1   /*
2    * Copyright (c) 2002-2022, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.business.user.authentication;
35  
36  import fr.paris.lutece.portal.business.user.AdminUser;
37  import fr.paris.lutece.portal.business.user.log.UserLog;
38  import fr.paris.lutece.portal.business.user.log.UserLogHome;
39  import fr.paris.lutece.portal.service.admin.AdminUserService;
40  import fr.paris.lutece.util.http.SecurityUtil;
41  import fr.paris.lutece.util.password.IPassword;
42  import fr.paris.lutece.util.password.IPasswordFactory;
43  
44  import java.util.Collection;
45  
46  import javax.inject.Inject;
47  import javax.security.auth.login.FailedLoginException;
48  import javax.security.auth.login.LoginException;
49  
50  import javax.servlet.http.HttpServletRequest;
51  
52  /**
53   * Default authentication module for admin authentication
54   */
public class LuteceDefaultAdminAuthentication implements AdminAuthentication
{
    private static final String CONSTANT_AUTH_SERVICE_NAME = "LUTECE DEFAULT AUTHENTICATION";
    private static final String CONSTANT_LOGIN_PAGE_URL = "jsp/admin/AdminLogin.jsp";
    private static final String CONSTANT_CHANGE_PASSWORD_PAGE_URL = "jsp/admin/user/ModifyDefaultUserPassword.jsp";
    private static final String CONSTANT_LOST_PASSWORD_URL = "jsp/admin/AdminForgotPassword.jsp";
    private static final String CONSTANT_LOST_LOGIN_URL = "jsp/admin/AdminForgotLogin.jsp";

    /** DAO giving access to the stored credentials; injected through {@link #setDao(ILuteceDefaultAdminUserDAO)}. */
    private ILuteceDefaultAdminUserDAO _dao;

    /** Factory used to re-hash a password whose stored form is flagged as legacy. */
    @Inject
    private IPasswordFactory _passwordFactory;

    /**
     * Setter used by Spring IoC
     * 
     * @param dao
     *            The DAO (defined in the Spring context)
     */
    public void setDao( ILuteceDefaultAdminUserDAO dao )
    {
        _dao = dao;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getAuthServiceName( )
    {
        return CONSTANT_AUTH_SERVICE_NAME;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getAuthType( HttpServletRequest request )
    {
        return HttpServletRequest.BASIC_AUTH;
    }

    /**
     * {@inheritDoc}
     * <p>
     * The steps run in this order:
     * <ol>
     * <li>failure throttling: when both security parameters are positive, the number of login errors recorded for this access code / IP over
     * the configured interval is compared with the maximum, and a {@link FailedLoginException} is thrown when it is exceeded (see
     * {@link #rejectWhenTooManyFailures(String, HttpServletRequest)});</li>
     * <li>password verification against the stored {@link IPassword}; a mismatch throws a {@link FailedLoginException} without a message, so
     * the caller sees the same exception as for a throttled attempt;</li>
     * <li>storage upgrade: a password flagged {@link IPassword#isLegacy()} is re-encoded from the cleartext through the password factory and
     * stored back;</li>
     * <li>password-expiry flagging: when the user's password max-valid date is in the past, the "reset password" flag is set;</li>
     * <li>account expiration refresh through {@link AdminUserService#updateUserExpirationDate}.</li>
     * </ol>
     * NOTE(review): what {@code _dao.loadPassword} returns for an unknown access code is not visible here — confirm it yields a non-null
     * {@link IPassword} that fails {@code check}, so that an unknown login is rejected the same way as a wrong password.
     *
     * @param strAccessCode
     *            The access code (login) typed by the user
     * @param strUserPassword
     *            The cleartext password typed by the user
     * @param request
     *            The HTTP request, used to attribute the attempt to a client IP
     * @return the loaded {@link LuteceDefaultAdminUser}
     * @throws LoginException
     *             when the attempt is throttled or the password does not match
     */
    @Override
    public AdminUser login( String strAccessCode, String strUserPassword, HttpServletRequest request ) throws LoginException
    {
        rejectWhenTooManyFailures( strAccessCode, request );

        IPassword storedPassword = _dao.loadPassword( strAccessCode );

        if ( !storedPassword.check( strUserPassword ) )
        {
            throw new FailedLoginException( );
        }

        if ( storedPassword.isLegacy( ) )
        {
            // Re-encode with the current scheme so the legacy form is not kept around
            _dao.store( strAccessCode, _passwordFactory.getPasswordFromCleartext( strUserPassword ) );
        }

        LuteceDefaultAdminUser user = _dao.load( strAccessCode, this );

        if ( isPasswordPastMaxValidDate( user ) )
        {
            _dao.updateResetPassword( user, Boolean.TRUE );
        }

        AdminUserService.updateUserExpirationDate( user );

        return user;
    }

    /**
     * Applies the brute-force throttling configured through the {@code DSKEY_ACCES_FAILURES_MAX} and
     * {@code DSKEY_ACCES_FAILURES_INTERVAL} security parameters. The check is skipped when either parameter is zero or negative.
     * <p>
     * The comparison is strict ({@code > nMaxFailed}), so an attempt made while the recorded count equals the maximum is still let through.
     * NOTE(review): the client IP comes from {@code SecurityUtil.getRealIp}; whether that value can be influenced by request headers in this
     * deployment is not visible here — confirm, since it is part of the key used to count failures.
     *
     * @param strAccessCode
     *            The access code of the attempt
     * @param request
     *            The HTTP request of the attempt
     * @throws FailedLoginException
     *             when more than the allowed number of failures were recorded over the interval
     */
    private void rejectWhenTooManyFailures( String strAccessCode, HttpServletRequest request ) throws FailedLoginException
    {
        int nMaxFailed = AdminUserService.getIntegerSecurityParameter( AdminUserService.DSKEY_ACCES_FAILURES_MAX );
        int nIntervalMinutes = AdminUserService.getIntegerSecurityParameter( AdminUserService.DSKEY_ACCES_FAILURES_INTERVAL );

        if ( ( nMaxFailed <= 0 ) || ( nIntervalMinutes <= 0 ) )
        {
            // Throttling disabled by configuration
            return;
        }

        // Probe record describing the current attempt; only used to query the error count
        UserLog probe = new UserLog( );
        probe.setAccessCode( strAccessCode );
        probe.setIpAddress( SecurityUtil.getRealIp( request ) );
        probe.setDateLogin( new java.sql.Timestamp( System.currentTimeMillis( ) ) );

        if ( UserLogHome.getLoginErrors( probe, nIntervalMinutes ) > nMaxFailed )
        {
            throw new FailedLoginException( );
        }
    }

    /**
     * Tells whether the user's password max-valid date is set and strictly earlier than now.
     *
     * @param user
     *            The user just loaded
     * @return {@code true} when a max-valid date exists and is already past
     */
    private static boolean isPasswordPastMaxValidDate( LuteceDefaultAdminUser user )
    {
        return ( user.getPasswordMaxValidDate( ) != null ) && ( user.getPasswordMaxValidDate( ).getTime( ) < System.currentTimeMillis( ) );
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void logout( AdminUser user )
    {
        // No server-side state to discard for this module
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public AdminUser getAnonymousUser( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public boolean isExternalAuthentication( )
    {
        return false;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public AdminUser getHttpAuthenticatedUser( HttpServletRequest request )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getLoginPageUrl( )
    {
        return CONSTANT_LOGIN_PAGE_URL;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getChangePasswordPageUrl( )
    {
        return CONSTANT_CHANGE_PASSWORD_PAGE_URL;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getDoLoginUrl( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getDoLogoutUrl( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getNewAccountPageUrl( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getViewAccountPageUrl( )
    {
        return null;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getLostPasswordPageUrl( )
    {
        return CONSTANT_LOST_PASSWORD_URL;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getLostLoginPageUrl( )
    {
        return CONSTANT_LOST_LOGIN_URL;
    }

    /**
     * Not used - Return null always for this module
     * 
     * @param strLastName
     *            The last name
     * @param strFirstName
     *            The first name
     * @param strEmail
     *            The email
     * @see fr.paris.lutece.portal.business.user.authentication.AdminAuthentication#getUserList(String strLastName, String strFirstName, String strEmail )
     * @return null
     */
    @Override
    public Collection<AdminUser> getUserList( String strLastName, String strFirstName, String strEmail )
    {
        return null;
    }

    /**
     * Not used - Return null always for this module
     * 
     * @param strLogin
     *            The login
     * @see fr.paris.lutece.portal.business.user.authentication.AdminAuthentication#getUserPublicData(java.lang.String)
     * @return null
     */
    @Override
    public AdminUser getUserPublicData( String strLogin )
    {
        return null;
    }
}
284 }