
/*
 * [y] hybris Platform
 *
 * Copyright (c) 2017 SAP SE or an SAP affiliate company.  All rights reserved.
 *
 * This software is the confidential and proprietary information of SAP
 * ("Confidential Information"). You shall not disclose such Confidential
 * Information and shall use it only in accordance with the terms of the
 * license agreement you entered into with SAP.
 */
package de.hybris.platform.acceleratorstorefrontcommons.security;

import de.hybris.platform.core.model.user.UserModel;
import de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException;
import de.hybris.platform.servicelayer.model.ModelService;
import de.hybris.platform.servicelayer.user.UserService;
import de.hybris.platform.spring.security.CoreAuthenticationProvider;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Required;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;

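/**
 * Derived authentication provider supporting additional authentication checks. See
 * {@link de.hybris.platform.spring.security.RejectUserPreAuthenticationChecks}.
 *
 * <ul>
 * <li>prevent login without password for users created via CSCockpit</li>
 * <li>prevent login as user in group admingroup</li>
 * </ul>
 *
 * any login as admin disables SearchRestrictions and therefore no page can be viewed correctly
 * <p>
 * In addition to the checks inherited from {@link CoreAuthenticationProvider}, this provider consults a
 * {@link BruteForceAttackCounter} <em>before</em> delegating to the parent: once the counter reports an
 * attack for the supplied user name, the matching account is disabled, the counter for that account is
 * reset and the attempt is rejected with the generic "bad credentials" message. Because the decision is
 * keyed on the user name alone, an account can be locked by anyone who knows that name; the trade-off
 * between lockout and availability is deliberate and configured via the counter.
 * <p>
 * Collaborators are injected through the {@code @Required} setters. Subclasses should reach them via the
 * protected getters so that an overridden getter takes effect everywhere in this class.
 */
public abstract class AbstractAcceleratorAuthenticationProvider extends CoreAuthenticationProvider {
    private static final Logger LOG = Logger.getLogger(AbstractAcceleratorAuthenticationProvider.class);

    private BruteForceAttackCounter bruteForceAttackCounter;
    private UserService userService;
    private ModelService modelService;

    /**
     * Authenticates the given token, applying the brute-force lockout before the parent's checks run.
     * <p>
     * The lockout is evaluated purely on the user name: if the counter already reports an attack, the
     * attempt is rejected regardless of whether the credentials supplied this time are correct.
     *
     * @param authentication the token to authenticate; a {@code null} principal is counted under the
     *        placeholder name {@code "NONE_PROVIDED"}
     * @return the authenticated token produced by {@link CoreAuthenticationProvider#authenticate}
     * @throws BadCredentialsException when the brute-force counter reports an attack for the user name
     * @throws AuthenticationException for any failure reported by the parent provider
     */
    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
        final String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
                : authentication.getName();

        if (getBruteForceAttackCounter().isAttack(username)) {
            disableAttackedUser(username);

            // Same generic message as for a plain wrong password, so the response does not reveal
            // whether the account exists or has just been locked.
            throw new BadCredentialsException(
                    messages.getMessage("CoreAuthenticationProvider.badCredentials", "Bad credentials"));
        }

        return super.authenticate(authentication);
    }

    /**
     * Disables the account behind {@code username} and resets its brute-force counter.
     * <p>
     * The user name is lower-cased before the lookup; {@code StringUtils.lowerCase} uses the JVM default
     * locale, so this assumes user ids were stored with the same locale rules — confirm against the user
     * creation path. A name that matches no account is only logged.
     *
     * @param username the caller-supplied user name flagged by the brute-force counter
     */
    private void disableAttackedUser(final String username) {
        try {
            final UserModel userModel = getUserService().getUserForUID(StringUtils.lowerCase(username));
            userModel.setLoginDisabled(true);
            getModelService().save(userModel);
            // Go through the getter like every other access, so an overridden getter is honoured here too.
            getBruteForceAttackCounter().resetUserCounter(userModel.getUid());
        } catch (final UnknownIdentifierException e) {
            // NOTE(review): username is caller-controlled and logged verbatim; if these logs are parsed by
            // tooling, consider neutralising line breaks before logging.
            LOG.warn("Brute force attack attempt for non existing user name " + username);
        }
    }

    /**
     * Runs the parent's checks and additionally rejects logins that carry no password.
     * <p>
     * Users created via CSCockpit may exist without a password; an empty credential must never pass.
     *
     * @param details the resolved user details
     * @param authentication the token under verification
     * @throws BadCredentialsException when the credentials are {@code null} or empty
     * @throws AuthenticationException for any failure reported by the parent's checks
     * @see de.hybris.platform.spring.security.CoreAuthenticationProvider#additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails,
     *      org.springframework.security.authentication.AbstractAuthenticationToken)
     */
    @Override
    protected void additionalAuthenticationChecks(final UserDetails details,
            final AbstractAuthenticationToken authentication) throws AuthenticationException {
        super.additionalAuthenticationChecks(details, authentication);

        // Check if user has supplied no password.
        // NOTE(review): the cast assumes a String credential (the usual username/password token); any other
        // credential type would surface here as a ClassCastException rather than an AuthenticationException.
        if (StringUtils.isEmpty((String) authentication.getCredentials())) {
            throw new BadCredentialsException("Login without password");
        }
    }

    /** @return the injected brute-force attack counter */
    protected BruteForceAttackCounter getBruteForceAttackCounter() {
        return bruteForceAttackCounter;
    }

    /** @param bruteForceAttackCounter the counter consulted by {@link #authenticate(Authentication)} */
    @Required
    public void setBruteForceAttackCounter(final BruteForceAttackCounter bruteForceAttackCounter) {
        this.bruteForceAttackCounter = bruteForceAttackCounter;
    }

    /** @return the injected user service used to resolve accounts by uid */
    protected UserService getUserService() {
        return userService;
    }

    /** @param userService the service used to resolve accounts by uid */
    @Required
    public void setUserService(final UserService userService) {
        this.userService = userService;
    }

    /** @return the injected model service used to persist the disabled flag */
    protected ModelService getModelService() {
        return modelService;
    }

    /** @param modelService the service used to persist the disabled flag */
    @Required
    public void setModelService(final ModelService modelService) {
        this.modelService = modelService;
    }
}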