Java tutorial
/* * [y] hybris Platform * * Copyright (c) 2000-2015 hybris AG * All rights reserved. * * This software is the confidential and proprietary information of hybris * ("Confidential Information"). You shall not disclose such Confidential * Information and shall use it only in accordance with the terms of the * license agreement you entered into with hybris. * * */ package com.epam.training.storefront.security; import de.hybris.platform.core.Constants; import de.hybris.platform.core.model.user.CustomerModel; import de.hybris.platform.core.model.user.UserModel; import de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException; import de.hybris.platform.servicelayer.model.ModelService; import de.hybris.platform.servicelayer.user.UserService; import de.hybris.platform.spring.security.CoreAuthenticationProvider; import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Required; import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.LockedException; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; /** * Derived authentication provider supporting additional authentication checks. See * {@link de.hybris.platform.spring.security.RejectUserPreAuthenticationChecks}. * * <ul> * <li>prevent login without password for users created via CSCockpit</li> * <li>prevent login as user in group admingroup</li> * </ul> * * any login as admin disables SearchRestrictions and therefore no page can be viewed correctly */ public class AcceleratorAuthenticationProvider extends CoreAuthenticationProvider { private static final Logger LOG = Logger.getLogger(AcceleratorAuthenticationProvider.class); private static final String ROLE_ADMIN_GROUP = "ROLE_" + Constants.USER.ADMIN_USERGROUP.toUpperCase(); private BruteForceAttackCounter bruteForceAttackCounter; private UserService userService; private ModelService modelService; private GrantedAuthority adminAuthority = new SimpleGrantedAuthority(ROLE_ADMIN_GROUP); @Override public Authentication authenticate(final Authentication authentication) throws AuthenticationException { final String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName(); CustomerModel userModel = null; try { userModel = (CustomerModel) getUserService().getUserForUID(StringUtils.lowerCase(username)); } catch (final UnknownIdentifierException e) { LOG.warn("Brute force attack attempt for non existing user name " + username); } if (userModel == null) { throw new BadCredentialsException("Bad credentials"); } if (getBruteForceAttackCounter().isAttack(username)) { userModel.setLoginDisabled(true); userModel.setStatus(Boolean.TRUE); userModel.setAttemptCount(0); getModelService().save(userModel); bruteForceAttackCounter.resetUserCounter(userModel.getUid()); throw new LockedException("Locked account"); } else { userModel.setAttemptCount(bruteForceAttackCounter.getUserFailedLogins(username)); getModelService().save(userModel); } return super.authenticate(authentication); } /** * @see de.hybris.platform.spring.security.CoreAuthenticationProvider#additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails, * org.springframework.security.authentication.AbstractAuthenticationToken) */ @Override protected void additionalAuthenticationChecks(final UserDetails details, final AbstractAuthenticationToken authentication) throws AuthenticationException { super.additionalAuthenticationChecks(details, authentication); // Check if user has supplied no password if (StringUtils.isEmpty((String) authentication.getCredentials())) { throw new BadCredentialsException("Login without password"); } // Check if the user is in role admingroup if (getAdminAuthority() != null && details.getAuthorities().contains(getAdminAuthority())) { throw new LockedException("Login attempt as " + Constants.USER.ADMIN_USERGROUP + " is rejected"); } } public void setAdminGroup(final String adminGroup) { if (StringUtils.isBlank(adminGroup)) { adminAuthority = null; } else { adminAuthority = new SimpleGrantedAuthority(adminGroup); } } protected GrantedAuthority getAdminAuthority() { return adminAuthority; } protected BruteForceAttackCounter getBruteForceAttackCounter() { return bruteForceAttackCounter; } @Required public void setBruteForceAttackCounter(final BruteForceAttackCounter bruteForceAttackCounter) { this.bruteForceAttackCounter = bruteForceAttackCounter; } protected UserService getUserService() { return userService; } @Required public void setUserService(final UserService userService) { this.userService = userService; } protected ModelService getModelService() { return modelService; } @Required public void setModelService(final ModelService modelService) { this.modelService = modelService; } }