Posted to commits@ranger.apache.org by bp...@apache.org on 2022/03/24 12:53:25 UTC

[ranger] branch ranger-2.3 updated: RANGER-3672: Show better error messages during failed login

This is an automated email from the ASF dual-hosted git repository.

bpatel pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 7a40478  RANGER-3672: Show better error messages during failed login
7a40478 is described below

commit 7a40478526f982c51e6264ee1db8171dcb006cb9
Author: Bhavik Patel <bh...@gmail.com>
AuthorDate: Thu Mar 24 09:41:38 2022 +0530

    RANGER-3672: Show better error messages during failed login
---
 .../ranger/security/handler/RangerAuthenticationProvider.java    | 5 ++++-
 .../org/apache/ranger/security/listener/SpringEventListener.java | 2 +-
 .../security/web/authentication/RangerAuthFailureHandler.java    | 9 ++++++---
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index efd5417..7c21c1f 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -36,6 +36,7 @@ import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.util.Pbkdf2PasswordEncoderCust;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.context.support.MessageSourceAccessor;
 import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
 import org.springframework.ldap.core.support.LdapContextSource;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -48,6 +49,7 @@ import org.springframework.security.authentication.jaas.memory.InMemoryConfigura
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -87,6 +89,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 
 	private boolean ssoEnabled = false;
 	private final boolean isFipsEnabled;
+	protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
 
 	public RangerAuthenticationProvider() {
 		this.isFipsEnabled = RangerAdminConfig.getInstance().isFipsEnabled();
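Review bot: The new `messages` field is declared `protected` and non-final, yet nothing in this hunk reassigns it or shows a `setMessageSource` hook. It is only read when the `LockedException` text is built, so `private final MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();` would keep subclasses or later code from swapping the accessor in an authentication path. If subclasses are meant to override the message source, a short comment on the field saying so would make that intent explicit.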
@@ -149,7 +152,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 			if (sessionMgr.isLoginIdLocked(authentication.getName())) {
 				logger.debug("Failed to authenticate since user account is locked");
 
-				throw new LockedException(String.format("User account {} is locked", authentication.getName()));
+				throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked", "User account is locked"));
 			}
 
 			if (this.isFipsEnabled) {
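Review bot: The text passed to `LockedException` is now a lookup key, because `RangerAuthFailureHandler` compares the exception message against `CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.locked", request)` with `equalsIgnoreCase`. The two sides resolve the string differently: here through the `SpringSecurityMessageSource` accessor with a hard-coded default, there through `CLIUtil` with the request. `CLIUtil` is not visible in this diff, so this is inferred, but if the bundles or locales ever differ the handler's new branch will not match and the `VXResponse` goes out with no status code or description set. At minimum add a comment on this line, for example `// message text is matched by RangerAuthFailureHandler; keep the key in sync`. Branching on the exception type in the handler would be sturdier if the exception object is available there. The enclosing method starts and ends outside the hunk.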
diff --git a/security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java b/security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java
index 9b048a0..8f46af9 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java
@@ -102,7 +102,7 @@ public class SpringEventListener implements
 		String                   remoteAddress = details != null ? details.getRemoteAddress() : "";
 		String                   sessionId     = details != null ? details.getSessionId() : "";
 
-		logger.info("Login Unsuccessful:" + auth.getName() + " | Ip Address:" + remoteAddress + " | User Locked");
+		logger.info("Login Unsuccessful:" + auth.getName() + " | Ip Address:" + remoteAddress + " | User account is locked");
 
 		sessionMgr.processFailureLogin(XXAuthSession.AUTH_STATUS_LOCKED, XXAuthSession.AUTH_TYPE_PASSWORD, auth.getName(), remoteAddress, sessionId);
 	}
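Review bot: The rewritten log line still concatenates `auth.getName()` into the message, and for a failed login that value is whatever the client submitted. A login name containing line breaks can therefore forge or split entries in the audit log. Switching to the parameterized form, `logger.info("Login Unsuccessful:{} | Ip Address:{} | User account is locked", auth.getName(), remoteAddress);`, keeps the data out of the message template. CR/LF should also be neutralised, either on the value or in the log layout, since placeholders alone do not escape them. The method begins outside the hunk, so any sanitising done earlier is not visible here.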
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
index 680fe58..091918d 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
@@ -85,9 +85,9 @@ ExceptionMappingAuthenticationFailureHandler {
 			VXResponse vXResponse = new VXResponse();
 			if (msg != null && !msg.isEmpty()) {
 				if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials",request).equalsIgnoreCase(msg)) {
-				vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-				vXResponse.setMsgDesc("The username or password you entered is incorrect.");
-				logger.info("Error Message : " + msg);
+					vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+					vXResponse.setMsgDesc("The username or password you entered is incorrect.");
+					logger.info("Error Message : " + msg);
 				} else if (msg.contains("Could not get JDBC Connection; nested exception is java.sql.SQLException: Connections could not be acquired from the underlying database!")) {
 					vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
 					vXResponse.setMsgDesc("Unable to connect to DB.");
@@ -97,6 +97,9 @@ ExceptionMappingAuthenticationFailureHandler {
 				} else if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.disabled",request).equalsIgnoreCase(msg)) {
 					vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
 					vXResponse.setMsgDesc("The username or password you entered is disabled.");
+				} else if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.locked",request).equalsIgnoreCase(msg)) {
+					vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+					vXResponse.setMsgDesc("The user account is locked.");
 				}
 			}
 			jsonResp = jsonUtil.writeObjectAsString(vXResponse);
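Review bot: The added `locked` branch returns "The user account is locked." to a caller who has not authenticated, and that text differs from the bad-credentials message. The provider hunk in this commit shows the lock check keyed only on `authentication.getName()`, so the response discloses account state for any submitted login name. If that trade-off is intended for usability, record it next to the branch, e.g. `// deliberately distinguishes locked accounts; relies on lockout/rate limiting to bound probing`. Otherwise keep the generic incorrect-credentials text in `setMsgDesc` and leave the specific reason to the server-side log. Separately, when `msg` matches none of the branches visible here, no status code is set before `writeObjectAsString`; the rest of the chain lies outside the hunk, so confirm a fallback exists.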