directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kayyag...@apache.org
Subject svn commit: r963806 - in /directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn: AbstractAuthenticator.java Authenticator.java
Date Tue, 13 Jul 2010 18:32:32 GMT
Author: kayyagari
Date: Tue Jul 13 18:32:32 2010
New Revision: 963806

URL: http://svn.apache.org/viewvc?rev=963806&view=rev
Log:
o added a new method to perform password policy checks before authenticating a user 

Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java?rev=963806&r1=963805&r2=963806&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java
Tue Jul 13 18:32:32 2010
@@ -20,14 +20,31 @@
 package org.apache.directory.server.core.authn;
 
 
+import static org.apache.directory.shared.ldap.codec.controls.ppolicy.PasswordPolicyErrorEnum.ACCOUNT_LOCKED;
+import static org.apache.directory.shared.ldap.codec.controls.ppolicy.PasswordPolicyErrorEnum.PASSWORD_EXPIRED;
+import static org.apache.directory.shared.ldap.constants.PasswordPolicySchemaConstants.PWD_ACCOUNT_LOCKED_TIME_AT;
+import static org.apache.directory.shared.ldap.constants.PasswordPolicySchemaConstants.PWD_CHANGED_TIME_AT;
+import static org.apache.directory.shared.ldap.constants.PasswordPolicySchemaConstants.PWD_END_TIME_AT;
+import static org.apache.directory.shared.ldap.constants.PasswordPolicySchemaConstants.PWD_GRACE_USE_TIME_AT;
+import static org.apache.directory.shared.ldap.constants.PasswordPolicySchemaConstants.PWD_LAST_SUCCESS_AT;
+import static org.apache.directory.shared.ldap.constants.PasswordPolicySchemaConstants.PWD_START_TIME_AT;
+
+import java.util.Collections;
+import java.util.Date;
+
 import org.apache.directory.server.core.DirectoryService;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
+import org.apache.directory.shared.ldap.entry.DefaultModification;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.EntryAttribute;
+import org.apache.directory.shared.ldap.entry.Modification;
+import org.apache.directory.shared.ldap.entry.ModificationOperation;
 import org.apache.directory.shared.ldap.exception.LdapException;
 import org.apache.directory.shared.ldap.name.DN;
+import org.apache.directory.shared.ldap.util.DateUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-
 /**
  * Base class for all Authenticators.
  *
@@ -44,7 +61,8 @@ public abstract class AbstractAuthentica
     /** authenticator type */
     private final AuthenticationLevel authenticatorType;
 
-
+    private PasswordPolicyConfiguration pPolicyConfig;
+    
     /**
      * Creates a new instance.
      *
@@ -128,4 +146,123 @@ public abstract class AbstractAuthentica
     public void invalidateCache( DN bindDn )
     {
     }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    public void checkPwdPolicy( Entry userEntry ) throws LdapException
+    {
+        if( pPolicyConfig == null )
+        {
+            return;
+        }
+
+        // check for locked out account
+        if( pPolicyConfig.isPwdLockout() )
+        {
+            LOG.debug( "checking if account with the DN {} is locked", userEntry.getDn()
);
+            
+            EntryAttribute accountLockAttr = userEntry.get( PWD_ACCOUNT_LOCKED_TIME_AT );
+            if( accountLockAttr != null )
+            {
+                String lockedTime = accountLockAttr.getString();
+                if( lockedTime.equals( "000001010000Z" ) )
+                {
+                    throw new PasswordPolicyException( "account was permanently locked",
ACCOUNT_LOCKED );
+                }
+                else
+                {
+                    Date lockedDate = DateUtils.getDate( lockedTime );
+                    long time = pPolicyConfig.getPwdLockoutDuration() * 1000;
+                    time += lockedDate.getTime();
+                    
+                    Date unlockedDate = new Date( time );
+                    if( lockedDate.before( unlockedDate ) )
+                    {
+                        throw new PasswordPolicyException( "account will remain locked till
" + unlockedDate, ACCOUNT_LOCKED );
+                    }
+                    else
+                    {
+                        // remove pwdAccountLockedTime attribute
+                        Modification pwdAccountLockMod = new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE,
 accountLockAttr );
+                        
+                        // DO NOT bypass the interceptor chain, otherwise the changes can't
be replicated
+                        directoryService.getAdminSession().modify( userEntry.getDn(), Collections.singletonList(
pwdAccountLockMod ) );
+                    }
+                }
+            }
+        }
+        
+        EntryAttribute pwdStartTimeAttr = userEntry.get( PWD_START_TIME_AT );
+        if( pwdStartTimeAttr != null )
+        {
+            Date pwdStartTime = DateUtils.getDate( pwdStartTimeAttr.getString() );
+            
+            if( System.currentTimeMillis() < pwdStartTime.getTime() )
+            {
+                throw new PasswordPolicyException( "account is locked, will be activated
after " + pwdStartTime, ACCOUNT_LOCKED ); 
+            }
+        }
+        
+        EntryAttribute pwdEndTimeAttr = userEntry.get( PWD_END_TIME_AT );
+        if( pwdEndTimeAttr != null )
+        {
+            Date pwdEndTime = DateUtils.getDate( pwdEndTimeAttr.getString() );
+            
+            if( System.currentTimeMillis() >= pwdEndTime.getTime() )
+            {
+                throw new PasswordPolicyException( "password end time reached, will be locked
till administrator activates it", ACCOUNT_LOCKED );
+            }
+        }
+        
+        if( pPolicyConfig.getPwdMaxIdle() > 0 )
+        {
+            EntryAttribute pwdLastSuccessTimeAttr = userEntry.get( PWD_LAST_SUCCESS_AT );
+            long time = pPolicyConfig.getPwdMaxIdle() * 1000;
+            time += DateUtils.getDate( pwdLastSuccessTimeAttr.getString() ).getTime();
+            
+            if( System.currentTimeMillis() >= time )
+            {
+                throw new PasswordPolicyException( "account locked due to the max idle time
of the password was exceeded", ACCOUNT_LOCKED );
+            }
+        }
+        
+        if ( pPolicyConfig.getPwdMaxAge() > 0 )
+        {
+            if( pPolicyConfig.getPwdGraceAuthNLimit() > 0 )
+            {
+                EntryAttribute pwdGraceUseAttr = userEntry.get( PWD_GRACE_USE_TIME_AT );
+
+                // check for grace authentication count
+                if( pwdGraceUseAttr != null )
+                {
+                    if( pwdGraceUseAttr.size() >= pPolicyConfig.getPwdGraceAuthNLimit()
)
+                    {
+                        throw new PasswordPolicyException( "paasword expired and max grace
logins were used", PASSWORD_EXPIRED );
+                    }
+                }
+            }
+            else
+            {
+                EntryAttribute pwdChangeTimeAttr = userEntry.get( PWD_CHANGED_TIME_AT );
+                boolean expired = PasswordUtil.isPwdExpired( pwdChangeTimeAttr.getString(),
pPolicyConfig.getPwdMaxAge() );
+                
+                if( expired )
+                {
+                    throw new PasswordPolicyException( "paasword expired", PASSWORD_EXPIRED
);
+                }
+            }
+        }
+    }
+    
+    
+    /**
+     * {@inheritDoc}
+     */
+    public void setPwdPolicyConfig( PasswordPolicyConfiguration pPolicyConfig )
+    {
+        this.pPolicyConfig = pPolicyConfig;
+    }
+    
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java?rev=963806&r1=963805&r2=963806&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java
Tue Jul 13 18:32:32 2010
@@ -27,6 +27,7 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.core.interceptor.context.BindOperationContext;
 import org.apache.directory.server.core.partition.DefaultPartitionNexus;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
+import org.apache.directory.shared.ldap.entry.Entry;
 import org.apache.directory.shared.ldap.exception.LdapException;
 import org.apache.directory.shared.ldap.name.DN;
 
@@ -84,4 +85,19 @@ public interface Authenticator
      * Performs authentication and returns the principal if succeeded.
      */
     public LdapPrincipal authenticate( BindOperationContext bindContext ) throws Exception;
+    
+    
+    /**
+     * @param policyConfig the password policy configuration to be used while authenticating
+     */
+    void setPwdPolicyConfig( PasswordPolicyConfiguration pPolicyConfig );
+    
+    
+    /**
+     *  performs checks on the given entry based on the specified password policy configuration
+     *
+     * @param userEntry the user entry to be checked for authentication
+     * @throws PasswordPolicyException
+     */
+    void checkPwdPolicy( Entry userEntry ) throws LdapException;
 }



Mime
View raw message