1   /*
2    * Copyright (c) 2002-2015, Mairie de Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.business.user.authentication;
35  
36  import fr.paris.lutece.portal.business.user.AdminUser;
37  import fr.paris.lutece.portal.business.user.log.UserLog;
38  import fr.paris.lutece.portal.business.user.log.UserLogHome;
39  import fr.paris.lutece.portal.service.admin.AdminUserService;
40  import fr.paris.lutece.util.http.SecurityUtil;
41  import fr.paris.lutece.util.password.IPassword;
42  import fr.paris.lutece.util.password.IPasswordFactory;
43  
44  import java.util.Collection;
45  
46  import javax.inject.Inject;
47  import javax.security.auth.login.FailedLoginException;
48  import javax.security.auth.login.LoginException;
49  
50  import javax.servlet.http.HttpServletRequest;
51  
52  
53  /**
54   * Default authentication module for admin authentication
55   */
/**
 * Default authentication module for back-office (admin) users.
 * <p>
 * Credentials are verified against the password stored through
 * {@link ILuteceDefaultAdminUserDAO}. Before the password is checked, the number of
 * recent login errors recorded for the access code and client IP is compared with the
 * security parameters {@code access_failures_max} and {@code access_failures_interval};
 * when that window is exceeded the attempt is rejected without evaluating the password.
 * Legacy password storage is upgraded transparently on a successful login, and users
 * whose password has passed its maximum validity date are flagged for a forced reset.
 * <p>
 * Only password-based login is implemented: logout, anonymous user, HTTP authentication,
 * the account-management URLs and the user-directory lookups are not supported by this
 * module and return {@code null} (or do nothing).
 */
public class LuteceDefaultAdminAuthentication implements AdminAuthentication
{
    private static final String CONSTANT_AUTH_SERVICE_NAME = "LUTECE DEFAULT AUTHENTICATION";
    private static final String CONSTANT_LOGIN_PAGE_URL = "jsp/admin/AdminLogin.jsp";
    private static final String CONSTANT_CHANGE_PASSWORD_PAGE_URL = "jsp/admin/user/ModifyDefaultUserPassword.jsp";
    private static final String CONSTANT_LOST_PASSWORD_URL = "jsp/admin/AdminForgotPassword.jsp";
    private static final String CONSTANT_LOST_LOGIN_URL = "jsp/admin/AdminForgotLogin.jsp";

    // Security parameters read through AdminUserService: the maximum number of login
    // errors tolerated, and the length in minutes of the window they are counted over.
    private static final String PROPERTY_MAX_ACCESS_FAILED = "access_failures_max";
    private static final String PROPERTY_INTERVAL_MINUTES = "access_failures_interval";

    // Access to stored passwords and user records; set by Spring through setDao( )
    private ILuteceDefaultAdminUserDAO _dao;

    // Used to re-hash the cleartext password when legacy storage is detected at login
    @Inject
    private IPasswordFactory _passwordFactory;

    /**
     * Injects the DAO used to load passwords and users (Spring IoC setter).
     *
     * @param dao the DAO declared in the Spring context
     */
    public void setDao( ILuteceDefaultAdminUserDAO dao )
    {
        _dao = dao;
    }

    /**
     * Returns the display name of this authentication service.
     *
     * @return {@code "LUTECE DEFAULT AUTHENTICATION"}
     */
    @Override
    public String getAuthServiceName(  )
    {
        return CONSTANT_AUTH_SERVICE_NAME;
    }

    /**
     * Returns the authentication scheme reported for this module.
     *
     * @param request the current request (not consulted)
     * @return {@link HttpServletRequest#BASIC_AUTH}
     */
    @Override
    public String getAuthType( HttpServletRequest request )
    {
        return HttpServletRequest.BASIC_AUTH;
    }

    /**
     * Authenticates an admin user from an access code and a cleartext password.
     * <p>
     * Steps, in order:
     * <ol>
     * <li>If both {@code access_failures_max} and {@code access_failures_interval} are
     * strictly positive, count the login errors recorded in that interval for this access
     * code and client IP, and reject the attempt when the count exceeds the maximum.</li>
     * <li>Load the stored password for the access code and verify the supplied one.</li>
     * <li>If the stored password is in a legacy format, re-hash the cleartext with the
     * injected {@link IPasswordFactory} and persist it.</li>
     * <li>Load the user, flag a password reset when its maximum validity date is in the
     * past, and refresh the account expiration date.</li>
     * </ol>
     * Both rejection paths throw a {@link FailedLoginException} carrying no message, so a
     * caller cannot distinguish a lockout from a wrong password from the exception alone.
     *
     * @param strAccessCode the login (access code) entered by the user
     * @param strUserPassword the cleartext password entered by the user
     * @param request the current request, used to record the client IP address
     * @return the authenticated {@link LuteceDefaultAdminUser}
     * @throws LoginException when too many recent login errors were recorded, or the password does not match
     */
    @Override
    public AdminUser login( String strAccessCode, String strUserPassword, HttpServletRequest request )
        throws LoginException
    {
        rejectIfTooManyFailures( strAccessCode, request );

        IPassword storedPassword = _dao.loadPassword( strAccessCode );

        // NOTE(review): assumes loadPassword( ) yields a non-null IPassword for an unknown
        // access code (one whose check( ) fails); a null return would raise NPE here - confirm in the DAO
        if ( !storedPassword.check( strUserPassword ) )
        {
            throw new FailedLoginException(  );
        }

        if ( storedPassword.isLegacy( ) )
        {
            // The cleartext is available at this point, so re-hash it with the current scheme
            _dao.store( strAccessCode, _passwordFactory.getPasswordFromCleartext( strUserPassword ) );
        }

        LuteceDefaultAdminUser user = _dao.load( strAccessCode, this );

        if ( isPasswordExpired( user ) )
        {
            _dao.updateResetPassword( user, Boolean.TRUE );
        }

        AdminUserService.updateUserExpirationDate( user );

        return user;
    }

    /**
     * Enforces the access-failure window configured through the security parameters.
     * Does nothing when either parameter is not strictly positive.
     *
     * @param strAccessCode the access code being tried
     * @param request the current request, used to obtain the client IP address
     * @throws FailedLoginException when the number of login errors recorded in the interval exceeds the maximum
     */
    private void rejectIfTooManyFailures( String strAccessCode, HttpServletRequest request )
        throws FailedLoginException
    {
        int nMaxFailures = AdminUserService.getIntegerSecurityParameter( PROPERTY_MAX_ACCESS_FAILED );
        int nWindowMinutes = AdminUserService.getIntegerSecurityParameter( PROPERTY_INTERVAL_MINUTES );

        if ( ( nMaxFailures <= 0 ) || ( nWindowMinutes <= 0 ) )
        {
            // Failure counting is disabled by configuration
            return;
        }

        // Describe the current attempt; access code and IP are the values handed to the counter
        UserLog attempt = new UserLog(  );
        attempt.setAccessCode( strAccessCode );
        // NOTE(review): the client IP comes from SecurityUtil.getRealIp; whether forwarded
        // headers are trusted is decided there, not here - confirm for the deployment topology
        attempt.setIpAddress( SecurityUtil.getRealIp( request ) );
        attempt.setDateLogin( new java.sql.Timestamp( System.currentTimeMillis(  ) ) );

        // Strictly greater: exactly nMaxFailures recorded errors still lets the attempt through
        // NOTE(review): whether errors are counted per access code, per IP, or both is decided in UserLogHome - confirm
        if ( UserLogHome.getLoginErrors( attempt, nWindowMinutes ) > nMaxFailures )
        {
            throw new FailedLoginException(  );
        }
    }

    /**
     * Tells whether the user's password has passed its maximum validity date.
     *
     * @param user the loaded user
     * @return {@code true} when a maximum validity date is set and lies before the current time
     */
    private static boolean isPasswordExpired( LuteceDefaultAdminUser user )
    {
        if ( user.getPasswordMaxValidDate(  ) == null )
        {
            return false;
        }

        return user.getPasswordMaxValidDate(  ).getTime(  ) < System.currentTimeMillis(  );
    }

    /**
     * No-op: this module keeps no server-side session state to clear.
     *
     * @param user the user logging out (ignored)
     */
    @Override
    public void logout( AdminUser user )
    {
        // Nothing to release for this module
    }

    /**
     * Not supported by this module.
     *
     * @return {@code null} always
     */
    @Override
    public AdminUser getAnonymousUser(  )
    {
        return null;
    }

    /**
     * Tells whether authentication is delegated to an external system.
     *
     * @return {@code false}: credentials are checked locally against the DAO
     */
    @Override
    public boolean isExternalAuthentication(  )
    {
        return false;
    }

    /**
     * Not supported: this module never derives a user from the HTTP request alone.
     *
     * @param request the current request (ignored)
     * @return {@code null} always
     */
    @Override
    public AdminUser getHttpAuthenticatedUser( HttpServletRequest request )
    {
        return null;
    }

    /**
     * Returns the relative URL of the admin login page.
     *
     * @return {@code "jsp/admin/AdminLogin.jsp"}
     */
    @Override
    public String getLoginPageUrl(  )
    {
        return CONSTANT_LOGIN_PAGE_URL;
    }

    /**
     * Returns the relative URL of the page where a user changes his password.
     *
     * @return {@code "jsp/admin/user/ModifyDefaultUserPassword.jsp"}
     */
    @Override
    public String getChangePasswordPageUrl(  )
    {
        return CONSTANT_CHANGE_PASSWORD_PAGE_URL;
    }

    /**
     * Not provided by this module.
     *
     * @return {@code null} always
     */
    @Override
    public String getDoLoginUrl(  )
    {
        return null;
    }

    /**
     * Not provided by this module.
     *
     * @return {@code null} always
     */
    @Override
    public String getDoLogoutUrl(  )
    {
        return null;
    }

    /**
     * Not provided by this module.
     *
     * @return {@code null} always
     */
    @Override
    public String getNewAccountPageUrl(  )
    {
        return null;
    }

    /**
     * Not provided by this module.
     *
     * @return {@code null} always
     */
    @Override
    public String getViewAccountPageUrl(  )
    {
        return null;
    }

    /**
     * Returns the relative URL of the lost-password page.
     *
     * @return {@code "jsp/admin/AdminForgotPassword.jsp"}
     */
    @Override
    public String getLostPasswordPageUrl(  )
    {
        return CONSTANT_LOST_PASSWORD_URL;
    }

    /**
     * Returns the relative URL of the lost-login page.
     *
     * @return {@code "jsp/admin/AdminForgotLogin.jsp"}
     */
    @Override
    public String getLostLoginPageUrl(  )
    {
        return CONSTANT_LOST_LOGIN_URL;
    }

    /**
     * Not used - this module has no user directory to search.
     *
     * @param strLastName the last name (ignored)
     * @param strFirstName the first name (ignored)
     * @param strEmail the email (ignored)
     * @see fr.paris.lutece.portal.business.user.authentication.AdminAuthentication#getUserList()
     * @return {@code null} always
     */
    @Override
    public Collection<AdminUser> getUserList( String strLastName, String strFirstName, String strEmail )
    {
        return null;
    }

    /**
     * Not used - this module exposes no public user data.
     *
     * @param strLogin the login (ignored)
     * @see fr.paris.lutece.portal.business.user.authentication.AdminAuthentication#getUserPublicData(java.lang.String)
     * @return {@code null} always
     */
    @Override
    public AdminUser getUserPublicData( String strLogin )
    {
        return null;
    }
}
286 }