Changeset 7539
- Timestamp:
- Nov 28, 2018, 4:02:32 PM (4 years ago)
- Location:
- trunk/src/core/net/sf/basedb/core
- Files:
-
- 2 edited
trunk/src/core/net/sf/basedb/core/SessionControl.java
r7513 r7539 451 451 tx = HibernateUtil.newTransaction(session); 452 452 453 authUser = verifyUserExternal(session, loginRequest); 453 List<AuthenticationManager> externalManagers = new ArrayList<>(); 454 authUser = verifyUserExternal(session, loginRequest, externalManagers); 454 455 if (authUser == null) 455 456 { 456 457 // If no user was found, use internal authentication 457 458 authUser = verifyUserInternal(session, loginRequest); 459 } 460 461 // The login seems to be ok, but we need to let external manages to throw in a veto 462 user = HibernateUtil.loadData(session, UserData.class, authUser.getInternalId()); 463 try 464 { 465 for (AuthenticationManager external : externalManagers) 466 { 467 external.vetoAuthenticatedUser(user, authUser); 468 } 469 } 470 catch (net.sf.basedb.core.authentication.AuthenticationException ex) 471 { 472 throw new LoginException(ex.getMessage(), ex); 458 473 } 459 474 460 475 // The login was ok so far... check device verification 461 476 device = verifyDevice(session, loginRequest, authUser); 462 user = HibernateUtil.loadData(session, UserData.class, authUser.getInternalId());463 477 464 478 // A null value means that either device verification is disabled … … 683 697 */ 684 698 @SuppressWarnings("unchecked") 685 private AuthenticatedUser verifyUserExternal(org.hibernate.Session session, LoginRequest loginRequest )699 private AuthenticatedUser verifyUserExternal(org.hibernate.Session session, LoginRequest loginRequest, List<AuthenticationManager> authManagers) 686 700 { 687 701 AuthenticationContext context = new AuthenticationContext(this, session, loginRequest); … … 694 708 try 695 709 { 696 // Load all installed authentication managers and iterate until 697 // someone returns an info object or throws an exception 710 // Load all installed authentication managers 711 // Call authenticate() until one returns an 'AuthenticatedUser' 712 // All others are saved in the authManagers list for later calling vetoAuthenticatedUser() 713 
// If some manager is throwing an exception the login fails 698 714 for (AuthenticationManager auth : invoker) 699 715 { 700 authUser = auth.authenticate();701 if (authUser != null)716 boolean add = true; 717 if (authUser == null) 702 718 { 703 // Found a valid login704 break;719 authUser = auth.authenticate(); 720 if (authUser != null) add = false; 705 721 } 722 if (add) authManagers.add(auth); 706 723 } 707 724 } -
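Review bot: The veto loop at the top of this section trusts `externalManagers` to contain every external manager that did not authenticate, but that list is only complete if the for-loop in verifyUserExternal ran to its end; the catch clause of the surrounding try is outside this hunk, and if it swallows a failing manager's exception and returns null, every manager after the failing one is never added, so the login then falls through to verifyUserInternal with no veto from them. Consider populating the list before calling `authenticate()` (`authManagers.add(auth);` first, `authManagers.remove(auth);` when it returns a user) and making verifyUserExternal fail closed rather than return null when the iteration was interrupted, so a partially built veto list can never reach the loop. Separately, `throw new LoginException(ex.getMessage(), ex)` forwards the plugin's veto text verbatim to the unauthenticated caller; if a manager's message names the missing factor for that account, that discloses account policy, so a generic message with the detail logged server-side would be safer. The enclosing login method starts and ends outside this section.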
trunk/src/core/net/sf/basedb/core/authentication/AuthenticationManager.java
r6880 r7539 23 23 24 24 import net.sf.basedb.core.AuthenticationContext; 25 import net.sf.basedb.core.data.UserData; 25 26 import net.sf.basedb.util.extensions.Action; 26 27 import net.sf.basedb.util.extensions.InvokationContext; … … 62 63 public AuthenticatedUser authenticate(); 63 64 65 /** 66 This method is called if there are multiple installed external authentication 67 managers and at least one of them accepted the user in the {@link #authenticate()} 68 method. If so, all other authentication managers will get a chance to throw in 69 a veto. For example, an administrator account may be protected with a special 70 authentication manager (for example, YubiKey) while regular users by a simpler 71 method (for example, OTP). If the administrator tries to login with the OTP method 72 then the Yubikey authentication manager may veto this by throwing an 73 {@link AuthenticationException} from this method. 74 75 Note that this method is NOT called on the authentication manager that authenticated 76 a user by returning information from the {@link #authenticate()} method. 77 78 To provide backwards compatibility with existing authentication managers this 79 method has a default implementation that doesn't do anything. 80 81 @param user The user that is trying to login 82 @param auth Information about the authentication 83 @since 3.14 84 */ 85 public default void vetoAuthenticatedUser(UserData user, AuthenticatedUser auth) 86 {} 64 87 65 88 }
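Review bot: The first Javadoc sentence of vetoAuthenticatedUser understates when it is invoked: the SessionControl change in this changeset calls it on every external manager that did not return a user from authenticate(), which includes the case where no external manager accepted the login and the internal password check did, so an implementor guarding an account with a stronger factor must veto internal logins as well, not only logins accepted by another external manager. Suggest opening with `This method is called on every installed external authentication manager that did not itself authenticate the user, after the user has been accepted by another external manager or by the internal authentication.` and adding `@throws AuthenticationException to deny the login`. Since the default implementation is a silent no-op, an existing manager that enforces an administrator-only factor provides no veto at all until it overrides this method; the Javadoc should state that consequence rather than only the compatibility rationale.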