LuteceDefaultAdminAuthentication.java

  1. /*
  2.  * Copyright (c) 2002-2022, City of Paris
  3.  * All rights reserved.
  4.  *
  5.  * Redistribution and use in source and binary forms, with or without
  6.  * modification, are permitted provided that the following conditions
  7.  * are met:
  8.  *
  9.  *  1. Redistributions of source code must retain the above copyright notice
  10.  *     and the following disclaimer.
  11.  *
  12.  *  2. Redistributions in binary form must reproduce the above copyright notice
  13.  *     and the following disclaimer in the documentation and/or other materials
  14.  *     provided with the distribution.
  15.  *
  16.  *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
  17.  *     contributors may be used to endorse or promote products derived from
  18.  *     this software without specific prior written permission.
  19.  *
  20.  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21.  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23.  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
  24.  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  25.  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  26.  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  27.  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  28.  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  29.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  30.  * POSSIBILITY OF SUCH DAMAGE.
  31.  *
  32.  * License 1.0
  33.  */
  34. package fr.paris.lutece.portal.business.user.authentication;

  35. import fr.paris.lutece.portal.business.user.AdminUser;
  36. import fr.paris.lutece.portal.business.user.log.UserLog;
  37. import fr.paris.lutece.portal.business.user.log.UserLogHome;
  38. import fr.paris.lutece.portal.service.admin.AdminUserService;
  39. import fr.paris.lutece.util.http.SecurityUtil;
  40. import fr.paris.lutece.util.password.IPassword;
  41. import fr.paris.lutece.util.password.IPasswordFactory;

  42. import java.util.Collection;

  43. import javax.inject.Inject;
  44. import javax.security.auth.login.FailedLoginException;
  45. import javax.security.auth.login.LoginException;

  46. import javax.servlet.http.HttpServletRequest;

  47. /**
  48.  * Default authentication module for admin authentication
  49.  */
/**
 * Default authentication module for admin authentication.
 * <p>
 * Credentials are verified against the password stored through {@link ILuteceDefaultAdminUserDAO}.
 * Before the password is checked, the number of recent login failures recorded for the attempt is
 * compared with the {@code DSKEY_ACCES_FAILURES_MAX} / {@code DSKEY_ACCES_FAILURES_INTERVAL}
 * security parameters; when both are strictly positive and the recorded count exceeds the maximum,
 * the attempt is rejected without looking at the password.
 * <p>
 * The DAO is injected by Spring through {@link #setDao(ILuteceDefaultAdminUserDAO)}, the password
 * factory through {@code @Inject}.
 */
public class LuteceDefaultAdminAuthentication implements AdminAuthentication
{
    private static final String CONSTANT_LOGIN_URL = "jsp/admin/AdminLogin.jsp";
    private static final String CONSTANT_CHANGE_PASSWORD_URL = "jsp/admin/user/ModifyDefaultUserPassword.jsp";
    private static final String CONSTANT_LOST_PASSWORD_URL = "jsp/admin/AdminForgotPassword.jsp";
    private static final String CONSTANT_LOST_LOGIN_URL = "jsp/admin/AdminForgotLogin.jsp";
    private static final String CONSTANT_AUTH_SERVICE_NAME = "LUTECE DEFAULT AUTHENTICATION";

    // Set by Spring via setDao; not injected with @Inject like the factory below
    private ILuteceDefaultAdminUserDAO _dao;

    @Inject
    private IPasswordFactory _passwordFactory;

    /**
     * Injects the DAO (Spring IoC setter).
     *
     * @param dao
     *            The DAO declared in the Spring context
     */
    public void setDao( ILuteceDefaultAdminUserDAO dao )
    {
        _dao = dao;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getAuthServiceName( )
    {
        return CONSTANT_AUTH_SERVICE_NAME;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Always reports {@link HttpServletRequest#BASIC_AUTH}; the request is not inspected.
     */
    @Override
    public String getAuthType( HttpServletRequest request )
    {
        return HttpServletRequest.BASIC_AUTH;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Steps, in order: failure-count check, password check, transparent re-hash of a legacy
     * stored password, user load, password-expiry flagging, account-expiration refresh.
     *
     * @throws LoginException
     *             a {@link FailedLoginException} (carrying no message, so the caller cannot
     *             distinguish an unknown access code from a wrong password or a locked-out
     *             attempt) when the failure count is exceeded or the password does not match
     */
    @Override
    public AdminUser login( String strAccessCode, String strUserPassword, HttpServletRequest request ) throws LoginException
    {
        rejectIfTooManyFailures( strAccessCode, request );

        // NOTE(review): assumes loadPassword never returns null for an unknown access code — confirm in the DAO
        IPassword storedPassword = _dao.loadPassword( strAccessCode );

        if ( !storedPassword.check( strUserPassword ) )
        {
            throw new FailedLoginException( );
        }

        if ( storedPassword.isLegacy( ) )
        {
            // Re-hash with the current factory so the stored form is upgraded on a successful login
            IPassword rehashed = _passwordFactory.getPasswordFromCleartext( strUserPassword );
            _dao.store( strAccessCode, rehashed );
        }

        LuteceDefaultAdminUser user = _dao.load( strAccessCode, this );

        if ( isPasswordExpired( user ) )
        {
            // Forces a password change on the next step of the flow
            _dao.updateResetPassword( user, Boolean.TRUE );
        }

        AdminUserService.updateUserExpirationDate( user );

        return user;
    }

    /**
     * Rejects the attempt when the number of login errors recorded over the configured interval
     * strictly exceeds the configured maximum.
     * <p>
     * The check is skipped altogether unless both security parameters are strictly positive.
     * Whether the count is keyed by access code, by IP address, or both is decided in
     * {@code UserLogHome.getLoginErrors}, not here.
     *
     * @param strAccessCode
     *            The access code being tried
     * @param request
     *            The HTTP request, used to record the client IP
     * @throws FailedLoginException
     *             when the recorded failure count exceeds the maximum
     */
    private static void rejectIfTooManyFailures( String strAccessCode, HttpServletRequest request ) throws FailedLoginException
    {
        int nMaxFailed = AdminUserService.getIntegerSecurityParameter( AdminUserService.DSKEY_ACCES_FAILURES_MAX );
        int nIntervalMinutes = AdminUserService.getIntegerSecurityParameter( AdminUserService.DSKEY_ACCES_FAILURES_INTERVAL );

        if ( ( nMaxFailed <= 0 ) || ( nIntervalMinutes <= 0 ) )
        {
            return;
        }

        UserLog attempt = new UserLog( );
        attempt.setAccessCode( strAccessCode );
        // NOTE(review): if getRealIp honours proxy-supplied headers, the recorded IP is client-influenced — confirm before relying on it as the lockout key
        attempt.setIpAddress( SecurityUtil.getRealIp( request ) );
        attempt.setDateLogin( new java.sql.Timestamp( System.currentTimeMillis( ) ) );

        int nRecentFailures = UserLogHome.getLoginErrors( attempt, nIntervalMinutes );

        if ( nRecentFailures > nMaxFailed )
        {
            throw new FailedLoginException( );
        }
    }

    /**
     * Tells whether the user's password validity date is set and already in the past.
     *
     * @param user
     *            The loaded user
     * @return {@code true} when a max valid date exists and is earlier than now
     */
    private static boolean isPasswordExpired( LuteceDefaultAdminUser user )
    {
        java.util.Date maxValidDate = user.getPasswordMaxValidDate( );

        return ( maxValidDate != null ) && ( maxValidDate.getTime( ) < System.currentTimeMillis( ) );
    }

    /**
     * {@inheritDoc}
     * <p>
     * No server-side state is kept by this module, so there is nothing to do.
     */
    @Override
    public void logout( AdminUser user )
    {
        // Intentionally empty: no session state is held here
    }

    /**
     * {@inheritDoc}
     * <p>
     * This module has no anonymous user; always {@code null}.
     */
    @Override
    public AdminUser getAnonymousUser( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Authentication is handled locally, never delegated.
     */
    @Override
    public boolean isExternalAuthentication( )
    {
        return false;
    }

    /**
     * {@inheritDoc}
     * <p>
     * HTTP-level authentication is not supported; always {@code null}.
     */
    @Override
    public AdminUser getHttpAuthenticatedUser( HttpServletRequest request )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getLoginPageUrl( )
    {
        return CONSTANT_LOGIN_URL;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getChangePasswordPageUrl( )
    {
        return CONSTANT_CHANGE_PASSWORD_URL;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Not provided by this module; always {@code null}.
     */
    @Override
    public String getDoLoginUrl( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Not provided by this module; always {@code null}.
     */
    @Override
    public String getDoLogoutUrl( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Not provided by this module; always {@code null}.
     */
    @Override
    public String getNewAccountPageUrl( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Not provided by this module; always {@code null}.
     */
    @Override
    public String getViewAccountPageUrl( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getLostPasswordPageUrl( )
    {
        return CONSTANT_LOST_PASSWORD_URL;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getLostLoginPageUrl( )
    {
        return CONSTANT_LOST_LOGIN_URL;
    }

    /**
     * Not used by this module: always returns {@code null}.
     *
     * @param strLastName
     *            The last name
     * @param strFirstName
     *            The first name
     * @param strEmail
     *            The email
     * @see fr.paris.lutece.portal.business.user.authentication.AdminAuthentication#getUserList(String strLastName, String strFirstName, String strEmail )
     * @return {@code null}
     */
    @Override
    public Collection<AdminUser> getUserList( String strLastName, String strFirstName, String strEmail )
    {
        return null;
    }

    /**
     * Not used by this module: always returns {@code null}.
     *
     * @param strLogin
     *            The login
     * @see fr.paris.lutece.portal.business.user.authentication.AdminAuthentication#getUserPublicData(java.lang.String)
     * @return {@code null}
     */
    @Override
    public AdminUser getUserPublicData( String strLogin )
    {
        return null;
    }
}