resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
return;
}
final HttpServletRequest req = (HttpServletRequest) request;
String userString = getAttribute(req, Authentication.AUTHENTICATION_USER_ID);
final LoginProtection loginProtection = LoginProtection.instance();
final String clientIpAddress = ClientIpResolver.getClientIp(request);
PFUserDO user = null;
if (userString != null) {
final Integer userId = NumberHelper.parseInteger(userString);
if (userId != null) {
final long offset = loginProtection.getFailedLoginTimeOffsetIfExists(userString, clientIpAddress);
if (offset > 0) {
final String seconds = String.valueOf(offset / 1000);
log.warn("The account for '"
+ userString
+ "' is locked for "
+ seconds
+ " seconds due to failed login attempts (ip=" + clientIpAddress + ").");
final HttpServletResponse resp = (HttpServletResponse) response;
resp.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
final String authenticationToken = getAttribute(req, Authentication.AUTHENTICATION_TOKEN);
if (authenticationToken != null) {
if (authenticationToken.equals(userDao.getCachedAuthenticationToken(userId)) == true) {
user = userDao.getUserGroupCache().getUser(userId);
} else {
log.error(Authentication.AUTHENTICATION_TOKEN
+ " doesn't match for "
+ Authentication.AUTHENTICATION_USER_ID
+ " '"
+ userId
+ "'. Rest call forbidden.");
}
} else {
log.error(Authentication.AUTHENTICATION_TOKEN + " not given for userId '" + userId + "'. Rest call forbidden.");
}
} else {
log.error(Authentication.AUTHENTICATION_USER_ID + " is not an integer: '" + userString + "'. Rest call forbidden.");
}
} else {
userString = getAttribute(req, Authentication.AUTHENTICATION_USERNAME);
final String password = getAttribute(req, Authentication.AUTHENTICATION_PASSWORD);
final long offset = loginProtection.getFailedLoginTimeOffsetIfExists(userString, clientIpAddress);
if (offset > 0) {
final String seconds = String.valueOf(offset / 1000);
log.warn("The account for '"
+ userString
+ "' is locked for "
+ seconds
+ " seconds due to failed login attempts (ip=" + clientIpAddress + ").");
final HttpServletResponse resp = (HttpServletResponse) response;
resp.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
if (userString != null && password != null) {
user = userDao.authenticateUser(userString, password);
if (user == null) {
log.error("Authentication failed for "
+ Authentication.AUTHENTICATION_USERNAME
+ "='"
+ userString
+ "' with given password. Rest call forbidden.");
}
} else {
log.error("Neither "
+ Authentication.AUTHENTICATION_USER_ID
+ " nor "
+ Authentication.AUTHENTICATION_USERNAME
+ "/"
+ Authentication.AUTHENTICATION_PASSWORD
+ " is given. Rest call forbidden.");
}
}
if (user == null) {
loginProtection.incrementFailedLoginTimeOffset(userString, clientIpAddress);
final HttpServletResponse resp = (HttpServletResponse) response;
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
try {
loginProtection.clearLoginTimeOffset(userString, clientIpAddress);
PFUserContext.setUser(user);
final ConnectionSettings settings = getConnectionSettings(req);
ConnectionSettings.set(settings);
final String ip = request.getRemoteAddr();
if (ip != null) {