/**
 * Builds the {@link AuthenticationInfo} for a Subject whose LDAP authentication attempt has
 * already succeeded.
 *
 * <p>The {@code ldapPrincipal}, {@code ldapCredentials} and {@code ldapContext} arguments are not
 * consulted: the returned {@code AuthenticationInfo} simply mirrors the submitted token's
 * principal and credentials. That is sound only because this method runs after the LDAP bind has
 * succeeded, i.e. the submitted principal and credentials have just been verified by the
 * directory.
 *
 * <p>Subclasses may override this method when a richer {@code AuthenticationInfo} is required.
 *
 * @param token the submitted {@code AuthenticationToken} that led to a successful authentication
 * @param ldapPrincipal the principal used to open the LDAP connection. Unlike the token's
 *     {@link AuthenticationToken#getPrincipal() principal}, this is usually a constructed User DN
 *     rather than a bare username or uid; its exact form depends on the configured
 *     <a href="http://download-llnw.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html">LDAP
 *     authentication mechanism</a>.
 * @param ldapCredentials the credentials used to open the LDAP connection.
 * @param ldapContext the {@code LdapContext} whose creation constituted the successful
 *     authentication. Subclasses may use it for further lookups; it must not be closed here, as
 *     the caller closes it once this method returns.
 * @return the {@link AuthenticationInfo} for the successfully authenticated Subject.
 * @throws NamingException if the {@code LdapContext} cannot be used
 */
@SuppressWarnings({"UnusedDeclaration"})
protected AuthenticationInfo createAuthenticationInfo(
        AuthenticationToken token, Object ldapPrincipal, Object ldapCredentials, LdapContext ldapContext)
        throws NamingException {
    // Only the (already verified) token is reflected back; the LDAP-side arguments are unused here.
    Object verifiedPrincipal = token.getPrincipal();
    Object verifiedCredentials = token.getCredentials();
    return new SimpleAuthenticationInfo(verifiedPrincipal, verifiedCredentials, getName());
}
/**
 * Resolves the customer login for the submitted principal and hands its stored password to the
 * realm's CredentialsMatcher.
 *
 * @param token the submitted token; its principal is used as the login id
 * @return the account's {@code AuthenticationInfo}
 * @throws UnknownAccountException if no login exists or the owning customer is deleted
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    Object loginId = token.getPrincipal();
    CustomerLogin customerLogin = queryService.findCustomerLoginByLoginId(loginId);
    // A missing login and a soft-deleted customer are both reported as "unknown account".
    boolean missing = customerLogin == null;
    if (missing || customerLogin.getCustomer().isDeleted()) {
        throw new UnknownAccountException("No account found for user [" + loginId + "]");
    }
    // The stored password is compared by the realm's CredentialsMatcher, not here.
    return new SimpleAuthenticationInfo(loginId, customerLogin.getLoginPassword(), getName());
}
// 登录信息和用户验证信息验证 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { String username = (String) token.getPrincipal(); // 得到用户名 String password = new String((char[]) token.getCredentials()); // 得到密码 if (null != username && null != password) { return new SimpleAuthenticationInfo(username, password, getName()); } else { return null; } }
/**
 * Demo lookup: accepts exactly one hard-coded username/password pair.
 *
 * @param token the submitted token (String principal, char[] credentials)
 * @return an {@code AuthenticationInfo} mirroring the verified token
 * @throws UnknownAccountException if the username is not the expected one
 * @throws IncorrectCredentialsException if the password does not match
 */
@Override
public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    String submittedUser = (String) token.getPrincipal(); // username
    String submittedPassword = new String((char[]) token.getCredentials()); // password
    boolean knownUser = "zhang".equals(submittedUser);
    if (!knownUser) {
        throw new UnknownAccountException(); // unknown username
    }
    boolean passwordOk = "123456".equals(submittedPassword);
    if (!passwordOk) {
        throw new IncorrectCredentialsException(); // wrong password
    }
    // Both checks passed: hand back an AuthenticationInfo mirroring the verified token.
    return new SimpleAuthenticationInfo(submittedUser, submittedPassword, getName());
}
/**
 * Demo lookup: accepts exactly one hard-coded username/password pair.
 *
 * @param token the submitted token (String principal, char[] credentials)
 * @return an {@code AuthenticationInfo} mirroring the verified token
 * @throws UnknownAccountException if the username is not the expected one
 * @throws IncorrectCredentialsException if the password does not match
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    String submittedUser = (String) token.getPrincipal(); // username
    String submittedPassword = new String((char[]) token.getCredentials()); // password
    boolean knownUser = "zhang".equals(submittedUser);
    if (!knownUser) {
        throw new UnknownAccountException(); // wrong username
    }
    boolean passwordOk = "123".equals(submittedPassword);
    if (!passwordOk) {
        throw new IncorrectCredentialsException(); // wrong password
    }
    // Authentication succeeded: return an AuthenticationInfo implementation for the token.
    return new SimpleAuthenticationInfo(submittedUser, submittedPassword, getName());
}
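/**
 * Retrieves authentication data from the authorization-user service for the given token.
 *
 * @param token the authentication token containing the user's principal (a {@code String}
 *     username) and credentials.
 * @return an AuthenticationInfo carrying the stored password and per-user salt; password
 *     comparison is left to the realm's CredentialsMatcher
 * @throws AuthenticationException if no account exists for the username (Shiro's
 *     {@code UnknownAccountException} is the conventional subtype when it is in scope)
 * @throws LockedAccountException if the account is flagged as locked
 */
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    String username = (String) token.getPrincipal();
    AuthorizationUser user = _authorizationUserService.loadUserByUsername(username);
    // An unknown user must be reported explicitly; the original dereferenced a null user below.
    if (user == null) {
        throw new AuthenticationException("No account found for user [" + username + "]");
    }
    if (Boolean.TRUE.equals(user.getLocked())) {
        throw new LockedAccountException(); // account locked
    }
    // Password matching is delegated to the CredentialsMatcher, which receives the stored
    // password and the per-user salt through this SimpleAuthenticationInfo.
    SimpleAuthenticationInfo info =
            new SimpleAuthenticationInfo(
                    user.getUsername(),
                    user.getPassword(),
                    ByteSource.Util.bytes(user.getCredentialsSalt()),
                    getName());
    if (_logger.isDebugEnabled()) {
        _logger.debug("call doGetAuthenticationInfo.. salt=" + user.getCredentialsSalt());
    }
    return info;
}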
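/**
 * Looks the user up in the MySQL-backed user service and hands the stored password and salt to
 * the realm's CredentialsMatcher.
 *
 * @param token the submitted token; its principal is a {@code String} username
 * @return the account's {@code AuthenticationInfo}, salted with {@code username + salt}
 * @throws UnknownAccountException if the user cannot be found (or the lookup itself fails)
 * @throws LockedAccountException if the account is flagged as locked
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    String username = (String) token.getPrincipal();
    log.info("MysqlRealm收到认证请求,用户名为:{}", username);
    SysUser user;
    try {
        user = getUserService().findByUsername(username);
    } catch (Exception e) {
        // A lookup failure is deliberately treated as "account not found" rather than propagated,
        // but it must not be silent: keep the cause in the log for operators.
        log.warn("MysqlRealm获取用户信息出错:{}", e.toString(), e);
        user = null;
    }
    if (user == null) {
        throw new UnknownAccountException(); // account not found
    }
    // The original statement used String.format placeholders (%d/%s) with an SLF4J logger, so
    // nothing was substituted, and it also wrote the stored password to the log.
    log.info("MysqlRealm找到指定用户,用户ID:{},用户名:{}", user.getId(), username);
    if (Boolean.TRUE.equals(user.getLocked())) {
        throw new LockedAccountException(); // account locked
    }
    // Password matching is delegated to AuthenticatingRealm's CredentialsMatcher; the salt handed
    // over is username + stored salt and must match the scheme used when the hash was produced.
    SimpleAuthenticationInfo authenticationInfo =
            new SimpleAuthenticationInfo(
                    user.getUsername(), // username
                    user.getPassword(), // stored password
                    ByteSource.Util.bytes(user.getUsername() + user.getSalt()), // salt = username + salt
                    getName()); // realm name
    return authenticationInfo;
}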
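/**
 * Authenticates a username/password token against Atlassian Crowd.
 *
 * @param authenticationToken the submitted token; must be a {@link UsernamePasswordToken}
 * @return an {@code AuthenticationInfo} mirroring the token once Crowd has accepted it
 * @throws UnsupportedTokenException if the token is not a {@code UsernamePasswordToken}
 * @throws AuthenticationException for any Crowd-side failure, wrapped with {@code DEFAULT_MESSAGE}
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
        throws AuthenticationException {
    if (!(authenticationToken instanceof UsernamePasswordToken)) {
        throw new UnsupportedTokenException(
                "Token of type "
                        + authenticationToken.getClass().getName()
                        + " is not supported. A "
                        + UsernamePasswordToken.class.getName()
                        + " is required.");
    }
    UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
    // Crowd's API takes a String; this copy of the password exists only for the call below.
    String password = new String(token.getPassword());
    try {
        crowdClientHolder.getAuthenticationManager().authenticate(token.getUsername(), password);
        // Crowd accepted the credentials, so the token can be mirrored back as the verified info.
        return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
    } catch (RemoteException
            | com.atlassian.crowd.exception.InactiveAccountException
            | com.atlassian.crowd.exception.ExpiredCredentialException
            | com.atlassian.crowd.exception.InvalidAuthenticationException
            | com.atlassian.crowd.exception.InvalidAuthorizationTokenException
            | com.atlassian.crowd.exception.ApplicationAccessDeniedException e) {
        // Every Crowd failure maps to the same generic message, so the caller cannot tell whether
        // the account is missing, inactive or expired; the cause is preserved for the logs.
        throw new AuthenticationException(DEFAULT_MESSAGE, e);
    }
}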
/**
 * Determines the principal with which the LDAP connection for an authentication attempt is opened.
 *
 * <p>Heuristic: a {@code String} {@link AuthenticationToken#getPrincipal() principal} is taken to
 * be a raw uid or username and is {@link #getUserDn(String) expanded} into a User DN, since
 * nearly all directories expect the bind to present a DN rather than an unqualified name.
 *
 * <p>Any non-String principal is assumed to already be in a form the underlying
 * {@link LdapContextFactory} understands and is returned unchanged.
 *
 * @param token the {@link AuthenticationToken} submitted during authentication
 * @return the User DN, or the raw principal when it is not a String
 * @see LdapContextFactory#getLdapContext(Object, Object)
 */
protected Object getLdapPrincipal(AuthenticationToken token) {
    Object rawPrincipal = token.getPrincipal();
    if (!(rawPrincipal instanceof String)) {
        return rawPrincipal;
    }
    return getUserDn((String) rawPrincipal);
}
// 验证用户 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { String loginName = (String) token.getPrincipal(); // 得到用户名 String password = new String((char[]) token.getCredentials()); // 得到密码 User user = new User(); user.setLoginName(loginName); user.setPassword(password); User loginUser = adminUserDao.login(user.getLoginName(), user.getPassword()); if (loginUser == null || loginUser.getId() <= 0) { throw new IncorrectCredentialsException("用户名或密码不正确!"); } // 如果身份认证验证成功,返回一个 AuthenticationInfo 实现; return new SimpleAuthenticationInfo(loginName, password, getName()); }
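/**
 * Finds the directory entry for the token's principal via a system-account search and then
 * authenticates by binding as that entry with the token's credentials.
 *
 * @param token the submitted token; a null token or null principal yields {@code null}
 * @param contextFactory source of the system context (search) and user context (bind)
 * @return an {@code AuthenticationInfo} keyed by the entry's DN on a successful bind, otherwise
 *     {@code null} (search errors and failed binds are logged, not propagated)
 * @throws NamingException declared for the Shiro contract; this implementation catches and logs
 */
@Override
protected AuthenticationInfo queryForAuthenticationInfo(
        AuthenticationToken token, LdapContextFactory contextFactory) throws NamingException {
    // Guard first: the original dereferenced token.getPrincipal() in a log call before this check.
    if (token == null || token.getPrincipal() == null) {
        logger.info("No authentication token provided, will not try to authenticate..");
        return null;
    }
    logger.debug(
            "queryForAuthenticationInfo, principal: {}, credentials: *****", token.getPrincipal());
    logger.debug("contextFactory : {}", contextFactory);
    LdapContext sysCtx = null;
    NamingEnumeration<?> results = null;
    try {
        sysCtx = contextFactory.getSystemLdapContext();
        String objClsFilter = createObjectClassFilter(objectClasses);
        // NOTE(review): the principal is interpolated into an LDAP search filter; confirm that
        // createAttributeFilter escapes RFC 4515 metacharacters ('*', '(', ')', '\', NUL).
        String userIdFilter =
                createAttributeFilter(userIdAttribute, token.getPrincipal().toString());
        String filter = mergeFiltersAND(objClsFilter, userIdFilter);
        results = sysCtx.search(config.getUserLdapBaseDn(), filter, getSimpleSearchControls());
        while (results.hasMore()) {
            SearchResult result = (SearchResult) results.next();
            String dn = result.getNameInNamespace();
            // Binding as the candidate entry is the authentication. The user context is only a
            // probe, so it is closed right away (the original never closed it).
            LdapContext userCtx = null;
            try {
                userCtx = contextFactory.getLdapContext(dn, token.getCredentials());
                return new SimpleAuthenticationInfo(dn, token.getCredentials(), "StaticRealm");
            } catch (Exception e) {
                // A failed bind for one candidate is not fatal; the next match is tried.
                logger.error(e.getMessage(), e);
            } finally {
                closeQuietly(userCtx);
            }
        }
    } catch (Exception e) {
        // Search/connection failures are reported as "no account" (null) rather than propagated,
        // matching the original contract; the cause is kept in the log.
        logger.error(e.getMessage(), e);
    } finally {
        // Both the enumeration and the system context were leaked by the original.
        closeQuietly(results);
        closeQuietly(sysCtx);
    }
    return null;
}

/** Closes a search enumeration; close failures are logged, never propagated. */
private void closeQuietly(NamingEnumeration<?> enumeration) {
    if (enumeration == null) {
        return;
    }
    try {
        enumeration.close();
    } catch (NamingException e) {
        logger.debug("Ignoring failure while closing NamingEnumeration", e);
    }
}

/** Closes an LDAP context; close failures are logged, never propagated. */
private void closeQuietly(LdapContext ctx) {
    if (ctx == null) {
        return;
    }
    try {
        ctx.close();
    } catch (NamingException e) {
        logger.debug("Ignoring failure while closing LdapContext", e);
    }
}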
/**
 * Validates the pre-resolved {@code User} carried as the token's principal and wraps it in a
 * principal collection scoped to the OAuth realm.
 *
 * @param token the submitted token; its principal is a {@code User} (may be null)
 * @return an {@code AuthenticationInfo} whose principal is the {@code User} itself
 * @throws UnknownAccountException if the token carries no user
 * @throws LockedAccountException if the user is inactive or locked
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    User account = (User) token.getPrincipal();
    // Reject, in order: no account, inactive account, locked account.
    if (account == null) {
        throw new UnknownAccountException(
                ConstantsUtility.ERROR_MESSAGES.getString("userDoesNotExist"));
    }
    if (!account.isActive()) {
        throw new LockedAccountException(ConstantsUtility.ERROR_MESSAGES.getString("userInactive"));
    }
    if (account.isLocked()) {
        throw new LockedAccountException(ConstantsUtility.ERROR_MESSAGES.getString("userLocked"));
    }
    SimplePrincipalCollection principals = new SimplePrincipalCollection();
    principals.add(account, ConstantsUtility.OAUTH_REALM_NAME);
    return new SimpleAuthenticationInfo(principals, token.getCredentials());
}
/**
 * Authenticates by opening an LDAP connection with the token's
 * {@link #getLdapPrincipal(org.apache.shiro.authc.AuthenticationToken) resolved principal} and
 * {@link AuthenticationToken#getCredentials() credentials}. A successful bind is treated as a
 * successful authentication, and the result is built by
 * {@link #createAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken, Object, Object,
 * javax.naming.ldap.LdapContext)}. If the bind fails, or any other JNDI problem occurs, a
 * {@link NamingException} propagates.
 *
 * @param token the submitted token that triggered the authentication attempt.
 * @param ldapContextFactory factory used to obtain LDAP connections.
 * @return an {@link AuthenticationInfo} for the authenticated user.
 * @throws NamingException if the bind fails or any other LDAP error occurs.
 */
protected AuthenticationInfo queryForAuthenticationInfo(
        AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
    Object credentials = token.getCredentials();
    log.debug("Authenticating user '{}' through LDAP", token.getPrincipal());
    // Bind with the directory-side principal (usually a User DN), not the raw token principal.
    Object bindPrincipal = getLdapPrincipal(token);
    LdapContext ctx = null;
    try {
        // Opening the context is the authentication: a rejected bind surfaces as a NamingException.
        ctx = ldapContextFactory.getLdapContext(bindPrincipal, credentials);
        return createAuthenticationInfo(token, bindPrincipal, credentials, ctx);
    } finally {
        // The context is needed only while createAuthenticationInfo runs; always release it.
        LdapUtils.closeContext(ctx);
    }
}
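/**
 * Builds the authentication token for a request carrying HTTP Basic credentials, resolving the
 * submitted username to a directory DN (via a service-account search) before creating the token.
 *
 * @param request the incoming request, read for its Authorization header
 * @param response the response (passed through to the token factory)
 * @return a token for the resolved DN and submitted password; an empty token when no header is
 *     present, or a token with an empty password when none was supplied
 */
@Override
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
    String authorizationHeader = getAuthzHeader(request);
    if (authorizationHeader == null || authorizationHeader.length() == 0) {
        // No Authorization header: hand back an empty token so the login attempt fails cleanly.
        return createToken("", "", request, response);
    }
    if (log.isDebugEnabled()) {
        // The header carries the base64-encoded password; log its presence, never its value.
        log.debug("Attempting to execute login with an Authorization header present");
    }
    String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request);
    if (prinCred == null || prinCred.length < 2) {
        // No password supplied in the request: create the token with an empty one.
        String username = prinCred == null || prinCred.length == 0 ? "" : prinCred[0];
        return createToken(username, "", request, response);
    }
    String username = prinCred[0];
    String password = prinCred[1];
    // The username comes straight from the client, so it is escaped before being substituted
    // into the search-filter template (RFC 4515); otherwise "*" or ")(" would alter the query.
    String sf = SF.replace("{0}", escapeLdapFilterValue(username));
    InitialLdapContext ctx = null;
    try {
        AuthenticationToken at =
                new UsernamePasswordToken(MessagingServletConfig.ldapUser, MessagingServletConfig.ldapPw);
        ctx = (InitialLdapContext) jlc.getLdapContext(at.getPrincipal(), at.getCredentials());
        SearchResult result = searchUnique(sf, ctx);
        Attributes attrs = result.getAttributes();
        // NOTE(review): the "******" prefix is reproduced as found; it looks like a redacted RDN
        // attribute prefix and should be confirmed against the original source.
        username = "******" + attrs.get("cn").get(0) + ",ou=gateways," + MessagingServletConfig.ldapBaseDn;
    } catch (IllegalStateException | NamingException e) {
        // Fall through with the raw username; the realm rejects it if it cannot bind.
        log.warn(username + " not found in directory", e);
    } finally {
        // The service-account context was only closed on the success path in the original.
        closeQuietly(ctx);
    }
    return createToken(username, password, request, response);
}

/** Closes the service-account context used for the lookup; a close failure is only logged. */
private void closeQuietly(InitialLdapContext ctx) {
    if (ctx == null) {
        return;
    }
    try {
        ctx.close();
    } catch (NamingException e) {
        log.warn("Failed to close LDAP context", e);
    }
}

/**
 * Escapes a value for use inside an LDAP search filter (RFC 4515 section 3).
 *
 * @param value the raw attribute value
 * @return the value with {@code \}, {@code *}, {@code (}, {@code )} and NUL hex-escaped
 */
private static String escapeLdapFilterValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '\\':
                sb.append("\\5c");
                break;
            case '*':
                sb.append("\\2a");
                break;
            case '(':
                sb.append("\\28");
                break;
            case ')':
                sb.append("\\29");
                break;
            case '\0':
                sb.append("\\00");
                break;
            default:
                sb.append(c);
        }
    }
    return sb.toString();
}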
/**
 * Looks the user up by username and hands the stored password and per-user salt to the realm's
 * CredentialsMatcher.
 *
 * @param token the submitted token; its principal is a {@code String} username
 * @return the account's {@code AuthenticationInfo}
 * @throws UnknownAccountException if no user exists for the username
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    String username = (String) token.getPrincipal();
    User account = userService.getUser(username);
    if (account == null) {
        throw new UnknownAccountException();
    }
    ByteSource salt = ByteSource.Util.bytes(account.getSalt());
    return new SimpleAuthenticationInfo(account.getUsername(), account.getPassword(), salt, getName());
}
/**
 * In-memory demo realm: three fixed accounts with fixed passwords.
 *
 * @param authToken the submitted token; its principal is a {@code String} username
 * @return the matching account's {@code AuthenticationInfo}
 * @throws AuthenticationException for any username other than the three known ones (or null)
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authToken)
        throws AuthenticationException {
    String userName = (String) authToken.getPrincipal();
    // A null principal must not reach the switch (it would throw NullPointerException).
    if (userName == null) {
        throw new AuthenticationException();
    }
    switch (userName) {
        case "bush":
            return new SimpleAuthenticationInfo("bush", "president", getName());
        case "ban ki-moon":
            return new SimpleAuthenticationInfo("ban ki-moon", "nato", getName());
        case "balkenende":
            return new SimpleAuthenticationInfo("balkenende", "h.potter", getName());
        default:
            throw new AuthenticationException();
    }
}
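/**
 * Resolves the account through the {@code UserBusiness} carried inside the custom token.
 *
 * @param token the submitted token; must be a {@code UserNamePasswordTokenEx}
 * @return a {@code SimpleAccount} holding the user's login and stored password under
 *     {@code USER_REALM}
 * @throws AuthenticationException if the token is of another type (or null)
 * @throws UnknownAccountException if no user exists for the login
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    // hack: the business service travels inside the token. The cast is guarded so a foreign
    // token yields an AuthenticationException instead of a ClassCastException escaping the realm.
    if (!(token instanceof UserNamePasswordTokenEx)) {
        throw new AuthenticationException(
                "Unsupported token type: " + (token == null ? "null" : token.getClass().getName()));
    }
    UserBusiness userBusiness = ((UserNamePasswordTokenEx) token).getUserBussines();
    User user = userBusiness.findByLogin(String.valueOf(token.getPrincipal()));
    if (user == null) {
        throw new UnknownAccountException();
    }
    // user.getPassword() is what the CredentialsMatcher compares against; the commented-out
    // getPasswdHash() alternative is left as found.
    AuthenticationInfo authenticationInfo =
            new SimpleAccount(user.getLogin(), user.getPassword(), /*user.getPasswdHash()*/ USER_REALM);
    return authenticationInfo;
}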
/*
 * User authentication.
 * @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    logger.debug(String.format("token:[%s]", token.getClass()));
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    String username = upToken.getUsername();
    ByteSource salt = ByteSource.Util.bytes(username);
    // Expected credential: md5(password, salt = username, 2 iterations), hex-encoded.
    // NOTE(review): this hash is derived from the password submitted in the token itself, not
    // from a stored value, so a HashedCredentialsMatcher configured with the same scheme cannot
    // reject any password for a given username — confirm this realm is only meant as a demo.
    String expectedHash = new SimpleHash("md5", new String(upToken.getPassword()), salt, 2).toHex();
    // Password comparison is delegated to AuthenticatingRealm's CredentialsMatcher.
    return new SimpleAuthenticationInfo(username, expectedHash, salt, this.getName());
}
/**
 * Counts attempts per username before delegating to the parent matcher; the 11th consecutive
 * attempt is rejected outright, and a successful match clears the counter.
 *
 * @param token the submitted token; its principal is a {@code String} username
 * @param info the stored account information
 * @return whether the parent matcher accepted the credentials
 * @throws ExcessiveAttemptsException once more than 10 attempts have accumulated
 */
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    String username = (String) token.getPrincipal();
    AtomicInteger attempts = passwordRetryCache.get(username);
    if (attempts == null) {
        attempts = new AtomicInteger(0);
        passwordRetryCache.put(username, attempts);
    }
    // The current attempt is counted before matching so the limit covers this request too.
    int attemptNumber = attempts.incrementAndGet();
    if (attemptNumber > 10) {
        throw new ExcessiveAttemptsException(String.valueOf(attempts.get()));
    }
    boolean matched = super.doCredentialsMatch(token, info);
    if (matched) {
        // Success clears the counter; failures leave it to accumulate.
        passwordRetryCache.remove(username);
    }
    return matched;
}
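/**
 * Counts attempts per username (in an Ehcache-backed cache) before delegating to the parent
 * matcher; the 6th consecutive attempt is rejected outright, and a successful match clears the
 * counter.
 *
 * @param token the submitted token; its principal's string form is the cache key
 * @param info the stored account information
 * @return whether the parent matcher accepted the credentials
 * @throws ExcessiveAttemptsException once more than 5 attempts have accumulated
 */
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    String username = token.getPrincipal().toString();
    // The counter must be looked up under the actual username. The original used the literal
    // "username" as the key, so the lookup never hit, every attempt started a fresh counter and
    // the lockout could never trigger.
    Element element = passwordRetryCache.get(username);
    if (element == null) {
        element = new Element(username, new AtomicInteger(0));
        passwordRetryCache.put(element);
    }
    AtomicInteger retryCount = (AtomicInteger) element.getObjectValue();
    // The current attempt is counted before matching so the limit covers this request too.
    if (retryCount.incrementAndGet() > 5) {
        throw new ExcessiveAttemptsException();
    }
    boolean match = super.doCredentialsMatch(token, info);
    if (match) {
        // Success clears the counter; failures leave it to accumulate.
        passwordRetryCache.remove(username);
    }
    return match;
}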
/* Look up the account information for the submitted token, choosing the user store by role. */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    String username = (String) token.getPrincipal();
    // The role travels inside the custom token and selects which user store is consulted.
    String role = ((JxjsToken) token).getRole();
    SimpleAuthenticationInfo authenticationInfo = null;
    if ("jianyu".equals(role)) {
        TUser user = ud.findUsername(username);
        if (user == null) {
            throw new UnknownAccountException(); // account not found
        }
        // The realm name passed here is the role literal, not getName().
        authenticationInfo = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), "jianyu");
    } else if ("fayuan".equals(role)) {
        // NOTE(review): in this copy the only declaration of yhb is the commented-out line
        // below, which looks like a line-wrapping artifact; confirm against the original source.
        // PubXtglYhb yhb = yhbDao.getPubXtglYhbByYhdm(username);
        if (yhb == null) {
            throw new UnknownAccountException(); // account not found
        }
        authenticationInfo = new SimpleAuthenticationInfo(yhb.getYhdm(), yhb.getYhkl(), "fayuan");
    }
    // Any other role falls through and yields null.
    return authenticationInfo;
}
/**
 * Looks the user up by username and hands the stored password and the realm-wide salt to the
 * CredentialsMatcher.
 *
 * <p>NOTE(review): every account shares the fixed salt {@code "library-salt"}, so identical
 * passwords hash identically across users; a per-user salt would be preferable once stored
 * hashes can be migrated.
 *
 * @param token the submitted token; its principal is a {@code String} username
 * @return the account's {@code AuthenticationInfo}
 * @throws UnknownAccountException if no user exists for the username
 * @throws LockedAccountException if the account is flagged as locked
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    String username = (String) token.getPrincipal();
    User account = userService.findByUsername(username);
    if (account == null) {
        throw new UnknownAccountException(); // account not found
    }
    boolean locked = Boolean.TRUE.equals(account.getLocked());
    if (locked) {
        throw new LockedAccountException(); // account locked
    }
    ByteSource salt = ByteSource.Util.bytes("library-salt");
    // Password matching is delegated to AuthenticatingRealm's CredentialsMatcher.
    return new SimpleAuthenticationInfo(
            account.getUsername(), // username
            account.getPassword(), // stored password
            salt,
            getName()); // realm name
}
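/*
 * (non-Javadoc)
 * @see org.apache.shiro.authc.credential.CredentialsMatcher#doCredentialsMatch(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)
 */
/**
 * Compares the submitted password against the stored credential, which is either
 * {@code passwordPattern}-encoded ({@code SSHA} or {@code PLAIN}) or a bcrypt string starting
 * with {@code $}.
 *
 * @param token the submitted token; an {@code AutologinToken} is accepted without any check
 * @param info the stored account information
 * @return {@code true} if the credentials match; {@code false} for null credentials, unknown
 *     algorithms or syntax, malformed SSHA values, or a mismatch
 */
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    if (token instanceof AutologinToken) {
        log.debug("Auto-logging in {}", token.getPrincipal());
        return true;
    }
    if (token.getCredentials() == null) {
        log.warn("Rejecting null token credentials for {}", token.getPrincipal());
        return false;
    }
    if (info.getCredentials() == null) {
        log.warn("Rejecting null stored credentials for {}", info.getPrincipals());
        return false;
    }
    final String host =
            token instanceof HostAuthenticationToken ? ((HostAuthenticationToken) token).getHost() : null;
    final String passwordToken = String.valueOf((char[]) token.getCredentials());
    final String userPassword = info.getCredentials().toString();
    final Matcher matcher = passwordPattern.matcher(userPassword);
    if (matcher.matches()) {
        final String algorithm = matcher.group(1);
        final String encodedBase64 = matcher.group(2);
        switch (algorithm) {
            case "SSHA":
                final byte[] encoded = Base64.decodeBase64(encodedBase64);
                // Only the decoded length is logged; the stored credential itself stays out of logs.
                log.trace("Decoded stored SSHA credential into {} bytes", encoded.length);
                if (encoded.length < 21) {
                    log.error(
                            "Encoded length must be at least 21 bytes, 20-byte password and at least 1-byte salt, for {}",
                            info.getPrincipals());
                    return false;
                }
                // SSHA layout: 20-byte digest followed by the salt.
                final byte[] digest = Arrays.copyOf(encoded, 20);
                final byte[] salt = Arrays.copyOfRange(encoded, 20, encoded.length);
                byte[] digestToken = HashedPasswordUtils.calculateSsha(passwordToken, salt);
                // Constant-time comparison: Arrays.equals returns at the first differing byte,
                // which leaks how much of the digest matched through timing.
                boolean sshaMatches = java.security.MessageDigest.isEqual(digestToken, digest);
                log.debug(
                        "Matching credentials for {} host {} using SSHA: {}",
                        token.getPrincipal(),
                        host,
                        sshaMatches);
                return sshaMatches;
            case "PLAIN":
                // For PLAIN the second group is the stored password itself; compare in constant time.
                boolean plainMatches = constantTimeEquals(encodedBase64, passwordToken);
                log.debug(
                        "Matching credentials for {} host {} using PLAIN: {}",
                        token.getPrincipal(),
                        host,
                        plainMatches);
                return plainMatches;
            default:
                log.error("Unknown password algorithm {} for {}", algorithm, info.getPrincipals());
                return false;
        }
    } else if (userPassword.startsWith("$")) {
        final BCryptPasswordService bCryptPasswordService = new BCryptPasswordService();
        return bCryptPasswordService.passwordsMatch(passwordToken, userPassword);
    } else {
        log.error("Unknown password syntax for {}", info.getPrincipals());
        return false;
    }
}

/**
 * Compares two strings without revealing, through timing, where they first differ. The length
 * difference is still observable, as with {@code MessageDigest.isEqual}.
 *
 * @param expected the stored value
 * @param actual the submitted value
 * @return {@code true} if both encode to identical UTF-8 byte sequences
 */
private static boolean constantTimeEquals(String expected, String actual) {
    byte[] expectedBytes = expected.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] actualBytes = actual.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(expectedBytes, actualBytes);
}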
/**
 * Produces an {@code AuthenticationInfo} for any principal with an empty stored credential.
 *
 * <p>NOTE(review): no lookup or verification happens here; whether the empty credential is ever
 * compared depends on the CredentialsMatcher configured for this realm — confirm that
 * configuration before treating this realm as authenticating anything.
 *
 * @param authcToken the submitted token; only its principal is used
 * @return an {@code AuthenticationInfo} for the principal with {@code ""} as credentials
 * @throws AuthenticationException declared for subclasses; not thrown by this implementation
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
        throws AuthenticationException {
    Object principal = authcToken.getPrincipal();
    String storedCredential = "";
    return new SimpleAuthenticationInfo(principal, storedCredential, this.getName());
}