Posted to commits@sling.apache.org by ro...@apache.org on 2021/05/17 14:25:42 UTC

[sling-org-apache-sling-auth-core] 03/03: SLING-10383 - Do not check for redirect loops when a login fails due to an expired token

This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to branch feature/SLING-10383
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git

commit 3c4a237d5d744a78f78df29ab9bb0bd3453225ff
Author: Robert Munteanu <ro...@apache.org>
AuthorDate: Mon May 17 16:23:54 2021 +0200

    SLING-10383 - Do not check for redirect loops when a login fails due to an expired token
    
    - don't attempt to break redirect loops in case of expired tokens
    - never return a null reason from getFailureReasonFromException
---
 .../sling/auth/core/impl/SlingAuthenticator.java   | 32 ++++++++++++++--------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
index e7143b1..de42c0e 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
@@ -55,6 +55,7 @@ import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
 import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
 import org.apache.sling.commons.metrics.MetricsService;
 import org.apache.sling.commons.metrics.Timer;
+import org.jetbrains.annotations.NotNull;
 import org.osgi.framework.BundleContext;
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
@@ -917,6 +918,9 @@ public class SlingAuthenticator implements Authenticator,
 				case PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY:
                     message = "Password expired and new password found in password history";
 					break;
+				case EXPIRED_TOKEN:
+				    message = "Expired authentication token";
+				    break;
 				case UNKNOWN:
 				case INVALID_LOGIN:
 				default:
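Review bot: The new `case EXPIRED_TOKEN:` branch and its two body lines are indented with a tab followed by spaces, while the neighbouring `case` labels use tabs only and the `message =` line above uses spaces; the switch already mixes both styles, but the added lines add a third variant. Indent the three new lines like `case PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY:` and its `break;`, or normalise the whole block in a follow-up. The enclosing switch starts and ends outside this hunk.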
@@ -954,12 +958,11 @@ public class SlingAuthenticator implements Authenticator,
     /**
      * Try to determine the failure reason from the thrown exception
      */
-    private AuthenticationHandler.FAILURE_REASON_CODES getFailureReasonFromException(final AuthenticationInfo authInfo, Exception reason) {
-        AuthenticationHandler.FAILURE_REASON_CODES code = null;
-        if (reason.getClass().getName().contains("TooManySessionsException")) {
-        	// not a login failure just unavailable service
-        	code = null;
-        } else if (reason instanceof LoginException) {
+    @SuppressWarnings("java:S1872")
+    private @NotNull AuthenticationHandler.FAILURE_REASON_CODES getFailureReasonFromException(final AuthenticationInfo authInfo, Exception reason) {
+        // default to invalid login as the reason
+        AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;;
+        if (reason instanceof LoginException) {
             if (reason.getCause() instanceof CredentialExpiredException) {
                 // force failure attribute to be set so handlers can
                 // react to this special circumstance
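Review bot: The line `AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;;` ends with a doubled semicolon, which compiles as an empty statement but will be flagged by linters; drop the extra one. The removed branch that mapped a `TooManySessionsException` to a null (not-a-login-failure) reason has no replacement, so that condition now appears to fall through to `INVALID_LOGIN`; if the caller previously relied on null to avoid treating a session-limit error as a failed login, that distinction is lost and is worth either stating in the commit message or restoring as a dedicated code. The Javadoc above the method should also state the new contract, e.g. `* Never returns null; defaults to INVALID_LOGIN when the cause is not recognised.` The method body continues in the next hunk.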
@@ -973,11 +976,10 @@ public class SlingAuthenticator implements Authenticator,
                 code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_LOCKED;
             } else if (reason.getCause() instanceof AccountNotFoundException) {
                 code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_NOT_FOUND;
-            }
-
-            if (code == null) {
-            	// default to invalid login as the reason
-            	code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;
+            // we don't want to strongly bind to Oak class names, so we use the String form here
+            // requires Oak 1.40+ ( https://issues.apache.org/jira/browse/OAK-9433 )
+            } else if (reason.getCause().getClass().getSimpleName().equals("TokenCredentialsExpiredException")) {
+                code = AuthenticationHandler.FAILURE_REASON_CODES.EXPIRED_TOKEN;
             }
         }
 
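Review bot: `reason.getCause().getClass().getSimpleName()` dereferences the cause without a null check, so a `LoginException` with no cause now throws a NullPointerException from this method instead of returning `INVALID_LOGIN`; the preceding `instanceof` branches are null-safe, which is why the earlier chain never hit this. Guard it with `} else if (reason.getCause() != null && "TokenCredentialsExpiredException".equals(reason.getCause().getClass().getSimpleName())) {`. A short comment on why only the simple name is matched (any package) would also help, since the `@SuppressWarnings("java:S1872")` on the signature hides the class-name-comparison lint for the whole method. The method starts outside this hunk.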
@@ -1093,6 +1095,10 @@ public class SlingAuthenticator implements Authenticator,
         AuthUtil.sendInvalid(request, response);
     }
 
+    private boolean isExpiredToken(HttpServletRequest request) {
+        return AuthenticationHandler.FAILURE_REASON_CODES.EXPIRED_TOKEN == request.getAttribute(AuthenticationHandler.FAILURE_REASON_CODE);
+    }
+
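Review bot: `isExpiredToken` has no Javadoc and relies on the `FAILURE_REASON_CODE` request attribute holding the enum constant itself, which `==` only matches if no writer stores its string form; a one-line doc makes that assumption explicit, e.g. `/** Returns true when the FAILURE_REASON_CODE request attribute is the EXPIRED_TOKEN enum constant (reference comparison, not its name). */`. Whether every writer of that attribute stores the enum rather than a String is not visible in this hunk.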
     /**
      * Returns <code>true</code> if the current request was referred to by the
      * same URL as the current request has. This is assumed to be caused by a
@@ -1104,6 +1110,10 @@ public class SlingAuthenticator implements Authenticator,
      *         <code>false</code> otherwise
      */
     private boolean isLoginLoop(final HttpServletRequest request) {
+
+        if  (isExpiredToken(request))
+            return false;
+
         String referer = request.getHeader("Referer");
         if (referer != null) {
             StringBuffer sb = request.getRequestURL();
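Review bot: The Javadoc for `isLoginLoop` (which starts before this hunk) still describes only the Referer-based check and does not mention that expired-token failures are now exempt from loop detection; add a line such as `* Requests whose failure reason is EXPIRED_TOKEN are never treated as a loop so the client gets another chance to log in.` The guard `if  (isExpiredToken(request))` has a doubled space and an unbraced body, unlike the surrounding code; write it as `if (isExpiredToken(request)) {` / `return false;` / `}`. Because this exemption disables the only redirect-loop breaker for that case, it depends on the expired token being cleared before the next redirect; if it is not, the client can be redirected indefinitely, so that expectation deserves a comment at the guard. The method body continues past this hunk.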