
/*
 * [y] hybris Platform
 *
 * Copyright (c) 2000-2013 hybris AG
 * All rights reserved.
 *
 * This software is the confidential and proprietary information of hybris
 * ("Confidential Information"). You shall not disclose such Confidential
 * Information and shall use it only in accordance with the terms of the
 * license agreement you entered into with hybris.
 * 
 *  
 */
package com.acc.storefront.security;

import de.hybris.platform.core.Constants;
import de.hybris.platform.core.model.user.UserModel;
import de.hybris.platform.order.CartService;
import de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException;
import de.hybris.platform.servicelayer.model.ModelService;
import de.hybris.platform.servicelayer.user.UserService;
import de.hybris.platform.spring.security.CoreAuthenticationProvider;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Required;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

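/**
 * Derived authentication provider supporting additional authentication checks. See
 * {@link de.hybris.platform.spring.security.RejectUserPreAuthenticationChecks}.
 *
 * <ul>
 * <li>lock the account and reject the login once the {@link BruteForceAttackCounter} reports an attack for
 * the supplied user name</li>
 * <li>drop a session cart that belongs to a different, non-anonymous user</li>
 * <li>prevent login without password for users created via CSCockpit</li>
 * <li>prevent login as user in group admingroup</li>
 * </ul>
 *
 * any login as admin disables SearchRestrictions and therefore no page can be viewed correctly
 */
public class AcceleratorAuthenticationProvider extends CoreAuthenticationProvider {
    private static final Logger LOG = Logger.getLogger(AcceleratorAuthenticationProvider.class);
    /** Full authority name of the admin group, i.e. the form {@link #setAdminGroup(String)} expects. */
    private static final String ROLE_ADMIN_GROUP = "ROLE_" + Constants.USER.ADMIN_USERGROUP.toUpperCase();
    /** Placeholder used when the token carries no principal; mirrors Spring's own providers. */
    private static final String NO_PRINCIPAL = "NONE_PROVIDED";

    private BruteForceAttackCounter bruteForceAttackCounter;
    private UserService userService;
    private ModelService modelService;
    private GrantedAuthority adminAuthority = new SimpleGrantedAuthority(ROLE_ADMIN_GROUP);
    private CartService cartService;

    /**
     * Rejects the attempt with a generic "bad credentials" error when the brute force counter flags the
     * user name (locking the account first if it exists), otherwise validates the session cart and delegates
     * to {@link CoreAuthenticationProvider#authenticate(Authentication)}.
     *
     * @param authentication the token to authenticate; a {@code null} principal is treated as
     *            {@value #NO_PRINCIPAL}
     * @return the fully populated authentication from the super class
     * @throws BadCredentialsException when the user name is under brute force attack
     * @throws AuthenticationException when the super class rejects the token
     */
    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
        final String username = (authentication.getPrincipal() == null) ? NO_PRINCIPAL
                : authentication.getName();

        if (getBruteForceAttackCounter().isAttack(username)) {
            disableLoginForAttackedUser(username);
            // The response is always the generic message so that it does not reveal whether the account
            // exists or has just been locked.
            throw new BadCredentialsException(
                    messages.getMessage("CoreAuthenticationProvider.badCredentials", "Bad credentials"));
        }

        // NOTE(review): the cart is checked before the credentials are verified, so a *failed* login with a
        // different user name already removes the session cart of the currently logged-in user. Moving the
        // call behind super.authenticate(...) would limit the removal to successful logins - confirm with the
        // login flow before changing the order.
        checkCartForUser(username);
        return super.authenticate(authentication);
    }

    /**
     * Disables login for the attacked account and resets its brute force counter. An unknown user id is only
     * logged; any other failure is logged with its cause so it is not lost - the caller rejects the login in
     * every case.
     *
     * @param username the user name reported by the brute force counter
     */
    private void disableLoginForAttackedUser(final String username) {
        try {
            final UserModel userModel = getUserService().getUserForUID(StringUtils.lowerCase(username));
            userModel.setLoginDisabled(true);
            getModelService().save(userModel);
            getBruteForceAttackCounter().resetUserCounter(userModel.getUid());
        } catch (final UnknownIdentifierException e) {
            LOG.warn("Brute force attack attempt for non existing user name " + forLog(username));
        } catch (final RuntimeException e) {
            // Previously a throw inside finally masked this; keep the cause in the log instead.
            LOG.error("Could not disable login for attacked user name " + forLog(username), e);
        }
    }

    /**
     * Neutralises line breaks in a user supplied value before it is written to the log, so that a crafted
     * user name cannot forge additional log lines.
     *
     * @param value the untrusted value
     * @return the value with CR/LF replaced, or {@code null} if {@code value} is {@code null}
     */
    private static String forLog(final String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Checks whether the user of the session cart matches the current user and is not the anonymous user.
     * Otherwise the session cart is removed as it might be stolen / from another user.
     *
     * @param username the username of the current user
     */
    public void checkCartForUser(final String username) {
        final String sessionCartUserId = getCartService().getSessionCart().getUser().getUid();
        final String anonymousUserId = getUserService().getAnonymousUser().getUid();

        final boolean cartOwnedByCurrentUser = username.equals(sessionCartUserId);
        final boolean cartIsAnonymous = sessionCartUserId.equals(anonymousUserId);
        if (!cartOwnedByCurrentUser && !cartIsAnonymous) {
            getCartService().setSessionCart(null);
        }
    }

    /**
     * Runs the super class checks and additionally rejects empty passwords and members of the admin group.
     *
     * @param details the loaded user
     * @param authentication the token carrying the supplied credentials
     * @throws BadCredentialsException when no password was supplied
     * @throws LockedException when the user holds the admin authority
     * @see de.hybris.platform.spring.security.CoreAuthenticationProvider#additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails,
     *      org.springframework.security.authentication.AbstractAuthenticationToken)
     */
    @Override
    protected void additionalAuthenticationChecks(final UserDetails details,
            final AbstractAuthenticationToken authentication) throws AuthenticationException {
        super.additionalAuthenticationChecks(details, authentication);

        // Users created via CSCockpit may have no password; never let them in without one.
        if (StringUtils.isEmpty((String) authentication.getCredentials())) {
            throw new BadCredentialsException("Login without password");
        }

        // Check if the user is in role admingroup
        if (getAdminAuthority() != null && details.getAuthorities().contains(getAdminAuthority())) {
            throw new LockedException("Login attempt as " + Constants.USER.ADMIN_USERGROUP + " is rejected");
        }
    }

    /**
     * Configures the authority whose holders are rejected. The value is used verbatim (no {@code ROLE_}
     * prefix is added, unlike the default {@link #ROLE_ADMIN_GROUP}); a blank value disables the check.
     *
     * @param adminGroup the full authority name to reject, or blank to disable the check
     */
    public void setAdminGroup(final String adminGroup) {
        adminAuthority = StringUtils.isBlank(adminGroup) ? null : new SimpleGrantedAuthority(adminGroup);
    }

    /** @return the rejected authority, or {@code null} when the admin check is disabled */
    protected GrantedAuthority getAdminAuthority() {
        return adminAuthority;
    }

    protected BruteForceAttackCounter getBruteForceAttackCounter() {
        return bruteForceAttackCounter;
    }

    @Required
    public void setBruteForceAttackCounter(final BruteForceAttackCounter bruteForceAttackCounter) {
        this.bruteForceAttackCounter = bruteForceAttackCounter;
    }

    protected UserService getUserService() {
        return userService;
    }

    @Required
    public void setUserService(final UserService userService) {
        this.userService = userService;
    }

    protected ModelService getModelService() {
        return modelService;
    }

    @Required
    public void setModelService(final ModelService modelService) {
        this.modelService = modelService;
    }

    public CartService getCartService() {
        return cartService;
    }

    public void setCartService(final CartService cartService) {
        this.cartService = cartService;
    }
}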