MaxKey 3 éve

+ 50 - 62
maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java

@@ -21,8 +21,10 @@ import java.util.ArrayList;
 import java.util.HashMap;
 
 import org.maxkey.authn.jwt.AuthJwtService;
+import org.maxkey.authn.online.OnlineTicket;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
+import org.maxkey.authn.web.AuthorizationUtils;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstsLoginType;
 import org.maxkey.constants.ConstsStatus;
@@ -39,6 +41,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 /**
  * login Authentication abstract class.
  * 
@@ -92,6 +95,7 @@ public abstract class AbstractAuthenticationProvider {
 
     public Authentication authenticate(LoginCredential authentication){
     	if(authentication.getAuthType().equalsIgnoreCase("trusted")) {
+    		//risk remove
     		return null;
     	}
     	AbstractAuthenticationProvider provider = providers.get(authentication.getAuthType() + PROVIDER_SUFFIX);
@@ -101,60 +105,64 @@ public abstract class AbstractAuthenticationProvider {
     
     public Authentication authenticate(LoginCredential authentication,boolean trusted){
     	AbstractAuthenticationProvider provider = providers.get(AuthType.TRUSTED + PROVIDER_SUFFIX);
-    	return provider == null ? null : provider.doAuthenticate(authentication);
+    	return provider.doAuthenticate(authentication);
     }
     
     public void addAuthenticationProvider(AbstractAuthenticationProvider provider) {
     	providers.put(provider.getProviderName(), provider);
     }
-    /**
-     * captcha validate .
-     * 
-     * @param authType String
-     * @param captcha String
-     */
-    protected void captchaValid(String captcha, String authType) {
-        // for basic
-        if (authType.equalsIgnoreCase(AuthType.NORMAL)) {
-            _logger.info("captcha : "
-                    + WebContext.getSession().getAttribute(
-                            WebConstants.KAPTCHA_SESSION_KEY).toString());
-            if (captcha == null || !captcha
-                    .equals(WebContext.getSession().getAttribute(
-                                    WebConstants.KAPTCHA_SESSION_KEY).toString())) {
-                String message = WebContext.getI18nValue("login.error.captcha");
-                _logger.debug("login captcha valid error.");
-                throw new BadCredentialsException(message);
-            }
-        }
-    }
 
     /**
-     * captcha validate.
-     * 
-     * @param otpCaptcha String
-     * @param authType   String
-     * @param userInfo   UserInfo
+     * createOnlineSession 
+     * @param credential
+     * @param userInfo
+     * @return
      */
-    protected void tftcaptchaValid(String otpCaptcha, String authType, UserInfo userInfo) {
-        // for one time password 2 factor
-        if (applicationConfig.getLoginConfig().isMfa() 
-        		&& authType.equalsIgnoreCase(AuthType.TFA)) {
-            UserInfo validUserInfo = new UserInfo();
-            validUserInfo.setUsername(userInfo.getUsername());
-            validUserInfo.setSharedSecret(userInfo.getSharedSecret());
-            validUserInfo.setSharedCounter(userInfo.getSharedCounter());
-            validUserInfo.setId(userInfo.getId());
-            if (otpCaptcha == null || !tfaOtpAuthn.validate(validUserInfo, otpCaptcha)) {
-                String message = WebContext.getI18nValue("login.error.captcha");
-                _logger.debug("login captcha valid error.");
-                throw new BadCredentialsException(message);
+    public UsernamePasswordAuthenticationToken createOnlineTicket(LoginCredential credential,UserInfo userInfo) {
+        //Online Tickit
+        OnlineTicket onlineTicket = new OnlineTicket();
+
+        userInfo.setOnlineTicket(onlineTicket.getTicketId());
+        
+        SigninPrincipal principal = new SigninPrincipal(userInfo);
+        //set OnlineTicket
+        principal.setOnlineTicket(onlineTicket);
+        ArrayList<GrantedAuthority> grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
+        principal.setAuthenticated(true);
+        
+        for(GrantedAuthority administratorsAuthority : grantedAdministratorsAuthoritys) {
+            if(grantedAuthoritys.contains(administratorsAuthority)) {
+            	principal.setRoleAdministrators(true);
+                _logger.trace("ROLE ADMINISTRATORS Authentication .");
             }
         }
+        _logger.debug("Granted Authority {}" , grantedAuthoritys);
+        
+        principal.setGrantedAuthorityApps(authenticationRealm.queryAuthorizedApps(grantedAuthoritys));
+        
+        UsernamePasswordAuthenticationToken authenticationToken =
+                new UsernamePasswordAuthenticationToken(
+                		principal, 
+                        "PASSWORD", 
+                        grantedAuthoritys
+                );
+        
+        authenticationToken.setDetails(
+                new WebAuthenticationDetails(WebContext.getRequest()));
+        
+        onlineTicket.setAuthentication(authenticationToken);
+        
+        //store onlineTicket
+        this.onlineTicketServices.store(onlineTicket.getTicketId(), onlineTicket);
+        
+        /*
+         *  put Authentication to current session context
+         */
+        AuthorizationUtils.setAuthentication(authenticationToken);
+     
+        return authenticationToken;
     }
     
-
-
     /**
      * login user by j_username and j_cname first query user by j_cname if first
      * step userinfo is null,query user from system.
@@ -255,24 +263,4 @@ public abstract class AbstractAuthenticationProvider {
         return true;
     }
 
-    public void setApplicationConfig(ApplicationConfig applicationConfig) {
-        this.applicationConfig = applicationConfig;
-    }
-
-    public void setAuthenticationRealm(AbstractAuthenticationRealm authenticationRealm) {
-        this.authenticationRealm = authenticationRealm;
-    }
-
-    public void setTfaOtpAuthn(AbstractOtpAuthn tfaOtpAuthn) {
-        this.tfaOtpAuthn = tfaOtpAuthn;
-    }
-
-    public void setOnlineTicketServices(OnlineTicketService onlineTicketServices) {
-        this.onlineTicketServices = onlineTicketServices;
-    }
-
-	public void setOtpAuthnService(OtpAuthnService otpAuthnService) {
-		this.otpAuthnService = otpAuthnService;
-	}
-
 }
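Review bot: Line 41 drops the null guard the removed line 40 had, so if no provider is registered under `AuthType.TRUSTED + PROVIDER_SUFFIX`, `authenticate(credential, trusted)` now fails with a NullPointerException rather than a deliberate result; keep the guard or fail explicitly, e.g. `if (provider == null) { throw new IllegalStateException("trusted authentication provider is not registered"); }`. The `trusted` flag is not read anywhere in that method, which deserves a comment if the overload exists only to keep the trusted path out of the generic entry point at line 30, and the `//risk remove` comment at line 32 would read better as `// the trusted type is never dispatched from the generic entry point; see authenticate(credential, trusted)`. The Javadoc for createOnlineTicket (lines 75-79) has empty tags; it should state that the method creates a new OnlineTicket, builds the UsernamePasswordAuthenticationToken with the realm's granted authorities (flagging the administrators role when present), stores the ticket through onlineTicketServices and places the token in the current session context, that `credential` is currently unused, and that the stored token is what is returned.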

+ 26 - 55
maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MfaAuthenticationProvider.java

@@ -17,16 +17,11 @@
 
 package org.maxkey.authn.provider;
 
-import java.util.ArrayList;
-
 import org.maxkey.authn.AbstractAuthenticationProvider;
 import org.maxkey.authn.LoginCredential;
-import org.maxkey.authn.SigninPrincipal;
 import org.maxkey.authn.jwt.AuthJwtService;
-import org.maxkey.authn.online.OnlineTicket;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
-import org.maxkey.authn.web.AuthorizationUtils;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstsLoginType;
 import org.maxkey.entity.Institutions;
@@ -36,11 +31,10 @@ import org.maxkey.web.WebConstants;
 import org.maxkey.web.WebContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.web.authentication.WebAuthenticationDetails;
 
 
 /**
@@ -84,10 +78,7 @@ public class MfaAuthenticationProvider extends AbstractAuthenticationProvider {
 	        _logger.debug("authentication " + loginCredential);
 	        
 	        Institutions inst = (Institutions)WebContext.getAttribute(WebConstants.CURRENT_INST);
-	        if(inst.getCaptchaSupport().equalsIgnoreCase("YES")) {
-	        	captchaValid(loginCredential.getCaptcha(),loginCredential.getAuthType());
-	        }
-	
+
 	        emptyPasswordValid(loginCredential.getPassword());
 	
 	        UserInfo userInfo = null;
@@ -98,7 +89,7 @@ public class MfaAuthenticationProvider extends AbstractAuthenticationProvider {
 	
 	        statusValid(loginCredential , userInfo);
 	        //mfa 
-	        tftcaptchaValid(loginCredential.getOtpCaptcha(),loginCredential.getAuthType(),userInfo);
+	        mfacaptchaValid(loginCredential.getOtpCaptcha(),userInfo);
 	        
 	        //Validate PasswordPolicy
 	        authenticationRealm.getPasswordPolicyValidator().passwordPolicyValid(userInfo);
@@ -109,7 +100,7 @@ public class MfaAuthenticationProvider extends AbstractAuthenticationProvider {
 	        //apply PasswordSetType and resetBadPasswordCount
 	        authenticationRealm.getPasswordPolicyValidator().applyPasswordPolicy(userInfo);
 	        
-	        authenticationToken = createOnlineSession(loginCredential,userInfo);
+	        authenticationToken = createOnlineTicket(loginCredential,userInfo);
 	        // user authenticated
 	        _logger.debug("'{}' authenticated successfully by {}.", 
 	        		loginCredential.getPrincipal(), getProviderName());
@@ -133,50 +124,30 @@ public class MfaAuthenticationProvider extends AbstractAuthenticationProvider {
        
         return  authenticationToken;
     }
+    
+    
 
-    public UsernamePasswordAuthenticationToken createOnlineSession(LoginCredential credential,UserInfo userInfo) {
-        //Online Tickit
-        OnlineTicket onlineTicket = new OnlineTicket();
-
-        userInfo.setOnlineTicket(onlineTicket.getTicketId());
-        
-        SigninPrincipal principal = new SigninPrincipal(userInfo);
-        //set OnlineTicket
-        principal.setOnlineTicket(onlineTicket);
-        ArrayList<GrantedAuthority> grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
-        principal.setAuthenticated(true);
-        
-        for(GrantedAuthority administratorsAuthority : grantedAdministratorsAuthoritys) {
-            if(grantedAuthoritys.contains(administratorsAuthority)) {
-            	principal.setRoleAdministrators(true);
-                _logger.trace("ROLE ADMINISTRATORS Authentication .");
+    /**
+     * captcha validate.
+     * 
+     * @param otpCaptcha String
+     * @param authType   String
+     * @param userInfo   UserInfo
+     */
+    protected void mfacaptchaValid(String otpCaptcha, UserInfo userInfo) {
+        // for one time password 2 factor
+        if (applicationConfig.getLoginConfig().isMfa()) {
+            UserInfo validUserInfo = new UserInfo();
+            validUserInfo.setUsername(userInfo.getUsername());
+            validUserInfo.setSharedSecret(userInfo.getSharedSecret());
+            validUserInfo.setSharedCounter(userInfo.getSharedCounter());
+            validUserInfo.setId(userInfo.getId());
+            if (otpCaptcha == null || !tfaOtpAuthn.validate(validUserInfo, otpCaptcha)) {
+                String message = WebContext.getI18nValue("login.error.captcha");
+                _logger.debug("login captcha valid error.");
+                throw new BadCredentialsException(message);
             }
         }
-        _logger.debug("Granted Authority {}" , grantedAuthoritys);
-        
-        principal.setGrantedAuthorityApps(authenticationRealm.queryAuthorizedApps(grantedAuthoritys));
-        
-        UsernamePasswordAuthenticationToken authenticationToken =
-                new UsernamePasswordAuthenticationToken(
-                		principal, 
-                        "PASSWORD", 
-                        grantedAuthoritys
-                );
-        
-        authenticationToken.setDetails(
-                new WebAuthenticationDetails(WebContext.getRequest()));
-        
-        onlineTicket.setAuthentication(authenticationToken);
-        
-        //store onlineTicket
-        this.onlineTicketServices.store(onlineTicket.getTicketId(), onlineTicket);
-        
-        /*
-         *  put Authentication to current session context
-         */
-        AuthorizationUtils.setAuthentication(authenticationToken);
-     
-        return authenticationToken;
     }
-  
+
 }
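Review bot: The institution captcha gate removed at lines 206-208 is not replaced anywhere in this hunk, so with `captchaSupport` set to YES an MFA login now skips the image captcha entirely while NormalAuthenticationProvider still enforces it; if the OTP is meant to stand in for it, a comment saying so at line 210 would make that deliberate, otherwise the same state-based captcha check belongs here as well. The Javadoc on `mfacaptchaValid` (lines 255-261) still lists `@param authType String`, a parameter that no longer exists, and should be reduced to `@param otpCaptcha the one-time code submitted by the user` and `@param userInfo the user whose shared secret and counter are checked`. Note also that `mfacaptchaValid` silently passes when `isMfa()` is false (line 264), so on a provider whose only purpose is the second factor a disabled flag means nothing is verified; at minimum log that the check was skipped.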

+ 6 - 5
maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/MobileAuthenticationProvider.java

@@ -17,6 +17,7 @@
 
 package org.maxkey.authn.provider;
 
+import org.maxkey.authn.AbstractAuthenticationProvider;
 import org.maxkey.authn.LoginCredential;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
@@ -40,7 +41,7 @@ import org.springframework.security.core.AuthenticationException;
  * @author Crystal.Sea
  *
  */
-public class MobileAuthenticationProvider extends NormalAuthenticationProvider {
+public class MobileAuthenticationProvider extends AbstractAuthenticationProvider {
 	
     private static final Logger _logger =
             LoggerFactory.getLogger(MobileAuthenticationProvider.class);
@@ -67,7 +68,7 @@ public class MobileAuthenticationProvider extends NormalAuthenticationProvider {
 	}
 
     @Override
-	public Authentication authenticate(LoginCredential loginCredential) {
+	public Authentication doAuthenticate(LoginCredential loginCredential) {
 		UsernamePasswordAuthenticationToken authenticationToken = null;
 		_logger.debug("Trying to authenticate user '{}' via {}", 
                 loginCredential.getPrincipal(), getProviderName());
@@ -86,12 +87,12 @@ public class MobileAuthenticationProvider extends NormalAuthenticationProvider {
 	        //Validate PasswordPolicy
 	        authenticationRealm.getPasswordPolicyValidator().passwordPolicyValid(userInfo);
 	        
-	        mobilecaptchaValid(loginCredential.getPassword(),userInfo);
+	        mobileCaptchaValid(loginCredential.getPassword(),userInfo);
 
 	        //apply PasswordSetType and resetBadPasswordCount
 	        authenticationRealm.getPasswordPolicyValidator().applyPasswordPolicy(userInfo);
 	        
-	        authenticationToken = createOnlineSession(loginCredential,userInfo);
+	        authenticationToken = createOnlineTicket(loginCredential,userInfo);
 	        // user authenticated
 	        _logger.debug("'{}' authenticated successfully by {}.", 
 	        		loginCredential.getPrincipal(), getProviderName());
@@ -124,7 +125,7 @@ public class MobileAuthenticationProvider extends NormalAuthenticationProvider {
      * @param authType   String
      * @param userInfo   UserInfo
      */
-    protected void mobilecaptchaValid(String password, UserInfo userInfo) {
+    protected void mobileCaptchaValid(String password, UserInfo userInfo) {
         // for mobile password
         if (applicationConfig.getLoginConfig().isMfa()) {
             UserInfo validUserInfo = new UserInfo();
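Review bot: The Javadoc above `mobileCaptchaValid` (lines 351-353) still documents `@param authType String`, a parameter the renamed method at line 355 does not take; replace it with `@param password the one-time code submitted in the password field`. The validation body at line 357 runs only when `isMfa()` is true, so with the flag off this method checks nothing; if the mobile code is verified by another path in that case, a comment naming it would help, and if not this is a gap worth closing now that the class no longer inherits anything from NormalAuthenticationProvider (line 322). The method body continues past the end of the hunk.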

+ 27 - 52
maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/NormalAuthenticationProvider.java

@@ -17,16 +17,13 @@
 
 package org.maxkey.authn.provider;
 
-import java.util.ArrayList;
-
+import java.text.ParseException;
+import org.apache.commons.lang3.StringUtils;
 import org.maxkey.authn.AbstractAuthenticationProvider;
 import org.maxkey.authn.LoginCredential;
-import org.maxkey.authn.SigninPrincipal;
 import org.maxkey.authn.jwt.AuthJwtService;
-import org.maxkey.authn.online.OnlineTicket;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
-import org.maxkey.authn.web.AuthorizationUtils;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstsLoginType;
 import org.maxkey.entity.Institutions;
@@ -36,11 +33,11 @@ import org.maxkey.web.WebConstants;
 import org.maxkey.web.WebContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.web.authentication.WebAuthenticationDetails;
+import com.nimbusds.jwt.JWTClaimsSet;
 
 
 /**
@@ -85,7 +82,7 @@ public class NormalAuthenticationProvider extends AbstractAuthenticationProvider
 	        
 	        Institutions inst = (Institutions)WebContext.getAttribute(WebConstants.CURRENT_INST);
 	        if(inst.getCaptchaSupport().equalsIgnoreCase("YES")) {
-	        	captchaValid(loginCredential.getCaptcha(),loginCredential.getAuthType());
+	        	captchaValid(loginCredential.getState(),loginCredential.getCaptcha());
 	        }
 	
 	        emptyPasswordValid(loginCredential.getPassword());
@@ -105,7 +102,7 @@ public class NormalAuthenticationProvider extends AbstractAuthenticationProvider
 	        //apply PasswordSetType and resetBadPasswordCount
 	        authenticationRealm.getPasswordPolicyValidator().applyPasswordPolicy(userInfo);
 	        
-	        authenticationToken = createOnlineSession(loginCredential,userInfo);
+	        authenticationToken = createOnlineTicket(loginCredential,userInfo);
 	        // user authenticated
 	        _logger.debug("'{}' authenticated successfully by {}.", 
 	        		loginCredential.getPrincipal(), getProviderName());
@@ -129,50 +126,28 @@ public class NormalAuthenticationProvider extends AbstractAuthenticationProvider
        
         return  authenticationToken;
     }
-
-    public UsernamePasswordAuthenticationToken createOnlineSession(LoginCredential credential,UserInfo userInfo) {
-        //Online Tickit
-        OnlineTicket onlineTicket = new OnlineTicket();
-
-        userInfo.setOnlineTicket(onlineTicket.getTicketId());
-        
-        SigninPrincipal principal = new SigninPrincipal(userInfo);
-        //set OnlineTicket
-        principal.setOnlineTicket(onlineTicket);
-        ArrayList<GrantedAuthority> grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
-        principal.setAuthenticated(true);
-        
-        for(GrantedAuthority administratorsAuthority : grantedAdministratorsAuthoritys) {
-            if(grantedAuthoritys.contains(administratorsAuthority)) {
-            	principal.setRoleAdministrators(true);
-                _logger.trace("ROLE ADMINISTRATORS Authentication .");
-            }
+    
+    /**
+     * captcha validate .
+     * 
+     * @param authType String
+     * @param captcha String
+     * @throws ParseException 
+     */
+    protected void captchaValid(String state ,String captcha) throws ParseException {
+        // for basic
+    	JWTClaimsSet claim = authJwtService.resolve(state);
+    	if(claim == null) {
+    		throw new BadCredentialsException(WebContext.getI18nValue("login.error.captcha"));
+    	}
+    	Object momentaryCaptcha = momentaryService.get("", claim.getJWTID());
+        _logger.info("captcha : {} , momentary Captcha : {} " ,captcha, momentaryCaptcha);
+        if (StringUtils.isBlank(captcha) || !captcha.equals(momentaryCaptcha.toString())) {
+            _logger.debug("login captcha valid error.");
+            throw new BadCredentialsException(WebContext.getI18nValue("login.error.captcha"));
         }
-        _logger.debug("Granted Authority {}" , grantedAuthoritys);
-        
-        principal.setGrantedAuthorityApps(authenticationRealm.queryAuthorizedApps(grantedAuthoritys));
-        
-        UsernamePasswordAuthenticationToken authenticationToken =
-                new UsernamePasswordAuthenticationToken(
-                		principal, 
-                        "PASSWORD", 
-                        grantedAuthoritys
-                );
-        
-        authenticationToken.setDetails(
-                new WebAuthenticationDetails(WebContext.getRequest()));
-        
-        onlineTicket.setAuthentication(authenticationToken);
-        
-        //store onlineTicket
-        this.onlineTicketServices.store(onlineTicket.getTicketId(), onlineTicket);
-        
-        /*
-         *  put Authentication to current session context
-         */
-        AuthorizationUtils.setAuthentication(authenticationToken);
-     
-        return authenticationToken;
     }
+
+   
   
 }
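Review bot: `momentaryService.get("", claim.getJWTID())` at line 450 can return null when the captcha has expired or was never issued, and `momentaryCaptcha.toString()` at line 452 then throws NullPointerException instead of the BadCredentialsException the surrounding code intends; change the condition to `if (StringUtils.isBlank(captcha) || momentaryCaptcha == null || !captcha.equals(momentaryCaptcha.toString())) {`. Nothing in the hunk invalidates the momentary entry after a successful comparison, so the same state token and captcha can be replayed until the entry expires; if momentaryService supports removal, drop the entry once it has been compared. The info-level log at line 451 prints the expected captcha value next to the submitted one, which belongs at debug level at most. The Javadoc (lines 437-443) still says `@param authType String`; it should read `@param state the signed state token issued together with the captcha` and note that `captcha` is compared with the value stored under the token's JWT ID, and the new checked `ParseException` must be handled by the caller at line 401, which lies outside the hunk.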

+ 3 - 2
maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/provider/TrustedAuthenticationProvider.java

@@ -17,6 +17,7 @@
 
 package org.maxkey.authn.provider;
 
+import org.maxkey.authn.AbstractAuthenticationProvider;
 import org.maxkey.authn.LoginCredential;
 import org.maxkey.authn.online.OnlineTicketService;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
@@ -33,7 +34,7 @@ import org.springframework.security.core.Authentication;
  * @author Crystal.Sea
  *
  */
-public class TrustedAuthenticationProvider extends NormalAuthenticationProvider {
+public class TrustedAuthenticationProvider extends AbstractAuthenticationProvider {
     private static final Logger _logger =
             LoggerFactory.getLogger(TrustedAuthenticationProvider.class);
 
@@ -63,7 +64,7 @@ public class TrustedAuthenticationProvider extends NormalAuthenticationProvider
             authenticationRealm.getPasswordPolicyValidator().passwordPolicyValid(loadeduserInfo);
             //apply PasswordSetType and resetBadPasswordCount
             authenticationRealm.getPasswordPolicyValidator().applyPasswordPolicy(loadeduserInfo);
-            Authentication authentication = createOnlineSession(loginCredential,loadeduserInfo);
+            Authentication authentication = createOnlineTicket(loginCredential,loadeduserInfo);
             
             authenticationRealm.insertLoginHistory( loadeduserInfo, 
                                                     loginCredential.getAuthType(),