BadCredentialsException is thrown instead of LoginException in case o…

…f invalid credentials; Brute-force checks only react on BadCredentialsException #103
cuba-platform · Jul 15, 2020 · 70c0b2d · 70c0b2d
1 parent ae9dc8f
commit 70c0b2d
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 16 deletions.
diff --git a/modules/core/src/com/haulmont/cuba/security/auth/AuthenticationManagerBean.java b/modules/core/src/com/haulmont/cuba/security/auth/AuthenticationManagerBean.java
@@ -273,7 +273,7 @@ protected AuthenticationDetails authenticateInternal(Credentials credentials) th
                     log.error("Exception is thrown by authentication provider", re);
 
                     InternalAuthenticationException ie =
-                            new InternalAuthenticationException("Exception is thrown by authentication provider");
+                            new InternalAuthenticationException("Exception is thrown by authentication provider", re);
 
                     // publish auth fail
                     publishAuthenticationFailed(credentials, provider, ie);

diff --git a/...les/core/src/com/haulmont/cuba/security/auth/checks/BruteForceUserCredentialsChecker.java b/...les/core/src/com/haulmont/cuba/security/auth/checks/BruteForceUserCredentialsChecker.java
@@ -24,6 +24,7 @@
 import com.haulmont.cuba.security.auth.UserCredentialsChecker;
 import com.haulmont.cuba.security.auth.events.AuthenticationFailureEvent;
 import com.haulmont.cuba.security.global.AccountLockedException;
+import com.haulmont.cuba.security.global.BadCredentialsException;
 import com.haulmont.cuba.security.global.LoginException;
 import org.springframework.context.event.EventListener;
 import org.springframework.core.Ordered;
@@ -68,21 +69,15 @@ public void check(Credentials credentials) throws LoginException {
     @Order(Events.HIGHEST_PLATFORM_PRECEDENCE + 10)
     @EventListener
     protected void onAuthenticationFailure(AuthenticationFailureEvent event) throws LoginException {
-        if (bruteForceProtectionAPI.isBruteForceProtectionEnabled()) {
+        if (bruteForceProtectionAPI.isBruteForceProtectionEnabled() &&
+                event.getException() instanceof BadCredentialsException) {
             Credentials credentials = event.getCredentials();
             if (credentials instanceof AbstractClientCredentials) {
                 AbstractClientCredentials clientCredentials = (AbstractClientCredentials) credentials;
 
                 if (clientCredentials.isCheckClientPermissions()) {
-                    int loginAttemptsLeft = bruteForceProtectionAPI.registerUnsuccessfulLogin(
+                    bruteForceProtectionAPI.registerUnsuccessfulLogin(
                             clientCredentials.getUserIdentifier(), clientCredentials.getIpAddress());
-                    String message;
-                    if (loginAttemptsLeft <= 0) {
-                        message = messages.formatMessage(MSG_PACK,
-                                "LoginException.loginAttemptsNumberExceeded",
-                                bruteForceProtectionAPI.getBruteForceBlockIntervalSec());
-                        throw new LoginException(message);
-                    }
                 }
             }
         }

diff --git a/...re/src/com/haulmont/cuba/security/auth/providers/LoginPasswordAuthenticationProvider.java b/...re/src/com/haulmont/cuba/security/auth/providers/LoginPasswordAuthenticationProvider.java
@@ -22,6 +22,7 @@
 import com.haulmont.cuba.core.global.PasswordEncryption;
 import com.haulmont.cuba.security.auth.*;
 import com.haulmont.cuba.security.entity.User;
+import com.haulmont.cuba.security.global.BadCredentialsException;
 import com.haulmont.cuba.security.global.LoginException;
 import com.haulmont.cuba.security.global.UserSession;
 import com.haulmont.cuba.security.sys.UserSessionManager;
@@ -61,18 +62,18 @@ public AuthenticationDetails authenticate(Credentials credentials) throws LoginE
 
         if (Strings.isNullOrEmpty(login)) {
             // empty login is not valid
-            throw new LoginException(getInvalidCredentialsMessage(login, credentialsLocale));
+            throw new BadCredentialsException(getInvalidCredentialsMessage(login, credentialsLocale));
         }
 
         checkUserCredentials(credentials);
 
         User user = loadUser(login, params);
         if (user == null) {
-            throw new LoginException(getInvalidCredentialsMessage(login, credentialsLocale));
+            throw new BadCredentialsException(getInvalidCredentialsMessage(login, credentialsLocale));
         }
 
         if (!passwordEncryption.checkPassword(user, loginAndPassword.getPassword())) {
-            throw new LoginException(getInvalidCredentialsMessage(login, credentialsLocale));
+            throw new BadCredentialsException(getInvalidCredentialsMessage(login, credentialsLocale));
         }
 
         Locale userLocale = getUserLocale(loginAndPassword, user);

diff --git a/.../core/src/com/haulmont/cuba/security/auth/providers/RememberMeAuthenticationProvider.java b/.../core/src/com/haulmont/cuba/security/auth/providers/RememberMeAuthenticationProvider.java
@@ -26,6 +26,7 @@
 import com.haulmont.cuba.security.auth.*;
 import com.haulmont.cuba.security.entity.RememberMeToken;
 import com.haulmont.cuba.security.entity.User;
+import com.haulmont.cuba.security.global.BadCredentialsException;
 import com.haulmont.cuba.security.global.LoginException;
 import com.haulmont.cuba.security.global.UserSession;
 import com.haulmont.cuba.security.sys.UserSessionManager;
@@ -66,19 +67,19 @@ public AuthenticationDetails authenticate(Credentials credentials) throws LoginE
 
         if (Strings.isNullOrEmpty(login)) {
             // empty login is not valid
-            throw new LoginException(getInvalidCredentialsMessage(login, credentialsLocale));
+            throw new BadCredentialsException(getInvalidCredentialsMessage(login, credentialsLocale));
         }
 
         checkUserCredentials(credentials);
 
         User user = loadUser(login);
         if (user == null) {
-            throw new LoginException(getInvalidCredentialsMessage(login, credentialsLocale));
+            throw new BadCredentialsException(getInvalidCredentialsMessage(login, credentialsLocale));
         }
 
         RememberMeToken loginToken = loadRememberMeToken(user, rememberMe.getRememberMeToken());
         if (loginToken == null) {
-            throw new LoginException(getInvalidCredentialsMessage(login, credentialsLocale));
+            throw new BadCredentialsException(getInvalidCredentialsMessage(login, credentialsLocale));
         }
 
         if (isTokenExpired(loginToken)) {

diff --git a/modules/global/src/com/haulmont/cuba/security/global/BadCredentialsException.java b/modules/global/src/com/haulmont/cuba/security/global/BadCredentialsException.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2008-2017 Haulmont.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.haulmont.cuba.security.global;
+
+import com.haulmont.cuba.core.global.Logging;
+import com.haulmont.cuba.core.global.SupportedByClient;
+
+@SupportedByClient
+@Logging(Logging.Type.BRIEF)
+public class BadCredentialsException extends LoginException {
+
+    public BadCredentialsException(String message) {
+        super(message);
+    }
+
+    public BadCredentialsException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public BadCredentialsException(String template, Object... params) {
+        super(template, params);
+    }
+}