org.apache.jetspeed.security.spi.impl
Class MaxPasswordAuthenticationFailuresInterceptor

java.lang.Object
  extended by org.apache.jetspeed.security.spi.impl.AbstractInternalPasswordCredentialInterceptorImpl
      extended by org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor
All Implemented Interfaces:
InternalPasswordCredentialInterceptor

public class MaxPasswordAuthenticationFailuresInterceptor
extends AbstractInternalPasswordCredentialInterceptorImpl

Enforces a maximum number of times a user may provide an invalid password. Once the maximum number of invalid authentications is reached, the credential is disabled.

Note: this interceptor does not reset the current count on valid authentication. That is done by the DefaultCredentialHandler, which invokes the interceptor(s) after authentication and resets the count when no interceptor's afterAuthenticated method returns true.

However, this interceptor does (re)set the count on creation and on change of the password.

Version:
$Id$
Author:
Ate Douma
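
The counting, lockout and reset rules described above, modelled as an added example with stand-in types; this is not Jetspeed's own code. `LockoutModel`, `Cred` and `authenticate` are hypothetical names, and the model assumes that the interceptor increments the counter itself and that a disabled credential is refused before the password is compared.

```java
// Added illustration with stand-in types; none of these are Jetspeed classes.
public class LockoutModel {
    /** Hypothetical stand-in for the credential state that matters here. */
    static class Cred {
        int failures;
        boolean enabled = true;
        boolean expired;
    }

    final int max; // 0 disables the check, as the constructor documentation states

    LockoutModel(int max) { this.max = max; }

    /** Models afterAuthenticated: true once the limit is reached and the credential is disabled. */
    boolean afterAuthenticated(Cred c, boolean authenticated) {
        if (max <= 0 || c.expired || authenticated) return false; // nothing to enforce
        c.failures++; // assumption: the failure is counted here
        if (c.failures >= max) {
            c.enabled = false;
            return true;
        }
        return false;
    }

    /** Models beforeCreate / beforeSetPassword: only the counter goes back to zero. */
    void beforeSetPassword(Cred c) { c.failures = 0; }

    /** Models the handler: it, not the interceptor, resets the count on success. */
    boolean authenticate(Cred c, boolean passwordMatches) {
        if (!c.enabled) return false; // assumption: disabled credentials are refused first
        boolean changed = afterAuthenticated(c, passwordMatches);
        if (passwordMatches && !changed) c.failures = 0;
        return passwordMatches;
    }

    public static void main(String[] args) {
        LockoutModel m = new LockoutModel(3);
        Cred c = new Cred();
        m.authenticate(c, false);
        m.authenticate(c, false);
        m.authenticate(c, true); // a success in between ends the streak
        System.out.println("after success: failures=" + c.failures);
        for (int i = 0; i < 3; i++) m.authenticate(c, false); // three in a row
        System.out.println("after streak: enabled=" + c.enabled);
        System.out.println("correct password accepted: " + m.authenticate(c, true));
        m.beforeSetPassword(c);
        System.out.println("after change: failures=" + c.failures + " enabled=" + c.enabled);
    }
}
```

In the model a password change clears the counter but leaves the credential disabled, because the page documents only a count reset for beforeSetPassword.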

Constructor Summary
MaxPasswordAuthenticationFailuresInterceptor(int maxNumberOfAuthenticationFailures)
           Configure the maximum number of invalid authentications allowed in a row.
 
Method Summary
 boolean afterAuthenticated(InternalUserPrincipal internalUser, java.lang.String userName, InternalCredential credential, boolean authenticated)
          Checks the current count of authentication failures when the credential is not expired and authentication failed.
 void beforeCreate(InternalUserPrincipal internalUser, java.util.Collection credentials, java.lang.String userName, InternalCredential credential, java.lang.String password)
          Sets the count of invalid authentications to zero (0).
 void beforeSetPassword(InternalUserPrincipal internalUser, java.util.Collection credentials, java.lang.String userName, InternalCredential credential, java.lang.String password, boolean authenticated)
          Resets the count of invalid authentications to zero (0).
 
Methods inherited from class org.apache.jetspeed.security.spi.impl.AbstractInternalPasswordCredentialInterceptorImpl
afterLoad
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

MaxPasswordAuthenticationFailuresInterceptor

public MaxPasswordAuthenticationFailuresInterceptor(int maxNumberOfAuthenticationFailures)

Configure the maximum number of invalid authentications allowed in a row.

A value of zero (0) disables the check.

Method Detail

afterAuthenticated

public boolean afterAuthenticated(InternalUserPrincipal internalUser,
                                  java.lang.String userName,
                                  InternalCredential credential,
                                  boolean authenticated)
                           throws SecurityException
Checks the current count of authentication failures when the credential is not expired and authentication failed.

Specified by:
afterAuthenticated in interface InternalPasswordCredentialInterceptor
Overrides:
afterAuthenticated in class AbstractInternalPasswordCredentialInterceptorImpl
Parameters:
internalUser - the user to which the credential belongs
userName - the name of the principal to which the credential belongs
credential - the credential of the user
authenticated - true if the provided password matches the value of the credential
Returns:
true if the maximum number of invalid authentications is reached and the credential is disabled.
Throws:
SecurityException
See Also:
InternalPasswordCredentialInterceptor.afterAuthenticated(org.apache.jetspeed.security.om.InternalUserPrincipal, java.lang.String, org.apache.jetspeed.security.om.InternalCredential, boolean)

beforeCreate

public void beforeCreate(InternalUserPrincipal internalUser,
                         java.util.Collection credentials,
                         java.lang.String userName,
                         InternalCredential credential,
                         java.lang.String password)
                  throws SecurityException
Sets the count of invalid authentications to zero (0).

Specified by:
beforeCreate in interface InternalPasswordCredentialInterceptor
Overrides:
beforeCreate in class AbstractInternalPasswordCredentialInterceptorImpl
Parameters:
internalUser - the user to which the credential belongs
credentials - the collection of credentials which will be set on the user afterwards (already contains the new credential)
userName - the name of the principal to which the credential belongs
credential - the credential of the user
password - the new password value (already set on the new credential)
Throws:
SecurityException
See Also:
InternalPasswordCredentialInterceptor.beforeCreate(org.apache.jetspeed.security.om.InternalUserPrincipal, java.util.Collection, java.lang.String, InternalCredential, java.lang.String)

beforeSetPassword

public void beforeSetPassword(InternalUserPrincipal internalUser,
                              java.util.Collection credentials,
                              java.lang.String userName,
                              InternalCredential credential,
                              java.lang.String password,
                              boolean authenticated)
                       throws SecurityException
Resets the count of invalid authentications to zero (0).

Specified by:
beforeSetPassword in interface InternalPasswordCredentialInterceptor
Overrides:
beforeSetPassword in class AbstractInternalPasswordCredentialInterceptorImpl
Parameters:
internalUser - the user to which the credential belongs
credentials - the collection of credentials which will be set on the user afterwards (already contains the new credential)
userName - the name of the principal to which the credential belongs
credential - the credential of the user
password - the new password value (already set on the new credential)
authenticated - true if the new password value is provided by the user directly
Throws:
SecurityException
See Also:
InternalPasswordCredentialInterceptor.beforeSetPassword(org.apache.jetspeed.security.om.InternalUserPrincipal, java.util.Collection, java.lang.String, org.apache.jetspeed.security.om.InternalCredential, java.lang.String, boolean)


Copyright © 1999-2010 Apache Software Foundation. All Rights Reserved.