/**
* Start the authentication process.
*
* @param scheme scheme
* @param request request
* @throws Exception on any error
*/
public static void authenticate(AuthenticationScheme scheme, HttpServletRequest request)
throws Exception {
AuthenticationModule module = scheme.currentAuthenticationModule();
if (module == null) {
throw new Exception("No current authentication module");
}
RequestParameterMap params = new RequestParameterMap(new ServletRequestAdapter(request));
User currentUser = scheme.getUser();
LogonStateAndCache logonStateMachine =
(LogonStateAndCache)
request.getSession().getAttribute(LogonStateAndCache.LOGON_STATE_MACHINE);
if (logonStateMachine == null) {
logonStateMachine =
new LogonStateAndCache(LogonStateAndCache.STATE_STARTED, request.getSession());
}
if (logonStateMachine.getState()
== LogonStateAndCache.STATE_KNOWN_USERNAME_NO_SCHEME_SPOOF_PASSWORD_ENTRY) {
scheme.addCredentials(new PasswordCredentials("", "".toCharArray()));
} else if (logonStateMachine.getState()
== LogonStateAndCache.STATE_UNKNOWN_USERNAME_PROMPT_FOR_PASSWORD) {
Credentials creds = module.authenticate(request, params);
if (creds != null) scheme.addCredentials(creds);
} else {
Credentials creds = module.authenticate(request, params);
if (creds != null) {
scheme.addCredentials(creds);
logonStateMachine.setState(LogonStateAndCache.STATE_VALID_LOGON);
}
// Check we have a user object
if (currentUser == null && scheme.getUser() == null) {
throw new Exception("The first authentication did not provide a user.");
}
}
PolicyUtil.checkLogin(scheme.getUser());
}
public ActionForward execute(
ActionMapping mapping,
ActionForm form,
HttpServletRequest request,
HttpServletResponse response)
throws Exception {
ActionMessages msgs = new ActionMessages();
SessionInfo sessionInfo = LogonControllerFactory.getInstance().getSessionInfo(request);
if (sessionInfo == null
&& request.getSession().getAttribute(Constants.SESSION_LOCKED) == null
&& LogonControllerFactory.getInstance().hasClientLoggedOn(request, response)
== LogonController.LOGGED_ON) {
if (log.isDebugEnabled()) log.debug(request.getRemoteHost() + " is already authenticated");
return mapping.findForward("success");
}
/*
* Get the authentication session and module to use to validate this
* authentication attempt
*/
AuthenticationScheme scheme =
(AuthenticationScheme) request.getSession().getAttribute(Constants.AUTH_SESSION);
LogonStateAndCache logonStateMachine =
(LogonStateAndCache)
request.getSession().getAttribute(LogonStateAndCache.LOGON_STATE_MACHINE);
// there are different users so we need to logon again, clearing the authentication scheme and
// logon machine.
if (sessionInfo != null
&& logonStateMachine != null
&& !sessionInfo.getUser().equals(logonStateMachine.getUser())) {
request.getSession().removeAttribute(Constants.AUTH_SESSION);
request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE);
LogonControllerFactory.getInstance().logoffSession(request, response);
msgs.add(
Globals.ERROR_KEY,
new ActionMessage("login.logonNotAllowed", "Session no longer valid, logon again."));
saveErrors(request, msgs);
return new RedirectWithMessages(mapping.findForward("logon"), request);
}
if (logonStateMachine == null) {
logonStateMachine =
new LogonStateAndCache(LogonStateAndCache.STATE_STARTED, request.getSession());
request.getSession().setAttribute(LogonStateAndCache.LOGON_STATE_MACHINE, logonStateMachine);
}
if (scheme == null) {
ActionForward fwd = null;
try {
fwd =
ShowLogonAction.checkAuthSession(
null, false, mapping, request, response, logonStateMachine);
} catch (CoreException ce) {
} catch (Throwable e) {
log.error("Logon not allowed.", e);
ActionMessages errs = new ActionMessages();
if (e instanceof CoreException) {
errs.add(Globals.ERROR_KEY, ((CoreException) e).getBundleActionMessage());
} else {
errs.add(
Globals.ERROR_KEY,
new ActionMessage("login.logonNotAllowed", "Please contact your administrator."));
}
saveErrors(request, errs);
request.getSession().removeAttribute(Constants.AUTH_SESSION);
request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE);
if (form != null) form.reset(mapping, request);
return new RedirectWithMessages(mapping.findForward("failed"), request);
}
if (fwd != null) {
scheme = (AuthenticationScheme) request.getSession().getAttribute(Constants.AUTH_SESSION);
}
}
if (scheme != null) {
AuthenticationModule module = scheme.currentAuthenticationModule();
if (module == null) {
log.error("No authentication module.");
request.getSession().removeAttribute(Constants.AUTH_SESSION);
return mapping.findForward("logon");
}
try {
// If there is no user in the scheme then it is an invalid login
if (scheme.getUser() == null) {
throw new InvalidLoginCredentialsException();
}
// Check the account is enabled and not locked
if (!PolicyUtil.isEnabled(scheme.getUser())) {
throw new AccountLockedException(scheme.getUsername(), "Account disabled.", true, 0);
}
// Check for locks
LogonControllerFactory.getInstance()
.checkForAccountLock(
scheme.getUsername(), scheme.getUser().getRealm().getResourceName());
// Authenticate
authenticate(scheme, request);
// Check logon is currently allowed
String logonNotAllowedReason =
LogonControllerFactory.getInstance().checkLogonAllowed(scheme.getUser());
if (logonNotAllowedReason != null) {
log.warn("Logon not allowed because '" + logonNotAllowedReason + "'");
msgs.add(
Globals.ERROR_KEY, new ActionMessage("login.logonNotAllowed", logonNotAllowedReason));
saveErrors(request, msgs);
return new RedirectWithMessages(mapping.findForward("logon"), request);
}
// Check for the next authentication modules
AuthenticationModule nextModule = scheme.nextAuthenticationModule();
if (nextModule != null
&& request.getSession().getAttribute(Constants.SESSION_LOCKED) == null) {
if (log.isDebugEnabled())
log.debug(
"There are more authentication modules to satisfy (current mapping = "
+ mapping.getPath());
ActionForward fw = new RedirectWithMessages(mapping.findForward("logon"), request);
return fw;
}
return finishAuthentication(scheme, request, response);
} catch (InputRequiredException ex) {
// The page wants to display or redirect somewhere
if (ex.getForward() == null) return mapping.findForward("logon");
else return ex.getForward();
} catch (AccountLockedException ale) {
return accountLocked(mapping, request, ale, msgs);
} catch (InvalidLoginCredentialsException ex) {
log.error("[" + request.getRemoteHost() + "] authentication failed", ex);
LogonForm logonForm = (LogonForm) form;
CoreServlet.getServlet()
.fireCoreEvent(
new CoreEvent(this, CoreEventConstants.LOGON, null, null, ex)
.addAttribute(
CoreAttributeConstants.EVENT_ATTR_IP_ADDRESS, request.getRemoteAddr())
.addAttribute(CoreAttributeConstants.EVENT_ATTR_HOST, request.getRemoteHost())
.addAttribute(CoreAttributeConstants.EVENT_ATTR_SCHEME, scheme.getSchemeName())
.addAttribute(
CoreAttributeConstants.EVENT_ATTR_ACCOUNT, logonForm.getUsername()));
request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE);
request.getSession().removeAttribute(Constants.AUTH_SESSION);
try {
scheme.setAccountLock(
LogonControllerFactory.getInstance()
.logonFailed(
((LogonForm) form).getUsername(),
((LogonForm) form).getRealmName(),
scheme.getAccountLock()));
} catch (AccountLockedException ale) {
return accountLocked(mapping, request, ale, msgs);
}
msgs.add(Globals.ERROR_KEY, new ActionMessage("login.invalidCredentials"));
saveErrors(request, msgs);
return new RedirectWithMessages(mapping.findForward("logon"), request);
} catch (Exception e) {
log.error("Internal error authenticating.", e);
msgs.add(
Globals.ERROR_KEY, new BundleActionMessage("security", "login.error", e.getMessage()));
saveErrors(request, msgs);
request.getSession().setAttribute(Constants.EXCEPTION, e);
request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE);
request.getSession().removeAttribute(Constants.AUTH_SESSION);
return new RedirectWithMessages(mapping.findForward("logon"), request);
}
} else {
ActionMessages errs = new ActionMessages();
errs.add(
Globals.MESSAGE_KEY,
new BundleActionMessage("security", "login.logonNotAllowed", "No scheme available."));
saveErrors(request, errs);
request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE);
request.getSession().removeAttribute(Constants.AUTH_SESSION);
if (form != null) form.reset(mapping, request);
return new RedirectWithMessages(mapping.findForward("logon"), request);
}
}
/**
* Complete the authentication process.
*
* @param scheme scheme
* @param request request
* @param response response
* @return forward to
* @throws Exception on any error
*/
public static ActionForward finishAuthentication(
AuthenticationScheme scheme, HttpServletRequest request, HttpServletResponse response)
throws Exception {
// Check we have a user object
if (scheme.getUser() == null) {
throw new Exception("No authentication module provided a user.");
}
// now add the policies associated with this scheme to the http session
// if the property says so.
if (Property.getPropertyBoolean(
new SystemConfigKey("security.enforce.policy.resource.access"))) {
List signOnPolicies =
PolicyDatabaseFactory.getInstance()
.getPoliciesAttachedToResource(scheme, scheme.getUser().getRealm());
scheme.getServletSession().setAttribute("auth.scheme.policies", signOnPolicies);
}
// If the user is a manager, check if there is a new SSL-Explorer
// version, or if there any exension updates
if (PolicyDatabaseFactory.getInstance()
.isAnyAccessRightAllowed(scheme.getUser(), true, true, false)) {
if ("false"
.equals(Property.getProperty(new ContextKey("webServer.disableCertificateWarning")))
&& !KeyStoreManager.getInstance(KeyStoreManager.DEFAULT_KEY_STORE)
.isCertificateTrusted(Property.getProperty(new ContextKey("webServer.alias")))) {
GlobalWarningManager.getInstance()
.addMultipleGlobalWarning(
new GlobalWarning(
GlobalWarning.MANAGEMENT_USERS,
new BundleActionMessage("keystore", "keyStore.untrustedCertificate.warning"),
DismissType.DISMISS_FOR_USER));
}
}
/*
* Each authentication module needs to be informed that authentication
* is now complete so it may perform any last minute checks
*/
scheme.authenticationComplete(request, response);
// Allow the home page to be redirected.
request.getSession().setAttribute(Constants.REDIRECT_HOME, "true");
// Authenitcation sequence complete
if (log.isDebugEnabled())
log.debug(scheme.getUsername() + " [" + request.getRemoteHost() + "] has been authenticated");
// Forward control to the specified success URI (possibly from the
// initial unautenticated request)
String originalRequest = (String) request.getSession().getAttribute(Constants.ORIGINAL_REQUEST);
ActionForward forward = null;
// Where next?
List profiles = (List) request.getSession().getAttribute(Constants.PROFILES);
int selectProfileAtLogin = -1;
try {
selectProfileAtLogin =
Property.getPropertyInt(
new UserAttributeKey(scheme.getUser(), User.USER_STARTUP_PROFILE));
} catch (NumberFormatException nfe) {
}
if (selectProfileAtLogin == -1 && profiles != null && profiles.size() > 1) {
// Prompt for the profile
forward = new ActionForward("/showSelectPropertyProfile.do");
} else {
if (null == originalRequest
|| "/showHome.do".equals(originalRequest)
|| "".equals(originalRequest)) {
boolean admin = LogonControllerFactory.getInstance().isAdministrator(scheme.getUser());
if (admin) {
originalRequest = "/showSystemConfiguration.do";
} else {
originalRequest = "/showHome.do";
}
request.getSession().removeAttribute(Constants.ORIGINAL_REQUEST);
}
if (Property.getPropertyBoolean(
new ProfilePropertyKey(
"client.autoStart", LogonControllerFactory.getInstance().getSessionInfo(request)))) {
request.getSession().removeAttribute(Constants.ORIGINAL_REQUEST);
request.getSession().setAttribute(Constants.REQ_ATTR_LAUNCH_AGENT_REFERER, originalRequest);
forward = new ActionForward("/launchAgent.do", false);
} else {
forward = new ActionForward(originalRequest, true);
}
}
return forward;
}
