpleAuthenticationInfo(principal, noCredentials, this.getName());
 }