Jason, I would recommend you extend the UsernamePasswordCredentials and add an additional methods setGraceLogin(boolean gracelogin) and isGraceLogin() In your AuthenticationHandler, if you get a result of ON_A_GRACE_LOGIN, you can call setGraceLogin(true).
If you then create and register a MetaDataAuthenticationPopulator with the AuthenticationManager, it can read the isGracefulLogin property and add any additional information to the Authentication object (which is then stored with the TicketGrantingTicket). You basically use the MetaDataAuthenticationPopulator to populate the attributes map of an Authenticaion object. Also, you may want to look at the AuthenticationException class: http://developer.ja-sig.org/projects/cas/multiproject/cas-server/apidocs/org/jasig/cas/authentication/handler/AuthenticationException.html If you provide a code in the constructor, you can externalize your messages to a properties file. (i.e. "login.failed.password" or "login.failed.username"). -Scott Jason Tesser wrote: > I am looking through the code and Java doc and am unsure exactly what > to do with the MetaDataAuthenticationPopulator. I see the interface > and it has a method that takes the authentication and credentials. > Here is my AuthHandler > > public class CASAuthProvider extends > AbstractUsernamePasswordAuthenticationHandler { > > static Logger log = Logger.getLogger(CASAuthProvider.class); > > @Override > protected boolean > authenticateUsernamePasswordInternal(UsernamePasswordCredentials > credentials) throws AuthenticationException, GraceLoginException { > HashMap<String, Object> auth = > EdirUtil.authenticate(credentials.getUsername(), > credentials.getPassword()); > int result = ((Integer)auth.get(EdirUtil.LDAP_RESULT_KEY)).intValue(); > > if(result == EdirUtil.SUCCESSFUL_LOGIN){ > return true; > } > else if(result == EdirUtil.ACCOUNT_DISABLED){ > throw new AccountDisabledException(); > } > else if(result == EdirUtil.INVALID_PASSWORD ){ > throw new BadCredentialsAuthenticationException("Login failed. > Please check your credentials and try again."); > } > else if(result == EdirUtil.INVALID_USERNAME){ > throw new BadUsernameOrPasswordAuthenticationException("Login > failed. Please check your credentials and try again."); > } > else if(result == EdirUtil.NO_MORE_GRACE_LOGINS){ > throw new BlockedCredentialsAuthenticationException("Login > failed. You have used all your grace logins. Please contact the IT > Helpdesk at ext. 3880."); > } > else if(result == EdirUtil.ON_A_GRACE_LOGIN){ > throw new GraceLoginException(); > } > else{ > throw new BadCredentialsAuthenticationException(); > } > > } > > } > > From here I find out the user is on a GraceLgin and need to get that > information into the something. I guess if I can get it accessable by > the ticketRegistry that would work. I guess then I could get a new > guy in teh flow that checks teh ticket registry and sees if it is a > grace login or not. Then I dont have to reimplemnt a bunch of core > interfaces. > > So How do I get the information into the Authentication map and how do > I get it out? > > > On 7/18/06, *Jason Tesser* < [EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > OK well how do I get the my graceLogin information into the ticket > registry? I have my own AuthenticationHandler which does my login > against ldap and it knows about the the ldap code. How do I get it > to get information into this ticketRegistry? > > > On 7/18/06, *Scott Battaglia* < [EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > There are alternatives to re-writing the core interfaces :-) > > After Authentication, CAS returns a Ticket Granting Ticket > Id. Ticket > Granting Tickets along with Authentication information are > stored in a > Ticket Registry. We generally don't recommend accessing the > Ticket > Registry directly, but in your case it may be necessary. > > You can compose an AuthenticationMetaDataPopulator which can > add an > attribute to the Authentication map that specifies your grace > login > information. > > From within an Action in the web flow (I recommend you add to > the web > flow rather than modifying classes directly) you can access > the Ticket > Registry, and using the Ticket Granting Ticket Id retrieve the > Authentication object, which would contain the information you are > looking for. > > Again, generally Authentication information is only supposed to be > exposed on ticket validation (which is why its only returned > when an > Assertion is returned) but it can be accessed outside that as > long as > you have a ticket id. > > -Scott > > > ------------------------------------------------------------------------ > > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
