for security reasons prevent displaying messages such "Password is Invalid for user admin"

git-svn-id: https://svn.apache.org/repos/asf/archiva/redback/redback-core/trunk@1423699 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Olivier Lamy 2012-12-18 22:43:52 +00:00
parent ceba9d2afe
commit 856e7d19ba
6 changed files with 118 additions and 31 deletions

View File

@ -27,21 +27,21 @@ public class AuthenticationConstants
{
// for User Manager Authenticator
public static final String AUTHN_NO_SUCH_USER = "1";
public static final int AUTHN_NO_SUCH_USER = 1;
/**
* @since 2.1
*/
public static final String AUTHN_RUNTIME_EXCEPTION = "2";
public static final int AUTHN_RUNTIME_EXCEPTION = 2;
/**
* @since 2.1
*/
public static final String AUTHN_LOCKED_USER_EXCEPTION = "3";
public static final int AUTHN_LOCKED_USER_EXCEPTION = 3;
/**
* @since 2.1
*/
public static final String AUTHN_MUST_CHANGE_PASSWORD_EXCEPTION = "4";
public static final int AUTHN_MUST_CHANGE_PASSWORD_EXCEPTION = 4;
}

View File

@ -0,0 +1,68 @@
package org.apache.archiva.redback.authentication;
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
/**
* detail on possible authentication failure.
* @author Olivier Lamy
* @since 1.4-M4
*/
public class AuthenticationFailureCause
{
private int cause;
private String message;
public AuthenticationFailureCause( int cause, String message )
{
this.cause = cause;
this.message = message;
}
public int getCause()
{
return cause;
}
public void setCause( int cause )
{
this.cause = cause;
}
public String getMessage()
{
return message;
}
public void setMessage( String message )
{
this.message = message;
}
@Override
public String toString()
{
final StringBuilder sb = new StringBuilder();
sb.append( "AuthenticationFailureCause" );
sb.append( "{cause=" ).append( cause );
sb.append( ", message='" ).append( message ).append( '\'' );
sb.append( '}' );
return sb.toString();
}
}

View File

@ -23,6 +23,7 @@ import org.apache.archiva.redback.users.User;
import java.io.Serializable;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
@ -50,7 +51,7 @@ public class AuthenticationResult
// TODO: why aren't these just thrown from the authenticate() method?
private Exception exception;
private Map<String, String> exceptionsMap;
private List<AuthenticationFailureCause> authenticationFailureCauses;
public AuthenticationResult()
{
@ -67,12 +68,12 @@ public class AuthenticationResult
}
public AuthenticationResult( boolean authenticated, String principal, Exception exception,
Map<String, String> exceptionsMap )
List<AuthenticationFailureCause> authenticationFailureCauses )
{
isAuthenticated = authenticated;
this.principal = principal;
this.exception = exception;
this.exceptionsMap = exceptionsMap;
this.authenticationFailureCauses = authenticationFailureCauses;
}
public boolean isAuthenticated()
@ -90,9 +91,9 @@ public class AuthenticationResult
return exception;
}
public Map<String, String> getExceptionsMap()
public List<AuthenticationFailureCause> getAuthenticationFailureCauses()
{
return exceptionsMap;
return authenticationFailureCauses;
}
/**

View File

@ -77,29 +77,31 @@ public class DefaultAuthenticationManager
}
// put AuthenticationResult exceptions in a map
Map<String, String> authnResultExceptionsMap = new HashMap<String, String>();
List<AuthenticationFailureCause> authnResultErrors = new ArrayList<AuthenticationFailureCause>();
for ( Authenticator authenticator : authenticators )
{
if ( authenticator.supportsDataSource( source ) )
{
AuthenticationResult authResult = authenticator.authenticate( source );
Map<String, String> exceptionsMap = authResult.getExceptionsMap();
List<AuthenticationFailureCause> authenticationFailureCauses =
authResult.getAuthenticationFailureCauses();
if ( authResult.isAuthenticated() )
{
return authResult;
}
if ( exceptionsMap != null )
if ( authenticationFailureCauses != null )
{
authnResultExceptionsMap.putAll( exceptionsMap );
authnResultErrors.addAll( authenticationFailureCauses );
}
else
{
if ( authResult.getException() != null )
{
authnResultExceptionsMap.put( AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION,
authResult.getException().getMessage() );
authnResultErrors.add(
new AuthenticationFailureCause( AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION,
authResult.getException().getMessage() ) );
}
}
@ -108,7 +110,7 @@ public class DefaultAuthenticationManager
}
return ( new AuthenticationResult( false, null, new AuthenticationException(
"authentication failed on authenticators: " + knownAuthenticators() ), authnResultExceptionsMap ) );
"authentication failed on authenticators: " + knownAuthenticators() ), authnResultErrors ) );
}
public List<Authenticator> getAuthenticators()

View File

@ -23,6 +23,7 @@ import org.apache.archiva.redback.authentication.AbstractAuthenticator;
import org.apache.archiva.redback.authentication.AuthenticationConstants;
import org.apache.archiva.redback.authentication.AuthenticationDataSource;
import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationFailureCause;
import org.apache.archiva.redback.authentication.AuthenticationResult;
import org.apache.archiva.redback.authentication.Authenticator;
import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
@ -41,7 +42,9 @@ import org.springframework.stereotype.Service;
import javax.inject.Inject;
import javax.inject.Named;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
@ -84,7 +87,7 @@ public class UserManagerAuthenticator
String username = null;
Exception resultException = null;
PasswordBasedAuthenticationDataSource source = (PasswordBasedAuthenticationDataSource) ds;
Map<String, String> authnResultExceptionsMap = new HashMap<String, String>();
List<AuthenticationFailureCause> authenticationFailureCauses = new ArrayList<AuthenticationFailureCause>();
try
{
@ -134,8 +137,9 @@ public class UserManagerAuthenticator
else
{
log.warn( "Password is Invalid for user {}.", source.getPrincipal() );
authnResultExceptionsMap.put( AuthenticationConstants.AUTHN_NO_SUCH_USER,
"Password is Invalid for user " + source.getPrincipal() + "." );
authenticationFailureCauses.add(
new AuthenticationFailureCause( AuthenticationConstants.AUTHN_NO_SUCH_USER,
"Password is Invalid for user " + source.getPrincipal() + "." ) );
try
{
@ -146,26 +150,29 @@ public class UserManagerAuthenticator
userManager.updateUser( user );
}
return new AuthenticationResult( false, source.getPrincipal(), null, authnResultExceptionsMap );
return new AuthenticationResult( false, source.getPrincipal(), null, authenticationFailureCauses );
}
}
catch ( UserNotFoundException e )
{
log.warn( "Login for user {} failed. user not found.", source.getPrincipal() );
resultException = e;
authnResultExceptionsMap.put( AuthenticationConstants.AUTHN_NO_SUCH_USER,
"Login for user " + source.getPrincipal() + " failed. user not found." );
authenticationFailureCauses.add( new AuthenticationFailureCause( AuthenticationConstants.AUTHN_NO_SUCH_USER,
"Login for user " + source.getPrincipal()
+ " failed. user not found." ) );
}
catch ( UserManagerException e )
{
log.warn( "Login for user {} failed, message: {}", source.getPrincipal(), e.getMessage() );
resultException = e;
authnResultExceptionsMap.put( AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION,
authenticationFailureCauses.add(
new AuthenticationFailureCause( AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION,
"Login for user " + source.getPrincipal() + " failed, message: "
+ e.getMessage() );
+ e.getMessage() ) );
}
return new AuthenticationResult( authenticationSuccess, username, resultException, authnResultExceptionsMap );
return new AuthenticationResult( authenticationSuccess, username, resultException,
authenticationFailureCauses );
}
/**

View File

@ -19,7 +19,9 @@ package org.apache.archiva.redback.rest.services;
* under the License.
*/
import org.apache.archiva.redback.authentication.AuthenticationConstants;
import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationFailureCause;
import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
import org.apache.archiva.redback.keys.AuthenticationKey;
@ -59,7 +61,7 @@ import java.util.TimeZone;
* @author Olivier Lamy
* @since 1.3
*/
@Service( "loginService#rest" )
@Service("loginService#rest")
public class DefaultLoginService
implements LoginService
{
@ -75,7 +77,7 @@ public class DefaultLoginService
@Inject
public DefaultLoginService( SecuritySystem securitySystem,
@Named( "httpAuthenticator#basic" ) HttpAuthenticator httpAuthenticator )
@Named("httpAuthenticator#basic") HttpAuthenticator httpAuthenticator )
{
this.securitySystem = securitySystem;
this.httpAuthenticator = httpAuthenticator;
@ -152,12 +154,19 @@ public class DefaultLoginService
return restUser;
}
if ( securitySession.getAuthenticationResult() != null
&& securitySession.getAuthenticationResult().getExceptionsMap() != null )
&& securitySession.getAuthenticationResult().getAuthenticationFailureCauses() != null )
{
List<ErrorMessage> errorMessages = new ArrayList<ErrorMessage>();
for ( Map.Entry<String, String> entry : securitySession.getAuthenticationResult().getExceptionsMap().entrySet() )
for ( AuthenticationFailureCause authenticationFailureCause : securitySession.getAuthenticationResult().getAuthenticationFailureCauses() )
{
errorMessages.add( new ErrorMessage().message( entry.getValue() ) );
if ( authenticationFailureCause.getCause() == AuthenticationConstants.AUTHN_NO_SUCH_USER )
{
errorMessages.add( new ErrorMessage( "incorrect.username.password" ) );
}
else
{
errorMessages.add( new ErrorMessage().message( authenticationFailureCause.getMessage() ) );
}
}
throw new RedbackServiceException( errorMessages );