@Override
 protected UserDetails retrieveUser(
     String username, UsernamePasswordAuthenticationToken authentication)
     throws AuthenticationException {
   return MySQLSecurityRealm.this.authenticate(
       username, authentication.getCredentials().toString());
 }
  /**
   * @param authentication null if we are just retrieving the said user, instead of trying to
   *     authenticate.
   */
  private UserDetails retrieveUser(
      String username, UsernamePasswordAuthenticationToken authentication, String domainName)
      throws AuthenticationException {
    // when we use custom socket factory below, every LDAP operations result
    // in a classloading via context classloader, so we need it to resolve.
    ClassLoader ccl = Thread.currentThread().getContextClassLoader();
    Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
    try {
      String password = NO_AUTHENTICATION;
      if (authentication != null) password = (String) authentication.getCredentials();

      return retrieveUser(username, password, domainName, obtainLDAPServers(domainName));
    } finally {
      Thread.currentThread().setContextClassLoader(ccl);
    }
  }
Exemplo n.º 3
0
  /** 具体验证用户登陆的方法 */
  protected void additionalAuthenticationChecks(
      UserDetails userDetails, UsernamePasswordAuthenticationToken authentication)
      throws AuthenticationException {

    this.isVailedSystemAdmin = this.isSystemAdmin(userDetails);
    SecurityMessageInfo smi = new SecurityMessageInfo();

    // add by zhangpengf for sso in 2009-12-15 begin
    if ("SP_SSO".equals(authentication.getCredentials().toString().trim())) {
      String username =
          (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
      if ("NONE_PROVIDED".equals(username)) {
        String msg = messages.getMessage("system.security.ssoExpired", "未找到该用户,请检查是否输入正确!");
        smi.setMessage(msg);
        UserContext.setLoginMessage("loginerror", smi);
        throw new BadCredentialsException(msg, userDetails);
      } else if (!username.trim().toLowerCase().equals(userDetails.getUsername().toLowerCase())) {
        String msg = messages.getMessage("system.security.ssoExpired", "未找到该用户,请检查是否输入正确!");
        smi.setMessage(msg);
        UserContext.setLoginMessage("loginerror", smi);
        throw new BadCredentialsException(msg, userDetails);
      }
    } else {
      if (userDetails.isSpecialUser() || !Boolean.valueOf(this.isLdap).booleanValue()) {
        Object salt = null;
        if (this.saltSource != null) {
          salt = this.saltSource.getSalt(userDetails);
        }

        if (!passwordEncoder.isPasswordValid(
            userDetails.getPassword(), authentication.getCredentials().toString(), salt)) {
          String msg =
              messages.getMessage(
                  "system.security.dbExpired", "验证错误,请检查您输入的用户名密码是您在本系统中设定的用户名以及密码!");
          smi.setMessage(msg);
          UserContext.setLoginMessage("loginerror", smi);
          throw new BadCredentialsException(msg, userDetails);
        }
      } else if (Boolean.valueOf(this.isLdap).booleanValue()) {
        try {
          boolean isAuth = false;
          System.out.println(
              "The User Check Type Is : "
                  + this.messages.getMessage("system.security.authtype", "ldap"));

          if ("ldap"
              .equalsIgnoreCase(this.messages.getMessage("system.security.authtype", "ldap"))) {

            isAuth =
                ldap.IsAuthenticatedByLdap(
                    authentication.getName().toLowerCase(),
                    authentication.getCredentials().toString());
          } else if ("notes"
              .equalsIgnoreCase(this.messages.getMessage("system.security.authtype", "ldap"))) {
            isAuth =
                ldap.IsAuthenticated(
                    authentication.getName().toLowerCase(),
                    authentication.getCredentials().toString());
          }
          if (!isAuth) {
            if (isVailedSystemAdmin) {
              Object salt = null;
              if (this.saltSource != null) {
                salt = this.saltSource.getSalt(userDetails);
              }

              if (!passwordEncoder.isPasswordValid(
                  userDetails.getPassword(), authentication.getCredentials().toString(), salt)) {
                String msg =
                    messages.getMessage(
                        "system.security.dbExpired", "验证错误,请检查您输入的用户名密码是您在本系统中设定的用户名以及密码!");
                smi.setMessage(msg);
                UserContext.setLoginMessage("loginerror", smi);
                throw new BadCredentialsException(msg, userDetails);
              }
            } else {
              String msg =
                  messages.getMessage(
                      "system.security.ldapExpired", "Ldap验证错误,请检查您输入的用户名密码是您的Notes用户名以及密码!");
              smi.setMessage(msg);
              UserContext.setLoginMessage("loginerror", smi);
              throw new BadCredentialsException(msg, userDetails);
            }
          }
        } catch (Exception e) {
          String msg = messages.getMessage("system.security.unknowExpired", "登陆验证发生错误,请联系管理员!");
          smi.setMessage(msg);
          UserContext.setLoginMessage("loginerror", smi);
          throw new BadCredentialsException(msg, userDetails);
        }
      }
    }
    // add by zhangpengf for sso in 2009-12-15 end
  }
Exemplo n.º 4
0
  public String create() {
    LOGGER.info("Inside create");

    try {
      Role employeeRole = new Role();
      employeeRole.setName(RoleNames.ROLE_EMPLOYEE.name());
      List<Role> roles = this.roleService.findByExample(employeeRole);
      Set<Role> userRoles = new HashSet<Role>();
      userRoles.addAll(roles);
      user.setRoles(userRoles);

      // user.setAge(ageCalculator(user));
      user.setPassword(encrypt(user.getPassword()));
      System.out.println("dobCheckbox" + dobCheckbox);
      // if(dobCheckbox.equals("true")){
      // user.setCheckDOBYR(true);
      //	}else{
      // user.setCheckDOBYR(false);
      //	}
      this.userManagement.registerUser(user);

      user = employerAccountService.findByUserName(user, user.getEmail());

      try {
        String msg = "Your Account has been created";
        msgingService.sendEmail(
            "*****@*****.**",
            new String[] {user.getEmail()},
            "Registration to MyOwnBriefcase",
            msg);

      } catch (MessagingException e) {
        e.printStackTrace();
      }
      if (this.upload != null && upload.length() > 0) {
        this.userManagement.updateUserPicture(user, this.upload.getAbsolutePath(), uploadFileName);
      }

      // log newUser in automatically

      UsernamePasswordAuthenticationToken auth =
          new UsernamePasswordAuthenticationToken(
              user,
              "user.getPassword()",
              new GrantedAuthority[] {new GrantedAuthorityImpl(RoleNames.ROLE_EMPLOYEE.name())});

      System.out.println("Setting auth details");
      SecurityContext context = SecurityContextHolder.getContext();
      context.setAuthentication(auth);
      System.out.println("auth" + auth.getClass());
      getSession().put("ACEGI_SECURITY_CONTEXT", context);

      /*
       * SwitchUserProcessingFilter filter = new
       * SwitchUserProcessingFilter(); filter.setUserDetailsService(new
       * MockAuthenticationDaoUserJackLord());
       */
      System.out.println("Done");
    } catch (Exception e) {
      e.printStackTrace();
      return "error";
    }
    return Action.SUCCESS;
  }
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    if (!(request instanceof HttpServletRequest)) {
      throw new ServletException("Can only process HttpServletRequest");
    }

    if (!(response instanceof HttpServletResponse)) {
      throw new ServletException("Can only process HttpServletResponse");
    }

    HttpServletRequest httpRequest = (HttpServletRequest) request;

    String header = httpRequest.getHeader("Authorization");

    if (logger.isDebugEnabled()) {
      logger.debug("Authorization header received from user agent: " + header);
    }

    if ((header != null) && header.startsWith("Digest ")) {
      String section212response = header.substring(7);

      String[] headerEntries = StringSplitUtils.splitIgnoringQuotes(section212response, ',');
      Map headerMap = StringSplitUtils.splitEachArrayElementAndCreateMap(headerEntries, "=", "\"");

      String username = (String) headerMap.get("username");
      String realm = (String) headerMap.get("realm");
      String nonce = (String) headerMap.get("nonce");
      String uri = (String) headerMap.get("uri");
      String responseDigest = (String) headerMap.get("response");
      String qop = (String) headerMap.get("qop"); // RFC 2617 extension
      String nc = (String) headerMap.get("nc"); // RFC 2617 extension
      String cnonce = (String) headerMap.get("cnonce"); // RFC 2617 extension

      // Check all required parameters were supplied (ie RFC 2069)
      if ((username == null)
          || (realm == null)
          || (nonce == null)
          || (uri == null)
          || (response == null)) {
        if (logger.isDebugEnabled()) {
          logger.debug(
              "extracted username: '******'; realm: '"
                  + username
                  + "'; nonce: '"
                  + username
                  + "'; uri: '"
                  + username
                  + "'; response: '"
                  + username
                  + "'");
        }

        fail(
            request,
            response,
            new BadCredentialsException(
                messages.getMessage(
                    "DigestProcessingFilter.missingMandatory",
                    new Object[] {section212response},
                    "Missing mandatory digest value; received header {0}")));

        return;
      }

      // Check all required parameters for an "auth" qop were supplied (ie RFC 2617)
      if ("auth".equals(qop)) {
        if ((nc == null) || (cnonce == null)) {
          if (logger.isDebugEnabled()) {
            logger.debug("extracted nc: '" + nc + "'; cnonce: '" + cnonce + "'");
          }

          fail(
              request,
              response,
              new BadCredentialsException(
                  messages.getMessage(
                      "DigestProcessingFilter.missingAuth",
                      new Object[] {section212response},
                      "Missing mandatory digest value; received header {0}")));

          return;
        }
      }

      // Check realm name equals what we expected
      if (!this.getAuthenticationEntryPoint().getRealmName().equals(realm)) {
        fail(
            request,
            response,
            new BadCredentialsException(
                messages.getMessage(
                    "DigestProcessingFilter.incorrectRealm",
                    new Object[] {realm, this.getAuthenticationEntryPoint().getRealmName()},
                    "Response realm name '{0}' does not match system realm name of '{1}'")));

        return;
      }

      // Check nonce was a Base64 encoded (as sent by DigestProcessingFilterEntryPoint)
      if (!Base64.isArrayByteBase64(nonce.getBytes())) {
        fail(
            request,
            response,
            new BadCredentialsException(
                messages.getMessage(
                    "DigestProcessingFilter.nonceEncoding",
                    new Object[] {nonce},
                    "Nonce is not encoded in Base64; received nonce {0}")));

        return;
      }

      // Decode nonce from Base64
      // format of nonce is:
      //   base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
      String nonceAsPlainText = new String(Base64.decodeBase64(nonce.getBytes()));
      String[] nonceTokens = StringUtils.delimitedListToStringArray(nonceAsPlainText, ":");

      if (nonceTokens.length != 2) {
        fail(
            request,
            response,
            new BadCredentialsException(
                messages.getMessage(
                    "DigestProcessingFilter.nonceNotTwoTokens",
                    new Object[] {nonceAsPlainText},
                    "Nonce should have yielded two tokens but was {0}")));

        return;
      }

      // Extract expiry time from nonce
      long nonceExpiryTime;

      try {
        nonceExpiryTime = new Long(nonceTokens[0]).longValue();
      } catch (NumberFormatException nfe) {
        fail(
            request,
            response,
            new BadCredentialsException(
                messages.getMessage(
                    "DigestProcessingFilter.nonceNotNumeric",
                    new Object[] {nonceAsPlainText},
                    "Nonce token should have yielded a numeric first token, but was {0}")));

        return;
      }

      // Check signature of nonce matches this expiry time
      String expectedNonceSignature =
          DigestUtils.md5Hex(nonceExpiryTime + ":" + this.getAuthenticationEntryPoint().getKey());

      if (!expectedNonceSignature.equals(nonceTokens[1])) {
        fail(
            request,
            response,
            new BadCredentialsException(
                messages.getMessage(
                    "DigestProcessingFilter.nonceCompromised",
                    new Object[] {nonceAsPlainText},
                    "Nonce token compromised {0}")));

        return;
      }

      // Lookup password for presented username
      // NB: DAO-provided password MUST be clear text - not encoded/salted
      // (unless this instance's passwordAlreadyEncoded property is 'false')
      boolean loadedFromDao = false;
      UserDetails user = userCache.getUserFromCache(username);

      if (user == null) {
        loadedFromDao = true;

        try {
          user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException notFound) {
          fail(
              request,
              response,
              new BadCredentialsException(
                  messages.getMessage(
                      "DigestProcessingFilter.usernameNotFound",
                      new Object[] {username},
                      "Username {0} not found")));

          return;
        }

        if (user == null) {
          throw new AuthenticationServiceException(
              "AuthenticationDao returned null, which is an interface contract violation");
        }

        userCache.putUserInCache(user);
      }

      // Compute the expected response-digest (will be in hex form)
      String serverDigestMd5;

      // Don't catch IllegalArgumentException (already checked validity)
      serverDigestMd5 =
          generateDigest(
              passwordAlreadyEncoded,
              username,
              realm,
              user.getPassword(),
              ((HttpServletRequest) request).getMethod(),
              uri,
              qop,
              nonce,
              nc,
              cnonce);

      // If digest is incorrect, try refreshing from backend and recomputing
      if (!serverDigestMd5.equals(responseDigest) && !loadedFromDao) {
        if (logger.isDebugEnabled()) {
          logger.debug(
              "Digest comparison failure; trying to refresh user from DAO in case password had changed");
        }

        try {
          user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException notFound) {
          // Would very rarely happen, as user existed earlier
          fail(
              request,
              response,
              new BadCredentialsException(
                  messages.getMessage(
                      "DigestProcessingFilter.usernameNotFound",
                      new Object[] {username},
                      "Username {0} not found")));
        }

        userCache.putUserInCache(user);

        // Don't catch IllegalArgumentException (already checked validity)
        serverDigestMd5 =
            generateDigest(
                passwordAlreadyEncoded,
                username,
                realm,
                user.getPassword(),
                ((HttpServletRequest) request).getMethod(),
                uri,
                qop,
                nonce,
                nc,
                cnonce);
      }

      // If digest is still incorrect, definitely reject authentication attempt
      if (!serverDigestMd5.equals(responseDigest)) {
        if (logger.isDebugEnabled()) {
          logger.debug(
              "Expected response: '"
                  + serverDigestMd5
                  + "' but received: '"
                  + responseDigest
                  + "'; is AuthenticationDao returning clear text passwords?");
        }

        fail(
            request,
            response,
            new BadCredentialsException(
                messages.getMessage(
                    "DigestProcessingFilter.incorrectResponse", "Incorrect response")));

        return;
      }

      // To get this far, the digest must have been valid
      // Check the nonce has not expired
      // We do this last so we can direct the user agent its nonce is stale
      // but the request was otherwise appearing to be valid
      if (nonceExpiryTime < System.currentTimeMillis()) {
        fail(
            request,
            response,
            new NonceExpiredException(
                messages.getMessage(
                    "DigestProcessingFilter.nonceExpired", "Nonce has expired/timed out")));

        return;
      }

      if (logger.isDebugEnabled()) {
        logger.debug(
            "Authentication success for user: '******' with response: '"
                + responseDigest
                + "'");
      }

      // START SIPXECS CUSTOM CODE: XX-8253
      // commented original code
      // UsernamePasswordAuthenticationToken authRequest = new
      // UsernamePasswordAuthenticationToken(user,
      //        user.getPassword());

      // creates digest token to be handled by
      // org.sipfoundry.sipxconfig.security.DaoAuthenticationProvider
      UsernamePasswordAuthenticationToken authRequest =
          new DigestUsernamePasswordAuthenticationToken(user, user.getPassword());
      // END SIPXECS CUSTOM CODE: XX-8253
      authRequest.setDetails(
          authenticationDetailsSource.buildDetails((HttpServletRequest) request));

      SecurityContextHolder.getContext().setAuthentication(authRequest);
    }

    chain.doFilter(request, response);
  }