Posted to commits@sling.apache.org by ro...@apache.org on 2021/05/17 14:25:39 UTC

[sling-org-apache-sling-auth-core] branch feature/SLING-10383 created (now 3c4a237)


rombert pushed a change to branch feature/SLING-10383
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git.


      at 3c4a237  SLING-10383 - Do not check for redirect loops when a login fails due to an expired token

This branch includes the following new commits:

     new 06e533f  SLING-10383 - Do not check for redirect loops when a login fails due to an expired token
     new daf40c2  SLING-10383 - Do not check for redirect loops when a login fails due to an expired token
     new 3c4a237  SLING-10383 - Do not check for redirect loops when a login fails due to an expired token



[sling-org-apache-sling-auth-core] 02/03: SLING-10383 - Do not check for redirect loops when a login fails due to an expired token

Posted by ro...@apache.org.

rombert pushed a commit to branch feature/SLING-10383
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git

commit daf40c2fe96293c9e6e54aed10e6736e7bb14c34
Author: Robert Munteanu <ro...@apache.org>
AuthorDate: Mon May 17 16:22:12 2021 +0200

    SLING-10383 - Do not check for redirect loops when a login fails due to an expired token
    
    Expose a new failure reason for expired tokens.
---
 pom.xml                                                        |  6 ++++++
 .../org/apache/sling/auth/core/spi/AuthenticationHandler.java  | 10 +++++++++-
 src/main/java/org/apache/sling/auth/core/spi/package-info.java |  4 ++--
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index c8bd88b..59ed2c6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -73,6 +73,12 @@
             <artifactId>org.osgi.service.component</artifactId>
         </dependency>
         <dependency>
+            <groupId>biz.aQute.bnd</groupId>
+            <artifactId>biz.aQute.bnd.annotation</artifactId>
+            <version>5.3.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.api</artifactId>
             <version>2.20.0</version>
diff --git a/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java b/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java
index 35a5ab4..2816110 100644
--- a/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java
+++ b/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java
@@ -25,6 +25,8 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.osgi.annotation.versioning.ConsumerType;
 
+import aQute.bnd.annotation.baseline.BaselineIgnore;
+
 /**
  * The <code>AuthenticationHandler</code> interface defines the service API used
  * by the authentication implementation to support plugin various ways of
@@ -116,16 +118,22 @@ public interface AuthenticationHandler {
      *     change initial password is enabled</li>
      *     <li><code>account_locked</code>: the account was disabled or locked</li>
      *     <li><code>account_not_found</code>: the account was not found (not the same as username password mismatch)</li>
+     *     <li><code>expired_token</code>: the token credentials used have expired</li>
      * </ul>
      * @since 1.1.0
      */
+    // When adding a new field to the enum bnd will require a minor version bump
+    // That's unfortunately too much for an SPI package and should really have no impact
+    // on implementors since the enum values are not exposed from any public API
+    @BaselineIgnore("1.2.3")
     enum FAILURE_REASON_CODES {
         INVALID_LOGIN,
         PASSWORD_EXPIRED,
         PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY,
         UNKNOWN,
         ACCOUNT_LOCKED,
-        ACCOUNT_NOT_FOUND;
+        ACCOUNT_NOT_FOUND,
+        EXPIRED_TOKEN;
 
         @Override
         public String toString() {
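Review bot: The new `EXPIRED_TOKEN` constant carries no `@since` tag even though the enum itself is marked `@since 1.1.0` and this commit moves the package to 1.2.3, so an implementor cannot tell from the Javadoc which SPI version first delivers it; add `/** @since 1.2.3 */` directly above `EXPIRED_TOKEN`. The comment justifying `@BaselineIgnore` says the enum values "are not exposed from any public API", yet the constant is added to a public nested enum of a public SPI interface, and this same Javadoc documents the values as what the failure-reason attribute carries; a handler that switches over the enum without a `default` branch will merely fall through on the unknown value, which is probably the real reason a micro bump is acceptable, so the comment should state that rather than claim the values are not public. The enum's `toString` body continues outside the hunk.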
diff --git a/src/main/java/org/apache/sling/auth/core/spi/package-info.java b/src/main/java/org/apache/sling/auth/core/spi/package-info.java
index b6428ba..7171d7f 100755
--- a/src/main/java/org/apache/sling/auth/core/spi/package-info.java
+++ b/src/main/java/org/apache/sling/auth/core/spi/package-info.java
@@ -26,9 +26,9 @@
  * being an abstract base implementation from which concrete
  * implementations may inherit.
  *
- * @version 1.2.2
+ * @version 1.2.3
  */
-@org.osgi.annotation.versioning.Version("1.2.2")
+@org.osgi.annotation.versioning.Version("1.2.3")
 package org.apache.sling.auth.core.spi;
 
 

[sling-org-apache-sling-auth-core] 01/03: SLING-10383 - Do not check for redirect loops when a login fails due to an expired token

Posted by ro...@apache.org.

rombert pushed a commit to branch feature/SLING-10383
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git

commit 06e533ff0405829f53c8601310648838445af403
Author: Robert Munteanu <ro...@apache.org>
AuthorDate: Mon May 17 16:15:12 2021 +0200

    SLING-10383 - Do not check for redirect loops when a login fails due to an expired token
    
    Minor code cleanups
---
 .../java/org/apache/sling/auth/core/impl/SlingAuthenticator.java  | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
index d075e61..e7143b1 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
@@ -370,7 +370,7 @@ public class SlingAuthenticator implements Authenticator,
     /**
      * Get the configuration for the http auth
      * @param config The configuration
-     * @return The http auth 
+     * @return The http auth
      */
     public static String getHttpAuth(final Config config) {
         final String http;
@@ -1177,7 +1177,7 @@ public class SlingAuthenticator implements Authenticator,
      *            and who is now impersonating as <i>user</i>.
      */
     private void sendSudoCookie(
-            HttpServletRequest request,    
+            HttpServletRequest request,
             HttpServletResponse response,
             final String user, final int maxAge, final String path,
             final String owner) {
@@ -1405,7 +1405,7 @@ public class SlingAuthenticator implements Authenticator,
     }
 
     private void postLoginEvent(final AuthenticationInfo authInfo) {
-        final Dictionary<String, Object> properties = new Hashtable<String, Object>();
+        final Dictionary<String, Object> properties = new Hashtable<>();
         properties.put(SlingConstants.PROPERTY_USERID, authInfo.getUser());
         properties.put(AuthenticationInfo.AUTH_TYPE, authInfo.getAuthType());
 
@@ -1424,7 +1424,7 @@ public class SlingAuthenticator implements Authenticator,
         AuthenticationHandler.FAILURE_REASON_CODES reason_code = getFailureReasonFromException(authInfo, reason);
         //if reason_code is null, it is problem some non-login related failure, so don't send the event
         if (reason_code != null) {
-        	final Dictionary<String, Object> properties = new Hashtable<String, Object>();
+        	final Dictionary<String, Object> properties = new Hashtable<>();
             if (authInfo.getUser() != null) {
                 properties.put(SlingConstants.PROPERTY_USERID, authInfo.getUser());
             }

[sling-org-apache-sling-auth-core] 03/03: SLING-10383 - Do not check for redirect loops when a login fails due to an expired token

Posted by ro...@apache.org.

rombert pushed a commit to branch feature/SLING-10383
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git

commit 3c4a237d5d744a78f78df29ab9bb0bd3453225ff
Author: Robert Munteanu <ro...@apache.org>
AuthorDate: Mon May 17 16:23:54 2021 +0200

    SLING-10383 - Do not check for redirect loops when a login fails due to an expired token
    
    - don't attempt to break redirect loops in case of expired tokens
    - never return a null reason from getFailureReasonFromException
---
 .../sling/auth/core/impl/SlingAuthenticator.java   | 32 ++++++++++++++--------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
index e7143b1..de42c0e 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
@@ -55,6 +55,7 @@ import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
 import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
 import org.apache.sling.commons.metrics.MetricsService;
 import org.apache.sling.commons.metrics.Timer;
+import org.jetbrains.annotations.NotNull;
 import org.osgi.framework.BundleContext;
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
@@ -917,6 +918,9 @@ public class SlingAuthenticator implements Authenticator,
 				case PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY:
                     message = "Password expired and new password found in password history";
 					break;
+				case EXPIRED_TOKEN:
+				    message = "Expired authentication token";
+				    break;
 				case UNKNOWN:
 				case INVALID_LOGIN:
 				default:
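Review bot: The added `case EXPIRED_TOKEN:` block is indented with tabs followed by four spaces, while the `message = ...` assignment immediately above it uses spaces only, so the new lines sit at a different depth depending on the reader's tab width; match the neighbouring assignment, e.g. `                    message = "Expired authentication token";` and the same for the `break;`. The enclosing switch and method both start and end outside the hunk.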
@@ -954,12 +958,11 @@ public class SlingAuthenticator implements Authenticator,
     /**
      * Try to determine the failure reason from the thrown exception
      */
-    private AuthenticationHandler.FAILURE_REASON_CODES getFailureReasonFromException(final AuthenticationInfo authInfo, Exception reason) {
-        AuthenticationHandler.FAILURE_REASON_CODES code = null;
-        if (reason.getClass().getName().contains("TooManySessionsException")) {
-        	// not a login failure just unavailable service
-        	code = null;
-        } else if (reason instanceof LoginException) {
+    @SuppressWarnings("java:S1872")
+    private @NotNull AuthenticationHandler.FAILURE_REASON_CODES getFailureReasonFromException(final AuthenticationInfo authInfo, Exception reason) {
+        // default to invalid login as the reason
+        AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;;
+        if (reason instanceof LoginException) {
             if (reason.getCause() instanceof CredentialExpiredException) {
                 // force failure attribute to be set so handlers can
                 // react to this special circumstance
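Review bot: `INVALID_LOGIN;;` leaves a stray empty statement after the default assignment; drop the second semicolon: `AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;`. Removing the `TooManySessionsException` branch together with the new `@NotNull` return means that exception, which the deleted comment described as "not a login failure just unavailable service", is now classified as `INVALID_LOGIN`, and the `if (reason_code != null)` guard in the caller (visible in the first commit's hunk) no longer filters it, so a login-failure event is posted for what is a capacity problem; if any listener counts `INVALID_LOGIN` events toward lockout or alerting, legitimate users could be penalised for server load, and the commit message ("never return a null reason") does not say this is intended. Consider mapping that case to `UNKNOWN` instead and recording the decision in the method's Javadoc, which currently only says "Try to determine the failure reason from the thrown exception". The method body continues in the next hunk.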
@@ -973,11 +976,10 @@ public class SlingAuthenticator implements Authenticator,
                 code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_LOCKED;
             } else if (reason.getCause() instanceof AccountNotFoundException) {
                 code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_NOT_FOUND;
-            }
-
-            if (code == null) {
-            	// default to invalid login as the reason
-            	code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;
+            // we don't want to strongly bind to Oak class names, so we use the String form here
+            // requires Oak 1.40+ ( https://issues.apache.org/jira/browse/OAK-9433 )
+            } else if (reason.getCause().getClass().getSimpleName().equals("TokenCredentialsExpiredException")) {
+                code = AuthenticationHandler.FAILURE_REASON_CODES.EXPIRED_TOKEN;
             }
         }
 
@@ -1093,6 +1095,10 @@ public class SlingAuthenticator implements Authenticator,
         AuthUtil.sendInvalid(request, response);
     }
 
+    private boolean isExpiredToken(HttpServletRequest request) {
+        return AuthenticationHandler.FAILURE_REASON_CODES.EXPIRED_TOKEN == request.getAttribute(AuthenticationHandler.FAILURE_REASON_CODE);
+    }
+
     /**
      * Returns <code>true</code> if the current request was referred to by the
      * same URL as the current request has. This is assumed to be caused by a
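Review bot: `isExpiredToken` compares the raw request attribute with `==`, which only works if the handler stored the enum constant itself; if a handler stores the string form that the enum's overridden `toString` produces (the SPI Javadoc lists lower-case codes such as `expired_token`), the check is silently false and loop breaking resumes — whether any handler does that is not visible from this diff. The helper also lacks the Javadoc its neighbour `isLoginLoop` has; add `/** Returns true if the failure-reason request attribute set by the authentication handler is {@code EXPIRED_TOKEN}. The attribute is server-side state, not client input. */`.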
@@ -1104,6 +1110,10 @@ public class SlingAuthenticator implements Authenticator,
      *         <code>false</code> otherwise
      */
     private boolean isLoginLoop(final HttpServletRequest request) {
+
+        if  (isExpiredToken(request))
+            return false;
+
         String referer = request.getHeader("Referer");
         if (referer != null) {
             StringBuffer sb = request.getRequestURL();
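Review bot: The early return switches off the redirect-loop breaker for every request whose failure reason is `EXPIRED_TOKEN`, so unless the expired token credential (presumably a cookie) is cleared before the redirect to the login page, the next request fails the same way and the loop this check exists to stop becomes unbounded; the commit does not show where the expired token is invalidated, so that should be confirmed on the handler side and the assumption recorded here. The line `if  (isExpiredToken(request))` also has a doubled space and omits braces, unlike the rest of this file; suggested: `// an expired token is a normal re-login, not a loop: the login page is expected to clear it` followed by `if (isExpiredToken(request)) { return false; }`. The method continues outside the hunk.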