Author: asanso Date: Wed Oct 14 08:13:03 2015 New Revision: 1708557 URL: http://svn.apache.org/viewvc?rev=1708557&view=rev Log: SLING-5141 - Expose Oak's Login Failures in Authenticator Reason (applied patch from Dominique Jaeggi thanks!)
Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1708557&r1=1708556&r2=1708557&view=diff ============================================================================== --- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original) +++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Wed Oct 14 08:13:03 2015 @@ -29,6 +29,8 @@ import java.util.List; import java.util.Map; import javax.jcr.SimpleCredentials; +import javax.security.auth.login.AccountLockedException; +import javax.security.auth.login.AccountNotFoundException; import javax.security.auth.login.CredentialExpiredException; import javax.servlet.ServletRequest; import javax.servlet.ServletRequestEvent; @@ -958,30 +960,32 @@ public class SlingAuthenticator implemen // request authentication information and send 403 (Forbidden) // if no handler can request authentication information. + AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN; + String message = "User name and password do not match"; + if (reason.getCause() instanceof CredentialExpiredException) { // force failure attribute to be set so handlers can // react to this special circumstance - - AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED; - String message = "Password expired"; - Object creds = authInfo.get("user.jcr.credentials"); if (creds instanceof SimpleCredentials && ((SimpleCredentials) creds).getAttribute("PasswordHistoryException") != null) { code = AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY; message = "Password expired and new password found in password history"; + } else { + code = AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED; + message = "Password expired"; } - - request.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, code); - ensureAttribute(request, AuthenticationHandler.FAILURE_REASON, message); - - } else { - // preset a reason for the login failure (if not done already) - request.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, - AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN); - ensureAttribute(request, AuthenticationHandler.FAILURE_REASON, - "User name and password do not match"); + } else if (reason.getCause() instanceof AccountLockedException) { + code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_LOCKED; + message = "Account is locked"; + } else if (reason.getCause() instanceof AccountNotFoundException) { + code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_NOT_FOUND; + message = "Account was not found"; } + // preset a reason for the login failure + request.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, code); + ensureAttribute(request, AuthenticationHandler.FAILURE_REASON, message); + doLogin(request, response); } Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java?rev=1708557&r1=1708556&r2=1708557&view=diff ============================================================================== --- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java (original) +++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java Wed Oct 14 08:13:03 2015 @@ -109,18 +109,21 @@ public interface AuthenticationHandler { /** * This enum indicates the supported detailed login failure reason codes: * <ul> - * <li><code>invalid_login</code>:</li> indicates username/password mismatch. - * <li><code>password_expired</code>:</li> indicates password has expired or was never set and - * change initial password is enabled - * <li><code>unknown</code>:</li> an unknown reason for the login failure was encountered. + * <li><code>invalid_login</code>: indicates username/password mismatch.</li> + * <li><code>password_expired</code>: indicates password has expired or was never set and + * change initial password is enabled</li> + * <li><code>account_locked</code>: the account was disabled or locked</li> + * <li><code>account_not_found</code>: the account was not found (not the same as username password mismatch)</li> * </ul> * @since 1.1.0 */ - static enum FAILURE_REASON_CODES { + enum FAILURE_REASON_CODES { INVALID_LOGIN, PASSWORD_EXPIRED, PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY, - UNKNOWN; + UNKNOWN, + ACCOUNT_LOCKED, + ACCOUNT_NOT_FOUND; @Override public String toString() {