Posted to commits@sling.apache.org by ro...@apache.org on 2021/05/17 14:25:42 UTC
[sling-org-apache-sling-auth-core] 03/03: SLING-10383 - Do not
check for redirect loops when a login fails due to an expired token
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to branch feature/SLING-10383
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git
commit 3c4a237d5d744a78f78df29ab9bb0bd3453225ff
Author: Robert Munteanu <ro...@apache.org>
AuthorDate: Mon May 17 16:23:54 2021 +0200
SLING-10383 - Do not check for redirect loops when a login fails due to an expired token
- don't attempt to break redirect loops in case of expired tokens
- never return a null reason from getFailureReasonFromException
---
.../sling/auth/core/impl/SlingAuthenticator.java | 32 ++++++++++++++--------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
index e7143b1..de42c0e 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
@@ -55,6 +55,7 @@ import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.commons.metrics.MetricsService;
import org.apache.sling.commons.metrics.Timer;
+import org.jetbrains.annotations.NotNull;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
@@ -917,6 +918,9 @@ public class SlingAuthenticator implements Authenticator,
case PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY:
message = "Password expired and new password found in password history";
break;
+ case EXPIRED_TOKEN:
+ message = "Expired authentication token";
+ break;
case UNKNOWN:
case INVALID_LOGIN:
default:
@@ -954,12 +958,11 @@ public class SlingAuthenticator implements Authenticator,
/**
* Try to determine the failure reason from the thrown exception
*/
- private AuthenticationHandler.FAILURE_REASON_CODES getFailureReasonFromException(final AuthenticationInfo authInfo, Exception reason) {
- AuthenticationHandler.FAILURE_REASON_CODES code = null;
- if (reason.getClass().getName().contains("TooManySessionsException")) {
- // not a login failure just unavailable service
- code = null;
- } else if (reason instanceof LoginException) {
+ @SuppressWarnings("java:S1872")
+ private @NotNull AuthenticationHandler.FAILURE_REASON_CODES getFailureReasonFromException(final AuthenticationInfo authInfo, Exception reason) {
+ // default to invalid login as the reason
+ AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;;
+ if (reason instanceof LoginException) {
if (reason.getCause() instanceof CredentialExpiredException) {
// force failure attribute to be set so handlers can
// react to this special circumstance
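Review bot: The new initializer of `code` ends in a doubled semicolon (`...FAILURE_REASON_CODES.INVALID_LOGIN;;`), which compiles as a stray empty statement; it should read `AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;`. With the `TooManySessionsException` branch removed, a condition the old comment described as "not a login failure just unavailable service" now takes the INVALID_LOGIN default like any bad credential, so any caller that treats INVALID_LOGIN specially (attempt counting, the user-facing message chosen in the switch above) would presumably see a session-exhaustion error as a failed login; if that is intended, a one-line comment saying so next to the default would spare the next reader the archaeology. The `@SuppressWarnings("java:S1872")` covers the whole method, and a short note that it exists for the class-name string match further down would explain why it is there. The body of getFailureReasonFromException continues in the next hunk and beyond it.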
@@ -973,11 +976,10 @@ public class SlingAuthenticator implements Authenticator,
code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_LOCKED;
} else if (reason.getCause() instanceof AccountNotFoundException) {
code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_NOT_FOUND;
- }
-
- if (code == null) {
- // default to invalid login as the reason
- code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;
+ // we don't want to strongly bind to Oak class names, so we use the String form here
+ // requires Oak 1.40+ ( https://issues.apache.org/jira/browse/OAK-9433 )
+ } else if (reason.getCause().getClass().getSimpleName().equals("TokenCredentialsExpiredException")) {
+ code = AuthenticationHandler.FAILURE_REASON_CODES.EXPIRED_TOKEN;
}
}
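Review bot: The new `else if` branch calls `reason.getCause().getClass()` without a null check, so a LoginException that carries no cause — a case every preceding `instanceof` test tolerates, and which previously fell through to the INVALID_LOGIN default — now throws a NullPointerException out of the failure-reason lookup. Guard the dereference, e.g. `} else if (reason.getCause() != null && "TokenCredentialsExpiredException".equals(reason.getCause().getClass().getSimpleName())) {`. Comparing on `getSimpleName()` also accepts a class of that name from any package; if that looseness is the intended decoupling from Oak, the existing comment covers it, otherwise matching on `getName()` against the fully qualified name keeps the same "no compile-time dependency" property. The enclosing method starts in the previous hunk and its tail lies outside this one.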
@@ -1093,6 +1095,10 @@ public class SlingAuthenticator implements Authenticator,
AuthUtil.sendInvalid(request, response);
}
+ private boolean isExpiredToken(HttpServletRequest request) {
+ return AuthenticationHandler.FAILURE_REASON_CODES.EXPIRED_TOKEN == request.getAttribute(AuthenticationHandler.FAILURE_REASON_CODE);
+ }
+
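Review bot: `isExpiredToken` is added without a Javadoc comment while the neighbouring private helpers (`isLoginLoop` directly below) carry one; add `/** Returns {@code true} if the request's {@link AuthenticationHandler#FAILURE_REASON_CODE} attribute is {@code EXPIRED_TOKEN}, i.e. the failed login was caused by an expired authentication token. */`. The `==` against the raw request attribute is fine for an enum constant and avoids a cast, but a reader may later "fix" it to `equals`; a trailing `// identity comparison is correct for an enum constant` makes the choice explicit. Where the attribute is set is not visible in this hunk, so the comment should not promise more than that it reads it.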
/**
* Returns <code>true</code> if the current request was referred to by the
* same URL as the current request has. This is assumed to be caused by a
@@ -1104,6 +1110,10 @@ public class SlingAuthenticator implements Authenticator,
* <code>false</code> otherwise
*/
private boolean isLoginLoop(final HttpServletRequest request) {
+
+ if (isExpiredToken(request))
+ return false;
+
String referer = request.getHeader("Referer");
if (referer != null) {
StringBuffer sb = request.getRequestURL();
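Review bot: The early return `if (isExpiredToken(request)) return false;` is unbraced while the rest of the method (`if (referer != null) {`) uses braces; brace it and state the reason inline, e.g. `// SLING-10383: a failure caused by an expired token is never treated as a redirect loop`. The method's Javadoc just above (partly outside this hunk) still describes only the Referer-based detection and should mention the expired-token exemption, since a caller reading the contract would otherwise expect every referer loop to be reported. Because this check presumably exists to stop unbounded login redirects, it is worth confirming that a handler which cannot issue a fresh token after an expired one cannot keep producing EXPIRED_TOKEN failures, as those would now bypass the guard; that bound is not visible here. The body of isLoginLoop continues past the hunk.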