Package org.apache.geronimo.security.realm.providers

Source Code of org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule$LoginHistory

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
/**
*
* Copyright 2003-2004 The Apache Software Foundation
*
*  Licensed under the Apache License, Version 2.0 (the "License");
*  you may not use this file except in compliance with the License.
*  You may obtain a copy of the License at
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
*  Unless required by applicable law or agreed to in writing, software
*  distributed under the License is distributed on an "AS IS" BASIS,
*  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*  See the License for the specific language governing permissions and
*  limitations under the License.
*/
package org.apache.geronimo.security.realm.providers;

import java.io.Serializable;
import java.util.Map;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.spi.LoginModule;

/**
* Tracks the number of recent login failures for each user, and starts
* rejecting login attemps if the number of failures in a certain period for a
* particular user gets too high.  The period, number of failures, and lockout
* duration are configurable, but default to 5 failures in 5 minutes cause all
* subsequent attemps to fail for 30 minutes.
*
* This module does not write any Principals into the Subject.
*
* To enable this login module, set your primary login module and any other
* login modules to REQUIRED or OPTIONAL, and list this module in last place,
* set to REQUISITE.
*
* The parameters used by this module are:
* <ul>
*   <li><b>failureCount</b> - The number of failures to allow before subsequent
*                             login attempts automatically fail</li>
*   <li><b>failurePeriodSecs</b> - The window of time the failures must occur
*                                 in in order to cause the lockout</li>
*   <li><b>lockoutDurationSecs</b> - The duration of a lockout caused by
*                                    exceeding the failureCount in
*                                    failurePeriodSecs.</li>
* </ul>
*
* @version $Rev: 355877 $ $Date: 2005-12-11 03:48:27 +0100 (Sun, 11 Dec 2005) $
*/
public class RepeatedFailureLockoutLoginModule implements LoginModule {
    public static final String FAILURE_COUNT_OPTION = "failureCount";
    public static final String FAILURE_PERIOD_OPTION = "failurePeriodSecs";
    public static final String LOCKOUT_DURATION_OPTION = "lockoutDurationSecs";
    private static final HashMap userData = new HashMap();
    private CallbackHandler handler;
    private String username;
    private int failureCount = 5;
    private int failurePeriod = 5 * 60 * 1000;
    private int lockoutDuration = 30 * 60 * 1000;

    /**
     * Reads the configuration settings for this module.
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        String fcString = (String) options.get(FAILURE_COUNT_OPTION);
        if(fcString != null) {
            fcString = fcString.trim();
            if(!fcString.equals("")) {
                failureCount = Integer.parseInt(fcString);
            }
        }
        String fpString = (String) options.get(FAILURE_PERIOD_OPTION);
        if(fpString != null) {
            fpString = fpString.trim();
            if(!fpString.equals("")) {
                failurePeriod = Integer.parseInt(fpString) * 1000;
            }
        }
        String ldString = (String) options.get(LOCKOUT_DURATION_OPTION);
        if(ldString != null) {
            ldString = ldString.trim();
            if(!ldString.equals("")) {
                lockoutDuration = Integer.parseInt(ldString) * 1000;
            }
        }
        handler = callbackHandler;
    }

    /**
     * Checks whether the user should be or has been locked out.
     */
    public boolean login() throws LoginException {
        NameCallback user = new NameCallback("User name:");
        Callback[] callbacks = new Callback[]{user};
        try {
            handler.handle(callbacks);
        } catch (Exception e) {
            throw new LoginException("Unable to process callback: "+e);
        }
        if(callbacks.length != 1) {
            throw new IllegalStateException("Number of callbacks changed by server!");
        }
        user = (NameCallback) callbacks[0];
        username = user.getName();
        if(username != null) {
            LoginHistory history;
            synchronized (userData) {
                history = (LoginHistory) userData.get(username);
            }
            if(history != null && !history.isLoginAllowed(lockoutDuration, failurePeriod, failureCount)) {
                username = null;
                throw new FailedLoginException("Maximum login failures exceeded; try again later");
            }
        } else {
            return false; // it's a fake login, ignore this module
        }
        return true;
    }

    /**
     * This module does nothing if a login succeeds.
     */
    public boolean commit() throws LoginException {
        return username != null;
    }

    /**
     * Notes that (and when) a login failure occured, used to calculate
     * whether the user should be locked out.
     */
    public boolean abort() throws LoginException {
        if(username != null) { //work around initial "fake" login
            LoginHistory history;
            synchronized (userData) {
                history = (LoginHistory) userData.get(username);
                if(history == null) {
                    history = new LoginHistory(username);
                    userData.put(username, history);
                }
            }
            history.addFailure();
            username = null;
            return true;
        } else {
            return false;
        }
    }

    /**
     * This module does nothing on a logout.
     */
    public boolean logout() throws LoginException {
        username = null;
        handler = null;
        return true;
    }

    /**
     * Tracks failure attempts for a user, and calculates lockout
     * status and expiry, etc.
     */
    private static class LoginHistory implements Serializable {
        private String user;
        private LinkedList data = new LinkedList();
        private long lockExpires = -1;

        public LoginHistory(String user) {
            this.user = user;
        }

        public String getUser() {
            return user;
        }

        /**
         * Cleans up the failure history and then calculates whether this user
         * is locked out or not.
         */
        public synchronized boolean isLoginAllowed(int lockoutLengthMillis, int failureAgeMillis, int maxFailures) {
            long now = System.currentTimeMillis();
            cleanup(now - failureAgeMillis);
            if(lockExpires > now) {
                return false;
            }
            if(data.size() >= maxFailures) {
                lockExpires = ((Long)data.getLast()).longValue() + lockoutLengthMillis;
                if(lockExpires > now) {
                    return false;
                }
            }
            return true;
        }

        /**
         * Notes that a failure occured.
         */
        public synchronized void addFailure() {
            data.add(new Long(System.currentTimeMillis()));
        }

        /**
         * Cleans up all failure records outside the window of time we care
         * about.
         */
        public synchronized void cleanup(long ignoreOlderThan) {
            for (Iterator it = data.iterator(); it.hasNext();) {
                Long time = (Long) it.next();
                if(time.longValue() < ignoreOlderThan) {
                    it.remove();
                } else {
                    break;
                }
            }
        }
    }
}
TOP

Related Classes of org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule$LoginHistory

  • javax.security.auth.login.FailedLoginException
  • javax.security.auth.callback.NameCallback
  • javax.security.auth.login.LoginException
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.