]> source.dussan.org Git - archiva.git/blob
ea6fade897dbddf7852984a56683e95231bc499d
[archiva.git] /
1 package org.apache.archiva.redback.struts2.action;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import org.apache.archiva.redback.keys.AuthenticationKey;
23 import org.apache.archiva.redback.policy.AccountLockedException;
24 import org.apache.archiva.redback.users.User;
25 import org.apache.struts2.ServletActionContext;
26 import org.apache.archiva.redback.authentication.AuthenticationConstants;
27 import org.apache.archiva.redback.authentication.AuthenticationDataSource;
28 import org.apache.archiva.redback.authentication.AuthenticationException;
29 import org.apache.archiva.redback.authentication.AuthenticationResult;
30 import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
31 import org.apache.archiva.redback.authentication.TokenBasedAuthenticationDataSource;
32 import org.apache.archiva.redback.configuration.UserConfiguration;
33 import org.apache.archiva.redback.keys.KeyManagerException;
34 import org.apache.archiva.redback.keys.KeyNotFoundException;
35 import org.apache.archiva.redback.policy.MustChangePasswordException;
36 import org.apache.archiva.redback.system.SecuritySession;
37 import org.apache.archiva.redback.system.SecuritySystem;
38 import org.apache.archiva.redback.users.UserNotFoundException;
39 import org.codehaus.plexus.util.StringUtils;
40 import org.apache.archiva.redback.integration.interceptor.SecureActionBundle;
41 import org.apache.archiva.redback.integration.interceptor.SecureActionException;
42 import org.apache.archiva.redback.integration.util.AutoLoginCookies;
43 import org.springframework.context.annotation.Scope;
44 import org.springframework.stereotype.Controller;
45
46 import javax.inject.Inject;
47 import java.util.Arrays;
48 import java.util.Date;
49
50 /**
51  * LoginAction
52  *
53  * @author Jesse McConnell <jmcconnell@apache.org>
54  * @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a>
55  *
56  */
57 @Controller( "redback-login" )
58 @Scope( "prototype" )
59 public class LoginAction
60     extends AbstractSecurityAction
61     implements CancellableAction
62 {
63     private static final String LOGIN_SUCCESS = "security-login-success";
64
65     private static final String PASSWORD_CHANGE = "security-must-change-password";
66
67     private static final String ACCOUNT_LOCKED = "security-login-locked";
68
69     // ------------------------------------------------------------------
70     //  Component Requirements
71     // ------------------------------------------------------------------
72
73     /**
74      *
75      */
76     @Inject
77     protected SecuritySystem securitySystem;
78
79     private String username;
80
81     private String password;
82
83     private String validateMe;
84
85     private String resetPassword;
86
87     private boolean rememberMe;
88
89     /**
90      *
91      */
92     @Inject
93     private AutoLoginCookies autologinCookies;
94
95     /**
96      *
97      */
98     @Inject
99     private UserConfiguration config;
100
101     // ------------------------------------------------------------------
102     // Action Entry Points - (aka Names)
103     // ------------------------------------------------------------------
104
105     public String show()
106     {
107         return INPUT;
108     }
109
110     /**
111      * 1) check if this is a validation authentication action
112      * 2) check if this is a reset password authentication action
113      * 3) sets up a password based authentication and passes on to webLogin()
114      *
115      * @return
116      */
117     public String login()
118     {
119         if ( StringUtils.isNotEmpty( validateMe ) )
120         {
121             // Process a login / validate request.
122             return validated();
123         }
124
125         if ( StringUtils.isNotEmpty( resetPassword ) )
126         {
127             // Process a login / reset password request.
128             return resetPassword();
129         }
130
131         if ( StringUtils.isEmpty( username ) )
132         {
133             addFieldError( "username", getText( "username.required" ) );
134             return ERROR;
135         }
136
137         PasswordBasedAuthenticationDataSource authdatasource = new PasswordBasedAuthenticationDataSource();
138         authdatasource.setPrincipal( username );
139         authdatasource.setPassword( password );
140
141         return webLogin( authdatasource, rememberMe );
142     }
143
144     /**
145      * 1) sets up a token based authentication
146      * 2) forces a password change requirement to the user
147      * 3) passes on to webLogin()
148      *
149      * @return
150      */
151     public String resetPassword()
152     {
153         if ( StringUtils.isEmpty( resetPassword ) )
154         {
155             addActionError( getText( "reset.password.missing" ) );
156             return ERROR;
157         }
158
159         try
160         {
161             AuthenticationKey authkey = securitySystem.getKeyManager().findKey( resetPassword );
162
163             User user = securitySystem.getUserManager().findUser( authkey.getForPrincipal() );
164
165             user.setPasswordChangeRequired( true );
166             user.setEncodedPassword( "" );
167
168             TokenBasedAuthenticationDataSource authsource = new TokenBasedAuthenticationDataSource();
169             authsource.setPrincipal( user.getPrincipal().toString() );
170             authsource.setToken( authkey.getKey() );
171             authsource.setEnforcePasswordChange( false );
172
173             securitySystem.getUserManager().updateUser( user );
174
175             AuditEvent event = new AuditEvent( getText( "log.password.change" ) );
176             event.setAffectedUser( username );
177             event.log();
178
179             return webLogin( authsource, false );
180         }
181         catch ( KeyNotFoundException e )
182         {
183             log.info( "Invalid key requested: {}", resetPassword );
184             addActionError( getText( "cannot.find.key" ) );
185             return ERROR;
186         }
187         catch ( KeyManagerException e )
188         {
189             addActionError( getText( "cannot.find.key.at.the.moment" ) );
190             log.warn( "Key Manager error: ", e );
191             return ERROR;
192         }
193         catch ( UserNotFoundException e )
194         {
195             addActionError( getText( "cannot.find.user" ) );
196             return ERROR;
197         }
198     }
199
200     /**
201      * 1) sets up a token based authentication
202      * 2) forces a password change requirement to the user
203      * 3) passes on to webLogin()
204      *
205      * @return
206      */
207     public String validated()
208     {
209         if ( StringUtils.isEmpty( validateMe ) )
210         {
211             addActionError( getText( "validation.failure.key.missing" ) );
212             return ERROR;
213         }
214
215         try
216         {
217             AuthenticationKey authkey = securitySystem.getKeyManager().findKey( validateMe );
218
219             User user = securitySystem.getUserManager().findUser( authkey.getForPrincipal() );
220
221             user.setValidated( true );
222             user.setLocked( false );
223             user.setPasswordChangeRequired( true );
224             user.setEncodedPassword( "" );
225
226             TokenBasedAuthenticationDataSource authsource = new TokenBasedAuthenticationDataSource();
227             authsource.setPrincipal( user.getPrincipal().toString() );
228             authsource.setToken( authkey.getKey() );
229             authsource.setEnforcePasswordChange( false );
230
231             securitySystem.getUserManager().updateUser( user );
232             String currentUser = getCurrentUser();
233
234             AuditEvent event = new AuditEvent( getText( "log.account.validation" ) );
235             event.setAffectedUser( username );
236             event.setCurrentUser( currentUser );
237             event.log();
238
239             return webLogin( authsource, false );
240         }
241         catch ( KeyNotFoundException e )
242         {
243             log.info( "Invalid key requested: {}", validateMe );
244             addActionError( getText( "cannot.find.key" ) );
245             return ERROR;
246         }
247         catch ( KeyManagerException e )
248         {
249             addActionError( getText( "cannot.find.key.at.the.momment" ) );
250             return ERROR;
251         }
252         catch ( UserNotFoundException e )
253         {
254             addActionError( getText( "cannot.find.user" ) );
255             return ERROR;
256         }
257     }
258
259     public String cancel()
260     {
261         return CANCEL;
262     }
263
264     public String getUsername()
265     {
266         return username;
267     }
268
269     public void setUsername( String username )
270     {
271         this.username = username;
272     }
273
274     public String getPassword()
275     {
276         return password;
277     }
278
279     public void setPassword( String password )
280     {
281         this.password = password;
282     }
283
284     public String getValidateMe()
285     {
286         return validateMe;
287     }
288
289     public void setValidateMe( String validateMe )
290     {
291         this.validateMe = validateMe;
292     }
293
294     public SecureActionBundle initSecureActionBundle()
295         throws SecureActionException
296     {
297         return SecureActionBundle.OPEN;
298     }
299
300     public String getResetPassword()
301     {
302         return resetPassword;
303     }
304
305     public void setResetPassword( String resetPassword )
306     {
307         this.resetPassword = resetPassword;
308     }
309
310     public boolean isRememberMe()
311     {
312         return rememberMe;
313     }
314
315     public void setRememberMe( boolean rememberMe )
316     {
317         this.rememberMe = rememberMe;
318     }
319
320
321     /**
322      * 1) attempts to authentication based on the passed in data source
323      * 2) if successful sets cookies and returns LOGIN_SUCCESS
324      * 3) if failure then check what kinda failure and return error
325      *
326      * @param authdatasource
327      * @param rememberMe
328      * @return
329      */
330     private String webLogin( AuthenticationDataSource authdatasource, boolean rememberMe )
331     {
332         // An attempt should log out your authentication tokens first!
333         setAuthTokens( null );
334
335         clearErrorsAndMessages();
336
337         // TODO: share this section with AutoLoginInterceptor
338         try
339         {
340             SecuritySession securitySession = securitySystem.authenticate( authdatasource );
341
342             if ( securitySession.isAuthenticated() )
343             {
344                 // Success!  Create tokens.
345                 setAuthTokens( securitySession );
346
347                 if ( securitySystem.getPolicy().getUserValidationSettings().isEmailValidationRequired() )
348                 {
349                     if ( !securitySession.getUser().getUsername().equals(
350                         config.getString( "redback.default.admin" ) ) )
351                     {
352                         if ( !securitySession.getUser().isValidated() )
353                         {
354                             setAuthTokens( null );
355                             // NOTE: this text is the same as incorrect.username.password to avoid exposing actual account existence
356                             addActionError( getText( "account.validation.required" ) );
357                             return ERROR;
358                         }
359                     }
360                 }
361
362                 setCookies( authdatasource, rememberMe );
363
364                 AuditEvent event = new AuditEvent( getText( "log.login.success" ) );
365                 event.setAffectedUser( username );
366                 event.log();
367
368                 User user = securitySession.getUser();
369                 user.setLastLoginDate( new Date() );
370                 securitySystem.getUserManager().updateUser( user );
371
372                 if ( StringUtils.isNotEmpty( validateMe ) )
373                 {
374                     try
375                     {
376                         //REDBACK-146: delete key after validating so user won't be able to use it the second time around
377                         securitySystem.getKeyManager().deleteKey( validateMe );
378                     }
379                     catch ( KeyManagerException e )
380                     {
381                         addActionError( getText( "cannot.find.key.at.the.momment" ) );
382                         return ERROR;
383                     }
384                 }
385
386                 return LOGIN_SUCCESS;
387             }
388             else
389             {
390                 log.debug( "Login Action failed against principal : {}",
391                            securitySession.getAuthenticationResult().getPrincipal(),
392                            securitySession.getAuthenticationResult().getException() );
393
394                 AuthenticationResult result = securitySession.getAuthenticationResult();
395                 if ( result.getExceptionsMap() != null && !result.getExceptionsMap().isEmpty() )
396                 {
397                     if ( result.getExceptionsMap().get( AuthenticationConstants.AUTHN_NO_SUCH_USER ) != null )
398                     {
399                         addActionError( getText( "incorrect.username.password" ) );
400                     }
401                     else
402                     {
403                         addActionError( getText( "authentication.failed" ) );
404                     }
405                 }
406                 else
407                 {
408                     addActionError( getText( "authentication.failed" ) );
409                 }
410
411                 AuditEvent event = new AuditEvent( getText( "log.login.fail" ) );
412                 event.setAffectedUser( username );
413                 event.log();
414
415                 return ERROR;
416             }
417         }
418         catch ( AuthenticationException ae )
419         {
420             addActionError( getText( "authentication.exception", Arrays.asList( (Object) ae.getMessage() ) ) );
421             return ERROR;
422         }
423         catch ( UserNotFoundException ue )
424         {
425             addActionError(
426                 getText( "user.not.found.exception", Arrays.asList( (Object) username, ue.getMessage() ) ) );
427
428             AuditEvent event = new AuditEvent( getText( "log.login.fail" ) );
429             event.setAffectedUser( username );
430             event.log();
431             return ERROR;
432         }
433         catch ( AccountLockedException e )
434         {
435             addActionError( getText( "account.locked" ) );
436
437             AuditEvent event = new AuditEvent( getText( "log.login.fail.locked" ) );
438             event.setAffectedUser( username );
439             event.log();
440             return ACCOUNT_LOCKED;
441         }
442         catch ( MustChangePasswordException e )
443         {
444             // TODO: preferably we would not set the cookies for this "partial" login state
445             setCookies( authdatasource, rememberMe );
446
447             AuditEvent event = new AuditEvent( getText( "log.login.fail.locked" ) );
448             event.setAffectedUser( username );
449             event.log();
450             return PASSWORD_CHANGE;
451         }
452     }
453
454     private void setCookies( AuthenticationDataSource authdatasource, boolean rememberMe )
455     {
456         if ( rememberMe )
457         {
458             autologinCookies.setRememberMeCookie( authdatasource.getPrincipal(), ServletActionContext.getResponse(),
459                                                   ServletActionContext.getRequest() );
460         }
461         autologinCookies.setSignonCookie( authdatasource.getPrincipal(), ServletActionContext.getResponse(),
462                                           ServletActionContext.getRequest() );
463     }
464 }