Class CmsLoginManager
- java.lang.Object
-
- org.opencms.db.CmsLoginManager
-
public class CmsLoginManager extends java.lang.Object
Provides functions used to check the validity of a user login. Stores invalid login attempts and temporarily disables a user account in case the configured threshold of invalid logins is reached.
The invalid login attempt storage operates on a combination of user name, login remote IP address and user type. This means that a user can be disabled for one remote IP, but still be enabled for another remote IP.
Also allows logins to be temporarily disallowed (for example in case of maintenance work on the system).
- Since:
- 6.0.0
-
-
Field Summary
- static long DEFAULT_TOKEN_LIFETIME - Default token lifetime.
- static int DISABLE_MINUTES_DEFAULT - Default lock time if the threshold for bad login attempts is reached.
- static boolean ENABLE_SECURITY_DEFAULT - Default setting for the security option.
- static java.lang.String KEY_SEPARATOR - Separator used for storage keys.
- protected int m_disableMillis - The milliseconds to disable an account if the threshold is reached.
- protected int m_disableMinutes - The minutes to disable an account if the threshold is reached.
- protected boolean m_enableSecurity - The flag to determine if the security option should be enabled on the login dialog.
- protected int m_maxBadAttempts - The number of bad login attempts allowed before an account is temporarily disabled.
- protected java.util.Map<java.lang.String,org.opencms.db.CmsLoginManager.CmsUserData> m_storage - The storage for the bad login attempts.
- protected java.lang.String m_tokenLifetimeStr - The token lifetime.
- static int MAX_BAD_ATTEMPTS_DEFAULT - Default for bad login attempts.
- protected static java.util.Map<java.lang.String,java.util.Set<org.opencms.db.CmsLoginManager.CmsUserData>> TEMP_DISABLED_USER - Map holding user names and user data for users which are currently locked.
-
Constructor Summary
- CmsLoginManager(int disableMinutes, int maxBadAttempts, boolean enableSecurity, java.lang.String tokenLifetime, java.lang.String maxInactive, java.lang.String passwordChangeInterval, java.lang.String userDataCheckInterval, boolean requireOrgUnit, java.lang.String logoutUri) - Creates a new storage for invalid logins.
-
Method Summary
- protected void addInvalidLogin(java.lang.String userName, java.lang.String remoteAddress) - Adds an invalid attempt to login for the given user / IP to the storage.
- boolean canLockBecauseOfInactivity(CmsObject cms, CmsUser user) - Checks whether a user account can be locked because of inactivity.
- boolean checkInactive(CmsUser user) - Checks whether the given user has been inactive for longer than the configured limit.
- void checkInvalidLogins(java.lang.String userName, java.lang.String remoteAddress) - Checks if the threshold for the invalid logins has been reached for the given user.
- void checkLoginAllowed() - Checks if a login is currently allowed.
- CmsLoginMessage getBeforeLoginMessage() - Returns the current before login message that is displayed on the login form.
- int getDisableMinutes() - Returns the minutes an account gets disabled after too many failed login attempts.
- CmsLoginMessage getLoginMessage() - Returns the current login message that is displayed if a user logs in.
- java.lang.String getLogoutUri() - Gets the logout URI.
- int getMaxBadAttempts() - Returns the number of bad login attempts allowed before an account is temporarily disabled.
- java.lang.String getMaxInactive() - Gets the max inactivity time.
- long getPasswordChangeInterval() - Gets the password change interval.
- java.lang.String getPasswordChangeIntervalStr() - Gets the raw password change interval string.
- long getTokenLifetime() - Gets the authorization token lifetime in milliseconds.
- java.lang.String getTokenLifetimeStr() - Gets the configured token lifetime as a string.
- long getUserDataCheckInterval() - Gets the user data check interval.
- java.lang.String getUserDataCheckIntervalStr() - Gets the raw user data check interval string.
- boolean isEnableSecurity() - Returns if the security option should be enabled on the login dialog.
- boolean isOrgUnitRequired() - Returns true if organizational unit selection should be required on login.
- boolean isPasswordReset(CmsObject cms, CmsUser user) - Checks if the password has to be reset.
- boolean isUserLocked(CmsUser user) - Checks if a user is locked due to too many failed logins.
- boolean isUserTempDisabled(java.lang.String username) - Checks if the given user is temporarily locked.
- protected void removeInvalidLogins(java.lang.String userName, java.lang.String remoteAddress) - Removes all invalid attempts to login for the given user / IP.
- void removeLoginMessage(CmsObject cms) - Removes the current login message.
- boolean requiresPasswordChange(CmsObject cms, CmsUser user) - Checks if a user is required to change his password now.
- boolean requiresUserDataCheck(CmsObject cms, CmsUser user) - Checks if a user is required to change his password now.
- void resetUserTempDisable(java.lang.String username) - Resets the lock for a user.
- void setBeforeLoginMessage(CmsObject cms, CmsLoginMessage message) - Sets the before login message to display on the login form.
- void setLoginMessage(CmsObject cms, CmsLoginMessage message) - Sets the login message to display if a user logs in.
- void unlockUser(CmsObject cms, CmsUser user) - Unlocks a user who has exceeded his number of failed login attempts so that he can try to log in again.
-
-
-
Field Detail
-
DEFAULT_TOKEN_LIFETIME
public static final long DEFAULT_TOKEN_LIFETIME
Default token lifetime.
- See Also: Constant Field Values
-
DISABLE_MINUTES_DEFAULT
public static final int DISABLE_MINUTES_DEFAULT
Default lock time if the threshold for bad login attempts is reached.
- See Also: Constant Field Values
-
ENABLE_SECURITY_DEFAULT
public static final boolean ENABLE_SECURITY_DEFAULT
Default setting for the security option.
- See Also: Constant Field Values
-
KEY_SEPARATOR
public static final java.lang.String KEY_SEPARATOR
Separator used for storage keys.
- See Also: Constant Field Values
-
MAX_BAD_ATTEMPTS_DEFAULT
public static final int MAX_BAD_ATTEMPTS_DEFAULT
Default for bad login attempts.
- See Also: Constant Field Values
-
TEMP_DISABLED_USER
protected static java.util.Map<java.lang.String,java.util.Set<org.opencms.db.CmsLoginManager.CmsUserData>> TEMP_DISABLED_USER
Map holding user names and user data for users which are currently locked.
-
m_disableMillis
protected int m_disableMillis
The milliseconds to disable an account if the threshold is reached.
-
m_disableMinutes
protected int m_disableMinutes
The minutes to disable an account if the threshold is reached.
-
m_enableSecurity
protected boolean m_enableSecurity
The flag to determine if the security option should be enabled on the login dialog.
-
m_maxBadAttempts
protected int m_maxBadAttempts
The number of bad login attempts allowed before an account is temporarily disabled.
-
m_storage
protected java.util.Map<java.lang.String,org.opencms.db.CmsLoginManager.CmsUserData> m_storage
The storage for the bad login attempts.
-
m_tokenLifetimeStr
protected java.lang.String m_tokenLifetimeStr
The token lifetime.
-
-
Constructor Detail
-
CmsLoginManager
public CmsLoginManager(int disableMinutes, int maxBadAttempts, boolean enableSecurity, java.lang.String tokenLifetime, java.lang.String maxInactive, java.lang.String passwordChangeInterval, java.lang.String userDataCheckInterval, boolean requireOrgUnit, java.lang.String logoutUri)
Creates a new storage for invalid logins.
- Parameters:
- disableMinutes - the minutes to disable an account if the threshold is reached
- maxBadAttempts - the number of bad login attempts allowed before an account is temporarily disabled
- enableSecurity - flag to determine if the security option should be enabled on the login dialog
- tokenLifetime - the lifetime of authorization tokens, i.e. the time for which they are valid
- maxInactive - maximum inactivity time
- passwordChangeInterval - the password change interval
- userDataCheckInterval - the user data check interval
- requireOrgUnit - if true, should require organizational unit selection on login
- logoutUri - the alternative logout handler URI
-
-
Method Detail
-
canLockBecauseOfInactivity
public boolean canLockBecauseOfInactivity(CmsObject cms, CmsUser user)
Checks whether a user account can be locked because of inactivity.
- Parameters:
- cms - the CMS context
- user - the user to check
- Returns:
- true if the user may be locked after being inactive for too long
-
checkInactive
public boolean checkInactive(CmsUser user)
Checks whether the given user has been inactive for longer than the configured limit. If no max inactivity time is configured, this always returns false.
- Parameters:
- user - the user to check
- Returns:
- true if the user has been inactive for longer than the configured limit
-
checkInvalidLogins
public void checkInvalidLogins(java.lang.String userName, java.lang.String remoteAddress) throws CmsAuthentificationException
Checks if the threshold for the invalid logins has been reached for the given user. In case the configured threshold is reached, an exception is thrown.
- Parameters:
- userName - the name of the user
- remoteAddress - the remote address (IP) from which the login attempt was made
- Throws:
- CmsAuthentificationException - in case the threshold of invalid login attempts has been reached
-
checkLoginAllowed
public void checkLoginAllowed() throws CmsAuthentificationException
Checks if a login is currently allowed. In case no logins are allowed, an exception is thrown.
- Throws:
- CmsAuthentificationException - in case no logins are allowed
-
getBeforeLoginMessage
public CmsLoginMessage getBeforeLoginMessage()
Returns the current before login message that is displayed on the login form. If null is returned, no login message has currently been set.
- Returns:
- the current login message that is displayed if a user logs in
-
getDisableMinutes
public int getDisableMinutes()
Returns the minutes an account gets disabled after too many failed login attempts.
- Returns:
- the minutes an account gets disabled after too many failed login attempts
-
getLoginMessage
public CmsLoginMessage getLoginMessage()
Returns the current login message that is displayed if a user logs in. If null is returned, no login message has currently been set.
- Returns:
- the current login message that is displayed if a user logs in
-
getLogoutUri
public java.lang.String getLogoutUri()
Gets the logout URI. If this is not null, users will be redirected to this JSP when logging out from the workplace or page editor. The JSP is responsible for invalidating the user's session.
- Returns:
- the logout URI
-
getMaxBadAttempts
public int getMaxBadAttempts()
Returns the number of bad login attempts allowed before an account is temporarily disabled.
- Returns:
- the number of bad login attempts allowed before an account is temporarily disabled
-
getMaxInactive
public java.lang.String getMaxInactive()
Gets the max inactivity time.
- Returns:
- the max inactivity time
-
getPasswordChangeInterval
public long getPasswordChangeInterval()
Gets the password change interval.
- Returns:
- the password change interval
-
getPasswordChangeIntervalStr
public java.lang.String getPasswordChangeIntervalStr()
Gets the raw password change interval string.
- Returns:
- the configured string for the password change interval
-
getTokenLifetime
public long getTokenLifetime()
Gets the authorization token lifetime in milliseconds.
- Returns:
- the authorization token lifetime in milliseconds
-
getTokenLifetimeStr
public java.lang.String getTokenLifetimeStr()
Gets the configured token lifetime as a string.
- Returns:
- the configured token lifetime as a string
-
getUserDataCheckInterval
public long getUserDataCheckInterval()
Gets the user data check interval.
- Returns:
- the user data check interval
-
getUserDataCheckIntervalStr
public java.lang.String getUserDataCheckIntervalStr()
Gets the raw user data check interval string.
- Returns:
- the configured string for the user data check interval
-
isEnableSecurity
public boolean isEnableSecurity()
Returns if the security option should be enabled on the login dialog.
- Returns:
- true if the security option should be enabled on the login dialog, otherwise false
-
isOrgUnitRequired
public boolean isOrgUnitRequired()
Returns true if organizational unit selection should be required on login.
- Returns:
- true if org unit selection should be required
-
isPasswordReset
public boolean isPasswordReset(CmsObject cms, CmsUser user)
Checks if the password has to be reset.
- Parameters:
- cms - the CmsObject
- user - the CmsUser
- Returns:
- true if the password should be reset
-
isUserLocked
public boolean isUserLocked(CmsUser user)
Checks if a user is locked due to too many failed logins.
- Parameters:
- user - the user to check
- Returns:
- true if the user is locked
-
isUserTempDisabled
public boolean isUserTempDisabled(java.lang.String username)
Checks if the given user is temporarily locked.
- Parameters:
- username - the user name to check
- Returns:
- true if the user is locked
-
removeLoginMessage
public void removeLoginMessage(CmsObject cms) throws CmsRoleViolationException
Removes the current login message. This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.
- Parameters:
- cms - the current OpenCms user context
- Throws:
- CmsRoleViolationException - in case the current user does not have the required role permissions
-
requiresPasswordChange
public boolean requiresPasswordChange(CmsObject cms, CmsUser user)
Checks if a user is required to change his password now.
- Parameters:
- cms - the current CMS context
- user - the user to check
- Returns:
- true if the user should be asked to change his password
-
requiresUserDataCheck
public boolean requiresUserDataCheck(CmsObject cms, CmsUser user)
Checks if a user is required to change his password now.
- Parameters:
- cms - the current CMS context
- user - the user to check
- Returns:
- true if the user should be asked to change his password
-
resetUserTempDisable
public void resetUserTempDisable(java.lang.String username)
Resets the lock for a user.
- Parameters:
- username - the user name to reset the lock for
-
setBeforeLoginMessage
public void setBeforeLoginMessage(CmsObject cms, CmsLoginMessage message) throws CmsRoleViolationException
Sets the before login message to display on the login form. This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.
- Parameters:
- cms - the current OpenCms user context
- message - the message to set
- Throws:
- CmsRoleViolationException - in case the current user does not have the required role permissions
-
setLoginMessage
public void setLoginMessage(CmsObject cms, CmsLoginMessage message) throws CmsRoleViolationException
Sets the login message to display if a user logs in. This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.
- Parameters:
- cms - the current OpenCms user context
- message - the message to set
- Throws:
- CmsRoleViolationException - in case the current user does not have the required role permissions
-
unlockUser
public void unlockUser(CmsObject cms, CmsUser user) throws CmsRoleViolationException
Unlocks a user who has exceeded his number of failed login attempts so that he can try to log in again. This requires the "account manager" role.
- Parameters:
- cms - the current CMS context
- user - the user to unlock
- Throws:
- CmsRoleViolationException - if the permission check fails
-
addInvalidLogin
protected void addInvalidLogin(java.lang.String userName, java.lang.String remoteAddress)
Adds an invalid attempt to login for the given user / IP to the storage. In case the configured threshold is reached, the user is disabled for the configured time.
- Parameters:
- userName - the name of the user
- remoteAddress - the remote address (IP) from which the login attempt was made
-
removeInvalidLogins
protected void removeInvalidLogins(java.lang.String userName, java.lang.String remoteAddress)
Removes all invalid attempts to login for the given user / IP.
- Parameters:
- userName - the name of the user
- remoteAddress - the remote address (IP) from which the login attempt was made
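The lockout bookkeeping described in the class overview and in checkInvalidLogins, addInvalidLogin and removeInvalidLogins, as an added illustrative model that is not OpenCms code: failed attempts are counted per user name and remote IP, the key is disabled for the configured minutes once the threshold is reached, and a successful login clears only that key. The real storage key also includes the user type and the real check throws CmsAuthentificationException; this model keys on user and IP only, uses SecurityException as a stand-in, and its KEY_SEPARATOR value is an assumption.

```java
import java.util.HashMap;
import java.util.Map;

// Illustrative model, not OpenCms code: lockout state keyed by user name + remote IP.
public class LockoutModel {
    static final String KEY_SEPARATOR = "_"; // assumption: the page does not show the real separator value
    private final int maxBadAttempts;
    private final long disableMillis;
    private final Map<String, Integer> badAttempts = new HashMap<>();
    private final Map<String, Long> disabledUntil = new HashMap<>();
    LockoutModel(int disableMinutes, int maxBadAttempts) {
        this.disableMillis = disableMinutes * 60_000L;
        this.maxBadAttempts = maxBadAttempts;
    }
    static String key(String userName, String remoteAddress) {
        return userName + KEY_SEPARATOR + remoteAddress;
    }
    // Throws while this user/IP is disabled; an expired lock is cleared so the user can retry.
    void checkInvalidLogins(String userName, String remoteAddress, long now) {
        String key = key(userName, remoteAddress);
        Long until = disabledUntil.get(key);
        if (until == null) return;
        if (now < until) throw new SecurityException("login temporarily disabled for " + key);
        disabledUntil.remove(key);
        badAttempts.remove(key);
    }
    // Records one failed attempt; reaching the threshold disables the key for disableMillis.
    void addInvalidLogin(String userName, String remoteAddress, long now) {
        String key = key(userName, remoteAddress);
        if (badAttempts.merge(key, 1, Integer::sum) >= maxBadAttempts) {
            disabledUntil.put(key, now + disableMillis);
        }
    }
    // A successful login clears the state for this user/IP only; other IPs are unaffected.
    void removeInvalidLogins(String userName, String remoteAddress) {
        badAttempts.remove(key(userName, remoteAddress));
        disabledUntil.remove(key(userName, remoteAddress));
    }
    public static void main(String[] args) {
        LockoutModel m = new LockoutModel(15, 3); // 3 bad attempts, then 15 minutes locked
        long t0 = 0L;                              // constructed clock values, not wall time
        for (int i = 0; i < 3; i++) m.addInvalidLogin("alice", "10.0.0.5", t0);
        try { m.checkInvalidLogins("alice", "10.0.0.5", t0 + 1_000L); }
        catch (SecurityException e) { System.out.println("locked: " + e.getMessage()); }
        m.checkInvalidLogins("alice", "192.0.2.7", t0 + 1_000L);       // same user, other IP: allowed
        m.checkInvalidLogins("alice", "10.0.0.5", t0 + 16 * 60_000L);  // lock expired: allowed again
        System.out.println("alice may retry from 10.0.0.5 after the lock expired");
    }
}
```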
-
-