for security reasons prevent displaying messages such "Password is Invalid for user admin"

git-svn-id: https://svn.apache.org/repos/asf/archiva/redback/redback-core/trunk@1423699 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Olivier Lamy 2012-12-18 22:43:52 +00:00
parent ceba9d2afe
commit 856e7d19ba
6 changed files with 118 additions and 31 deletions

View File

@ -27,21 +27,21 @@ public class AuthenticationConstants
{ {
// for User Manager Authenticator // for User Manager Authenticator
public static final String AUTHN_NO_SUCH_USER = "1"; public static final int AUTHN_NO_SUCH_USER = 1;
/** /**
* @since 2.1 * @since 2.1
*/ */
public static final String AUTHN_RUNTIME_EXCEPTION = "2"; public static final int AUTHN_RUNTIME_EXCEPTION = 2;
/** /**
* @since 2.1 * @since 2.1
*/ */
public static final String AUTHN_LOCKED_USER_EXCEPTION = "3"; public static final int AUTHN_LOCKED_USER_EXCEPTION = 3;
/** /**
* @since 2.1 * @since 2.1
*/ */
public static final String AUTHN_MUST_CHANGE_PASSWORD_EXCEPTION = "4"; public static final int AUTHN_MUST_CHANGE_PASSWORD_EXCEPTION = 4;
} }

View File

@ -0,0 +1,68 @@
package org.apache.archiva.redback.authentication;
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
/**
* detail on possible authentication failure.
* @author Olivier Lamy
* @since 1.4-M4
*/
public class AuthenticationFailureCause
{
private int cause;
private String message;
public AuthenticationFailureCause( int cause, String message )
{
this.cause = cause;
this.message = message;
}
public int getCause()
{
return cause;
}
public void setCause( int cause )
{
this.cause = cause;
}
public String getMessage()
{
return message;
}
public void setMessage( String message )
{
this.message = message;
}
@Override
public String toString()
{
final StringBuilder sb = new StringBuilder();
sb.append( "AuthenticationFailureCause" );
sb.append( "{cause=" ).append( cause );
sb.append( ", message='" ).append( message ).append( '\'' );
sb.append( '}' );
return sb.toString();
}
}

View File

@ -23,6 +23,7 @@ import org.apache.archiva.redback.users.User;
import java.io.Serializable; import java.io.Serializable;
import java.util.HashMap; import java.util.HashMap;
import java.util.List;
import java.util.Map; import java.util.Map;
/** /**
@ -50,7 +51,7 @@ public class AuthenticationResult
// TODO: why aren't these just thrown from the authenticate() method? // TODO: why aren't these just thrown from the authenticate() method?
private Exception exception; private Exception exception;
private Map<String, String> exceptionsMap; private List<AuthenticationFailureCause> authenticationFailureCauses;
public AuthenticationResult() public AuthenticationResult()
{ {
@ -67,12 +68,12 @@ public class AuthenticationResult
} }
public AuthenticationResult( boolean authenticated, String principal, Exception exception, public AuthenticationResult( boolean authenticated, String principal, Exception exception,
Map<String, String> exceptionsMap ) List<AuthenticationFailureCause> authenticationFailureCauses )
{ {
isAuthenticated = authenticated; isAuthenticated = authenticated;
this.principal = principal; this.principal = principal;
this.exception = exception; this.exception = exception;
this.exceptionsMap = exceptionsMap; this.authenticationFailureCauses = authenticationFailureCauses;
} }
public boolean isAuthenticated() public boolean isAuthenticated()
@ -90,9 +91,9 @@ public class AuthenticationResult
return exception; return exception;
} }
public Map<String, String> getExceptionsMap() public List<AuthenticationFailureCause> getAuthenticationFailureCauses()
{ {
return exceptionsMap; return authenticationFailureCauses;
} }
/** /**

View File

@ -77,29 +77,31 @@ public class DefaultAuthenticationManager
} }
// put AuthenticationResult exceptions in a map // put AuthenticationResult exceptions in a map
Map<String, String> authnResultExceptionsMap = new HashMap<String, String>(); List<AuthenticationFailureCause> authnResultErrors = new ArrayList<AuthenticationFailureCause>();
for ( Authenticator authenticator : authenticators ) for ( Authenticator authenticator : authenticators )
{ {
if ( authenticator.supportsDataSource( source ) ) if ( authenticator.supportsDataSource( source ) )
{ {
AuthenticationResult authResult = authenticator.authenticate( source ); AuthenticationResult authResult = authenticator.authenticate( source );
Map<String, String> exceptionsMap = authResult.getExceptionsMap(); List<AuthenticationFailureCause> authenticationFailureCauses =
authResult.getAuthenticationFailureCauses();
if ( authResult.isAuthenticated() ) if ( authResult.isAuthenticated() )
{ {
return authResult; return authResult;
} }
if ( exceptionsMap != null ) if ( authenticationFailureCauses != null )
{ {
authnResultExceptionsMap.putAll( exceptionsMap ); authnResultErrors.addAll( authenticationFailureCauses );
} }
else else
{ {
if ( authResult.getException() != null ) if ( authResult.getException() != null )
{ {
authnResultExceptionsMap.put( AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION, authnResultErrors.add(
authResult.getException().getMessage() ); new AuthenticationFailureCause( AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION,
authResult.getException().getMessage() ) );
} }
} }
@ -108,7 +110,7 @@ public class DefaultAuthenticationManager
} }
return ( new AuthenticationResult( false, null, new AuthenticationException( return ( new AuthenticationResult( false, null, new AuthenticationException(
"authentication failed on authenticators: " + knownAuthenticators() ), authnResultExceptionsMap ) ); "authentication failed on authenticators: " + knownAuthenticators() ), authnResultErrors ) );
} }
public List<Authenticator> getAuthenticators() public List<Authenticator> getAuthenticators()

View File

@ -23,6 +23,7 @@ import org.apache.archiva.redback.authentication.AbstractAuthenticator;
import org.apache.archiva.redback.authentication.AuthenticationConstants; import org.apache.archiva.redback.authentication.AuthenticationConstants;
import org.apache.archiva.redback.authentication.AuthenticationDataSource; import org.apache.archiva.redback.authentication.AuthenticationDataSource;
import org.apache.archiva.redback.authentication.AuthenticationException; import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationFailureCause;
import org.apache.archiva.redback.authentication.AuthenticationResult; import org.apache.archiva.redback.authentication.AuthenticationResult;
import org.apache.archiva.redback.authentication.Authenticator; import org.apache.archiva.redback.authentication.Authenticator;
import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource; import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
@ -41,7 +42,9 @@ import org.springframework.stereotype.Service;
import javax.inject.Inject; import javax.inject.Inject;
import javax.inject.Named; import javax.inject.Named;
import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.List;
import java.util.Map; import java.util.Map;
/** /**
@ -84,7 +87,7 @@ public class UserManagerAuthenticator
String username = null; String username = null;
Exception resultException = null; Exception resultException = null;
PasswordBasedAuthenticationDataSource source = (PasswordBasedAuthenticationDataSource) ds; PasswordBasedAuthenticationDataSource source = (PasswordBasedAuthenticationDataSource) ds;
Map<String, String> authnResultExceptionsMap = new HashMap<String, String>(); List<AuthenticationFailureCause> authenticationFailureCauses = new ArrayList<AuthenticationFailureCause>();
try try
{ {
@ -134,8 +137,9 @@ public class UserManagerAuthenticator
else else
{ {
log.warn( "Password is Invalid for user {}.", source.getPrincipal() ); log.warn( "Password is Invalid for user {}.", source.getPrincipal() );
authnResultExceptionsMap.put( AuthenticationConstants.AUTHN_NO_SUCH_USER, authenticationFailureCauses.add(
"Password is Invalid for user " + source.getPrincipal() + "." ); new AuthenticationFailureCause( AuthenticationConstants.AUTHN_NO_SUCH_USER,
"Password is Invalid for user " + source.getPrincipal() + "." ) );
try try
{ {
@ -146,26 +150,29 @@ public class UserManagerAuthenticator
userManager.updateUser( user ); userManager.updateUser( user );
} }
return new AuthenticationResult( false, source.getPrincipal(), null, authnResultExceptionsMap ); return new AuthenticationResult( false, source.getPrincipal(), null, authenticationFailureCauses );
} }
} }
catch ( UserNotFoundException e ) catch ( UserNotFoundException e )
{ {
log.warn( "Login for user {} failed. user not found.", source.getPrincipal() ); log.warn( "Login for user {} failed. user not found.", source.getPrincipal() );
resultException = e; resultException = e;
authnResultExceptionsMap.put( AuthenticationConstants.AUTHN_NO_SUCH_USER, authenticationFailureCauses.add( new AuthenticationFailureCause( AuthenticationConstants.AUTHN_NO_SUCH_USER,
"Login for user " + source.getPrincipal() + " failed. user not found." ); "Login for user " + source.getPrincipal()
+ " failed. user not found." ) );
} }
catch ( UserManagerException e ) catch ( UserManagerException e )
{ {
log.warn( "Login for user {} failed, message: {}", source.getPrincipal(), e.getMessage() ); log.warn( "Login for user {} failed, message: {}", source.getPrincipal(), e.getMessage() );
resultException = e; resultException = e;
authnResultExceptionsMap.put( AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION, authenticationFailureCauses.add(
new AuthenticationFailureCause( AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION,
"Login for user " + source.getPrincipal() + " failed, message: " "Login for user " + source.getPrincipal() + " failed, message: "
+ e.getMessage() ); + e.getMessage() ) );
} }
return new AuthenticationResult( authenticationSuccess, username, resultException, authnResultExceptionsMap ); return new AuthenticationResult( authenticationSuccess, username, resultException,
authenticationFailureCauses );
} }
/** /**

View File

@ -19,7 +19,9 @@ package org.apache.archiva.redback.rest.services;
* under the License. * under the License.
*/ */
import org.apache.archiva.redback.authentication.AuthenticationConstants;
import org.apache.archiva.redback.authentication.AuthenticationException; import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationFailureCause;
import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource; import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator; import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
import org.apache.archiva.redback.keys.AuthenticationKey; import org.apache.archiva.redback.keys.AuthenticationKey;
@ -59,7 +61,7 @@ import java.util.TimeZone;
* @author Olivier Lamy * @author Olivier Lamy
* @since 1.3 * @since 1.3
*/ */
@Service( "loginService#rest" ) @Service("loginService#rest")
public class DefaultLoginService public class DefaultLoginService
implements LoginService implements LoginService
{ {
@ -75,7 +77,7 @@ public class DefaultLoginService
@Inject @Inject
public DefaultLoginService( SecuritySystem securitySystem, public DefaultLoginService( SecuritySystem securitySystem,
@Named( "httpAuthenticator#basic" ) HttpAuthenticator httpAuthenticator ) @Named("httpAuthenticator#basic") HttpAuthenticator httpAuthenticator )
{ {
this.securitySystem = securitySystem; this.securitySystem = securitySystem;
this.httpAuthenticator = httpAuthenticator; this.httpAuthenticator = httpAuthenticator;
@ -152,12 +154,19 @@ public class DefaultLoginService
return restUser; return restUser;
} }
if ( securitySession.getAuthenticationResult() != null if ( securitySession.getAuthenticationResult() != null
&& securitySession.getAuthenticationResult().getExceptionsMap() != null ) && securitySession.getAuthenticationResult().getAuthenticationFailureCauses() != null )
{ {
List<ErrorMessage> errorMessages = new ArrayList<ErrorMessage>(); List<ErrorMessage> errorMessages = new ArrayList<ErrorMessage>();
for ( Map.Entry<String, String> entry : securitySession.getAuthenticationResult().getExceptionsMap().entrySet() ) for ( AuthenticationFailureCause authenticationFailureCause : securitySession.getAuthenticationResult().getAuthenticationFailureCauses() )
{ {
errorMessages.add( new ErrorMessage().message( entry.getValue() ) ); if ( authenticationFailureCause.getCause() == AuthenticationConstants.AUTHN_NO_SUCH_USER )
{
errorMessages.add( new ErrorMessage( "incorrect.username.password" ) );
}
else
{
errorMessages.add( new ErrorMessage().message( authenticationFailureCause.getMessage() ) );
}
} }
throw new RedbackServiceException( errorMessages ); throw new RedbackServiceException( errorMessages );