diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
index f757c6f91..3ca0168b5 100644
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
@@ -21,8 +21,10 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import org.maxkey.authn.jwt.AuthJwtService;
+import org.maxkey.authn.online.OnlineTicket;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
+import org.maxkey.authn.web.AuthorizationUtils;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstsLoginType;
 import org.maxkey.constants.ConstsStatus;
@@ -39,6 +41,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 /**
 * login Authentication abstract class.
 *
@@ -92,6 +95,7 @@ public abstract class AbstractAuthenticationProvider {
 public Authentication authenticate(LoginCredential authentication){
 if(authentication.getAuthType().equalsIgnoreCase("trusted")) {
+ //risk remove
 return null;
 }
 AbstractAuthenticationProvider provider = providers.get(authentication.getAuthType() + PROVIDER_SUFFIX);
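Review bot: The added `//risk remove` above `return null;` in `authenticate(LoginCredential)` does not say what the risk is or what should be removed, so the next maintainer cannot tell whether the early return is the mitigation or the thing to delete. From the visible lines it looks like a client-supplied authType of "trusted" is being kept away from the provider registry, since the trusted provider is only reached through the two-argument `authenticate(credential, trusted)` overload in the next hunk; if that is the intent, say so: `// "trusted" is reserved for server-side calls via authenticate(credential, true); a client-supplied authType must never dispatch to the trusted provider`. Returning null also leaves the caller to distinguish "rejected" from "no decision"; an explicit BadCredentialsException would make the rejection unambiguous. `authenticate` continues past the hunk.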
@@ -101,60 +105,64 @@ public abstract class AbstractAuthenticationProvider {
 public Authentication authenticate(LoginCredential authentication,boolean trusted){
 AbstractAuthenticationProvider provider = providers.get(AuthType.TRUSTED + PROVIDER_SUFFIX);
- return provider == null ? null : provider.doAuthenticate(authentication);
+ return provider.doAuthenticate(authentication);
 }
 public void addAuthenticationProvider(AbstractAuthenticationProvider provider) {
 providers.put(provider.getProviderName(), provider);
 }
- /**
- * captcha validate .
- *
- * @param authType String
- * @param captcha String
- */
- protected void captchaValid(String captcha, String authType) {
- // for basic
- if (authType.equalsIgnoreCase(AuthType.NORMAL)) {
- _logger.info("captcha : "
- + WebContext.getSession().getAttribute(
- WebConstants.KAPTCHA_SESSION_KEY).toString());
- if (captcha == null || !captcha
- .equals(WebContext.getSession().getAttribute(
- WebConstants.KAPTCHA_SESSION_KEY).toString())) {
- String message = WebContext.getI18nValue("login.error.captcha");
- _logger.debug("login captcha valid error.");
- throw new BadCredentialsException(message);
- }
- }
- }
 /**
- * captcha validate.
- *
- * @param otpCaptcha String
- * @param authType String
- * @param userInfo UserInfo
+ * createOnlineSession
+ * @param credential
+ * @param userInfo
+ * @return
 */
- protected void tftcaptchaValid(String otpCaptcha, String authType, UserInfo userInfo) {
- // for one time password 2 factor
- if (applicationConfig.getLoginConfig().isMfa()
- && authType.equalsIgnoreCase(AuthType.TFA)) {
- UserInfo validUserInfo = new UserInfo();
- validUserInfo.setUsername(userInfo.getUsername());
- validUserInfo.setSharedSecret(userInfo.getSharedSecret());
- validUserInfo.setSharedCounter(userInfo.getSharedCounter());
- validUserInfo.setId(userInfo.getId());
- if (otpCaptcha == null || !tfaOtpAuthn.validate(validUserInfo, otpCaptcha)) {
- String message = WebContext.getI18nValue("login.error.captcha");
- _logger.debug("login captcha valid error.");
- throw new BadCredentialsException(message);
+ public UsernamePasswordAuthenticationToken createOnlineTicket(LoginCredential credential,UserInfo userInfo) {
+ //Online Tickit
+ OnlineTicket onlineTicket = new OnlineTicket();
+
+ userInfo.setOnlineTicket(onlineTicket.getTicketId());
+
+ SigninPrincipal principal = new SigninPrincipal(userInfo);
+ //set OnlineTicket
+ principal.setOnlineTicket(onlineTicket);
+ ArrayList grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
+ principal.setAuthenticated(true);
+
+ for(GrantedAuthority administratorsAuthority : grantedAdministratorsAuthoritys) {
+ if(grantedAuthoritys.contains(administratorsAuthority)) {
+ principal.setRoleAdministrators(true);
+ _logger.trace("ROLE ADMINISTRATORS Authentication .");
 }
 }
+ _logger.debug("Granted Authority {}" , grantedAuthoritys);
+
+ principal.setGrantedAuthorityApps(authenticationRealm.queryAuthorizedApps(grantedAuthoritys));
+
+ UsernamePasswordAuthenticationToken authenticationToken =
+ new UsernamePasswordAuthenticationToken(
+ principal,
+ "PASSWORD",
+ grantedAuthoritys
+ );
+
+ authenticationToken.setDetails(
+ new WebAuthenticationDetails(WebContext.getRequest()));
+
+ onlineTicket.setAuthentication(authenticationToken);
+
+ //store onlineTicket
+ this.onlineTicketServices.store(onlineTicket.getTicketId(), onlineTicket);
+
+ /*
+ * put Authentication to current session context
+ */
+ AuthorizationUtils.setAuthentication(authenticationToken);
+
+ return authenticationToken;
 }
-
-
 /**
 * login user by j_username and j_cname first query user by j_cname if first
 * step userinfo is null,query user from system.
@@ -255,24 +263,4 @@ public abstract class AbstractAuthenticationProvider {
 return true;
 }
- public void setApplicationConfig(ApplicationConfig applicationConfig) {
- this.applicationConfig = applicationConfig;
- }
-
- public void setAuthenticationRealm(AbstractAuthenticationRealm authenticationRealm) {
- this.authenticationRealm = authenticationRealm;
- }
-
- public void setTfaOtpAuthn(AbstractOtpAuthn tfaOtpAuthn) {
- this.tfaOtpAuthn = tfaOtpAuthn;
- }
-
- public void setOnlineTicketServices(OnlineTicketService onlineTicketServices) {
- this.onlineTicketServices = onlineTicketServices;
- }
-
- public void setOtpAuthnService(OtpAuthnService otpAuthnService) {
- this.otpAuthnService = otpAuthnService;
- }
-
 }
diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MfaAuthenticationProvider.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MfaAuthenticationProvider.java
index 5fa91835b..41a0bf420 100644
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MfaAuthenticationProvider.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MfaAuthenticationProvider.java
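Review bot: Dropping the `provider == null ? null :` guard in `authenticate(LoginCredential, boolean)` turns a missing TrustedAuthenticationProvider registration into a NullPointerException at `return provider.doAuthenticate(authentication);`; failing fast is fine, but make it deliberate and descriptive, e.g. `if (provider == null) { throw new IllegalStateException("no provider registered for " + AuthType.TRUSTED + PROVIDER_SUFFIX); }` before the return. The `trusted` parameter of that overload is never read, so every caller gets the trusted (credential-less) path whatever value it passes; a Javadoc line stating that, or an explicit check, would keep a future caller from relying on `false` meaning anything. The Javadoc on the relocated `createOnlineTicket` has empty `@param credential`, `@param userInfo` and `@return` tags, and `credential` is not used in the body; document that the ticket and token are built from `userInfo` alone and that the method has side effects (it stores the ticket through `onlineTicketServices.store` and publishes the token through `AuthorizationUtils.setAuthentication`). `ArrayList grantedAuthoritys` is a raw type now living in the shared base class; `List<GrantedAuthority>` is what the `for` loop below already assumes.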
@@ -17,16 +17,11 @@
 package org.maxkey.authn.provider;
-import java.util.ArrayList;
-
 import org.maxkey.authn.AbstractAuthenticationProvider;
 import org.maxkey.authn.LoginCredential;
-import org.maxkey.authn.SigninPrincipal;
 import org.maxkey.authn.jwt.AuthJwtService;
-import org.maxkey.authn.online.OnlineTicket;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
-import org.maxkey.authn.web.AuthorizationUtils;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstsLoginType;
 import org.maxkey.entity.Institutions;
@@ -36,11 +31,10 @@ import org.maxkey.web.WebConstants;
 import org.maxkey.web.WebContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.web.authentication.WebAuthenticationDetails;
 /**
@@ -84,10 +78,7 @@ public class MfaAuthenticationProvider extends AbstractAuthenticationProvider {
 _logger.debug("authentication " + loginCredential);
 Institutions inst = (Institutions)WebContext.getAttribute(WebConstants.CURRENT_INST);
- if(inst.getCaptchaSupport().equalsIgnoreCase("YES")) {
- captchaValid(loginCredential.getCaptcha(),loginCredential.getAuthType());
- }
-
+ emptyPasswordValid(loginCredential.getPassword());
 UserInfo userInfo = null;
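Review bot: Removing the `inst.getCaptchaSupport().equalsIgnoreCase("YES")` block from MfaAuthenticationProvider means an institution configured with captcha support no longer gets any captcha check on the mfa path, while NormalAuthenticationProvider in the same commit keeps it with the new `captchaValid(state, captcha)` signature; nothing in the hunk records whether the OTP is meant to stand in for the captcha here. If that is the design, leave a one-line comment where the check used to be, `// captcha is not checked on the mfa path: the OTP validated in mfacaptchaValid() is the second factor`; if not, the institution check should be restored using the new signature. The `inst` local is still computed on the context line but, within this hunk, no longer read. The enclosing method's signature is outside the hunk, so whether anything else on this path consults the institution setting is not visible here.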
@@ -98,7 +89,7 @@ public class MfaAuthenticationProvider extends AbstractAuthenticationProvider {
 statusValid(loginCredential , userInfo);
 //mfa
- tftcaptchaValid(loginCredential.getOtpCaptcha(),loginCredential.getAuthType(),userInfo);
+ mfacaptchaValid(loginCredential.getOtpCaptcha(),userInfo);
 //Validate PasswordPolicy
 authenticationRealm.getPasswordPolicyValidator().passwordPolicyValid(userInfo);
@@ -109,7 +100,7 @@ public class MfaAuthenticationProvider extends AbstractAuthenticationProvider {
 //apply PasswordSetType and resetBadPasswordCount
 authenticationRealm.getPasswordPolicyValidator().applyPasswordPolicy(userInfo);
- authenticationToken = createOnlineSession(loginCredential,userInfo);
+ authenticationToken = createOnlineTicket(loginCredential,userInfo);
 // user authenticated
 _logger.debug("'{}' authenticated successfully by {}.", loginCredential.getPrincipal(), getProviderName());
@@ -133,50 +124,30 @@ public class MfaAuthenticationProvider extends AbstractAuthenticationProvider {
 return authenticationToken;
 }
+
+
- public UsernamePasswordAuthenticationToken createOnlineSession(LoginCredential credential,UserInfo userInfo) {
- //Online Tickit
- OnlineTicket onlineTicket = new OnlineTicket();
-
- userInfo.setOnlineTicket(onlineTicket.getTicketId());
-
- SigninPrincipal principal = new SigninPrincipal(userInfo);
- //set OnlineTicket
- principal.setOnlineTicket(onlineTicket);
- ArrayList grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
- principal.setAuthenticated(true);
-
- for(GrantedAuthority administratorsAuthority : grantedAdministratorsAuthoritys) {
- if(grantedAuthoritys.contains(administratorsAuthority)) {
- principal.setRoleAdministrators(true);
- _logger.trace("ROLE ADMINISTRATORS Authentication .");
+ /**
+ * captcha validate.
+ *
+ * @param otpCaptcha String
+ * @param authType String
+ * @param userInfo UserInfo
+ */
+ protected void mfacaptchaValid(String otpCaptcha, UserInfo userInfo) {
+ // for one time password 2 factor
+ if (applicationConfig.getLoginConfig().isMfa()) {
+ UserInfo validUserInfo = new UserInfo();
+ validUserInfo.setUsername(userInfo.getUsername());
+ validUserInfo.setSharedSecret(userInfo.getSharedSecret());
+ validUserInfo.setSharedCounter(userInfo.getSharedCounter());
+ validUserInfo.setId(userInfo.getId());
+ if (otpCaptcha == null || !tfaOtpAuthn.validate(validUserInfo, otpCaptcha)) {
+ String message = WebContext.getI18nValue("login.error.captcha");
+ _logger.debug("login captcha valid error.");
+ throw new BadCredentialsException(message);
 }
 }
- _logger.debug("Granted Authority {}" , grantedAuthoritys);
-
- principal.setGrantedAuthorityApps(authenticationRealm.queryAuthorizedApps(grantedAuthoritys));
-
- UsernamePasswordAuthenticationToken authenticationToken =
- new UsernamePasswordAuthenticationToken(
- principal,
- "PASSWORD",
- grantedAuthoritys
- );
-
- authenticationToken.setDetails(
- new WebAuthenticationDetails(WebContext.getRequest()));
-
- onlineTicket.setAuthentication(authenticationToken);
-
- //store onlineTicket
- this.onlineTicketServices.store(onlineTicket.getTicketId(), onlineTicket);
-
- /*
- * put Authentication to current session context
- */
- AuthorizationUtils.setAuthentication(authenticationToken);
-
- return authenticationToken;
 }
-
+
 }
diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MobileAuthenticationProvider.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MobileAuthenticationProvider.java
index 68e47547e..3d8594057 100644
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MobileAuthenticationProvider.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MobileAuthenticationProvider.java
@@ -17,6 +17,7 @@
 package org.maxkey.authn.provider;
+import org.maxkey.authn.AbstractAuthenticationProvider;
 import org.maxkey.authn.LoginCredential;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
@@ -40,7 +41,7 @@ import org.springframework.security.core.AuthenticationException;
 * @author Crystal.Sea
 *
 */
-public class MobileAuthenticationProvider extends NormalAuthenticationProvider {
+public class MobileAuthenticationProvider extends AbstractAuthenticationProvider {
 private static final Logger _logger = LoggerFactory.getLogger(MobileAuthenticationProvider.class);
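Review bot: The Javadoc on the new `mfacaptchaValid` still lists `@param authType String`, but the method takes only `otpCaptcha` and `userInfo`; drop that tag and let the summary say what is checked, e.g. `Validates the one-time password (second factor) for the user; throws BadCredentialsException when MFA is enabled and the code is missing or wrong.` The same stale `@param authType` tag sits above the renamed `mobileCaptchaValid` in MobileAuthenticationProvider. The body skips validation entirely when `applicationConfig.getLoginConfig().isMfa()` is false, so on this provider a login with MFA disabled in configuration proceeds with no OTP check at all; that may be intended for deployments without MFA, but it deserves a comment on the `if`, because a reader of a class named MfaAuthenticationProvider will not expect it. The name also breaks the file's camelCase convention that the sibling rename to `mobileCaptchaValid` establishes; `mfaCaptchaValid` would match.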
@@ -67,7 +68,7 @@ public class MobileAuthenticationProvider extends NormalAuthenticationProvider {
 }
 @Override
- public Authentication authenticate(LoginCredential loginCredential) {
+ public Authentication doAuthenticate(LoginCredential loginCredential) {
 UsernamePasswordAuthenticationToken authenticationToken = null;
 _logger.debug("Trying to authenticate user '{}' via {}", loginCredential.getPrincipal(), getProviderName());
@@ -86,12 +87,12 @@ public class MobileAuthenticationProvider extends NormalAuthenticationProvider {
 //Validate PasswordPolicy
 authenticationRealm.getPasswordPolicyValidator().passwordPolicyValid(userInfo);
- mobilecaptchaValid(loginCredential.getPassword(),userInfo);
+ mobileCaptchaValid(loginCredential.getPassword(),userInfo);
 //apply PasswordSetType and resetBadPasswordCount
 authenticationRealm.getPasswordPolicyValidator().applyPasswordPolicy(userInfo);
- authenticationToken = createOnlineSession(loginCredential,userInfo);
+ authenticationToken = createOnlineTicket(loginCredential,userInfo);
 // user authenticated
 _logger.debug("'{}' authenticated successfully by {}.", loginCredential.getPrincipal(), getProviderName());
@@ -124,7 +125,7 @@ public class MobileAuthenticationProvider extends NormalAuthenticationProvider {
 * @param authType String
 * @param userInfo UserInfo
 */
- protected void mobilecaptchaValid(String password, UserInfo userInfo) {
+ protected void mobileCaptchaValid(String password, UserInfo userInfo) {
 // for mobile password
 if (applicationConfig.getLoginConfig().isMfa()) {
 UserInfo validUserInfo = new UserInfo();
diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/NormalAuthenticationProvider.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/NormalAuthenticationProvider.java
index db9ad0f78..ade0d21a1 100644
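Review bot: In the renamed `mobileCaptchaValid`, the whole check sits under `if (applicationConfig.getLoginConfig().isMfa())`, so when MFA is off in configuration the value the client submitted in the password field is never validated on this provider; the body runs past the hunk, so confirm the login is rejected elsewhere in that case rather than accepted with an unchecked code. Whatever the answer, a comment on that `if` stating the intended behaviour would save the next reader the same question, e.g. `// the mobile code is only verified when MFA is enabled; TODO confirm a login with MFA disabled is rejected before this point`. The `// for mobile password` comment suggests the password field carries the one-time code on this path; if so, `@param password the one-time code submitted in the password field` belongs in the Javadoc in place of the stale authType tag.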
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/NormalAuthenticationProvider.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/NormalAuthenticationProvider.java
@@ -17,16 +17,13 @@
 package org.maxkey.authn.provider;
-import java.util.ArrayList;
-
+import java.text.ParseException;
+import org.apache.commons.lang3.StringUtils;
 import org.maxkey.authn.AbstractAuthenticationProvider;
 import org.maxkey.authn.LoginCredential;
-import org.maxkey.authn.SigninPrincipal;
 import org.maxkey.authn.jwt.AuthJwtService;
-import org.maxkey.authn.online.OnlineTicket;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
-import org.maxkey.authn.web.AuthorizationUtils;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstsLoginType;
 import org.maxkey.entity.Institutions;
@@ -36,11 +33,11 @@ import org.maxkey.web.WebConstants;
 import org.maxkey.web.WebContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.web.authentication.WebAuthenticationDetails;
+import com.nimbusds.jwt.JWTClaimsSet;
 /**
@@ -85,7 +82,7 @@ public class NormalAuthenticationProvider extends AbstractAuthenticationProvider
 Institutions inst = (Institutions)WebContext.getAttribute(WebConstants.CURRENT_INST);
 if(inst.getCaptchaSupport().equalsIgnoreCase("YES")) {
- captchaValid(loginCredential.getCaptcha(),loginCredential.getAuthType());
+ captchaValid(loginCredential.getState(),loginCredential.getCaptcha());
 }
 emptyPasswordValid(loginCredential.getPassword());
@@ -105,7 +102,7 @@ public class NormalAuthenticationProvider extends AbstractAuthenticationProvider
 //apply PasswordSetType and resetBadPasswordCount
 authenticationRealm.getPasswordPolicyValidator().applyPasswordPolicy(userInfo);
- authenticationToken = createOnlineSession(loginCredential,userInfo);
+ authenticationToken = createOnlineTicket(loginCredential,userInfo);
 // user authenticated
 _logger.debug("'{}' authenticated successfully by {}.", loginCredential.getPrincipal(), getProviderName());
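Review bot: The new call `captchaValid(loginCredential.getState(),loginCredential.getCaptcha())` now reaches a method declared `throws ParseException` (its definition is in the later hunk of this file), so a malformed `state` token leaves this method through a checked ParseException rather than the BadCredentialsException every other validation step uses; the enclosing method's signature is outside the hunk, so whether it declares or handles that exception is not visible. Wrapping the call, `try { captchaValid(loginCredential.getState(), loginCredential.getCaptcha()); } catch (ParseException e) { throw new BadCredentialsException(WebContext.getI18nValue("login.error.captcha"), e); }`, keeps an unparsable state on the same failure path as a wrong captcha and preserves the cause. `loginCredential.getState()` is also passed through unchecked, so a missing state is handled only if `authJwtService.resolve` tolerates null, which cannot be confirmed from this hunk.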
@@ -129,50 +126,28 @@ public class NormalAuthenticationProvider extends AbstractAuthenticationProvider
 return authenticationToken;
 }
-
- public UsernamePasswordAuthenticationToken createOnlineSession(LoginCredential credential,UserInfo userInfo) {
- //Online Tickit
- OnlineTicket onlineTicket = new OnlineTicket();
-
- userInfo.setOnlineTicket(onlineTicket.getTicketId());
-
- SigninPrincipal principal = new SigninPrincipal(userInfo);
- //set OnlineTicket
- principal.setOnlineTicket(onlineTicket);
- ArrayList grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
- principal.setAuthenticated(true);
-
- for(GrantedAuthority administratorsAuthority : grantedAdministratorsAuthoritys) {
- if(grantedAuthoritys.contains(administratorsAuthority)) {
- principal.setRoleAdministrators(true);
- _logger.trace("ROLE ADMINISTRATORS Authentication .");
- }
+
+ /**
+ * captcha validate .
+ *
+ * @param authType String
+ * @param captcha String
+ * @throws ParseException
+ */
+ protected void captchaValid(String state ,String captcha) throws ParseException {
+ // for basic
+ JWTClaimsSet claim = authJwtService.resolve(state);
+ if(claim == null) {
+ throw new BadCredentialsException(WebContext.getI18nValue("login.error.captcha"));
+ }
+ Object momentaryCaptcha = momentaryService.get("", claim.getJWTID());
+ _logger.info("captcha : {} , momentary Captcha : {} " ,captcha, momentaryCaptcha);
+ if (StringUtils.isBlank(captcha) || !captcha.equals(momentaryCaptcha.toString())) {
+ _logger.debug("login captcha valid error.");
+ throw new BadCredentialsException(WebContext.getI18nValue("login.error.captcha"));
 }
- _logger.debug("Granted Authority {}" , grantedAuthoritys);
-
- principal.setGrantedAuthorityApps(authenticationRealm.queryAuthorizedApps(grantedAuthoritys));
-
- UsernamePasswordAuthenticationToken authenticationToken =
- new UsernamePasswordAuthenticationToken(
- principal,
- "PASSWORD",
- grantedAuthoritys
- );
-
- authenticationToken.setDetails(
- new WebAuthenticationDetails(WebContext.getRequest()));
-
- onlineTicket.setAuthentication(authenticationToken);
-
- //store onlineTicket
- this.onlineTicketServices.store(onlineTicket.getTicketId(), onlineTicket);
-
- /*
- * put Authentication to current session context
- */
- AuthorizationUtils.setAuthentication(authenticationToken);
-
- return authenticationToken;
 }
+
+
 }
diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/TrustedAuthenticationProvider.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/TrustedAuthenticationProvider.java
index 882b2e5e8..41249165a 100644
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/TrustedAuthenticationProvider.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/TrustedAuthenticationProvider.java
@@ -17,6 +17,7 @@
 package org.maxkey.authn.provider;
+import org.maxkey.authn.AbstractAuthenticationProvider;
 import org.maxkey.authn.LoginCredential;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
@@ -33,7 +34,7 @@ import org.springframework.security.core.Authentication;
 * @author Crystal.Sea
 *
 */
-public class TrustedAuthenticationProvider extends NormalAuthenticationProvider {
+public class TrustedAuthenticationProvider extends AbstractAuthenticationProvider {
 private static final Logger _logger = LoggerFactory.getLogger(TrustedAuthenticationProvider.class);
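Review bot: In the new `captchaValid(String state, String captcha)`, `momentaryService.get("", claim.getJWTID())` can come back null when the captcha entry has expired or was never issued for that JWT id, and `momentaryCaptcha.toString()` in the next condition then throws NullPointerException instead of the BadCredentialsException the method otherwise uses; fold the null case into the rejection: `if (momentaryCaptcha == null || StringUtils.isBlank(captcha) || !captcha.equals(momentaryCaptcha.toString())) {`. The `_logger.info("captcha : {} , momentary Captcha : {} ", ...)` line writes the expected captcha value to the log at INFO on every login attempt, which belongs at debug or trace, or should log only `claim.getJWTID()`. Nothing in the method retires the momentary entry after a successful match, so the same `state`/`captcha` pair stays accepted until the entry expires; if `momentaryService` offers a removal operation, call it once the comparison succeeds so each issued captcha is single-use. The Javadoc still documents `@param authType String` rather than `state`; `@param state the signed state token whose JWT id keys the issued captcha` and `@param captcha the value the user submitted` would match the signature, and the `@throws ParseException` tag should say it is raised by `authJwtService.resolve` on an unparsable state.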
@@ -63,7 +64,7 @@ public class TrustedAuthenticationProvider extends NormalAuthenticationProvider
 authenticationRealm.getPasswordPolicyValidator().passwordPolicyValid(loadeduserInfo);
 //apply PasswordSetType and resetBadPasswordCount
 authenticationRealm.getPasswordPolicyValidator().applyPasswordPolicy(loadeduserInfo);
- Authentication authentication = createOnlineSession(loginCredential,loadeduserInfo);
+ Authentication authentication = createOnlineTicket(loginCredential,loadeduserInfo);
 authenticationRealm.insertLoginHistory(
 loadeduserInfo,
 loginCredential.getAuthType(),