This is an automated email from the ASF dual-hosted git repository.
ahuber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/causeway.git
The following commit(s) were added to refs/heads/master by this push:
new e0c1f84e4d CAUSEWAY-3459: [Secman] AuthenticatorSecman: don't allows
disabled local Users to login
e0c1f84e4d is described below
commit e0c1f84e4d972ba181a74b49708490cd79060da8
Author: Andi Huber <[email protected]>
AuthorDate: Fri May 12 06:58:25 2023 +0200
CAUSEWAY-3459: [Secman] AuthenticatorSecman: don't allow disabled local
Users to login
---
.../authenticator/AuthenticatorSecman.java | 25 ++++++++++++++--------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git
a/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/authenticator/AuthenticatorSecman.java
b/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/authenticator/AuthenticatorSecman.java
index 4868259e59..7848751589 100644
---
a/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/authenticator/AuthenticatorSecman.java
+++
b/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/authenticator/AuthenticatorSecman.java
@@ -33,25 +33,28 @@ import
org.apache.causeway.core.security.authentication.Authenticator;
import org.apache.causeway.extensions.secman.applib.role.dom.ApplicationRole;
import org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUser;
import
org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUserRepository;
+import
org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUserStatus;
import lombok.val;
import lombok.extern.log4j.Log4j2;
/**
- * {@link Authenticator} implementation that authenticates the
- * {@link ApplicationUser}, first that the user exists and secondly that the
- * provided password matches the
- * {@link ApplicationUser#getEncryptedPassword() encrypted password} of the
user.
- *
+ * {@link Authenticator} implementation that authenticates the {@link
ApplicationUser}.
+ * <p>
+ * Verifies that
+ * <ul>
+ * <li>the user exists</li>
+ * <li>the user is UNLOCKED</li>
+ * <li>the user has a persisted {@link ApplicationUser#getEncryptedPassword()
encrypted password}</li>
+ * <li>the provided raw-password, when encrypted, matches the persisted
one</li>
+ * </ul>
* <p>
- * This Authenticator is a fallback and is only used if there is no other
- * implementation available.
- * </p>
+ * This Authenticator is a fallback and is only used if there is no other
+ * implementation available.
*
* @since 2.0 {@index}
*/
@Log4j2
-//@RequiredArgsConstructor(onConstructor_ = {@Inject})
public class AuthenticatorSecman implements Authenticator {
private final ApplicationUserRepository applicationUserRepository;
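Review bot: The new Javadoc bullet `the user is UNLOCKED` leaves the status model implicit even though this hunk newly imports ApplicationUserStatus for exactly that check; naming the type there, `<li>the user's {@link ApplicationUserStatus} is unlocked</li>`, ties the documented contract to the enum the filter in the following hunk evaluates. The commit title speaks of "disabled" users while the code comments and Javadoc speak of LOCKED/UNLOCKED; if these denote the same status, using one term in the class comment spares readers a search for a separate "disabled" flag. The list also does not say what happens when a check fails; the filter comments in the next hunk call it a veto, so a closing sentence such as `Any failed check vetoes the login; no distinction between the causes is reported to the caller.` would make the fail-closed behaviour explicit (the second part is an inference from the filter chain and should be confirmed against the remainder of the method, which lies outside this hunk).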
@@ -81,6 +84,10 @@ public class AuthenticatorSecman implements Authenticator {
}
return applicationUserRepository.findByUsername(username)
+ // if user is LOCKED, then veto
+ .filter(appUser ->
ApplicationUserStatus.isUnlocked(appUser.getStatus()))
+ // if user has no encrypted password persisted, then veto
+ .filter(appUser -> appUser.isHasPassword())
.filter(appUser -> passwordEncoder.matches(rawPassword,
appUser.getEncryptedPassword()))
.map(appUser -> {
val roleNames = Stream.concat(