| %line | %branch | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor |
|
|
| 1 | /* |
|
| 2 | * Licensed to the Apache Software Foundation (ASF) under one or more |
|
| 3 | * contributor license agreements. See the NOTICE file distributed with |
|
| 4 | * this work for additional information regarding copyright ownership. |
|
| 5 | * The ASF licenses this file to You under the Apache License, Version 2.0 |
|
| 6 | * (the "License"); you may not use this file except in compliance with |
|
| 7 | * the License. You may obtain a copy of the License at |
|
| 8 | * |
|
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
|
| 10 | * |
|
| 11 | * Unless required by applicable law or agreed to in writing, software |
|
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
|
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
| 14 | * See the License for the specific language governing permissions and |
|
| 15 | * limitations under the License. |
|
| 16 | */ |
|
| 17 | package org.apache.jetspeed.security.spi.impl; |
|
| 18 | ||
| 19 | import java.util.Collection; |
|
| 20 | ||
| 21 | import org.apache.jetspeed.security.SecurityException; |
|
| 22 | import org.apache.jetspeed.security.om.InternalCredential; |
|
| 23 | import org.apache.jetspeed.security.om.InternalUserPrincipal; |
|
| 24 | ||
| 25 | /** |
|
| 26 | * <p> |
|
| 27 | * Enforces a {@link #MaxPasswordAuthenticationFailuresInterceptor(int) maximum number of times} a user may provide an invalid password. |
|
| 28 | * Once the maximum number of invalid authentications is reached, the credential is disabled.</p> |
|
| 29 | * <p> |
|
| 30 | * Note: the current count is <em>not</em> reset on valid authentication by this interceptor. |
|
| 31 | * This is done by the {@link DefaultCredentialHandler} which invokes the interceptor(s) after authentication |
|
| 32 | * and no interceptor {@link #afterAuthenticated(InternalUserPrincipal, String, InternalCredential, boolean) afterAuthenicated} |
|
| 33 | * method returns true.</p> |
|
| 34 | * <p> |
|
| 35 | * But, this interceptor <em>does</em> (re)sets the count on creation and on change of the password.</p> |
|
| 36 | * <p> |
|
| 37 | * |
|
| 38 | * @author <a href="mailto:ate@douma.nu">Ate Douma</a> |
|
| 39 | * @version $Id$ |
|
| 40 | */ |
|
| 41 | public class MaxPasswordAuthenticationFailuresInterceptor extends AbstractInternalPasswordCredentialInterceptorImpl |
|
| 42 | { |
|
| 43 | private int maxNumberOfAuthenticationFailures; |
|
| 44 | ||
| 45 | /** |
|
| 46 | * <p> |
|
| 47 | * Configure the maximum number of invalid authentications allowed in a row.</p> |
|
| 48 | * <p> |
|
| 49 | * A value of zero (0) disables the check</p> |
|
| 50 | */ |
|
| 51 | public MaxPasswordAuthenticationFailuresInterceptor(int maxNumberOfAuthenticationFailures) |
|
| 52 | 0 | { |
| 53 | 0 | this.maxNumberOfAuthenticationFailures = maxNumberOfAuthenticationFailures; |
| 54 | 0 | } |
| 55 | ||
| 56 | /** |
|
| 57 | * Checks the current count of authentication failures when the credential is not expired and authentication failed. |
|
| 58 | * @return true if the maximum number of invalid authentications is reached and the credential is disabled. |
|
| 59 | * @see org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor#afterAuthenticated(org.apache.jetspeed.security.om.InternalUserPrincipal, java.lang.String, org.apache.jetspeed.security.om.InternalCredential, boolean) |
|
| 60 | */ |
|
| 61 | public boolean afterAuthenticated(InternalUserPrincipal internalUser, String userName, |
|
| 62 | InternalCredential credential, boolean authenticated) throws SecurityException |
|
| 63 | { |
|
| 64 | 0 | boolean update = false; |
| 65 | 0 | if ( !credential.isExpired() && !authenticated && maxNumberOfAuthenticationFailures > 0 ) |
| 66 | { |
|
| 67 | 0 | int authenticationFailures = credential.getAuthenticationFailures()+1; |
| 68 | 0 | credential.setAuthenticationFailures(authenticationFailures); |
| 69 | 0 | if (authenticationFailures >= maxNumberOfAuthenticationFailures) |
| 70 | { |
|
| 71 | 0 | credential.setEnabled(false); |
| 72 | } |
|
| 73 | 0 | update = true; |
| 74 | } |
|
| 75 | 0 | return update; |
| 76 | } |
|
| 77 | ||
| 78 | /** |
|
| 79 | * Sets the count of invalid authentications to zero (0). |
|
| 80 | * @see org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor#beforeCreate(org.apache.jetspeed.security.om.InternalUserPrincipal, java.util.Collection, java.lang.String, InternalCredential, java.lang.String) |
|
| 81 | */ |
|
| 82 | public void beforeCreate(InternalUserPrincipal internalUser, Collection credentials, String userName, |
|
| 83 | InternalCredential credential, String password) throws SecurityException |
|
| 84 | { |
|
| 85 | 0 | credential.setAuthenticationFailures(0); |
| 86 | 0 | } |
| 87 | ||
| 88 | /** |
|
| 89 | * Resets the count of invalid authentications to zero (0). |
|
| 90 | * @see org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor#beforeSetPassword(org.apache.jetspeed.security.om.InternalUserPrincipal, java.util.Collection, java.lang.String, org.apache.jetspeed.security.om.InternalCredential, java.lang.String, boolean) |
|
| 91 | */ |
|
| 92 | public void beforeSetPassword(InternalUserPrincipal internalUser, Collection credentials, String userName, |
|
| 93 | InternalCredential credential, String password, boolean authenticated) throws SecurityException |
|
| 94 | { |
|
| 95 | 0 | credential.setAuthenticationFailures(0); |
| 96 | 0 | } |
| 97 | } |
| This report is generated by jcoverage, Maven and Maven JCoverage Plugin. |