/** * Start the authentication process. * * @param scheme scheme * @param request request * @throws Exception on any error */ public static void authenticate(AuthenticationScheme scheme, HttpServletRequest request) throws Exception { AuthenticationModule module = scheme.currentAuthenticationModule(); if (module == null) { throw new Exception("No current authentication module"); } RequestParameterMap params = new RequestParameterMap(new ServletRequestAdapter(request)); User currentUser = scheme.getUser(); LogonStateAndCache logonStateMachine = (LogonStateAndCache) request.getSession().getAttribute(LogonStateAndCache.LOGON_STATE_MACHINE); if (logonStateMachine == null) { logonStateMachine = new LogonStateAndCache(LogonStateAndCache.STATE_STARTED, request.getSession()); } if (logonStateMachine.getState() == LogonStateAndCache.STATE_KNOWN_USERNAME_NO_SCHEME_SPOOF_PASSWORD_ENTRY) { scheme.addCredentials(new PasswordCredentials("", "".toCharArray())); } else if (logonStateMachine.getState() == LogonStateAndCache.STATE_UNKNOWN_USERNAME_PROMPT_FOR_PASSWORD) { Credentials creds = module.authenticate(request, params); if (creds != null) scheme.addCredentials(creds); } else { Credentials creds = module.authenticate(request, params); if (creds != null) { scheme.addCredentials(creds); logonStateMachine.setState(LogonStateAndCache.STATE_VALID_LOGON); } // Check we have a user object if (currentUser == null && scheme.getUser() == null) { throw new Exception("The first authentication did not provide a user."); } } PolicyUtil.checkLogin(scheme.getUser()); }
public ActionForward execute( ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { ActionMessages msgs = new ActionMessages(); SessionInfo sessionInfo = LogonControllerFactory.getInstance().getSessionInfo(request); if (sessionInfo == null && request.getSession().getAttribute(Constants.SESSION_LOCKED) == null && LogonControllerFactory.getInstance().hasClientLoggedOn(request, response) == LogonController.LOGGED_ON) { if (log.isDebugEnabled()) log.debug(request.getRemoteHost() + " is already authenticated"); return mapping.findForward("success"); } /* * Get the authentication session and module to use to validate this * authentication attempt */ AuthenticationScheme scheme = (AuthenticationScheme) request.getSession().getAttribute(Constants.AUTH_SESSION); LogonStateAndCache logonStateMachine = (LogonStateAndCache) request.getSession().getAttribute(LogonStateAndCache.LOGON_STATE_MACHINE); // there are different users so we need to logon again, clearing the authentication scheme and // logon machine. if (sessionInfo != null && logonStateMachine != null && !sessionInfo.getUser().equals(logonStateMachine.getUser())) { request.getSession().removeAttribute(Constants.AUTH_SESSION); request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE); LogonControllerFactory.getInstance().logoffSession(request, response); msgs.add( Globals.ERROR_KEY, new ActionMessage("login.logonNotAllowed", "Session no longer valid, logon again.")); saveErrors(request, msgs); return new RedirectWithMessages(mapping.findForward("logon"), request); } if (logonStateMachine == null) { logonStateMachine = new LogonStateAndCache(LogonStateAndCache.STATE_STARTED, request.getSession()); request.getSession().setAttribute(LogonStateAndCache.LOGON_STATE_MACHINE, logonStateMachine); } if (scheme == null) { ActionForward fwd = null; try { fwd = ShowLogonAction.checkAuthSession( null, false, mapping, request, response, logonStateMachine); } catch (CoreException ce) { } catch (Throwable e) { log.error("Logon not allowed.", e); ActionMessages errs = new ActionMessages(); if (e instanceof CoreException) { errs.add(Globals.ERROR_KEY, ((CoreException) e).getBundleActionMessage()); } else { errs.add( Globals.ERROR_KEY, new ActionMessage("login.logonNotAllowed", "Please contact your administrator.")); } saveErrors(request, errs); request.getSession().removeAttribute(Constants.AUTH_SESSION); request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE); if (form != null) form.reset(mapping, request); return new RedirectWithMessages(mapping.findForward("failed"), request); } if (fwd != null) { scheme = (AuthenticationScheme) request.getSession().getAttribute(Constants.AUTH_SESSION); } } if (scheme != null) { AuthenticationModule module = scheme.currentAuthenticationModule(); if (module == null) { log.error("No authentication module."); request.getSession().removeAttribute(Constants.AUTH_SESSION); return mapping.findForward("logon"); } try { // If there is no user in the scheme then it is an invalid login if (scheme.getUser() == null) { throw new InvalidLoginCredentialsException(); } // Check the account is enabled and not locked if (!PolicyUtil.isEnabled(scheme.getUser())) { throw new AccountLockedException(scheme.getUsername(), "Account disabled.", true, 0); } // Check for locks LogonControllerFactory.getInstance() .checkForAccountLock( scheme.getUsername(), scheme.getUser().getRealm().getResourceName()); // Authenticate authenticate(scheme, request); // Check logon is currently allowed String logonNotAllowedReason = LogonControllerFactory.getInstance().checkLogonAllowed(scheme.getUser()); if (logonNotAllowedReason != null) { log.warn("Logon not allowed because '" + logonNotAllowedReason + "'"); msgs.add( Globals.ERROR_KEY, new ActionMessage("login.logonNotAllowed", logonNotAllowedReason)); saveErrors(request, msgs); return new RedirectWithMessages(mapping.findForward("logon"), request); } // Check for the next authentication modules AuthenticationModule nextModule = scheme.nextAuthenticationModule(); if (nextModule != null && request.getSession().getAttribute(Constants.SESSION_LOCKED) == null) { if (log.isDebugEnabled()) log.debug( "There are more authentication modules to satisfy (current mapping = " + mapping.getPath()); ActionForward fw = new RedirectWithMessages(mapping.findForward("logon"), request); return fw; } return finishAuthentication(scheme, request, response); } catch (InputRequiredException ex) { // The page wants to display or redirect somewhere if (ex.getForward() == null) return mapping.findForward("logon"); else return ex.getForward(); } catch (AccountLockedException ale) { return accountLocked(mapping, request, ale, msgs); } catch (InvalidLoginCredentialsException ex) { log.error("[" + request.getRemoteHost() + "] authentication failed", ex); LogonForm logonForm = (LogonForm) form; CoreServlet.getServlet() .fireCoreEvent( new CoreEvent(this, CoreEventConstants.LOGON, null, null, ex) .addAttribute( CoreAttributeConstants.EVENT_ATTR_IP_ADDRESS, request.getRemoteAddr()) .addAttribute(CoreAttributeConstants.EVENT_ATTR_HOST, request.getRemoteHost()) .addAttribute(CoreAttributeConstants.EVENT_ATTR_SCHEME, scheme.getSchemeName()) .addAttribute( CoreAttributeConstants.EVENT_ATTR_ACCOUNT, logonForm.getUsername())); request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE); request.getSession().removeAttribute(Constants.AUTH_SESSION); try { scheme.setAccountLock( LogonControllerFactory.getInstance() .logonFailed( ((LogonForm) form).getUsername(), ((LogonForm) form).getRealmName(), scheme.getAccountLock())); } catch (AccountLockedException ale) { return accountLocked(mapping, request, ale, msgs); } msgs.add(Globals.ERROR_KEY, new ActionMessage("login.invalidCredentials")); saveErrors(request, msgs); return new RedirectWithMessages(mapping.findForward("logon"), request); } catch (Exception e) { log.error("Internal error authenticating.", e); msgs.add( Globals.ERROR_KEY, new BundleActionMessage("security", "login.error", e.getMessage())); saveErrors(request, msgs); request.getSession().setAttribute(Constants.EXCEPTION, e); request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE); request.getSession().removeAttribute(Constants.AUTH_SESSION); return new RedirectWithMessages(mapping.findForward("logon"), request); } } else { ActionMessages errs = new ActionMessages(); errs.add( Globals.MESSAGE_KEY, new BundleActionMessage("security", "login.logonNotAllowed", "No scheme available.")); saveErrors(request, errs); request.getSession().removeAttribute(LogonStateAndCache.LOGON_STATE_MACHINE); request.getSession().removeAttribute(Constants.AUTH_SESSION); if (form != null) form.reset(mapping, request); return new RedirectWithMessages(mapping.findForward("logon"), request); } }
/** * Complete the authentication process. * * @param scheme scheme * @param request request * @param response response * @return forward to * @throws Exception on any error */ public static ActionForward finishAuthentication( AuthenticationScheme scheme, HttpServletRequest request, HttpServletResponse response) throws Exception { // Check we have a user object if (scheme.getUser() == null) { throw new Exception("No authentication module provided a user."); } // now add the policies associated with this scheme to the http session // if the property says so. if (Property.getPropertyBoolean( new SystemConfigKey("security.enforce.policy.resource.access"))) { List signOnPolicies = PolicyDatabaseFactory.getInstance() .getPoliciesAttachedToResource(scheme, scheme.getUser().getRealm()); scheme.getServletSession().setAttribute("auth.scheme.policies", signOnPolicies); } // If the user is a manager, check if there is a new SSL-Explorer // version, or if there any exension updates if (PolicyDatabaseFactory.getInstance() .isAnyAccessRightAllowed(scheme.getUser(), true, true, false)) { if ("false" .equals(Property.getProperty(new ContextKey("webServer.disableCertificateWarning"))) && !KeyStoreManager.getInstance(KeyStoreManager.DEFAULT_KEY_STORE) .isCertificateTrusted(Property.getProperty(new ContextKey("webServer.alias")))) { GlobalWarningManager.getInstance() .addMultipleGlobalWarning( new GlobalWarning( GlobalWarning.MANAGEMENT_USERS, new BundleActionMessage("keystore", "keyStore.untrustedCertificate.warning"), DismissType.DISMISS_FOR_USER)); } } /* * Each authentication module needs to be informed that authentication * is now complete so it may perform any last minute checks */ scheme.authenticationComplete(request, response); // Allow the home page to be redirected. request.getSession().setAttribute(Constants.REDIRECT_HOME, "true"); // Authenitcation sequence complete if (log.isDebugEnabled()) log.debug(scheme.getUsername() + " [" + request.getRemoteHost() + "] has been authenticated"); // Forward control to the specified success URI (possibly from the // initial unautenticated request) String originalRequest = (String) request.getSession().getAttribute(Constants.ORIGINAL_REQUEST); ActionForward forward = null; // Where next? List profiles = (List) request.getSession().getAttribute(Constants.PROFILES); int selectProfileAtLogin = -1; try { selectProfileAtLogin = Property.getPropertyInt( new UserAttributeKey(scheme.getUser(), User.USER_STARTUP_PROFILE)); } catch (NumberFormatException nfe) { } if (selectProfileAtLogin == -1 && profiles != null && profiles.size() > 1) { // Prompt for the profile forward = new ActionForward("/showSelectPropertyProfile.do"); } else { if (null == originalRequest || "/showHome.do".equals(originalRequest) || "".equals(originalRequest)) { boolean admin = LogonControllerFactory.getInstance().isAdministrator(scheme.getUser()); if (admin) { originalRequest = "/showSystemConfiguration.do"; } else { originalRequest = "/showHome.do"; } request.getSession().removeAttribute(Constants.ORIGINAL_REQUEST); } if (Property.getPropertyBoolean( new ProfilePropertyKey( "client.autoStart", LogonControllerFactory.getInstance().getSessionInfo(request)))) { request.getSession().removeAttribute(Constants.ORIGINAL_REQUEST); request.getSession().setAttribute(Constants.REQ_ATTR_LAUNCH_AGENT_REFERER, originalRequest); forward = new ActionForward("/launchAgent.do", false); } else { forward = new ActionForward(originalRequest, true); } } return forward; }